jbossws · jimma · Nov 5, 2024 · Oct 21, 2024 · Oct 24, 2024 · Nov 1, 2024
@@ -104,4 +104,7 @@ public InputStream getResourceAsStream(final String name)
         }
         return (is == null && !skipSps.contains(name)) ? delegate.getResourceAsStream(name) : is;
     }
+    public ClassLoader getDelegate() {
+        return this.delegate;
+    }
 }
@@ -87,7 +87,7 @@
 import org.jboss.wsf.stack.cxf.i18n.Messages;
 import org.jboss.wsf.stack.cxf.interceptor.EndpointAssociationInterceptor;
 import org.jboss.wsf.stack.cxf.interceptor.GracefulShutdownInterceptor;
-import org.jboss.wsf.stack.cxf.interceptor.HandlerAuthInterceptor;
+import org.jboss.wsf.stack.cxf.interceptor.HandlerConfigInterceptor;
 import org.jboss.wsf.stack.cxf.interceptor.NsCtxSelectorStoreInterceptor;
 import org.jboss.wsf.stack.cxf.interceptor.WSDLSoapAddressRewriteInterceptor;
 import org.jboss.wsf.stack.cxf.management.InstrumentationManagerExtImpl;
@@ -366,7 +366,9 @@ protected void setInterceptors(Bus bus, Deployment dep, Map<String, String> prop
 
       final String p = (props != null) ? props.get(Constants.JBWS_CXF_DISABLE_HANDLER_AUTH_CHECKS) : null;
       if ((p == null || (!"true".equalsIgnoreCase(p) && !"1".equalsIgnoreCase(p))) && !Boolean.getBoolean(Constants.JBWS_CXF_DISABLE_HANDLER_AUTH_CHECKS)) {
-         bus.getInInterceptors().add(new HandlerAuthInterceptor());
+         bus.getInInterceptors().add(new HandlerConfigInterceptor());
+      } else {
+         bus.getInInterceptors().add(new HandlerConfigInterceptor(true));
       }
 
       final SOAPAddressRewriteMetadata sarm = dep.getAttachment(SOAPAddressRewriteMetadata.class);

@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jboss.wsf.stack.cxf.interceptor;
+
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+
+public abstract class AbstractTCCLPhaseInterceptor<T extends Message> extends AbstractPhaseInterceptor<T> {
+    public AbstractTCCLPhaseInterceptor(String phase) {
+        super(null, phase, false);
+    }
+
+    public AbstractTCCLPhaseInterceptor(String i, String p) {
+        super(i, p, false);
+    }
+
+    public AbstractTCCLPhaseInterceptor(String phase, boolean uniqueId) {
+        super(null, phase, uniqueId);
+    }
+
+    public AbstractTCCLPhaseInterceptor(String i, String p, boolean uniqueId) {
+        super(i,p, uniqueId);
+    }
+
+    @Override
+    public void handleMessage(T message) throws Fault {
+        ClassLoaderUtils.ClassLoaderHolder origLoader = null;
+        try {
+            origLoader = ClassLoaderUtils.setThreadContextClassloader(this.getClass().getClassLoader());
+            handleMessageWithTCCL(message);
+        } finally {
+            origLoader.reset();
+        }
+    }
+    public abstract void handleMessageWithTCCL(T message) throws Fault;
+}
@@ -44,23 +44,42 @@
 import org.jboss.wsf.spi.deployment.Endpoint;
 import org.jboss.wsf.spi.security.EJBMethodSecurityAttribute;
 import org.jboss.wsf.spi.security.EJBMethodSecurityAttributeProvider;
+import org.jboss.wsf.stack.cxf.JAXPDelegateClassLoader;
 
