Package org.jboss.security

Examples of org.jboss.security.AuthorizationManager


/*     */
/*     */     // Method-permission check (excerpt: the enclosing method starts and ends outside this listing).
/*     */     // The role checks below run only when the required roles do not contain ANYBODY_PRINCIPAL.
/* 149 */     if (!this.methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL))
/*     */     {
/*     */       // Only the branch without a run-as identity is visible in this excerpt.
/* 152 */       if (this.callerRunAs == null)
/*     */       {
/*     */         // NOTE(review): unchecked cast with no instanceof or null test. A null policyRegistration
/*     */         // fails at doesUserHaveRole() below and a foreign type fails at the cast itself;
/*     */         // confirm how the field is populated.
/* 154 */         AuthorizationManager am = (AuthorizationManager)this.policyRegistration;
/*     */
/*     */         // Denial path: the principal holds none of the roles required for the method.
/* 157 */         if (!am.doesUserHaveRole(this.ejbPrincipal, this.methodRoles))
/*     */         {
/* 159 */           if (this.ejbMethod == null) {
/* 160 */             throw new IllegalStateException("ejbMethod is null");
/*     */           }
/*     */           // The principal's roles are fetched here only to build the diagnostic message.
/* 162 */           Set userRoles = am.getUserRoles(this.ejbPrincipal);
/* 163 */           String method = this.ejbMethod.getName();
/*     */           // NOTE(review): the message carries the principal, the required roles and the roles held.
/*     */           // Here it is logged at trace level only; the "Exception:" prefix suggests it may also be
/*     */           // put into an exception outside this excerpt - confirm it is not returned to remote callers.
/* 164 */           String msg = "Insufficient method permissions, principal=" + this.ejbPrincipal + ", ejbName=" + this.ejbName + ", method=" + method + ", interface=" + this.methodInterface + ", requiredRoles=" + this.methodRoles + ", principalRoles=" + userRoles;
/*     */
/* 168 */           if (this.trace)
/* 169 */             log.trace("Exception:" + msg);
View Full Code Here


/* 197 */     return allowed ? 1 : -1;
/*     */   }
/*     */
/*     */   // Maps this.roleName through the security-role references and asks whether the caller holds
/*     */   // the resulting role. Returns -1 (logged as DENY) when neither a principal nor a run-as
/*     */   // identity is present. The end of the method, including its final return, is outside this excerpt.
/*     */   private int checkRoleRef()
/*     */   {
/*     */     // NOTE(review): unchecked cast; a null policyRegistration would only fail later, at the
/*     */     // doesUserHaveRole() call - confirm the field is always an AuthorizationManager here.
/* 202 */     AuthorizationManager am = (AuthorizationManager)this.policyRegistration;
/*     */
/*     */     // No identity at all: deny before any role lookup.
/* 204 */     if ((this.ejbPrincipal == null) && (this.callerRunAs == null))
/*     */     {
/* 206 */       if (this.trace)
/* 207 */         log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY");
/* 208 */       return -1;
/*     */     }
/*     */
/*     */     // Find the role reference whose name equals the requested role; on a hit the field
/*     */     // roleName is overwritten with the reference's link.
/* 219 */     boolean matchFound = false;
/* 220 */     Iterator it = this.securityRoleReferences.iterator();
/* 221 */     while (it.hasNext())
/*     */     {
/* 223 */       SecurityRoleRef meta = (SecurityRoleRef)it.next();
/* 224 */       if (meta.getName().equals(this.roleName))
/*     */       {
/* 226 */         this.roleName = meta.getLink();
/* 227 */         matchFound = true;
/* 228 */         break;
/*     */       }
/*     */     }
/*     */
/*     */     // NOTE(review): a missing reference is only traced; the check below still runs with the
/*     */     // unmapped role name, so a name with no role reference is compared directly against the
/*     */     // caller's roles. This log.trace call is also not guarded by this.trace like the one above.
/* 232 */     if (!matchFound) {
/* 233 */       log.trace("no match found for security role " + this.roleName + " in the deployment descriptor for ejb " + this.ejbName);
/*     */     }
/*     */
/*     */     // Single-element role set (raw HashSet) holding the role name as a SimplePrincipal.
/* 236 */     HashSet set = new HashSet();
/* 237 */     set.add(new SimplePrincipal(this.roleName));
/*     */
/*     */     // Default is deny. Without a run-as identity the AuthorizationManager decides for the
/*     */     // principal; with a RunAsIdentity the identity's own roles decide. Nothing in this excerpt
/*     */     // sets 'allowed' for any other run-as type.
/* 239 */     boolean allowed = false;
/* 240 */     if (this.callerRunAs == null) {
/* 241 */       allowed = am.doesUserHaveRole(this.ejbPrincipal, set);
/*     */     }
/* 244 */     else if ((this.callerRunAs instanceof RunAsIdentity))
/*     */     {
/* 246 */       RunAsIdentity callerRunAsIdentity = (RunAsIdentity)this.callerRunAs;
/* 247 */       allowed = callerRunAsIdentity.doesUserHaveRole(set);
View Full Code Here

