org.objectweb.easybeans.security.permissions
Class PermissionManager

java.lang.Object
  extended by org.objectweb.easybeans.security.permissions.AbsPermissionManager
      extended by org.objectweb.easybeans.security.permissions.PermissionManager
All Implemented Interfaces:
EZBPermissionManager

public class PermissionManager
extends AbsPermissionManager
implements EZBPermissionManager

Permission manager for EJB.

Author:
Florent Benoit

Field Summary
private  java.security.CodeSource codeSource
          CodeSource.
private  IEJBJarInfo ejbJarInfo
          EJB-jar Info.
private  JLog logger
          Logger.
 
Constructor Summary
PermissionManager(java.net.URL contextIdURL, IEJBJarInfo ejbJarInfo)
          Default Constructor.
 
Method Summary
 boolean checkSecurity(EasyBeansInvocationContext invocationContext, boolean runAsBean)
          Checks the security for the given invocation context.
private static javax.security.jacc.EJBMethodPermission invocationContextToMethodPermission(EasyBeansInvocationContext invocationContext)
          Gets an EJBMethodPermission from an invocation context.
 boolean isCallerInRole(java.lang.String ejbName, java.lang.String roleName, boolean inRunAs)
          Test if the caller has a given role.
protected  void translateEjbExcludeList(ISecurityInfo securityInfo)
          3.1.5.2 Translating the EJB exclude-list
An EJBMethodPermission object must be created for each method element occurring in the exclude-list element of the deployment descriptor.
protected  void translateEjbMethodPermission(ISecurityInfo securityInfo)
          3.1.5.1 Translating EJB method-permission Elements
For each method element of each method-permission element, an EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object.
 void translateEjbSecurityRoleRef(IBeanInfo beanInfo, ISecurityInfo securityInfo)
          3.1.5.3 Translating EJB security-role-ref Elements
For each security-role-ref element appearing in the deployment descriptor, a corresponding EJBRoleRefPermission must be created.
 void translateMetadata()
          3.1.5 Translating EJB Deployment Descriptors
A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container.
 
Methods inherited from class org.objectweb.easybeans.security.permissions.AbsPermissionManager
commit, delete, getContextId, getContextIdURL, getPolicy, getPolicyConfiguration, setContextId, setPolicyConfiguration
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.objectweb.easybeans.api.EZBPermissionManager
commit
 

Field Detail

logger

private JLog logger
Logger.


codeSource

private java.security.CodeSource codeSource
CodeSource.


ejbJarInfo

private IEJBJarInfo ejbJarInfo
EJB-jar Info.

Constructor Detail

PermissionManager

public PermissionManager(java.net.URL contextIdURL,
                         IEJBJarInfo ejbJarInfo)
                  throws PermissionManagerException
Default Constructor.

Parameters:
contextIdURL - context ID used for PolicyContext
ejbJarInfo - the metadata on all the beans (runtime info)
Throws:
PermissionManagerException - if permissions can't be set
Method Detail

translateMetadata

public void translateMetadata()
                       throws PermissionManagerException
3.1.5 Translating EJB Deployment Descriptors
A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container. The policy context identifier used in the call to getPolicyConfiguration must be a String that satisfies the requirements described in Section 3.1.4, EJB Policy Context Identifiers, on page 28. The value true must be passed as the second parameter in the call to getPolicyConfiguration to ensure that any and all policy statements are removed from the policy context associated with the returned PolicyConfiguration. The method-permission, exclude-list, and security-role-ref elements appearing in the deployment descriptor must be translated into permissions and added to the PolicyConfiguration object to yield an equivalent translation as that defined in the following sections and such that every EJB method for which the container performs pre-dispatch access decisions is implied by at least one permission resulting from the translation.

Specified by:
translateMetadata in interface EZBPermissionManager
Throws:
PermissionManagerException - if permissions can't be set

translateEjbMethodPermission

protected void translateEjbMethodPermission(ISecurityInfo securityInfo)
                                     throws PermissionManagerException
3.1.5.1 Translating EJB method-permission Elements
For each method element of each method-permission element, an EJBMethodPermission object translated from the method element must be added to the policy statements of the PolicyConfiguration object. The name of each such EJBMethodPermission object must be the ejb-name from the corresponding method element, and the actions must be established by translating the method element into a method specification according to the methodSpec syntax defined in the documentation of the EJBMethodPermission class. The actions translation must preserve the degree of specificity with respect to method-name, method-intf, and method-params inherent in the method element. If the method-permission element contains the unchecked element, then the deployment tools must call the addToUncheckedPolicy method to add the permissions resulting from the translation to the PolicyConfiguration object. Alternatively, if the method-permission element contains one or more role-name elements, then the deployment tools must call the addToRole method to add the permissions resulting from the translation to the corresponding roles of the PolicyConfiguration object.

Parameters:
securityInfo - the security info for a given bean.
Throws:
PermissionManagerException - if permissions can't be set

translateEjbExcludeList

protected void translateEjbExcludeList(ISecurityInfo securityInfo)
                                throws PermissionManagerException
3.1.5.2 Translating the EJB exclude-list
An EJBMethodPermission object must be created for each method element occurring in the exclude-list element of the deployment descriptor. The name and actions of each EJBMethodPermission must be established as described in Section 3.1.5.1, Translating EJB method-permission Elements. The deployment tools must use the addToExcludedPolicy method to add the EJBMethodPermission objects resulting from the translation of the exclude-list to the excluded policy statements of the PolicyConfiguration object.

Parameters:
securityInfo - the security info for a given bean.
Throws:
PermissionManagerException - if permissions can't be set

translateEjbSecurityRoleRef

public void translateEjbSecurityRoleRef(IBeanInfo beanInfo,
                                        ISecurityInfo securityInfo)
                                 throws PermissionManagerException
3.1.5.3 Translating EJB security-role-ref Elements
For each security-role-ref element appearing in the deployment descriptor, a corresponding EJBRoleRefPermission must be created. The name of each EJBRoleRefPermission must be obtained as described for EJBMethodPermission objects. The actions used to construct the permission must be the value of the role-name (that is, the reference) appearing in the security-role-ref. The deployment tools must call the addToRole method on the PolicyConfiguration object to add a policy statement corresponding to the EJBRoleRefPermission to the role identified in the role-link appearing in the security-role-ref.

Parameters:
beanInfo - info about the bean.
securityInfo - the security info for a given bean.
Throws:
PermissionManagerException - if permissions can't be set
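
The translation steps of sections 3.1.5 to 3.1.5.3, shown against the standard javax.security.jacc API. This is an added example, not EasyBeans source code; the bean, role and method names and the context ID are constructed, and it assumes a JACC provider is configured.

```java
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;

public class JaccTranslationExample {
    static final String EJB = "AccountBean"; // constructed ejb-name

    /** Adds the policy statements for a constructed descriptor (sections 3.1.5.1 to 3.1.5.3). */
    static void translate(PolicyConfiguration pc) throws PolicyContextException {
        // method-permission with role-name "teller": name, interface and params are all kept.
        pc.addToRole("teller", new EJBMethodPermission(EJB, "withdraw", "Remote",
                new String[] {"java.math.BigDecimal"}));
        // method-permission with <unchecked/>: null params covers every getBalance overload.
        pc.addToUncheckedPolicy(new EJBMethodPermission(EJB, "getBalance", "Remote", null));
        // exclude-list entry naming only method-name: denied on every interface and signature.
        pc.addToExcludedPolicy(new EJBMethodPermission(EJB, "purge", null, null));
        // security-role-ref: role-name "cashier" (the reference), role-link "teller".
        pc.addToRole("teller", new EJBRoleRefPermission(EJB, "cashier"));
    }

    /**
     * A permission built with null interface and params implies every narrower one,
     * which is why the translation must not widen a method element.
     */
    static boolean widenedGrantCoversOtherOverload() {
        EJBMethodPermission widened = new EJBMethodPermission(EJB, "withdraw", null, null);
        EJBMethodPermission other = new EJBMethodPermission(EJB, "withdraw", "Local",
                new String[] {"java.lang.String"});
        return widened.implies(other);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a JACC provider is configured for this JVM or container.
        PolicyConfigurationFactory factory =
                PolicyConfigurationFactory.getPolicyConfigurationFactory();
        // Passing true removes any policy statements left in this policy context.
        PolicyConfiguration pc = factory.getPolicyConfiguration("constructed-context-id", true);
        translate(pc);
        pc.commit();
        System.out.println("widened grant covers other overload: "
                + widenedGrantCoversOtherOverload());
    }
}
```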

checkSecurity

public boolean checkSecurity(EasyBeansInvocationContext invocationContext,
                             boolean runAsBean)
Checks the security for the given invocation context.

Specified by:
checkSecurity in interface EZBPermissionManager
Parameters:
invocationContext - the context to check.
runAsBean - if true, the bean is a run-as bean.
Returns:
true if the access has been granted, else false.

invocationContextToMethodPermission

private static javax.security.jacc.EJBMethodPermission invocationContextToMethodPermission(EasyBeansInvocationContext invocationContext)
Gets an EJBMethodPermission from an invocation context.

Parameters:
invocationContext - the context containing data on the current invocation.
Returns:
a Method Permission for the current method.

isCallerInRole

public boolean isCallerInRole(java.lang.String ejbName,
                              java.lang.String roleName,
                              boolean inRunAs)
Test if the caller has a given role. An EJBRoleRefPermission object must be created with ejbName and actions equal to roleName.
See section 4.3.2 of JACC.

Specified by:
isCallerInRole in interface EZBPermissionManager
Parameters:
ejbName - The name of the EJB on which to look up the role.
roleName - The name of the security role. The role must be one of the security-role-ref that is defined in the deployment descriptor.
inRunAs - whether the bean calling this method is running in run-as mode.
Returns:
True if the caller has the specified role.