 /**
- * Interceptor which checks the current principal is authorized to
- * call a given handler
- * 
+ * Interceptor that configures a jbossws handler chain and can skip authentication.
+ * It set {@code JBossWSHandlerChainInvoker} to use correct Thread Context Class Loader
+ * and perform security checks before invoking the handlers.
  * @author [email protected]
+ * @author [email protected]
  * @since 23-Sep-2013
  */
-public class HandlerAuthInterceptor extends AbstractPhaseInterceptor<Message>
+public class HandlerConfigInterceptor extends AbstractPhaseInterceptor<Message>
 {
-   private static final String KEY = HandlerAuthInterceptor.class.getName() + ".SECURITY_EXCEPTION";
-
-   public HandlerAuthInterceptor()
+   private static final String KEY = HandlerConfigInterceptor.class.getName() + ".SECURITY_EXCEPTION";
+
+   private final boolean skipAuth;
+   public HandlerConfigInterceptor()
    {
       super(Phase.PRE_PROTOCOL_FRONTEND);
       addBefore(SOAPHandlerInterceptor.class.getName());
       addBefore(LogicalHandlerInInterceptor.class.getName());
+      skipAuth = false;
+   }
+   /**
+    * Create a {@code HandlerConfigInterceptor} that can optionally skip authentication.
+    * When the authentication is skipped, it added a customized {@code JBossWSHandlerChainInvoker}
+    * which set the correct TCCL to allow the handler to access CDI
+    * Please see https://issues.redhat.com/browse/JBWS-4430
+    * This interceptor will be added to CXF interceptor chain
+    * @param skipAuth a boolean flag indicating whether to skip authentication.
+    **/
+   public HandlerConfigInterceptor(boolean skipAuth)
+   {
+      super(Phase.PRE_PROTOCOL_FRONTEND);
+      addBefore(SOAPHandlerInterceptor.class.getName());
+      addBefore(LogicalHandlerInInterceptor.class.getName());
+      this.skipAuth = skipAuth;
    }
 
    @Override
@@ -71,61 +90,110 @@ public void handleMessage(Message message) throws Fault
       if (null == invoker)
       {
          final org.apache.cxf.endpoint.Endpoint endpoint = ex.getEndpoint();
-         if (endpoint instanceof JaxWsEndpointImpl) { // JAXWS handlers are not assigned to different endpoint types 
+         if (endpoint instanceof JaxWsEndpointImpl) { // JAXWS handlers are not assigned to different endpoint types
             final JaxWsEndpointImpl ep = (JaxWsEndpointImpl)endpoint;
             @SuppressWarnings("rawtypes")
             final List<Handler> handlerChain = ep.getJaxwsBinding().getHandlerChain();
             if (handlerChain != null && !handlerChain.isEmpty()) { //save
-               invoker = new JBossWSHandlerChainInvoker(handlerChain, isOutbound(message, ex));
+               invoker = new JBossWSHandlerChainInvoker(handlerChain, isOutbound(message, ex), skipAuth);
                ex.put(HandlerChainInvoker.class, invoker);
             }
          }
       }
    }
-   
+
    private boolean isOutbound(Message message, Exchange ex) {
       return message == ex.getOutMessage()
-          || message == ex.getOutFaultMessage();
+              || message == ex.getOutFaultMessage();
    }
-   
+
    private static class JBossWSHandlerChainInvoker extends HandlerChainInvoker
    {
 
+      private final boolean skip;
       public JBossWSHandlerChainInvoker(@SuppressWarnings("rawtypes") List<Handler> hc, boolean isOutbound)
       {
          super(hc, isOutbound);
+         skip = false;
+      }
+
+      public JBossWSHandlerChainInvoker(@SuppressWarnings("rawtypes") List<Handler> hc, boolean isOutbound, boolean skipAuth)
+      {
+         super(hc, isOutbound);
+         skip = skipAuth;
       }
 
       @Override
       public boolean invokeLogicalHandlers(boolean requestor, LogicalMessageContext context)
       {
-         checkAuthorization(context);
-         return super.invokeLogicalHandlers(requestor, context);
+         if (!skip) {
+            checkAuthorization(context);
+         }
+         ClassLoader original = SecurityActions.getContextClassLoader();
+         try {
+           if (original instanceof JAXPDelegateClassLoader) {
+               JAXPDelegateClassLoader jaxpLoader = (JAXPDelegateClassLoader)original;
+               SecurityActions.setContextClassLoader(jaxpLoader.getDelegate());
+            }
+            return super.invokeLogicalHandlers(requestor, context);
+         } finally {
+            SecurityActions.setContextClassLoader(original);
+         }
       }
 
