Author: sohil.shah(a)jboss.com
Date: 2009-03-26 16:23:08 -0400 (Thu, 26 Mar 2009)
New Revision: 13088
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Get.java
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Post.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/board/
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/board/index.html
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/index.html
Removed:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestHelloWorldHttpServlet.java
Modified:
modules/authorization/trunk/.classpath
modules/authorization/trunk/common-api/pom.xml
modules/authorization/trunk/core-components-api/pom.xml
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
modules/authorization/trunk/enforcement/pom.xml
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Response.java
modules/authorization/trunk/http-profile/pom.xml
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java
modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml
modules/authorization/trunk/policy-server/pom.xml
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
modules/authorization/trunk/pom.xml
Log:
code backup
* first pass at supporting access control on HTTP methods (GET, POST, etc.); more
refinement needed
Modified: modules/authorization/trunk/.classpath
===================================================================
--- modules/authorization/trunk/.classpath 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/.classpath 2009-03-26 20:23:08 UTC (rev 13088)
@@ -39,5 +39,6 @@
<classpathentry kind="var"
path="M2_REPO/org/jboss/microcontainer/jboss-dependency/2.0.2.GA/jboss-dependency-2.0.2.GA.jar"/>
<classpathentry kind="var"
path="M2_REPO/org/jboss/jboss-common-core/2.2.9.GA/jboss-common-core-2.2.9.GA.jar"/>
<classpathentry kind="var"
path="M2_REPO/javax/servlet/servlet-api/2.4/servlet-api-2.4.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar"/>
<classpathentry kind="output" path="bin"/>
</classpath>
Modified: modules/authorization/trunk/common-api/pom.xml
===================================================================
--- modules/authorization/trunk/common-api/pom.xml 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/common-api/pom.xml 2009-03-26 20:23:08 UTC (rev 13088)
@@ -19,19 +19,5 @@
<groupId>org.jboss.security</groupId>
<artifactId>jboss-xacml</artifactId>
</dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.3.1</version>
- <configuration>
- <includes>
- </includes>
- </configuration>
- </plugin>
- </plugins>
- </build>
+ </dependencies>
</project>
Modified: modules/authorization/trunk/core-components-api/pom.xml
===================================================================
--- modules/authorization/trunk/core-components-api/pom.xml 2009-03-26 13:58:58 UTC (rev
13087)
+++ modules/authorization/trunk/core-components-api/pom.xml 2009-03-26 20:23:08 UTC (rev
13088)
@@ -35,19 +35,5 @@
<groupId>org.drools</groupId>
<artifactId>drools-compiler</artifactId>
</dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.3.1</version>
- <configuration>
- <includes>
- </includes>
- </configuration>
- </plugin>
- </plugins>
- </build>
+ </dependencies>
</project>
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Get.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Get.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Get.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Get represents a "GET" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Get extends Operation
+{
+ public Get()
+ {
+ this.name = "get";
+ }
+}
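Review bot: The literal `"get"` assigned in the constructor is duplicated as a second literal in HttpPolicyConfig.parseHttpMethods (`httpMethod.equalsIgnoreCase("get")`) with nothing tying the two together, so the action name and the configuration keyword can drift apart silently. Expose it once, `public static final String NAME = "get";` with `this.name = NAME;`, and compare against that constant in the parser; the same applies to the Post hunk and its `"post"` literal.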
Added:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Post.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Post.java
(rev 0)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/action/http/Post.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -0,0 +1,37 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action.http;
+
+import org.jboss.security.authz.components.action.Operation;
+
+/**
+ * Post represents a "POST" action that can be performed on a Http Servlet
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class Post extends Operation
+{
+ public Post()
+ {
+ this.name = "post";
+ }
+}
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -30,8 +30,12 @@
import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.Resource;
import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.xacml.ExpressionBuilder;
+import org.jboss.security.authz.components.action.Operation;
+
+import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
/**
@@ -43,12 +47,17 @@
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*
*/
-public class HttpResource extends URIResource
+public class HttpResource extends URIResource implements Cloneable
{
/**
* The HTTP Parameters that are used to access this resource
*/
private Map<String, String> parameters;
+
+ /**
+ * Used to apply the Policy based on Http Method being invoked
+ */
+ private Operation httpMethod;
/**
*
@@ -77,6 +86,16 @@
{
this.getParameters().put(name, value);
}
+
+ public Operation getHttpMethod()
+ {
+ return this.httpMethod;
+ }
+
+ public void setHttpMethod(Operation httpMethod)
+ {
+ this.httpMethod = httpMethod;
+ }
//-------Services for Policy
Creation---------------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
* Produces PolicyMeta used to generate a Policy object to be registered with the
Policy Server
@@ -98,6 +117,19 @@
metadata.getTarget().addResourceMatch(paramExpression);
}
}
+
+ if(this.httpMethod != null)
+ {
+ AttributeExpression actionExpression = new AttributeExpression();
+
+ actionExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
+ XMLSchemaConstants.DATATYPE_STRING, this.httpMethod.getName());
+ actionExpression.setAttribute(attribute);
+
+ Target actionTarget = this.httpMethod.getTarget();
+
metadata.getTarget().addActionMatch(actionTarget.getActionMatches().iterator().next());
+ }
return metadata;
}
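Review bot: `actionExpression` is fully populated (function id, attribute) but never attached to anything — the target only receives `actionTarget.getActionMatches().iterator().next()` — so those lines are either dead code or a missing `metadata.getTarget().addActionMatch(actionExpression);`, and whichever it is should be decided before this ships. `iterator().next()` throws NoSuchElementException when the Operation's target carries no action matches; check `getActionMatches().isEmpty()` first (or add all of them in a loop) rather than assuming exactly one. The enclosing method starts outside the hunk.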
@@ -128,4 +160,9 @@
return urlResource;
}
+
//-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
}
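Review bot: `clone()` returns `super.clone()`, a shallow copy, so every HttpResource cloned from one template shares the same `parameters` map, and HttpPolicyConfig.parseHttpMethods now clones one resource per `http-method` from the same template; an `addParameter` on any copy would appear in all of them. Copy the map in the override: `HttpResource copy = (HttpResource)super.clone();` `copy.parameters = (this.parameters == null) ? null : new HashMap<String, String>(this.parameters);` `return copy;`, adding the `java.util.HashMap` import if the file does not already have it. A short Javadoc stating that the copy is independent of the original's parameters would document the contract.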
Modified: modules/authorization/trunk/enforcement/pom.xml
===================================================================
--- modules/authorization/trunk/enforcement/pom.xml 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/enforcement/pom.xml 2009-03-26 20:23:08 UTC (rev 13088)
@@ -25,19 +25,5 @@
<groupId>org.jboss.security</groupId>
<artifactId>jboss-xacml</artifactId>
</dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.3.1</version>
- <configuration>
- <includes>
- </includes>
- </configuration>
- </plugin>
- </plugins>
- </build>
+ </dependencies>
</project>
Modified:
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Response.java
===================================================================
---
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Response.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Response.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -57,4 +57,28 @@
{
this.message = message;
}
+
+ public boolean isIndeterminate()
+ {
+ boolean isIndeterminate = false;
+
+ if(this.message.toLowerCase().contains("indeterminate"))
+ {
+ isIndeterminate = true;
+ }
+
+ return isIndeterminate;
+ }
+
+ public boolean isNotApplicable()
+ {
+ boolean isNotApplicable = false;
+
+ if(this.message.toLowerCase().contains("notapplicable"))
+ {
+ isNotApplicable = true;
+ }
+
+ return isNotApplicable;
+ }
}
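Review bot: `isIndeterminate()` and `isNotApplicable()` derive the decision from a substring of the free-text `message` and dereference it unguarded, so a Response whose message was never set throws NullPointerException from the enforcement path, and any wording change in the policy server's messages silently changes the decision. Make both null-safe, e.g. `return this.message != null && this.message.toLowerCase().contains("indeterminate");`, and consider carrying the decision as an explicit field or enum set by the policy server instead of parsing the message. Each method's Javadoc should state which message text it keys on so the coupling is visible. The enclosing class and the `message` setter start outside the hunk.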
Modified: modules/authorization/trunk/http-profile/pom.xml
===================================================================
--- modules/authorization/trunk/http-profile/pom.xml 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/http-profile/pom.xml 2009-03-26 20:23:08 UTC (rev 13088)
@@ -68,7 +68,9 @@
<version>2.3.1</version>
<configuration>
<includes>
+ <!--
<include>**/components/Test*.java</include>
+ -->
<include>**/provisioning/Test*.java</include>
</includes>
</configuration>
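Review bot: Commenting out the `**/components/Test*.java` include drops those tests from the build with no explanation, and nothing in the commit record says why. If they are temporarily broken, say so inside the XML comment (e.g. `<!-- components tests disabled pending http-method support; re-enable once they pass -->`) so the exclusion is not forgotten, or exclude them explicitly with an `<excludes>` block.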
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -39,6 +39,8 @@
import org.w3c.dom.NodeList;
import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.components.action.http.Get;
+import org.jboss.security.authz.components.action.http.Post;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.authz.policy.server.plugin.HierarchialPolicy;
@@ -128,29 +130,67 @@
policyResource.setUri(new URI(urlPattern.getTextContent().trim()));
this.parseParameters(policyResource, webResource);
- webResources.add(policyResource);
+ List<HttpResource> methodResources = this.parseHttpMethods(policyResource,
webResource);
+ if(methodResources != null && !methodResources.isEmpty())
+ {
+ webResources.addAll(methodResources);
+ }
+ else
+ {
+ webResources.add(policyResource);
+ }
}
}
return webResources;
}
+ private List<HttpResource> parseHttpMethods(HttpResource policyResource, Element
webResource) throws Exception
+ {
+ List<HttpResource> webResources = new ArrayList<HttpResource>();
+ NodeList httpMethods = webResource.getElementsByTagName("http-method");
+ if(httpMethods != null)
+ {
+ for(int i=0; i<httpMethods.getLength(); i++)
+ {
+ Element httpMethodElem = (Element)httpMethods.item(i);
+
+ String httpMethod = httpMethodElem.getTextContent();
+ HttpResource methodResource = (HttpResource)policyResource.clone();
+
+ if(httpMethod.equalsIgnoreCase("get"))
+ {
+ methodResource.setHttpMethod(new Get());
+ }
+ else if(httpMethod.equalsIgnoreCase("post"))
+ {
+ methodResource.setHttpMethod(new Post());
+ }
+ webResources.add(methodResource);
+ }
+ }
+ return webResources;
+ }
+
private void parseParameters(HttpResource policyResource, Element webResource) throws
Exception
{
//Process Parameters
Element parameters =
(Element)webResource.getElementsByTagName("parameters").item(0);
- NodeList params = parameters.getElementsByTagName("parameter");
- if(params != null)
+ if(parameters != null)
{
- for(int i=0, length=params.getLength(); i<length; i++)
- {
- Element parameter = (Element)params.item(i);
-
- String name = parameter.getAttribute("name").trim();
- String value = parameter.getTextContent().trim();
-
- policyResource.addParameter(name, value);
- }
+ NodeList params = parameters.getElementsByTagName("parameter");
+ if(params != null)
+ {
+ for(int i=0, length=params.getLength(); i<length; i++)
+ {
+ Element parameter = (Element)params.item(i);
+
+ String name = parameter.getAttribute("name").trim();
+ String value = parameter.getTextContent().trim();
+
+ policyResource.addParameter(name, value);
+ }
+ }
}
}
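Review bot: An `<http-method>` value other than get/post leaves `methodResource.getHttpMethod()` null, yet the resource is still added at `webResources.add(methodResource)`; since HttpResource only emits an action match when `httpMethod` is non-null, a policy written for an unsupported method silently becomes one with no method restriction at all — broader than the configuration expressed. Fail loudly instead, e.g. `else { throw new Exception("Unsupported http-method: " + httpMethod); }`, or skip the entry with a warning so the policy author sees the misconfiguration. `httpMethod` is also not trimmed, unlike the `url-pattern` text just above; use `httpMethodElem.getTextContent().trim()`. The loop that calls `parseHttpMethods` begins outside the hunk.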
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/enforcement/SecurityFilter.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -21,8 +21,11 @@
*/
package org.jboss.security.authz.http.enforcement;
+import java.util.Enumeration;
import java.io.IOException;
import java.io.InputStream;
+import java.io.ByteArrayInputStream;
+import java.net.URI;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -31,16 +34,32 @@
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.UnavailableException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Element;
+import org.w3c.dom.Document;
+
import org.jboss.security.authz.http.configuration.HttpPolicyConfig;
+import org.jboss.security.authz.tools.GeneralTool;
+
import org.jboss.security.authz.model.Policy;
+
import org.jboss.security.authz.policy.server.Server;
import org.jboss.security.authz.policy.server.PolicyServer;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
-import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.authz.enforcement.Request;
+import org.jboss.security.authz.enforcement.Response;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.components.subject.Roles;
+
+
/**
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
@@ -49,6 +68,7 @@
private static Logger log = Logger.getLogger(SecurityFilter.class);
private PolicyServer policyServer;
+ private boolean isPolicyMatchMandatory = false; //set to "false" by default
public SecurityFilter()
{
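Review bot: `isPolicyMatchMandatory = false` makes the filter permit any request that no policy covers (a NotApplicable decision is only rejected when this flag is set, see `doFilter`), and the only documentation is `//set to "false" by default`. A Javadoc line should state that consequence, e.g. `/** When false, requests that no policy applies to are allowed through; when true they are rejected. Read from enforcement-config/policy-match-mandatory. */`. For an enforcement filter, defaulting to true (deny unless a policy applies) is the safer choice, or the setting should be required in http-policy.xml rather than defaulted.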
@@ -73,8 +93,9 @@
PolicyConfig policyConfig = new HttpPolicyConfig();
is =
config.getServletContext().getResourceAsStream("/WEB-INF/http-policy.xml");
+ String httpPolicy = GeneralTool.readStream(is);
- Policy[] policies = policyConfig.configure(GeneralTool.readStream(is));
+ Policy[] policies = policyConfig.configure(httpPolicy);
log.debug("----------------------------------------------------------");
for(Policy policy: policies)
@@ -84,6 +105,10 @@
}
log.debug("----------------------------------------------------------");
+ //Parse the enforcement configuration
+ this.configure(httpPolicy);
+
+
log.info("----------------------------------------------------------");
log.info("Security Filter successfully
initialized...................");
log.info("----------------------------------------------------------");
@@ -111,9 +136,98 @@
public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException
{
- log.info("--------------------------------------------------------");
- log.info("Security Filter successfully called.....................");
+ try
+ {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ HttpServletResponse httpResponse = (HttpServletResponse)response;
+
+ //Perform a Security check
+ Request authzRequest = this.createAuthorizationRequest(httpRequest);
+ Response authzResponse = this.policyServer.evaluate(authzRequest);
+
+ //Process the authorization response and allow or deny further processing
+ if(!authzResponse.isAccessGranted())
+ {
+ if(authzResponse.isIndeterminate() ||
+ (authzResponse.isNotApplicable() && this.isPolicyMatchMandatory)
+ )
+ {
+ //Send back an access denied status
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ }
+
+ chain.doFilter(request, response);
+ }
+ catch(Exception e)
+ {
+ log.error(this, e);
+ throw new ServletException(e);
+ }
+ }
+ //------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private Request createAuthorizationRequest(HttpServletRequest httpRequest) throws
Exception
+ {
+ Request authzRequest = new Request();
- chain.doFilter(request, response);
- }
+ HttpResource contextResource = new HttpResource();
+
+ //Setup URI pattern context
+ String contextPath = httpRequest.getContextPath();
+ String requestURI = httpRequest.getRequestURI();
+ String uri = requestURI.substring(contextPath.length());
+ contextResource.setUri(new URI(uri));
+
+ //Setup Role context
+ //TODO: replace mock code with actual loading of Roles information of the authenticated
user via the new Identity API
+ Roles roles = new Roles();
+ roles.addName("Admin");
+ authzRequest.addSubject(roles.getSubject());
+
+ //Setup Parameter context
+ Enumeration parameters = httpRequest.getParameterNames();
+ while(parameters.hasMoreElements())
+ {
+ String name = (String)parameters.nextElement();
+ String value = httpRequest.getParameter(name);
+ contextResource.addParameter(name, value);
+ }
+
+
+ //Setup Resource context
+ authzRequest.addResource(contextResource.getResource());
+
+ //Setup Action context
+ //TODO: add support for all the Http methods here and not just GET
+ authzRequest.setAction(new Read().getAction());
+
+ return authzRequest;
+ }
+
+ private void configure(String httpPolicy) throws Exception
+ {
+ InputStream xmlStream = null;
+ try
+ {
+ xmlStream = new ByteArrayInputStream(httpPolicy.getBytes());
+ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ Document document = builder.parse(xmlStream);
+
+ Element enforcementConfig =
(Element)document.getElementsByTagName("enforcement-config").item(0);
+ if(enforcementConfig != null)
+ {
+ Element policyMatchMandatory =
(Element)enforcementConfig.getElementsByTagName("policy-match-mandatory").item(0);
+
+ this.isPolicyMatchMandatory =
Boolean.parseBoolean(policyMatchMandatory.getTextContent());
+ }
+ }
+ finally
+ {
+ if(xmlStream != null)
+ {
+ xmlStream.close();
+ }
+ }
+ }
}
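Review bot: A Deny decision is still served: in `doFilter` a response with `isAccessGranted()` false is rejected only when it is Indeterminate, or NotApplicable with `isPolicyMatchMandatory` set, so every other non-granted result falls through to `chain.doFilter(request, response)`. Make rejection the default and pass-through the exception by replacing the three-line condition with `if(!(authzResponse.isNotApplicable() && !this.isPolicyMatchMandatory))`, keeping the `sendError(SC_FORBIDDEN)` and `return`. In `createAuthorizationRequest` the resource path comes straight from `getRequestURI()`, so the policy sees the path exactly as the client spelled it; normalizing it first (`new URI(uri).normalize()`) keeps equivalent spellings of one path from being matched against different policies. In `configure`, `policyMatchMandatory` is dereferenced without a null check and `httpPolicy.getBytes()` uses the platform charset; guard the element and pass `"UTF-8"` explicitly.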
Deleted:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestHelloWorldHttpServlet.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestHelloWorldHttpServlet.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestHelloWorldHttpServlet.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -1,54 +0,0 @@
-/******************************************************************************
- * JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
- * contributors as indicated by the @authors tag. See the *
- * copyright.txt in the distribution for a full listing of *
- * individual contributors. *
- * *
- * This is free software; you can redistribute it and/or modify it *
- * under the terms of the GNU Lesser General Public License as *
- * published by the Free Software Foundation; either version 2.1 of *
- * the License, or (at your option) any later version. *
- * *
- * This software is distributed in the hope that it will be useful, *
- * but WITHOUT ANY WARRANTY; without even the implied warranty of *
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
- * Lesser General Public License for more details. *
- * *
- * You should have received a copy of the GNU Lesser General Public *
- * License along with this software; if not, write to the Free *
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
- ******************************************************************************/
-package org.jboss.security.authz.http.container;
-
-import junit.framework.TestCase;
-
-import org.apache.log4j.Logger;
-
-/**
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
-public class TestHelloWorldHttpServlet extends TestCase
-{
- /**
- *
- */
- private static Logger log = Logger.getLogger(TestHelloWorldHttpServlet.class);
-
-
- /**
- *
- */
- protected void setUp() throws Exception
- {
-
- }
-
//------------------------------------------------------------------------------------------------------------------------------------------------------
- public void testHelloWorld() throws Exception
- {
- String url = "/httpprofile-testsuite/index.html";
- Thread.currentThread().sleep(20000);
- }
-}
Copied:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
(from rev 13005,
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestHelloWorldHttpServlet.java)
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -0,0 +1,72 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.container;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.httpclient.methods.GetMethod;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class TestSecurityFilterDeployment extends TestCase
+{
+ /**
+ *
+ */
+ private static Logger log = Logger.getLogger(TestSecurityFilterDeployment.class);
+
+
+ /**
+ *
+ */
+ protected void setUp() throws Exception
+ {
+
+ }
+
//------------------------------------------------------------------------------------------------------------------------------------------------------
+ public void test() throws Exception
+ {
+ HttpClient client = new HttpClient();
+ String url = "http://localhost:8080/httpprofile-testsuite/index.html";
+ GetMethod method = new GetMethod(url);
+
+ int status = client.executeMethod(method);
+ String response = method.getResponseBodyAsString();
+
+ log.info("-----------------------------------------------------------");
+ log.info("Status="+status);
+ log.info(response);
+ log.info("-----------------------------------------------------------");
+
+ assertEquals("Request Failed!!", status, HttpStatus.SC_OK);
+ assertTrue("Proper content must be present!!",
response.contains("<h1>Http Profile Container TestSuite</h1>"));
+
+ Thread.currentThread().sleep(20000);
+ }
+}
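Review bot: `assertEquals("Request Failed!!", status, HttpStatus.SC_OK)` has expected and actual swapped (the JUnit 3 signature is message, expected, actual), so a failure message would read backwards; use `assertEquals("Request Failed!!", HttpStatus.SC_OK, status);`. The test only fetches the public `index.html` and never requests the `/private/board` or `/private/executives` pages added in this commit, so the filter's forbidden branch is not exercised at all. `GetMethod` is never released (`method.releaseConnection()` in a finally block), and `Thread.currentThread().sleep(20000)` calls a static method through an instance and adds 20 seconds to every run for no stated reason — drop it or comment why it is needed.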
Property changes on:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/container/TestSecurityFilterDeployment.java
___________________________________________________________________
Name: svn:mergeinfo
+
Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/provisioning/TestHttpPolicyConfig.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -29,7 +29,8 @@
import org.apache.log4j.Logger;
-import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.http.Get;
+import org.jboss.security.authz.components.action.http.Post;
import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.components.subject.Roles;
import org.jboss.security.authz.enforcement.Request;
@@ -74,8 +75,11 @@
for(int i=0; i<policies.length; i++)
{
+ String xacmlPolicy = policies[i].generateXACMLPolicy();
+ this.policyServer.newPolicy(policies[i].getMetaData());
+
log.info("------------------------------------------------------");
- this.policyServer.newPolicy(policies[i].getMetaData());
+ log.info(xacmlPolicy);
log.info("------------------------------------------------------");
}
@@ -87,16 +91,18 @@
incoming.addParameter("id", "1234");
//Executive is allowed
- this.enforce(this.createRequest(incoming, new String[]{"executive"}),
true);
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive"}),
true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive"}),
true);
//Executive is allowed but Manager is not.....Permit overrides Deny according to the
Rule Combining Algorithm used for this Policy
- this.enforce(this.createRequest(incoming, new String[]{"executive",
"manager"}), true);
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive",
"manager"}), true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive",
"manager"}), true);
//Manager is Not Allowed
- this.enforce(this.createRequest(incoming, new String[]{"manager"}),
false);
+ this.enforce(this.createGetRequest(incoming, new String[]{"manager"}),
false);
//Anonymous is Not Allowed
- this.enforce(this.createRequest(incoming, new String[]{"anonymous"}),
false);
+ this.enforce(this.createGetRequest(incoming, new String[]{"anonymous"}),
false);
}
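Review bot: The negative cases are only exercised for GET: `manager` and `anonymous` are checked with `createGetRequest`, while the new `createPostRequest` is used solely for roles expected to be allowed, so a policy that denied GET but permitted POST would pass this test unnoticed. Add the mirrored lines, e.g. `this.enforce(this.createPostRequest(incoming, new String[]{"manager"}), false);` and the same for `anonymous`. The enclosing test method and the `createGetRequest`/`createPostRequest` helpers are outside the hunk.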
public void testBoardFiles() throws Exception
@@ -110,9 +116,11 @@
for(int i=0; i<policies.length; i++)
{
- log.info("------------------------------------------------------");
- this.policyServer.newPolicy(policies[i].getMetaData());
- log.info("------------------------------------------------------");
+ String xacmlPolicy = policies[i].generateXACMLPolicy();
+ this.policyServer.newPolicy(policies[i].getMetaData());
+ log.info("------------------------------------------------------");
+ log.info(xacmlPolicy);
+ log.info("------------------------------------------------------");
}
is.close();
@@ -123,17 +131,59 @@
incoming.addParameter("id", "5678");
//Executive is allowed
- this.enforce(this.createRequest(incoming, new String[]{"executive"}),
true);
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive"}),
true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive"}),
false);
//Executive is allowed but Manager is not.....Permit overrides Deny according to the
Rule Combining Algorithm used for this Policy
- this.enforce(this.createRequest(incoming, new String[]{"executive",
"manager"}), true);
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive",
"manager"}), true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive",
"manager"}), false);
//Manager is Not Allowed
- this.enforce(this.createRequest(incoming, new String[]{"manager"}),
false);
+ this.enforce(this.createGetRequest(incoming, new String[]{"manager"}),
false);
//Anonymous is Not Allowed
- this.enforce(this.createRequest(incoming, new String[]{"anonymous"}),
false);
+ this.enforce(this.createGetRequest(incoming, new String[]{"anonymous"}),
false);
}
+
+ public void testEditUser() throws Exception
+ {
+ PolicyConfig config = new HttpPolicyConfig();
+ InputStream is =
Thread.currentThread().getContextClassLoader().getResourceAsStream("http-policy.xml");
+
+ Policy[] policies = config.configure(GeneralTool.readStream(is));
+
+ assertNotNull(policies);
+
+ for(int i=0; i<policies.length; i++)
+ {
+ String xacmlPolicy = policies[i].generateXACMLPolicy();
+ this.policyServer.newPolicy(policies[i].getMetaData());
+ log.info("------------------------------------------------------");
+ log.info(xacmlPolicy);
+ log.info("------------------------------------------------------");
+ }
+
+ is.close();
+
+ //Perform an Enforcement
+ HttpResource incoming = new HttpResource();
+ incoming.setUri(new URI("/editUser"));
+ incoming.addParameter("userId", "9101112");
+
+ //Executive is allowed
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive"}),
true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive"}),
true);
+
+ //Executive is allowed but Manager is not.....Permit overrides Deny according to the
Rule Combining Algorithm used for this Policy
+ this.enforce(this.createGetRequest(incoming, new String[]{"executive",
"manager"}), true);
+ this.enforce(this.createPostRequest(incoming, new String[]{"executive",
"manager"}), true);
+
+ //Manager is Not Allowed
+ this.enforce(this.createGetRequest(incoming, new String[]{"manager"}),
false);
+
+ //Anonymous is Not Allowed
+ this.enforce(this.createGetRequest(incoming, new String[]{"anonymous"}),
false);
+ }
//-------------------------------------------------------------------------------------------------------------------------------------------------
private void enforce(Request request, boolean mustBePermitted) throws Exception
{
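Review bot: In testEditUser, `is.close()` is skipped whenever `config.configure` or `assertNotNull` throws, so a failing test leaks the classpath stream for the rest of the run; the two earlier tests follow the same pattern. Wrap the read as `try { policies = config.configure(GeneralTool.readStream(is)); } finally { is.close(); }` so the stream is released on failure as well. The provisioning loop in this method is the third copy of the one in the earlier tests and would fit a shared private helper.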
@@ -154,7 +204,7 @@
}
}
- private Request createRequest(HttpResource contextResource, String[] userRoles) throws
Exception
+ private Request createGetRequest(HttpResource contextResource, String[] userRoles)
throws Exception
{
//Create a RequestType
Request request = new Request();
@@ -171,8 +221,30 @@
request.addResource(contextResource.getResource());
//Create Action
- request.setAction(new Read().getAction());
+ request.setAction(new Get().getAction());
return request;
- }
+ }
+
+ private Request createPostRequest(HttpResource contextResource, String[] userRoles)
throws Exception
+ {
+ //Create a RequestType
+ Request request = new Request();
+
+ //Create Subjects
+ Roles roles = new Roles();
+ for(int i=0; i<userRoles.length; i++)
+ {
+ roles.addName(userRoles[i]);
+ }
+ request.addSubject(roles.getSubject());
+
+ //Create Resource
+ request.addResource(contextResource.getResource());
+
+ //Create Action
+ request.setAction(new Post().getAction());
+
+ return request;
+ }
}
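Review bot: createPostRequest is a line-for-line copy of createGetRequest with only the `new Post().getAction()` call differing, so the subject and resource assembly is now maintained twice. A private helper taking the `HttpResource`, the role array and the already-built action (the return type of `getAction()` is not visible in this hunk) would let both methods become single delegating lines. A short Javadoc on each stating that all roles are added as one `Roles` subject would also help, since this test class is currently the only description of the request shape.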
Modified: modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml
===================================================================
--- modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-03-26
13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/http-profile/src/test/resources/http-policy.xml 2009-03-26
20:23:08 UTC (rev 13088)
@@ -8,6 +8,8 @@
<parameters>
<parameter name="id">1234</parameter>
</parameters>
+ <http-method>GET</http-method>
+ <http-method>POST</http-method>
</web-resource>
<web-resource>
<web-resource-name>Board/Investor Files</web-resource-name>
@@ -15,6 +17,7 @@
<parameters>
<parameter name="id">5678</parameter>
</parameters>
+ <http-method>GET</http-method>
</web-resource>
</web-resource-collection>
<auth-constraint>
@@ -47,4 +50,34 @@
<!-- constraints based on data and/or time -->
</auth-constraint>
</security-constraint>
+
+ <!--
+ To demonstrate granularity of applying policies based on type of http method being
invoked on a resource
+
+ This Policy means apply this Security Policy on the "Http Resource", for both
"GET", and "POST" requests
+ -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource>
+ <web-resource-name>Edit User</web-resource-name>
+ <url-pattern>/editUser</url-pattern>
+ <parameters>
+ <parameter name="userId">9101112</parameter>
+ </parameters>
+ <http-method>GET</http-method>
+ <http-method>POST</http-method>
+ </web-resource>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- constaints based on user roles -->
+ <roles allow="true">
+ <role-name>Admin</role-name>
+ <role-name>Executive</role-name>
+ </roles>
+ <roles allow="false">
+ <role-name>Manager</role-name>
+ <role-name>Developer</role-name>
+ </roles>
+ </auth-constraint>
+ </security-constraint>
</web-security>
\ No newline at end of file
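Review bot: The new `Edit User` constraint names its roles `Executive` and `Manager`, while TestHttpPolicyConfig drives it with `executive` and `manager`, so the tests only pass if role matching is case-insensitive or the names are normalised somewhere not shown here; whichever it is should be stated in the comment above the `<roles>` elements, or the fixture should use the exact names. The comment `constaints based on user roles` carries a typo (`constraints`) copied from the earlier constraint. `Admin` and `Developer` are listed but never exercised by a test, so their expected outcome is undocumented.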
Modified:
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml
===================================================================
---
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/WEB-INF/http-policy.xml 2009-03-26
20:23:08 UTC (rev 13088)
@@ -1,5 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
-<web-security>
+<web-security>
+ <enforcement-config>
+ <!--
+ default value, (false)
+ If resource match is set to "mandatory", it means that if there is an
http request to the web application,
+ that does not have any specified/matching "security policy" for it,
then this access should be "Denied".
+
+ The default value is set to "false" since this makes Policy
Provisioning less intensive for most web applications. This means that if
+ a "Policy" is not specified for a http request, it means that resource
does not need to be "protected", and access should be "Granted".
+
+ The protection can be increased depending on the application by changing this to
"true". In which case only Http Requests that have a matching "Security
Policy" will
+ be considered for "Access Control". All others will be
"Denied" access.
+ -->
+ <policy-match-mandatory>true</policy-match-mandatory>
+ </enforcement-config>
+
<security-constraint>
<web-resource-collection>
<web-resource>
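Review bot: The comment introducing `<policy-match-mandatory>` opens with the fragment `default value, (false)`, which reads as a leftover note rather than a sentence; `The default value is false.` as the first line would make the block self-explanatory. The next hunk enumerates seven HTTP methods on the first web-resource, and with mandatory matching turned on here a request using any method outside that list (or an unlisted URL) has no matching policy and is denied, which is exactly the fail-closed case the comment describes for `true`; a one-line comment on the `<http-method>` list pointing back to this setting would make the two read together. Since the comment also says `false` is the default, a deployment that copies this file without the `<enforcement-config>` block silently falls back to granting unmatched requests, which is worth saying in the same comment.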
@@ -8,6 +23,13 @@
<parameters>
<parameter name="id">1234</parameter>
</parameters>
+ <http-method>DELETE</http-method>
+ <http-method>PUT</http-method>
+ <http-method>HEAD</http-method>
+ <http-method>OPTIONS</http-method>
+ <http-method>TRACE</http-method>
+ <http-method>GET</http-method>
+ <http-method>POST</http-method>
</web-resource>
<web-resource>
<web-resource-name>Board/Investor Files</web-resource-name>
@@ -46,5 +68,5 @@
-->
<!-- constraints based on data and/or time -->
</auth-constraint>
- </security-constraint>
+ </security-constraint>
</web-security>
\ No newline at end of file
Added:
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/board/index.html
===================================================================
---
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/board/index.html
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/board/index.html 2009-03-26
20:23:08 UTC (rev 13088)
@@ -0,0 +1,8 @@
+<html>
+ <head>
+ <title>Http Profile Container TestSuite</title>
+ </head>
+ <body>
+ <h1>Board Members</h1>
+ </body>
+</html>
\ No newline at end of file
Added:
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/index.html
===================================================================
---
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/index.html
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/resources/httpprofile-testsuite.war/private/executives/index.html 2009-03-26
20:23:08 UTC (rev 13088)
@@ -0,0 +1,8 @@
+<html>
+ <head>
+ <title>Http Profile Container TestSuite</title>
+ </head>
+ <body>
+ <h1>Company Executives</h1>
+ </body>
+</html>
\ No newline at end of file
Modified: modules/authorization/trunk/policy-server/pom.xml
===================================================================
--- modules/authorization/trunk/policy-server/pom.xml 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/policy-server/pom.xml 2009-03-26 20:23:08 UTC (rev 13088)
@@ -51,19 +51,5 @@
<groupId>org.drools</groupId>
<artifactId>drools-compiler</artifactId>
</dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>2.3.1</version>
- <configuration>
- <includes>
- </includes>
- </configuration>
- </plugin>
- </plugins>
- </build>
+ </dependencies>
</project>
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -155,13 +155,23 @@
if(responseContext.getDecision() == XACMLConstants.DECISION_PERMIT)
{
response.setAccessGranted(true);
- response.setMessage("ACCESS_GRANTED");
+ response.setMessage("permit");
}
- else
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_DENY)
{
response.setAccessGranted(false);
- response.setMessage("ACCESS_DENIED");
+ response.setMessage("deny");
}
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_INDETERMINATE)
+ {
+ response.setAccessGranted(false);
+ response.setMessage("indeterminate");
+ }
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_NOT_APPLICABLE)
+ {
+ response.setAccessGranted(false);
+ response.setMessage("notapplicable");
+ }
return response;
}
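Review bot: The `else` that previously covered every non-permit decision is now an `else if` chain over four XACML constants, so any other value of `getDecision()` falls through with neither `setAccessGranted` nor `setMessage` called, and the outcome depends on whatever `Response` defaults to (not visible here). Close the chain with a fail-closed branch, `else { response.setAccessGranted(false); response.setMessage("unknown"); }`, so the decision point can never return an unset decision. The message strings also changed from `ACCESS_GRANTED`/`ACCESS_DENIED` to lower-case words; if any caller matches on them that is a behavioural change worth a line in the commit description. The enclosing method starts outside the hunk.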
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-03-26
13:58:58 UTC (rev 13087)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-03-26
20:23:08 UTC (rev 13088)
@@ -125,6 +125,15 @@
resourcesType.getResource().add(resourceType);
}
+ //Process Action Matches as Targets for the Policy
+ List<AttributeExpression> targetActionMatches =
this.metaData.getTarget().getActionMatches();
+ if(targetActionMatches != null && !targetActionMatches.isEmpty())
+ {
+ ActionsType actionsType = this.generateRuleActions(targetActionMatches);
+ targetType.setActions(actionsType);
+ }
+
+
//Process the Policy Rules
Set<Rule> rules = this.metaData.getRules();
if(rules != null && !rules.isEmpty())
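Review bot: When `getActionMatches()` returns null or an empty list the new block leaves `targetType` without an `Actions` element, which in XACML means the policy target applies to any action; that is presumably the intended reading of a web-resource with no `<http-method>` entries, but nothing here says so. A comment such as `// no action matches: leave <Actions> unset so the target applies to every action` on the `if` makes that default explicit. The double blank line left after the block, and the reuse of a helper named `generateRuleActions` for a policy-level target, are also worth tidying. The enclosing method starts and ends outside the hunk.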
Modified: modules/authorization/trunk/pom.xml
===================================================================
--- modules/authorization/trunk/pom.xml 2009-03-26 13:58:58 UTC (rev 13087)
+++ modules/authorization/trunk/pom.xml 2009-03-26 20:23:08 UTC (rev 13088)
@@ -44,7 +44,8 @@
<version.org.jboss.microcontainer>2.0.2.GA</version.org.jboss.microcontainer>
<version.org.jboss.jboss-reflect>2.0.2.GA</version.org.jboss.jboss-reflect>
<version.org.jboss.jboss-common-core>2.2.9.GA</version.org.jboss.jboss-common-core>
- <version.org.jboss.jboss-mdr>2.0.1.GA</version.org.jboss.jboss-mdr>
+ <version.org.jboss.jboss-mdr>2.0.1.GA</version.org.jboss.jboss-mdr>
+ <version.commons-httpclient>3.1</version.commons-httpclient>
</properties>
<dependencyManagement>
@@ -262,7 +263,14 @@
<version>${version.javax.servlet.servlet-api}</version>
<scope>provided</scope>
</dependency>
- </dependencies>
+
+ <!-- Commons Http Client -->
+ <dependency>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ <version>${version.commons-httpclient}</version>
+ </dependency>
+ </dependencies>
</dependencyManagement>
<!-- project wide dependencies -->
@@ -285,6 +293,13 @@
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
+
+ <!-- http client -->
+ <dependency>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
@@ -301,8 +316,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
- <configuration>
- <skip>false</skip>
+ <configuration>
</configuration>
</plugin>
</plugins>
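Review bot: Removing `<skip>false</skip>` leaves an empty `<configuration>` element under the surefire plugin; drop the element rather than keep an empty pair. The earlier hunks in this file add commons-httpclient with `test` scope and a centrally managed version, which is the right shape, but a short comment saying it exists only for the container test suite would stop it being promoted to compile scope by accident.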