/*  54 */     super(sc);
/*     */   }
/*     */
/*     */   // Packs the EJB invocation details into an EJBResource and lets the security context's
/*     */   // AuthorizationManager decide. Only a return value of 1 from am.authorize() counts as
/*     */   // authorized. The catch body and the method's return are outside this excerpt.
/*     */   public boolean authorize(String ejbName, Method ejbMethod, Principal ejbPrincipal, String invocationInterfaceString, CodeSource ejbCS, Subject callerSubject, RunAs callerRunAs, Set<Principal> methodRoles)
/*     */   {
/*     */     // NOTE(review): no null check on the manager is visible; a null value would surface as a
/*     */     // NullPointerException at am.authorize() inside the try block below.
/*  78 */     AuthorizationManager am = this.securityContext.getAuthorizationManager();
/*     */
/*     */     // Raw HashMap handed to the resource; the manager travels under the key "authorizationManager".
/*  80 */     HashMap map = new HashMap();
/*  81 */     map.put("authorizationManager", am);
/*     */
/*  83 */     EJBResource ejbResource = new EJBResource(map);
/*  84 */     ejbResource.setCallerRunAsIdentity(callerRunAs);
/*  85 */     ejbResource.setEjbName(ejbName);
/*  86 */     ejbResource.setEjbMethod(ejbMethod);
/*  87 */     ejbResource.setPrincipal(ejbPrincipal);
/*  88 */     ejbResource.setEjbMethodInterface(invocationInterfaceString);
/*  89 */     ejbResource.setCodeSource(ejbCS);
/*     */     // Second call with the same argument as the one above; redundant as written.
/*  90 */     ejbResource.setCallerRunAsIdentity(callerRunAs);
/*  91 */     ejbResource.setCallerSubject(callerSubject);
/*  92 */     ejbResource.setMethodRoles(methodRoles);
/*     */
/*     */     // Default is deny: isAuthorized stays false unless authorize() returns 1.
/*  94 */     boolean isAuthorized = false;
/*     */     try
/*     */     {
/*  97 */       int check = am.authorize(ejbResource);
/*  98 */       isAuthorized = check == 1;
/*     */       // Every decision that returns normally is audited as "Success" or "Failure".
/*  99 */       authorizationAudit(isAuthorized ? "Success" : "Failure", ejbResource, null);
/*     */     }
/*     */     // NOTE(review): the handler body is not shown; confirm that an exception leaves
/*     */     // isAuthorized false and is audited as well.
/*     */     catch (Exception e)
/*     */     {
View Full Code Here

