      From: Anil S. <ani...@jb...> - 2006-07-07 16:33:39
      
     
  User: asaldhana
  Date: 06/07/07 12:33:35
  Added:       src/main/org/jboss/ejb/plugins 
                        SecurityAuthorizationInterceptor.java
  Log:
  JBAS-3374: Authorization Interceptor that integrates with the Authorization Framework
  
  Revision  Changes    Path
  1.1      date: 2006/07/07 16:33:35;  author: asaldhana;  state: Exp;jboss/src/main/org/jboss/ejb/plugins/SecurityAuthorizationInterceptor.java
  
  Index: SecurityAuthorizationInterceptor.java
  ===================================================================
  /*
    * JBoss, Home of Professional Open Source
    * Copyright 2005, JBoss Inc., and individual contributors as indicated
    * by the @authors tag. See the copyright.txt in the distribution for a
    * full listing of individual contributors.
    *
    * This is free software; you can redistribute it and/or modify it
    * under the terms of the GNU Lesser General Public License as
    * published by the Free Software Foundation; either version 2.1 of
    * the License, or (at your option) any later version.
    *
    * This software is distributed in the hope that it will be useful,
    * but WITHOUT ANY WARRANTY; without even the implied warranty of
    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    * Lesser General Public License for more details.
    *
    * You should have received a copy of the GNU Lesser General Public
    * License along with this software; if not, write to the Free
    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    */
  package org.jboss.ejb.plugins;
  
  import java.lang.reflect.Method;
  import java.util.HashMap;
   
  import javax.security.auth.Subject;
  
  import org.jboss.ejb.Container;
  import org.jboss.invocation.Invocation;
  import org.jboss.metadata.BeanMetaData;
  import org.jboss.mx.util.MBeanProxyExt;
  import org.jboss.mx.util.MBeanServerLocator;
  import org.jboss.security.AuthorizationManager;
  import org.jboss.security.authorization.AuthorizationContext;
  import org.jboss.security.authorization.EJBResource;
  import org.jboss.security.plugins.AuthorizationManagerServiceMBean;
  
  //$Id: SecurityAuthorizationInterceptor.java,v 1.1 2006/07/07 16:33:35 asaldhana Exp $
  
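  /**
   *  Authorization Interceptor that makes use of the Authorization
   *  Framework for access control decisions.
   *
   *  For every home and remote invocation that carries a {@link Method}
   *  the interceptor looks up the {@link AuthorizationManager} of the
   *  container's security domain and asks it for a decision. Only an
   *  explicit {@link AuthorizationContext#PERMIT} lets the call through;
   *  a missing manager or an exception while deciding is treated as a
   *  denial (fail closed).
   *  @author <a href="mailto:Ani...@jb...">Anil Saldhana</a>
   *  @since  Jul 6, 2006 
   *  @version $Revision: 1.1 $
   */
  public class SecurityAuthorizationInterceptor extends AbstractInterceptor
  {  
     /** Name of the guarded EJB, taken from the container's bean metadata. */
     protected String ejbName = null;
     /** Security domain of the container; key for the authorization manager lookup. */
     protected String securityDomain = null; 
     /** Proxy to the AuthorizationManagerService MBean in the local server. */
     protected AuthorizationManagerServiceMBean authorizationManagerService = null;
     
     
     /**
      * Creates the interceptor and binds a proxy to the
      * AuthorizationManagerService MBean of the local JBoss MBean server.
      */
     public SecurityAuthorizationInterceptor()
     { 
        authorizationManagerService = (AuthorizationManagerServiceMBean)
           MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
                 AuthorizationManagerServiceMBean.OBJECT_NAME,
                 MBeanServerLocator.locateJBoss()); 
     }

     /**
      * Records the EJB name and the security domain of the container so
      * that later invocations can be authorized against that domain.
      *
      * @param container the container this interceptor is attached to; may be null
      * @see AbstractInterceptor#setContainer(Container)
      */
     public void setContainer(Container container)
     {
        super.setContainer(container);
        if (container != null)
        {
           BeanMetaData beanMetaData = container.getBeanMetaData();
           ejbName = beanMetaData.getEjbName(); 
           // The container's security manager is presumably absent when no
           // security domain was configured for the bean. Leave securityDomain
           // null in that case so authorization fails closed in
           // checkAuthorization instead of failing here with a NullPointerException.
           if (container.getSecurityManager() != null)
              securityDomain = container.getSecurityManager().getSecurityDomain();
           else
              log.warn("No security manager for ejb " + ejbName
                 + "; invocations will be denied");
        }
     } 

     /**
      * Authorizes the call and then delegates to the next interceptor.
      *
      * @param mi the home invocation
      * @return the value returned by the rest of the chain
      * @throws SecurityException if the caller is not permitted
      * @throws Exception propagated from the chain or the manager lookup
      * @see AbstractInterceptor#invokeHome(Invocation)
      */
     public Object invokeHome(Invocation mi) throws Exception
     {
        // Authorize the call before anything downstream runs
        checkAuthorization(mi);
        return getNext().invokeHome(mi);
     }

     /**
      * Authorizes the call and then delegates to the next interceptor.
      *
      * @param mi the invocation
      * @return the value returned by the rest of the chain
      * @throws SecurityException if the caller is not permitted
      * @throws Exception propagated from the chain or the manager lookup
      * @see AbstractInterceptor#invoke(Invocation)
      */
     public Object invoke(Invocation mi) throws Exception
     {
        // Authorize the call before anything downstream runs
        checkAuthorization(mi);
        return getNext().invoke(mi);
     }

     /**
      * Authorize the caller's access to the method invocation.
      *
      * Invocations without a {@link Method} are treated as internal
      * container calls and are not checked. Everything else is denied
      * unless the authorization manager answers with
      * {@link AuthorizationContext#PERMIT}.
      *
      * @param mi the invocation to authorize
      * @throws SecurityException if access is denied, no manager exists for
      *         the security domain, or the manager raised an exception
      * @throws Exception if the authorization manager lookup itself fails
      */
     private void checkAuthorization(Invocation mi)
        throws Exception
     {
        Method m = mi.getMethod();
        // Ignore internal container calls
        if( m == null  )
           return; 
        // Get the caller
        Subject caller = SecurityActions.getContextSubject(); 
        
        boolean isAuthorized = false;
        AuthorizationManager authzManager = this.getAuthorizationManager();
        if (authzManager == null)
        {
           // No manager for this domain: deny explicitly instead of relying
           // on the NullPointerException the authorize() call would raise.
           log.error("No AuthorizationManager for security domain "
              + securityDomain + "; denying call on " + ejbName);
        }
        else
        {
           final HashMap map =  new HashMap();
           map.put("ejb.name",this.ejbName);
           map.put("ejb.method", m); 
           map.put("ejb.principal", mi.getPrincipal());
           map.put("authorizationManager",authzManager);
           EJBResource ejbResource = new EJBResource(map); 
           try
           {
              int check = authzManager.authorize(ejbResource);
              // Only an explicit PERMIT grants access; every other result denies
              isAuthorized = (check == AuthorizationContext.PERMIT);
           } 
           catch (Exception e)
           {
              // A failing decision is a denial, never a pass-through
              isAuthorized = false;
              log.error("Error in authorization:",e);
           }
        }
        if(!isAuthorized)
           throw new SecurityException("Denied: caller=" + caller); 
     }
     
     /**
      * Get the Authorization Manager for the security domain
      * @return authorization manager for {@link #securityDomain}; callers
      *         must tolerate a null result and treat it as a denial
      * @throws Exception if the service proxy fails to resolve the manager
      */
     private AuthorizationManager getAuthorizationManager() throws Exception
     { 
        return authorizationManagerService.getAuthorizationManager(securityDomain); 
     }  
  }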
  
  
  