
Example 1 with JndiPermission

use of org.wildfly.naming.java.permission.JndiPermission in project wildfly by wildfly.

the class WritableServiceBasedNamingStoreTestCase method testPermissions.

/**
 * Binds one entry ("a/b") and then looks it up under a series of {@link JndiPermission}
 * grants, checking which permission names authorize the lookup and which do not.
 *
 * <p>Permission names that are expected to grant the lookup: the exact absolute name,
 * {@code <base>/-}, {@code <base>/a/*}, {@code <base>/a/-} and {@code <<ALL BINDINGS>>}.
 * Names that are expected to be rejected with {@link AccessControlException}: no permission
 * at all, {@code <base>/*} (which does not reach the nested "a/b"), the relative name, and,
 * when the base name is not "java:", the names "/a/b" and "/-".
 *
 * @throws Exception if binding or any naming operation fails unexpectedly
 */
@Test
public void testPermissions() throws Exception {
    final NamingContext namingContext = new NamingContext(store, null);
    final String name = "a/b";
    final Object value = new Object();
    ArrayList<JndiPermission> permissions = new ArrayList<JndiPermission>();
    // Seed slot 0 of the permission list; permission names must be absolute paths.
    // The bind below is invoked directly on the store, and every later check
    // overwrites slot 0 with the permission under test.
    WritableServiceBasedNamingStore.pushOwner(OWNER_FOO);
    try {
        permissions.add(new JndiPermission(store.getBaseName() + "/" + name, "bind,list,listBindings"));
        store.bind(new CompositeName(name), value);
    } finally {
        WritableServiceBasedNamingStore.popOwner();
    }

    final String basePrefix = store.getBaseName() + "/";

    // Each of these permission names must be sufficient to look up "a/b".
    final String[] grantingNames = {
        basePrefix + name,
        basePrefix + "-",
        basePrefix + "a/*",
        basePrefix + "a/-",
        "<<ALL BINDINGS>>"
    };
    for (final String grantingName : grantingNames) {
        permissions.set(0, new JndiPermission(grantingName, JndiPermission.ACTION_LOOKUP));
        assertEquals(value, testActionWithPermission(JndiPermission.ACTION_LOOKUP, permissions, namingContext, name));
    }

    // Same exact-name grant, but the lookup itself is issued with the absolute name.
    permissions.set(0, new JndiPermission(basePrefix + name, JndiPermission.ACTION_LOOKUP));
    assertEquals(value, testActionWithPermission(JndiPermission.ACTION_LOOKUP, permissions, namingContext, basePrefix + name));

    // Same exact-name grant, but the lookup goes through the "a" sub-context with the relative name "b".
    NamingContext aNamingContext = (NamingContext) namingContext.lookup("a");
    permissions.set(0, new JndiPermission(basePrefix + name, JndiPermission.ACTION_LOOKUP));
    assertEquals(value, testActionWithPermission(JndiPermission.ACTION_LOOKUP, permissions, aNamingContext, "b"));

    // With no permission at all the lookup must be refused.
    try {
        testActionWithPermission(JndiPermission.ACTION_LOOKUP, Collections.<JndiPermission>emptyList(), namingContext, name);
        fail("Should have failed due to missing permission");
    } catch (AccessControlException expected) {
        // expected: access denied
    }

    // Permission names that must NOT authorize the lookup:
    //  - "<base>/*" only allows entries directly in the base name, not the nested "a/b"
    //  - names that are not absolute paths (do not include the store base name, i.e. java:)
    final ArrayList<String> insufficientNames = new ArrayList<String>();
    insufficientNames.add(basePrefix + "*");
    insufficientNames.add(name);
    if (!"java:".equals(store.getBaseName().toString())) {
        insufficientNames.add("/" + name);
        insufficientNames.add("/-");
    }
    for (final String insufficientName : insufficientNames) {
        try {
            permissions.set(0, new JndiPermission(insufficientName, JndiPermission.ACTION_LOOKUP));
            testActionWithPermission(JndiPermission.ACTION_LOOKUP, permissions, namingContext, name);
            fail("Should have failed due to missing permission");
        } catch (AccessControlException expected) {
            // expected: access denied
        }
    }
}
Also used : ArrayList(java.util.ArrayList) CompositeName(javax.naming.CompositeName) AccessControlException(java.security.AccessControlException) JndiPermission(org.wildfly.naming.java.permission.JndiPermission) Test(org.junit.Test)

Example 2 with JndiPermission

use of org.wildfly.naming.java.permission.JndiPermission in project wildfly by wildfly.

the class SecurityHelper method testActionWithoutPermission.

