001: /*
002: * JBoss, Home of Professional Open Source
003: * Copyright 2006, JBoss Inc., and individual contributors as indicated
004: * by the @authors tag. See the copyright.txt in the distribution for a
005: * full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.ejb.plugins;
023:
024: import java.lang.reflect.Method;
025: import java.security.Principal;
026: import java.util.ArrayList;
027: import java.util.Map;
028: import java.util.Set;
029:
030: import javax.security.jacc.EJBMethodPermission;
031:
032: import org.jboss.ejb.Container;
033: import org.jboss.invocation.Invocation;
034: import org.jboss.metadata.ApplicationMetaData;
035: import org.jboss.metadata.AssemblyDescriptorMetaData;
036: import org.jboss.metadata.BeanMetaData;
037: import org.jboss.security.SimplePrincipal;
038:
039: //$Id$
040:
041: /**
042: * JBAS-4149: JACC authorization interceptor that checks for deployment level
043: * role mappings before using the roles provided in the JAAS based
044: * subject.
045: * @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
046: * @since Feb 23, 2007
047: * @version $Revision$
048: */
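public class ExtendedJaccAuthorizationInterceptor extends
      JaccAuthorizationInterceptor
{
   /**
    * Deployment level principal-name to role-name mapping, read from the
    * assembly descriptor in {@link #setContainer(Container)}. Stays
    * {@code null} until a non-null container has been set.
    */
   protected Map<String, Set<String>> deploymentRoleMap = null;

   /**
    * Installs the container and caches the deployment level
    * principal-versus-roles mapping of its assembly descriptor.
    *
    * @param container the container this interceptor belongs to; when
    *           {@code null} only the superclass is updated and the cached
    *           mapping is left untouched
    */
   public void setContainer(Container container)
   {
      super.setContainer(container);
      if (container == null)
         return;
      BeanMetaData beanMetaData = container.getBeanMetaData();
      ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
      AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
      // Any deployment level mapping found here is what checkSecurityAssociation
      // hands to checkPolicy instead of the roles carried by the JAAS subject.
      deploymentRoleMap = assemblyDescriptor.getPrincipalVersusRolesMap();
   }

   /**
    * Authorizes the invocation against the JACC policy.
    * <p>
    * When no run-as identity is in effect for the caller and a non-empty
    * deployment level mapping exists, the caller principal's mapped role
    * names are wrapped in {@link SimplePrincipal}s and passed to
    * {@code checkPolicy}. Otherwise (run-as identity present, no deployment
    * mapping, or no caller principal) the check is delegated to the
    * superclass.
    *
    * @param mi the invocation being authorized
    * @throws Exception if the policy denies the invocation
    */
   protected void checkSecurityAssociation(Invocation mi) throws Exception
   {
      Method m = mi.getMethod();
      // Ignore internal container calls
      if (m == null)
         return;
      String iface = mi.getType().toInterfaceString();
      EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);

      // The run-as check comes first so the deployment mapping is only consulted
      // when no caller RAI is in effect.
      boolean hasDeploymentMapping = deploymentRoleMap != null && !deploymentRoleMap.isEmpty();
      if (SecurityActions.peekRunAsIdentity(1) == null && hasDeploymentMapping)
      {
         Principal principal = mi.getPrincipal();
         if (principal != null)
         {
            Set<String> roles = deploymentRoleMap.get(principal.getName());
            Principal[] principals = null;
            if (roles != null)
            {
               principals = toPrincipals(roles);
               // Log the role names themselves; concatenating the Principal[]
               // would only print the array's identity hash.
               if (log.isTraceEnabled())
                  log.trace("Principal=" + principal.getName() + "::roles=" + roles);
            }
            // NOTE(review): a named principal without an entry in the deployment
            // mapping reaches checkPolicy with principals == null (no roles at
            // all), whereas a missing caller principal falls through to the
            // superclass check below — confirm this asymmetry is intended.
            checkPolicy(principals, methodPerm, SecurityActions.getContextSubject());
            return;
         }
      }
      // Run-as identity present, no deployment level mapping, or no caller
      // principal: fall back to the JAAS subject based check of the superclass.
      super.checkSecurityAssociation(mi);
   }

   /**
    * Wraps each mapped role name in a {@link SimplePrincipal}.
    *
    * @param roles role names mapped to the caller, never {@code null}
    * @return one principal per role name, in the set's iteration order
    */
   private static Principal[] toPrincipals(Set<String> roles)
   {
      Principal[] principals = new Principal[roles.size()];
      int i = 0;
      for (String rolename : roles)
         principals[i++] = new SimplePrincipal(rolename);
      return principals;
   }
}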