       @Override
       public boolean invokeProtocolHandlers(boolean requestor, MessageContext context)
       {
-         checkAuthorization(context);
-         return super.invokeProtocolHandlers(requestor, context);
+         if (!skip) {
+            checkAuthorization(context);
+         }
+         ClassLoader original = SecurityActions.getContextClassLoader();
+         try {
+            if (original instanceof JAXPDelegateClassLoader) {
+               JAXPDelegateClassLoader jaxpLoader = (JAXPDelegateClassLoader)original;
+               SecurityActions.setContextClassLoader(jaxpLoader.getDelegate());
+            }
+            return super.invokeProtocolHandlers(requestor, context);
+         } finally {
+            SecurityActions.setContextClassLoader(original);
+         }
       }
-      
+
       @Override
       public boolean invokeLogicalHandlersHandleFault(boolean requestor, LogicalMessageContext context)
       {
-         if (context.containsKey(KEY)) {
+
+         if (!skip && context.containsKey(KEY)) {
             return true;
          }
-         return super.invokeLogicalHandlersHandleFault(requestor, context);
+         ClassLoader original = SecurityActions.getContextClassLoader();
+         try {
+            if (original instanceof JAXPDelegateClassLoader) {
+               JAXPDelegateClassLoader jaxpLoader = (JAXPDelegateClassLoader)original;
+               SecurityActions.setContextClassLoader(jaxpLoader.getDelegate());
+            }
+            return super.invokeLogicalHandlersHandleFault(requestor, context);
+         } finally {
+            SecurityActions.setContextClassLoader(original);
+         }
       }
 
       @Override
       public boolean invokeProtocolHandlersHandleFault(boolean requestor, MessageContext context)
       {
-         if (context.containsKey(KEY)) {
+         if (!skip && context.containsKey(KEY)) {
             return true;
          }
-         return super.invokeProtocolHandlersHandleFault(requestor, context);
+         ClassLoader original = SecurityActions.getContextClassLoader();
+         try {
+            if (original instanceof JAXPDelegateClassLoader) {
+               JAXPDelegateClassLoader jaxpLoader = (JAXPDelegateClassLoader)original;
+               SecurityActions.setContextClassLoader(jaxpLoader.getDelegate());
+            }
+            return super.invokeProtocolHandlersHandleFault(requestor, context);
+         } finally {
+            SecurityActions.setContextClassLoader(original);
+         }
       }
 
       protected void checkAuthorization(MessageContext ctx)
@@ -138,7 +206,7 @@ protected void checkAuthorization(MessageContext ctx)
          Exchange exchange = message.getExchange();
          Endpoint ep = exchange.get(Endpoint.class);
          EJBMethodSecurityAttributeProvider attributeProvider = ep
-               .getAttachment(EJBMethodSecurityAttributeProvider.class);
+                 .getAttachment(EJBMethodSecurityAttributeProvider.class);
          if (attributeProvider != null) //ejb endpoints only can be associated with this...
          {
             SecurityContext secCtx = message.get(SecurityContext.class);
@@ -174,5 +242,4 @@ protected void checkAuthorization(MessageContext ctx)
          }
       }
    }
-
-}
+}
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jboss.wsf.stack.cxf.interceptor;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import org.jboss.wsf.stack.cxf.JAXPDelegateClassLoader;
+
+/**
+ * 
+ * @author [email protected]
+ * @since 17-Feb-2010
+ *
+ */
+class SecurityActions
+{
+   /**
+    * Get context classloader.
+    * 
+    * @return the current context classloader
+    */
+   static ClassLoader getContextClassLoader()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm == null)
+      {
+         return Thread.currentThread().getContextClassLoader();
+      }
+      else
+      {
+         return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run()
+            {
+               return Thread.currentThread().getContextClassLoader();
+            }
+         });
+      }
+   }
+
+   /**
+    * Set context classloader.
+    *
+    * @param classLoader the classloader
+    */
+   static void setContextClassLoader(final ClassLoader classLoader)
+   {
+      if (System.getSecurityManager() == null)
+      {
+         Thread.currentThread().setContextClassLoader(classLoader);
+      }
+      else
+      {
+         AccessController.doPrivileged(new PrivilegedAction<Object>()
+         {
+            public Object run()
+            {
+               Thread.currentThread().setContextClassLoader(classLoader);
+               return null;
+            }
+         });
+      }
+   }
+}
@@ -106,6 +106,11 @@
           <artifactId>cxf-rt-features-throttling</artifactId>
           <scope>test</scope>
       </dependency>
+      <dependency>
+          <groupId>jakarta.enterprise</groupId>
+          <artifactId>jakarta.enterprise.cdi-api</artifactId>
+          <scope>test</scope>
+      </dependency>
   </dependencies>
   <!-- Profiles -->
   <profiles>