-
1. Re: JACC:EJBContext.isCallerInRole
anil.saldhana Apr 22, 2006 12:49 PM (in response to anil.saldhana)Summary is that the JaccAuthorizationInterceptor will plugin a custom RealmMapping implementation, with the getPrincipal and getUserRoles being handled by the previous RealmMapping implementation existing in the Container (in this case, JaasSecurityManager). Only the doesUserHaveRole will be performed by the plugged in RM impl.
-
2. Re: JACC:EJBContext.isCallerInRole
anil.saldhana Apr 25, 2006 3:05 AM (in response to anil.saldhana)Given the following DD:
<ejb-jar> <display-name>CallerInRole Tests</display-name> <enterprise-beans> <session> .... <security-role-ref> <role-name>NiceUser</role-name> <role-link>GoodRole</role-link> </security-role-ref> </session> </enterprise-beans> <assembly-descriptor> <security-role> <description>Good Role to invoke</description> <role-name>GoodRole</role-name> </security-role> <method-permission> <role-name>GoodRole</role-name> <method> <ejb-name>UsefulStatelessSessionBean</ejb-name> <method-name>*</method-name> </method> </method-permission> </assembly-descriptor> </ejb-jar>
The EJBModule class builds up the PolicyConfiguration as follows:
- a EJBRoleRefPermission is created for ejbname=UsefulStatelessSessionBean and actions=NiceUser.
But when the EJBContext.isCallerInRole("NiceUser") or EJBContext.isCallerInRole("GoodRole") call comes in, the EnterpriseClass then always follows the role-link element to make a check for
RealmMapping.doesUserHaveRole(principal, "GoodRole"). This is bound to fail because the PC is storing a EJBRefPerm to "NiceUser".
The jacc-1.0 spec says the following:3.1.5.3 Translating EJB security-role-ref Elements For each security-role-ref element appearing in the deployment descriptor, a corresponding EJBRoleRefPermission must be created. The name of each EJBRoleRefPermission must be obtained as described for EJBMethodPermission objects. The actions used to construct the permission must be the value of the role-name (that is the reference), appearing in the security-role-ref. The deployment tools must call the addToRole method on the PolicyConfiguration object to add a policy statement corresponding to the EJBRoleRefPermission to the role identified in the rolelink appearing in the security-role-ref.
So the PC construction is consistent. But the isCallerInRole check is not consistent.
Scott, what are your thoughts on this? -
3. Re: JACC:EJBContext.isCallerInRole
starksm64 Apr 25, 2006 9:37 AM (in response to anil.saldhana)There is an attempt to map the incoming role name ("NiceUser") to the linked to name ("GoodRole"):
Iterator it = getContainer().getBeanMetaData().getSecurityRoleReferences(); boolean matchFound = false; while (it.hasNext()) { SecurityRoleRefMetaData meta = (SecurityRoleRefMetaData) it.next(); if (meta.getName().equals(roleName)) { roleName = meta.getLink(); matchFound = true; break; } }
For the configuration shown, the permission check would be against EJBRoleRefPermission("NiceUser", "GoodRole"), so this should work. The problem is where to put this check. It cannot be in the doesUserHaveRole method as this is used for both method permissions and isCallerInRole. We just need to refactor the current EnterpriseContext.isCallerInRole into a jacc/non-jacc version and add a container configuration flag that causes the jacc version to be used. We could do this implicitly based on the existence of the JaccAuthorizationInterceptor in the configuration, that is a coupling of externali configuration to implementation details in code. -
4. Re: JACC:EJBContext.isCallerInRole
anil.saldhana Apr 25, 2006 11:07 AM (in response to anil.saldhana)A better approach would be to have a flag on the container that whether JACC is installed or not.
Since there is a call on the JaccAuthorizationInterceptor to set the container, it can enable the flag.
From the configuration I showed, theoretically, both the checks on "NiceUser" and "GoodRole" should pass. But the jacc spec block I pasted earlier, seems to be saying that the EJBRoleRefPermission should contain just "NiceUser" in the PolicyConfiguration. There will be no EJBRoleRefPerm for "GoodRole". Is this correct, Scott? -
5. Re: JACC:EJBContext.isCallerInRole
starksm64 Apr 25, 2006 11:12 AM (in response to anil.saldhana)This is the same issue as in the web container. There has to be a role-link for every security-role-ref:
If the Bean Provider has declared any security role references using the security-role-ref elements, the Application Assembler must link all the security role references listed in the security-role-ref elements to the security roles defined in the security-role elements. This is described in more detail in subsection 21.3.3.
There should never be an isCallerInRole("GoodRole") call as this has not been declared. That would require:<session> .... <security-role-ref> <role-name>GoodRole</role-name> <role-link>GoodRole</role-link> </security-role-ref> </session