001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.ejb.plugins;
023:
024: import java.security.Principal;
025: import java.util.Map;
026: import java.util.Set;
027: import javax.ejb.EJBException;
028:
029: import org.jboss.ejb.Container;
030: import org.jboss.invocation.Invocation;
031: import org.jboss.invocation.InvocationType;
032: import org.jboss.metadata.ApplicationMetaData;
033: import org.jboss.metadata.AssemblyDescriptorMetaData;
034: import org.jboss.metadata.BeanMetaData;
035: import org.jboss.security.AnybodyPrincipal;
036: import org.jboss.security.RealmMapping;
037: import org.jboss.security.RunAsIdentity;
038: import org.jboss.security.SecurityAssociation;
039:
040: /** The declarative roles based authorization interceptor which uses the
041: * RealmMapping interface of the associated security domain.
042: *
043: * @author <a href="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
044: * @author <a href="mailto:Thomas.Diesler@jboss.org">Thomas Diesler</a>.
045: * @version $Revision: 57209 $
046: */
047: public class SecurityRolesInterceptor extends AbstractInterceptor {
048: /** The security domain authorization service */
049: protected RealmMapping realmMapping;
050:
051: /** A static map of SecurityRolesMetaData from jboss.xml */
052: protected Map securityRoles;
053:
054: /** Called by the super class to set the container to which this interceptor
055: belongs. We obtain the authorization service here.
056: */
057: public void setContainer(Container container) {
058: super .setContainer(container);
059: if (container != null) {
060: BeanMetaData beanMetaData = container.getBeanMetaData();
061: ApplicationMetaData applicationMetaData = beanMetaData
062: .getApplicationMetaData();
063: AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData
064: .getAssemblyDescriptor();
065: securityRoles = assemblyDescriptor.getSecurityRoles();
066:
067: realmMapping = container.getRealmMapping();
068: }
069: }
070:
071: // Container implementation --------------------------------------
072: public void start() throws Exception {
073: super .start();
074: }
075:
076: public Object invokeHome(Invocation mi) throws Exception {
077: // Apply any declarative security checks
078: checkSecurityAssociation(mi);
079: Object returnValue = getNext().invokeHome(mi);
080: return returnValue;
081: }
082:
083: public Object invoke(Invocation mi) throws Exception {
084: // Authenticate the subject and apply any declarative security checks
085: checkSecurityAssociation(mi);
086: Object returnValue = getNext().invoke(mi);
087: return returnValue;
088: }
089:
090: /** Validate access to the method by checking the principal's roles against
091: those required to access the method.
092: @param mi the method invocation context
093: */
094: private void checkSecurityAssociation(Invocation mi)
095: throws Exception {
096: Principal principal = mi.getPrincipal();
097: boolean trace = log.isInfoEnabled();
098:
099: if (realmMapping == null) {
100: throw new EJBException("checkSecurityAssociation",
101: new SecurityException(
102: "Role mapping manager has not been set"));
103: }
104:
105: // Get the method permissions
106: InvocationType iface = mi.getType();
107: Set methodRoles = container.getMethodPermissions(
108: mi.getMethod(), iface);
109: if (methodRoles == null) {
110: String method = mi.getMethod().getName();
111: String msg = "No method permissions assigned to method="
112: + method + ", interface=" + iface;
113: log.error(msg);
114: SecurityException e = new SecurityException(msg);
115: throw new EJBException("checkSecurityAssociation", e);
116: } else if (trace) {
117: log.trace("method=" + mi.getMethod() + ", interface="
118: + iface + ", requiredRoles=" + methodRoles);
119: }
120:
121: // Check if the caller is allowed to access the method
122: RunAsIdentity callerRunAsIdentity = SecurityAssociation
123: .peekRunAsIdentity();
124: if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false) {
125: // The caller is using a the caller identity
126: if (callerRunAsIdentity == null) {
127: // Now actually check if the current caller has one of the required method roles
128: if (realmMapping.doesUserHaveRole(principal,
129: methodRoles) == false) {
130: Set userRoles = realmMapping
131: .getUserRoles(principal);
132: String method = mi.getMethod().getName();
133: String msg = "Insufficient method permissions, principal="
134: + principal
135: + ", method="
136: + method
137: + ", interface="
138: + iface
139: + ", requiredRoles="
140: + methodRoles
141: + ", principalRoles=" + userRoles;
142: log.error(msg);
143: SecurityException e = new SecurityException(msg);
144: throw new EJBException("checkSecurityAssociation",
145: e);
146: }
147: }
148:
149: // The caller is using a run-as identity
150: else {
151: // Check that the run-as role is in the set of method roles
152: if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false) {
153: String method = mi.getMethod().getName();
154: String msg = "Insufficient method permissions, runAsPrincipal="
155: + callerRunAsIdentity.getName()
156: + ", method="
157: + method
158: + ", interface="
159: + iface
160: + ", requiredRoles="
161: + methodRoles
162: + ", runAsRoles="
163: + callerRunAsIdentity.getRunAsRoles();
164: log.error(msg);
165: SecurityException e = new SecurityException(msg);
166: throw new EJBException("checkSecurityAssociation",
167: e);
168: }
169: }
170: }
171: }
172: }
|