Expand Up @@ -38,10 +38,6 @@
import org.wso2.carbon.utils.dbcreator.DatabaseCreator;

import javax.sql.DataSource;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
Expand Down Expand Up @@ -82,13 +78,6 @@ public class JDBCAuthorizationManager implements AuthorizationManager {
private static final String DELETE_ROLE_PERMISSIONS_MYSQL = "DeleteRolePermissions-mysql";
private static final String DELETE_USER_PERMISSIONS_MYSQL = "DeleteUserPermissions-mysql";

private static final ThreadLocal<Boolean> isSecureCall = new ThreadLocal<Boolean>() {
@Override
protected Boolean initialValue() {
return Boolean.FALSE;
}
};

public JDBCAuthorizationManager(RealmConfiguration realmConfig, Map<String, Object> properties,
ClaimManager claimManager, ProfileConfigurationManager profileManager, UserRealm realm,
Integer tenantId) throws UserStoreException {
Expand Down Expand Up @@ -183,12 +172,6 @@ public boolean isRoleAuthorized(String roleName, String resourceId, String actio
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
Object object = callSecure("isRoleAuthorized", new Object[]{roleName, resourceId, action}, argTypes);
return (Boolean) object;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.isRoleAuthorized(roleName, resourceId, action, this)) {
Expand Down Expand Up @@ -222,12 +205,6 @@ public boolean isUserAuthorized(String userName, String resourceId, String actio
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
Object object = callSecure("isUserAuthorized", new Object[]{userName, resourceId, action}, argTypes);
return (Boolean) object;
}

if (CarbonConstants.REGISTRY_SYSTEM_USERNAME.equals(userName)) {
return true;
}
Expand Down Expand Up @@ -389,12 +366,6 @@ public String[] getAllowedRolesForResource(String resourceId, String action)
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getAllowedRolesForResource", new Object[]{resourceId, action}, argTypes);
return (String[]) object;
}

TreeNode.Permission permission = PermissionTreeUtil.actionToPermission(action);
permissionTree.updatePermissionTree();
SearchResult sr =
Expand Down Expand Up @@ -426,12 +397,6 @@ public String[] getExplicitlyAllowedUsersForResource(String resourceId, String a
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getExplicitlyAllowedUsersForResource", new Object[]{resourceId, action}, argTypes);
return (String[]) object;
}

TreeNode.Permission permission = PermissionTreeUtil.actionToPermission(action);
permissionTree.updatePermissionTree();
SearchResult sr =
Expand All @@ -458,12 +423,6 @@ public String[] getDeniedRolesForResource(String resourceId, String action)
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getDeniedRolesForResource", new Object[]{resourceId, action}, argTypes);
return (String[]) object;
}

TreeNode.Permission permission = PermissionTreeUtil.actionToPermission(action);
permissionTree.updatePermissionTree();
SearchResult sr =
Expand All @@ -481,13 +440,6 @@ public String[] getExplicitlyDeniedUsersForResource(String resourceId, String ac
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getExplicitlyDeniedUsersForResource", new Object[]{resourceId, action},
argTypes);
return (String[]) object;
}

TreeNode.Permission permission = PermissionTreeUtil.actionToPermission(action);
permissionTree.updatePermissionTree();
SearchResult sr =
Expand All @@ -501,13 +453,6 @@ public String[] getExplicitlyDeniedUsersForResource(String resourceId, String ac
public String[] getAllowedUIResourcesForUser(String userName, String permissionRootPath)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getAllowedUIResourcesForUser", new Object[]{userName, permissionRootPath},
argTypes);
return (String[]) object;
}

List<String> lstPermissions = new ArrayList<>();
if (isRoleAndGroupSeparationEnabled || verifyByRetrievingAllUserRoles) {
String[] roles = this.userRealm.getUserStoreManager().getRoleListOfUser(userName);
Expand Down Expand Up @@ -562,13 +507,6 @@ public String[] getAllowedUIResourcesForUser(String userName, String permissionR
public String[] getAllowedUIResourcesForRole(String roleName, String permissionRootPath)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
Object object = callSecure("getAllowedUIResourcesForRole",
new Object[]{roleName, permissionRootPath}, argTypes);
return (String[]) object;
}

