Package org.jboss.security

Examples of org.jboss.security.RunAsIdentity


   /**
    * Pushes a run-as identity built from this instance's {@code roleName} and
    * {@code principalName} onto the {@link SecurityAssociation} run-as stack.
    *
    * <p>{@code pushedRole} records that the push happened. NOTE(review): presumably a
    * later commit/abort/logout step uses that flag to pop the identity again; that code
    * is not part of this excerpt, so confirm every push is balanced by a pop and the
    * run-as role cannot outlive the login it was created for.
    *
    * @return always {@code true}
    * @see SecurityAssociation#pushRunAsIdentity(RunAsIdentity)
    */
   public boolean login()
   {
      SecurityAssociation.pushRunAsIdentity(new RunAsIdentity(roleName, principalName));
      pushedRole = true;
      return true;
   }


         // The caller is using a run-as identity
         else
         {
            // NOTE(review): a run-as object that is not a RunAsIdentity skips the role check
            // below entirely, so `allowed` keeps whatever value it had before this excerpt.
            // That initial value is not visible here - confirm this path cannot end in a permit.
            if(callerRunAs instanceof RunAsIdentity)
            {
               RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
               // Check that the run-as role is in the set of method roles
               if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
               {
                  String method = this.ejbMethod.getName();
                  // The denial message names the principal, EJB, method, interface and both
                  // role sets, which is what an operator needs to diagnose the refusal.
                  String msg = "Insufficient method permissions, principal=" + ejbPrincipal
                  + ", ejbName=" + this.ejbName
                  + ", method=" + method + ", interface=" + this.methodInterface
                  + ", requiredRoles=" + methodRoles + ", runAsRoles="
                  + callerRunAsIdentity.getRunAsRoles();
                  // Within this excerpt the denial is only written out when trace logging is
                  // enabled. NOTE(review): confirm denials are audited somewhere else.
                  if(trace)
                     log.trace("Exception:"+msg);
                  // This branch can only revoke access; it never sets allowed to true.
                  allowed = false;
               }  
            }

         // Body of an `if` whose condition lies above this excerpt: the decision is
         // delegated to am.doesUserHaveRole for ejbPrincipal and the role set.
         allowed = am.doesUserHaveRole(ejbPrincipal, set);
      else
      {
         // Run-as case: the decision comes from the run-as identity's own roles.
         // NOTE(review): if callerRunAs is some other type, `allowed` is never assigned
         // here and keeps its initial value, which is declared outside this excerpt -
         // confirm it starts as false so this path denies by default.
         if(callerRunAs instanceof RunAsIdentity)
         {
            RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
            allowed = callerRunAsIdentity.doesUserHaveRole(set);
         }
      }
      // Map the boolean outcome onto the authorization result constants.
      return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
   }

            // Build theSubject from the security context: principals come from the incoming
            // run-as identity when one is present, otherwise from the authenticated subject.
            SubjectInfo si = sc.getSubjectInfo();
           
            if(si != null)
            {
               Subject activeSubject = si.getAuthenticatedSubject();
               // NOTE(review): unchecked downcast - this throws ClassCastException if the
               // incoming run-as is not a RunAsIdentity; an instanceof guard would avoid that.
               RunAsIdentity callerRunAsIdentity = (RunAsIdentity)sc.getIncomingRunAs();
              
               if( activeSubject != null )
               {
                  Set principalsSet = null;
                  if( callerRunAsIdentity == null )
                  {
                     principalsSet = activeSubject.getPrincipals();
                  }
                  else
                  {
                     principalsSet = callerRunAsIdentity.getPrincipalsSet();
                  }

                  // First argument true makes the new Subject read-only.
                  // NOTE(review): with a run-as identity present, the result pairs the
                  // run-as principals with the authenticated caller's public and private
                  // credentials - confirm that handing those credentials on is intended.
                  theSubject = new Subject(true, principalsSet,
                     activeSubject.getPublicCredentials(),
                     activeSubject.getPrivateCredentials());
               }
               else
               {
                  // No authenticated subject: only a run-as identity can produce a Subject,
                  // and it carries no credentials. With neither, theSubject is not assigned here.
                  if( callerRunAsIdentity != null )
                  {
                     Set principalsSet = callerRunAsIdentity.getPrincipalsSet();
                     theSubject = new Subject(true, principalsSet, EMPTY_SET, EMPTY_SET);
                  }
               }
            }
         }

        // Resolve the effective roles: an incoming run-as identity takes precedence over
        // the roles of the authenticated subject.
        RoleGroup roleGroup = null;

        RunAs runAs = securityContext.getIncomingRunAs();
        // instanceof is already false for null, so the explicit null test is redundant.
        if (runAs != null && runAs instanceof RunAsIdentity) {
            RunAsIdentity runAsIdentity = (RunAsIdentity) runAs;
            roleGroup = runAsIdentity.getRunAsRolesAsRoleGroup();
        } else {
            // Also reached when a run-as is present but is not a RunAsIdentity.
            AuthorizationManager am = securityContext.getAuthorizationManager();
            SecurityContextCallbackHandler scb = new SecurityContextCallbackHandler(securityContext);

            // NOTE(review): getSubjectInfo() is dereferenced without a null check in this
            // excerpt - confirm it cannot be null on this path.
            roleGroup = am.getSubjectRoles(securityContext.getSubjectInfo().getAuthenticatedSubject(), scb);

                // Failure path of a check that lies above this excerpt.
                throw SecurityMessages.MESSAGES.invalidUserException();
            }
        }

