01: /**
02: * EasyBeans
03: * Copyright (C) 2006 Bull S.A.S.
04: * Contact: easybeans@ow2.org
05: *
06: * This library is free software; you can redistribute it and/or
07: * modify it under the terms of the GNU Lesser General Public
08: * License as published by the Free Software Foundation; either
09: * version 2.1 of the License, or any later version.
10: *
11: * This library is distributed in the hope that it will be useful,
12: * but WITHOUT ANY WARRANTY; without even the implied warranty of
13: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14: * Lesser General Public License for more details.
15: *
16: * You should have received a copy of the GNU Lesser General Public
17: * License along with this library; if not, write to the Free Software
18: * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
19: * USA
20: *
21: * --------------------------------------------------------------------------
22: * $Id: AccessInterceptor.java 1970 2007-10-16 11:49:25Z benoitf $
23: * --------------------------------------------------------------------------
24: */package org.ow2.easybeans.security.interceptors;
25:
26: import java.util.Arrays;
27:
28: import javax.ejb.EJBAccessException;
29: import javax.security.jacc.PolicyContext;
30:
31: import org.ow2.easybeans.api.EZBPermissionManager;
32: import org.ow2.easybeans.api.EasyBeansInterceptor;
33: import org.ow2.easybeans.api.EasyBeansInvocationContext;
34: import org.ow2.easybeans.security.propagation.context.SecurityCurrent;
35:
36: /**
37: * This interceptor checks that the role is allowed to call the given method.
38: * @author Florent Benoit
39: */
public class AccessInterceptor implements EasyBeansInterceptor {

    /**
     * Authorizes the current invocation and, when authorized, hands over to
     * the next element of the interceptor chain.
     * <p>
     * The decision is delegated to the container's permission manager. The
     * JACC policy context ID observed on entry is put back once the check has
     * run, whether the check returned or threw.
     * @param invocationContext context with useful attributes on the current
     *        invocation
     * @return result of the next invocation (to chain interceptors)
     * @throws Exception if the check or the chained invocation fails; an
     *         {@link EJBAccessException} is thrown when the permission
     *         manager refuses the call
     */
    public Object intercept(
            final EasyBeansInvocationContext invocationContext)
            throws Exception {
        // Remember the context ID so it can be restored after the check.
        // NOTE(review): presumably checkSecurity() switches the JACC context
        // to this container's ID - confirm against the permission manager.
        final String previousContextId = PolicyContext.getContextID();

        // NOTE(review): with no permission manager on the container this
        // flag is never reassigned, so the call proceeds unchecked
        // (fail-open). Confirm that a missing manager can only mean
        // "security not configured" and never a failed initialisation.
        boolean allowed = true;

        // True when the bean's security info declares a run-as role. The flag
        // is forwarded to the check and to the caller principal/roles lookups.
        final boolean runAsBean = invocationContext.getFactory().getBeanInfo()
                .getSecurityInfo().getRunAsRole() != null;

        try {
            final EZBPermissionManager manager = invocationContext
                    .getFactory().getContainer().getPermissionManager();
            if (manager != null) {
                allowed = manager.checkSecurity(invocationContext, runAsBean);
            }
        } finally {
            PolicyContext.setContextID(previousContextId);
        }

        if (allowed) {
            return invocationContext.proceed();
        }

        // Denied: build the diagnostic. It carries the bean name, the archive
        // location, the method, the caller principal and the caller's roles.
        // NOTE(review): if this message can travel back to a remote caller it
        // discloses deployment paths and role names - consider logging the
        // detail server-side and returning a shorter message.
        final StringBuilder denial = new StringBuilder("Access Denied on bean '")
                .append(invocationContext.getFactory().getBeanInfo().getName())
                .append("' contained in the URL '")
                .append(invocationContext.getFactory().getContainer().getArchive())
                .append("'. ")
                .append(" Method = '")
                .append(invocationContext.getMethod())
                .append("'. ")
                .append("Current caller's principal is '")
                .append(SecurityCurrent.getCurrent().getSecurityContext()
                        .getCallerPrincipal(runAsBean))
                .append("' with roles '")
                .append(Arrays.asList(SecurityCurrent.getCurrent()
                        .getSecurityContext().getCallerRoles(runAsBean)))
                .append("'.");
        throw new EJBAccessException(denial.toString());
    }

}