Author: struberg
Date: Tue Mar 15 08:27:37 2011
New Revision: 1081681
URL: http://svn.apache.org/viewvc?rev=1081681&view=rev
Log:
OWB-545 introduce ManagedSecurityService
Added:
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/SimpleSecurityService.java
- copied, changed from r1081676,
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/SimpleSecurityService.java
Removed:
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/SimpleSecurityService.java
Modified:
openwebbeans/trunk/webbeans-impl/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
openwebbeans/trunk/webbeans-openejb/src/main/java/org/apache/webbeans/ejb/service/OpenEJBSecurityService.java
openwebbeans/trunk/webbeans-spi/src/main/java/org/apache/webbeans/spi/SecurityService.java
openwebbeans/trunk/webbeans-tomcat6/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
openwebbeans/trunk/webbeans-tomcat7/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
Added:
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java?rev=1081681&view=auto
==============================================================================
---
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
(added)
+++
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/ManagedSecurityService.java
Tue Mar 15 08:27:37 2011
@@ -0,0 +1,329 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.webbeans.corespi.security;
+
+import org.apache.webbeans.exception.WebBeansException;
+import org.apache.webbeans.spi.SecurityService;
+
+import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Properties;
+
+/**
+ * This version of the {@link SecurityService} uses the
java.lang.SecurityManager
+ * to check low level access to the underlying functions via a doPriviliged
block.
+ */
+public class ManagedSecurityService implements SecurityService
+{
+ private static final int METHOD_CLASS_GETDECLAREDCONSTRUCTOR = 0x01;
+
+ private static final int METHOD_CLASS_GETDECLAREDCONSTRUCTORS = 0x02;
+
+ private static final int METHOD_CLASS_GETDECLAREDMETHOD = 0x03;
+
+ private static final int METHOD_CLASS_GETDECLAREDMETHODS = 0x04;
+
+ private static final int METHOD_CLASS_GETDECLAREDFIELD = 0x05;
+
+ private static final int METHOD_CLASS_GETDECLAREDFIELDS = 0x06;
+
+ private static final PrivilegedActionGetSystemProperties
SYSTEM_PROPERTY_ACTION = new PrivilegedActionGetSystemProperties();
+
+
+
+ @Override
+ public Principal getCurrentPrincipal()
+ {
+ // no pricipal by default
+ return null;
+ }
+
+ @Override
+ public <T> Constructor<T> doPrivilegedGetDeclaredConstructor(Class<T>
clazz, Class<?>... parameterTypes) throws NoSuchMethodException
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, parameterTypes,
METHOD_CLASS_GETDECLAREDCONSTRUCTOR));
+ if (obj instanceof NoSuchMethodException)
+ {
+ throw (NoSuchMethodException)obj;
+ }
+ return (Constructor<T>)obj;
+ }
+
+ @Override
+ public <T> Constructor<?>[] doPrivilegedGetDeclaredConstructors(Class<T>
clazz)
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, null,
METHOD_CLASS_GETDECLAREDCONSTRUCTORS));
+ return (Constructor<T>[])obj;
+ }
+
+ @Override
+ public <T> Method doPrivilegedGetDeclaredMethod(Class<T> clazz, String
name, Class<?>... parameterTypes)
+ throws NoSuchMethodException
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, new Object[] {name,
parameterTypes}, METHOD_CLASS_GETDECLAREDMETHOD));
+ if (obj instanceof NoSuchMethodException)
+ {
+ throw (NoSuchMethodException)obj;
+ }
+ return (Method)obj;
+ }
+
+ @Override
+ public <T> Method[] doPrivilegedGetDeclaredMethods(Class<T> clazz)
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, null,
METHOD_CLASS_GETDECLAREDMETHODS));
+ return (Method[])obj;
+ }
+
+ @Override
+ public <T> Field doPrivilegedGetDeclaredField(Class<T> clazz, String name)
throws NoSuchFieldException
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, name,
METHOD_CLASS_GETDECLAREDFIELD));
+ if (obj instanceof NoSuchFieldException)
+ {
+ throw (NoSuchFieldException)obj;
+ }
+ return (Field)obj;
+ }
+
+ @Override
+ public <T> Field[] doPrivilegedGetDeclaredFields(Class<T> clazz)
+ {
+ Object obj = AccessController.doPrivileged(
+ new PrivilegedActionForClass(clazz, null,
METHOD_CLASS_GETDECLAREDFIELDS));
+ return (Field[])obj;
+ }
+
+ @Override
+ public void doPrivilegedSetAccessible(AccessibleObject obj, boolean flag)
+ {
+ AccessController.doPrivileged(new
PrivilegedActionForSetAccessible(obj, flag));
+ }
+
+ @Override
+ public boolean doPrivilegedIsAccessible(AccessibleObject obj)
+ {
+ return (Boolean) AccessController.doPrivileged(new
PrivilegedActionForIsAccessible(obj));
+ }
+
+ @Override
+ public <T> T doPrivilegedObjectCreate(Class<T> clazz) throws
PrivilegedActionException, IllegalAccessException, InstantiationException
+ {
+ return (T) AccessController.doPrivileged(new
PrivilegedActionForObjectCreation(clazz));
+ }
+
+ @Override
+ public void doPrivilegedSetSystemProperty(String propertyName, String
value)
+ {
+ AccessController.doPrivileged(new
PrivilegedActionForSetProperty(propertyName, value));
+ }
+
+ @Override
+ public String doPrivilegedGetSystemProperty(String propertyName, String
defaultValue)
+ {
+ return AccessController.doPrivileged(new
PrivilegedActionForProperty(propertyName, defaultValue));
+ }
+
+ @Override
+ public Properties doPrivilegedGetSystemProperties()
+ {
+ return AccessController.doPrivileged(SYSTEM_PROPERTY_ACTION);
+ }
+
+
+ // the following block contains internal wrapper classes for doPrivileged
actions
+
+ protected static class PrivilegedActionForClass implements
PrivilegedAction<Object>
+ {
+ private Class<?> clazz;
+
+ private Object parameters;
+
+ private int method;
+
+ protected PrivilegedActionForClass(Class<?> clazz, Object parameters,
int method)
+ {
+ this.clazz = clazz;
+ this.parameters = parameters;
+ this.method = method;
+ }
+
+ public Object run()
+ {
+ try
+ {
+ switch (method)
+ {
+ case METHOD_CLASS_GETDECLAREDCONSTRUCTOR:
+ return
clazz.getDeclaredConstructor((Class<?>[])parameters);
+ case METHOD_CLASS_GETDECLAREDCONSTRUCTORS:
+ return clazz.getDeclaredConstructors();
+ case METHOD_CLASS_GETDECLAREDMETHOD:
+ String name = (String)((Object[])parameters)[0];
+ Class<?>[] realParameters =
(Class<?>[])((Object[])parameters)[1];
+ return clazz.getDeclaredMethod(name, realParameters);
+ case METHOD_CLASS_GETDECLAREDMETHODS:
+ return clazz.getDeclaredMethods();
+ case METHOD_CLASS_GETDECLAREDFIELD:
+ return clazz.getDeclaredField((String)parameters);
+ case METHOD_CLASS_GETDECLAREDFIELDS:
+ return clazz.getDeclaredFields();
+
+ default:
+ return new WebBeansException("unknown security method:
" + method);
+ }
+ }
+ catch (Exception exception)
+ {
+ return exception;
+ }
+ }
+
+ }
+
+ protected static class PrivilegedActionForSetAccessible implements
PrivilegedAction<Object>
+ {
+
+ private AccessibleObject object;
+
+ private boolean flag;
+
+ protected PrivilegedActionForSetAccessible(AccessibleObject object,
boolean flag)
+ {
+ this.object = object;
+ this.flag = flag;
+ }
+
+ public Object run()
+ {
+ object.setAccessible(flag);
+ return null;
+ }
+ }
+
+ protected static class PrivilegedActionForIsAccessible implements
PrivilegedAction<Object>
+ {
+
+ private AccessibleObject object;
+
+ protected PrivilegedActionForIsAccessible(AccessibleObject object)
+ {
+ this.object = object;
+ }
+
+ public Object run()
+ {
+ return object.isAccessible();
+ }
+ }
+
+ protected static class PrivilegedActionForProperty implements
PrivilegedAction<String>
+ {
+ private final String propertyName;
+
+ private final String defaultValue;
+
+ protected PrivilegedActionForProperty(String propertyName, String
defaultValue)
+ {
+ this.propertyName = propertyName;
+ this.defaultValue = defaultValue;
+ }
+
+ @Override
+ public String run()
+ {
+ return System.getProperty(this.propertyName,this.defaultValue);
+ }
+
+ }
+
+ protected static class PrivilegedActionForSetProperty implements
PrivilegedAction<Object>
+ {
+ private final String propertyName;
+
+ private final String value;
+
+ protected PrivilegedActionForSetProperty(String propertyName, String
value)
+ {
+ this.propertyName = propertyName;
+ this.value = value;
+ }
+
+ @Override
+ public String run()
+ {
+ System.setProperty(propertyName, value);
+ return null;
+ }
+
+ }
+
+ protected static class PrivilegedActionGetSystemProperties implements
PrivilegedAction<Properties>
+ {
+
+ @Override
+ public Properties run()
+ {
+ return System.getProperties();
+ }
+
+ }
+
+ protected static class PrivilegedActionForObjectCreation implements
PrivilegedExceptionAction<Object>
+ {
+ private Class<?> clazz;
+
+ protected PrivilegedActionForObjectCreation(Class<?> clazz)
+ {
+ this.clazz = clazz;
+ }
+
+ @Override
+ public Object run() throws Exception
+ {
+ try
+ {
+ return clazz.newInstance();
+ }
+ catch (InstantiationException e)
+ {
+ throw e;
+ }
+ catch (IllegalAccessException e)
+ {
+ throw e;
+ }
+ }
+
+ }
+
+
+}
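Review bot: PrivilegedActionForClass.run() hands back every caught Exception as its result, but the callers only unwrap NoSuchMethodException and NoSuchFieldException, so anything else reaches the casts to Constructor, Method or Field and surfaces as a ClassCastException. That covers a SecurityException from the reflective lookup as well as the WebBeansException that the default branch returns rather than throws. The array variants (doPrivilegedGetDeclaredConstructors, doPrivilegedGetDeclaredMethods, doPrivilegedGetDeclaredFields) have no instanceof check at all. Under a SecurityManager this hides the actual permission denial, which is the failure an operator most needs to see. I would catch only the two checked lookup exceptions, let unchecked ones propagate, and throw in the default branch; this assumes WebBeansException is unchecked, which is not visible on this page.

```java
public Object run()
{
    try
    {
        switch (method)
        {
            // … unchanged: the six METHOD_CLASS_* cases …
            default:
                throw new WebBeansException("unknown security method: " + method);
        }
    }
    catch (NoSuchMethodException e)
    {
        // returned as a value; the doPrivilegedGetDeclared* callers rethrow it
        return e;
    }
    catch (NoSuchFieldException e)
    {
        return e;
    }
}
```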
Copied:
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/SimpleSecurityService.java
(from r1081676,
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/SimpleSecurityService.java)
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/SimpleSecurityService.java?p2=openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/SimpleSecurityService.java&p1=openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/SimpleSecurityService.java&r1=1081676&r2=1081681&rev=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/SimpleSecurityService.java
(original)
+++
openwebbeans/trunk/webbeans-impl/src/main/java/org/apache/webbeans/corespi/security/SimpleSecurityService.java
Tue Mar 15 08:27:37 2011
@@ -16,7 +16,7 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.webbeans.corespi;
+package org.apache.webbeans.corespi.security;
import org.apache.webbeans.spi.SecurityService;
@@ -46,6 +46,12 @@ public class SimpleSecurityService imple
}
@Override
+ public <T> Constructor<T> doPrivilegedGetDeclaredConstructor(Class<T>
clazz, Class<?>... parameterTypes) throws NoSuchMethodException
+ {
+ return clazz.getDeclaredConstructor(parameterTypes);
+ }
+
+ @Override
public <T> Constructor<?>[] doPrivilegedGetDeclaredConstructors(Class<T>
clazz)
{
return clazz.getDeclaredConstructors();
Modified:
openwebbeans/trunk/webbeans-impl/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-impl/src/main/resources/META-INF/openwebbeans/openwebbeans.properties?rev=1081681&r1=1081680&r2=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-impl/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
(original)
+++
openwebbeans/trunk/webbeans-impl/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
Tue Mar 15 08:27:37 2011
@@ -58,7 +58,7 @@ org.apache.webbeans.spi.ContextsService=
################################### Default Contexts Service
####################################
# Default SecurityService implementation which directly invokes underlying
classes
# without using a SecurityManager
-org.apache.webbeans.spi.SecurityService=org.apache.webbeans.corespi.SimpleSecurityService
+org.apache.webbeans.spi.SecurityService=org.apache.webbeans.corespi.security.SimpleSecurityService
################################################################################################
################################################################################################
Modified:
openwebbeans/trunk/webbeans-openejb/src/main/java/org/apache/webbeans/ejb/service/OpenEJBSecurityService.java
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-openejb/src/main/java/org/apache/webbeans/ejb/service/OpenEJBSecurityService.java?rev=1081681&r1=1081680&r2=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-openejb/src/main/java/org/apache/webbeans/ejb/service/OpenEJBSecurityService.java
(original)
+++
openwebbeans/trunk/webbeans-openejb/src/main/java/org/apache/webbeans/ejb/service/OpenEJBSecurityService.java
Tue Mar 15 08:27:37 2011
@@ -21,7 +21,7 @@ package org.apache.webbeans.ejb.service;
import java.security.Principal;
import org.apache.openejb.loader.SystemInstance;
-import org.apache.webbeans.corespi.SimpleSecurityService;
+import org.apache.webbeans.corespi.security.SimpleSecurityService;
import org.apache.webbeans.spi.SecurityService;
public class OpenEJBSecurityService extends SimpleSecurityService implements
SecurityService
Modified:
openwebbeans/trunk/webbeans-spi/src/main/java/org/apache/webbeans/spi/SecurityService.java
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-spi/src/main/java/org/apache/webbeans/spi/SecurityService.java?rev=1081681&r1=1081680&r2=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-spi/src/main/java/org/apache/webbeans/spi/SecurityService.java
(original)
+++
openwebbeans/trunk/webbeans-spi/src/main/java/org/apache/webbeans/spi/SecurityService.java
Tue Mar 15 08:27:37 2011
@@ -48,6 +48,12 @@ public interface SecurityService
public Principal getCurrentPrincipal();
/**
+ * @see Class#getDeclaredConstructor(Class[])
+ */
+ public <T> Constructor<T> doPrivilegedGetDeclaredConstructor(Class<T>
clazz, Class<?>... parameterTypes)
+ throws NoSuchMethodException;
+
+ /**
* @see Class#getDeclaredConstructors()
*/
public <T> Constructor<?>[] doPrivilegedGetDeclaredConstructors(Class<T>
clazz);
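Review bot: The Javadoc on the new doPrivilegedGetDeclaredConstructor is only a `@see` link, so the SPI does not say what "privileged" means for implementors or for callers. The ManagedSecurityService added in this commit runs the lookup inside AccessController.doPrivileged with the caller-supplied class and parameter types, so the access check is made against the implementing code's protection domain rather than the caller's. I would state that in the contract, for example `Implementations may perform the lookup with the container's privileges; instances of this service must only be used by container code and never be handed to application code.`, and add `@throws NoSuchMethodException if no matching constructor is declared`. The interface continues outside this hunk, and the same wording would apply to the other doPrivileged* methods declared there.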
@@ -55,7 +61,8 @@ public interface SecurityService
/**
* @see Class#getDeclaredMethod(String, Class[])
*/
- public <T> Method doPrivilegedGetDeclaredMethod(Class<T> clazz, String
name, Class<?>... parameterTypes) throws NoSuchMethodException;
+ public <T> Method doPrivilegedGetDeclaredMethod(Class<T> clazz, String
name, Class<?>... parameterTypes)
+ throws NoSuchMethodException;
/**
* @see Class#getDeclaredMethods()
Modified:
openwebbeans/trunk/webbeans-tomcat6/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-tomcat6/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java?rev=1081681&r1=1081680&r2=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-tomcat6/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
(original)
+++
openwebbeans/trunk/webbeans-tomcat6/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
Tue Mar 15 08:27:37 2011
@@ -20,7 +20,7 @@ package org.apache.webbeans.web.tomcat;
import java.security.Principal;
-import org.apache.webbeans.corespi.SimpleSecurityService;
+import org.apache.webbeans.corespi.security.SimpleSecurityService;
import org.apache.webbeans.spi.SecurityService;
public class TomcatSecurityService extends SimpleSecurityService implements
SecurityService
Modified:
openwebbeans/trunk/webbeans-tomcat7/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
URL:
http://svn.apache.org/viewvc/openwebbeans/trunk/webbeans-tomcat7/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java?rev=1081681&r1=1081680&r2=1081681&view=diff
==============================================================================
---
openwebbeans/trunk/webbeans-tomcat7/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
(original)
+++
openwebbeans/trunk/webbeans-tomcat7/src/main/java/org/apache/webbeans/web/tomcat/TomcatSecurityService.java
Tue Mar 15 08:27:37 2011
@@ -20,7 +20,7 @@ package org.apache.webbeans.web.tomcat;
import java.security.Principal;
-import org.apache.webbeans.corespi.SimpleSecurityService;
+import org.apache.webbeans.corespi.security.SimpleSecurityService;
import org.apache.webbeans.spi.SecurityService;
public class TomcatSecurityService extends SimpleSecurityService implements
SecurityService