        // Decide which identity outgoing calls made from this context will carry.
        if (runAs != null) {
            // presumably runAs holds the run-as role name here, with runAsPrincipal and
            // extraRoles completing the identity - their declarations are not shown; confirm.
            RunAs runAsIdentity = new RunAsIdentity(runAs, runAsPrincipal, extraRoles);
            current.setOutgoingRunAs(runAsIdentity);
        } else if (previous != null && previous.getOutgoingRunAs() != null) {
            // Ensure the propagation continues.
            // With no run-as configured here, the previous context's outgoing run-as is
            // reused, so an identity established by an earlier caller stays in effect.
            current.setOutgoingRunAs(previous.getOutgoingRunAs());
        }

            // With no run-as principal configured, fall back to the application's
            // unauthenticated principal name.
            if (principalName == null)
               principalName = applicationMetaData.getUnauthenticatedPrincipal();

            // the run-as principal might have extra roles mapped in the assembly-descriptor
            // NOTE(review): after the fallback above, this lookup is keyed on the
            // unauthenticated principal, so any roles the descriptor maps to that name are
            // added to the run-as identity - confirm that mapping is deliberate.
            Set extraRoleNames = assemblyDescriptor.getSecurityRoleNamesByPrincipal(principalName);
            runAsIdentity = new RunAsIdentity(roleName, principalName, extraRoleNames);
         }

         // Record whether the security metadata asks for the caller's identity to be used.
         if (secMetaData != null && secMetaData.getUseCallerIdentity())
            this.isUseCallerIdentity = true;

         // Trace the method, interface and required roles (the guard is above this excerpt).
         log.trace("method=" + mi.getMethod() + ", interface=" + iface
            + ", requiredRoles=" + methodRoles);
      }

      // Check if the caller is allowed to access the method
      // peekRunAsIdentity is used to read the current run-as identity; null is treated
      // below as "no run-as identity in effect".
      RunAsIdentity callerRunAsIdentity = SecurityAssociation.peekRunAsIdentity();
      // Methods whose role set contains ANYBODY_PRINCIPAL skip the role check altogether.
      if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
      {
         // The caller is using the caller identity
         if (callerRunAsIdentity == null)
         {
            // Now actually check if the current caller has one of the required method roles
            if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
            {
               Set userRoles = realmMapping.getUserRoles(principal);
               String method = mi.getMethod().getName();
               // NOTE(review): the message lists the required roles and the principal's own
               // roles, and it is both logged and carried inside the thrown exception.
               // Whether that text reaches a remote client is not visible here - confirm
               // role details stay server-side.
               String msg = "Insufficient method permissions, principal=" + principal
                  + ", method=" + method + ", interface=" + iface
                  + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
               log.error(msg);
               SecurityException e = new SecurityException(msg);
               throw new EJBException("checkSecurityAssociation", e);
            }
         }

         // The caller is using a run-as identity
         else
         {
            // Check that the run-as role is in the set of method roles
            // Only the run-as identity's roles are consulted on this branch; the
            // authenticated principal's roles are not checked.
            if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
            {
               String method = mi.getMethod().getName();
               // Same disclosure consideration as above: required and run-as roles are
               // placed in both the log entry and the exception message.
               String msg = "Insufficient method permissions, runAsPrincipal=" + callerRunAsIdentity.getName()
                  + ", method=" + method + ", interface=" + iface
                  + ", requiredRoles=" + methodRoles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles();
               log.error(msg);
               SecurityException e = new SecurityException(msg);
               throw new EJBException("checkSecurityAssociation", e);
            }
         }

            // Resolve the run-as principal name, defaulting to the application's
            // unauthenticated principal when the security metadata does not name one.
            String principalName = secMetaData.getRunAsPrincipalName();
            if( principalName == null )
               principalName = application.getUnauthenticatedPrincipal();
            // the run-as principal might have extra roles mapped in the assembly-descriptor
            // NOTE(review): when the default above applies, roles mapped to the
            // unauthenticated principal's name are merged into the run-as identity -
            // confirm the descriptor does not grant that name more than intended.
            Set extraRoleNames = assemblyDescriptor.getSecurityRoleNamesByPrincipal(principalName);
            runAsIdentity = new RunAsIdentity(roleName, principalName, extraRoleNames);
         }

         // The security manager is taken from the container.
         securityManager = container.getSecurityManager();
      }
   }

            // Push the run-as identity configured for the servlet handling this request.
            try {
                servlet = request.getWrapper();
                if (servlet != null) {
                    String name = servlet.getName();
                    // Here `runAsIdentity` is still the outer per-servlet lookup keyed by
                    // servlet name; the local declared on the next line shadows it afterwards.
                    RunAsIdentityMetaData identity = runAsIdentity.get(name);
                    RunAsIdentity runAsIdentity = null;
                    if (identity != null) {
                        // NOTE(review): the servlet name and identity are concatenated into
                        // the format-string argument of tracef, so a '%' in either could be
                        // read as a format specifier. Passing them as arguments, e.g.
                        // tracef("%s, runAs: %s", name, identity), avoids that and defers
                        // the string building until trace is enabled.
                        WebLogger.WEB_SECURITY_LOGGER.tracef(name + ", runAs: " + identity);
                        runAsIdentity = new RunAsIdentity(identity.getRoleName(), identity.getPrincipalName(),
                                identity.getRunAsRoles());
                    }
                    // Pushed even when null (no run-as configured for this servlet).
                    // NOTE(review): presumably this keeps push and pop balanced with cleanup
                    // code outside this excerpt - confirm a matching pop always runs.
                    SecurityActions.pushRunAsIdentity(runAsIdentity);
                }
