Examples of java.security.AccessControlContext

• java.security.AccessControlContext
  An AccessControlContext is used to make system resource access decisions based on the context it encapsulates.

  More specifically, it encapsulates a context and has a single method, checkPermission, that is equivalent to the checkPermission method in the AccessController class, with one difference: The AccessControlContext checkPermission method makes access decisions based on the context it encapsulates, rather than that of the current execution thread.

  Thus, the purpose of AccessControlContext is for those situations where a security check that should be made within a given context actually needs to be done from within a different context (for example, from within a worker thread).

  An AccessControlContext is created by calling the AccessController.getContext method. The getContext method takes a "snapshot" of the current calling context, and places it in an AccessControlContext object, which it returns. A sample call is the following:

   AccessControlContext acc = AccessController.getContext() 

  Code within a different context can subsequently call the checkPermission method on the previously-saved AccessControlContext object. A sample call is the following:

   acc.checkPermission(permission) 

  @see AccessController @author Roland Schemers

    public boolean hasResourcePermissions(Request request, AuthResult authResult, Object constraints, UserIdentity userIdentity) {
        if (!(userIdentity instanceof JACCUserIdentity)) {
            return false;
        }

        AccessControlContext acc = ((JACCUserIdentity)userIdentity).getAccessControlContext();
        try {
            acc.checkPermission(new WebResourcePermission(request));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

        }
    }*/

    @Override
    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
        AccessControlContext acc = ContextManager.getCurrentContext();
        String name = currentRequestWrapperName.get();

        /**
         * JACC v1.0 secion B.19
         */
        if (name == null || name.equals("jsp")) {
            name = "";
        }
        try {
            acc.checkPermission(new WebRoleRefPermission(name, role));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public SecurityHandler buildSecurityHandler(String policyContextID, Subject defaultSubject, RunAsSource runAsSource, boolean checkRolePermissions) {
        if (defaultSubject == null) {
            defaultSubject = ContextManager.EMPTY;
        }
        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
        IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
        return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);
    }

    protected boolean checkWebResourcePermissions(String pathInContext, Request request, Response response, Object constraintInfo, UserIdentity userIdentity) throws IOException {
        if (!(userIdentity instanceof GeronimoUserIdentity)){
            //we already checked against default_acc and got false
            return false;
        }
        AccessControlContext acc = ((GeronimoUserIdentity)userIdentity).getAccessControlContext();
        return checkWebResourcePermission(request, acc);
    }

            ComponentPermissions componentPermissions = new ComponentPermissions(new Permissions(), unchecked, Collections.<String, PermissionCollection>emptyMap());
            applicationPolicyConfigurationManager = setUpJACC(Collections.<String, SubjectInfo>emptyMap(), Collections.<Principal, Set<String>>emptyMap(), componentPermissions, policyContextId);
            LoginService loginService = newLoginService();
//            final ServletCallbackHandler callbackHandler = new ServletCallbackHandler(loginService);
            final Subject subject = new Subject();
            final AccessControlContext acc = ContextManager.registerSubjectShort(subject, null, null);
            securityHandlerFactory = new ServerAuthenticationGBean(new Authenticator() {
                public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
                    return new UserAuthentication("test", new GeronimoUserIdentity(subject, new GeronimoUserPrincipal("foo"), acc));
                }// most likely validatedUser is not needed here.

        if (servletName == null || servletName.equals("jsp")) {
            servletName = "";
        }
        try {
            //correct run-as identity available from context manager.
            AccessControlContext acc = ContextManager.getCurrentContext();
            acc.checkPermission(new WebRoleRefPermission(servletName, role));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public SecurityHandler buildSecurityHandler(String policyContextID, Subject defaultSubject, RunAsSource runAsSource, boolean checkRolePermissions) {
        if (defaultSubject == null) {
            defaultSubject = ContextManager.EMPTY;
        }
        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
        IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
        authConfigProperties.put(POLICY_CONTEXT_ID_KEY, policyContextID);
        Authenticator authenticator = new JaspiAuthenticator(serverAuthConfig, authConfigProperties, servletCallbackHandler, serviceSubject, allowLazyAuthentication, identityService);
        //login service functionality is already inside the servletCallbackHandler
        return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);

        final LoginService loginService = new JAASLoginService(configurationFactory, realmName);
        Authenticator authenticator = buildAuthenticator();
        if (defaultSubject == null) {
            defaultSubject = ContextManager.EMPTY;
        }
        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
        IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
        if (checkRolePermissions) {
            return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);
        } else {
            return new EJBWebServiceSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);

        ContextManager.popCallers((Callers) previousToken);
    }

    public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles) {
        if (subject != null) {
            AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal, roles == null? null: Arrays.asList(roles));
            return new GeronimoUserIdentity(subject, userPrincipal, acc);
        }
        return new GeronimoUserIdentity(null, null, defaultAcc);
    }

        ContextManager.setCurrentCaller(subject);

        try {

            AccessControlContext acc = ContextManager.getCurrentContext();

            /**
             * JACC v1.0 secion 4.1.1
             */
            String transportType;
            if (request.isSecure()) {
                transportType = "CONFIDENTIAL";
                //What about INTEGRAL?? Does Tomcat support it??
            } else {
                transportType = "NONE";
            }
            WebUserDataPermission wudp = new WebUserDataPermission(request.getServletPath(), new String[]{request.getMethod()}, transportType);
            acc.checkPermission(wudp);

        } catch (AccessControlException ace) {
            response.sendError(Response.SC_FORBIDDEN);
            return false;
        }