001    /**
002     * Copyright (c) 2000-2012 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.pacl.checker;
016    
017    import com.liferay.portal.kernel.log.Log;
018    import com.liferay.portal.kernel.log.LogFactoryUtil;
019    import com.liferay.portal.kernel.util.ServerDetector;
020    import com.liferay.portal.security.pacl.PACLClassUtil;
021    
022    import java.security.Permission;
023    
024    import sun.reflect.Reflection;
025    
026    /**
027     * @author Brian Wing Shun Chan
028     */
029    public class SecurityChecker extends BaseChecker {
030    
031            public void afterPropertiesSet() {
032            }
033    
034            public void checkPermission(Permission permission) {
035                    String name = permission.getName();
036    
037                    if (name.equals(SECURITY_PERMISSION_GET_POLICY)) {
038                            if (!hasGetPolicy()) {
039                                    throwSecurityException(_log, "Attempted to get the policy");
040                            }
041                    }
042                    else if (name.equals(SECURITY_PERMISSION_SET_POLICY)) {
043                            if (!hasSetPolicy()) {
044                                    throwSecurityException(_log, "Attempted to set the policy");
045                            }
046                    }
047                    else {
048                            if (_log.isDebugEnabled()) {
049                                    Thread.dumpStack();
050                            }
051    
052                            throwSecurityException(
053                                    _log,
054                                    "Attempted to " + permission.getName() + " on " +
055                                            permission.getActions());
056                    }
057            }
058    
059            protected boolean hasGetPolicy() {
060                    Class<?> callerClass8 = Reflection.getCallerClass(8);
061    
062                    if (isGlassfishJ2EEInstanceListener(
063                                    callerClass8.getEnclosingClass()) &&
064                            CheckerUtil.isAccessControllerDoPrivileged(9)) {
065    
066                            logGetPolicy(callerClass8, 8);
067    
068                            return true;
069                    }
070    
071                    if (isWebSphereWASJSPExtensionServletWrapper(callerClass8)) {
072                            logGetPolicy(callerClass8, 8);
073    
074                            return true;
075                    }
076    
077                    return false;
078            }
079    
080            protected boolean hasSetPolicy() {
081                    Class<?> callerClass6 = Reflection.getCallerClass(6);
082    
083                    if (isGlassfishPolicyContextHandlerImpl(callerClass6)) {
084                            logSetPolicy(callerClass6, 6);
085    
086                            return true;
087                    }
088    
089                    Class<?> callerClass7 = Reflection.getCallerClass(7);
090    
091                    if (isGeronimoDispatchListener(callerClass7)) {
092                            logSetPolicy(callerClass7, 7);
093    
094                            return true;
095                    }
096    
097                    return false;
098            }
099    
100            protected boolean isGeronimoDispatchListener(Class<?> clazz) {
101                    if (!ServerDetector.isGeronimo()) {
102                            return false;
103                    }
104    
105                    if (clazz == null) {
106                            return false;
107                    }
108    
109                    String className = clazz.getName();
110    
111                    if (!className.equals(_CLASS_NAME_DISPATCH_LISTENER)) {
112                            return false;
113                    }
114    
115                    String classLocation = PACLClassUtil.getClassLocation(clazz);
116    
117                    return classLocation.contains(
118                            "/repository/org/apache/geronimo/modules/geronimo-tomcat6/");
119            }
120    
121            protected boolean isGlassfishJ2EEInstanceListener(Class<?> clazz) {
122                    if (!ServerDetector.isGlassfish()) {
123                            return false;
124                    }
125    
126                    if (clazz == null) {
127                            return false;
128                    }
129    
130                    String className = clazz.getName();
131    
132                    if (!className.equals(_CLASS_NAME_J2EE_INSTANCE_LISTENER)) {
133                            return false;
134                    }
135    
136                    String classLocation = PACLClassUtil.getClassLocation(clazz);
137    
138                    return classLocation.startsWith("bundle://");
139            }
140    
141            protected boolean isGlassfishPolicyContextHandlerImpl(Class<?> clazz) {
142                    if (!ServerDetector.isGlassfish()) {
143                            return false;
144                    }
145    
146                    if (clazz == null) {
147                            return false;
148                    }
149    
150                    String className = clazz.getName();
151    
152                    if (!className.equals(_CLASS_NAME_POLICY_CONTEXT_HANDLER_IMPL)) {
153                            return false;
154                    }
155    
156                    String classLocation = PACLClassUtil.getClassLocation(clazz);
157    
158                    return classLocation.startsWith("bundle://");
159            }
160    
161            protected boolean isWebSphereWASJSPExtensionServletWrapper(Class<?> clazz) {
162                    if (!ServerDetector.isWebSphere()) {
163                            return false;
164                    }
165    
166                    String className = clazz.getName();
167    
168                    if (!className.equals(_CLASS_NAME_WAS_JSP_EXTENSION_SERVLET_WRAPPER)) {
169                            return false;
170                    }
171    
172                    String classLocation = PACLClassUtil.getClassLocation(clazz);
173    
174                    return classLocation.startsWith("bundleresource://");
175            }
176    
177            protected void logGetPolicy(Class<?> callerClass, int frame) {
178                    if (_log.isInfoEnabled()) {
179                            _log.info(
180                                    "Allowing frame " + frame + " with caller " + callerClass +
181                                            " to get the policy");
182                    }
183            }
184    
185            protected void logSetPolicy(Class<?> callerClass, int frame) {
186                    if (_log.isInfoEnabled()) {
187                            _log.info(
188                                    "Allowing frame " + frame + " with caller " + callerClass +
189                                            " to set the policy");
190                    }
191            }
192    
193            private static final String _CLASS_NAME_DISPATCH_LISTENER =
194                    "org.apache.geronimo.tomcat.listener.DispatchListener";
195    
196            private static final String _CLASS_NAME_J2EE_INSTANCE_LISTENER =
197                    "com.sun.web.server.J2EEInstanceListener";
198    
199            private static final String _CLASS_NAME_POLICY_CONTEXT_HANDLER_IMPL =
200                    "com.sun.enterprise.security.authorize.PolicyContextHandlerImpl";
201    
202            private static final String _CLASS_NAME_WAS_JSP_EXTENSION_SERVLET_WRAPPER =
203                    "com.ibm.ws.jsp.webcontainerext.ws.WASJSPExtensionServletWrapper";
204    
205            private static Log _log = LogFactoryUtil.getLog(SecurityChecker.class);
206    
207    }