org.glassfish.ejb.security.application

Class EJBSecurityManager

java.lang.Object

org.glassfish.ejb.security.application.EJBSecurityManager

All Implemented Interfaces:

SecurityManager

public final class EJBSecurityManager
extends Object
implements SecurityManager

This class is used by the EJB server to manage security. All the container object only call into this object for managing security. This class cannot be subclassed.

An instance of this class should be created per deployment unit.

Author:

Harpreet Singh, monzillo

Constructor Summary

Constructors

Constructor and Description
EJBSecurityManager(EjbDescriptor ejbDescriptor, InvocationManager invocationManager, EJBSecurityManagerFactory fact)

Method Summary

Modifier and Type	Method and Description
boolean	authorize(ComponentInvocation componentInvocation) This method is called by the EJB container to decide whether or not a method specified in the Invocation should be allowed.
void	destroy() Call this method to clean up all the bookeeping data-structures in the SM.
Object	doAsPrivileged(PrivilegedExceptionAction pea) This method is used by SecurityUtil runMethod to run the action as the subject encapsulated in the cuurent SecurityContext.
Principal	getCallerPrincipal() This method returns the Client Principal who initiated the current Invocation.
static String	getContextID(EjbDescriptor ejbDescriptor)
Subject	getCurrentSubject() This will return the subject associated with the current call.
boolean	getUsesCallerIdentity()
Object	invoke(Method beanClassMethod, boolean isLocal, Object beanObject, Object[] parameters) This method is similiar to the runMethod, except it keeps the semantics same as the one in reflection.
boolean	isCallerInRole(String role) This method returns a boolean value indicating whether or not the caller is in the specified role.
void	loadPolicyConfiguration(EjbDescriptor ejbDescriptor)
void	postInvoke(ComponentInvocation inv) This method is used by Message Driven Bean Container to remove the run-as identity information that was set up using the preSetRunAsIdentity method
void	preInvoke(ComponentInvocation inv) This method is used by MDB Container - Invocation Manager to setup the run-as identity information.
void	resetPolicyContext() Purge ThreadLocals held by javax.security.jacc.PolicyContext
Object	runMethod(Method beanClassMethod, Object beanObject, Object[] parameters) Runs a business method of an EJB within the bean's policy context.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

EJBSecurityManager

public EJBSecurityManager(EjbDescriptor ejbDescriptor,
                          InvocationManager invocationManager,
                          EJBSecurityManagerFactory fact)
                   throws Exception

Throws:

Exception

Method Detail

getContextID

public static String getContextID(EjbDescriptor ejbDescriptor)

preInvoke

public void preInvoke(ComponentInvocation inv)

This method is used by MDB Container - Invocation Manager to setup the run-as identity information. It has to be coupled with the postSetRunAsIdentity method. This method is called for EJB/MDB Containers

Specified by:

preInvoke in interface SecurityManager

postInvoke

public void postInvoke(ComponentInvocation inv)

This method is used by Message Driven Bean Container to remove the run-as identity information that was set up using the preSetRunAsIdentity method

Specified by:

postInvoke in interface SecurityManager

getUsesCallerIdentity

public boolean getUsesCallerIdentity()

loadPolicyConfiguration

public void loadPolicyConfiguration(EjbDescriptor ejbDescriptor)
                             throws Exception

Throws:

Exception

authorize

public boolean authorize(ComponentInvocation componentInvocation)

This method is called by the EJB container to decide whether or not a method specified in the Invocation should be allowed.

Specified by:

authorize in interface SecurityManager

Parameters:

componentInvocation - invocation object that contains all the details of the invocation.

Returns:

A boolean value indicating if the client should be allowed to invoke the EJB.

isCallerInRole

public boolean isCallerInRole(String role)

This method returns a boolean value indicating whether or not the caller is in the specified role.

Specified by:

isCallerInRole in interface SecurityManager

Parameters:

role - role name in the form of java.lang.String

Returns:

A boolean true/false depending on whether or not the caller has the specified role.

invoke

public Object invoke(Method beanClassMethod,
                     boolean isLocal,
                     Object beanObject,
                     Object[] parameters)
              throws Throwable

This method is similiar to the runMethod, except it keeps the semantics same as the one in reflection. On failure, if the exception is caused due to reflection, it returns the InvocationTargetException. This method is called from the containers for ejbTimeout, WebService and MDBs.

Specified by:

invoke in interface SecurityManager

Parameters:

beanClassMethod, - the bean class method to be invoked

isLocal, - true if this invocation is through the local EJB view

beanObject - the object on which this method is to be invoked in this case the ejb,

parameters - the parameters for the method,

c, - the container instance can be a null value, where in the container will be queried to find its security manager.

Returns:

Object, the result of the execution of the method.

Throws:

Throwable

resetPolicyContext

public void resetPolicyContext()

Description copied from interface: SecurityManager

Purge ThreadLocals held by javax.security.jacc.PolicyContext

Specified by:

resetPolicyContext in interface SecurityManager

getCallerPrincipal

public Principal getCallerPrincipal()

This method returns the Client Principal who initiated the current Invocation.

Specified by:

getCallerPrincipal in interface SecurityManager

Returns:

A Principal object of the client who made this invocation. or null if the SecurityContext has not been established by the client.

destroy

public void destroy()

Description copied from interface: SecurityManager

Call this method to clean up all the bookeeping data-structures in the SM.

Specified by:

destroy in interface SecurityManager

getCurrentSubject

public Subject getCurrentSubject()

This will return the subject associated with the current call. If the run as subject is in effect. It will return that subject. This is done to support the JACC specification which says if the runas principal is in effect, that principal should be used for making a component call.

Specified by:

getCurrentSubject in interface SecurityManager

Returns:

Subject the current subject. Null if this is not the run-as case

doAsPrivileged

public Object doAsPrivileged(PrivilegedExceptionAction pea)
                      throws Throwable

Description copied from interface: SecurityManager

This method is used by SecurityUtil runMethod to run the action as the subject encapsulated in the cuurent SecurityContext.

Specified by:

doAsPrivileged in interface SecurityManager

Throws:

Throwable

runMethod

public Object runMethod(Method beanClassMethod,
                        Object beanObject,
                        Object[] parameters)
                 throws Throwable

Runs a business method of an EJB within the bean's policy context. The original policy context is restored after method execution. This method should only be used by com.sun.enterprise.security.SecurityUtil.

Parameters:

beanClassMethod - the EJB business method

beanObject - the EJB bean instance

parameters - parameters passed to beanClassMethod

Returns:

return value from beanClassMethod

Throws:

InvocationTargetException - if the underlying method throws an exception

Throwable - other throwables in other cases