PermissionManager.java

00027 package org.objectweb.jonas_ejb.container;
00028 
00029 import java.net.URI;
00030 import java.net.URL;
00031 import java.security.CodeSource;
00032 import java.security.PermissionCollection;
00033 import java.security.Principal;
00034 import java.security.ProtectionDomain;
00035 import java.security.cert.Certificate;
00036 import java.util.Iterator;
00037 
00038 import javax.security.jacc.EJBMethodPermission;
00039 import javax.security.jacc.EJBRoleRefPermission;
00040 import javax.security.jacc.PolicyContext;
00041 import javax.security.jacc.PolicyContextException;
00042 
00043 import org.objectweb.jonas_ejb.deployment.api.BeanDesc;
00044 import org.objectweb.jonas_ejb.deployment.api.DeploymentDesc;
00045 import org.objectweb.jonas_ejb.deployment.api.ExcludeListDesc;
00046 import org.objectweb.jonas_ejb.deployment.api.MethodPermissionDesc;
00047 import org.objectweb.jonas_ejb.lib.EJBInvocation;
00048 
00049 import org.objectweb.jonas_lib.deployment.api.SecurityRoleRefDesc;
00050 import org.objectweb.jonas_lib.security.AbsPermissionManager;
00051 import org.objectweb.jonas_lib.security.PermissionManagerException;
00052 
00053 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerCurrent;
00054 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerData;
00055 
00056 import org.objectweb.security.context.SecurityContext;
00057 import org.objectweb.security.context.SecurityCurrent;
00058 
00059 import org.objectweb.util.monolog.api.BasicLevel;
00060 
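/**
 * Translates the security elements of an EJB deployment descriptor into JACC policy
 * statements and answers the container's runtime authorization questions against the policy.
 *
 * <p>Both runtime checks, {@link #checkSecurity} and {@link #isCallerInRole}, fail closed:
 * any exception raised while a decision is being built is logged and reported as "denied".
 */
public class PermissionManager extends AbsPermissionManager {

    /**
     * Deployment descriptor whose security elements are translated; <code>null</code> once
     * {@link #resetDeploymentDesc()} has been called.
     */
    private DeploymentDesc ejbDeploymentDesc = null;

    /**
     * Creates a manager for one EJB deployment.
     *
     * @param ejbDeploymentDesc deployment descriptor to read the security elements from
     * @param contextId policy context identifier, handed to the superclass
     * @throws PermissionManagerException if the superclass constructor fails
     */
    public PermissionManager(DeploymentDesc ejbDeploymentDesc, String contextId) throws PermissionManagerException {
        super(contextId);
        this.ejbDeploymentDesc = ejbDeploymentDesc;
    }

    /**
     * Translates the whole descriptor: method permissions first, then the exclude list, then
     * the security role references.
     *
     * @throws PermissionManagerException if one of the three translations fails
     */
    public void translateEjbDeploymentDescriptor() throws PermissionManagerException {
        translateEjbMethodPermission();
        translateEjbExcludeList();
        translateEjbSecurityRoleRef();
    }

    /**
     * Adds the permissions of every method-permission element to the policy configuration,
     * either as unchecked permissions or once per role named by the element.
     *
     * @throws PermissionManagerException if the descriptor or the policy configuration is
     *         missing, or if the policy configuration rejects a permission
     */
    protected void translateEjbMethodPermission() throws PermissionManagerException {
        checkTranslationState();

        for (Iterator it = ejbDeploymentDesc.getMethodPermissionsDescList().iterator(); it.hasNext();) {
            MethodPermissionDesc methodPermissionDesc = (MethodPermissionDesc) it.next();
            PermissionCollection permissionCollection = methodPermissionDesc.getEJBMethodPermissions();
            try {
                if (methodPermissionDesc.isUnchecked()) {
                    getPolicyConfiguration().addToUncheckedPolicy(permissionCollection);
                } else {
                    // An element that is not unchecked and names no role adds nothing here.
                    for (Iterator rolesIt = methodPermissionDesc.getRoleNameList().iterator(); rolesIt.hasNext();) {
                        getPolicyConfiguration().addToRole((String) rolesIt.next(), permissionCollection);
                    }
                }
            } catch (PolicyContextException pce) {
                // The original message named the excluded policy here (copy/paste slip).
                throw new PermissionManagerException("Can not add method permissions to the policy", pce);
            }
        }
    }

    /**
     * Adds the permissions of the exclude list, when the descriptor has one, to the excluded
     * policy statements.
     *
     * @throws PermissionManagerException if the descriptor or the policy configuration is
     *         missing, or if the policy configuration rejects the permissions
     */
    protected void translateEjbExcludeList() throws PermissionManagerException {
        checkTranslationState();

        ExcludeListDesc excludeListDesc = ejbDeploymentDesc.getExcludeListDesc();
        if (excludeListDesc == null) {
            return;
        }
        try {
            getPolicyConfiguration().addToExcludedPolicy(excludeListDesc.getEJBMethodPermissions());
        } catch (PolicyContextException pce) {
            throw new PermissionManagerException("Can not add excluded policy", pce);
        }
    }

    /**
     * Adds, for every bean of the descriptor, one role-reference permission per security role
     * reference to the role the reference links to.
     *
     * @throws PermissionManagerException if the descriptor or the policy configuration is
     *         missing, or if the policy configuration rejects a permission
     */
    public void translateEjbSecurityRoleRef() throws PermissionManagerException {
        checkTranslationState();

        for (Iterator itEjb = ejbDeploymentDesc.getBeanDescIterator(); itEjb.hasNext();) {
            BeanDesc beanDesc = (BeanDesc) itEjb.next();
            for (Iterator it = beanDesc.getSecurityRoleRefDescList().iterator(); it.hasNext();) {
                SecurityRoleRefDesc securityRoleRefDesc = (SecurityRoleRefDesc) it.next();
                try {
                    getPolicyConfiguration().addToRole(securityRoleRefDesc.getRoleLink(),
                            securityRoleRefDesc.getEJBRoleRefPermission());
                } catch (PolicyContextException pce) {
                    // The original message named the excluded policy here (copy/paste slip).
                    throw new PermissionManagerException("Can not add security role reference to the policy", pce);
                }
            }
        }
    }

    /**
     * Decides whether the current caller may invoke a bean method.
     *
     * <p>The decision is taken by the policy for a protection domain built from the context
     * code source and one principal per role: the run-as roles when the security context has
     * a run-as role, the caller roles otherwise. Without a security context the domain carries
     * no principal at all.
     *
     * @param ejbName name of the invoked bean
     * @param ejbInv invocation; supplies the method signature, the arguments and the bean
     * @param inRunAs passed through to the security context when the caller roles are read
     * @return <code>true</code> if the policy implies the method permission; <code>false</code>
     *         if it does not, if no handler data is available, or if anything fails
     */
    public boolean checkSecurity(String ejbName, EJBInvocation ejbInv, boolean inRunAs) {
        try {
            PolicyContext.setContextID(getContextId());
            String methodSignature = ejbInv.methodPermissionSignature;

            TraceEjb.security.log(BasicLevel.DEBUG, "EjbName = " + ejbName + ", methodSignature = " + methodSignature);

            // Set the information for the Policy provider
            JPolicyContextHandlerData jPolicyContextHandlerData = JPolicyContextHandlerCurrent.getCurrent()
                    .getJPolicyContextHandlerData();
            if (jPolicyContextHandlerData == null) {
                TraceEjb.security.log(BasicLevel.ERROR, "The Handler data retrieved is null !");
                return false;
            }
            jPolicyContextHandlerData.setEjbArguments(ejbInv.arguments);
            jPolicyContextHandlerData.setProcessingBean(ejbInv.bean);

            // NOTE(review): the handler data keeps the bean and the call arguments and is not
            // cleared once the decision is taken (the original only nulled its local variable).
            // Confirm that a later caller on this thread cannot observe stale data.
            PolicyContext.setHandlerData(jPolicyContextHandlerData);

            // Build Protection Domain with a codesource and array of principal
            URI uri = new URI("file://" + getContextId());
            CodeSource codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
            final SecurityContext sctx = SecurityCurrent.getCurrent().getSecurityContext();

            TraceEjb.security.log(BasicLevel.DEBUG, "Security Context = " + sctx);

            Principal[] principals = null;
            if (sctx != null) {
                // Read each role array once: sizing the principal array from one call and
                // filling it from later calls breaks if the context changes in between.
                String[] callerRoles = sctx.getCallerPrincipalRoles(inRunAs);
                TraceEjb.security.log(BasicLevel.DEBUG, "sctx.getCallerPrincipalRoles() = " + describeRoles(callerRoles));

                String runAsRole = sctx.peekRunAsRole();
                if (runAsRole != null) {
                    principals = toPrincipals(sctx.peekRunAsPrincipalRoles());
                } else {
                    principals = toPrincipals(callerRoles);
                }
            } else {
                TraceEjb.security.log(BasicLevel.DEBUG, "Security context is null");
            }
            ProtectionDomain protectionDomain = new ProtectionDomain(codesource, null, null, principals);

            //TODO : cache ejbName/methodSignature to avoid creation of a new
            // EJBMethodPermission each time
            // See JACC 4.12
            EJBMethodPermission ejbMethodPermission = new EJBMethodPermission(ejbName, methodSignature);
            boolean accessOK = getPolicy().implies(protectionDomain, ejbMethodPermission);
            TraceEjb.security.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
            return accessOK;

        } catch (Exception e) {
            // Deny on any failure. The exception itself is logged as well, because
            // getMessage() is null for a NullPointerException and hides the cause.
            TraceEjb.security.log(BasicLevel.ERROR, "Can't check security :" + e.getMessage(), e);
            return false;
        }

    }

    /**
     * Tells whether the current caller is in the role a bean refers to by the given name.
     *
     * <p>Only the caller roles of the security context are used; run-as roles are not
     * consulted here. Without a security context there is no caller, so the answer is
     * <code>false</code>. The original reached the same answer only through a
     * NullPointerException thrown by its debug trace, which also produced a misleading ERROR
     * entry.
     *
     * @param ejbName name of the bean asking
     * @param roleName role-reference name used by the bean
     * @param inRunAs passed through to the security context when the caller roles are read
     * @return <code>true</code> if the policy implies the role-reference permission;
     *         <code>false</code> if it does not, if there is no security context, or if
     *         anything fails
     */
    public boolean isCallerInRole(String ejbName, String roleName, boolean inRunAs) {
        try {
            PolicyContext.setContextID(getContextId());
            TraceEjb.security.log(BasicLevel.DEBUG, "roleName = " + roleName);

            // Build Protection Domain with a codesource and array of principal
            URI uri = new URI("file://" + getContextId());
            CodeSource codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
            final SecurityContext sctx = SecurityCurrent.getCurrent().getSecurityContext();

            TraceEjb.security.log(BasicLevel.DEBUG, "Security Context = " + sctx);
            if (sctx == null) {
                // Explicit deny instead of dereferencing the missing context.
                TraceEjb.security.log(BasicLevel.DEBUG, "Security context is null");
                return false;
            }

            String[] callerRoles = sctx.getCallerPrincipalRoles(inRunAs);
            TraceEjb.security.log(BasicLevel.DEBUG, "sctx.getCallerPrincipalRoles() = " + describeRoles(callerRoles));

            Principal[] principals = toPrincipals(callerRoles);
            ProtectionDomain protectionDomain = new ProtectionDomain(codesource, null, null, principals);

            //TODO :add cache mechanism
            // See JACC 4.12
            EJBRoleRefPermission ejbRoleRefPermission = new EJBRoleRefPermission(ejbName, roleName);
            boolean isInRole = getPolicy().implies(protectionDomain, ejbRoleRefPermission);
            TraceEjb.security.log(BasicLevel.DEBUG, "Policy.implies result = " + isInRole);
            return isInRole;

        } catch (Exception e) {
            // Deny on any failure; the exception is logged with its class and stack trace.
            TraceEjb.security.log(BasicLevel.ERROR, "Can't check isCallerInRole :" + e.getMessage(), e);
            return false;
        }

    }

    /**
     * Drops the reference to the deployment descriptor. The translate methods throw a
     * PermissionManagerException when called afterwards.
     */
    protected void resetDeploymentDesc() {
        ejbDeploymentDesc = null;
    }

    /**
     * Checks that both inputs of a translation are available.
     *
     * @throws PermissionManagerException if the descriptor or the policy configuration is null
     */
    private void checkTranslationState() throws PermissionManagerException {
        if (ejbDeploymentDesc == null || getPolicyConfiguration() == null) {
            throw new PermissionManagerException("PolicyConfiguration or ejbDeploymentDesc is null");
        }
    }

    /**
     * Wraps each role name in a principal.
     *
     * @param roleNames role names read from the security context
     * @return one principal per role name, in the same order
     * @throws IllegalStateException if no role array was supplied; the callers turn this into
     *         a denial, as the original did through a NullPointerException
     */
    private static Principal[] toPrincipals(String[] roleNames) {
        if (roleNames == null) {
            throw new IllegalStateException("The security context returned no role array");
        }
        Principal[] principals = new Principal[roleNames.length];
        for (int k = 0; k < roleNames.length; k++) {
            principals[k] = new org.objectweb.jonas.security.auth.JPrincipal(roleNames[k]);
        }
        return principals;
    }

    /**
     * Renders a role array for the debug trace; concatenating the array itself would only
     * print its type and identity hash.
     *
     * @param roleNames role names, may be null
     * @return the role names as a bracketed list, or "null"
     */
    private static String describeRoles(String[] roleNames) {
        if (roleNames == null) {
            return "null";
        }
        return java.util.Arrays.asList(roleNames).toString();
    }

}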
