return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
}
private int checkRoleRef()
{
AuthorizationManager am = (AuthorizationManager)policyRegistration;
//Check the caller of this beans run-as identity
if (ejbPrincipal == null && callerRunAs == null)
{
if(trace)
log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY" );
return AuthorizationContext.DENY;
}
// Map the role name used by Bean Provider to the security role
// link in the deployment descriptor. The EJB 1.1 spec requires
// the security role refs in the descriptor but for backward
// compability we're not enforcing this requirement.
//
// TODO (2.3): add a conditional check using jboss.xml <enforce-ejb-restrictions> element
// which will throw an exception in case no matching
// security ref is found.
boolean matchFound = false;
Iterator<SecurityRoleRef> it = this.securityRoleReferences.iterator();
while ( it.hasNext())
{
SecurityRoleRef meta = it.next();
if (meta.getName().equals(roleName))
{
roleName = meta.getLink();
matchFound = true;
break;
}
}
if (!matchFound)
log.trace("no match found for security role " + roleName +
" in the deployment descriptor for ejb " + this.ejbName);
HashSet<Principal> set = new HashSet<Principal>();
set.add(new SimplePrincipal(roleName));
boolean allowed = false;
if (callerRunAs == null)
allowed = am.doesUserHaveRole(ejbPrincipal, set);
else
{
if(callerRunAs instanceof RunAsIdentity)
{
RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;