File Doc Category Size Date Package
RoleBasedAuthorizationInterceptor.java API Doc JBoss 4.2.1 6118 Fri Jul 13 21:02:28 BST 2007 org.jboss.aspects.security

RoleBasedAuthorizationInterceptor

java.lang.Object

public class RoleBasedAuthorizationInterceptor extends Object implements org.jboss.aop.advice.Interceptor

The RoleBasedAuthorizationInterceptor checks that the caller principal is authorized to call a method by verifing that it contains at least one of the required roled.

author: Bill Burke
author: Oleg Nitz
author: Scott Stark.
author: Dain Sundstrom.
version: $Revision: 57186 $

Fields Summary
protected Logger
log
protected org.jboss.security.AuthenticationManager
securityManager
protected org.jboss.security.RealmMapping
realmMapping
Constructors Summary
public RoleBasedAuthorizationInterceptor(org.jboss.security.AuthenticationManager manager, org.jboss.security.RealmMapping realmMapping)
this.securityManager = manager; this.realmMapping = realmMapping;
Methods Summary
protected java.util.Set getAnnotationRoleSet(org.jboss.aop.joinpoint.Invocation invocation)
HashSet set = new HashSet(); Exclude exclude = (Exclude) invocation.resolveAnnotation(Exclude.class); if (exclude != null) { set.add(NobodyPrincipal.NOBODY_PRINCIPAL); return set; } Unchecked unchecked = (Unchecked) invocation.resolveAnnotation(Unchecked.class); if (unchecked != null) { set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL); return set; } Permissions permissions = (Permissions) invocation.resolveAnnotation(Permissions.class); if (permissions == null) { // Default behavior is unchecked set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL); return set; } for (int i = 0; i < permissions.value().length; i++) { set.add(new SimplePrincipal(permissions.value()[i])); } return set;
public java.lang.String getName()
return "RoleBasedAuthorizationInterceptor";
protected java.util.Set getRoleSet(org.jboss.aop.joinpoint.Invocation invocation)
Set roles = (Set) invocation.getMetaData("security", "roles"); if (roles == null) roles = getAnnotationRoleSet(invocation); return roles;
public java.lang.Object invoke(org.jboss.aop.joinpoint.Invocation invocation)
Check if the principal is authorized to call the method by verifying that the it containes at least one of the required roles.
// If there is not a security manager then there is no authorization // required if (securityManager == null) { return invocation.invokeNext(); } if (realmMapping == null) { throw new SecurityException("Role mapping manager has not been set"); } Set roles = getRoleSet(invocation); if (roles == null) { /* REVISIT: for better message String message = "No method permissions assigned. to " + "method=" + invocation.getMethod().getName() + ", interface=" + invocation.getType(); */ String message = "No method permissions assigned."; log.error(message); throw new SecurityException(message); } // Check if the caller is allowed to access the method RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity(); if (roles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false) { // The caller is using a the caller identity if (callerRunAsIdentity == null) { Principal principal = SecurityActions.getPrincipal(); // Now actually check if the current caller has one of the required method roles if (realmMapping.doesUserHaveRole(principal, roles) == false) { Set userRoles = realmMapping.getUserRoles(principal); String msg = "Insufficient permissions, principal=" + principal + ", requiredRoles=" + roles + ", principalRoles=" + userRoles; log.error(msg); throw new SecurityException(msg); } } // The caller is using a run-as identity else { // Check that the run-as role is in the set of method roles if (callerRunAsIdentity.doesUserHaveRole(roles) == false) { String msg = "Insufficient permissions, runAsPrincipal=" + callerRunAsIdentity.getName() + ", requiredRoles=" + roles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles(); log.error(msg); throw new SecurityException(msg); } } } return invocation.invokeNext();