[jboss-cvs] JBossAS SVN: r67474 - in projects/security/security-jboss-sx/trunk/jbosssx/src: main/org/jboss/security/authorization/modules and 5 other directories.
Mon Nov 26 20:43:14 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-11-26 20:43:14 -0500 (Mon, 26 Nov 2007)
New Revision: 67474
Added:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/JavaEEResource.java
projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/web/
projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/web/WebAuthorizationUnitTestCase.java
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/AbstractAuthorizationModule.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/DelegatingAuthorizationModule.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLUtil.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/WebResource.java
projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/WebXACMLUnitTestCase.java
Log:
SECURITY-95: WebResource has methods rather than context map
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/config/AuthorizationModuleEntry.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -39,7 +39,7 @@
{
private String policyModuleName;
private ControlFlag controlFlag;
- private Map options = new HashMap();
+ private Map<String,Object> options = new HashMap<String,Object>();
/**
* Create a new AuthorizationModuleEntry.
@@ -57,7 +57,7 @@
* @param name Policy Module Name
* @param options Options
*/
- public AuthorizationModuleEntry(String name, Map options)
+ public AuthorizationModuleEntry(String name, Map<String,Object> options)
{
this.policyModuleName = name;
this.options = options;
@@ -81,7 +81,7 @@
* Get the options
* @return
*/
- public Map getOptions()
+ public Map<String,Object> getOptions()
{
return options;
}
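Review bot: `getOptions()` still hands out the live options map, and the constructor hunk above (L45) stores the caller's map by reference, so anyone holding either reference can rewrite a module's options after the entry has been built; the generic typing added here does not change that. Module options are configuration a security module relies on, so an unmodifiable view would be safer, `return Collections.unmodifiableMap(options);`, with the constructor copying via `this.options = new HashMap<String,Object>(options);` behind a null guard, since today a null argument overwrites the initialised map with null. The enclosing class continues outside these hunks, and Collections would need an import if the file lacks one.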
@@ -103,4 +103,4 @@
{
this.controlFlag = controlFlag;
}
-}
+}
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/AbstractAuthorizationModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/AbstractAuthorizationModule.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/AbstractAuthorizationModule.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -53,7 +53,7 @@
protected Logger log = null;
/** Map of delegates for the various layers */
- protected Map delegateMap = new HashMap();
+ protected Map<ResourceType,String> delegateMap = new HashMap<ResourceType,String>();
/**
* @see AuthorizationModule#authorize(Resource)
@@ -156,7 +156,7 @@
throws Exception
{
ClassLoader tcl = Thread.currentThread().getContextClassLoader();
- Class clazz = tcl.loadClass(delegateStr);
+ Class<?> clazz = tcl.loadClass(delegateStr);
return (AuthorizationModuleDelegate)clazz.newInstance();
}
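Review bot: The class named by `delegateStr` is instantiated before it is checked against `AuthorizationModuleDelegate`, so a mistyped or tampered delegateMap entry runs an arbitrary no-arg constructor from the TCCL and only then fails with a ClassCastException on the cast at L79. Narrowing the type first keeps the failure at the type check and avoids running the constructor: `return tcl.loadClass(delegateStr).asSubclass(AuthorizationModuleDelegate.class).newInstance();`. The enclosing method starts outside the hunk, so I cannot see where delegateStr originates; if it is only ever populated from module options this is defence in depth rather than an exposed path.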
@@ -175,7 +175,7 @@
throw new IllegalStateException("DelegateMap entry invalid:"+keyPair);
String key = keyst.nextToken();
String value = keyst.nextToken();
- this.delegateMap.put(key,value);
+ this.delegateMap.put(ResourceType.valueOf(key),value);
}
- }
-}
+ }
+}
\ No newline at end of file
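Review bot: `ResourceType.valueOf(key)` on the new line throws a bare IllegalArgumentException for any key that is not an exact enum constant name, including a correct name with surrounding whitespace from the option string, whereas the malformed-pair case just above (L82) reports the offending entry with context. Trimming and translating the failure keeps the error reporting consistent: `ResourceType type; try { type = ResourceType.valueOf(key.trim()); } catch (IllegalArgumentException e) { throw new IllegalStateException("DelegateMap entry invalid:" + keyPair, e); }` followed by `this.delegateMap.put(type, value);`. The enclosing method begins outside the hunk.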
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/DelegatingAuthorizationModule.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/DelegatingAuthorizationModule.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/DelegatingAuthorizationModule.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -24,6 +24,8 @@
import org.jboss.logging.Logger;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType;
+import org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate;
+import org.jboss.security.authorization.modules.web.WebPolicyModuleDelegate;
//$Id$
@@ -39,10 +41,8 @@
public DelegatingAuthorizationModule()
{
log = Logger.getLogger(getClass());
- delegateMap.put(ResourceType.WEB,
- "org.jboss.security.authorization.modules.web.WebPolicyModuleDelegate");
- delegateMap.put(ResourceType.EJB,
- "org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate");
+ delegateMap.put(ResourceType.WEB, WebPolicyModuleDelegate.class.getName());
+ delegateMap.put(ResourceType.EJB, EJBPolicyModuleDelegate.class.getName());
}
/**
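Review bot: Replacing the class-name strings with `WebPolicyModuleDelegate.class.getName()` and `EJBPolicyModuleDelegate.class.getName()` makes the generic DelegatingAuthorizationModule reference both delegate classes at compile time and load them whenever this constructor runs, which presumably pulls their servlet and EJB dependencies onto the classpath of every deployment that uses this module; the string form appears to have been chosen so the delegate was resolved lazily through the TCCL in `AbstractAuthorizationModule`. If that decoupling is still wanted, keep the names as `private static final String` constants here and leave class resolution to the delegate loader. Behaviour is otherwise unchanged, so this is a coupling concern rather than a defect.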
@@ -52,4 +52,4 @@
{
return this.invokeDelegate(resource);
}
-}
+}
\ No newline at end of file
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -0,0 +1,304 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.authorization.modules.web;
+
+import java.io.IOException;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.Policy;
+import java.security.Principal;
+import java.security.ProtectionDomain;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebRoleRefPermission;
+import javax.security.jacc.WebUserDataPermission;
+import javax.servlet.http.HttpServletRequest;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.AuthorizationManager;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.PolicyRegistration;
+import org.jboss.security.authorization.Resource;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.authorization.modules.AuthorizationModuleDelegate;
+import org.jboss.security.authorization.resources.WebResource;
+
+
+//$Id: WebJACCPolicyModuleDelegate.java 62923 2007-05-09 03:08:14Z anil.saldhana at jboss.com $
+
+/**
+ * JACC based authorization module helper that deals with the web layer
+ * authorization decisions
+ * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ * @since July 7, 2006
+ * @version $Revision: 62923 $
+ */
+public class WebJACCPolicyModuleDelegate extends AuthorizationModuleDelegate
+{
+ private Policy policy = Policy.getPolicy();
+ private AuthorizationManager authorizationManager;
+ private HttpServletRequest request = null;
+ private CodeSource webCS = null;
+
+ private String canonicalRequestURI = null;
+
+ public WebJACCPolicyModuleDelegate()
+ {
+ log = Logger.getLogger(WebJACCPolicyModuleDelegate.class);
+ trace = log.isTraceEnabled();
+ }
+
+ /**
+ * @see AuthorizationModuleDelegate#authorize(Resource)
+ */
+ public int authorize(Resource resource)
+ {
+ if(resource instanceof WebResource == false)
+ throw new IllegalArgumentException("resource is not a WebResource");
+
+ WebResource webResource = (WebResource) resource;
+
+ //Get the context map
+ Map<String,Object> map = resource.getMap();
+ if(map == null)
+ throw new IllegalStateException("Map from the Resource is null");
+
+ //Get the Authorization Manager
+ authorizationManager = (AuthorizationManager)map.get(ResourceKeys.AUTHORIZATION_MANAGER);
+ if(authorizationManager == null)
+ throw new IllegalStateException("Authorization Manager is null");
+
+ //Get the Request Object
+ request = (HttpServletRequest) webResource.getServletRequest();
+
+ webCS = webResource.getCodeSource();
+ this.canonicalRequestURI = webResource.getCanonicalRequestURI();
+
+ //Obtained by establishing subject context
+ Subject callerSubject = webResource.getCallerSubject();
+
+ String roleName = (String)map.get(ResourceKeys.ROLENAME);
+ Principal principal = (Principal)map.get(ResourceKeys.HASROLE_PRINCIPAL);
+ Set<Principal> roles = (Set<Principal>)map.get(ResourceKeys.PRINCIPAL_ROLES);
+ String servletName = (String)map.get(ResourceKeys.SERVLET_NAME);
+ Boolean resourceCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.RESOURCE_PERM_CHECK));
+ Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK));
+ Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK));
+
+ validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck);
+
+ boolean decision = false;
+
+ try
+ {
+ if(resourceCheck)
+ decision = this.hasResourcePermission(callerSubject);
+ else
+ if(userDataCheck)
+ decision = this.hasUserDataPermission();
+ else
+ if(roleRefCheck)
+ decision = this.hasRole(principal, roleName, roles, servletName);
+ else
+ if(trace)
+ log.trace("Check is not for resourcePerm, userDataPerm or roleRefPerm.");
+ }
+ catch(IOException ioe)
+ {
+ if(trace)
+ log.trace("IOException:",ioe);
+ }
+ return decision ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
+ }
+
+ /**
+ * @see AuthorizationModuleDelegate#setPolicyRegistrationManager(PolicyRegistration)
+ */
+ public void setPolicyRegistrationManager(PolicyRegistration authzM)
+ {
+ this.policyRegistration = authzM;
+ }
+
+ //****************************************************************************
+ // PRIVATE METHODS
+ //****************************************************************************
+ /** See if the given JACC permission is implied using the caller as
+ * obtained from either the
+ * PolicyContext.getContext(javax.security.auth.Subject.container) or
+ * the info associated with the requestPrincipal.
+ *
+ * @param perm - the JACC permission to check
+ * @param requestPrincpal - the http request getPrincipal
+ * @param caller the authenticated subject obtained by establishSubjectContext
+ * @return true if the permission is allowed, false otherwise
+ */
+ private boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal,
+ Subject caller)
+ {
+ // Get the caller principals, its null if there is no caller
+ Principal[] principals = null;
+
+ //Previously we relied on principals in the subject. Now we use
+ //the security context roles
+ if(authorizationManager != null)
+ {
+ Set<Principal> roleset = authorizationManager.getUserRoles(requestPrincpal);
+ principals = new Principal[roleset.size()];
+ roleset.toArray(principals);
+ }
+
+ return checkSecurityAssociation(perm, principals);
+ }
+
+
+ /** See if the given permission is implied by the Policy. This calls
+ * Policy.implies(pd, perm) with the ProtectionDomain built from the
+ * active CodeSource set by the JaccContextValve, and the given
+ * principals.
+ *
+ * @param perm - the JACC permission to evaluate
+ * @param principals - the possibly null set of principals for the caller
+ * @return true if the permission is allowed, false otherwise
+ */
+ private boolean checkSecurityAssociation(Permission perm, Principal[] principals)
+ {
+ ProtectionDomain pd = new ProtectionDomain(webCS, null, null, principals);
+ boolean allowed = policy.implies(pd, perm);
+ if( trace )
+ {
+ String msg = (allowed ? "Allowed: " : "Denied: ") +perm;
+ log.trace(msg);
+ }
+ return allowed;
+ }
+
+ /**
+ * Ensure that the bool is a valid value
+ * @param bool
+ * @return bool or Boolean.FALSE (when bool is null)
+ */
+ private Boolean checkBooleanValue(Boolean bool)
+ {
+ if(bool == null)
+ return Boolean.FALSE;
+ return bool;
+ }
+
+
+ /**
+ * Perform hasResourcePermission Check
+ * @param request
+ * @param response
+ * @param securityConstraints
+ * @param context
+ * @param caller
+ * @return
+ * @throws IOException
+ */
+ private boolean hasResourcePermission(Subject caller)
+ throws IOException
+ {
+ Principal requestPrincipal = request.getUserPrincipal();
+ WebResourcePermission perm = new WebResourcePermission(this.canonicalRequestURI,
+ request.getMethod());
+ boolean allowed = checkSecurityAssociation(perm, requestPrincipal, caller );
+ if( trace )
+ log.trace("hasResourcePermission, perm="+perm+", allowed="+allowed);
+ return allowed;
+ }
+
+ /**
+ * Perform hasRole check
+ * @param principal
+ * @param role
+ * @param roles
+ * @return
+ */
+ private boolean hasRole(Principal principal, String roleName,
+ Set<Principal> roles, String servletName)
+ {
+ WebRoleRefPermission perm = new WebRoleRefPermission(servletName, roleName);
+ Principal[] principals = {principal};
+ if( roles != null )
+ {
+ principals = new Principal[roles.size()];
+ roles.toArray(principals);
+ }
+ boolean allowed = checkSecurityAssociation(perm, principals);
+ if( trace )
+ log.trace("hasRole, perm="+perm+", allowed="+allowed);
+ return allowed;
+ }
+
+ /**
+ * Perform hasUserDataPermission check for the realm.
+ * If this module returns false, the base class (Realm) will
+ * make the decision as to whether a redirection to the ssl
+ * port needs to be done
+ * @param request
+ * @param response
+ * @param constraints
+ * @return
+ * @throws IOException
+ */
+ private boolean hasUserDataPermission() throws IOException
+ {
+ WebUserDataPermission perm = new WebUserDataPermission(this.canonicalRequestURI,
+ request.getMethod());
+ if( trace )
+ log.trace("hasUserDataPermission, p="+perm);
+ boolean ok = false;
+ try
+ {
+ Principal[] principals = null;
+ ok = checkSecurityAssociation(perm, principals);
+ }
+ catch(Exception e)
+ {
+ if( trace )
+ log.trace("Failed to checkSecurityAssociation", e);
+ }
+ return ok;
+ }
+
+ /**
+ * Validate that the access check is made only for one of the
+ * following
+ * @param resourceCheck
+ * @param userDataCheck
+ * @param roleRefCheck
+ */
+ private void validatePermissionChecks(Boolean resourceCheck,
+ Boolean userDataCheck, Boolean roleRefCheck)
+ {
+ if(trace)
+ log.trace("resourceCheck="+resourceCheck + " : userDataCheck=" + userDataCheck
+ + " : roleRefCheck=" + roleRefCheck);
+ if((resourceCheck == Boolean.TRUE && userDataCheck == Boolean.TRUE && roleRefCheck == Boolean.TRUE )
+ || (resourceCheck == Boolean.TRUE && userDataCheck == Boolean.TRUE)
+ || (userDataCheck == Boolean.TRUE && roleRefCheck == Boolean.TRUE))
+ throw new IllegalStateException("Permission checks must be different");
+ }
+}
\ No newline at end of file
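Review bot: `validatePermissionChecks` (L426–L428) rejects every pair of simultaneous checks except `resourceCheck` together with `roleRefCheck`, so a caller that sets both gets no error and, by the if/else chain at L243–L250, silently receives only the resource-permission decision. Counting the flags is simpler and closes the gap: `int checks = (resourceCheck ? 1 : 0) + (userDataCheck ? 1 : 0) + (roleRefCheck ? 1 : 0); if (checks > 1) throw new IllegalStateException("Permission checks must be different");`, which also drops the `== Boolean.TRUE` identity comparisons that would fail for a `Boolean` instance other than the canonical constant. Separately, `authorize` stores the request, CodeSource and canonical URI in instance fields (L221–L224) that the private checks read back; if a delegate instance is ever shared between concurrent requests, one request's permission could be evaluated against another's URI and CodeSource, so either pass these as parameters or document that the delegate is created per invocation.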
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebPolicyModuleDelegate.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebPolicyModuleDelegate.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -48,4 +48,4 @@
{
return AuthorizationContext.PERMIT;
}
-}
+}
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLPolicyModuleDelegate.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLPolicyModuleDelegate.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -22,22 +22,23 @@
package org.jboss.security.authorization.modules.web;
import java.security.Principal;
-import java.util.Map;
+import java.util.Map;
-import javax.security.jacc.PolicyContext;
+import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
-
-import org.jboss.logging.Logger;
+
+import org.jboss.logging.Logger;
import org.jboss.security.AuthorizationManager;
-import org.jboss.security.authorization.AuthorizationContext;
-import org.jboss.security.authorization.Resource;
+import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.PolicyRegistration;
+import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.AuthorizationModuleDelegate;
+import org.jboss.security.authorization.resources.WebResource;
import org.jboss.security.authorization.sunxacml.JBossXACMLUtil;
import com.sun.xacml.Policy;
-import com.sun.xacml.ctx.RequestCtx;
+import com.sun.xacml.ctx.RequestCtx;
//$Id: WebXACMLPolicyModuleDelegate.java 46543 2006-07-27 20:22:05Z asaldhana $
@@ -61,15 +62,23 @@
*/
public int authorize(Resource resource)
{
+ if(resource instanceof WebResource == false)
+ throw new IllegalArgumentException("resource is not a WebResource");
+
+ WebResource webResource = (WebResource) resource;
+
//Get the contextual map
- Map map = resource.getMap();
+ Map<String,Object> map = resource.getMap();
if(map == null)
throw new IllegalStateException("Map from the Resource is null");
if(map.size() == 0)
throw new IllegalStateException("Map from the Resource is size zero");
//Get the Catalina Request Object
- HttpServletRequest request = (HttpServletRequest)map.get(ResourceKeys.WEB_REQUEST);
+ //HttpServletRequest request = (HttpServletRequest)map.get(ResourceKeys.WEB_REQUEST);
+
+ HttpServletRequest request = (HttpServletRequest)webResource.getServletRequest();
+
AuthorizationManager am = (AuthorizationManager) map.get("authorizationManager");
if(am == null)
throw new IllegalStateException("Authorization Manager is null");
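Review bot: The request obtained from `webResource.getServletRequest()` at L494 is used without a null check, while the map lookup it replaces is left behind as the commented-out line at L492; with the new setter-based resource a missing request is a realistic misconfiguration, and the method already throws IllegalStateException for a missing map. Drop the dead line and fail explicitly: `if (request == null) throw new IllegalStateException("Servlet request is null in the WebResource");`. The authorization-manager lookup at L496 still uses the literal `"authorizationManager"` where the JACC delegate in this commit uses `ResourceKeys.AUTHORIZATION_MANAGER`; if the two values differ, this path will always report a missing manager, so the constant would be safer. The enclosing method continues outside the hunk.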
@@ -131,4 +140,4 @@
}
return result;
}
- }
+ }
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLUtil.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLUtil.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/web/WebXACMLUtil.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -101,10 +101,10 @@
actionSet.add(new Attribute(new URI(XACMLConstants.ACTION_IDENTIFIER),
null,null, new StringAttribute(action)));
- Enumeration enumer = request.getParameterNames();
+ Enumeration<String> enumer = request.getParameterNames();
while(enumer.hasMoreElements())
{
- String paramName = (String)enumer.nextElement();
+ String paramName = enumer.nextElement();
String paramValue = request.getParameter(paramName);
URI actionUri = new URI(actionURIBase + paramName);
Attribute actionAttr = new Attribute(actionUri,null,null,
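Review bot: Request parameter names in this loop are client-controlled, so `new URI(actionURIBase + paramName)` at L520 throws URISyntaxException for any name containing characters that are illegal in a URI and aborts the whole request-context build; the caller (outside the hunk) should treat that as a denial rather than an unexpected failure, or the loop should skip or percent-encode such names so one odd parameter cannot bypass building the rest of the context. The `Enumeration<String>` assignment at L514 compiles cleanly only against a servlet API whose `getParameterNames()` is generic; against an older raw `Enumeration` it is an unchecked conversion, so confirm the API level the build targets.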
@@ -132,15 +132,15 @@
return requestCtx;
}
- private Set getXACMLRoleSet(Set roles) throws Exception
+ private Set<Attribute> getXACMLRoleSet(Set<Principal> roles) throws Exception
{
URI roleURI = new URI(XACMLConstants.SUBJECT_ROLE_IDENTIFIER);
- Set roleset = new HashSet();
- Iterator iter = roles != null ? roles.iterator(): null;
+ Set<Attribute> roleset = new HashSet<Attribute>();
+ Iterator<Principal> iter = roles != null ? roles.iterator(): null;
while(iter != null && iter.hasNext())
{
- Principal role = (Principal)iter.next();
+ Principal role = iter.next();
if(role instanceof SimplePrincipal)
{
SimplePrincipal sp = (SimplePrincipal)role;
@@ -151,4 +151,4 @@
}
return roleset;
}
-}
+}
\ No newline at end of file
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/JavaEEResource.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/JavaEEResource.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/JavaEEResource.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -0,0 +1,150 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.authorization.resources;
+
+import java.security.CodeSource;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityRoleRef;
+import org.jboss.security.authorization.Resource;
+import org.jboss.security.authorization.ResourceType;
+
+//$Id$
+
+/**
+ * Represents a Java EE Resource
+ * @author Anil.Saldhana at redhat.com
+ * @since Nov 26, 2007
+ * @version $Revision$
+ */
+public abstract class JavaEEResource implements Resource
+{
+ protected Map<String,Object> map = new HashMap<String,Object>();
+
+ protected Subject callerSubject = null;
+ protected RunAsIdentity callerRunAsIdentity = null;
+
+ protected CodeSource codeSource = null;
+
+ protected Principal principal = null;
+
+ protected Set<SecurityRoleRef> securityRoleReferences = null;
+
+ public abstract ResourceType getLayer();
+
+ /**
+ * @see Resource#getMap()
+ */
+ public Map<String, Object> getMap()
+ {
+ return map;
+ }
+
+ /**
+ * Get the Caller Subject
+ * @return
+ */
+ public Subject getCallerSubject()
+ {
+ return callerSubject;
+ }
+
+ /**
+ * Set the Caller Subject
+ * @param callerSubject
+ */
+ public void setCallerSubject(Subject callerSubject)
+ {
+ this.callerSubject = callerSubject;
+ }
+
+ /**
+ * Get the Caller RunAsIdentity
+ * @return
+ */
+ public RunAsIdentity getCallerRunAsIdentity()
+ {
+ return callerRunAsIdentity;
+ }
+
+ /**
+ * Set the Caller RunAsIdentity
+ * @param callerRunAsIdentity
+ */
+ public void setCallerRunAsIdentity(RunAsIdentity callerRunAsIdentity)
+ {
+ this.callerRunAsIdentity = callerRunAsIdentity;
+ }
+
+ /**
+ * Get the CodeSource
+ * @return
+ */
+ public CodeSource getCodeSource()
+ {
+ return codeSource;
+ }
+
+ /**
+ * Set the CodeSource
+ * @param codeSource
+ */
+ public void setCodeSource(CodeSource codeSource)
+ {
+ this.codeSource = codeSource;
+ }
+
+ public Principal getPrincipal()
+ {
+ return principal;
+ }
+
+ public void setPrincipal(Principal principal)
+ {
+ this.principal = principal;
+ }
+
+ /**
+ * Get the set of Security Role Reference objects
+ * defined in the deployment descriptor
+ * @return
+ */
+ public Set<SecurityRoleRef> getSecurityRoleReferences()
+ {
+ return securityRoleReferences;
+ }
+
+ /**
+ * Set the security role references
+ * @param securityRoleReferences
+ */
+ public void setSecurityRoleReferences(Set<SecurityRoleRef> securityRoleReferences)
+ {
+ this.securityRoleReferences = securityRoleReferences;
+ }
+}
\ No newline at end of file
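Review bot: The Javadoc on the new accessors has empty `@return` tags throughout (L621, L639, L657, L686), and `getPrincipal`/`setPrincipal` at L673–L681 carry no documentation at all even though the EJB test in this commit switches between the permit and deny cases purely by calling `setPrincipal`, so this field is evidently the identity the decision is made for. State that contract on the accessor, e.g. `/** Get the Principal whose access to this resource is being decided; null until set */`, and fill in the other tags. `getMap()` and `getSecurityRoleReferences()` also return the live mutable collections; if callers are not meant to mutate them after construction, say so in the Javadoc or return unmodifiable views.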
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/WebResource.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/WebResource.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/resources/WebResource.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -21,9 +21,10 @@
*/
package org.jboss.security.authorization.resources;
-import java.util.HashMap;
import java.util.Map;
+import javax.servlet.ServletRequest;
+
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType;
@@ -35,10 +36,11 @@
* @since Jun 18, 2006
* @version $Revision: 62260 $
*/
-public class WebResource implements Resource
-{
- private Map map = new HashMap();
+public class WebResource extends JavaEEResource
+{
+ private ServletRequest servletRequest = null;
+ private String canonicalRequestURI = null;
/**
* Create a new WebResource.
*/
@@ -52,7 +54,7 @@
*
* @param map Contextual Map
*/
- public WebResource(Map map)
+ public WebResource(Map<String,Object> map)
{
this.map = map;
}
@@ -63,29 +65,35 @@
public ResourceType getLayer()
{
return ResourceType.WEB;
+ }
+
+ public String getCanonicalRequestURI()
+ {
+ return canonicalRequestURI;
}
- /**
- * @see Resource#getMap()
- */
- public Map getMap()
+ public void setCanonicalRequestURI(String canonicalRequestURI)
{
- return map;
+ this.canonicalRequestURI = canonicalRequestURI;
}
-
- /**
- * Set the contextual map
- * @param m Contextual Map
- */
- public void setMap(Map m)
+
+ public ServletRequest getServletRequest()
{
- this.map = m;
- }
-
+ return servletRequest;
+ }
+
+ public void setServletRequest(ServletRequest servletRequest)
+ {
+ this.servletRequest = servletRequest;
+ }
+
public String toString()
{
StringBuffer buf = new StringBuffer();
- buf.append("[").append(getClass().getName()).append(":contextMap=").append(map).append("]");
+ buf.append("[").append(getClass().getName()).append(":contextMap=").append(map).
+ append("canonicalRequestURI=").append(this.canonicalRequestURI).
+ append("CodeSource=").append(this.codeSource).
+ append("]");
return buf.toString();
}
-}
+}
\ No newline at end of file
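Review bot: `toString()` at L782–L785 concatenates the fields without separators, so the output reads as `...contextMap={...}canonicalRequestURI=...CodeSource=...`; prefix each label with a delimiter, `append(":canonicalRequestURI=")` and `append(":codeSource=")`. The new `getCanonicalRequestURI`/`setCanonicalRequestURI`/`getServletRequest`/`setServletRequest` accessors at L745–L776 have no Javadoc, and since the JACC delegate builds `WebResourcePermission` directly from the canonical URI, it would help to state what "canonical" means here (presumably the normalised, context-relative path) and who is responsible for computing it. `StringBuffer` can be `StringBuilder` as no synchronisation is needed. Note that the whole context map is printed verbatim, so anything sensitive a caller places in it will appear wherever the resource is logged.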
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/web/WebAuthorizationUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/web/WebAuthorizationUnitTestCase.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/web/WebAuthorizationUnitTestCase.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -0,0 +1,114 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.authorization.web;
+
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.jacc.PolicyContext;
+import javax.servlet.http.HttpServletRequest;
+
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextFactory;
+import org.jboss.security.SimpleGroup;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.auth.callback.AppCallbackHandler;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.authorization.config.AuthorizationModuleEntry;
+import org.jboss.security.authorization.modules.DelegatingAuthorizationModule;
+import org.jboss.security.authorization.resources.WebResource;
+import org.jboss.security.config.ApplicationPolicy;
+import org.jboss.security.config.AuthorizationInfo;
+import org.jboss.security.config.SecurityConfiguration;
+import org.jboss.security.jacc.SubjectPolicyContextHandler;
+import org.jboss.security.plugins.JBossAuthorizationManager;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.authorization.JBossAuthorizationContext;
+import org.jboss.test.util.TestHttpServletRequest;
+
+import junit.framework.TestCase;
+
+//$Id$
+
+/**
+ * Unit Test the Web Authorization Modules
+ * @author Anil.Saldhana at redhat.com
+ * @since Nov 26, 2007
+ * @version $Revision$
+ */
+public class WebAuthorizationUnitTestCase extends TestCase
+{
+ protected void setUp() throws Exception
+ {
+ PolicyContext.registerHandler(SecurityConstants.SUBJECT_CONTEXT_KEY,
+ new SubjectPolicyContextHandler(), true);
+ }
+
+ public void testRegularWebAccess() throws Exception
+ {
+ Principal ejbPrincipal = new SimplePrincipal("SomePrincipal");
+ setUpRegularConfiguration(ejbPrincipal);
+
+ //Create a ContextMap
+ Map<String,Object> cmap = new HashMap<String,Object>();
+ cmap.put(ResourceKeys.AUTHORIZATION_MANAGER, new JBossAuthorizationManager("test"));
+
+ HttpServletRequest hsr = new TestHttpServletRequest(new SimplePrincipal("someprincipal"),
+ "/someuri", "GET");
+ WebResource webResource = new WebResource(cmap);
+ webResource.setServletRequest(hsr);
+
+ AuthorizationContext ac = new JBossAuthorizationContext("test",
+ new Subject(), new AppCallbackHandler("a","b".toCharArray()));
+ int result = ac.authorize(webResource);
+ assertEquals(AuthorizationContext.PERMIT, result);
+ }
+
+ private void setUpRegularConfiguration(Principal ejbPrincipal) throws Exception
+ {
+ Subject subject = new Subject();
+ SimpleGroup sg = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER);
+ sg.addMember(new SimplePrincipal("roleA"));
+ subject.getPrincipals().add(sg);
+
+ SecurityContext jsc = SecurityContextFactory.createSecurityContext("test");
+ jsc.getUtil().createSubjectInfo(ejbPrincipal, "dummy", subject);
+ SecurityContextAssociation.setSecurityContext(jsc);
+
+ SecurityConfiguration.addApplicationPolicy(getApplicationPolicy("test"));
+ }
+
+ private ApplicationPolicy getApplicationPolicy(String domain)
+ {
+ AuthorizationInfo ai = new AuthorizationInfo(domain);
+ String moduleName = DelegatingAuthorizationModule.class.getName();
+ AuthorizationModuleEntry ame = new AuthorizationModuleEntry(moduleName);
+ ai.add(ame);
+ ApplicationPolicy ap = new ApplicationPolicy(domain);
+ ap.setAuthorizationInfo(ai);
+ return ap;
+ }
+}
\ No newline at end of file
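Review bot: `testRegularWebAccess` can only ever observe PERMIT, because the delegate that `DelegatingAuthorizationModule` registers for WEB resources (`WebPolicyModuleDelegate`, touched in this commit) returns `AuthorizationContext.PERMIT` unconditionally, so the assertion at L882 does not verify any authorization decision; a DENY case, or a test driving `WebJACCPolicyModuleDelegate` against a policy that denies, would give the new resource accessors real coverage. `setUpRegularConfiguration` also installs a thread-bound `SecurityContext` via `SecurityContextAssociation.setSecurityContext(jsc)` (L894) and never clears it, so add a `tearDown()` that resets it (e.g. `SecurityContextAssociation.setSecurityContext(null);`, or whatever clear method the class provides) to avoid leaking state into later tests on the same thread. The `ejbPrincipal` name in a web test looks copied from the EJB case.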
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -70,26 +70,32 @@
setSecurityConfiguration();
}
- public void testEJBPolicyContextHandler() throws Exception
+ public void testValidEJBPolicyContextHandler() throws Exception
{
EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
- Resource er = getEJBResource();
- assertEquals(AuthorizationContext.PERMIT, pc.authorize(er));
- //Now change the ejb principal
- er.getMap().put(ResourceKeys.EJB_PRINCIPAL, new SimplePrincipal("baduser"));
+ EJBResource er = getEJBResource();
+ assertEquals(AuthorizationContext.PERMIT, pc.authorize(er));
+ }
+
+ public void testInvalidEJBPolicyContextHandler() throws Exception
+ {
+ EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
+ EJBResource er = getEJBResource();
+ er.setPrincipal(new SimplePrincipal("baduser"));
assertEquals(AuthorizationContext.DENY, pc.authorize(er));
}
- private Resource getEJBResource()
+ private EJBResource getEJBResource()
{
- HashMap map = new HashMap();
- map.put(ResourceKeys.EJB_NAME, "StatelessSession");
- map.put(ResourceKeys.EJB_METHOD, StatelessSession.class.getMethods()[0]);
+ HashMap<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.SECURITY_CONTEXT_ROLES, getRoleGroup());
map.put(ResourceKeys.AUTHORIZATION_MANAGER, this.getAuthorizationManager());
- map.put(ResourceKeys.EJB_PRINCIPAL, p);
- return new EJBResource(map);
+ EJBResource er = new EJBResource(map);
+ er.setEjbName("StatelessSession");
+ er.setEjbMethod(StatelessSession.class.getMethods()[0]);
+ er.setPrincipal(p);
+ return er;
}
private AuthorizationManager getAuthorizationManager()
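Review bot: `er.setEjbMethod(StatelessSession.class.getMethods()[0])` in getEJBResource() hands the policy delegate an unspecified method: `Class.getMethods()` returns public methods in no defined order and, for a class, also includes the ones inherited from `Object`, so element 0 may be `hashCode` or `equals` rather than `echo` depending on the JVM. The PERMIT assertion in testValidEJBPolicyContextHandler and the DENY assertion in testInvalidEJBPolicyContextHandler would then be evaluated against a method the XACML policy was presumably not written for, which makes the authorization check under test non-deterministic. Resolve the method by name instead: `er.setEjbMethod(StatelessSession.class.getMethod("echo"));`. The `StatelessSession` declaration lies outside this hunk, so I am assuming `echo` is the method the policy is meant to cover.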
@@ -146,4 +152,4 @@
{
public void echo(){}
}
-}
+}
\ No newline at end of file
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/WebXACMLUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/WebXACMLUnitTestCase.java 2007-11-27 01:42:02 UTC (rev 67473)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/tests/org/jboss/test/authorization/xacml/WebXACMLUnitTestCase.java 2007-11-27 01:43:14 UTC (rev 67474)
@@ -35,10 +35,10 @@
import org.jboss.security.AuthorizationManager;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.AuthorizationContext;
-import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.web.WebXACMLPolicyModuleDelegate;
import org.jboss.security.authorization.resources.WebResource;
@@ -47,7 +47,6 @@
import org.jboss.security.jacc.SubjectPolicyContextHandler;
import org.jboss.security.plugins.JBossAuthorizationManager;
import org.jboss.security.plugins.SecurityContextAssociation;
-import org.jboss.security.SecurityContextFactory;
import org.jboss.test.SecurityActions;
import org.jboss.test.util.TestHttpServletRequest;
@@ -73,22 +72,34 @@
setSecurityConfiguration();
}
- public void testWebPolicyContextHandler() throws Exception
+ public void testValidWebPolicyContextHandler() throws Exception
{
WebXACMLPolicyModuleDelegate pc = new WebXACMLPolicyModuleDelegate();
- Resource er = getResource();
+ WebResource er = getResource();
+ er.setServletRequest(new TestHttpServletRequest(p, uri, "GET"));
assertEquals(AuthorizationContext.PERMIT, pc.authorize(er));
Principal principal = new SimplePrincipal("Notjduke");
HttpServletRequest hsr = new TestHttpServletRequest(principal, uri, "GET");
- //Now change the ejb principal
- er.getMap().put(ResourceKeys.WEB_REQUEST, hsr);
+ //Now change the ejb principal
+ er.setServletRequest(hsr);
assertEquals(AuthorizationContext.DENY, pc.authorize(er));
}
- private Resource getResource()
+ public void testInvalidWebPolicyContextHandler() throws Exception
+ {
+ WebXACMLPolicyModuleDelegate pc = new WebXACMLPolicyModuleDelegate();
+ WebResource er = getResource();
+ Principal principal = new SimplePrincipal("Notjduke");
+ HttpServletRequest hsr = new TestHttpServletRequest(principal, uri, "GET");
+ //Now change the ejb principal
+ er.setServletRequest(hsr);
+ assertEquals(AuthorizationContext.DENY, pc.authorize(er));
+ }
+
+ private WebResource getResource()
{
HashMap map = new HashMap();
- map.put(ResourceKeys.WEB_REQUEST, new TestHttpServletRequest(p, uri, "GET"));
+ // map.put(ResourceKeys.WEB_REQUEST, new TestHttpServletRequest(p, uri, "GET"));
map.put(ResourceKeys.AUTHORIZATION_MANAGER, this.getAuthorizationManager());
return new WebResource(map);