/**
 * Negative test helper: runs a naming operation under a restricted security context and
 * asserts that it is rejected with a {@link SecurityException}.
 *
 * <p>The context is built from {@code additionalRequiredPerms} plus one extra
 * {@link JndiPermission} on the target name whose actions are {@code not(action)}.
 * NOTE(review): {@code not} is defined elsewhere; presumably it yields every action except
 * {@code action}, so that only the action under test is missing. Confirm against the helper.
 *
 * @param action the action code to perform
 * @param additionalRequiredPerms permissions granted in addition to the complemented one
 * @param namingContext the context the operation is performed on
 * @param name the target name; {@code null} is treated as the empty name
 * @param params extra arguments passed through to {@code performAction}
 * @throws Exception if the operation fails for a reason other than a {@link SecurityException}
 */
public static void testActionWithoutPermission(final int action, final Collection<JndiPermission> additionalRequiredPerms, final NamingContext namingContext, final String name, final Object... params) throws Exception {
    final CompositeName targetName;
    final String permissionName;
    if (name == null) {
        targetName = new CompositeName();
        permissionName = "";
    } else {
        targetName = new CompositeName(name);
        permissionName = name;
    }

    // Copy the caller's permissions so the extra entry does not leak into their collection.
    final ArrayList<JndiPermission> grantedPerms = new ArrayList<JndiPermission>(additionalRequiredPerms);
    grantedPerms.add(new JndiPermission(permissionName, not(action)));

    final Callable<Object> operation = new Callable<Object>() {

        @Override
        public Object call() throws Exception {
            return performAction(action, namingContext, targetName, params);
        }
    };

    try {
        runWithSecurityManager(operation, getSecurityContextForJNDILookup(grantedPerms));
        fail("Naming operation " + action + " should not have been permitted");
    } catch (SecurityException expected) {
        // expected: the operation was denied
    }
}
Also used : CompositeName(javax.naming.CompositeName) ArrayList(java.util.ArrayList) JndiPermission(org.wildfly.naming.java.permission.JndiPermission) PrivilegedActionException(java.security.PrivilegedActionException) NamingException(javax.naming.NamingException)

Example 3 with JndiPermission

use of org.wildfly.naming.java.permission.JndiPermission in project wildfly by wildfly.

the class SecurityHelper method getSecurityContextForJNDILookup.

/**
 * Builds an {@link AccessControlContext} made of a single {@link ProtectionDomain} that
 * holds exactly the given JNDI permissions.
 *
 * <p>The domain is created with the two-argument {@code ProtectionDomain} constructor, so its
 * permissions are static: only what is added here is granted. The {@link CodeSource} has no
 * location and no certificates.
 *
 * @param jndiPermissions the permissions the resulting context should carry
 * @return a context restricted to {@code jndiPermissions}
 */
private static AccessControlContext getSecurityContextForJNDILookup(Collection<JndiPermission> jndiPermissions) {
    final Permissions granted = new Permissions();
    for (final JndiPermission permission : jndiPermissions) {
        granted.add(permission);
    }
    // Anonymous code source: null location, null certificate chain.
    final CodeSource anonymousSource = new CodeSource(null, (Certificate[]) null);
    final ProtectionDomain restrictedDomain = new ProtectionDomain(anonymousSource, granted);
    return new AccessControlContext(new ProtectionDomain[] { restrictedDomain });
}
Also used : ProtectionDomain(java.security.ProtectionDomain) AccessControlContext(java.security.AccessControlContext) Permissions(java.security.Permissions) JndiPermission(org.wildfly.naming.java.permission.JndiPermission) CodeSource(java.security.CodeSource) Certificate(java.security.cert.Certificate)

Example 4 with JndiPermission

use of org.wildfly.naming.java.permission.JndiPermission in project wildfly by wildfly.

the class NamingContextTestCase method testListWithContinuation.