/*     */   }
/*     */
/*     */   // Asks the security context's AuthorizationManager whether the caller is in roleName, using
/*     */   // the EJB's security-role references. The request is marked as a role-reference check through
/*     */   // the "roleRefPermissionCheck" map entry. The end of the method is outside this excerpt.
/*     */   public boolean isCallerInRole(String roleName, String ejbName, Principal ejbPrincipal, Set<SecurityRoleRef> securityRoleRefs)
/*     */   {
/*     */     // Default is deny.
/* 131 */     boolean isAuthorized = false;
/* 132 */     AuthorizationManager am = this.securityContext.getAuthorizationManager();
/*     */
/*     */     // Fail fast when no manager is configured instead of attempting a check without one.
/* 134 */     if (am == null) {
/* 135 */       throw new IllegalStateException("AuthorizationManager is null");
/*     */     }
/* 137 */     HashMap map = new HashMap();
/*     */
/*     */     // Context entries read back by the code that evaluates the resource: the manager, the
/*     */     // requested role, and the flag that selects the role-reference check.
/* 139 */     map.put("authorizationManager", am);
/* 140 */     map.put("roleName", roleName);
/* 141 */     map.put("roleRefPermissionCheck", Boolean.TRUE);
/*     */
/* 144 */     EJBResource ejbResource = new EJBResource(map);
/*     */
/*     */     // The run-as identity is taken from the security context, not from a method argument.
/* 146 */     RunAs callerRunAs = this.securityContext.getIncomingRunAs();
/*     */
/* 148 */     ejbResource.setEjbName(ejbName);
/* 149 */     ejbResource.setPrincipal(ejbPrincipal);
/* 150 */     ejbResource.setCallerRunAsIdentity(callerRunAs);
/* 151 */     ejbResource.setSecurityRoleReferences(securityRoleRefs);
/*     */     try
/*     */     {
/*     */       // Only a return value of 1 counts as authorized.
/* 155 */       int check = am.authorize(ejbResource);
/* 156 */       isAuthorized = check == 1;
/*     */     }
/*     */     // Any exception from authorize() is treated as a denial (fail closed).
/*     */     // NOTE(review): no logging of e is visible in this excerpt - confirm the error is recorded.
/*     */     catch (Exception e)
/*     */     {
/* 160 */       isAuthorized = false;
View Full Code Here

/*      */       {
/*      */         // Excerpt (enclosing method not shown): looks up the security domain's
/*      */         // AuthorizationManager in JNDI and, if it also implements PolicyRegistration,
/*      */         // registers the URL of xacmlFile under contextID.
/*  423 */         InitialContext ic = new InitialContext();
/*      */         // NOTE(review): the JNDI name is built by concatenating securityDomain; presumably the
/*      */         // value comes from deployment metadata - confirm it cannot be influenced by a caller.
/*  424 */         String amCtx = "java:/jaas/" + securityDomain + "/authorizationMgr";
/*      */         try
/*      */         {
/*  427 */           AuthorizationManager authzmgr = (AuthorizationManager)ic.lookup(amCtx);
/*      */           // NOTE(review): no else-branch is visible; when the manager is not a
/*      */           // PolicyRegistration the policy is not registered - confirm that case is logged.
/*  428 */           if ((authzmgr instanceof PolicyRegistration))
/*      */           {
/*  430 */             PolicyRegistration xam = (PolicyRegistration)authzmgr;
/*  431 */             xam.registerPolicy(contextID, xacmlFile.toURL());
/*      */           }
View Full Code Here

/*      */     {
/*      */       // Excerpt (enclosing method not shown): looks up the security domain's
/*      */       // AuthorizationManager in JNDI and, if it also implements PolicyRegistration,
/*      */       // removes the policy registered under contextID.
/*  533 */       InitialContext ic = new InitialContext();
/*      */       // NOTE(review): the JNDI name is built by concatenating securityDomain; presumably the
/*      */       // value comes from deployment metadata - confirm it cannot be influenced by a caller.
/*  534 */       String amCtx = "java:/jaas/" + securityDomain + "/authorizationMgr";
/*      */       try
/*      */       {
/*  537 */         AuthorizationManager authzmgr = (AuthorizationManager)ic.lookup(amCtx);
/*      */         // NOTE(review): no else-branch is visible; when the manager is not a
/*      */         // PolicyRegistration the policy stays registered - confirm that case is logged.
/*  538 */         if ((authzmgr instanceof PolicyRegistration))
/*      */         {
/*  540 */           PolicyRegistration xam = (PolicyRegistration)authzmgr;
/*  541 */           xam.deRegisterPolicy(contextID);
/*      */         }
View Full Code Here

