[seam-commits] Seam SVN: r7550 - in trunk/src/main/org/jboss/seam: security and 2 other directories.
Thu Mar 13 00:32:40 EDT 2008
Author: shane.bryzak at jboss.com
Date: 2008-03-13 00:32:39 -0400 (Thu, 13 Mar 2008)
New Revision: 7550
Added:
trunk/src/main/org/jboss/seam/security/permission/
trunk/src/main/org/jboss/seam/security/permission/DynamicPermissionResolver.java
trunk/src/main/org/jboss/seam/security/permission/PermissionCheck.java
trunk/src/main/org/jboss/seam/security/permission/PermissionMapper.java
trunk/src/main/org/jboss/seam/security/permission/PermissionResolver.java
trunk/src/main/org/jboss/seam/security/permission/ResolverChain.java
trunk/src/main/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
Removed:
trunk/src/main/org/jboss/seam/security/DynamicPermissionResolver.java
trunk/src/main/org/jboss/seam/security/PermissionCheck.java
trunk/src/main/org/jboss/seam/security/PermissionMapper.java
trunk/src/main/org/jboss/seam/security/PermissionResolver.java
trunk/src/main/org/jboss/seam/security/ResolverChain.java
trunk/src/main/org/jboss/seam/security/RuleBasedPermissionResolver.java
Modified:
trunk/src/main/org/jboss/seam/init/ComponentDescriptor.java
trunk/src/main/org/jboss/seam/security/Identity.java
trunk/src/main/org/jboss/seam/security/management/IdentityStore.java
Log:
refactored
Modified: trunk/src/main/org/jboss/seam/init/ComponentDescriptor.java
===================================================================
--- trunk/src/main/org/jboss/seam/init/ComponentDescriptor.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/init/ComponentDescriptor.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -8,7 +8,7 @@
import org.jboss.seam.annotations.Install;
import org.jboss.seam.annotations.Startup;
import org.jboss.seam.core.Init;
-import org.jboss.seam.security.PermissionResolver;
+import org.jboss.seam.security.permission.PermissionResolver;
import org.jboss.seam.web.AbstractResource;
/**
Deleted: trunk/src/main/org/jboss/seam/security/DynamicPermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/DynamicPermissionResolver.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/DynamicPermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,17 +0,0 @@
-package org.jboss.seam.security;
-
-import java.io.Serializable;
-
-/**
- * Resolves permissions dynamically assigned in a peristent store, such as a
- * database, for example.
- *
- * @author Shane Bryzak
- */
-public class DynamicPermissionResolver implements PermissionResolver, Serializable
-{
- public boolean hasPermission(Object target, String action)
- {
- return true;
- }
-}
Modified: trunk/src/main/org/jboss/seam/security/Identity.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/Identity.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/Identity.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -39,6 +39,7 @@
import org.jboss.seam.log.LogProvider;
import org.jboss.seam.log.Logging;
import org.jboss.seam.persistence.PersistenceProvider;
+import org.jboss.seam.security.permission.PermissionMapper;
import org.jboss.seam.util.Strings;
import org.jboss.seam.web.Session;
Deleted: trunk/src/main/org/jboss/seam/security/PermissionCheck.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/PermissionCheck.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/PermissionCheck.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,62 +0,0 @@
-package org.jboss.seam.security;
-
-/**
- * Used to assert permission requirements into a WorkingMemory when evaluating
- * a @Restrict expression. The consequence of the rule is responsible for
- * granting the permission.
- *
- * @author Shane Bryzak
- */
-public class PermissionCheck
-{
- private Object target;
-
- @Deprecated
- private String name;
-
- private String action;
- private boolean granted;
-
- public PermissionCheck(Object target, String action)
- {
- if (target instanceof String)
- {
- this.name = (String) target;
- }
-
- this.target = target;
- this.action = action;
- granted = false;
- }
-
- public Object getTarget()
- {
- return target;
- }
-
- @Deprecated
- public String getName()
- {
- return name;
- }
-
- public String getAction()
- {
- return action;
- }
-
- public void grant()
- {
- this.granted = true;
- }
-
- public void revoke()
- {
- this.granted = false;
- }
-
- public boolean isGranted()
- {
- return granted;
- }
-}
Deleted: trunk/src/main/org/jboss/seam/security/PermissionMapper.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/PermissionMapper.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/PermissionMapper.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,118 +0,0 @@
-package org.jboss.seam.security;
-
-import static org.jboss.seam.ScopeType.APPLICATION;
-import static org.jboss.seam.annotations.Install.BUILT_IN;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.jboss.seam.Component;
-import org.jboss.seam.ScopeType;
-import org.jboss.seam.annotations.Install;
-import org.jboss.seam.annotations.Name;
-import org.jboss.seam.annotations.Scope;
-import org.jboss.seam.annotations.Startup;
-import org.jboss.seam.annotations.intercept.BypassInterceptors;
-import org.jboss.seam.contexts.Contexts;
-import org.jboss.seam.core.Init;
-
-/**
- * Maps permission checks to resolver chains
- *
- * @author Shane Bryzak
- */
- at Scope(APPLICATION)
- at Name("org.jboss.seam.security.permissionMapper")
- at Install(precedence = BUILT_IN)
- at BypassInterceptors
- at Startup
-public class PermissionMapper
-{
- private Map<Class,Map<String,String>> resolverChains = new HashMap<Class,Map<String,String>>();
-
- private String defaultResolverChain;
-
- private static final String DEFAULT_RESOLVER_CHAIN = "org.jboss.seam.security.defaultResolverChain";
-
- private ResolverChain getResolverChain(Object target, String action)
- {
- Class targetClass = null;
-
- if (target instanceof Class)
- {
- targetClass = (Class) target;
- }
- else
- {
- // TODO target may be a component name, or an object, or a view name (or arbitrary name) -
- // we need to deal with all of these possibilities
- }
-
- if (targetClass != null)
- {
- Map<String,String> chains = resolverChains.get(target);
- if (chains != null && chains.containsKey(action))
- {
- return (ResolverChain) Component.getInstance(chains.get(action), true);
- }
- }
-
- if (defaultResolverChain != null && !"".equals(defaultResolverChain))
- {
- return (ResolverChain) Component.getInstance(defaultResolverChain, true);
- }
-
- return createDefaultResolverChain();
- }
-
- public boolean resolvePermission(Object target, String action)
- {
- ResolverChain chain = getResolverChain(target, action);
- for (PermissionResolver resolver : chain.getResolvers())
- {
- if (resolver.hasPermission(target, action))
- {
- return true;
- }
- }
-
- return false;
- }
-
- private ResolverChain createDefaultResolverChain()
- {
- ResolverChain chain = (ResolverChain) Contexts.getSessionContext().get(DEFAULT_RESOLVER_CHAIN);
-
- if (chain == null)
- {
- chain = new ResolverChain();
-
- for (String resolverName : Init.instance().getPermissionResolvers())
- {
- chain.getResolvers().add((PermissionResolver) Component.getInstance(resolverName, true));
- }
-
- Contexts.getSessionContext().set(DEFAULT_RESOLVER_CHAIN, chain);
- }
-
- return chain;
- }
-
- public static PermissionMapper instance()
- {
- if ( !Contexts.isApplicationContextActive() )
- {
- throw new IllegalStateException("No active application context");
- }
-
- PermissionMapper instance = (PermissionMapper) Component.getInstance(
- PermissionMapper.class, ScopeType.APPLICATION);
-
- if (instance == null)
- {
- throw new IllegalStateException("No PermissionMapper could be created");
- }
-
- return instance;
- }
-}
Deleted: trunk/src/main/org/jboss/seam/security/PermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/PermissionResolver.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/PermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,6 +0,0 @@
-package org.jboss.seam.security;
-
-public interface PermissionResolver
-{
- boolean hasPermission(Object target, String action);
-}
Deleted: trunk/src/main/org/jboss/seam/security/ResolverChain.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/ResolverChain.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/ResolverChain.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,26 +0,0 @@
-package org.jboss.seam.security;
-
-import static org.jboss.seam.ScopeType.SESSION;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.jboss.seam.annotations.Scope;
-import org.jboss.seam.annotations.intercept.BypassInterceptors;
-
- at Scope(SESSION)
- at BypassInterceptors
-public class ResolverChain
-{
- private List<PermissionResolver> resolvers = new ArrayList<PermissionResolver>();
-
- public List<PermissionResolver> getResolvers()
- {
- return resolvers;
- }
-
- public void setResolvers(List<PermissionResolver> resolvers)
- {
- this.resolvers = resolvers;
- }
-}
Deleted: trunk/src/main/org/jboss/seam/security/RuleBasedPermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/RuleBasedPermissionResolver.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/RuleBasedPermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -1,246 +0,0 @@
-package org.jboss.seam.security;
-
-import static org.jboss.seam.ScopeType.SESSION;
-import static org.jboss.seam.annotations.Install.FRAMEWORK;
-
-import java.io.Serializable;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.List;
-
-import org.drools.FactHandle;
-import org.drools.RuleBase;
-import org.drools.StatefulSession;
-import org.drools.base.ClassObjectFilter;
-import org.jboss.seam.Component;
-import org.jboss.seam.ScopeType;
-import org.jboss.seam.Seam;
-import org.jboss.seam.annotations.Create;
-import org.jboss.seam.annotations.Install;
-import org.jboss.seam.annotations.Name;
-import org.jboss.seam.annotations.Observer;
-import org.jboss.seam.annotations.Scope;
-import org.jboss.seam.annotations.Startup;
-import org.jboss.seam.annotations.intercept.BypassInterceptors;
-import org.jboss.seam.contexts.Contexts;
-import org.jboss.seam.log.LogProvider;
-import org.jboss.seam.log.Logging;
-import org.jboss.seam.security.management.JpaIdentityStore;
-import org.jboss.seam.security.management.UserAccount;
-
- at Name("org.jboss.seam.security.ruleBasedPermissionResolver")
- at Scope(SESSION)
- at BypassInterceptors
- at Install(precedence=FRAMEWORK, classDependencies="org.drools.WorkingMemory")
- at Startup
-public class RuleBasedPermissionResolver implements PermissionResolver, Serializable
-{
- public static final String RULES_COMPONENT_NAME = "securityRules";
-
- private static final LogProvider log = Logging.getLogProvider(RuleBasedPermissionResolver.class);
-
- private StatefulSession securityContext;
-
- private RuleBase securityRules;
-
- @Create
- public boolean create()
- {
- initSecurityContext();
- return getSecurityContext() != null;
- }
-
- protected void initSecurityContext()
- {
- if (getSecurityRules() == null)
- {
- setSecurityRules((RuleBase) Component.getInstance(RULES_COMPONENT_NAME, true));
- }
-
- if (getSecurityRules() != null)
- {
- setSecurityContext(getSecurityRules().newStatefulSession(false));
- }
-
- if (getSecurityContext() == null)
- {
- log.warn("no security rule base available - please install a RuleBase with the name '" +
- RULES_COMPONENT_NAME + "' if permission checks are required.");
- }
- }
-
- @Observer(Identity.EVENT_POST_AUTHENTICATE)
- public void postAuthenticate()
- {
- if (getSecurityContext() != null)
- {
- getSecurityContext().insert(Identity.instance().getPrincipal());
- }
- }
-
- /**
- * Performs a permission check for the specified name and action
- *
- * @param target Object The target of the permission check
- * @param action String The action to be performed on the target
- * @return boolean True if the user has the specified permission
- */
- public boolean hasPermission(Object target, String action)
- {
- StatefulSession securityContext = getSecurityContext();
-
- if (securityContext == null) return false;
-
- List<FactHandle> handles = new ArrayList<FactHandle>();
-
- if (!(target instanceof String) && !(target instanceof Class))
- {
- handles.add( securityContext.insert(target) );
- }
-
- if (target instanceof Class)
- {
- String componentName = Seam.getComponentName((Class) target);
- target = componentName != null ? componentName : ((Class) target).getName();
- }
-
- PermissionCheck check = new PermissionCheck(target, action);
-
- synchronized( securityContext )
- {
- synchronizeContext();
-
- handles.add( securityContext.insert(check) );
-
- securityContext.fireAllRules();
-
- for (FactHandle handle : handles)
- securityContext.retract(handle);
- }
-
- return check.isGranted();
- }
-
- @SuppressWarnings("unchecked")
- @Observer(Identity.EVENT_LOGGED_OUT)
- public void unAuthenticate()
- {
- if (getSecurityContext() != null)
- {
- getSecurityContext().dispose();
- setSecurityContext(null);
- }
- initSecurityContext();
- }
-
- /**
- * Synchronises the state of the security context with that of the subject
- */
- private void synchronizeContext()
- {
- Identity identity = Identity.instance();
-
- getSecurityContext().insert(identity.getPrincipal());
-
- if (getSecurityContext() != null)
- {
- for ( Group sg : identity.getSubject().getPrincipals(Group.class) )
- {
- if ( Identity.ROLES_GROUP.equals( sg.getName() ) )
- {
- Enumeration e = sg.members();
- while (e.hasMoreElements())
- {
- Principal role = (Principal) e.nextElement();
-
- boolean found = false;
- Iterator<Role> iter = getSecurityContext().iterateObjects(new ClassObjectFilter(Role.class));
- while (iter.hasNext())
- {
- Role r = iter.next();
- if (r.getName().equals(role.getName()))
- {
- found = true;
- break;
- }
- }
-
- if (!found)
- {
- getSecurityContext().insert(new Role(role.getName()));
- }
-
- }
- }
- }
-
- Iterator<Role> iter = getSecurityContext().iterateObjects(new ClassObjectFilter(Role.class));
- while (iter.hasNext())
- {
- Role r = iter.next();
- if (!identity.hasRole(r.getName()))
- {
- FactHandle fh = getSecurityContext().getFactHandle(r);
- getSecurityContext().retract(fh);
- }
- }
- }
- }
-
-
- public StatefulSession getSecurityContext()
- {
- return securityContext;
- }
-
- public void setSecurityContext(StatefulSession securityContext)
- {
- this.securityContext = securityContext;
- }
-
-
- public RuleBase getSecurityRules()
- {
- return securityRules;
- }
-
- public void setSecurityRules(RuleBase securityRules)
- {
- this.securityRules = securityRules;
- }
-
- public static RuleBasedPermissionResolver instance()
- {
- if ( !Contexts.isSessionContextActive() )
- {
- throw new IllegalStateException("No active session context");
- }
-
- RuleBasedPermissionResolver instance = (RuleBasedPermissionResolver) Component.getInstance(
- RuleBasedPermissionResolver.class, ScopeType.SESSION);
-
- if (instance == null)
- {
- throw new IllegalStateException("No RuleBasedPermissionResolver could be created");
- }
-
- return instance;
- }
-
- /**
- * If we were authenticated with the JpaIdentityStore, then insert the authenticated
- * UserAccount into the security context.
- */
- @Observer(Identity.EVENT_POST_AUTHENTICATE)
- public void setUserAccountInSecurityContext()
- {
- if (Contexts.isEventContextActive() && Contexts.isSessionContextActive() &&
- Contexts.getEventContext().isSet(JpaIdentityStore.AUTHENTICATED_USER))
- {
- getSecurityContext().insert(Contexts.getEventContext().get(JpaIdentityStore.AUTHENTICATED_USER));
- }
- }
-}
Modified: trunk/src/main/org/jboss/seam/security/management/IdentityStore.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/management/IdentityStore.java 2008-03-13 01:11:48 UTC (rev 7549)
+++ trunk/src/main/org/jboss/seam/security/management/IdentityStore.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -43,12 +43,6 @@
this.features = features;
}
- public FeatureSet addFeature(int feature)
- {
- features |= feature;
- return this;
- }
-
public int getFeatures()
{
return features;
Added: trunk/src/main/org/jboss/seam/security/permission/DynamicPermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/DynamicPermissionResolver.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/DynamicPermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,31 @@
+package org.jboss.seam.security.permission;
+
+import static org.jboss.seam.ScopeType.APPLICATION;
+import static org.jboss.seam.annotations.Install.FRAMEWORK;
+
+import java.io.Serializable;
+
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+
+/**
+ * Resolves permissions dynamically assigned in a persistent store, such as a
+ * database, for example.
+ *
+ * @author Shane Bryzak
+ */
+ at Name("org.jboss.seam.security.dynamicPermissionResolver")
+ at Scope(APPLICATION)
+ at BypassInterceptors
+ at Install(precedence=FRAMEWORK)
+ at Startup
+public class DynamicPermissionResolver implements PermissionResolver, Serializable
+{
+ public boolean hasPermission(Object target, String action)
+ {
+ return true;
+ }
+}
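Review bot: `hasPermission` at the bottom of this hunk still returns `true` for every target and action, and this revision turns the stub into an auto-installed component (`@Name`, `@Install(precedence=FRAMEWORK)`, `@Startup`); since the mapper grants on the first resolver that answers true, any chain this resolver lands in becomes allow-all. Whether `Init` registers it in the default resolver list is not visible here, but a placeholder on an authorization path should fail closed: `return false; // TODO: resolve dynamically assigned permissions from the persistent store`. Alternatively, leave off `@Install`/`@Startup` until the persistent lookup exists so the stub cannot be picked up by name.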
Added: trunk/src/main/org/jboss/seam/security/permission/PermissionCheck.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/PermissionCheck.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/PermissionCheck.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,62 @@
+package org.jboss.seam.security.permission;
+
+/**
+ * Used to assert permission requirements into a WorkingMemory when evaluating
+ * a @Restrict expression. The consequence of the rule is responsible for
+ * granting the permission.
+ *
+ * @author Shane Bryzak
+ */
+public class PermissionCheck
+{
+ private Object target;
+
+ @Deprecated
+ private String name;
+
+ private String action;
+ private boolean granted;
+
+ public PermissionCheck(Object target, String action)
+ {
+ if (target instanceof String)
+ {
+ this.name = (String) target;
+ }
+
+ this.target = target;
+ this.action = action;
+ granted = false;
+ }
+
+ public Object getTarget()
+ {
+ return target;
+ }
+
+ @Deprecated
+ public String getName()
+ {
+ return name;
+ }
+
+ public String getAction()
+ {
+ return action;
+ }
+
+ public void grant()
+ {
+ this.granted = true;
+ }
+
+ public void revoke()
+ {
+ this.granted = false;
+ }
+
+ public boolean isGranted()
+ {
+ return granted;
+ }
+}
Added: trunk/src/main/org/jboss/seam/security/permission/PermissionMapper.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/PermissionMapper.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/PermissionMapper.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,118 @@
+package org.jboss.seam.security.permission;
+
+import static org.jboss.seam.ScopeType.APPLICATION;
+import static org.jboss.seam.annotations.Install.BUILT_IN;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.jboss.seam.Component;
+import org.jboss.seam.ScopeType;
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.contexts.Contexts;
+import org.jboss.seam.core.Init;
+
+/**
+ * Maps permission checks to resolver chains
+ *
+ * @author Shane Bryzak
+ */
+ at Scope(APPLICATION)
+ at Name("org.jboss.seam.security.permissionMapper")
+ at Install(precedence = BUILT_IN)
+ at BypassInterceptors
+ at Startup
+public class PermissionMapper
+{
+ private Map<Class,Map<String,String>> resolverChains = new HashMap<Class,Map<String,String>>();
+
+ private String defaultResolverChain;
+
+ private static final String DEFAULT_RESOLVER_CHAIN = "org.jboss.seam.security.defaultResolverChain";
+
+ private ResolverChain getResolverChain(Object target, String action)
+ {
+ Class targetClass = null;
+
+ if (target instanceof Class)
+ {
+ targetClass = (Class) target;
+ }
+ else
+ {
+ // TODO target may be a component name, or an object, or a view name (or arbitrary name) -
+ // we need to deal with all of these possibilities
+ }
+
+ if (targetClass != null)
+ {
+ Map<String,String> chains = resolverChains.get(target);
+ if (chains != null && chains.containsKey(action))
+ {
+ return (ResolverChain) Component.getInstance(chains.get(action), true);
+ }
+ }
+
+ if (defaultResolverChain != null && !"".equals(defaultResolverChain))
+ {
+ return (ResolverChain) Component.getInstance(defaultResolverChain, true);
+ }
+
+ return createDefaultResolverChain();
+ }
+
+ public boolean resolvePermission(Object target, String action)
+ {
+ ResolverChain chain = getResolverChain(target, action);
+ for (PermissionResolver resolver : chain.getResolvers())
+ {
+ if (resolver.hasPermission(target, action))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private ResolverChain createDefaultResolverChain()
+ {
+ ResolverChain chain = (ResolverChain) Contexts.getSessionContext().get(DEFAULT_RESOLVER_CHAIN);
+
+ if (chain == null)
+ {
+ chain = new ResolverChain();
+
+ for (String resolverName : Init.instance().getPermissionResolvers())
+ {
+ chain.getResolvers().add((PermissionResolver) Component.getInstance(resolverName, true));
+ }
+
+ Contexts.getSessionContext().set(DEFAULT_RESOLVER_CHAIN, chain);
+ }
+
+ return chain;
+ }
+
+ public static PermissionMapper instance()
+ {
+ if ( !Contexts.isApplicationContextActive() )
+ {
+ throw new IllegalStateException("No active application context");
+ }
+
+ PermissionMapper instance = (PermissionMapper) Component.getInstance(
+ PermissionMapper.class, ScopeType.APPLICATION);
+
+ if (instance == null)
+ {
+ throw new IllegalStateException("No PermissionMapper could be created");
+ }
+
+ return instance;
+ }
+}
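Review bot: `resolvePermission` grants as soon as any resolver in the chain returns true, so a single permissive resolver overrides all the others; that contract should be stated on the method so resolver authors know a `true` is final, e.g. `/** Grants if ANY resolver in the chain grants; resolvers must return false when they cannot decide. */`. `createDefaultResolverChain` reads and writes `Contexts.getSessionContext()` from an APPLICATION-scoped component without checking `Contexts.isSessionContextActive()`, so a check made outside a session (timer, asynchronous call) would fail with an exception rather than a clean denial. Also, `getResolverChain` keys the lookup on `target` although `targetClass` was just derived for that purpose; they are the same object here, but `resolverChains.get(targetClass)` makes the intent explicit. Nothing in this hunk populates `resolverChains` or `defaultResolverChain`, so presumably they are configured elsewhere — worth confirming that a mapping cannot be reached before it is set.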
Added: trunk/src/main/org/jboss/seam/security/permission/PermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/PermissionResolver.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/PermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,6 @@
+package org.jboss.seam.security.permission;
+
+public interface PermissionResolver
+{
+ boolean hasPermission(Object target, String action);
+}
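Review bot: `hasPermission` is the extension point every permission decision flows through, yet the interface has no Javadoc saying what `target` may be (the mapper and the rule-based resolver pass a Class, a component name, or an arbitrary object) or that a `true` is final because the chain stops at the first grant. Suggest `/** Decides whether the current subject may perform {@code action} on {@code target}; return false whenever the resolver cannot decide (fail closed). */` so that a stubbed or partially implemented resolver is not silently treated as allow-all.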
Added: trunk/src/main/org/jboss/seam/security/permission/ResolverChain.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/ResolverChain.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/ResolverChain.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,26 @@
+package org.jboss.seam.security.permission;
+
+import static org.jboss.seam.ScopeType.SESSION;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+
+ at Scope(SESSION)
+ at BypassInterceptors
+public class ResolverChain
+{
+ private List<PermissionResolver> resolvers = new ArrayList<PermissionResolver>();
+
+ public List<PermissionResolver> getResolvers()
+ {
+ return resolvers;
+ }
+
+ public void setResolvers(List<PermissionResolver> resolvers)
+ {
+ this.resolvers = resolvers;
+ }
+}
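Review bot: `ResolverChain` is `@Scope(SESSION)` and is also cached in the session context by the mapper, but it does not implement `Serializable`, while the resolvers it holds do (`DynamicPermissionResolver` and `RuleBasedPermissionResolver` both implement it); under session passivation or replication the chain would not survive. `public class ResolverChain implements Serializable` with `java.io.Serializable` imported closes that gap. `getResolvers()` also hands out the live list, so any caller can add to or remove from the authorization chain; the mapper relies on that today, so if it is tightened later an explicit `addResolver` method would make mutation deliberate.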
Added: trunk/src/main/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java
===================================================================
--- trunk/src/main/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java (rev 0)
+++ trunk/src/main/org/jboss/seam/security/permission/RuleBasedPermissionResolver.java 2008-03-13 04:32:39 UTC (rev 7550)
@@ -0,0 +1,247 @@
+package org.jboss.seam.security.permission;
+
+import static org.jboss.seam.ScopeType.SESSION;
+import static org.jboss.seam.annotations.Install.FRAMEWORK;
+
+import java.io.Serializable;
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+
+import org.drools.FactHandle;
+import org.drools.RuleBase;
+import org.drools.StatefulSession;
+import org.drools.base.ClassObjectFilter;
+import org.jboss.seam.Component;
+import org.jboss.seam.ScopeType;
+import org.jboss.seam.Seam;
+import org.jboss.seam.annotations.Create;
+import org.jboss.seam.annotations.Install;
+import org.jboss.seam.annotations.Name;
+import org.jboss.seam.annotations.Observer;
+import org.jboss.seam.annotations.Scope;
+import org.jboss.seam.annotations.Startup;
+import org.jboss.seam.annotations.intercept.BypassInterceptors;
+import org.jboss.seam.contexts.Contexts;
+import org.jboss.seam.log.LogProvider;
+import org.jboss.seam.log.Logging;
+import org.jboss.seam.security.Identity;
+import org.jboss.seam.security.Role;
+import org.jboss.seam.security.management.JpaIdentityStore;
+
+ at Name("org.jboss.seam.security.ruleBasedPermissionResolver")
+ at Scope(SESSION)
+ at BypassInterceptors
+ at Install(precedence=FRAMEWORK, classDependencies="org.drools.WorkingMemory")
+ at Startup
+public class RuleBasedPermissionResolver implements PermissionResolver, Serializable
+{
+ public static final String RULES_COMPONENT_NAME = "securityRules";
+
+ private static final LogProvider log = Logging.getLogProvider(RuleBasedPermissionResolver.class);
+
+ private StatefulSession securityContext;
+
+ private RuleBase securityRules;
+
+ @Create
+ public boolean create()
+ {
+ initSecurityContext();
+ return getSecurityContext() != null;
+ }
+
+ protected void initSecurityContext()
+ {
+ if (getSecurityRules() == null)
+ {
+ setSecurityRules((RuleBase) Component.getInstance(RULES_COMPONENT_NAME, true));
+ }
+
+ if (getSecurityRules() != null)
+ {
+ setSecurityContext(getSecurityRules().newStatefulSession(false));
+ }
+
+ if (getSecurityContext() == null)
+ {
+ log.warn("no security rule base available - please install a RuleBase with the name '" +
+ RULES_COMPONENT_NAME + "' if permission checks are required.");
+ }
+ }
+
+ @Observer(Identity.EVENT_POST_AUTHENTICATE)
+ public void postAuthenticate()
+ {
+ if (getSecurityContext() != null)
+ {
+ getSecurityContext().insert(Identity.instance().getPrincipal());
+ }
+ }
+
+ /**
+ * Performs a permission check for the specified name and action
+ *
+ * @param target Object The target of the permission check
+ * @param action String The action to be performed on the target
+ * @return boolean True if the user has the specified permission
+ */
+ public boolean hasPermission(Object target, String action)
+ {
+ StatefulSession securityContext = getSecurityContext();
+
+ if (securityContext == null) return false;
+
+ List<FactHandle> handles = new ArrayList<FactHandle>();
+
+ if (!(target instanceof String) && !(target instanceof Class))
+ {
+ handles.add( securityContext.insert(target) );
+ }
+
+ if (target instanceof Class)
+ {
+ String componentName = Seam.getComponentName((Class) target);
+ target = componentName != null ? componentName : ((Class) target).getName();
+ }
+
+ PermissionCheck check = new PermissionCheck(target, action);
+
+ synchronized( securityContext )
+ {
+ synchronizeContext();
+
+ handles.add( securityContext.insert(check) );
+
+ securityContext.fireAllRules();
+
+ for (FactHandle handle : handles)
+ securityContext.retract(handle);
+ }
+
+ return check.isGranted();
+ }
+
+ @SuppressWarnings("unchecked")
+ @Observer(Identity.EVENT_LOGGED_OUT)
+ public void unAuthenticate()
+ {
+ if (getSecurityContext() != null)
+ {
+ getSecurityContext().dispose();
+ setSecurityContext(null);
+ }
+ initSecurityContext();
+ }
+
+ /**
+ * Synchronises the state of the security context with that of the subject
+ */
+ private void synchronizeContext()
+ {
+ Identity identity = Identity.instance();
+
+ getSecurityContext().insert(identity.getPrincipal());
+
+ if (getSecurityContext() != null)
+ {
+ for ( Group sg : identity.getSubject().getPrincipals(Group.class) )
+ {
+ if ( Identity.ROLES_GROUP.equals( sg.getName() ) )
+ {
+ Enumeration e = sg.members();
+ while (e.hasMoreElements())
+ {
+ Principal role = (Principal) e.nextElement();
+
+ boolean found = false;
+ Iterator<Role> iter = getSecurityContext().iterateObjects(new ClassObjectFilter(Role.class));
+ while (iter.hasNext())
+ {
+ Role r = iter.next();
+ if (r.getName().equals(role.getName()))
+ {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found)
+ {
+ getSecurityContext().insert(new Role(role.getName()));
+ }
+
+ }
+ }
+ }
+
+ Iterator<Role> iter = getSecurityContext().iterateObjects(new ClassObjectFilter(Role.class));
+ while (iter.hasNext())
+ {
+ Role r = iter.next();
+ if (!identity.hasRole(r.getName()))
+ {
+ FactHandle fh = getSecurityContext().getFactHandle(r);
+ getSecurityContext().retract(fh);
+ }
+ }
+ }
+ }
+
+
+ public StatefulSession getSecurityContext()
+ {
+ return securityContext;
+ }
+
+ public void setSecurityContext(StatefulSession securityContext)
+ {
+ this.securityContext = securityContext;
+ }
+
+
+ public RuleBase getSecurityRules()
+ {
+ return securityRules;
+ }
+
+ public void setSecurityRules(RuleBase securityRules)
+ {
+ this.securityRules = securityRules;
+ }
+
+ public static RuleBasedPermissionResolver instance()
+ {
+ if ( !Contexts.isSessionContextActive() )
+ {
+ throw new IllegalStateException("No active session context");
+ }
+
+ RuleBasedPermissionResolver instance = (RuleBasedPermissionResolver) Component.getInstance(
+ RuleBasedPermissionResolver.class, ScopeType.SESSION);
+
+ if (instance == null)
+ {
+ throw new IllegalStateException("No RuleBasedPermissionResolver could be created");
+ }
+
+ return instance;
+ }
+
+ /**
+ * If we were authenticated with the JpaIdentityStore, then insert the authenticated
+ * UserAccount into the security context.
+ */
+ @Observer(Identity.EVENT_POST_AUTHENTICATE)
+ public void setUserAccountInSecurityContext()
+ {
+ if (Contexts.isEventContextActive() && Contexts.isSessionContextActive() &&
+ Contexts.getEventContext().isSet(JpaIdentityStore.AUTHENTICATED_USER))
+ {
+ getSecurityContext().insert(Contexts.getEventContext().get(JpaIdentityStore.AUTHENTICATED_USER));
+ }
+ }
+}
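Review bot: `synchronizeContext` reconciles Role facts against the current `Identity` but never retracts a previously inserted `Principal` (nor the `UserAccount` inserted by `setUserAccountInSecurityContext`), so if a session re-authenticates as a different user without an `EVENT_LOGGED_OUT` in between, the earlier user's principal fact stays in the stateful session and rules keyed on it can still grant. Retracting stale Principal facts in the same loop that retracts stale Roles, or disposing and recreating the session in `postAuthenticate`, would keep the working memory bound to exactly one subject. Two smaller points in the same hunk: `synchronizeContext` calls `getSecurityContext().insert(identity.getPrincipal())` on the line before its own `getSecurityContext() != null` guard, so the guard protects nothing, and `setUserAccountInSecurityContext` dereferences `getSecurityContext()` with no null check, which throws when no `securityRules` rule base is installed — a configuration `initSecurityContext` explicitly warns about rather than rejects.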