All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.jboss.security.plugins.javaee.EJBAuthorizationHelper Maven / Gradle / Ivy

There is a newer version: 5.1.0.Final
Show newest version
/*
  * JBoss, Home of Professional Open Source
  * Copyright 2007, JBoss Inc., and individual contributors as indicated
  * by the @authors tag. See the copyright.txt in the distribution for a
  * full listing of individual contributors.
  *
  * This is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as
  * published by the Free Software Foundation; either version 2.1 of
  * the License, or (at your option) any later version.
  *
  * This software is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this software; if not, write to the Free
  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
package org.jboss.security.plugins.javaee;

import java.lang.reflect.Method;
import java.security.CodeSource;
import java.security.Principal;
import java.util.HashMap;
import java.util.Set;

import javax.naming.InitialContext;
import javax.security.auth.Subject;

import org.jboss.security.AuthorizationManager;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.RunAs;
import org.jboss.security.audit.AuditLevel;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.callbacks.SecurityContextCallbackHandler;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
import org.jboss.security.javaee.SecurityRoleRef;
import org.jboss.security.javaee.exceptions.MissingArgumentsException;
import org.jboss.security.javaee.exceptions.WrongEEResourceException;


/**
 *  Default implementation of the EJBAuthorizationHelper
 *  @author [email protected]
 *  @since  Apr 18, 2008 
 *  @version $Revision$
 */
public class EJBAuthorizationHelper extends AbstractEJBAuthorizationHelper
{
   protected String POLICY_REGISTRATION_JNDI = "java:/policyRegistration";
   
   @Override
   public boolean authorize(
         String ejbName, 
         Method ejbMethod, 
         Principal ejbPrincipal, 
         String invocationInterfaceString,
         CodeSource ejbCodeSource,
         Subject callerSubject, 
         RunAs callerRunAs,  
         String contextID,
         RoleGroup methodRoles)
   {
      if(ejbName == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbName");
      if(ejbMethod == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbMethod");
      if(ejbCodeSource == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbCodeSource");
      if(contextID == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextID");
      if(callerSubject == null && callerRunAs == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("callerSubject");

      AuthorizationManager am = securityContext.getAuthorizationManager();
      if(am == null)
         throw PicketBoxMessages.MESSAGES.invalidNullProperty("AuthorizationManager");

      HashMap map =  new HashMap();
      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI(); 
      }
      catch(Exception e)
      {
         PicketBoxLogger.LOGGER.debugIgnoredException(e);
      }
      
      map.put(ResourceKeys.POLICY_REGISTRATION, this.policyRegistration); 
     
      EJBResource ejbResource = new EJBResource(map);
      ejbResource.setEjbVersion(version);
      ejbResource.setPolicyContextID(contextID);
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setEjbName(ejbName);
      ejbResource.setEjbMethod(ejbMethod);
      ejbResource.setPrincipal(ejbPrincipal);
      ejbResource.setEjbMethodInterface(invocationInterfaceString);
      ejbResource.setCodeSource(ejbCodeSource);
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setCallerSubject(callerSubject);
      ejbResource.setEjbMethodRoles(methodRoles);
      
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext); 
      RoleGroup callerRoles = am.getSubjectRoles(callerSubject, sch);
      
      boolean isAuthorized = false;
      try
      {
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
         authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
                             ,ejbResource, null);
      }
      catch (Exception e)
      {
         isAuthorized = false;
         PicketBoxLogger.LOGGER.debugAuthorizationError(e);
         authorizationAudit(AuditLevel.ERROR,ejbResource,e);
      } 
      
      return isAuthorized;
   }

   @Override
   public boolean isCallerInRole(
         String roleName, 
         String ejbName, 
         Principal ejbPrincipal,
         Subject callerSubject, 
         String contextID,
         Set securityRoleRefs)
   {
      return this.isCallerInRole(roleName, ejbName, ejbPrincipal, 
            callerSubject, contextID, securityRoleRefs, false); 
   }
   
   public boolean isCallerInRole( Resource resource, String roleName ) throws WrongEEResourceException,MissingArgumentsException
   {
      boolean isAuthorized = false;
      EJBResource ejbResource = (EJBResource) resource;

      if(roleName == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleName");
      if( ejbResource.getEjbName() == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbName");
      if( ejbResource.getPolicyContextID() == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextID");

      AuthorizationManager am = securityContext.getAuthorizationManager();

      Subject callerSubject = ejbResource.getCallerSubject();
      
      if(am == null)
         throw PicketBoxMessages.MESSAGES.invalidNullProperty("AuthorizationManager");

      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI(); 
      }
      catch(Exception e)
      {
         PicketBoxLogger.LOGGER.debugIgnoredException(e);
      }
      
      ejbResource.add( ResourceKeys.POLICY_REGISTRATION, this.policyRegistration );
      
      ejbResource.add( ResourceKeys.ROLENAME, roleName );
      ejbResource.add( ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE); 
      
