001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.ejb.plugins;
023:
024: import org.jboss.ejb.Container;
025: import org.jboss.invocation.Invocation;
026: import org.jboss.invocation.InvocationType;
027: import org.jboss.metadata.ApplicationMetaData;
028: import org.jboss.metadata.AssemblyDescriptorMetaData;
029: import org.jboss.metadata.BeanMetaData;
030: import org.jboss.metadata.SecurityIdentityMetaData;
031: import org.jboss.security.AnybodyPrincipal;
032: import org.jboss.security.AuthenticationManager;
033: import org.jboss.security.RealmMapping;
034: import org.jboss.security.RunAsIdentity;
035: import org.jboss.system.Registry;
036:
037: import java.security.Principal;
038: import java.util.Map;
039: import java.util.Set;
040: import java.lang.reflect.Method;
041: import javax.security.auth.Subject;
042: import javax.ejb.TimedObject;
043: import javax.ejb.Timer;
044:
045: /**
046: * The SecurityInterceptor is where the EJB 2.0 declarative security model
047: * is enforced. This is where the caller identity propagation is controlled as well.
048: *
049: * @author <a href="on@ibis.odessa.ua">Oleg Nitz</a>
050: * @author <a href="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
051: * @author <a href="mailto:Thomas.Diesler@jboss.org">Thomas Diesler</a>.
052: * @version $Revision: 60859 $
053: */
054: public class SecurityInterceptor extends AbstractInterceptor {
055: /** The interface of an observer that should be notified when principal
056: authentication fails.
057: */
058: public interface AuthenticationObserver {
059: final String KEY = "SecurityInterceptor.AuthenticationObserver";
060:
061: void authenticationFailed();
062: }
063:
064: /** The authentication manager plugin
065: */
066: protected AuthenticationManager securityManager;
067:
068: /** The authorization manager plugin
069: */
070: protected RealmMapping realmMapping;
071:
072: // The bean uses this run-as identity to call out
073: protected RunAsIdentity runAsIdentity;
074:
075: // A map of SecurityRolesMetaData from jboss.xml
076: protected Map securityRoles;
077:
078: // The observer to be notified when principal authentication fails.
079: // This is a hook for the CSIv2 code. The authenticationObserver may
080: // send out a ContextError message, as required by the CSIv2 protocol.
081: protected AuthenticationObserver authenticationObserver;
082: /** */
083: protected Method ejbTimeout;
084:
085: /** Called by the super class to set the container to which this interceptor
086: belongs. We obtain the security manager and runAs identity to use here.
087: */
088: public void setContainer(Container container) {
089: super .setContainer(container);
090: if (container != null) {
091: BeanMetaData beanMetaData = container.getBeanMetaData();
092: ApplicationMetaData applicationMetaData = beanMetaData
093: .getApplicationMetaData();
094: AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData
095: .getAssemblyDescriptor();
096: securityRoles = assemblyDescriptor.getSecurityRoles();
097:
098: SecurityIdentityMetaData secMetaData = beanMetaData
099: .getSecurityIdentityMetaData();
100: if (secMetaData != null
101: && secMetaData.getUseCallerIdentity() == false) {
102: String roleName = secMetaData.getRunAsRoleName();
103: String principalName = secMetaData
104: .getRunAsPrincipalName();
105:
106: // the run-as principal might have extra roles mapped in the assembly-descriptor
107: Set extraRoleNames = assemblyDescriptor
108: .getSecurityRoleNamesByPrincipal(principalName);
109: runAsIdentity = new RunAsIdentity(roleName,
110: principalName, extraRoleNames);
111: }
112:
113: securityManager = container.getSecurityManager();
114: realmMapping = container.getRealmMapping();
115:
116: try {
117: // Get the timeout method
118: ejbTimeout = TimedObject.class.getMethod("ejbTimeout",
119: new Class[] { Timer.class });
120: } catch (NoSuchMethodException ignore) {
121: }
122: }
123: }
124:
125: // Container implementation --------------------------------------
126: public void start() throws Exception {
127: super .start();
128: authenticationObserver = (AuthenticationObserver) Registry
129: .lookup(AuthenticationObserver.KEY);
130: }
131:
132: public Object invokeHome(Invocation mi) throws Exception {
133: // Authenticate the subject and apply any declarative security checks
134: checkSecurityAssociation(mi);
135:
136: /* If a run-as role was specified, push it so that any calls made
137: by this bean will have the runAsRole available for declarative
138: security checks.
139: */
140: SecurityActions.pushRunAsIdentity(runAsIdentity);
141:
142: try {
143: Object returnValue = getNext().invokeHome(mi);
144: return returnValue;
145: } finally {
146: SecurityActions.popRunAsIdentity();
147: SecurityActions.popSubjectContext();
148: }
149: }
150:
151: public Object invoke(Invocation mi) throws Exception {
152: // Authenticate the subject and apply any declarative security checks
153: checkSecurityAssociation(mi);
154:
155: /* If a run-as role was specified, push it so that any calls made
156: by this bean will have the runAsRole available for declarative
157: security checks.
