Don't allow invocation of non-public methods on no-interface view

jbossas · Apr 18, 2011 · a0dba7c · a0dba7c
1 parent 980e04b
commit a0dba7c
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 61 deletions.
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponentConfiguration.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponentConfiguration.java
@@ -72,8 +72,10 @@ protected Interceptor create(Component component, InterceptorFactoryContext cont
                     return new CMTTxInterceptor((TransactionalComponent) component);
                 }
             });
-        } else
+        } else {
             txAttrs = null;
+        }
+
     }
 
     protected void addComponentSystemInterceptorFactory(InterceptorFactory interceptorFactory) {

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/session/SessionBeanComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/session/SessionBeanComponent.java
@@ -21,6 +21,7 @@
  */
 package org.jboss.as.ejb3.component.session;
 
+import org.jboss.as.ee.component.Component;
 import org.jboss.as.ee.component.ComponentInjector;
 import org.jboss.as.ee.component.ComponentInstance;
 import org.jboss.as.ee.component.ComponentView;
@@ -29,10 +30,11 @@
 import org.jboss.as.ejb3.component.EJBComponent;
 import org.jboss.as.threads.ThreadsServices;
 import org.jboss.ejb3.context.CurrentInvocationContext;
-import org.jboss.ejb3.context.base.BaseSessionContext;
 import org.jboss.ejb3.context.base.BaseSessionInvocationContext;
 import org.jboss.ejb3.context.spi.SessionContext;
+import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
+import org.jboss.logging.Logger;
 import org.jboss.msc.service.ServiceName;
 
 import javax.ejb.AccessTimeout;
@@ -41,6 +43,7 @@
 import java.io.Serializable;
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
@@ -55,6 +58,8 @@
  */
 public abstract class SessionBeanComponent extends EJBComponent implements org.jboss.ejb3.context.spi.SessionBeanComponent {
 
+    private static final Logger logger = Logger.getLogger(SessionBeanComponent.class);
+
     static final ServiceName ASYNC_EXECUTOR_SERVICE_NAME = ThreadsServices.EXECUTOR.append("ejb3-async");
 
     protected AccessTimeout beanLevelAccessTimeout;
@@ -108,7 +113,7 @@ public Object proceed() throws Exception {
         try {
             return super.applyInjections(instance);
         } finally {
-             CurrentInvocationContext.pop();
+            CurrentInvocationContext.pop();
         }
     }
 
@@ -153,23 +158,23 @@ public Executor getAsynchronousExecutor() {
 
     protected boolean isAsynchronous(final Method method) {
         final Set<Method> asyncMethods = this.asynchronousMethods;
-        if(asyncMethods == null) {
+        if (asyncMethods == null) {
             return false;
         }
 
         for (Method asyncMethod : asyncMethods) {
             if (method.getName().equals(asyncMethod.getName())) {
                 final Object[] methodParams = method.getParameterTypes();
                 final Object[] asyncMethodParams = asyncMethod.getParameterTypes();
-                if(Arrays.equals(methodParams, asyncMethodParams)) {
+                if (Arrays.equals(methodParams, asyncMethodParams)) {
                     return true;
                 }
             }
         }
         return false;
     }
 
-    public abstract Object invoke(Serializable sessionId, Map<String,Object> contextData, Class<?> invokedBusinessInterface, Method implMethod, Object[] args) throws Exception;
+    public abstract Object invoke(Serializable sessionId, Map<String, Object> contextData, Class<?> invokedBusinessInterface, Method implMethod, Object[] args) throws Exception;
 
     protected Object invokeAsynchronous(final Method method, final InterceptorContext context) throws Exception {
         if (Void.TYPE.isAssignableFrom(method.getReturnType())) {
@@ -178,4 +183,83 @@ protected Object invokeAsynchronous(final Method method, final InterceptorContex
             return new AsyncFutureInterceptor(getAsynchronousExecutor()).processInvocation(context);
         }
     }
+
+    @Override
+    public Interceptor createClientInterceptor(Class<?> view, Serializable sessionId) {
+        // ignore the session id. Session aware components like (StatefulSessionComponent) should override
+        // this method to take into account the session id.
+        return this.createClientInterceptor(view);
+    }
+
+    @Override
+    public Interceptor createClientInterceptor(final Class<?> view) {
+
+        return new Interceptor() {
+            @Override
+            public Object processInvocation(InterceptorContext context) throws Exception {
+                final Method method = context.getMethod();
+                // if no-interface view, then check whether invocation on the method is allowed
+                // (for ex: invocation on protected methods isn't allowed)
+                if (SessionBeanComponent.this.getComponentClass().equals(view)) {
+                    if (!SessionBeanComponent.this.isInvocationAllowed(method)) {
+                        throw new javax.ejb.EJBException("Cannot invoke method " + method
+                                + " on nointerface view of bean " + SessionBeanComponent.this.getComponentName());
+
+                    }
+                }
+                // TODO: FIXME: Component shouldn't be attached in a interceptor context that
+                // runs on remote clients.
+                context.putPrivateData(Component.class, SessionBeanComponent.this);
+                try {
+                    if (isAsynchronous(method)) {
+                        return invokeAsynchronous(method, context);
+                    }
+                    return context.proceed();
+                } finally {
+                    context.putPrivateData(Component.class, null);
+                }
+            }
+        };
+    }
+
+    /**
+     * EJB 3.1 spec mandates that the view should allow invocation on only public, non-final, non-static
+     * methods. This method returns true if the passed {@link Method method} is public, non-static and non-final.
+     * Else returns false.
+     */
+    protected boolean isInvocationAllowed(Method method) {
+        int m = method.getModifiers();
+        // We handle only public, non-static, non-final methods
+        if (!Modifier.isPublic(m)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Method " + method + " is *not* public");
+            }
+            // it's not a public method
+            return false;
+        }
+        if (Modifier.isFinal(m)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Method " + method + " is final");
+            }
+            // it's a final method
+            return false;
+        }
+        if (Modifier.isStatic(m)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Method " + method + " is static");
+            }
+            // it's a static method
+            return false;
+        }
+        if (Modifier.isNative(m)) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Method " + method + " is native");
+            }
+            // it's a native method
+            return false;
+        }
+        // we handle rest of the methods
+        return true;
+    }
+
 }
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/singleton/SingletonComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/singleton/SingletonComponent.java
@@ -31,6 +31,7 @@
 import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.jboss.invocation.InterceptorFactoryContext;
+import org.jboss.invocation.Interceptors;
 import org.jboss.logging.Logger;
 
