Posted to commits@tomee.apache.org by jg...@apache.org on 2019/05/29 10:02:07 UTC

[tomee] 02/07: Only check JACC permissions here

This is an automated email from the ASF dual-hosted git repository.

jgallimore pushed a commit to branch tomee-7.1.x
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 0b71eec6e8a18a80fa3296a998523fec2024a21a
Author: Jonathan Gallimore <jo...@jrg.me.uk>
AuthorDate: Tue Aug 21 22:39:10 2018 +0100

    Only check JACC permissions here
---
 .../src/test/resources/arquillian.xml              | 23 ++++++++++++++++++++++
 arquillian/arquillian-tomee-tests/pom.xml          | 17 ++++++++++++++++
 .../core/security/jacc/BasicJaccProvider.java      | 18 ++++++++++++++++-
 3 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/arquillian/arquillian-tomee-tests/arquillian-tomee-webprofile-tests/src/test/resources/arquillian.xml b/arquillian/arquillian-tomee-tests/arquillian-tomee-webprofile-tests/src/test/resources/arquillian.xml
index fb0f5fd..8640e8e 100644
--- a/arquillian/arquillian-tomee-tests/arquillian-tomee-webprofile-tests/src/test/resources/arquillian.xml
+++ b/arquillian/arquillian-tomee-tests/arquillian-tomee-webprofile-tests/src/test/resources/arquillian.xml
@@ -113,6 +113,29 @@
       </property>
     </configuration>
   </container>
+  <container qualifier="tomee-remote-secpol">
+    <configuration>
+      <property name="httpPort">-1</property>
+      <property name="ajpPort">-1</property>
+      <property name="stopPort">-1</property>
+      <property name="dir">target/tomee-remote</property>
+      <property name="appWorkingDir">target/arquillian-remote-working-dir</property>
+      <property name="portRange">33001-36000</property>
+      <property name="cleanOnStartUp">true</property>
+      <property name="properties">
+        My\ DataSource.JdbcUrl = jdbc:hsqldb:mem:hsqldb
+        My\ Unmanaged\ DataSource.JdbcUrl = jdbc:hsqldb:mem:hsqldb
+        openejb.classloader.forced-load=org.apache.openejb.arquillian.tests
+        openejb.ear.use-as-webcontext-base=true
+        embedded = false
+
+        # try to save some permgen mem
+        openejb.cdi.activated-on-ejb = false
+        openejb.descriptors.output = true
+        javax.security.jacc.policy.provider=sun.security.provider.PolicyFile
+      </property>
+    </configuration>
+  </container>
   <container qualifier="tomee-webapp">
     <configuration>
       <property name="httpPort">-1</property>
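Review bot: The new `tomee-remote-secpol` container is a near-copy of an existing remote container whose only distinguishing line is `javax.security.jacc.policy.provider=sun.security.provider.PolicyFile`, and nothing in the block says why that provider is wanted or what "secpol" stands for. A comment on the container would save the next reader a diff against the sibling blocks, e.g. `<!-- same as tomee-remote, but with the JDK's file-based java.security.Policy as the JACC policy provider, so the security-policy test path is exercised -->`. `sun.security.provider.PolicyFile` is a JDK-internal class rather than a public API, so it is worth saying in that comment that the value is tied to the JDK this branch targets and may need revisiting on newer runtimes.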
diff --git a/arquillian/arquillian-tomee-tests/pom.xml b/arquillian/arquillian-tomee-tests/pom.xml
index 310fbf8..5799e29 100644
--- a/arquillian/arquillian-tomee-tests/pom.xml
+++ b/arquillian/arquillian-tomee-tests/pom.xml
@@ -268,6 +268,23 @@
                 </configuration>
               </execution>
               <execution>
+                <id>test-tomee-remote-secpol</id>
+                <phase>test</phase>
+                <goals>
+                  <goal>test</goal>
+                </goals>
+                <configuration>
+                  <skip>${skip.remote.webprofile}</skip>
+                  <systemPropertyVariables>
+                    <openejb.arquillian.debug>true</openejb.arquillian.debug>
+                    <tomee.version>${project.version}</tomee.version>
+                    <tomee.classifier>webprofile</tomee.classifier>
+                    <arquillian.launch>tomee-remote-secpol</arquillian.launch>
+                    <openejb.arquillian.adapter>tomee-remote</openejb.arquillian.adapter>
+                  </systemPropertyVariables>
+                </configuration>
+              </execution>
+              <execution>
                 <id>test-tomee-embedded</id>
                 <phase>test</phase>
                 <goals>
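Review bot: The added `test-tomee-remote-secpol` execution appears to differ from the existing remote execution only in `<arquillian.launch>tomee-remote-secpol</arquillian.launch>`, yet it reuses `${skip.remote.webprofile}` and carries no comment explaining why a second remote run exists. A one-line comment above the `<execution>` would make the intent visible in the pom itself, e.g. `<!-- re-runs the remote webprofile suite against the tomee-remote-secpol container (file-based JACC policy provider), see arquillian.xml -->`. If a dedicated skip property is ever wanted for this run, `${skip.remote.webprofile}` would also need to be split, but reusing it is reasonable for now.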
diff --git a/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicJaccProvider.java b/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicJaccProvider.java
index 4d59fa1..a77c46c 100644
--- a/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicJaccProvider.java
+++ b/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicJaccProvider.java
@@ -19,20 +19,36 @@ package org.apache.openejb.core.security.jacc;
 
 import org.apache.openejb.core.security.JaccProvider;
 
+import javax.security.jacc.EJBMethodPermission;
+import javax.security.jacc.EJBRoleRefPermission;
 import javax.security.jacc.PolicyConfiguration;
 import javax.security.jacc.PolicyContext;
 import javax.security.jacc.PolicyContextException;
+import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebRoleRefPermission;
+import javax.security.jacc.WebUserDataPermission;
 import java.security.CodeSource;
 import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.ProtectionDomain;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * @version $Rev$ $Date$
  */
 public class BasicJaccProvider extends JaccProvider {
+    private static final Set<Class> JACC_PERMISSIONS = new HashSet<Class>() {
+        {
+            add(EJBMethodPermission.class);
+            add(EJBRoleRefPermission.class);
+            add(WebResourcePermission.class);
+            add(WebRoleRefPermission.class);
+            add(WebUserDataPermission.class);
+        }
+    };
     static {
         // force preloading to avoid to loop under SecurityManager
         try {
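Review bot: `JACC_PERMISSIONS` is declared with the raw type `Set<Class>` and built with double-brace initialization, which creates an anonymous `HashSet` subclass and leaves the set mutable; since the second hunk compares it against `permission.getClass()`, whose static type is `Class<? extends Permission>`, the element type can be stated precisely and the set made unmodifiable. The rewrite below uses `Collections.unmodifiableSet` over `Arrays.asList`, which keeps the code on Java 7/8 APIs and needs `java.util.Arrays` and `java.util.Collections` added to the import block in this hunk. A short comment is also missing on what the set means; I would add `// Permission types this provider decides itself (exact-class match; the JACC permission classes are final). Other permissions are not handled by the contextID branch of implies().` — the `else` path of `implies()` is outside the hunks, so I have not verified what happens to non-JACC permissions there. The `static {` initializer at the end of the hunk continues outside SOURCE.
```java
    // Permission types this provider decides itself (exact-class match; the JACC
    // permission classes are final). Other permissions are not handled by the
    // contextID branch of implies().
    private static final Set<Class<? extends Permission>> JACC_PERMISSIONS =
            Collections.unmodifiableSet(new HashSet<Class<? extends Permission>>(Arrays.asList(
                    EJBMethodPermission.class,
                    EJBRoleRefPermission.class,
                    WebResourcePermission.class,
                    WebRoleRefPermission.class,
                    WebUserDataPermission.class)));
    // … unchanged: static preloading initializer …
```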
@@ -82,7 +98,7 @@ public class BasicJaccProvider extends JaccProvider {
     public boolean implies(final ProtectionDomain domain, final Permission permission) {
         final String contextID = PolicyContext.getContextID();
 
-        if (contextID != null) {
+        if (contextID != null && JACC_PERMISSIONS.contains(permission.getClass())) {
             try {
                 final BasicPolicyConfiguration configuration = configurations.get(contextID);