/**
 * Lists the "comp" context twice and checks both results: once directly on the naming
 * context, and once through {@code testActionPermission} with an extra "list" permission.
 */
@Test
@SuppressWarnings("unchecked")
public void testListWithContinuation() throws Exception {
    bindListWithContinuations();

    // Baseline: list without going through the permission-checking helper.
    final NamingEnumeration<NameClassPair> unrestricted = namingContext.list(new CompositeName("comp"));
    checkListWithContinuationsResults(unrestricted);

    // Same listing through the permission-checking helper.
    // NOTE(review): the extra permission is on "test" while the listed name is "comp";
    // presumably the helper adds the permission for the target name itself. Confirm.
    final JndiPermission extraPermission = new JndiPermission("test", "list");
    final NamingEnumeration<NameClassPair> restricted = (NamingEnumeration<NameClassPair>) testActionPermission(JndiPermission.ACTION_LIST, Arrays.asList(extraPermission), namingContext, "comp");
    checkListWithContinuationsResults(restricted);
}
Also used : NameClassPair(javax.naming.NameClassPair) CompositeName(javax.naming.CompositeName) JndiPermission(org.wildfly.naming.java.permission.JndiPermission) Test(org.junit.Test)

Example 5 with JndiPermission

use of org.wildfly.naming.java.permission.JndiPermission in project wildfly by wildfly.

the class NamingContextTestCase method testListBindingsWithContinuation.

/**
 * Lists the bindings of the "comp" context twice and checks both results: once directly on
 * the naming context, and once through {@code testActionPermission} with an extra
 * "listBindings" permission.
 */
@Test
@SuppressWarnings("unchecked")
public void testListBindingsWithContinuation() throws Exception {
    bindListWithContinuations();

    // Baseline: listBindings without going through the permission-checking helper.
    final NamingEnumeration<Binding> unrestricted = namingContext.listBindings(new CompositeName("comp"));
    checkListWithContinuationsResults(unrestricted);

    // Same listing through the permission-checking helper.
    // NOTE(review): the extra permission is on "test" while the listed name is "comp";
    // presumably the helper adds the permission for the target name itself. Confirm.
    final JndiPermission extraPermission = new JndiPermission("test", "listBindings");
    final NamingEnumeration<Binding> restricted = (NamingEnumeration<Binding>) testActionPermission(JndiPermission.ACTION_LIST_BINDINGS, Arrays.asList(extraPermission), namingContext, "comp");
    checkListWithContinuationsResults(restricted);
}
Also used : Binding(javax.naming.Binding) CompositeName(javax.naming.CompositeName) JndiPermission(org.wildfly.naming.java.permission.JndiPermission) Test(org.junit.Test)

Aggregations

JndiPermission (org.wildfly.naming.java.permission.JndiPermission)19 CompositeName (javax.naming.CompositeName)10 Deployment (org.jboss.arquillian.container.test.api.Deployment)8 Test (org.junit.Test)7 JavaArchive (org.jboss.shrinkwrap.api.spec.JavaArchive)6 ArrayList (java.util.ArrayList)3 Name (javax.naming.Name)3 PrivilegedActionException (java.security.PrivilegedActionException)2 LinkRef (javax.naming.LinkRef)2 NamingException (javax.naming.NamingException)2 Reference (javax.naming.Reference)2 StringRefAddr (javax.naming.StringRefAddr)2 WebArchive (org.jboss.shrinkwrap.api.spec.WebArchive)2 AccessControlContext (java.security.AccessControlContext)1 AccessControlException (java.security.AccessControlException)1 CodeSource (java.security.CodeSource)1 Permissions (java.security.Permissions)1 ProtectionDomain (java.security.ProtectionDomain)1 Certificate (java.security.cert.Certificate)1 MBeanPermission (javax.management.MBeanPermission)1