List<String> lstPermissions = new ArrayList<String>();
List<String> resourceIds = getUIPermissionId();
if (resourceIds != null) {
Expand Down Expand Up @@ -605,13 +543,6 @@ public void authorizeRole(String roleName, String resourceId, String action)
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("authorizeRole", new Object[]{roleName, resourceId, action},
argTypes);
return;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.authorizeRole(roleName, resourceId, action, this)) {
Expand All @@ -633,13 +564,6 @@ public void denyRole(String roleName, String resourceId, String action)
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("denyRole", new Object[]{roleName, resourceId, action},
argTypes);
return;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.denyRole(roleName, resourceId, action, this)) {
Expand All @@ -657,13 +581,6 @@ public void denyRole(String roleName, String resourceId, String action)
public void authorizeUser(String userName, String resourceId, String action)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("authorizeUser", new Object[]{userName, resourceId, action},
argTypes);
return;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.authorizeUser(userName, resourceId, action, this)) {
Expand All @@ -684,14 +601,6 @@ public void authorizeUser(String userName, String resourceId, String action)
public void denyUser(String userName, String resourceId, String action)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("denyUser", new Object[]{userName, resourceId, action},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.denyUser(userName, resourceId, action, this)) {
Expand All @@ -716,14 +625,6 @@ public void clearResourceAuthorizations(String resourceId) throws UserStoreExcep
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class};
callSecure("clearResourceAuthorizations", new Object[]{resourceId},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearResourceAuthorizations(resourceId, this)) {
Expand Down Expand Up @@ -788,14 +689,6 @@ public void clearRoleAuthorization(String roleName, String resourceId, String ac
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("clearRoleAuthorization", new Object[]{roleName, resourceId, action},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearRoleAuthorization(roleName, resourceId, action, this)) {
Expand Down Expand Up @@ -834,14 +727,6 @@ public void clearRoleAuthorization(String roleName, String resourceId, String ac
public void clearUserAuthorization(String userName, String resourceId, String action)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class};
callSecure("clearUserAuthorization", new Object[]{userName, resourceId, action},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearUserAuthorization(userName, resourceId, action, this)) {
Expand Down Expand Up @@ -877,14 +762,6 @@ public void clearUserAuthorization(String userName, String resourceId, String ac
public void clearRoleActionOnAllResources(String roleName, String action)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
callSecure("clearRoleActionOnAllResources", new Object[]{roleName, action},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearRoleActionOnAllResources(roleName, action, this)) {
Expand Down Expand Up @@ -924,14 +801,6 @@ public void clearRoleActionOnAllResources(String roleName, String action)

public void clearRoleAuthorization(String roleName) throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class};
callSecure("clearRoleAuthorization", new Object[]{roleName},
argTypes);
return;
}


for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearRoleAuthorization(roleName, this)) {
Expand Down Expand Up @@ -970,13 +839,6 @@ public void clearRoleAuthorization(String roleName) throws UserStoreException {

public void clearUserAuthorization(String userName) throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class};
callSecure("clearUserAuthorization", new Object[]{userName},
argTypes);
return;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.clearUserAuthorization(userName, this)) {
Expand Down Expand Up @@ -1010,13 +872,6 @@ public void clearUserAuthorization(String userName) throws UserStoreException {
public void resetPermissionOnUpdateRole(String roleName, String newRoleName)
throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class};
callSecure("resetPermissionOnUpdateRole", new Object[]{roleName, newRoleName},
argTypes);
return;
}

for (AuthorizationManagerListener listener : UMListenerServiceComponent
.getAuthorizationManagerListeners()) {
if (!listener.resetPermissionOnUpdateRole(roleName, newRoleName, this)) {
Expand Down Expand Up @@ -1066,13 +921,6 @@ public void addAuthorization(String subject, String resourceId, String action,
resourceId = resourceId.toLowerCase();
}

if (!isSecureCall.get()) {
Class argTypes[] = new Class[]{String.class, String.class, String.class, boolean.class, boolean.class};
callSecure("addAuthorization", new Object[]{subject, resourceId, action, authorized, isRole},
argTypes);
return;
}

short allow = 0;
if (authorized) {
allow = UserCoreConstants.ALLOW;
Expand Down Expand Up @@ -1400,11 +1248,6 @@ private Connection getDBConnection() throws SQLException {

public void populatePermissionTreeFromDB() throws UserStoreException {

if (!isSecureCall.get()) {
Class argTypes[] = new Class[0];
callSecure("populatePermissionTreeFromDB", new Object[0], argTypes);
return;
}
permissionTree.updatePermissionTreeFromDB();
}

Expand All @@ -1413,17 +1256,6 @@ public void populatePermissionTreeFromDB() throws UserStoreException {
* scenario.
*/
public void clearPermissionTree() {
if (!isSecureCall.get()) {
Class argTypes[] = new Class[0];
try {
callSecure("clearPermissionTree", new Object[0], argTypes);
} catch (UserStoreException e) {
if(log.isDebugEnabled()){
log.debug("Error while clearing Permission Tree : " + e);
}
}
return;
}
this.permissionTree.clear();
this.authorizationCache.clearCache();
}
Expand Down Expand Up @@ -1505,49 +1337,4 @@ public String[] normalizeRoles(String[] roles) {
return roles;
}

/**
* This method is used by the APIs' in the JDBCAuthorizationManager
* to make compatible with Java Security Manager.
*/
private Object callSecure(final String methodName, final Object[] objects, final Class[] argTypes)
throws UserStoreException {

final JDBCAuthorizationManager instance = this;

isSecureCall.set(Boolean.TRUE);
final Method method;
try {
Class clazz = Class.forName("org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager");
method = clazz.getDeclaredMethod(methodName, argTypes);

} catch (NoSuchMethodException e) {
log.error("Error occurred when calling method " + methodName, e);
throw new UserStoreException(e);
} catch (ClassNotFoundException e) {
log.error("Error occurred when calling class " + methodName, e);
throw new UserStoreException(e);
}

try {
return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
return method.invoke(instance, objects);
}
});
} catch (PrivilegedActionException e) {
if (e.getCause() != null && e.getCause().getCause() != null && e.getCause().getCause() instanceof
UserStoreException) {
// Actual UserStoreException get wrapped with two exceptions
throw new UserStoreException(e.getCause().getCause().getMessage(), e);

} else {
String msg = "Error occurred while accessing Java Security Manager Privilege Block";
log.error(msg);
throw new UserStoreException(msg, e);
}
} finally {
isSecureCall.set(Boolean.FALSE);
}
}
}