Posted to commits@tomee.apache.org by db...@apache.org on 2007/03/26 01:33:39 UTC
svn commit: r522381 - in
/incubator/openejb/trunk/openejb3/container/openejb-core/src:
main/java/org/apache/openejb/config/
main/java/org/apache/openejb/core/ivm/naming/
main/java/org/apache/openejb/core/security/jacc/
test/java/org/apache/openejb/core...
Author: dblevins
Date: Sun Mar 25 16:33:39 2007
New Revision: 522381
URL: http://svn.apache.org/viewvc?view=rev&rev=522381
Log:
Basic security working.
Processing and enforcing of excludes-list. Enforcement of methods restricted to specific roles.
Modified:
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/naming/InitContextFactory.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicPolicyConfiguration.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/test/resources/groups.properties
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java?view=diff&rev=522381&r1=522380&r2=522381
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java Sun Mar 25 16:33:39 2007
@@ -68,6 +68,7 @@
import org.apache.openejb.jee.SessionBean;
import org.apache.openejb.jee.SessionType;
import org.apache.openejb.jee.TransactionType;
+import org.apache.openejb.jee.ExcludeList;
import org.apache.openejb.jee.oejb3.EjbDeployment;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.util.Logger;
@@ -156,6 +157,7 @@
initInterceptors(jar, ejbJar, infos);
initSecurityRoles(jar, ejbJar);
initMethodPermissions(jar, ejbds, ejbJar);
+ initExcludesList(jar, ejbds, ejbJar);
initMethodTransactions(jar, ejbds, ejbJar);
for (EnterpriseBeanInfo bean : ejbJar.enterpriseBeans) {
@@ -315,6 +317,15 @@
}
}
+ private void initExcludesList(EjbModule jar, Map ejbds, EjbJarInfo ejbJarInfo) {
+
+ ExcludeList methodPermissions = jar.getEjbJar().getAssemblyDescriptor().getExcludeList();
+
+ for (Method excludedMethod : methodPermissions.getMethod()) {
+ ejbJarInfo.excludeList.add(getMethodInfo(excludedMethod, ejbds));
+ }
+ }
+
private void resolveRoleLinks(EjbModule jar, EnterpriseBeanInfo bean, JndiConsumer item) {
if (!(item instanceof RemoteBean)) {
return;
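Review bot: `initExcludesList` dereferences the result of `getExcludeList()` without a null check, so an ejb-jar.xml that declares no exclude-list element would presumably leave the getter returning null and the loop at `methodPermissions.getMethod()` fails deployment with a NullPointerException; `initMethodPermissions` is outside the hunk, but whatever guard it applies to the analogous getter should be mirrored here, e.g. `if (excludeList == null) return;` before the loop. The local is also named `methodPermissions` although it holds the exclude-list; `ExcludeList excludeList = jar.getEjbJar().getAssemblyDescriptor().getExcludeList();` reads more honestly for a structure whose entries are denied rather than permitted. A one-line comment such as `// methods in the exclude-list are denied regardless of role; an absent element means nothing is excluded` would document the intent the commit log describes.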
@@ -343,24 +354,29 @@
List<MethodInfo> mi = new ArrayList<MethodInfo>(ms.size());
for (Method method : ms) {
- MethodInfo methodInfo = new MethodInfo();
-
- EjbDeployment d = (EjbDeployment) ejbds.get(method.getEjbName());
-
- methodInfo.description = method.getDescription();
- methodInfo.ejbDeploymentId = d.getDeploymentId();
- methodInfo.ejbName = method.getEjbName();
- methodInfo.methodIntf = (method.getMethodIntf() == null) ? null : method.getMethodIntf().toString();
- methodInfo.methodName = method.getMethodName();
-
- MethodParams mp = method.getMethodParams();
- if (mp != null) {
- methodInfo.methodParams = mp.getMethodParam();
- }
+ MethodInfo methodInfo = getMethodInfo(method, ejbds);
mi.add(methodInfo);
}
return mi;
+ }
+
+ private MethodInfo getMethodInfo(Method method, Map ejbds) {
+ MethodInfo methodInfo = new MethodInfo();
+
+ EjbDeployment d = (EjbDeployment) ejbds.get(method.getEjbName());
+
+ methodInfo.description = method.getDescription();
+ methodInfo.ejbDeploymentId = d.getDeploymentId();
+ methodInfo.ejbName = method.getEjbName();
+ methodInfo.methodIntf = (method.getMethodIntf() == null) ? null : method.getMethodIntf().toString();
+ methodInfo.methodName = method.getMethodName();
+
+ MethodParams mp = method.getMethodParams();
+ if (mp != null) {
+ methodInfo.methodParams = mp.getMethodParam();
+ }
+ return methodInfo;
}
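Review bot: `getMethodInfo` casts `ejbds.get(method.getEjbName())` and immediately dereferences `d.getDeploymentId()`, and since the extracted helper now also serves the exclude-list path, a `<method>` whose `ejb-name` matches no deployment surfaces as a bare NullPointerException instead of an error naming the bean. The lookup is carried over from the removed inline code, but the extraction is the place to add the guard: `if (d == null) throw new IllegalArgumentException("No deployment found for ejb-name " + method.getEjbName());` before the assignments. The raw `Map ejbds` parameter could also be typed `Map<String, EjbDeployment>` (the file already uses generics for `List<MethodInfo>`), which removes the cast; I cannot see the caller's declaration from here, so confirm the key type first.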
private EnterpriseBeanInfo initSessionBean(SessionBean s, Map m) throws OpenEJBException {
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/naming/InitContextFactory.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/naming/InitContextFactory.java?view=diff&rev=522381&r1=522380&r2=522381
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/naming/InitContextFactory.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/ivm/naming/InitContextFactory.java Sun Mar 25 16:33:39 2007
@@ -20,10 +20,13 @@
import java.util.Properties;
import javax.naming.Context;
+import javax.naming.AuthenticationException;
+import javax.security.auth.login.LoginException;
import org.apache.openejb.EnvProps;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.ContainerSystem;
+import org.apache.openejb.spi.SecurityService;
public class InitContextFactory implements javax.naming.spi.InitialContextFactory {
@@ -32,6 +35,19 @@
initializeOpenEJB(env);
}
+
+ String user = (String) env.get(Context.SECURITY_PRINCIPAL);
+ String pass = (String) env.get(Context.SECURITY_CREDENTIALS);
+
+ if (user != null && pass != null){
+ try {
+ SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
+ Object identity = securityService.login(user, pass);
+ securityService.associate(identity);
+ } catch (LoginException e) {
+ throw (AuthenticationException) new AuthenticationException("User could not be authenticated: "+user).initCause(e);
+ }
+ }
ContainerSystem containerSystem = SystemInstance.get().getComponent(ContainerSystem.class);
Context context = containerSystem.getJNDIContext();
context = (Context) context.lookup("java:openejb/ejb");
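Review bot: The new login block casts both `Context.SECURITY_PRINCIPAL` and `Context.SECURITY_CREDENTIALS` straight to `String`, so a caller that supplies the credential as a `char[]` gets a ClassCastException rather than an AuthenticationException; reading it as `Object credentials = env.get(Context.SECURITY_CREDENTIALS);` and converting with `String pass = credentials instanceof char[] ? new String((char[]) credentials) : (String) credentials;` keeps the existing behaviour for strings. Separately, nothing on the visible lines clears a previously associated identity when the environment carries no credentials, so a later unauthenticated `InitialContext` on a thread that logged in earlier would presumably keep that earlier identity — the `SecurityService` contract is outside the hunk, so confirm whether `associate` is expected to be paired with a disassociate at context close or whether an explicit reset belongs in the else branch. The enclosing factory method starts before the hunk.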
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicPolicyConfiguration.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicPolicyConfiguration.java?view=diff&rev=522381&r1=522380&r2=522381
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicPolicyConfiguration.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/jacc/BasicPolicyConfiguration.java Sun Mar 25 16:33:39 2007
@@ -40,12 +40,9 @@
private final String contextID;
private int state;
private final HashMap<String, Permissions> rolePermissionsMap = new HashMap();
- private final HashMap<Principal, Permissions> principalRoleMapping = new HashMap();
private Permissions unchecked = null;
private Permissions excluded = null;
- private final HashMap<Principal, Permissions> principalPermissionsMap = new HashMap();
-
BasicPolicyConfiguration(String contextID) {
this.contextID = contextID;
this.state = OPEN;
@@ -67,7 +64,7 @@
for (int i = 0; i < principals.length; i++) {
Principal principal = principals[i];
- Permissions permissions = (Permissions) principalPermissionsMap.get(principal);
+ Permissions permissions = (Permissions) rolePermissionsMap.get(principal.getName());
if (permissions != null && permissions.implies(permission)) return true;
}
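Review bot: `implies` now grants a permission whenever any principal's `getName()` matches a role key in `rolePermissionsMap`, which makes every principal in the subject a candidate role name rather than only group principals. If the `SecurityService` also places the user principal in the array (the test logs in as "jonathan" and groups.properties maps role names to user names, which suggests the two principal kinds are distinct, but that lives outside this hunk), a user whose login name coincides with a role name would inherit that role's permissions. Restricting the match to the principal type the service uses for groups, or having the service pass a resolved role set, would close that; at minimum a comment above the loop should state the assumption, e.g. `// assumes every Principal handed to this policy is a group/role principal; user principals must not reach this lookup — confirm against SecurityService`. The enclosing `implies` method starts before the hunk.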
@@ -75,11 +72,6 @@
return false;
}
- public void setPrincipalRoleMapping(Map principalRoleMap) throws PolicyContextException {
- principalRoleMapping.clear();
- principalRoleMapping.putAll(principalRoleMap);
- }
-
public void addToRole(String roleName, PermissionCollection permissions) throws PolicyContextException {
if (state != OPEN) throw new UnsupportedOperationException("Not in an open state");
@@ -162,27 +154,6 @@
public void commit() throws PolicyContextException {
if (state != OPEN) throw new UnsupportedOperationException("Not in an open state");
-
- for (Iterator principalEntries = principalRoleMapping.entrySet().iterator(); principalEntries.hasNext(); ) {
- Map.Entry principalEntry = (Map.Entry) principalEntries.next();
- Principal principal = (Principal) principalEntry.getKey();
- Permissions principalPermissions = (Permissions) principalPermissionsMap.get(principal);
-
- if (principalPermissions == null) {
- principalPermissions = new Permissions();
- principalPermissionsMap.put(principal, principalPermissions);
- }
-
- HashSet roleSet = (HashSet) principalEntry.getValue();
- for (Iterator roles = roleSet.iterator(); roles.hasNext(); ) {
- Permissions permissions = (Permissions) rolePermissionsMap.get(roles.next());
- if (permissions == null) continue;
- for (Enumeration rolePermissions = permissions.elements(); rolePermissions.hasMoreElements(); ) {
- principalPermissions.add((Permission) rolePermissions.nextElement());
- }
- }
-
- }
state = IN_SERVICE;
}
@@ -198,10 +169,8 @@
public void open(boolean remove) {
if (remove) {
rolePermissionsMap.clear();
- principalRoleMapping.clear();
unchecked = null;
excluded = null;
- principalPermissionsMap.clear();
}
state = OPEN;
}
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java?view=diff&rev=522381&r1=522380&r2=522381
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java Sun Mar 25 16:33:39 2007
@@ -30,6 +30,7 @@
import org.apache.openejb.jee.StatelessBean;
import javax.naming.InitialContext;
+import javax.naming.Context;
import javax.ejb.Stateless;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.PermitAll;
@@ -45,7 +46,7 @@
public void _test() throws Exception {
}
-
+
public void test() throws Exception {
System.setProperty(javax.naming.Context.INITIAL_CONTEXT_FACTORY, InitContextFactory.class.getName());
@@ -76,20 +77,35 @@
assembler.createApplication(ejbJarInfo);
- InitialContext ctx = new InitialContext();
+ Properties props = new Properties();
+ props.setProperty(Context.SECURITY_PRINCIPAL, "jonathan");
+ props.setProperty(Context.SECURITY_CREDENTIALS, "secret");
+
+ InitialContext ctx = new InitialContext(props);
+
+
Foo foo = (Foo) ctx.lookup("FooBeanBusinessLocal");
foo.svnCheckout("");
+
+ foo.svnCommit("");
+
+ try {
+ foo.deleteProject("");
+ fail("Should not be allowed");
+ } catch (Exception e) {
+ // good.
+ }
}
@Stateless
public static class FooBean implements Foo {
- @RolesAllowed({"Committer"})
+ @RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
}
- @RolesAllowed({"Committer", "Contributor"})
+ @RolesAllowed({"committer", "contributor"})
public String submitPatch(String s) {
return s;
}
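Review bot: The `catch (Exception e)` around `foo.deleteProject("")` accepts any failure as a successful denial, so a NullPointerException in the new exclude-list path or a failed lookup would make the test pass for the wrong reason. Catch the type the container throws for an authorization denial (in the EJB 3.0 API that is `javax.ejb.EJBAccessException`; confirm what OpenEJB raises at this revision) or at least assert on `e.getClass()` inside the catch, and let anything else propagate. The remaining test methods and the `Foo` interface are outside this hunk, so the same pattern is worth checking there.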
@@ -106,14 +122,14 @@
}
@Stateless
- @RunAs("Contributor")
+ @RunAs("contributor")
public static class BarBean implements Foo {
- @RolesAllowed({"Committer"})
+ @RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
}
- @RolesAllowed({"Committer", "Contributor"})
+ @RolesAllowed({"committer", "contributor"})
public String submitPatch(String s) {
return s;
}
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/test/resources/groups.properties
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/test/resources/groups.properties?view=diff&rev=522381&r1=522380&r2=522381
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/test/resources/groups.properties (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/test/resources/groups.properties Sun Mar 25 16:33:39 2007
@@ -15,6 +15,6 @@
## limitations under the License.
## ---------------------------------------------------------------------------
-programmers=jonathan
-accounting=daniel
-employees=jonathan,daniel
+committer=jonathan
+contributor=daniel
+community=jonathan,daniel