001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.aspects.security;
023:
024: import org.jboss.aop.joinpoint.Invocation;
025: import org.jboss.logging.Logger;
026: import org.jboss.security.AnybodyPrincipal;
027: import org.jboss.security.AuthenticationManager;
028: import org.jboss.security.NobodyPrincipal;
029: import org.jboss.security.RealmMapping;
030: import org.jboss.security.RunAsIdentity;
031: import org.jboss.security.SimplePrincipal;
032:
033: import java.security.Principal;
034: import java.util.HashSet;
035: import java.util.Set;
036:
037: /**
038: * The RoleBasedAuthorizationInterceptor checks that the caller principal is
039: * authorized to call a method by verifing that it contains at least one
040: * of the required roled.
041: *
042: * @author <a href="bill@jboss.org">Bill Burke</a>
043: * @author <a href="on@ibis.odessa.ua">Oleg Nitz</a>
044: * @author <a href="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
045: * @author <a href="mailto:dain@daingroup.com">Dain Sundstrom</a>.
046: * @version $Revision: 57186 $
047: */
048: public class RoleBasedAuthorizationInterceptor implements
049: org.jboss.aop.advice.Interceptor {
050: protected Logger log = Logger.getLogger(this .getClass());
051: protected AuthenticationManager securityManager;
052: protected RealmMapping realmMapping;
053:
054: public RoleBasedAuthorizationInterceptor(
055: AuthenticationManager manager, RealmMapping realmMapping) {
056: this .securityManager = manager;
057: this .realmMapping = realmMapping;
058: }
059:
060: public String getName() {
061: return "RoleBasedAuthorizationInterceptor";
062: }
063:
064: protected Set getRoleSet(Invocation invocation) {
065: Set roles = (Set) invocation.getMetaData("security", "roles");
066: if (roles == null)
067: roles = getAnnotationRoleSet(invocation);
068: return roles;
069:
070: }
071:
072: protected Set getAnnotationRoleSet(Invocation invocation) {
073: HashSet set = new HashSet();
074: Exclude exclude = (Exclude) invocation
075: .resolveAnnotation(Exclude.class);
076: if (exclude != null) {
077: set.add(NobodyPrincipal.NOBODY_PRINCIPAL);
078: return set;
079: }
080: Unchecked unchecked = (Unchecked) invocation
081: .resolveAnnotation(Unchecked.class);
082: if (unchecked != null) {
083: set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
084: return set;
085: }
086: Permissions permissions = (Permissions) invocation
087: .resolveAnnotation(Permissions.class);
088: if (permissions == null) {
089: // Default behavior is unchecked
090: set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
091: return set;
092: }
093: for (int i = 0; i < permissions.value().length; i++) {
094: set.add(new SimplePrincipal(permissions.value()[i]));
095: }
096: return set;
097: }
098:
099: /**
100: * Check if the principal is authorized to call the method by verifying that
101: * the it containes at least one of the required roles.
102: */
103: public Object invoke(Invocation invocation) throws Throwable {
104: // If there is not a security manager then there is no authorization
105: // required
106: if (securityManager == null) {
107: return invocation.invokeNext();
108: }
109:
110: if (realmMapping == null) {
111: throw new SecurityException(
112: "Role mapping manager has not been set");
113: }
114:
115: Set roles = getRoleSet(invocation);
116: if (roles == null) {
117: /*
118: REVISIT: for better message
119: String message = "No method permissions assigned. to " +
120: "method=" + invocation.getMethod().getName() +
121: ", interface=" + invocation.getType();
122: */
123: String message = "No method permissions assigned.";
124: log.error(message);
125: throw new SecurityException(message);
126: }
127:
128: // Check if the caller is allowed to access the method
129: RunAsIdentity callerRunAsIdentity = SecurityActions
130: .peekRunAsIdentity();
131: if (roles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false) {
132: // The caller is using a the caller identity
133: if (callerRunAsIdentity == null) {
134: Principal principal = SecurityActions.getPrincipal();
135: // Now actually check if the current caller has one of the required method roles
136: if (realmMapping.doesUserHaveRole(principal, roles) == false) {
137: Set userRoles = realmMapping
138: .getUserRoles(principal);
139: String msg = "Insufficient permissions, principal="
140: + principal + ", requiredRoles=" + roles
141: + ", principalRoles=" + userRoles;
142: log.error(msg);
143: throw new SecurityException(msg);
144: }
145: }
146:
147: // The caller is using a run-as identity
148: else {
149: // Check that the run-as role is in the set of method roles
150: if (callerRunAsIdentity.doesUserHaveRole(roles) == false) {
151: String msg = "Insufficient permissions, runAsPrincipal="
152: + callerRunAsIdentity.getName()
153: + ", requiredRoles="
154: + roles
155: + ", runAsRoles="
156: + callerRunAsIdentity.getRunAsRoles();
157: log.error(msg);
158: throw new SecurityException(msg);
159: }
160: }
161: }
162: return invocation.invokeNext();
163: }
164:
165: }
|