dain        2006/02/01 06:50:08

  Modified:    modules/core/src/java/org/openejb/security
                        EJBRunAsInterceptor.java
                        EJBSecurityInterceptor.java
                        PolicyContextHandlerEJBInterceptor.java
                        SubjectIdExtractInterceptor.java
  Added:       modules/core/src/java/org/openejb/security
                        DefaultSubjectInterceptor.java
                        EjbRunAsInterceptor.java
                        EjbSecurityInterceptor.java
  Log:

  Major refactor
  Split the container into an object representing a deployed ejb and a set of shared containers that process invocations
  Introduced interface between CMP container and CMP engine
  
  Revision  Changes    Path
  1.3       +14 -9     
openejb/modules/core/src/java/org/openejb/security/EJBRunAsInterceptor.java
  
  Index: EJBRunAsInterceptor.java
  ===================================================================
  RCS file: 
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/security/EJBRunAsInterceptor.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- EJBRunAsInterceptor.java  9 Mar 2005 05:01:01 -0000       1.2
  +++ EJBRunAsInterceptor.java  1 Feb 2006 11:50:08 -0000       1.3
  @@ -55,32 +55,37 @@
    */
   package org.openejb.security;
   
  +import javax.security.auth.Subject;
  +
   import org.apache.geronimo.core.service.Interceptor;
  -import org.apache.geronimo.core.service.InvocationResult;
   import org.apache.geronimo.core.service.Invocation;
  +import org.apache.geronimo.core.service.InvocationResult;
   import org.apache.geronimo.security.ContextManager;
  -
  -import javax.security.auth.Subject;
  +import org.openejb.ExtendedEjbDeployment;
  +import org.openejb.EjbInvocation;
   
   
   /**
    * A simple interceptor that sets up the next caller to be the configured 
run-as
    * <code>Subject</code>.
  + *
    * @version $Revision$ $Date$
    */
  -public final class EJBRunAsInterceptor implements Interceptor {
  +public final class EjbRunAsInterceptor implements Interceptor {
       private final Interceptor next;
  -    private final Subject subject;
   
  -    public EJBRunAsInterceptor(Interceptor next, Subject subject) {
  +    public EjbRunAsInterceptor(Interceptor next) {
           this.next = next;
  -        this.subject = subject;
       }
   
       public InvocationResult invoke(Invocation invocation) throws Throwable {
  +        EjbInvocation ejbInvocation = ((EjbInvocation) invocation);
  +        ExtendedEjbDeployment deployment = (ExtendedEjbDeployment) 
ejbInvocation.getEjbDeployment();
  +        Subject runAsSubject = deployment.getRunAsSubject();
  +
           Subject save = ContextManager.getNextCaller();
           try {
  -            ContextManager.setNextCaller(subject);
  +            ContextManager.setNextCaller(runAsSubject);
               return next.invoke(invocation);
           } finally {
               ContextManager.setNextCaller(save);
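Review bot: The run-as Subject is now resolved per call via `deployment.getRunAsSubject()` and installed as-is, and nothing in the hunk states whether that getter may return null for a deployment that declares no run-as role; if it can, `ContextManager.setNextCaller(runAsSubject)` installs null in place of the next caller that EjbSecurityInterceptor later promotes with `setCurrentCaller(getNextCaller())`. Either document the contract on the getter, `/** Run-as Subject for this deployment; never null for deployments this interceptor is wired onto. */`, or skip the swap when it is null, `if (runAsSubject == null) return next.invoke(invocation);`. The new unchecked cast to ExtendedEjbDeployment means a mis-wired chain surfaces as a ClassCastException passed up as a raw Throwable rather than a security exception, which is worth a one-line comment. The same code is added verbatim in the new EjbRunAsInterceptor.java, so the point applies there too. invoke's closing braces lie outside the hunk.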
  
  
  
  1.11      +12 -14    
openejb/modules/core/src/java/org/openejb/security/EJBSecurityInterceptor.java
  
  Index: EJBSecurityInterceptor.java
  ===================================================================
  RCS file: 
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/security/EJBSecurityInterceptor.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- EJBSecurityInterceptor.java       18 Apr 2005 19:05:11 -0000      1.10
  +++ EJBSecurityInterceptor.java       1 Feb 2006 11:50:08 -0000       1.11
  @@ -59,41 +59,39 @@
   import org.apache.geronimo.core.service.Invocation;
   import org.apache.geronimo.core.service.InvocationResult;
   import org.apache.geronimo.security.ContextManager;
  -
  -import org.openejb.EJBInvocation;
   import org.openejb.EJBContextImpl;
  +import org.openejb.ExtendedEjbDeployment;
  +import org.openejb.EjbInvocation;
   
   
   /**
    * An interceptor that performs the JACC EJB security check before continuing
    * on w/ the interceptor stack call.
  + *
    * @version $Revision$ $Date$
    */
  -public final class EJBSecurityInterceptor implements Interceptor {
  +public final class EjbSecurityInterceptor implements Interceptor {
       private final Interceptor next;
  -    private final String policyContextID;
  -    private final PermissionManager permissionManager;
   
  -    public EJBSecurityInterceptor(Interceptor next, String policyContextID, 
PermissionManager permissionManager) {
  +    public EjbSecurityInterceptor(Interceptor next) {
           this.next = next;
  -        //TODO go back to the commented version when possible
  -        this.policyContextID = policyContextID;
  -//        this.policyContextID = policyContextID.toString().replaceAll("[,: 
]", "_");
  -        this.permissionManager = permissionManager;
       }
   
       public InvocationResult invoke(Invocation invocation) throws Throwable {
  -        EJBInvocation ejbInvocation = ((EJBInvocation) invocation);
  -        EJBContextImpl context =  
ejbInvocation.getEJBInstanceContext().getEJBContextImpl();
  +        EjbInvocation ejbInvocation = ((EjbInvocation) invocation);
  +        ExtendedEjbDeployment deployment = (ExtendedEjbDeployment) 
ejbInvocation.getEjbDeployment();
  +
  +        EJBContextImpl context = 
ejbInvocation.getEJBInstanceContext().getEJBContextImpl();
   
           Subject oldCaller = context.getCallerSubject();
           Subject subject = ContextManager.getCurrentCaller();
           String oldPolicyContextID = PolicyContext.getContextID();
   
           try {
  -            PolicyContext.setContextID(policyContextID);
  +            PolicyContext.setContextID(deployment.getPolicyContextId());
               AccessControlContext accessContext = 
ContextManager.getCurrentContext();
               if (accessContext != null) {
  +                PermissionManager permissionManager = 
deployment.getPermissionManager();
                   Permission permission = 
permissionManager.getPermission(ejbInvocation.getType(), 
ejbInvocation.getMethodIndex());
                   if (permission != null) 
accessContext.checkPermission(permission);
               }
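Review bot: The TODO about normalizing the policy context id (the commented-out `replaceAll("[,: ]", "_")`) is deleted together with the field rather than resolved, and `deployment.getPolicyContextId()` now feeds `PolicyContext.setContextID` directly, so that concern now silently rests on ExtendedEjbDeployment. Either carry the TODO over to `getPolicyContextId()` or document there that the id is already in the form the JACC policy provider expects, e.g. `/** Policy context id as registered with the JACC provider; already normalized. */`. In the new `permissionManager` lookup inside the `if (accessContext != null)` block, a null return from `getPermissionManager()` would produce a NullPointerException that escapes as a plain Throwable instead of an access exception; if a deployment can lack a PermissionManager, an explicit null check with a clear failure is preferable. invoke's catch and finally blocks are outside the hunk.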
  
  
  
  1.3       +4 -4      
openejb/modules/core/src/java/org/openejb/security/PolicyContextHandlerEJBInterceptor.java
  
  Index: PolicyContextHandlerEJBInterceptor.java
  ===================================================================
  RCS file: 
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/security/PolicyContextHandlerEJBInterceptor.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- PolicyContextHandlerEJBInterceptor.java   7 Jul 2004 22:17:35 -0000       
1.2
  +++ PolicyContextHandlerEJBInterceptor.java   1 Feb 2006 11:50:08 -0000       
1.3
  @@ -52,7 +52,7 @@
   import org.apache.geronimo.core.service.Interceptor;
   import org.apache.geronimo.core.service.Invocation;
   import org.apache.geronimo.core.service.InvocationResult;
  -import org.openejb.EJBInvocation;
  +import org.openejb.EjbInvocation;
   
   
   /**
  @@ -65,7 +65,7 @@
    * @version $Revision$ $Date$
    * @see org.openejb.security.PolicyContextHandlerEnterpriseBean
    * @see org.openejb.security.PolicyContextHandlerEJBArguments
  - * @see EJBSecurityInterceptor
  + * @see EjbSecurityInterceptor
    */
   public class PolicyContextHandlerEJBInterceptor implements Interceptor {
       private final Interceptor next;
  @@ -77,7 +77,7 @@
       public InvocationResult invoke(final Invocation invocation) throws 
Throwable {
           PolicyContextHandlerDataEJB data = new PolicyContextHandlerDataEJB();
   
  -        EJBInvocation ejbInvocation = (EJBInvocation) invocation;
  +        EjbInvocation ejbInvocation = (EjbInvocation) invocation;
   
           data.arguments = ejbInvocation.getArguments();
           data.bean = ejbInvocation.getEJBInstanceContext().getInstance();
  
  
  
  1.3       +3 -3      
openejb/modules/core/src/java/org/openejb/security/SubjectIdExtractInterceptor.java
  
  Index: SubjectIdExtractInterceptor.java
  ===================================================================
  RCS file: 
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/security/SubjectIdExtractInterceptor.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- SubjectIdExtractInterceptor.java  2 Mar 2004 05:21:40 -0000       1.2
  +++ SubjectIdExtractInterceptor.java  1 Feb 2006 11:50:08 -0000       1.3
  @@ -51,7 +51,7 @@
   import org.apache.geronimo.core.service.Invocation;
   import org.apache.geronimo.core.service.InvocationResult;
   import org.apache.geronimo.security.ContextManager;
  -import org.openejb.EJBInvocationImplRemote;
  +import org.openejb.EjbInvocationImplRemote;
   
   
   /**
  @@ -66,7 +66,7 @@
       }
   
       public InvocationResult invoke(Invocation invocation) throws Throwable {
  -        EJBInvocationImplRemote remoteInvocation = (EJBInvocationImplRemote) 
invocation;
  +        EjbInvocationImplRemote remoteInvocation = (EjbInvocationImplRemote) 
invocation;
           //TODO fix me Help Help!
           
//ContextManager.setNextCaller(ContextManager.getRegisteredSubject((Long) 
remoteInvocation.getSubjectId()));
           return next.invoke(invocation);
  
  
  
  1.1                  
openejb/modules/core/src/java/org/openejb/security/DefaultSubjectInterceptor.java
  
  Index: DefaultSubjectInterceptor.java
  ===================================================================
  /**
   * Redistribution and use of this software and associated documentation
   * ("Software"), with or without modification, are permitted provided
   * that the following conditions are met:
   *
   * 1. Redistributions of source code must retain copyright
   *    statements and notices.  Redistributions must also contain a
   *    copy of this document.
   *
   * 2. Redistributions in binary form must reproduce the
   *    above copyright notice, this list of conditions and the
   *    following disclaimer in the documentation and/or other
   *    materials provided with the distribution.
   *
   * 3. The name "OpenEJB" must not be used to endorse or promote
   *    products derived from this Software without prior written
   *    permission of The OpenEJB Group.  For written permission,
   *    please contact [EMAIL PROTECTED]
   *
   * 4. Products derived from this Software may not be called "OpenEJB"
   *    nor may "OpenEJB" appear in their names without prior written
   *    permission of The OpenEJB Group. OpenEJB is a registered
   *    trademark of The OpenEJB Group.
   *
   * 5. Due credit should be given to the OpenEJB Project
   *    (http://openejb.org/).
   *
   * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS
   * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
   * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
   * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
   * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
   * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   * OF THE POSSIBILITY OF SUCH DAMAGE.
   *
   * Copyright 2005 (C) The OpenEJB Group. All Rights Reserved.
   *
   * $Id: DefaultSubjectInterceptor.java,v 1.1 2006/02/01 11:50:08 dain Exp $
   */
  package org.openejb.security;
  
  import javax.security.auth.Subject;
  
  import org.apache.geronimo.core.service.Interceptor;
  import org.apache.geronimo.core.service.Invocation;
  import org.apache.geronimo.core.service.InvocationResult;
  import org.apache.geronimo.security.ContextManager;
  import org.openejb.EjbDeployment;
  import org.openejb.EjbInvocation;
  
  /**
   * Guarantees that an invocation reaches the rest of the chain with a caller
   * <code>Subject</code> in place. When <code>ContextManager</code> has no current
   * caller, the deployment's default <code>Subject</code> is installed as both the
   * current and the next caller for the duration of the call and cleared again
   * afterwards; when a caller already exists the invocation passes through untouched.
   *
   * NOTE(review): the next caller that was queued before this interceptor ran is not
   * saved; on the way out it is reset to null rather than restored. Confirm that no
   * upstream interceptor relies on it surviving this call.
   *
   * @version $Revision: 1.1 $ $Date: 2006/02/01 11:50:08 $
   */
  public final class DefaultSubjectInterceptor implements Interceptor {
      private final Interceptor interceptor;

      /**
       * @param interceptor the next interceptor in the chain
       */
      public DefaultSubjectInterceptor(Interceptor interceptor) {
          this.interceptor = interceptor;
      }

      /**
       * Installs the default <code>Subject</code> if no caller is established, then
       * delegates to the next interceptor.
       *
       * @param invocation must be an <code>EjbInvocation</code>; its deployment supplies the default subject
       * @return whatever the next interceptor returns
       * @throws Throwable anything the next interceptor throws
       */
      public InvocationResult invoke(Invocation invocation) throws Throwable {
          if (ContextManager.getCurrentCaller() != null) {
              // A caller is already established; nothing to install or tear down.
              return interceptor.invoke(invocation);
          }

          Subject defaultSubject = defaultSubjectOf(invocation);
          ContextManager.setCurrentCaller(defaultSubject);
          ContextManager.setNextCaller(defaultSubject);
          try {
              return interceptor.invoke(invocation);
          } finally {
              // This interceptor installed the caller, so it alone clears it.
              ContextManager.setCurrentCaller(null);
              ContextManager.setNextCaller(null);
          }
      }

      /** Looks up the default <code>Subject</code> configured on the invoked deployment. */
      private static Subject defaultSubjectOf(Invocation invocation) {
          EjbInvocation ejbInvocation = (EjbInvocation) invocation;
          EjbDeployment deployment = ejbInvocation.getEjbDeployment();
          return deployment.getDefaultSubject();
      }
  }
  
  
  
  1.1                  
openejb/modules/core/src/java/org/openejb/security/EjbRunAsInterceptor.java
  
  Index: EjbRunAsInterceptor.java
  ===================================================================
  /* ====================================================================
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 2003 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution,
   *    if any, must include the following acknowledgment:
   *       "This product includes software developed by the
   *        Apache Software Foundation (http:www.apache.org/)."
   *    Alternately, this acknowledgment may appear in the software itself,
   *    if and wherever such third-party acknowledgments normally appear.
   *
   * 4. The names "Apache" and "Apache Software Foundation" and
   *    "Apache Geronimo" must not be used to endorse or promote products
   *    derived from this software without prior written permission. For
   *    written permission, please contact [EMAIL PROTECTED]
   *
   * 5. Products derived from this software may not be called "Apache",
   *    "Apache Geronimo", nor may "Apache" appear in their name, without
   *    prior written permission of the Apache Software Foundation.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http:www.apache.org/>.
   *
   * ====================================================================
   */
  package org.openejb.security;
  
  import javax.security.auth.Subject;
  
  import org.apache.geronimo.core.service.Interceptor;
  import org.apache.geronimo.core.service.Invocation;
  import org.apache.geronimo.core.service.InvocationResult;
  import org.apache.geronimo.security.ContextManager;
  import org.openejb.ExtendedEjbDeployment;
  import org.openejb.EjbInvocation;
  
  
  /**
   * Installs the deployment's configured run-as <code>Subject</code> as the next
   * caller while the rest of the chain executes, and puts the previous next caller
   * back when the call returns or throws.
   *
   * NOTE(review): the value of <code>getRunAsSubject()</code> is installed as-is; if
   * it can be null for a deployment without a run-as role, the next caller is cleared
   * rather than left alone. Confirm the getter's contract.
   *
   * @version $Revision: 1.1 $ $Date: 2006/02/01 11:50:08 $
   */
  public final class EjbRunAsInterceptor implements Interceptor {
      private final Interceptor next;

      /**
       * @param next the interceptor that runs under the run-as identity
       */
      public EjbRunAsInterceptor(Interceptor next) {
          this.next = next;
      }

      /**
       * Swaps the next caller for the deployment's run-as <code>Subject</code>
       * around the downstream call.
       *
       * @param invocation must be an <code>EjbInvocation</code> whose deployment is an <code>ExtendedEjbDeployment</code>
       * @return the downstream result
       * @throws Throwable anything the downstream interceptor throws
       */
      public InvocationResult invoke(Invocation invocation) throws Throwable {
          Subject runAsSubject = runAsSubjectOf(invocation);
          Subject previousNextCaller = ContextManager.getNextCaller();
          try {
              ContextManager.setNextCaller(runAsSubject);
              return next.invoke(invocation);
          } finally {
              // Restore whatever was queued as next caller before this interceptor ran.
              ContextManager.setNextCaller(previousNextCaller);
          }
      }

      /** Resolves the run-as <code>Subject</code> configured on the invoked deployment. */
      private static Subject runAsSubjectOf(Invocation invocation) {
          EjbInvocation ejbInvocation = (EjbInvocation) invocation;
          ExtendedEjbDeployment deployment = (ExtendedEjbDeployment) ejbInvocation.getEjbDeployment();
          return deployment.getRunAsSubject();
      }
  }
  
  
  
  1.1                  
openejb/modules/core/src/java/org/openejb/security/EjbSecurityInterceptor.java
  
  Index: EjbSecurityInterceptor.java
  ===================================================================
  /* ====================================================================
   * Redistribution and use of this software and associated documentation
   * ("Software"), with or without modification, are permitted provided
   * that the following conditions are met:
   *
   * 1. Redistributions of source code must retain copyright
   *    statements and notices.  Redistributions must also contain a
   *    copy of this document.
   *
   * 2. Redistributions in binary form must reproduce this list of
   *    conditions and the following disclaimer in the documentation
   *    and/or other materials provided with the distribution.
   *
   * 3. The name "OpenEJB" must not be used to endorse or promote
   *    products derived from this Software without prior written
   *    permission of The OpenEJB Group.  For written permission,
   *    please contact [EMAIL PROTECTED]
   *
   * 4. Products derived from this Software may not be called "OpenEJB"
   *    nor may "OpenEJB" appear in their names without prior written
   *    permission of The OpenEJB Group. OpenEJB is a registered
   *    trademark of The OpenEJB Group.
   *
   * 5. Due credit should be given to the OpenEJB Project
   *    (http://openejb.org/).
   *
   * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS
   * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
   * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
   * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
   * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
   * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
   * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
   * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
   * OF THE POSSIBILITY OF SUCH DAMAGE.
   *
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the OpenEJB Project.  For more information
   * please see <http://openejb.org/>.
   *
   * ====================================================================
   */
  package org.openejb.security;
  
  import java.rmi.AccessException;
  import java.security.AccessControlContext;
  import java.security.AccessControlException;
  import java.security.Permission;
  import javax.ejb.AccessLocalException;
  import javax.security.auth.Subject;
  import javax.security.jacc.PolicyContext;
  
  import org.apache.geronimo.core.service.Interceptor;
  import org.apache.geronimo.core.service.Invocation;
  import org.apache.geronimo.core.service.InvocationResult;
  import org.apache.geronimo.security.ContextManager;
  import org.openejb.EJBContextImpl;
  import org.openejb.ExtendedEjbDeployment;
  import org.openejb.EjbInvocation;
  
  
  /**
   * An interceptor that performs the JACC EJB security check before continuing
   * on w/ the interceptor stack call.
   *
   * For each call it binds the deployment's policy context id, asks the deployment's
   * <code>PermissionManager</code> for the <code>Permission</code> guarding the invoked
   * method and checks it against the current <code>AccessControlContext</code>. Only
   * after the check passes does it record the current caller on the bean's
   * <code>EJBContextImpl</code> and promote the next caller (for example a run-as
   * subject installed by <code>EjbRunAsInterceptor</code>) to current caller for the
   * downstream chain. Every piece of state it swaps is restored in the
   * <code>finally</code> block.
   *
   * @version $Revision: 1.1 $ $Date: 2006/02/01 11:50:08 $
   */
  public final class EjbSecurityInterceptor implements Interceptor {
      private final Interceptor next;

      /**
       * @param next the interceptor invoked once the permission check passes
       */
      public EjbSecurityInterceptor(Interceptor next) {
          this.next = next;
      }

      /**
       * Checks the JACC permission for the invoked method, then runs the rest of the
       * chain under the promoted caller identity.
       *
       * @param invocation must be an <code>EjbInvocation</code> whose deployment is an <code>ExtendedEjbDeployment</code>
       * @return the downstream result
       * @throws AccessLocalException if the permission check fails for a local view
       * @throws AccessException if the permission check fails for a remote view
       * @throws Throwable anything else the downstream interceptor throws
       */
      public InvocationResult invoke(Invocation invocation) throws Throwable {
          EjbInvocation ejbInvocation = ((EjbInvocation) invocation);
          ExtendedEjbDeployment deployment = (ExtendedEjbDeployment) 
ejbInvocation.getEjbDeployment();

          EJBContextImpl context = 
ejbInvocation.getEJBInstanceContext().getEJBContextImpl();

          // Snapshot everything swapped below so the finally block can put it back.
          Subject oldCaller = context.getCallerSubject();
          Subject subject = ContextManager.getCurrentCaller();
          String oldPolicyContextID = PolicyContext.getContextID();

          try {
              // The JACC provider resolves permissions relative to the bound context id.
              PolicyContext.setContextID(deployment.getPolicyContextId());
              AccessControlContext accessContext = 
ContextManager.getCurrentContext();
              // NOTE(review): with no current AccessControlContext the permission check is
              // skipped entirely; confirm a null context can only occur for callers that
              // were already vetted upstream.
              if (accessContext != null) {
                  PermissionManager permissionManager = 
deployment.getPermissionManager();
                  Permission permission = 
permissionManager.getPermission(ejbInvocation.getType(), 
ejbInvocation.getMethodIndex());
                  // A null permission is treated as "nothing to check" -- presumably an
                  // unchecked method; verify against PermissionManager.
                  if (permission != null) 
accessContext.checkPermission(permission);
              }

              // Check passed: expose the caller to the bean and promote the queued next
              // caller (e.g. a run-as subject) to current caller for the downstream chain.
              context.setCallerSubject(subject);
              ContextManager.setCurrentCaller(ContextManager.getNextCaller());

              return next.invoke(invocation);
          } catch (AccessControlException e) {
              // Also covers an AccessControlException raised anywhere downstream, not only
              // by checkPermission above. Only the message is carried over; the original
              // exception and its stack are not attached to the translated exception.
              if (ejbInvocation.getType().isLocal()) {
                  throw new AccessLocalException(e.getMessage());
              } else {
                  throw new AccessException(e.getMessage());
              }
          } finally {
              // Undo in every outcome, including when next.invoke() throws.
              PolicyContext.setContextID(oldPolicyContextID);
              ContextManager.setCurrentCaller(subject);
              context.setCallerSubject(oldCaller);
          }
      }
  }
  
  
  