/*     */
/*     */     // Excerpt (enclosing method not shown): reads the AuthorizationManager and the role-check
/*     */     // settings from the resource's context map, copies the EJB invocation details into fields,
/*     */     // and dispatches to checkRoleRef() when the role-reference flag is set.
/*  89 */     Map map = resource.getMap();
/*  90 */     if (map == null) {
/*  91 */       throw new IllegalStateException("Map from the Resource is null");
/*     */     }
/*  93 */     AuthorizationManager am = (AuthorizationManager)map.get("authorizationManager");
/*  94 */     if (am == null)
/*  95 */       throw new IllegalStateException("Authorization Manager is null");
/*     */     // policyRegistration is assigned only when the manager implements PolicyRegistration;
/*     */     // no else-branch is visible, so otherwise the field keeps whatever value it had.
/*  96 */     if ((am instanceof PolicyRegistration)) {
/*  97 */       this.policyRegistration = ((PolicyRegistration)am);
/*     */     }
/*     */
/*     */     // ejbResource is declared outside this excerpt (the gutter numbers skip from 97 to 107).
/* 107 */     this.callerSubject = ejbResource.getCallerSubject();
/* 108 */     this.ejbCS = ejbResource.getCodeSource();
/* 109 */     this.ejbMethod = ejbResource.getEjbMethod();
/* 110 */     this.ejbName = ejbResource.getEjbName();
/* 111 */     this.methodInterface = ejbResource.getEjbMethodInterface();
/*     */
/* 113 */     this.roleName = ((String)map.get("roleName"));
/*     */
/*     */     // This condition is always true here: the null case already threw above.
/* 115 */     if (am != null)
/*     */     {
/*     */       // The principal is read from the map key "ejb.principal" and its roles are cached.
/* 117 */       Principal ejbPrincipal = (Principal)map.get("ejb.principal");
/* 118 */       Set roleset = am.getUserRoles(ejbPrincipal);
/* 119 */       this.securityContextRoles = getGroupFromRoleSet(roleset);
/*     */     }
/* 121 */     this.roleRefCheck = ((Boolean)map.get("roleRefPermissionCheck"));
/*     */     // NOTE(review): '==' compares references. It matches the Boolean.TRUE constant, but a
/*     */     // separately constructed Boolean holding true would not match and the role-reference
/*     */     // path would be skipped. Boolean.TRUE.equals(this.roleRefCheck) compares by value and is
/*     */     // null-safe.
/* 122 */     if (this.roleRefCheck == Boolean.TRUE) {
/* 123 */       return checkRoleRef();
View Full Code Here

      // Excerpt (method signature and catch body not shown): validates the arguments, builds an
      // EJBResource for the invocation and asks the AuthorizationManager for a decision.
      if(contextID == null)
         throw new IllegalArgumentException("ContextID is null");
      // A caller identity is mandatory, but either form (subject or run-as) is accepted.
      if(callerSubject == null && callerRunAs == null)
         throw new IllegalArgumentException("Either callerSubject or callerRunAs should be non-null");

      AuthorizationManager am = securityContext.getAuthorizationManager();
      if(am == null)
         throw new IllegalStateException("Authorization Manager is null");

      HashMap<String,Object> map =  new HashMap<String,Object>();
      // NOTE(review): a failed PolicyRegistration lookup is logged and then ignored, so the map
      // entry below may hold null and authorization still proceeds. Confirm that the modules
      // consuming ResourceKeys.POLICY_REGISTRATION deny rather than permit when it is missing.
      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI();
      }
      catch(Exception e)
      {
         log.error("Error getting Policy Registration",e);
      }
     
      map.put(ResourceKeys.POLICY_REGISTRATION, this.policyRegistration);
    
      EJBResource ejbResource = new EJBResource(map);
      ejbResource.setEjbVersion(version);
      ejbResource.setPolicyContextID(contextID);
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setEjbName(ejbName);
      ejbResource.setEjbMethod(ejbMethod);
      ejbResource.setPrincipal(ejbPrincipal);
      ejbResource.setEjbMethodInterface(invocationInterfaceString);
      ejbResource.setCodeSource(ejbCS);
      // Second call with the same argument as the one above; redundant as written.
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setCallerSubject(callerSubject);
      ejbResource.setEjbMethodRoles(methodRoles);
     
