/**
 * {@inheritDoc}
 *
 * <p>This override supplies the EJB-specific service: the context id, the collected
 * {@code EjbJaccConfig} attachments and the standalone flag are forwarded to
 * {@code EjbJaccService} exactly as received.</p>
 */
@Override
protected JaccService<AttachmentList<EjbJaccConfig>> createService(String contextId, AttachmentList<EjbJaccConfig> metaData, Boolean standalone) {
    final JaccService<AttachmentList<EjbJaccConfig>> service = new EjbJaccService(contextId, metaData, standalone);
    return service;
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Returns a lookup function from a security-domain name to its registered
 * {@code ApplicationSecurityDomainConfig}.
 *
 * <p>The returned function walks {@code knownApplicationSecurityDomains} while holding that
 * collection's monitor and yields the first entry for which {@code isSameDomain(name)} is
 * true. It yields {@code null} when nothing matches, so every caller has to treat
 * {@code null} as "this domain is not registered" and pick its fallback deliberately.</p>
 *
 * @return the lookup function
 */
Function<String, ApplicationSecurityDomainConfig> getKnownSecurityDomainFunction() {
    return name -> {
        ApplicationSecurityDomainConfig match = null;
        // Iteration is done under the collection's own monitor so the scan does not
        // overlap with other code that locks the same object.
        synchronized (knownApplicationSecurityDomains) {
            for (ApplicationSecurityDomainConfig candidate : knownApplicationSecurityDomains) {
                if (candidate.isSameDomain(name)) {
                    match = candidate;
                    break;
                }
            }
        }
        return match;
    };
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Creates a security attribute that limits a method to the given roles.
 *
 * <p>Both boolean constructor arguments are passed as {@code false}.
 * NOTE(review): they are presumably the permit-all / deny-all markers; confirm the order
 * against the constructor, which is not shown here.</p>
 *
 * <p>The {@code roles} set is handed to the constructor as-is. Whether the constructor
 * copies it is not visible from here; if it does not, a caller that later mutates the set
 * would also change the roles this attribute reports (TODO confirm).</p>
 *
 * @param roles the role names allowed to invoke the method
 * @return a new attribute carrying {@code roles}
 */
public static EJBMethodSecurityAttribute rolesAllowed(final Set<String> roles) {
    final EJBMethodSecurityAttribute attribute = new EJBMethodSecurityAttribute(false, false, roles);
    return attribute;
}
String securityDomain = securityMetaData.getSecurityDomain(); if (securityDomain == null) { securityDomain = DEFAULT_DOMAIN; ROOT_LOGGER.trace("Using security domain: " + securityDomain + " for EJB " + ejbComponent.getComponentName()); final String runAs = securityMetaData.getRunAs(); final String runAsPrincipal = securityMetaData.getRunAsPrincipal(); final SecurityRolesMetaData securityRoles = securityMetaData.getSecurityRoles(); Set<String> extraRoles = null; Map<String,Set<String>> principalVsRolesMap = null; extraRoles = securityRoles.getSecurityRoleNamesByPrincipal(runAsPrincipal); SecurityContextInterceptorHolder holder = new SecurityContextInterceptorHolder(); holder.setSecurityManager(securityManager).setSecurityDomain(securityDomain) .setRunAs(runAs).setRunAsPrincipal(runAsPrincipal).setPolicyContextID(this.policyContextID) .setExtraRoles(extraRoles).setPrincipalVsRolesMap(principalVsRolesMap) .setSkipAuthentication(securityRequired == false); return new SecurityContextInterceptor(holder);
/**
 * <p>
 * Translates the method's security metadata into the set of {@code Principal}s that may invoke it.
 * </p>
 * <ul>
 * <li>deny-all: the set holds only {@code NobodyPrincipal.NOBODY_PRINCIPAL};</li>
 * <li>permit-all: the set holds only {@code AnybodyPrincipal.ANYBODY_PRINCIPAL};</li>
 * <li>otherwise: one {@code SimplePrincipal} per name returned by {@code getRolesAllowed()}.</li>
 * </ul>
 * <p>
 * Deny-all is tested before permit-all, so deny wins if the metadata ever reports both. When neither flag
 * is set and no roles are listed the result is an empty set; how the authorization call treats an empty
 * set is not visible here (NOTE(review): confirm it is handled as "no access").
 * </p>
 *
 * @return the constructed set of role principals.
 */
protected Set<Principal> getMethodRolesAsPrincipals() {
    final Set<Principal> principals = new HashSet<>();
    if (this.ejbMethodSecurityMetaData.isDenyAll()) {
        principals.add(NobodyPrincipal.NOBODY_PRINCIPAL);
        return principals;
    }
    if (this.ejbMethodSecurityMetaData.isPermitAll()) {
        principals.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
        return principals;
    }
    // Role-restricted method: wrap every allowed role name in a principal.
    for (final String roleName : this.ejbMethodSecurityMetaData.getRolesAllowed()) {
        principals.add(new SimplePrincipal(roleName));
    }
    return principals;
}
/**
 * Combines a newly computed security attribute with one that was recorded earlier.
 *
 * <p>When {@code existingRoles} is {@code null} or lists no roles, the new attribute is returned
 * untouched. Otherwise the result is a roles-allowed attribute holding the union of both role sets.</p>
 *
 * <p>NOTE(review): the merged result is built only from the two role sets via
 * {@code EJBMethodSecurityAttribute.rolesAllowed}. If the incoming attribute carried a deny-all or
 * permit-all marking, that marking would presumably not survive the merge; confirm that callers only
 * reach this path with role-based attributes.</p>
 *
 * @param ejbMethodSecurityMetaData the attribute computed for the current declaration
 * @param existingRoles the attribute already recorded, may be {@code null}
 * @return the attribute to record
 */
private EJBMethodSecurityAttribute mergeExistingRoles(EJBMethodSecurityAttribute ejbMethodSecurityMetaData, final EJBMethodSecurityAttribute existingRoles) {
    // Nothing to merge with: keep the new attribute as it is.
    if (existingRoles == null || existingRoles.getRolesAllowed().isEmpty()) {
        return ejbMethodSecurityMetaData;
    }
    // Copy first so neither input's role set is modified.
    final Set<String> merged = new HashSet<String>(existingRoles.getRolesAllowed());
    merged.addAll(ejbMethodSecurityMetaData.getRolesAllowed());
    return EJBMethodSecurityAttribute.rolesAllowed(merged);
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Copies every collected EJB permission into the JACC {@code PolicyConfiguration}.
 *
 * <p>For each {@code EjbJaccConfig}: denied permissions go to the excluded policy, permitted ones to
 * the unchecked policy, and each (role, permission) pair is added to that role. Nothing is filtered
 * or de-duplicated here; the policy receives exactly what the metadata lists.</p>
 *
 * @param metaData the per-deployment permission sets
 * @param policyConfiguration the policy being populated
 * @throws PolicyContextException if the policy configuration rejects an addition
 */
@Override
public void createPermissions(final AttachmentList<EjbJaccConfig> metaData, final PolicyConfiguration policyConfiguration) throws PolicyContextException {
    for (final EjbJaccConfig config : metaData) {
        // Excluded policy: nobody may use these permissions.
        for (final Permission excluded : config.getDeny()) {
            policyConfiguration.addToExcludedPolicy(excluded);
        }
        // Unchecked policy: granted without a role check.
        for (final Permission unchecked : config.getPermit()) {
            policyConfiguration.addToUncheckedPolicy(unchecked);
        }
        // Role-bound grants.
        for (final Entry<String, Permission> grant : config.getRoles()) {
            policyConfiguration.addToRole(grant.getKey(), grant.getValue());
        }
    }
}
} // closes the enclosing class, whose header is outside this excerpt
interceptorFactories.put(InterceptorOrder.View.POLICY_CONTEXT, new ImmediateInterceptorFactory(new PolicyContextIdInterceptor(policyContextID))); final Map<String, Set<String>> principalVsRolesMap = securityRoles.getPrincipalVersusRolesMap(); if (! principalVsRolesMap.isEmpty()) { interceptorFactories.put(InterceptorOrder.View.SECURITY_ROLES, new ImmediateInterceptorFactory(new SecurityRolesAddingInterceptor("ejb", principalVsRolesMap))); interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(runAsPrincipal))); final Set<String> extraRoles = securityRoles.getSecurityRoleNamesByPrincipal(runAsPrincipal); if (! extraRoles.isEmpty()) { interceptorFactories.put(InterceptorOrder.View.EXTRA_PRINCIPAL_ROLES, new ImmediateInterceptorFactory(new RoleAddingInterceptor("ejb", RoleMapper.constant(Roles.fromSet(extraRoles))))); roles.addAll(extraRoles); interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(RunAsPrincipalInterceptor.ANONYMOUS_PRINCIPAL))); interceptorFactories.put(InterceptorOrder.View.RUN_AS_ROLE, new ImmediateInterceptorFactory(new RoleAddingInterceptor("ejb", RoleMapper.constant(Roles.fromSet(Collections.singleton(runAsRole)))))); roles.add(runAsRole); interceptorFactories.put(InterceptorOrder.View.SECURITY_IDENTITY_OUTFLOW, new IdentityOutflowInterceptorFactory("ejb", RoleMapper.constant(Roles.fromSet(roles)))); } else { interceptorFactories.put(InterceptorOrder.View.SECURITY_IDENTITY_OUTFLOW, IdentityOutflowInterceptorFactory.INSTANCE);
/**
 * Tells whether the current caller holds {@code roleName}.
 *
 * <p>Three paths exist:</p>
 * <ul>
 * <li>security domain not known: the question is delegated to {@code serverSecurityManager},
 * wrapped in {@code WildFlySecurityManager.doUnchecked} when a security manager is checking;</li>
 * <li>security domain known, JACC disabled: {@code checkCallerSecurityIdentityRole} decides;</li>
 * <li>security domain known, JACC enabled: the installed {@code Policy} is asked whether the caller's
 * granted roles imply an {@code EJBRoleRefPermission} for this component and role.</li>
 * </ul>
 *
 * @param roleName the role to test
 * @return {@code true} if the caller is in the role
 * @throws IllegalStateException declared by the signature; no throw is visible in this method
 */
public boolean isCallerInRole(final String roleName) throws IllegalStateException {
    if (!isSecurityDomainKnown()) {
        if (WildFlySecurityManager.isChecking()) {
            return WildFlySecurityManager.doUnchecked((PrivilegedAction<Boolean>) () -> serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName));
        }
        return this.serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName);
    }

    if (!enableJacc) {
        return checkCallerSecurityIdentityRole(roleName);
    }

    // Reading the Policy is done in a privileged block only when a security manager is checking.
    final Policy policy;
    if (WildFlySecurityManager.isChecking()) {
        policy = doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy);
    } else {
        policy = Policy.getPolicy();
    }
    // The domain has no code source, permissions or class loader: the decision rests only on the
    // principals returned by JaccInterceptor.getGrantedRoles for the caller identity.
    final ProtectionDomain callerDomain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity()));
    final EJBRoleRefPermission roleRef = new EJBRoleRefPermission(getComponentName(), roleName);
    return policy.implies(callerDomain, roleRef);
}
/**
 * Builds the {@code SecurityDomainInterceptor} for an EJB component.
 *
 * <p>The interceptor is bound to the {@code SecurityDomain} object returned by
 * {@code ejbComponent.getSecurityDomain()}; creation fails when that is {@code null}, so a component
 * without a resolved domain never gets an interceptor. The domain <em>name</em> taken from the
 * metadata (or {@code DEFAULT_DOMAIN} when none is configured) is used only in the trace message and
 * plays no part in selecting the domain here.</p>
 *
 * @param component the component being configured; must be an {@code EJBComponent}
 * @param context the interceptor factory context (not used in this method)
 * @return the interceptor bound to the component's security domain
 */
@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (! (component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    final EJBSecurityMetaData securityMetaData = ejbComponent.getSecurityMetaData();

    final String configuredName = securityMetaData.getSecurityDomain();
    final String securityDomainName = configuredName != null ? configuredName : DEFAULT_DOMAIN;

    final SecurityDomain securityDomain = ejbComponent.getSecurityDomain();
    if (securityDomain == null) {
        throw EjbLogger.ROOT_LOGGER.invalidSecurityForDomainSet(ejbComponent.getComponentName());
    }

    // Guarded so the message string is only built when trace logging is on.
    if (ROOT_LOGGER.isTraceEnabled()) {
        ROOT_LOGGER.trace("Using security domain: " + securityDomainName + " for EJB " + ejbComponent.getComponentName());
    }
    return new SecurityDomainInterceptor(securityDomain);
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * Records a (role, permission) pair in {@code roles}.
 *
 * <p>No validation of {@code role} or {@code permission} is visible here; both are stored as given.</p>
 *
 * @param role the role name the permission is granted to
 * @param permission the permission granted to that role
 */
public void addRole(String role, Permission permission) {
    // NOTE(review): java.util.Map.Entry is an interface, so `Entry` is presumably a
    // project-local implementation — confirm.
    roles.add(new Entry<>(role, permission));
}

// The body of getRoles() is outside this excerpt.
public List<Map.Entry<String, Permission>> getRoles() {
/**
 * Registers the EJB security configurator on a view.
 *
 * <p>A new {@code EJBSecurityViewConfigurator} is appended to the view's configurator list; the
 * interceptors themselves are set up by that configurator, not here.</p>
 *
 * @param view the view whose configurators are extended
 */
protected void setupSecurityInterceptors(final ViewDescription view) {
    final EJBSecurityViewConfigurator securityConfigurator = new EJBSecurityViewConfigurator();
    view.getConfigurators().add(securityConfigurator);
}
/**
 * <p>
 * Switches the JACC contextID held by {@code PolicyContext} and reports the one that was active before.
 * When {@code WildFlySecurityManager.isChecking()} is true the switch is delegated to a
 * {@code SetContextIDAction} run through {@code AccessController.doPrivileged}; otherwise
 * {@code PolicyContext} is read and updated directly.
 * </p>
 *
 * @param contextID the JACC contextID to be set.
 * @return the previous contextID. On the privileged path this is whatever {@code SetContextIDAction}
 *         returns, presumably also the previous ID (its body is not shown here).
 */
protected String setContextID(final String contextID) {
    if (WildFlySecurityManager.isChecking()) {
        final PrivilegedAction<String> switchAction = new SetContextIDAction(contextID);
        return AccessController.doPrivileged(switchAction);
    }
    // No security manager is checking: plain calls are enough.
    final String formerId = PolicyContext.getContextID();
    PolicyContext.setContextID(contextID);
    return formerId;
}
/**
 * Asks the security manager whether the invocation is authorized and aborts it when it is not.
 *
 * <p>The decision is based on the component name, the code source of the view's proxy class, the
 * method interface type, the view method, the method's role principals and the JACC context id.</p>
 *
 * @return always {@code null}; the action exists for its authorization check only
 */
@Override
public ProtectionDomain run() {
    final boolean permitted = securityManager.authorize(ejbComponent.getComponentName(), componentView.getProxyClass().getProtectionDomain().getCodeSource(), methodIntfType.name(), AuthorizationInterceptor.this.viewMethod, AuthorizationInterceptor.this.getMethodRolesAsPrincipals(), AuthorizationInterceptor.this.contextID);
    if (!permitted) {
        // Fail closed: a refused authorization ends the invocation with an exception.
        throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(invokedMethod,ejbComponent.getComponentName());
    }
    return null;
}
}); // closes the anonymous action and the call it is passed to; both start outside this excerpt
/**
 * Runs the rest of the interceptor chain with this component's JACC policy context active.
 *
 * <p>The context id in effect on entry is remembered and put back in a {@code finally} block, so it
 * is restored whether the invocation returns or throws.</p>
 *
 * @param context the invocation being processed
 * @return whatever the rest of the chain returns
 * @throws Exception propagated from the rest of the chain
 */
public Object processInvocation(final InterceptorContext context) throws Exception {
    final String callerContextId = PolicyContext.getContextID();
    setContextID(policyContextID);
    try {
        final Object result = context.proceed();
        return result;
    } finally {
        // Always restore, so this component's policy context does not stay on the thread.
        setContextID(callerContextId);
    }
}
/**
 * Reports whether JACC is enabled for this component's security domain.
 *
 * <p>The answer comes from the {@code ApplicationSecurityDomainConfig} that the
 * {@code knownSecurityDomain} function returns for {@code getSecurityDomain()}. When there is no
 * lookup function, or the function finds no configuration, JACC is reported as disabled.</p>
 *
 * @return {@code true} only when a matching configuration exists and enables JACC
 */
public boolean isEnableJacc() {
    if (knownSecurityDomain == null) {
        return false;
    }
    final ApplicationSecurityDomainConfig config = knownSecurityDomain.apply(getSecurityDomain());
    return config != null && config.isEnableJacc();
}
/**
 * Builds the {@code IdentityOutflowInterceptor} for an EJB component.
 *
 * <p>The interceptor receives the component's identity outflow function together with this factory's
 * {@code category} and {@code roleMapper}. Any component that is not an {@code EJBComponent} is
 * rejected.</p>
 *
 * @param component the component being configured; must be an {@code EJBComponent}
 * @param context the interceptor factory context (not used in this method)
 * @return the outflow interceptor for the component
 */
@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (component instanceof EJBComponent) {
        final EJBComponent ejbComponent = (EJBComponent) component;
        final Function<SecurityIdentity, Set<SecurityIdentity>> outflow = ejbComponent.getIdentityOutflowFunction();
        return new IdentityOutflowInterceptor(outflow, category, roleMapper);
    }
    throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
}
} // closes the enclosing class, whose header is outside this excerpt
/**
 * <p>
 * Switches the JACC contextID held by {@code PolicyContext} and reports the one that was active before.
 * When {@code WildFlySecurityManager.isChecking()} is true the switch is delegated to a
 * {@code SetContextIDAction} run through {@code AccessController.doPrivileged}; otherwise
 * {@code PolicyContext} is read and updated directly.
 * </p>
 *
 * @param contextID the JACC contextID to be set.
 * @return the previous contextID. On the privileged path this is whatever {@code SetContextIDAction}
 *         returns, presumably also the previous ID (its body is not shown here).
 */
protected String setContextID(final String contextID) {
    if (WildFlySecurityManager.isChecking()) {
        final PrivilegedAction<String> switchAction = new SetContextIDAction(contextID);
        return AccessController.doPrivileged(switchAction);
    }
    // No security manager is checking: plain calls are enough.
    final String formerId = PolicyContext.getContextID();
    PolicyContext.setContextID(contextID);
    return formerId;
}
/**
 * Populates the resource model and registers the new application security domain.
 *
 * <p>After the superclass has filled the model, the {@code ENABLE_JACC} attribute is resolved when it
 * is defined; an undefined attribute means JACC stays off. The domain is then added to
 * {@code knownApplicationSecurityDomains} under the name of the current address.</p>
 *
 * <p>NOTE(review): the {@code add} call is not wrapped in a {@code synchronized} block here. That is
 * safe only if the collection is itself thread-safe, which is not visible from this method.</p>
 *
 * @throws OperationFailedException if the superclass or the attribute resolution fails
 */
@Override
protected void populateModel(OperationContext context, ModelNode operation, Resource resource) throws OperationFailedException {
    super.populateModel(context, operation, resource);
    final ModelNode model = resource.getModel();
    // Short-circuit keeps the attribute from being resolved when it is not defined.
    final boolean enableJacc = model.hasDefined(ENABLE_JACC.getName())
            && ENABLE_JACC.resolveModelAttribute(context, model).asBoolean();
    knownApplicationSecurityDomains.add(new ApplicationSecurityDomainConfig(context.getCurrentAddressValue(), enableJacc));
}
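/**
 * Removes the resource and unregisters its application security domain.
 *
 * <p>Every entry of {@code knownApplicationSecurityDomains} whose {@code isSameDomain} matches the
 * current address value is dropped. The removal runs while holding the collection's monitor, so it
 * is a single atomic step relative to any other code that locks the same object to iterate. This
 * replaces the earlier copy-then-remove sequence, which released the monitor before mutating the
 * collection.</p>
 *
 * @throws OperationFailedException if the superclass removal fails
 */
@Override
protected void performRemove(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
    super.performRemove(context, operation, model);
    // Read the name once, outside the lock, so the critical section only touches the collection.
    final String removedDomain = context.getCurrentAddressValue();
    synchronized (knownApplicationSecurityDomains) {
        knownApplicationSecurityDomains.removeIf(domain -> domain.isSameDomain(removedDomain));
    }
}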