private void hasPermission(EJBComponent ejbComponent, ComponentView componentView, Method method, SecurityIdentity securityIdentity) { MethodInterfaceType methodIntfType = getMethodInterfaceType(componentView.getPrivateData(MethodIntf.class)); EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType); ProtectionDomain domain = new ProtectionDomain (componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity)); Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy(); if (!policy.implies(domain, permission)) { throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method,ejbComponent.getComponentName()); } }
try { AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> { hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity); return null; }); hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
} else { if (componentDescription.isEnableJacc()) { authorizationInterceptor = new JaccInterceptor(viewClassName, viewMethod); } else { authorizationInterceptor = new RolesAllowedInterceptor(ejbMethodSecurityMetaData.getRolesAllowed());
public boolean isCallerInRole(final String roleName) throws IllegalStateException { if (isSecurityDomainKnown()) { if (enableJacc) { Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy(); ProtectionDomain domain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity())); return policy.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName)); } else { return checkCallerSecurityIdentityRole(roleName); } } else if (WildFlySecurityManager.isChecking()) { return WildFlySecurityManager.doUnchecked((PrivilegedAction<Boolean>) () -> serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName)); } else { return this.serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName); } }