org.ow2.jonas.lib.ejb21
Class PermissionManager

java.lang.Object
  extended by org.ow2.jonas.lib.security.AbsPermissionManager
      extended by org.ow2.jonas.lib.ejb21.PermissionManager

public class PermissionManager
extends AbsPermissionManager

Defines a PermissionManager class that manages the JACC permissions of an ejb-jar: it translates the deployment descriptor's security elements into a PolicyConfiguration and answers the container's access and role checks against it.

Author:
Florent Benoit

Constructor Summary
PermissionManager(DeploymentDesc ejbDeploymentDesc, String contextId)
          Default Constructor
 
Method Summary
 boolean checkSecurity(String ejbName, EJBInvocation ejbInv, boolean inRunAs)
          Check whether the current caller may invoke the given method (identified by its security signature) on the named EJB.
 boolean isCallerInRole(String ejbName, String roleName, boolean inRunAs)
          Test if the caller has a given role.
protected  void resetDeploymentDesc()
          Reset Deployment Descriptor
 void translateEjbDeploymentDescriptor()
          3.1.5 Translating EJB Deployment Descriptors: A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container.
protected  void translateEjbExcludeList()
          3.1.5.2 Translating the EJB exclude-list: An EJBMethodPermission object must be created for each method element occurring in the exclude-list element of the deployment descriptor.
protected  void translateEjbMethodPermission()
          3.1.5.1 Translating EJB method-permission Elements: For each method element of each method-permission element, an EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object.
 void translateEjbSecurityRoleRef()
          3.1.5.3 Translating EJB security-role-ref Elements: For each security-role-ref element appearing in the deployment descriptor, a corresponding EJBRoleRefPermission must be created.
 
Methods inherited from class org.ow2.jonas.lib.security.AbsPermissionManager
commit, delete, getContextId, getPolicy, getPolicyConfiguration, setContextId, setPolicy, setPolicyConfiguration
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PermissionManager

public PermissionManager(DeploymentDesc ejbDeploymentDesc,
                         String contextId)
                  throws PermissionManagerException
Default Constructor

Parameters:
ejbDeploymentDesc - EJB deployment descriptor
contextId - context ID used for PolicyContext
Throws:
PermissionManagerException - if permissions can't be set
Method Detail

translateEjbDeploymentDescriptor

public void translateEjbDeploymentDescriptor()
                                      throws PermissionManagerException
3.1.5 Translating EJB Deployment Descriptors

A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container. The policy context identifier used in the call to getPolicyConfiguration must be a String that satisfies the requirements described in Section 3.1.4, EJB Policy Context Identifiers, on page 28. The value true must be passed as the second parameter in the call to getPolicyConfiguration to ensure that any and all policy statements are removed from the policy context associated with the returned PolicyConfiguration.

The method-permission, exclude-list, and security-role-ref elements appearing in the deployment descriptor must be translated into permissions and added to the PolicyConfiguration object to yield an equivalent translation as that defined in the following sections and such that every EJB method for which the container performs pre-dispatch access decisions is implied by at least one permission resulting from the translation.

Throws:
PermissionManagerException - if permissions can't be set

translateEjbMethodPermission

protected void translateEjbMethodPermission()
                                     throws PermissionManagerException
3.1.5.1 Translating EJB method-permission Elements

For each method element of each method-permission element, an EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object. The name of each such EJBMethodPermission object must be the ejb-name from the corresponding method element, and the actions must be established by translating the method element into a method specification according to the methodSpec syntax defined in the documentation of the EJBMethodPermission class. The actions translation must preserve the degree of specificity with respect to method-name, method-intf, and method-params inherent in the method element.

If the method-permission element contains the unchecked element, then the deployment tools must call the addToUncheckedPolicy method to add the permissions resulting from the translation to the PolicyConfiguration object. Alternatively, if the method-permission element contains one or more role-name elements, then the deployment tools must call the addToRole method to add the permissions resulting from the translation to the corresponding roles of the PolicyConfiguration object.

Throws:
PermissionManagerException - if permissions can't be set

translateEjbExcludeList

protected void translateEjbExcludeList()
                                throws PermissionManagerException
3.1.5.2 Translating the EJB exclude-list

An EJBMethodPermission object must be created for each method element occurring in the exclude-list element of the deployment descriptor. The name and actions of each EJBMethodPermission must be established as described in Section 3.1.5.1, Translating EJB method-permission Elements. The deployment tools must use the addToExcludedPolicy method to add the EJBMethodPermission objects resulting from the translation of the exclude-list to the excluded policy statements of the PolicyConfiguration object.

Throws:
PermissionManagerException - if permissions can't be set

translateEjbSecurityRoleRef

public void translateEjbSecurityRoleRef()
                                 throws PermissionManagerException
3.1.5.3 Translating EJB security-role-ref Elements

For each security-role-ref element appearing in the deployment descriptor, a corresponding EJBRoleRefPermission must be created. The name of each EJBRoleRefPermission must be obtained as described for EJBMethodPermission objects. The actions used to construct the permission must be the value of the role-name (that is, the reference) appearing in the security-role-ref. The deployment tools must call the addToRole method on the PolicyConfiguration object to add a policy statement corresponding to the EJBRoleRefPermission to the role identified in the role-link appearing in the security-role-ref.

Throws:
PermissionManagerException - if permissions can't be set

checkSecurity

public boolean checkSecurity(String ejbName,
                             EJBInvocation ejbInv,
                             boolean inRunAs)
Check whether the current caller may invoke the given method (identified by its security signature) on the named EJB.

Parameters:
ejbName - name of the EJB
ejbInv - object carrying the security signature of the method, the method arguments, and related invocation data
inRunAs - whether the bean calling this method is running in run-as mode
Returns:
true if access to the specific method is granted, else false.

isCallerInRole

public boolean isCallerInRole(String ejbName,
                              String roleName,
                              boolean inRunAs)
Test if the caller has a given role. An EJBRoleRefPermission object is created with ejbName as its name and roleName as its actions, and the policy is asked whether the caller holds it.

Parameters:
ejbName - The name of the EJB on which to look up the role
roleName - The name of the security role. The role must be one of the security-role-ref elements defined in the deployment descriptor.
inRunAs - whether the bean calling this method is running in run-as mode
Returns:
True if the caller has the specified role.
See Also:
Section 4.3.2 of the JACC specification
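The translation described under translateEjbDeploymentDescriptor through translateEjbSecurityRoleRef, and the role check behind isCallerInRole, as an added example written directly against the javax.security.jacc API; this is not JOnAS code and makes no use of DeploymentDesc or EJBInvocation. AccountBean, its methods, the roles teller/supervisor/manager and the contextId are constructed for the example; in a real container the caller's principals and the context id come from the container, not from the caller.

```java
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

/** Added illustration of the JACC 3.1.5 translation and the 4.3.2 role check; not JOnAS code. */
public final class JaccTranslationExample {

    /** Translates a constructed ejb-jar.xml fragment for one bean ("AccountBean") into policy statements. */
    public static void translate(String contextId)
            throws ClassNotFoundException, PolicyContextException {
        PolicyConfigurationFactory factory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
        // "true" removes any stale policy statements bound to this context id (3.1.5).
        PolicyConfiguration pc = factory.getPolicyConfiguration(contextId, true);

        // 3.1.5.1 method-permission with <role-name>teller</role-name> for
        //   <method-name>withdraw</method-name> <method-intf>Remote</method-intf> <method-param>int</method-param>
        pc.addToRole("teller", new EJBMethodPermission("AccountBean", "withdraw", "Remote", new String[] {"int"}));

        // 3.1.5.1 method-permission with <unchecked/>: any caller may invoke getBalance on any interface.
        pc.addToUncheckedPolicy(new EJBMethodPermission("AccountBean", "getBalance", null, null));

        // 3.1.5.2 exclude-list: closeAccount is denied to everyone, whatever roles are granted elsewhere.
        pc.addToExcludedPolicy(new EJBMethodPermission("AccountBean", "closeAccount", null, null));

        // 3.1.5.3 security-role-ref: bean code calls isCallerInRole("manager"); its role-link is "supervisor".
        // Permission name = ejb-name, actions = the role-name reference, added to the linked role.
        pc.addToRole("supervisor", new EJBRoleRefPermission("AccountBean", "manager"));

        pc.commit(); // statements take effect only after commit (AbsPermissionManager.commit in JOnAS)
    }

    /** Equivalent of isCallerInRole: ask the JACC policy whether the caller's principals imply the role ref. */
    public static boolean callerInRole(String contextId, String ejbName, String roleName, Principal[] callerPrincipals) {
        PolicyContext.setContextID(contextId); // select the ejb-jar's policy context before deciding
        ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), null, null, callerPrincipals);
        return Policy.getPolicy().implies(pd, new EJBRoleRefPermission(ejbName, roleName));
    }
}
```

Because excluded statements are evaluated before role and unchecked ones, closeAccount stays denied even if a later method-permission grants it to teller; that ordering is what makes the exclude-list a safe place for methods that must never be reachable.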

resetDeploymentDesc

protected void resetDeploymentDesc()
Reset Deployment Descriptor

Specified by:
resetDeploymentDesc in class AbsPermissionManager


Copyright © 2010 OW2 Consortium. All Rights Reserved.