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext); 
      RoleGroup callerRoles = am.getSubjectRoles( callerSubject, sch);
      
      try
      {
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
      } 
      catch (Exception e)
      {
         isAuthorized = false;
         PicketBoxLogger.LOGGER.debugFailureExecutingMethod("isCallerInRole", e);
         authorizationAudit(AuditLevel.ERROR,ejbResource,e);
      } 
      return isAuthorized;  
   }

   @Override
   public boolean isCallerInRole(String roleName, String ejbName, Principal ejbPrincipal, Subject callerSubject,
         String contextID, Set securityRoleRefs, boolean enforceEJBRestrictions)
   { 
      if(roleName == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleName");
      if(ejbName == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbName");
      if(contextID == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextID");

      boolean isAuthorized = false;
      AuthorizationManager am = securityContext.getAuthorizationManager();
      
      if(am == null)
         throw PicketBoxMessages.MESSAGES.invalidNullProperty("AuthorizationManager");

      HashMap map = new HashMap();

      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI(); 
      }
      catch(Exception e)
      {
         PicketBoxLogger.LOGGER.debugIgnoredException(e);
      }
      
      
      
      map.put(ResourceKeys.POLICY_REGISTRATION, this.policyRegistration);
      
      map.put(ResourceKeys.ROLENAME, roleName);
      map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE); 
      
      EJBResource ejbResource = new EJBResource(map);
      ejbResource.setPolicyContextID(contextID);
      
      RunAs callerRunAs = SecurityActions.getIncomingRunAs(securityContext);
      
      ejbResource.setEjbVersion(version);
      ejbResource.setEjbName(ejbName);
      ejbResource.setPrincipal(ejbPrincipal);
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setSecurityRoleReferences(securityRoleRefs); 
      ejbResource.setEnforceEJBRestrictions(enforceEJBRestrictions);
      
      ejbResource.setCallerSubject(callerSubject);
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext); 
      RoleGroup callerRoles = am.getSubjectRoles(callerSubject, sch);
      
      try
      {
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
      } 
      catch (Exception e)
      {
         isAuthorized = false;
         PicketBoxLogger.LOGGER.debugFailureExecutingMethod("isCallerInRole", e);
         authorizationAudit(AuditLevel.ERROR,ejbResource,e);
      } 
      return isAuthorized; 
   }

   @Override
   public String getEJBVersion()
   {
      return this.version;
   }
   
   @Override
   public void setEJBVersion(String ejbVersion)
   {
      /**
       * Validate the argument
       */ 
      if(EJBResource.EJB_VERSION_1_1.equalsIgnoreCase(ejbVersion) ||
            EJBResource.EJB_VERSION_2_0.equalsIgnoreCase(ejbVersion) ||
            EJBResource.EJB_VERSION_3_0.equalsIgnoreCase(ejbVersion))
      {
          this.version = ejbVersion;  
      }
      else
         throw PicketBoxMessages.MESSAGES.invalidEJBVersion(ejbVersion);
   }

   @Override
   public boolean authorize( Resource resource ) 
   throws WrongEEResourceException, MissingArgumentsException
   {
      if( resource instanceof EJBResource == false )
        throw PicketBoxMessages.MESSAGES.invalidType(EJBResource.class.getName());
      EJBResource ejbResource = (EJBResource) resource;
      validateEJBResource( ejbResource );
      
      AuthorizationManager am = securityContext.getAuthorizationManager();
      if(am == null)
         throw PicketBoxMessages.MESSAGES.invalidNullProperty("AuthorizationManager");

      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI(); 
      }
      catch(Exception e)
      {
         PicketBoxLogger.LOGGER.debugIgnoredException(e);
      }
      Subject callerSubject = ejbResource.getCallerSubject();
      
      ejbResource.add( ResourceKeys.POLICY_REGISTRATION, this.policyRegistration );  
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler( this.securityContext ); 
      RoleGroup callerRoles = am.getSubjectRoles( callerSubject, sch );
      
      boolean isAuthorized = false;
      try
      {
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
         authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
                             ,ejbResource, null);
      }
      catch (Exception e)
      {
         isAuthorized = false;
         PicketBoxLogger.LOGGER.debugAuthorizationError(e);
         authorizationAudit(AuditLevel.ERROR, ejbResource, e);
      } 
      
      return isAuthorized;
   }
   
   /**
    * Validate that the EJBResource has all the parameters to make a decision
    * @param ejbResource
    */
   private void validateEJBResource( EJBResource ejbResource ) throws MissingArgumentsException
   {
      if( ejbResource.getEjbName() == null )
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbName");
      if( ejbResource.getEjbMethod() == null )
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbMethod");
      if( ejbResource.getCodeSource() == null )
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("ejbCodeSource");
      if( ejbResource.getPolicyContextID() == null )
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextID");
      if( ejbResource.getCallerSubject() == null && ejbResource.getCallerRunAsIdentity() == null)
         throw new MissingArgumentsException(PicketBoxMessages.MESSAGES.missingCallerInfoMessage());
   }
  
   private PolicyRegistration getPolicyRegistrationFromJNDI() throws Exception
   {
      return (PolicyRegistration) (new InitialContext()).lookup(POLICY_REGISTRATION_JNDI);
   }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy