00027 package org.objectweb.jonas_ejb.container;
00028
00029 import java.net.URI;
00030 import java.net.URL;
00031 import java.security.CodeSource;
00032 import java.security.PermissionCollection;
00033 import java.security.Principal;
00034 import java.security.ProtectionDomain;
00035 import java.security.cert.Certificate;
00036 import java.util.Iterator;
00037
00038 import javax.security.jacc.EJBMethodPermission;
00039 import javax.security.jacc.EJBRoleRefPermission;
00040 import javax.security.jacc.PolicyContext;
00041 import javax.security.jacc.PolicyContextException;
00042
00043 import org.objectweb.jonas_ejb.deployment.api.BeanDesc;
00044 import org.objectweb.jonas_ejb.deployment.api.DeploymentDesc;
00045 import org.objectweb.jonas_ejb.deployment.api.ExcludeListDesc;
00046 import org.objectweb.jonas_ejb.deployment.api.MethodPermissionDesc;
00047 import org.objectweb.jonas_ejb.lib.EJBInvocation;
00048
00049 import org.objectweb.jonas_lib.deployment.api.SecurityRoleRefDesc;
00050 import org.objectweb.jonas_lib.security.AbsPermissionManager;
00051 import org.objectweb.jonas_lib.security.PermissionManagerException;
00052
00053 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerCurrent;
00054 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerData;
00055
00056 import org.objectweb.security.context.SecurityContext;
00057 import org.objectweb.security.context.SecurityCurrent;
00058
00059 import org.objectweb.util.monolog.api.BasicLevel;
00060
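/**
 * Translates the security metadata of one EJB module (method permissions,
 * exclude list, security role references) into JACC permissions and answers
 * the container's runtime access checks against the JACC policy.
 * <p>
 * The runtime checks ({@link #checkSecurity} and {@link #isCallerInRole})
 * fail closed: any exception raised while building or evaluating the check
 * is logged and reported as "access denied".
 */
public class PermissionManager extends AbsPermissionManager {

    /**
     * Deployment descriptor whose security metadata is translated; cleared by
     * {@link #resetDeploymentDesc()} once it is no longer needed.
     */
    private DeploymentDesc ejbDeploymentDesc = null;

    /**
     * Creates the permission manager of one EJB module.
     * @param ejbDeploymentDesc the module's deployment descriptor
     * @param contextId the JACC policy context identifier of the module
     * @throws PermissionManagerException propagated from the superclass constructor
     */
    public PermissionManager(DeploymentDesc ejbDeploymentDesc, String contextId) throws PermissionManagerException {
        super(contextId);
        this.ejbDeploymentDesc = ejbDeploymentDesc;
    }

    /**
     * Translates the whole descriptor into the policy configuration, in the
     * order method permissions, exclude list, security role references.
     * @throws PermissionManagerException if the descriptor or the policy
     *         configuration is missing, or the policy configuration rejects an entry
     */
    public void translateEjbDeploymentDescriptor() throws PermissionManagerException {
        translateEjbMethodPermission();
        translateEjbExcludeList();
        translateEjbSecurityRoleRef();
    }

    /**
     * Verifies that both inputs of a translation step are available.
     * @throws PermissionManagerException if the deployment descriptor or the
     *         policy configuration is null
     */
    private void requireTranslationInputs() throws PermissionManagerException {
        if (ejbDeploymentDesc == null || getPolicyConfiguration() == null) {
            throw new PermissionManagerException("PolicyConfiguration or ejbDeploymentDesc is null");
        }
    }

    /**
     * Adds the descriptor's method permissions to the policy configuration:
     * unchecked entries go to the unchecked policy, the others to each role
     * they name.
     * @throws PermissionManagerException if the inputs are missing or the
     *         policy configuration rejects an entry
     */
    protected void translateEjbMethodPermission() throws PermissionManagerException {
        requireTranslationInputs();

        for (Iterator it = ejbDeploymentDesc.getMethodPermissionsDescList().iterator(); it.hasNext();) {
            MethodPermissionDesc methodPermissionDesc = (MethodPermissionDesc) it.next();
            PermissionCollection permissionCollection = methodPermissionDesc.getEJBMethodPermissions();
            try {
                if (methodPermissionDesc.isUnchecked()) {
                    getPolicyConfiguration().addToUncheckedPolicy(permissionCollection);
                } else {
                    for (Iterator rolesIt = methodPermissionDesc.getRoleNameList().iterator(); rolesIt.hasNext();) {
                        getPolicyConfiguration().addToRole((String) rolesIt.next(), permissionCollection);
                    }
                }
            } catch (PolicyContextException pce) {
                throw new PermissionManagerException("Can not add method permissions to policy", pce);
            }
        }
    }

    /**
     * Adds the descriptor's exclude list (if any) to the excluded policy.
     * @throws PermissionManagerException if the inputs are missing or the
     *         policy configuration rejects the entry
     */
    protected void translateEjbExcludeList() throws PermissionManagerException {
        requireTranslationInputs();

        ExcludeListDesc excludeListDesc = ejbDeploymentDesc.getExcludeListDesc();
        if (excludeListDesc == null) {
            return;
        }
        try {
            getPolicyConfiguration().addToExcludedPolicy(excludeListDesc.getEJBMethodPermissions());
        } catch (PolicyContextException pce) {
            throw new PermissionManagerException("Can not add excluded policy", pce);
        }
    }

    /**
     * Adds, for every bean, each security role reference permission to the
     * role it links to.
     * @throws PermissionManagerException if the inputs are missing or the
     *         policy configuration rejects an entry
     */
    public void translateEjbSecurityRoleRef() throws PermissionManagerException {
        requireTranslationInputs();

        for (Iterator itEjb = ejbDeploymentDesc.getBeanDescIterator(); itEjb.hasNext();) {
            BeanDesc beanDesc = (BeanDesc) itEjb.next();
            for (Iterator it = beanDesc.getSecurityRoleRefDescList().iterator(); it.hasNext();) {
                SecurityRoleRefDesc securityRoleRefDesc = (SecurityRoleRefDesc) it.next();
                try {
                    getPolicyConfiguration().addToRole(securityRoleRefDesc.getRoleLink(),
                            securityRoleRefDesc.getEJBRoleRefPermission());
                } catch (PolicyContextException pce) {
                    throw new PermissionManagerException("Can not add security role ref permission to policy", pce);
                }
            }
        }
    }

    /**
     * Builds the CodeSource the policy is queried with: a {@code file:} URL
     * derived from the context id, with no signer certificates.
     * @return the code source of this module's policy context
     * @throws java.net.URISyntaxException if the context id does not form a valid URI
     * @throws java.net.MalformedURLException if the URI cannot be turned into a URL
     */
    private CodeSource buildCodeSource() throws java.net.URISyntaxException, java.net.MalformedURLException {
        URI uri = new URI("file://" + getContextId());
        return new CodeSource(new URL(uri.toString()), (Certificate[]) null);
    }

    /**
     * Wraps each role name into a JPrincipal so the policy can match it
     * against the role's permissions.
     * @param roles the role names; a null array is rejected so that the
     *        caller's fail-closed handling applies instead of a silent
     *        "no principals" check
     * @return one principal per role, in the same order
     * @throws IllegalArgumentException if {@code roles} is null
     */
    private static Principal[] toPrincipals(String[] roles) {
        if (roles == null) {
            throw new IllegalArgumentException("role array is null");
        }
        Principal[] principals = new Principal[roles.length];
        for (int k = 0; k < roles.length; k++) {
            principals[k] = new org.objectweb.jonas.security.auth.JPrincipal(roles[k]);
        }
        return principals;
    }

    /**
     * Checks whether the current caller may invoke the given EJB method.
     * The invocation's arguments and bean are attached to the JACC handler
     * data so the policy can inspect them; the principals used for the check
     * are the run-as role's principals when a run-as role is in effect, the
     * caller's principal roles otherwise.
     * @param ejbName the bean name
     * @param ejbInv the invocation (method permission signature, arguments, bean)
     * @param inRunAs passed through to the security context when reading the caller's roles
     * @return true if the policy implies the EJBMethodPermission; false when
     *         access is denied, the handler data is missing, or any error occurs
     */
    public boolean checkSecurity(String ejbName, EJBInvocation ejbInv, boolean inRunAs) {
        try {
            PolicyContext.setContextID(getContextId());
            String methodSignature = ejbInv.methodPermissionSignature;

            TraceEjb.security.log(BasicLevel.DEBUG, "EjbName = " + ejbName + ", methodSignature = " + methodSignature);

            JPolicyContextHandlerData jPolicyContextHandlerData = JPolicyContextHandlerCurrent.getCurrent()
                    .getJPolicyContextHandlerData();
            if (jPolicyContextHandlerData == null) {
                TraceEjb.security.log(BasicLevel.ERROR, "The Handler data retrieved is null !");
                return false;
            }
            jPolicyContextHandlerData.setEjbArguments(ejbInv.arguments);
            jPolicyContextHandlerData.setProcessingBean(ejbInv.bean);
            PolicyContext.setHandlerData(jPolicyContextHandlerData);

            CodeSource codesource = buildCodeSource();
            final SecurityContext sctx = SecurityCurrent.getCurrent().getSecurityContext();

            TraceEjb.security.log(BasicLevel.DEBUG, "Security Context = " + sctx);

            Principal[] principals = null;
            if (sctx != null) {
                TraceEjb.security.log(BasicLevel.DEBUG, "sctx.getCallerPrincipalRoles() = "
                        + sctx.getCallerPrincipalRoles(inRunAs));
                // A run-as role in effect replaces the caller's own roles for this check.
                if (sctx.peekRunAsRole() != null) {
                    principals = toPrincipals(sctx.peekRunAsPrincipalRoles());
                } else {
                    principals = toPrincipals(sctx.getCallerPrincipalRoles(inRunAs));
                }
            } else {
                TraceEjb.security.log(BasicLevel.DEBUG, "Security context is null");
            }
            ProtectionDomain protectionDomain = new ProtectionDomain(codesource, null, null, principals);

            EJBMethodPermission ejbMethodPermission = new EJBMethodPermission(ejbName, methodSignature);
            boolean accessOK = getPolicy().implies(protectionDomain, ejbMethodPermission);
            TraceEjb.security.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
            return accessOK;

        } catch (Exception e) {
            // Fail closed: an error while building or evaluating the check denies access.
            TraceEjb.security.log(BasicLevel.ERROR, "Can't check security :" + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks whether the current caller is in the given role, as seen from the
     * given bean (the role name is resolved through the bean's role references).
     * Only the caller's principal roles are used here.
     * @param ejbName the bean name
     * @param roleName the role name referenced by the bean
     * @param inRunAs passed through to the security context when reading the caller's roles
     * @return true if the policy implies the EJBRoleRefPermission; false when
     *         it does not or any error occurs
     */
    public boolean isCallerInRole(String ejbName, String roleName, boolean inRunAs) {
        try {
            PolicyContext.setContextID(getContextId());
            TraceEjb.security.log(BasicLevel.DEBUG, "roleName = " + roleName);

            CodeSource codesource = buildCodeSource();
            final SecurityContext sctx = SecurityCurrent.getCurrent().getSecurityContext();

            TraceEjb.security.log(BasicLevel.DEBUG, "Security Context = " + sctx);

            // NOTE(review): unlike checkSecurity, the run-as role is not consulted
            // here (only the inRunAs flag is passed through) - confirm intended.
            Principal[] principals = null;
            if (sctx != null) {
                // Read the roles once; the debug log must not dereference a null context.
                String[] callerRoles = sctx.getCallerPrincipalRoles(inRunAs);
                TraceEjb.security.log(BasicLevel.DEBUG, "sctx.getCallerPrincipalRoles() = " + callerRoles);
                principals = toPrincipals(callerRoles);
            } else {
                TraceEjb.security.log(BasicLevel.DEBUG, "Security context is null");
            }
            ProtectionDomain protectionDomain = new ProtectionDomain(codesource, null, null, principals);

            EJBRoleRefPermission ejbRoleRefPermission = new EJBRoleRefPermission(ejbName, roleName);
            boolean isInRole = getPolicy().implies(protectionDomain, ejbRoleRefPermission);
            TraceEjb.security.log(BasicLevel.DEBUG, "Policy.implies result = " + isInRole);
            return isInRole;

        } catch (Exception e) {
            // Fail closed: an error while building or evaluating the check means "not in role".
            TraceEjb.security.log(BasicLevel.ERROR, "Can't check isCallerInRole :" + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Drops the reference to the deployment descriptor once translation is
     * done; subsequent translate calls fail with PermissionManagerException.
     */
    protected void resetDeploymentDesc() {
        ejbDeploymentDesc = null;
    }

}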