Author: sohil.shah(a)jboss.com
Date: 2009-04-05 10:58:26 -0400 (Sun, 05 Apr 2009)
New Revision: 13151
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Delete.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Head.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Options.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Put.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Trace.java
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/testwithparams.html
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/model/AttributeExpression.java
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/test/MockPolicy.java
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
Log:
http security profile integration via a servlet filter
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/model/AttributeExpression.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/model/AttributeExpression.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/model/AttributeExpression.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -32,6 +32,7 @@
{
private String functionId = null;
private Attribute attribute = null;
+ private boolean designatorMustBePresent = true; //mustbepresent by default
public AttributeExpression()
{
@@ -72,5 +73,23 @@
public void setFunctionId(String functionId)
{
this.functionId = functionId;
- }
+ }
+
+ /**
+ *
+ * @return
+ */
+ public boolean designatorMustBePresent()
+ {
+ return designatorMustBePresent;
+ }
+
+ /**
+ *
+ * @param designatorMustBePresent
+ */
+ public void setDesignatorMustBePresent(boolean designatorMustBePresent)
+ {
+ this.designatorMustBePresent = designatorMustBePresent;
+ }
}
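Review bot: The Javadoc added for `designatorMustBePresent()` and `setDesignatorMustBePresent(boolean)` is empty (`@return` and `@param` carry no text), so the one flag in this class that changes how an absent attribute is judged is undocumented. Suggest, on the getter, `/** Whether the XACML AttributeDesignator built from this expression is emitted with MustBePresent set. In XACML terms, true makes a request lacking the attribute evaluate to Indeterminate, false lets it yield an empty bag so the match simply does not apply. Defaults to true. @return the MustBePresent flag */` and a matching one-sentence `@param designatorMustBePresent` on the setter. The getter also lacks the bean `is` prefix, so anything introspecting this model for `isDesignatorMustBePresent()` will not find it; an alias is cheap if the model is ever reflected over.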
Modified:
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java
===================================================================
---
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/common-api/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -43,7 +43,7 @@
* @param attribute
* @return
*/
- public static AttributeDesignatorType getAttributeDesignator(Attribute attribute)
+ public static AttributeDesignatorType getAttributeDesignator(Attribute attribute,
boolean mustBePresent)
{
AttributeDesignatorType attributeDesignator = null;
@@ -57,11 +57,11 @@
)
{
attributeDesignator =
PolicyAttributeFactory.createSubjectAttributeDesignatorType(attribute.getUri(),
- attribute.getDatatType(), null, true, null);
+ attribute.getDatatType(), null, mustBePresent, null);
}
else
{
- attributeDesignator =
PolicyAttributeFactory.createAttributeDesignatorType(attribute.getUri(),
attribute.getDatatType(), null, true);
+ attributeDesignator =
PolicyAttributeFactory.createAttributeDesignatorType(attribute.getUri(),
attribute.getDatatType(), null, mustBePresent);
}
return attributeDesignator;
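Review bot: The new `mustBePresent` parameter of `getAttributeDesignator` is undocumented; the Javadoc on lines 75-77 still lists only `@param attribute` and an empty `@return`, and the same gap applies to `getAttributeDesignatorXml` in the next hunk. Suggest `@param mustBePresent value written to the designator's MustBePresent attribute; true makes a request that lacks the attribute evaluate to Indeterminate, false lets it merely fail to match` and a filled-in `@return the designator for the attribute's category and URI`. Since the value was previously hard-coded to `true`, every caller now passing `false` is relaxing evaluation, which is worth saying in the Javadoc so that it stays a deliberate choice at each call site.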
@@ -72,12 +72,12 @@
* @param attribute
* @return
*/
- public static JAXBElement<? extends AttributeDesignatorType>
getAttributeDesignatorXml(Attribute attribute)
+ public static JAXBElement<? extends AttributeDesignatorType>
getAttributeDesignatorXml(Attribute attribute, boolean mustBePresent)
{
JAXBElement<? extends AttributeDesignatorType> xmlRep = null;
ObjectFactory objectFactory = new ObjectFactory();
- AttributeDesignatorType attributeDesignator =
AttributeDesignatorUtil.getAttributeDesignator(attribute);
+ AttributeDesignatorType attributeDesignator =
AttributeDesignatorUtil.getAttributeDesignator(attribute, mustBePresent);
if(attributeDesignator instanceof SubjectAttributeDesignatorType)
{
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Delete.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Delete.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Delete.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Delete extends Operation
+{
+ public Delete()
+ {
+ this.name = "delete";
+ }
+}
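Review bot: The class Javadoc reads `Get represents a "GET" action` but the class is `Delete`; the identical copied comment appears in Head.java, Options.java, Put.java and Trace.java in this commit. Suggest `Delete represents a "DELETE" action that can be performed on a Http Servlet` here and the corresponding method name in each of the other four. The five classes differ only in the string assigned to `this.name`, so a one-line comment on that assignment, `// lowercase name is the identity of this action in the policy model`, would also help a reader who wonders whether the case matters.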
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Head.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Head.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Head.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Head extends Operation
+{
+ public Head()
+ {
+ this.name = "head";
+ }
+}
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Options.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Options.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Options.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Options extends Operation
+{
+ public Options()
+ {
+ this.name = "options";
+ }
+}
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Put.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Put.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Put.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Put extends Operation
+{
+ public Put()
+ {
+ this.name = "put";
+ }
+}
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Trace.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Trace.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Trace.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Trace extends Operation
+{
+ public Trace()
+ {
+ this.name = "trace";
+ }
+}
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -113,7 +113,8 @@
{
String value = this.parameters.get(name);
- AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ paramExpression.setDesignatorMustBePresent(false);
metadata.getTarget().addResourceMatch(paramExpression);
}
}
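Review bot: `paramExpression.setDesignatorMustBePresent(false)` on line 374 changes the failure mode of every parameter constraint and has no comment explaining the intent. With MustBePresent off, a request that omits the parameter named in the policy presumably no longer yields an Indeterminate decision but an empty attribute bag, so the resource match simply does not apply; combined with `policy-match-mandatory` being set to `false` (as this commit does in the test war's http-policy.xml), a request to a constrained URL that leaves the parameter out would then pass through the filter as NotApplicable. If that is intended, state it: `// request parameters are optional: a missing parameter must not make the decision Indeterminate, it only means this match does not apply`; if not, keep MustBePresent true for parameter matches or make the filter deny NotApplicable for URLs that carry a constraint. The enclosing method starts outside the hunk.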
Modified:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/test/MockPolicy.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/test/MockPolicy.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/test/MockPolicy.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -110,7 +110,7 @@
ResourceMatchType rmt = new ResourceMatchType();
rmt.setMatchId(resourceMatch.getFunctionId());
-
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute()));
+
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute(),
true));
rmt.setAttributeValue(PolicyAttributeFactory
.createStringAttributeType(resourceMatch.getAttribute().getValue()));
@@ -194,7 +194,7 @@
ActionMatchType amct = new ActionMatchType();
amct.setMatchId(action.getFunctionId());
amct.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(action.getAttribute().getValue()));
-
amct.setActionAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(action.getAttribute()));
+
amct.setActionAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(action.getAttribute(),
true));
actionType.getActionMatch().add(amct);
actions.getAction().add(actionType);
}
@@ -212,7 +212,7 @@
SubjectMatchType match = new SubjectMatchType();
match.setMatchId(subject.getFunctionId());
match.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(subject.getAttribute().getValue()));
-
match.setSubjectAttributeDesignator((SubjectAttributeDesignatorType)AttributeDesignatorUtil.getAttributeDesignator(subject.getAttribute()));
+
match.setSubjectAttributeDesignator((SubjectAttributeDesignatorType)AttributeDesignatorUtil.getAttributeDesignator(subject.getAttribute(),
true));
subjectType.getSubjectMatch().add(match);
subjects.getSubject().add(subjectType);
}
@@ -243,7 +243,7 @@
apply.getExpression().add(jaxbAttrValue);
//Place within the Context where this Value should exist during an Authorization
Request
-
apply.getExpression().add(AttributeDesignatorUtil.getAttributeDesignatorXml(attributeExpression.getAttribute()));
+
apply.getExpression().add(AttributeDesignatorUtil.getAttributeDesignatorXml(attributeExpression.getAttribute(),
true));
condition.setExpression(objectFactory.createApply(apply));
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -39,13 +39,20 @@
import org.w3c.dom.NodeList;
import org.jboss.security.authz.components.resource.HttpResource;
-import org.jboss.security.authz.components.action.http.Get;
-import org.jboss.security.authz.components.action.http.Post;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.authz.policy.server.plugin.HierarchialPolicy;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
+import org.jboss.security.authz.components.action.http.Get;
+import org.jboss.security.authz.components.action.http.Post;
+import org.jboss.security.authz.components.action.http.Delete;
+import org.jboss.security.authz.components.action.http.Head;
+import org.jboss.security.authz.components.action.http.Options;
+import org.jboss.security.authz.components.action.http.Put;
+import org.jboss.security.authz.components.action.http.Trace;
+
+
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*
@@ -166,6 +173,27 @@
{
methodResource.setHttpMethod(new Post());
}
+ else if(httpMethod.equalsIgnoreCase("put"))
+ {
+ methodResource.setHttpMethod(new Put());
+ }
+ else if(httpMethod.equalsIgnoreCase("delete"))
+ {
+ methodResource.setHttpMethod(new Delete());
+ }
+ else if(httpMethod.equalsIgnoreCase("head"))
+ {
+ methodResource.setHttpMethod(new Head());
+ }
+ else if(httpMethod.equalsIgnoreCase("options"))
+ {
+ methodResource.setHttpMethod(new Options());
+ }
+ else if(httpMethod.equalsIgnoreCase("trace"))
+ {
+ methodResource.setHttpMethod(new Trace());
+ }
+
webResources.add(methodResource);
}
}
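Review bot: The `else if` chain on lines 465-484 has no final `else`, so an `<http-method>` value it does not recognise (a typo, or a method such as PATCH) leaves `methodResource` without a method and the policy loads silently with a constraint that is not what the author wrote; the same shape recurs in SecurityFilter (lines 558-585), where an unrecognised request method leaves the authorization request with no action set. Policy loading should fail loudly: `else { throw new IllegalArgumentException("Unsupported http-method in policy: " + httpMethod); }`. In the filter the safer default is to deny, or to map the unknown method to a distinct action, rather than hand the PDP a request with no action, since how the PDP treats a missing action is not visible here. Both enclosing methods start and end outside their hunks; the duplicated name-to-class mapping could live in one factory method used by both files, which would also keep the two lists from drifting apart.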
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -55,9 +55,15 @@
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
-import org.jboss.security.authz.components.action.Read;
import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.http.Get;
+import org.jboss.security.authz.components.action.http.Post;
+import org.jboss.security.authz.components.action.http.Delete;
+import org.jboss.security.authz.components.action.http.Head;
+import org.jboss.security.authz.components.action.http.Options;
+import org.jboss.security.authz.components.action.http.Put;
+import org.jboss.security.authz.components.action.http.Trace;
/**
@@ -148,14 +154,17 @@
//Process the authorization response and allow or deny further processing
if(!authzResponse.isAccessGranted())
{
- if(authzResponse.isIndeterminate() ||
- (authzResponse.isNotApplicable() && this.isPolicyMatchMandatory)
- )
+ if(authzResponse.isNotApplicable() && this.isPolicyMatchMandatory)
{
//Send back an access denied status
httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
+ else if(authzResponse.isIndeterminate())
+ {
+ httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ return;
+ }
}
chain.doFilter(request, response);
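Review bot: The new branch on lines 525-529 sends 500 for an Indeterminate decision while NotApplicable-with-mandatory-match sends 403, and nothing in the hunk records why the two are distinguished, so the next reader may fold them back together. Suggest, above the `else if`: `// Indeterminate means the PDP could not evaluate (missing required attribute, policy error): a server fault, not a policy decision, so report 500 rather than 403`. Both branches deny, which is the right fail-closed behaviour. The pre-existing fall-through to `chain.doFilter` when the decision is NotApplicable and `isPolicyMatchMandatory` is false is the fail-open path of this filter and deserves a one-line comment as well. The enclosing method starts outside the hunk.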
@@ -179,12 +188,7 @@
String uri = requestURI.substring(contextPath.length());
contextResource.setUri(new URI(uri));
- //Setup Role context
- //TODO: replace mock code with actual loading of Roles information of the authenticated
user via the new Identity API
- Roles roles = new Roles();
- roles.addName("Admin");
- authzRequest.addSubject(roles.getSubject());
-
+
//Setup Parameter context
Enumeration parameters = httpRequest.getParameterNames();
while(parameters.hasMoreElements())
@@ -193,15 +197,46 @@
String value = httpRequest.getParameter(name);
contextResource.addParameter(name, value);
}
-
-
+
//Setup Resource context
authzRequest.addResource(contextResource.getResource());
//Setup Action context
- //TODO: add support for all the Http methods here and not just GET
- authzRequest.setAction(new Read().getAction());
+ if(httpRequest.getMethod().equalsIgnoreCase("get"))
+ {
+ authzRequest.setAction(new Get().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("post"))
+ {
+ authzRequest.setAction(new Post().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("put"))
+ {
+ authzRequest.setAction(new Put().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("delete"))
+ {
+ authzRequest.setAction(new Delete().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("head"))
+ {
+ authzRequest.setAction(new Head().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("options"))
+ {
+ authzRequest.setAction(new Options().getAction());
+ }
+ else if(httpRequest.getMethod().equalsIgnoreCase("trace"))
+ {
+ authzRequest.setAction(new Trace().getAction());
+ }
+ //Setup Role context
+ //TODO: replace mock code with actual loading of Roles information of the authenticated
user via the new Identity API
+ Roles roles = new Roles();
+ roles.addName("Admin");
+ authzRequest.addSubject(roles.getSubject());
+
return authzRequest;
}
Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -29,6 +29,7 @@
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.httpclient.NameValuePair;
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
@@ -50,7 +51,7 @@
}
//------------------------------------------------------------------------------------------------------------------------------------------------------
- public void test() throws Exception
+ public void testAnonymousIndex() throws Exception
{
HttpClient client = new HttpClient();
String url = "http://localhost:8080/httpprofile-testsuite/index.html";
@@ -66,7 +67,40 @@
assertEquals("Request Failed!!", status, HttpStatus.SC_OK);
assertTrue("Proper content must be present!!",
response.contains("<h1>Http Profile Container TestSuite</h1>"));
+ }
+
+ public void testAnonymousExecutiveWithParameters() throws Exception
+ {
+ HttpClient client = new HttpClient();
+ String url =
"http://localhost:8080/httpprofile-testsuite/private/executives/testwithparams.html";
+ GetMethod method = new GetMethod(url);
+ method.setQueryString(new NameValuePair[]{new NameValuePair("id",
"1234")});
- Thread.currentThread().sleep(20000);
- }
+ int status = client.executeMethod(method);
+ String response = method.getResponseBodyAsString();
+
+ log.info("-----------------------------------------------------------");
+ log.info("Status="+status);
+ log.info(response);
+ log.info("-----------------------------------------------------------");
+
+ assertEquals("Request Should Have Been Denied!!", status,
HttpStatus.SC_FORBIDDEN);
+ }
+
+ public void testAnonymousExecutiveIndex() throws Exception
+ {
+ HttpClient client = new HttpClient();
+ String url =
"http://localhost:8080/httpprofile-testsuite/private/executives/index.html";
+ GetMethod method = new GetMethod(url);
+
+ int status = client.executeMethod(method);
+ String response = method.getResponseBodyAsString();
+
+ log.info("-----------------------------------------------------------");
+ log.info("Status="+status);
+ log.info(response);
+ log.info("-----------------------------------------------------------");
+
+ assertEquals("Request Should Have Been Denied!!", status,
HttpStatus.SC_FORBIDDEN);
+ }
}
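Review bot: `assertEquals("Request Should Have Been Denied!!", status, HttpStatus.SC_FORBIDDEN)` on lines 643-644 and 662-663 puts the actual value in the expected slot; JUnit's order is `(message, expected, actual)`, so a failure would report "expected:<200> but was:<403>" the wrong way round. Use `assertEquals("Request Should Have Been Denied!!", HttpStatus.SC_FORBIDDEN, status)` in both tests. The methods are named "Anonymous", yet the filter in this commit still attaches a mock `Admin` role to every request (SecurityFilter lines 589-591) and the test policy allows `Admin`, so it is not evident from the diff which constraint is expected to produce the 403; a comment on each test naming that constraint would make the expectation checkable.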
Modified: modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
===================================================================
--- modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-04-03
20:33:51 UTC (rev 13150)
+++ modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-04-05
14:58:26 UTC (rev 13151)
@@ -47,7 +47,7 @@
</ip-range>
</ip-address>
-->
- <!-- constraints based on data and/or time -->
+ <!-- constraints based on date and/or time -->
</auth-constraint>
</security-constraint>
Modified:
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml
===================================================================
---
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml 2009-04-05
14:58:26 UTC (rev 13151)
@@ -12,31 +12,28 @@
The protection can be increased depending on the application by changing this to
"true". In which case only Http Requests that have a matching "Security
Policy" will
be considered for "Access Control". All others will be
"Denied" access.
-->
- <policy-match-mandatory>true</policy-match-mandatory>
+ <policy-match-mandatory>false</policy-match-mandatory>
</enforcement-config>
<security-constraint>
<web-resource-collection>
<web-resource>
- <web-resource-name>Executive Files</web-resource-name>
+ <web-resource-name>Testing for Resources with
Parameters</web-resource-name>
<url-pattern>/private/executives/*</url-pattern>
<parameters>
<parameter name="id">1234</parameter>
</parameters>
+ <http-method>GET</http-method>
+ <http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
- <http-method>TRACE</http-method>
- <http-method>GET</http-method>
- <http-method>POST</http-method>
+ <http-method>TRACE</http-method>
</web-resource>
<web-resource>
- <web-resource-name>Board/Investor Files</web-resource-name>
- <url-pattern>/private/board/*</url-pattern>
- <parameters>
- <parameter name="id">5678</parameter>
- </parameters>
+ <web-resource-name>Concrete Resource without
parameters</web-resource-name>
+ <url-pattern>/private/executives/index.html</url-pattern>
</web-resource>
</web-resource-collection>
<auth-constraint>
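Review bot: Setting `policy-match-mandatory` to `false` on line 697 makes this test deployment fail-open for every URL not listed in a `<web-resource>`, and the second `<web-resource>` added on lines 726-728 (`/private/executives/index.html`) overlaps the `/private/executives/*` pattern above it, so index.html now matches two constraints with different parameter requirements. The hunk does not show how overlapping patterns are combined, so the intended precedence should be recorded next to the new entry, e.g. `<!-- also covered by /private/executives/*; the exact pattern is expected to take precedence -->` adjusted to whatever the combining rule really is. If `false` is here only to let unrelated test pages through, say so in the existing comment above it, because a config copied from this file would leave unlisted resources unprotected.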
@@ -44,29 +41,7 @@
<roles allow="true">
<role-name>Admin</role-name>
<role-name>Executive</role-name>
- </roles>
- <roles allow="false">
- <role-name>Manager</role-name>
- <role-name>Developer</role-name>
- </roles>
-
- <!-- constants based on ip address of the connecting machine -->
- <!--
- Still need to implement this functionality
- <ip-address allow="true">
- <ip-range>
- <address-from></address-from>
- <address-to></address-to>
- </ip-range>
- </ip-address>
- <ip-address allow="false">
- <ip-range>
- <address-from></address-from>
- <address-to></address-to>
- </ip-range>
- </ip-address>
- -->
- <!-- constraints based on data and/or time -->
+ </roles>
</auth-constraint>
</security-constraint>
</web-security>
\ No newline at end of file
Added:
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/testwithparams.html
===================================================================
---
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/testwithparams.html
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/testwithparams.html 2009-04-05
14:58:26 UTC (rev 13151)
@@ -0,0 +1,8 @@
+<html>
+ <head>
+ <title>Http Profile Container TestSuite</title>
+ </head>
+ <body>
+ <h1>Test With Parameter Matching......</h1>
+ </body>
+</html>
\ No newline at end of file
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-04-03
20:33:51 UTC (rev 13150)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-04-05
14:58:26 UTC (rev 13151)
@@ -114,8 +114,11 @@
{
ResourceMatchType rmt = new ResourceMatchType();
- rmt.setMatchId(resourceMatch.getFunctionId());
-
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute()));
+ rmt.setMatchId(resourceMatch.getFunctionId());
+
+
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute(),
resourceMatch.
+ designatorMustBePresent()));
+
rmt.setAttributeValue(PolicyAttributeFactory
.createStringAttributeType(resourceMatch.getAttribute().getValue()));
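Review bot: The resource match on lines 801-803 now honours `resourceMatch.designatorMustBePresent()`, but the action and subject matches in the following two hunks (lines 814-815 and 826-827) and the condition designator at lines 838-839 still hard-code `true`, so `setDesignatorMustBePresent(false)` on an action or subject expression is silently ignored. Either pass the expression's flag at every call for consistency, or document on `AttributeExpression` that the flag only affects resource matches. A comment at the resource call, `// parameter-derived resource matches are optional (see HttpResource), so honour the expression's MustBePresent flag`, would also explain why this call differs from the others. The enclosing method starts and ends outside the hunk.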
@@ -211,7 +214,7 @@
ActionMatchType amct = new ActionMatchType();
amct.setMatchId(action.getFunctionId());
amct.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(action.getAttribute().getValue()));
-
amct.setActionAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(action.getAttribute()));
+
amct.setActionAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(action.getAttribute(),
true));
actionType.getActionMatch().add(amct);
actions.getAction().add(actionType);
}
@@ -229,7 +232,7 @@
SubjectMatchType match = new SubjectMatchType();
match.setMatchId(subject.getFunctionId());
match.setAttributeValue(PolicyAttributeFactory.createStringAttributeType(subject.getAttribute().getValue()));
-
match.setSubjectAttributeDesignator((SubjectAttributeDesignatorType)AttributeDesignatorUtil.getAttributeDesignator(subject.getAttribute()));
+
match.setSubjectAttributeDesignator((SubjectAttributeDesignatorType)AttributeDesignatorUtil.getAttributeDesignator(subject.getAttribute(),
true));
subjectType.getSubjectMatch().add(match);
subjects.getSubject().add(subjectType);
}
@@ -260,7 +263,7 @@
apply.getExpression().add(jaxbAttrValue);
//Place within the Context where this Value should exist during an Authorization
Request
-
apply.getExpression().add(AttributeDesignatorUtil.getAttributeDesignatorXml(attributeExpression.getAttribute()));
+
apply.getExpression().add(AttributeDesignatorUtil.getAttributeDesignatorXml(attributeExpression.getAttribute(),
true));
condition.setExpression(objectFactory.createApply(apply));