Author: sohil.shah(a)jboss.com
Date: 2009-01-27 15:29:07 -0500 (Tue, 27 Jan 2009)
New Revision: 12676
Added:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/HttpResource.java
Removed:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/
Modified:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
Log:
HttpResource Security Component
Copied:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/HttpResource.java
(from rev 12672,
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java)
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/HttpResource.java
(rev 0)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/HttpResource.java 2009-01-27
20:29:07 UTC (rev 12676)
@@ -0,0 +1,294 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.component;
+
+import java.util.Map;
+import java.util.HashMap;
+import java.util.Set;
+import java.util.HashSet;
+
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.ExpressionBuilder;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.tools.GeneralTool;
+
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * The HttpResource Policy Component represents a System Resource available via the HTTP
Protocol
+ *
+ * This Component provides an easy to use Developer API for generating commonly used
Expressions/Logic related to Http information that must be
+ * represented within an Authorization Policy
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class HttpResource
+{
+ /**
+ * The URL that identifies this resource
+ */
+ private String url;
+
+ /**
+ * The HTTP Parameters that are used to access this resource
+ */
+ private Map<String, String> parameters;
+
+ /**
+ * Roles that are allowed access to this resource
+ */
+ private Set<String> allowedRoles;
+
+ /**
+ * Roles that are denied access to this resource
+ */
+ private Set<String> deniedRoles;
+
+ /**
+ * A Range/regular expression to specify client IP addresses that have access to this
resource
+ */
+ private Set<String> allowedIps;
+
+ /**
+ *
+ */
+ public HttpResource()
+ {
+ this.parameters = new HashMap<String, String>();
+ this.allowedRoles = new HashSet<String>();
+ this.deniedRoles = new HashSet<String>();
+ this.allowedIps = new HashSet<String>();
+ }
+
+ public HttpResource(String url)
+ {
+ this();
+
+ if(url == null)
+ {
+ throw new IllegalArgumentException("URL Cannot Be Empty");
+ }
+
+ this.url = url;
+ }
+
+ public Map<String, String> getParameters()
+ {
+ return parameters;
+ }
+
+
+ public void setParameters(Map<String, String> parameters)
+ {
+ this.parameters = parameters;
+ }
+
+
+ public String getUrl()
+ {
+ return url;
+ }
+
+
+ public void setUrl(String url)
+ {
+ this.url = url;
+ }
+
+ public Set<String> getAllowedRoles()
+ {
+ return allowedRoles;
+ }
+
+ public void setAllowedRoles(Set<String> allowedRoles)
+ {
+ this.allowedRoles = allowedRoles;
+ }
+
+ public Set<String> getDeniedRoles()
+ {
+ return deniedRoles;
+ }
+
+ public void setDeniedRoles(Set<String> deniedRoles)
+ {
+ this.deniedRoles = deniedRoles;
+ }
+
+ public void addParameter(String name, String value)
+ {
+ this.parameters.put(name, value);
+ }
+
+ public boolean hasParameters()
+ {
+ return (this.parameters != null && !this.parameters.isEmpty());
+ }
+
+ public void addAllowedRole(String allowedRole)
+ {
+ if(allowedRole == null || allowedRole.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Role Value Must Not Be Empty");
+ }
+
+ this.allowedRoles.add(allowedRole);
+ }
+
+ public void addDeniedRole(String deniedRole)
+ {
+ if(deniedRole == null || deniedRole.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Role Value Must Not Be Empty");
+ }
+ this.deniedRoles.add(deniedRole);
+ }
+
+ public void addAllowedIp(String allowedIp)
+ {
+ if(allowedIp == null || allowedIp.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Allowed IP Must Not Be Empty");
+ }
+ this.allowedIps.add(allowedIp);
+ }
+
//----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public Target getURLTarget(boolean matchAllParameters)
+ {
+ if(this.url == null || this.url.trim().length()==0)
+ {
+ throw new IllegalStateException("URL Cannot Be Empty");
+ }
+
+ Target target = new Target();
+
+ AttributeExpression urlExpression =
ExpressionBuilder.getInstance().createResourceIdExpression(this.url);
+ target.addResourceMatch(urlExpression);
+
+ if(matchAllParameters)
+ {
+ if(this.parameters != null && !this.parameters.isEmpty())
+ {
+ Set<String> names = this.parameters.keySet();
+ for(String name: names)
+ {
+ String value = this.parameters.get(name);
+
+ AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ target.addResourceMatch(paramExpression);
+ }
+ }
+ }
+
+ return target;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the allowed roles are permitted access to the
'Resource' designated in the Policy
+ *
+ * @return the rule
+ */
+ public Rule getPermittedRolesRule()
+ {
+ if(this.allowedRoles == null || this.allowedRoles.isEmpty())
+ {
+ return null;
+ }
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(GeneralTool.generateUniqueId());
+ permitRule.setEffect(Effect.PERMIT);
+ permitRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+ for(String role: this.allowedRoles)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+ }
+
+ return permitRule;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the denied roles are denied access to the
'Resource' designated in the Policy
+ *
+ * @return the role
+ */
+ public Rule getDeniedRolesRule()
+ {
+ if(this.deniedRoles == null || this.deniedRoles.isEmpty())
+ {
+ return null;
+ }
+
+ Rule denyRule = new Rule();
+ Target ruleTarget = new Target();
+
+ denyRule.setRuleId(GeneralTool.generateUniqueId());
+ denyRule.setEffect(Effect.DENY);
+ denyRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+ for(String role: this.deniedRoles)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+ }
+
+ return denyRule;
+ }
+
+ public Rule getAllowedIpsRule()
+ {
+ if(this.allowedIps == null || this.allowedIps.isEmpty())
+ {
+ return null;
+ }
+
+ Rule rule = new Rule();
+ Target ruleTarget = new Target();
+
+ rule.setRuleId(GeneralTool.generateUniqueId());
+ rule.setEffect(Effect.PERMIT);
+ rule.setTarget(ruleTarget);
+
+ for(String allowedIp: this.allowedIps)
+ {
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
+ XMLSchemaConstants.DATATYPE_IPADDRESS, allowedIp);
+ expression.setAttribute(attribute);
+
+ rule.setExpression(expression);
+ }
+
+ return rule;
+ }
+}
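Review bot: In `getAllowedIpsRule()` the loop calls `rule.setExpression(expression)` once per entry of `allowedIps`, so if `setExpression` replaces the rule's expression (`Rule` is not shown here, but the name suggests a plain setter), only the pattern visited last survives. Because `allowedIps` is a `HashSet`, which pattern that is depends on iteration order. A resource configured with several allowed addresses would then get a PERMIT rule covering one arbitrary address, which is hard to spot when reviewing the generated policy. Build one expression for the whole set and set it once, as sketched below; the alternation assumes the regexp-match function accepts `|` and grouping, which should be confirmed against the XACML engine in use. Since the values are used as regular expressions, the Javadoc of `addAllowedIp` should also say that an unescaped `.` in a literal address matches any character.

```java
    Rule rule = new Rule();
    // … unchanged: rule id, PERMIT effect, target setup …

    // Fold every allowed pattern into a single alternation so none is dropped
    StringBuilder pattern = new StringBuilder();
    for(String allowedIp: this.allowedIps)
    {
        if(pattern.length() > 0)
        {
            pattern.append('|');
        }
        pattern.append('(').append(allowedIp).append(')');
    }

    AttributeExpression expression = new AttributeExpression();
    expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
    expression.setAttribute(new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
            XMLSchemaConstants.DATATYPE_IPADDRESS, pattern.toString()));
    rule.setExpression(expression);

    return rule;
```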
Property changes on:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/component/HttpResource.java
___________________________________________________________________
Name: svn:mergeinfo
+
Modified:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-27
20:29:06 UTC (rev 12675)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2009-01-27
20:29:07 UTC (rev 12676)
@@ -39,10 +39,10 @@
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
+import org.jboss.security.authz.http.component.HttpResource;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.model.Target;
-import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.pap.policy.HierarchialPolicy;
import org.jboss.security.authz.pap.spi.PolicyConfig;
Modified:
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java 2009-01-27
20:29:06 UTC (rev 12675)
+++
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpResource.java 2009-01-27
20:29:07 UTC (rev 12676)
@@ -28,7 +28,7 @@
import org.apache.log4j.Logger;
-import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.http.component.HttpResource;
import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;