 import javax.ejb.AccessTimeout;
@@ -91,29 +92,6 @@ protected synchronized AbstractComponentInstance constructComponentInstance(Obje
         return this.singletonComponentInstance;
     }
 
-    @Override
-    public Interceptor createClientInterceptor(Class<?> view) {
-        return new Interceptor() {
-            @Override
-            public Object processInvocation(InterceptorContext context) throws Exception {
-                // TODO: FIXME: Component shouldn't be attached in a interceptor context that
-                // runs on remote clients.
-                context.putPrivateData(Component.class, SingletonComponent.this);
-
-                final Method method = context.getMethod();
-                if(isAsynchronous(method)) {
-                    return invokeAsynchronous(method, context);
-                }
-                return context.proceed();
-            }
-        };
-    }
-
-    @Override
-    public Interceptor createClientInterceptor(Class<?> view, Serializable sessionId) {
-        return createClientInterceptor(view);
-    }
-
     synchronized ComponentInstance getComponentInstance() {
         if (this.singletonComponentInstance == null) {
             this.singletonComponentInstance = (SingletonComponentInstance) this.createInstance();

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/stateful/StatefulSessionComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/stateful/StatefulSessionComponent.java
@@ -30,6 +30,7 @@
 import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.jboss.invocation.InterceptorFactoryContext;
+import org.jboss.invocation.Interceptors;
 
 import java.io.Serializable;
 import java.lang.reflect.Method;
@@ -74,23 +75,33 @@ public Interceptor createClientInterceptor(Class<?> view) {
     }
 
     @Override
-    public Interceptor createClientInterceptor(Class<?> view, final Serializable sessionId) {
+    public Interceptor createClientInterceptor(final Class<?> view, final Serializable sessionId) {
         return new Interceptor() {
             @Override
             public Object processInvocation(InterceptorContext context) throws Exception {
+                final Method method = context.getMethod();
+                // if no-interface view, then check whether invocation on the method is allowed
+                // (for ex: invocation on protected methods isn't allowed)
+                if (StatefulSessionComponent.this.getComponentClass().equals(view)) {
+                    if (!StatefulSessionComponent.this.isInvocationAllowed(method)) {
+                        throw new javax.ejb.EJBException("Cannot invoke method " + method
+                                + " on nointerface view of bean " + StatefulSessionComponent.this.getComponentName());
+
+                    }
+                }
+                // TODO: FIXME: Component shouldn't be attached in a interceptor context that
+                // runs on remote clients.
+                context.putPrivateData(Component.class, StatefulSessionComponent.this);
                 // TODO: attaching as Serializable.class is a bit wicked
                 context.putPrivateData(Serializable.class, sessionId);
-                // TODO: this won't work for remote proxies
-                context.putPrivateData(Component.class, StatefulSessionComponent.this);
                 try {
-                    final Method method = context.getMethod();
                     if (isAsynchronous(method)) {
                         return invokeAsynchronous(method, context);
                     }
                     return context.proceed();
                 } finally {
-                    context.putPrivateData(Serializable.class, null);
                     context.putPrivateData(Component.class, null);
+                    context.putPrivateData(Serializable.class, null);
                 }
             }
         };

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/stateless/StatelessSessionComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/stateless/StatelessSessionComponent.java
@@ -33,6 +33,7 @@
 import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.jboss.invocation.InterceptorFactoryContext;
+import org.jboss.invocation.Interceptors;
 
 import java.io.Serializable;
 import java.lang.reflect.Method;
@@ -72,33 +73,6 @@ public void destroy(StatelessSessionComponentInstance obj) {
         this.pool = new StrictMaxPool<StatelessSessionComponentInstance>(factory, 20, 5, TimeUnit.MINUTES);
     }
 
-    @Override
-    public Interceptor createClientInterceptor(Class<?> viewClass) {
-        return new Interceptor() {
-            @Override
-            public Object processInvocation(InterceptorContext context) throws Exception {
-                // TODO: FIXME: Component shouldn't be attached in a interceptor context that
-                // runs on remote clients.
-                context.putPrivateData(Component.class, StatelessSessionComponent.this);
-                try {
-                    final Method method = context.getMethod();
-                    if(isAsynchronous(method)) {
-                        return invokeAsynchronous(method, context);
-                    }
-                    return context.proceed();
-                }
-                finally {
-                    context.putPrivateData(Component.class, null);
-                }
-            }
-        };
-    }
-
-    @Override
-    public Interceptor createClientInterceptor(Class<?> view, Serializable sessionId) {
-        return createClientInterceptor(view);
-    }
-
     //TODO: This should be getInstance()
     @Override
     public ComponentInstance createInstance() {