158: */
159: SecurityActions.pushRunAsIdentity(runAsIdentity);
160:
161: try {
162: Object returnValue = getNext().invoke(mi);
163: return returnValue;
164: } finally {
165: SecurityActions.popRunAsIdentity();
166: SecurityActions.popSubjectContext();
167: }
168: }
169:
170: /** The EJB 2.0 declarative security algorithm:
171: 1. Authenticate the caller using the principal and credentials in the MethodInfocation
172: 2. Validate access to the method by checking the principal's roles against
173: those required to access the method.
174: */
175: protected void checkSecurityAssociation(Invocation mi)
176: throws Exception {
177: Principal principal = mi.getPrincipal();
178: Object credential = mi.getCredential();
179: boolean trace = log.isTraceEnabled();
180:
181: // If there is not a security manager then there is no authentication required
182: Method m = mi.getMethod();
183: boolean containerMethod = m == null || m.equals(ejbTimeout);
184: if (containerMethod == true || securityManager == null
185: || container == null) {
186: // Allow for the progatation of caller info to other beans
187: SecurityActions.pushSubjectContext(principal, credential,
188: null);
189: return;
190: }
191:
192: if (realmMapping == null) {
193: throw new SecurityException(
194: "Role mapping manager has not been set");
195: }
196:
197: // authenticate the current principal
198: RunAsIdentity callerRunAsIdentity = SecurityActions
199: .peekRunAsIdentity();
200: if (callerRunAsIdentity == null) {
201: // Check the security info from the method invocation
202: Subject subject = new Subject();
203: if (securityManager.isValid(principal, credential, subject) == false) {
204: // Notify authentication observer
205: if (authenticationObserver != null)
206: authenticationObserver.authenticationFailed();
207: // Check for the security association exception
208: Exception ex = SecurityActions.getContextException();
209: if (ex != null)
210: throw ex;
211: // Else throw a generic SecurityException
212: String msg = "Authentication exception, principal="
213: + principal;
214: SecurityException e = new SecurityException(msg);
215: throw e;
216: } else {
217: SecurityActions.pushSubjectContext(principal,
218: credential, subject);
219: if (trace) {
220: log.trace("Authenticated principal=" + principal);
221: }
222: }
223: } else {
224: // Duplicate the current subject context on the stack since
225: SecurityActions.dupSubjectContext();
226: }
227:
228: // Get the method permissions
229: InvocationType iface = mi.getType();
230: Set methodRoles = container.getMethodPermissions(
231: mi.getMethod(), iface);
232: if (methodRoles == null) {
233: String method = mi.getMethod().getName();
234: String msg = "No method permissions assigned to method="
235: + method + ", interface=" + iface;
236: SecurityException e = new SecurityException(msg);
237: throw e;
238: } else if (trace) {
239: log.trace("method=" + mi.getMethod() + ", interface="
240: + iface + ", requiredRoles=" + methodRoles);
241: }
242:
243: // Check if the caller is allowed to access the method
244: if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false) {
245: // The caller is using a the caller identity
246: if (callerRunAsIdentity == null) {
247: // Now actually check if the current caller has one of the required method roles
248: if (realmMapping.doesUserHaveRole(principal,
249: methodRoles) == false) {
250: Set userRoles = realmMapping
251: .getUserRoles(principal);
252: String method = mi.getMethod().getName();
253: BeanMetaData beanMetaData = container
254: .getBeanMetaData();
255: String msg = "Insufficient method permissions, principal="
256: + principal
257: + ", ejbName="
258: + beanMetaData.getEjbName()
259: + ", method="
260: + method
261: + ", interface="
262: + iface
263: + ", requiredRoles="
264: + methodRoles
265: + ", principalRoles=" + userRoles;
266: SecurityException e = new SecurityException(msg);
267: throw e;
268: }
269: }
270:
271: // The caller is using a run-as identity
272: else {
273: // Check that the run-as role is in the set of method roles
274: if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false) {
275: String method = mi.getMethod().getName();
276: BeanMetaData beanMetaData = container
277: .getBeanMetaData();
278: String msg = "Insufficient method permissions, principal="
279: + principal
280: + ", ejbName="
281: + beanMetaData.getEjbName()
282: + ", method="
283: + method
284: + ", interface="
285: + iface
286: + ", requiredRoles="
287: + methodRoles
288: + ", runAsRoles="
289: + callerRunAsIdentity.getRunAsRoles();
290: SecurityException e = new SecurityException(msg);
291: throw e;
292: }
293: }
294: }
295: }
296: }
|