Author: sohil.shah(a)jboss.com
Date: 2009-01-27 04:24:27 -0500 (Tue, 27 Jan 2009)
New Revision: 12655
Added:
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
Removed:
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/hierarchial/
Modified:
modules/authorization/trunk/
modules/authorization/trunk/.classpath
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/subject/Identity.java
modules/authorization/trunk/http-authz/pom.xml
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
Log:
starting to mold security provisioning code into a component/profile oriented approach
Property changes on: modules/authorization/trunk
___________________________________________________________________
Name: svn:ignore
+ bin
Modified: modules/authorization/trunk/.classpath
===================================================================
--- modules/authorization/trunk/.classpath 2009-01-26 22:47:49 UTC (rev 12654)
+++ modules/authorization/trunk/.classpath 2009-01-27 09:24:27 UTC (rev 12655)
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<classpath>
+<classpath>
<classpathentry kind="src" path="common/src/main/java"/>
<classpathentry kind="src" path="common/src/main/resources"/>
<classpathentry kind="src" path="common/src/test/java"/>
@@ -16,39 +16,22 @@
<classpathentry kind="src"
path="http-authz/src/main/resources"/>
<classpathentry kind="src" path="http-authz/src/test/java"/>
<classpathentry kind="src"
path="http-authz/src/test/resources"/>
- <classpathentry kind="src"
path="security-console/ejb/src/main/java"/>
<classpathentry kind="con"
path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
- <classpathentry kind="output" path="classes"/>
- <classpathentry kind="var"
path="M2_REPO/antlr/antlr/2.7.6/antlr-2.7.6.jar"/>
<classpathentry kind="var"
path="M2_REPO/asm/asm/1.5.3/asm-1.5.3.jar"/>
- <classpathentry kind="var"
path="M2_REPO/asm/asm-attrs/1.5.3/asm-attrs-1.5.3.jar"/>
<classpathentry kind="var"
path="M2_REPO/cglib/cglib/2.1_3/cglib-2.1_3.jar"/>
- <classpathentry kind="var"
path="M2_REPO/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar"/>
- <classpathentry kind="var"
path="M2_REPO/commons-collections/commons-collections/2.1.1/commons-collections-2.1.1.jar"/>
- <classpathentry kind="var"
path="M2_REPO/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar"/>
- <classpathentry kind="var"
path="M2_REPO/dom4j/dom4j/1.6.1-jboss/dom4j-1.6.1-jboss.jar"/>
- <classpathentry kind="var"
path="M2_REPO/net/sf/ehcache/ehcache/1.2.3/ehcache-1.2.3.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javax/ejb/ejb-api/3.0/ejb-api-3.0.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javax/el/el-api/1.0/el-api-1.0.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/hibernate/hibernate/3.2.4.sp1/hibernate-3.2.4.sp1.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/hibernate/hibernate-validator/3.0.0.GA/hibernate-validator-3.0.0.GA.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javassist/javassist/3.3.GA/javassist-3.3.GA.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/el/jboss-el/2.0.1.GA/jboss-el-2.0.1.GA.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/seam/jboss-seam/2.0.2.SP1/jboss-seam-2.0.2.SP1.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/seam/jboss-seam-ui/2.0.2.SP1/jboss-seam-ui-2.0.2.SP1.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javax/faces/jsf-api/1.2_04-p02/jsf-api-1.2_04-p02.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javax/transaction/jta/1.0.1B/jta-1.0.1B.jar"/>
- <classpathentry kind="var"
path="M2_REPO/javax/persistence/persistence-api/1.0/persistence-api-1.0.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar"/>
<classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-api/2.1.4/jaxb-api-2.1.4.jar"/>
- <classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-impl/2.1.4/jaxb-impl-2.1.4.jar"/>
- <classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-xjc/2.1.4/jaxb-xjc-2.1.4.jar"/>
- <classpathentry kind="var"
path="M2_REPO/junit/junit/3.8.2/junit-3.8.2.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT-sources.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT-sources.jar"/>
- <classpathentry kind="var"
path="M2_REPO/apache-log4j/log4j/1.2.14/log4j-1.2.14.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/drools/drools-core/4.0.7/drools-core-4.0.7.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/drools/drools-compiler/4.0.7/drools-compiler-4.0.7.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/microcontainer/jboss-kernel/2.0.2.GA/jboss-kernel-2.0.2.GA.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/microcontainer/jboss-dependency/2.0.2.GA/jboss-dependency-2.0.2.GA.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/jboss-common-core/2.2.9.GA/jboss-common-core-2.2.9.GA.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-impl/2.1.4/jaxb-impl-2.1.4.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-xjc/2.1.4/jaxb-xjc-2.1.4.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/junit/junit/3.8.2/junit-3.8.2.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT-sources.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT-sources.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/apache-log4j/log4j/1.2.14/log4j-1.2.14.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/drools/drools-core/4.0.7/drools-core-4.0.7.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/drools/drools-compiler/4.0.7/drools-compiler-4.0.7.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/microcontainer/jboss-kernel/2.0.2.GA/jboss-kernel-2.0.2.GA.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/microcontainer/jboss-dependency/2.0.2.GA/jboss-dependency-2.0.2.GA.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/jboss-common-core/2.2.9.GA/jboss-common-core-2.2.9.GA.jar"/>
+ <classpathentry kind="output" path="bin"/>
</classpath>
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java 2009-01-26
22:47:49 UTC (rev 12654)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java 2009-01-27
09:24:27 UTC (rev 12655)
@@ -30,14 +30,12 @@
import javax.xml.bind.JAXBElement;
-import org.jboss.security.authz.model.ExpressionBuilder;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.PolicyException;
import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.model.Expression;
import org.jboss.security.authz.xacml.AttributeDesignatorUtil;
@@ -86,14 +84,7 @@
public HierarchialPolicy(String policyUri, Target target, Set<Rule> rules)
throws PolicyException
{
- super(policyUri, target, rules);
-
- //Validate the state of the data
- //Make sure there is only one ResourceMatch specified
- if(target.getResourceMatches() == null || target.getResourceMatches().size()>1)
- {
- throw new PolicyException("The HierarchialPolicy type requires there is
exactly one match specified for a Resource inside the Policy definition");
- }
+ super(policyUri, target, rules);
}
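Review bot: The deleted check at the top of the constructor was the only place that rejected a Target with no resource match, and nothing in the new constructor body takes its place, so `new HierarchialPolicy(uri, new Target(), rules)` is now accepted as-is. An XACML target with no matches applies to every request, so a caller that constructs a policy and then forgets to populate the target (HttpPolicyConfig in this same commit builds policies exactly this way and fills the target afterwards) would end up with a policy that presumably matches all resources — how the superclass serialises an empty Target is not visible here, so please confirm. Because the construct-then-populate flow makes a constructor check impractical, the guard belongs where the policy is serialised; I'd add `if (target == null || target.getResourceMatches() == null || target.getResourceMatches().isEmpty()) throw new PolicyException("HierarchialPolicy requires at least one resource match");` in generateXACMLPolicy (or a validate() it calls), and a Javadoc note on the constructor that several resource matches are now permitted and are conjunctive. The rest of the class is outside this hunk.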
@@ -289,325 +280,5 @@
private String generateUniqueId()
{
return UUID.randomUUID().toString();
- }
- //---------A Developer Friendly API for generating Hierarchial
Policies-------------------------------------------------------------------------------------------------------------------------
- /**
- * Specifies that this Hierarchial Policy should be applied the specified Resource
identified by the Unique Resource Uri
- *
- * @param resourceUri Unique identifier for the Resource being protected by this
Hierarchial Policy
- */
- public void setResourceCriteria(String resourceUri)
- {
- if(resourceUri == null || resourceUri.trim().length() == 0)
- {
- throw new IllegalArgumentException("Resource Criteria cannot be
Empty");
- }
-
- Target target = new Target();
-
target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression(resourceUri));
- this.target = target;
- }
-
- /**
- * Specifies that this Hierarchial Policy should be applied the specified Resource
identified by the Unique Resource Uri And the other
- * Attribute Data associated with this Resource, such as Http Parameters in the case
of an Http Request Resource
- *
- * @param resourceUri Unique identifier for the Resource being protected by this
Hierarchial Policy
- * @param otherResourceCriteria Other Attribute Data associated with this Resource
which should match as well for the Policy to apply
- */
- public void setResourceCriteria(String resourceUri, List<Attribute>
otherResourceCriteria)
- {
- if(resourceUri == null || resourceUri.trim().length() == 0)
- {
- throw new IllegalArgumentException("Resource Criteria cannot be
Empty");
- }
-
- if(otherResourceCriteria == null)
- {
- throw new IllegalArgumentException("Other Criteria cannot be Null");
- }
-
- Target target = new Target();
-
target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression(resourceUri));
-
- for(Attribute attribute: otherResourceCriteria)
- {
- target.addResourceMatch(ExpressionBuilder.getInstance().
- createCustomResourceExpression(attribute.getUri(), attribute.getValue()));
- }
-
- this.target = target;
- }
-
- /**
- * Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should be allowed
- * to execute this "Action" on the Resource protected by this Policy
instance
- *
- * @param action Action for which this Rule applies
- * @param role the Role that is permitted to execute this Action
- */
- public void setPermitCriteria(String action, String role)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
- if(role == null || role.trim().length()==0)
- {
- throw new IllegalArgumentException("Role cannot be Empty");
- }
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.PERMIT);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a Subject Match Function
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that says the specified "Role" should be allowed
to access the "Resource" protected by this Policy
- *
- * @param role the Role that is permitted to access the Resource
- */
- public void setPermitCriteria(String role)
- {
- if(role == null || role.trim().length()==0)
- {
- throw new IllegalArgumentException("Role cannot be Empty");
- }
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(this.generateUniqueId());
- permitRule.setEffect(Effect.PERMIT);
- permitRule.setTarget(ruleTarget);
-
- //Create a Subject Match Function
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should *NOT* be allowed
- * to execute this "Action" on the Resource protected by this Policy
instance
- *
- * @param action Action for which this Rule applies
- * @param role the Role that is *NOT* permitted to execute this Action
- */
- public void setDenyCriteria(String action, String role)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
- if(role == null || role.trim().length()==0)
- {
- throw new IllegalArgumentException("Role cannot be Empty");
- }
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.DENY);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a Subject Match Function
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that says the specified "Role" should be *Not* be
allowed to access the "Resource" protected by this Policy
- *
- * @param role the Role that is *NOT* allowed to access the Resource
- */
- public void setDenyCriteria(String role)
- {
- if(role == null || role.trim().length()==0)
- {
- throw new IllegalArgumentException("Role cannot be Empty");
- }
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(this.generateUniqueId());
- permitRule.setEffect(Effect.DENY);
- permitRule.setTarget(ruleTarget);
-
- //Create a Subject Match Function
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that must be applied to the specified "Action"
such that the Authenticated User will be permitted to
- * execute it if he/she belongs to any of the specified "Roles"
- *
- * @param action Action for which this Rule applies
- * @param roles a list of permitted roles for this Action
- */
- public void setPermitCriteria(String action, String[] roles)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
-
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.PERMIT);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a Subject Match Function
- if(roles != null)
- {
- for(int i=0; i<roles.length; i++)
- {
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(roles[i]));
- }
- }
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that must be applied to the specified "Action"
such that the Authenticated User will *NOT* be permitted to
- * execute it if he/she belongs to any of the specified "Roles"
- *
- * @param action Action for which this Rule applies
- * @param roles a list of roles that must *NOT* be allowed to execute for this Action
- */
- public void setDenyCriteria(String action, String[] roles)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
-
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.DENY);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a Subject Match Function
- if(roles != null)
- {
- for(int i=0; i<roles.length; i++)
- {
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(roles[i]));
- }
- }
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that mush be applied to the specified "Action"
such that the specified Drools based Rule expression evaluates to
- * a "PERMIT" result. The Expression will work on arbitrary data specified
as Attributes within the Context of this particular Authorization Request
- *
- * @param action Action for which this Rule applies
- * @param ruleExpression A Drools based Rule Expression
- */
- public void setPermitCriteria(String action, DroolsRuleExpression ruleExpression)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
- if(ruleExpression == null)
- {
- throw new IllegalArgumentException("RuleExpression cannot be Empty");
- }
-
- //TODO: Add the Drools Rule to the Drools Rule Repository
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.PERMIT);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a pointer to the new Rule
- permitRule.setExpression(ruleExpression);
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
-
- /**
- * Specifies a Policy Rule that mush be applied to the specified "Action"
such that the specified Drools based Rule expression evaluates to
- * a "DENY" result. The Expression will work on arbitrary data specified as
Attributes within the Context of this particular Authorization Request
- *
- * @param action Action for which this Rule applies
- * @param ruleExpression A Drools based Rule Expression
- */
- public void setDenyCriteria(String action, DroolsRuleExpression ruleExpression)
- {
- if(action == null || action.trim().length()==0)
- {
- throw new IllegalArgumentException("Action cannot be Empty");
- }
- if(ruleExpression == null)
- {
- throw new IllegalArgumentException("RuleExpression cannot be Empty");
- }
-
- //TODO: Add the Drools Rule to the Drools Rule Repository
-
- Rule permitRule = new Rule();
- Target ruleTarget = new Target();
-
- permitRule.setRuleId(action);
- permitRule.setEffect(Effect.DENY);
- permitRule.setTarget(ruleTarget);
-
- //Create an Action Match Function
-
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
-
- //Create a pointer to the new Rule
- permitRule.setExpression(ruleExpression);
-
- //Add the Rule to the Policy
- this.rules.add(permitRule);
- }
+ }
}
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-01-26
22:47:49 UTC (rev 12654)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-01-27
09:24:27 UTC (rev 12655)
@@ -22,14 +22,18 @@
******************************************************************************/
package org.jboss.security.authz.components.resource;
-import java.net.URL;
import java.util.Map;
import java.util.HashMap;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Set;
-import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.ExpressionBuilder;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.tools.GeneralTool;
/**
* The HttpResource Policy Component represents a System Resource available via the HTTP
Protocol
@@ -45,14 +49,14 @@
/**
* The URL that identifies this resource
*/
- private URL url;
+ private String url;
/**
* The HTTP Parameters that are used to access this resource
*/
private Map<String, String> parameters;
- public HttpResource(URL url)
+ public HttpResource(String url)
{
if(url == null)
{
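Review bot: Changing the field and constructor parameter from `URL` to `String` drops the syntactic validation `java.net.URL` used to perform, and the only guard visible in this hunk is `if(url == null)`, so a blank or un-normalised value (`""`, `" /x"`, `/portal/../admin-tool`) is accepted and flows into the resource-id match — presumably still a string-equality function, since the code removed further down used FUNCTION_STRING_EQUAL. I'd widen the check to `if(url == null || url.trim().length() == 0)` and document on the field that the match is an exact string comparison, so whoever builds the request context is responsible for normalising the request URI the same way the policy was written. The constructor body continues past the end of this hunk, so there may be further validation I can't see.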
@@ -75,13 +79,13 @@
}
- public URL getUrl()
+ public String getUrl()
{
return url;
}
- public void setUrl(URL url)
+ public void setUrl(String url)
{
this.url = url;
}
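Review bot: `setUrl(String url)` stores its argument with no null check, while the constructor rejects null, so an instance can be put into a state that only `createURLExpression` later notices. If the setter is needed at all (the field is otherwise write-once from the constructor), I'd mirror the constructor guard: `if(url == null) throw new IllegalArgumentException("url cannot be null");`.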
@@ -94,6 +98,11 @@
}
this.parameters.put(name, value);
}
+
+ public boolean hasParameters()
+ {
+ return (this.parameters != null && !this.parameters.isEmpty());
+ }
//------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
* Creates an expression for matching the URL of the HttpResource
@@ -107,15 +116,7 @@
throw new IllegalStateException("Http URL cannot be Empty");
}
- AttributeExpression expression = new AttributeExpression();
-
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
-
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_RESOURCE_ID,
- XMLSchemaConstants.DATATYPE_STRING, this.url.toString());
- expression.setAttribute(attribute);
-
- return expression;
+ return ExpressionBuilder.getInstance().createResourceIdExpression(this.url);
}
/**
@@ -123,16 +124,81 @@
*
* @return the desired expression
*/
- public AttributeExpression createURLWithParametersExpression()
+ public List<AttributeExpression> createURLWithParametersExpression()
{
- AttributeExpression expression = new AttributeExpression();
+ List<AttributeExpression> expressions = new
ArrayList<AttributeExpression>();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
-
- Attribute attribute = new
Attribute(XACMLConstants.ATTRIBUTEID_AUTHENTICATION_METHOD,
- XMLSchemaConstants.DATATYPE_STRING, this.authenticationMethod);
- expression.setAttribute(attribute);
-
- return expression;
+ expressions.add(this.createURLExpression());
+ if(this.parameters != null)
+ {
+ Set<String> names = this.parameters.keySet();
+ for(String name: names)
+ {
+ String value = this.parameters.get(name);
+
+ AttributeExpression expression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ expressions.add(expression);
+ }
+ }
+
+ return expressions;
}
+
+ /**
+ * Creates a Policy Rule suggesting the specified 'Roles' are permitted access
to the 'Resource' designated in the Policy
+ *
+ * @param roles that must be allowed access to the 'Resource' in question in
the Policy
+ * @return the rules
+ */
+ public Rule createPermittedRolesRule(String[] roles)
+ {
+ if(roles == null || roles.length == 0)
+ {
+ throw new IllegalArgumentException("Roles must be specified!!");
+ }
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(GeneralTool.generateUniqueId());
+ permitRule.setEffect(Effect.PERMIT);
+ permitRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+ for(String role: roles)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+ }
+
+ return permitRule;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the specified 'Roles' are denied access to
the 'Resource' designated in the Policy
+ *
+ * @param roles that must be denied access to the 'Resource' in question in
the Policy
+ * @return the rules
+ */
+ public Rule createDeniedRolesRule(String[] roles)
+ {
+ if(roles == null || roles.length == 0)
+ {
+ throw new IllegalArgumentException("Roles must be specified!!");
+ }
+
+ Rule denyRule = new Rule();
+ Target ruleTarget = new Target();
+
+ denyRule.setRuleId(GeneralTool.generateUniqueId());
+ denyRule.setEffect(Effect.DENY);
+ denyRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+ for(String role: roles)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+ }
+
+ return denyRule;
+ }
}
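Review bot: `createPermittedRolesRule` and `createDeniedRolesRule` add every role as a subject match on a single `Target`, and whether that means "any of these roles" (the Javadoc's reading) or "all of these roles" depends on how `Target.addSubjectMatch` serialises — in XACML, matches inside one `<Subject>` are conjunctive while separate `<Subject>` elements are disjunctive. If it is the conjunctive form, the deny rule the new test builds from `{"anonymous", "user"}` only fires for a principal holding both roles and the permit rule only for someone in both admin roles, which silently inverts the intent; please confirm against Target/ExpressionBuilder and state the semantics in both Javadocs. Separately, the per-role validation that the deleted `setPermitCriteria(String, String)` performed is gone: the loop passes each element straight to `createBelongsToRoleExpression`, so `if(role == null || role.trim().length()==0) throw new IllegalArgumentException("Role cannot be Empty");` inside the loop would restore it. The two `@return the rules` tags should read `@return the rule`, since each method returns a single `Rule`.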
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/subject/Identity.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/subject/Identity.java 2009-01-26
22:47:49 UTC (rev 12654)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/subject/Identity.java 2009-01-27
09:24:27 UTC (rev 12655)
@@ -24,6 +24,8 @@
import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.ExpressionBuilder;
+
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
@@ -83,16 +85,8 @@
* @return an expression that will be used within the Policy Definition
*/
public AttributeExpression createIdentityExpression()
- {
- AttributeExpression expression = new AttributeExpression();
-
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
-
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_SUBJECT_ID,
- XMLSchemaConstants.DATATYPE_STRING, this.name);
- expression.setAttribute(attribute);
-
- return expression;
+ {
+ return ExpressionBuilder.getInstance().createIdentityExpression(this.name);
}
/**
Modified: modules/authorization/trunk/http-authz/pom.xml
===================================================================
--- modules/authorization/trunk/http-authz/pom.xml 2009-01-26 22:47:49 UTC (rev 12654)
+++ modules/authorization/trunk/http-authz/pom.xml 2009-01-27 09:24:27 UTC (rev 12655)
@@ -52,9 +52,8 @@
<version>2.3.1</version>
<configuration>
<includes>
- <!--
- <include>**/TestHttpPolicyConfig.java</include>
- -->
+ <include>**/TestHttpResource.java</include>
+ <include>**/TestHttpPolicyConfig.java</include>
</includes>
</configuration>
</plugin>
Modified:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-26
22:47:49 UTC (rev 12654)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-27
09:24:27 UTC (rev 12655)
@@ -28,6 +28,8 @@
import java.util.List;
import java.util.ArrayList;
import java.util.UUID;
+import java.util.Set;
+import java.util.HashSet;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +45,8 @@
import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.pap.policy.HierarchialPolicy;
import org.jboss.security.authz.pap.spi.PolicyConfig;
@@ -82,7 +86,9 @@
{
Element aclRuleElem = (Element)aclRules.item(i);
String policyUri = aclRuleElem.getAttribute("id");
- Policy policy = new HierarchialPolicy(policyUri);
+ Target target = new Target();
+ Set<Rule> rules = new HashSet<Rule>();
+ Policy policy = new HierarchialPolicy(policyUri, target, rules);
this.parseTarget((HierarchialPolicy)policy, aclRuleElem);
this.parseRules((HierarchialPolicy)policy, aclRuleElem);
@@ -113,13 +119,13 @@
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
private void parseTarget(HierarchialPolicy policy, Element aclRuleElem) throws
Exception
- {
+ {
Element resourceElem =
(Element)aclRuleElem.getElementsByTagName("resource").item(0);
Element requestUriElem =
(Element)aclRuleElem.getElementsByTagName("request-uri").item(0);
//Add RequestUri as a Resource To Match
String requestUri = requestUriElem.getTextContent();
- List<Attribute> otherCriteria = new ArrayList<Attribute>();
+ HttpResource httpResource = new HttpResource(requestUri);
//Process Parameters
NodeList parameters = resourceElem.getElementsByTagName("param");
@@ -132,21 +138,21 @@
String name =
((Element)parameter.getElementsByTagName("name").item(0)).getTextContent();
String value =
((Element)parameter.getElementsByTagName("value").item(0)).getTextContent();
- Attribute cour = new Attribute();
- cour.setUri(name);
- cour.setValue(value);
-
- otherCriteria.add(cour);
+ httpResource.addParameter(name, value);
}
- }
+ }
- if(!otherCriteria.isEmpty())
+ if(httpResource.hasParameters())
{
- policy.setResourceCriteria(requestUri, otherCriteria);
+ List<AttributeExpression> exprs =
httpResource.createURLWithParametersExpression();
+ for(AttributeExpression expr: exprs)
+ {
+ policy.getTarget().addResourceMatch(expr);
+ }
}
else
{
- policy.setResourceCriteria(requestUri);
+ policy.getTarget().addResourceMatch(httpResource.createURLExpression());
}
}
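Review bot: Replacing the `List<Attribute>` with `httpResource.addParameter(name, value)` changes the semantics of repeated `<param>` names: HttpResource keeps parameters in a `Map<String, String>`, so a second `<param>` with the same name overwrites the first instead of adding a second conjunctive match the way `otherCriteria.add(cour)` did, and the resulting policy is looser than the XML says without any error. I'd either reject duplicates here — something like `if(httpResource.hasParameter(name)) throw new IllegalArgumentException("duplicate param: " + name);`, using whatever accessor the resource exposes — or document that parameter names must be unique per resource. Also worth noting that `requestUri` comes from `getTextContent()` unchecked and the HttpResource constructor in this commit only rejects null, so an empty `<request-uri/>` would reach the policy as an empty resource-id match.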
@@ -181,9 +187,7 @@
for(int j=0, length=roleNodes.getLength(); j<length; j++)
{
Element roleNameElem = (Element)roleNodes.item(j);
- String roleName = roleNameElem.getTextContent();
-
- policy.setPermitCriteria(roleName);
+ String roleName = roleNameElem.getTextContent();
}
}
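Review bot: The `policy.setPermitCriteria(roleName)` call is deleted but nothing replaces it, so `roleName` is now a dead local and the roles listed in the ACL XML no longer produce any rule — the policy built by the caller keeps the empty `HashSet<Rule>` it was constructed with. For an authorization policy that is a silent loss of the permit decisions the configuration expresses: a policy whose target matches but which has no rules presumably yields NotApplicable under the standard rule-combining algorithms, and whether the PEP then denies or falls through is not visible here. If this is intentional mid-refactor state, a `// TODO: build a permit rule from the role names (see HttpResource.createPermittedRolesRule)` on the dead assignment, plus a failing test, would make that explicit; otherwise the role names should be collected and turned into a rule, e.g. `createPermittedRolesRule(roleNames.toArray(new String[0]))` on the resource built in parseTarget. The enclosing method starts before this hunk.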
Added:
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
(rev 0)
+++
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java 2009-01-27
09:24:27 UTC (rev 12655)
@@ -0,0 +1,112 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.http.pap;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.pap.policy.HierarchialPolicy;
+
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestHttpResource extends TestCase
+{
+ private static Logger log = Logger.getLogger(TestHttpResource.class);
+
+ public void testCreateURLExpression() throws Exception
+ {
+ HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
+
+ AttributeExpression urlExpression = httpResource.createURLExpression();
+ Target target = new Target();
+ target.addResourceMatch(urlExpression);
+
+ Policy policy = new HierarchialPolicy("testCreateURLExpression", target, new
HashSet<Rule>());
+
+ log.info("------------------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ }
+
+ public void testCreateURLWithParametersExpression() throws Exception
+ {
+ HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
+ httpResource.addParameter("test1", "test1://value");
+ httpResource.addParameter("test2", "test2://value");
+
+
+ List<AttributeExpression> parameterExpressions =
httpResource.createURLWithParametersExpression();
+ Target target = new Target();
+ for(AttributeExpression expression: parameterExpressions)
+ {
+ target.addResourceMatch(expression);
+ }
+
+ Policy policy = new
HierarchialPolicy("testCreateURLWithParametersExpression", target, new
HashSet<Rule>());
+
+ log.info("------------------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ }
+
+ public void testRoleRules() throws Exception
+ {
+ HttpResource httpResource = new
HttpResource("/portal/admin-tool/modifyLayout");
+ httpResource.addParameter("test1", "test1://value");
+ httpResource.addParameter("test2", "test2://value");
+
+ //Resource expression
+ List<AttributeExpression> parameterExpressions =
httpResource.createURLWithParametersExpression();
+ Target target = new Target();
+ for(AttributeExpression expression: parameterExpressions)
+ {
+ target.addResourceMatch(expression);
+ }
+
+ //Role rule
+ Set<Rule> rules = new HashSet<Rule>();
+
+ //Permit rule
+ Rule permittedRoles = httpResource.createPermittedRolesRule(new
String[]{"admin1", "admin2"});
+ rules.add(permittedRoles);
+
+ //Deny rule
+ Rule deniedRoles = httpResource.createDeniedRolesRule(new
String[]{"anonymous", "user"});
+ rules.add(deniedRoles);
+
+
+ Policy policy = new HierarchialPolicy("testRoleRules", target, rules);
+
+ log.info("------------------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ }
+}
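Review bot: None of the three tests asserts anything — each builds a policy and logs `generateXACMLPolicy()` — so they pass whatever the generated XACML contains and would not catch the permit/deny semantics question the new rule builders raise. I'd capture the output and assert on it, e.g. `String xacml = policy.generateXACMLPolicy(); assertTrue(xacml.contains("admin1")); assertTrue(xacml.contains("anonymous"));` in testRoleRules, plus a negative assertion in testCreateURLExpression that the URL-only policy contains neither `test1` nor `test2`. The test also lives in http-authz but exercises `HttpResource` from the common module; if common has its own test tree that is the more natural home.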