      // NOTE(review): callerSubject may be null here (the guard above also accepts a non-null
      // callerRunAs) and this call sits outside the try block - confirm getSubjectRoles
      // tolerates a null subject.
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext);
      RoleGroup callerRoles = am.getSubjectRoles(callerSubject, sch);
     
      // Default is deny: only AuthorizationContext.PERMIT authorizes the call.
      boolean isAuthorized = false;
      try
      {
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
         // Every decision that returns normally is audited as SUCCESS or FAILURE.
         authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
                             ,ejbResource, null);
      }
      // NOTE(review): the handler body is not shown; confirm that an exception leaves
      // isAuthorized false and is audited as well.
      catch (Exception e)
View Full Code Here

         throw new IllegalArgumentException("ejbName is null");
      // Excerpt (method signature and earlier argument checks not shown): builds an EJBResource
      // flagged as a role-reference check and asks the AuthorizationManager whether the caller
      // holds roleName.
      if(contextID == null)
         throw new IllegalArgumentException("ContextID is null")
      // NOTE(review): as printed, the throw statement above lacks its terminating semicolon -
      // likely a transcription defect in this listing.

      // Default is deny.
      boolean isAuthorized = false;
      AuthorizationManager am = securityContext.getAuthorizationManager();
     
      if(am == null)
         throw new IllegalStateException("AuthorizationManager is null");
     
      HashMap<String,Object> map = new HashMap<String,Object>();

      // NOTE(review): a failed PolicyRegistration lookup is logged and then ignored, so the map
      // entry below may hold null and the check still proceeds. Confirm that the modules
      // consuming ResourceKeys.POLICY_REGISTRATION deny rather than permit when it is missing.
      try
      {
         if(this.policyRegistration == null)
            this.policyRegistration = getPolicyRegistrationFromJNDI();
      }
      catch(Exception e)
      {
         log.error("Error getting Policy Registration",e);
      }
     
      map.put(ResourceKeys.POLICY_REGISTRATION, this.policyRegistration);
     
      // The requested role and the flag that marks this request as a role-reference check.
      map.put(ResourceKeys.ROLENAME, roleName);
      map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
     
      EJBResource ejbResource = new EJBResource(map);
      ejbResource.setPolicyContextID(contextID);
     
      // The run-as identity is taken from the security context, not from a method argument.
      RunAs callerRunAs = SecurityActions.getIncomingRunAs(securityContext);
     
      ejbResource.setEjbVersion(version);
      ejbResource.setEjbName(ejbName);
      ejbResource.setPrincipal(ejbPrincipal);
      ejbResource.setCallerRunAsIdentity(callerRunAs);
      ejbResource.setSecurityRoleReferences(securityRoleRefs);
      ejbResource.setEnforceEJBRestrictions(enforceEJBRestrictions);
     
      ejbResource.setCallerSubject(callerSubject);
      // NOTE(review): this call sits outside the try block below, so an exception from
      // getSubjectRoles propagates to the caller instead of becoming a denial - confirm that
      // is intended and that callerSubject cannot be null at this point.
      SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext);
      RoleGroup callerRoles = am.getSubjectRoles(callerSubject, sch);
     
      try
      {
         // Only AuthorizationContext.PERMIT authorizes the caller.
         int check = am.authorize(ejbResource, callerSubject, callerRoles);
         isAuthorized = (check == AuthorizationContext.PERMIT);
      }
      // Any exception from authorize() is treated as a denial (fail closed).
      // NOTE(review): no logging of e is visible in this excerpt - confirm the error is recorded.
      catch (Exception e)
      {
         isAuthorized = false;
View Full Code Here

    @see java.security.acl.Group;
    @see Subject#getPrincipals()
    */
   public boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
   {
      // The manager for this security domain is resolved on every call and the role question
      // is delegated to it unchanged.
      // NOTE(review): the lookup result is used without a null check; confirm that
      // SecurityUtil.getAuthorizationManager never returns null for a configured domain.
      final AuthorizationManager delegate =
            SecurityUtil.getAuthorizationManager(securityDomain, SecurityConstants.JAAS_CONTEXT_ROOT);
      final boolean hasRole = delegate.doesUserHaveRole(principal, rolePrincipals);
      return hasRole;
   }
View Full Code Here
