Author: sohil.shah(a)jboss.com
Date: 2008-12-05 18:20:26 -0500 (Fri, 05 Dec 2008)
New Revision: 12356
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/hierarchial/TestHierarchialPolicy.java
Log:
code backup
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java 2008-12-05
22:02:03 UTC (rev 12355)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java 2008-12-05
23:20:26 UTC (rev 12356)
@@ -281,9 +281,9 @@
return condition;
}
- //---------More Developer Friendly
API-------------------------------------------------------------------------------------------------------------------------
+ //---------A Developer Friendly API for generating Hierarchial
Policies-------------------------------------------------------------------------------------------------------------------------
/**
- * Specifies that this Hierarchial Policy should be applied the specified unique
Resource Uri
+ * Specifies that this Hierarchial Policy should be applied the specified Resource
identified by the Unique Resource Uri
*
* @param resourceUri Unique identifier for the Resource being protected by this
Hierarchial Policy
*/
@@ -300,14 +300,23 @@
}
/**
- * Specifies a Policy Rule that must be applied to the specified "action"
such that the specified "role" should be allowed
- * to execute this "action" on the Resource protected by this Policy
instance
+ * Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should be allowed
+ * to execute this "Action" on the Resource protected by this Policy
instance
*
* @param action Action for which this Rule applies
* @param role the Role that is permitted to execute this Action
*/
public void setPermitCriteria(String action, String role)
{
+ if(action == null || action.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Action cannot be Empty");
+ }
+ if(role == null || role.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Role cannot be Empty");
+ }
+
Rule permitRule = new Rule();
Target ruleTarget = new Target();
@@ -326,14 +335,55 @@
}
/**
- * Specifies a Policy Rule that must be applied to the specified "action"
such that the Authenticated User will be permitted to
- * execute it if he/she belongs to any of the specified "roles"
+ * Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should *NOT* be allowed
+ * to execute this "Action" on the Resource protected by this Policy
instance
*
* @param action Action for which this Rule applies
+ * @param role the Role that is *NOT* permitted to execute this Action
+ */
+ public void setDenyCriteria(String action, String role)
+ {
+ if(action == null || action.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Action cannot be Empty");
+ }
+ if(role == null || role.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Role cannot be Empty");
+ }
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(action);
+ permitRule.setEffect(Effect.DENY);
+ permitRule.setTarget(ruleTarget);
+
+ //Create an Action Match Function
+
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
+
+ //Create a Subject Match Function
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+
+ //Add the Rule to the Policy
+ this.rules.add(permitRule);
+ }
+
+ /**
+ * Specifies a Policy Rule that must be applied to the specified "Action"
such that the Authenticated User will be permitted to
+ * execute it if he/she belongs to any of the specified "Roles"
+ *
+ * @param action Action for which this Rule applies
* @param roles a list of permitted roles for this Action
- */
+ */
public void setPermitCriteria(String action, String[] roles)
{
+ if(action == null || action.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Action cannot be Empty");
+ }
+
+
Rule permitRule = new Rule();
Target ruleTarget = new Target();
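Review bot: Every rule built in this hunk is given `permitRule.setRuleId(action)` regardless of its effect, so a policy that combines a permit and a deny for the same action (for example `setPermitCriteria("Write", "developer")` followed by `setDenyCriteria("Write", "designer")`) emits two rules sharing one RuleId; XACML expects rule ids to be unique within a policy, so the generated document is ambiguous, may be rejected by a PDP, and the outcome for the overlapping subjects then rests entirely on the policy's rule-combining algorithm. A constructed example of a safer id is `permitRule.setRuleId(action + "-deny");` in `setDenyCriteria`, with the permit variant suffixed likewise, or the Javadoc should state that a given action may carry only one effect per policy. Separately, the new `setDenyCriteria(String, String)` body is a near-verbatim copy of `setPermitCriteria(String, String)` with the local still named `permitRule` while it is given `Effect.DENY`; a private helper taking the `Effect` as a parameter would remove the duplication. The same duplication and RuleId issue applies to the `String[]` overloads in the next hunk.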
@@ -345,12 +395,83 @@
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
//Create a Subject Match Function
- for(int i=0; i<roles.length; i++)
+ if(roles != null)
{
-
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(roles[i]));
+ for(int i=0; i<roles.length; i++)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(roles[i]));
+ }
}
//Add the Rule to the Policy
this.rules.add(permitRule);
}
+
+ /**
+ * Specifies a Policy Rule that must be applied to the specified "Action"
such that the Authenticated User will *NOT* be permitted to
+ * execute it if he/she belongs to any of the specified "Roles"
+ *
+ * @param action Action for which this Rule applies
+ * @param roles a list of roles that must *NOT* be allowed to execute for this Action
+ */
+ public void setDenyCriteria(String action, String[] roles)
+ {
+ if(action == null || action.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Action cannot be Empty");
+ }
+
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(action);
+ permitRule.setEffect(Effect.DENY);
+ permitRule.setTarget(ruleTarget);
+
+ //Create an Action Match Function
+
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
+
+ //Create a Subject Match Function
+ if(roles != null)
+ {
+ for(int i=0; i<roles.length; i++)
+ {
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(roles[i]));
+ }
+ }
+
+ //Add the Rule to the Policy
+ this.rules.add(permitRule);
+ }
+
+ public void setPermitCriteria(String action, DroolsRuleExpression ruleExpression)
+ {
+ if(action == null || action.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Action cannot be Empty");
+ }
+ if(ruleExpression == null)
+ {
+ throw new IllegalArgumentException("RuleExpression cannot be Empty");
+ }
+
+ //TODO: compile the Rule that is being added, and add it to the Drools Rule
Repository
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(action);
+ permitRule.setEffect(Effect.PERMIT);
+ permitRule.setTarget(ruleTarget);
+
+ //Create an Action Match Function
+
ruleTarget.addActionMatch(ExpressionBuilder.getInstance().createActionExpression(action));
+
+ //Create a pointer to the new Rule
+ permitRule.setExpression(ruleExpression);
+
+ //Add the Rule to the Policy
+ this.rules.add(permitRule);
+ }
}
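Review bot: The added `if(roles != null)` guard in `setPermitCriteria(String, String[])` and `setDenyCriteria(String, String[])` turns a null (or zero-length) roles array into a rule that has an action match but no subject match; if a target with no subject matches is serialized as matching any subject, as XACML target semantics would suggest, a caller that passes no roles silently gets a Permit for every subject on that action instead of the NullPointerException the old code produced. Since the method already rejects an empty action, an empty role list deserves the same treatment: `if(roles == null || roles.length == 0) throw new IllegalArgumentException("Roles cannot be Empty");` in place of the null guard, in both overloads. `setPermitCriteria(String, DroolsRuleExpression)` is the one new public method without Javadoc and carries a TODO about compiling the expression; a doc comment stating that the expression is attached as-is (not compiled or validated here) and that this overload produces a rule with no subject restriction would tell callers what they are getting. The enclosing `setPermitCriteria(String, String[])` begins before this hunk.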
Modified:
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/hierarchial/TestHierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/hierarchial/TestHierarchialPolicy.java 2008-12-05
22:02:03 UTC (rev 12355)
+++
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/hierarchial/TestHierarchialPolicy.java 2008-12-05
23:20:26 UTC (rev 12356)
@@ -22,14 +22,11 @@
******************************************************************************/
package org.jboss.security.authz.pap.hierarchial;
-import java.util.Set;
-import java.util.HashSet;
-
import junit.framework.TestCase;
import org.apache.log4j.Logger;
-import org.jboss.security.authz.model.*;
+import org.jboss.security.authz.model.DroolsRuleExpression;
/**
@@ -48,9 +45,7 @@
{
}
- /**
- *
- */
+
public void testSimplePolicy() throws Exception
{
//Populate the HierarchialPolicy
@@ -78,4 +73,49 @@
log.info(xacmlPolicy);
log.info("--------------------------------------------------------------------");
}
+
+ public void testSimpleDeny() throws Exception
+ {
+ //Populate the HierarchialPolicy
+ HierarchialPolicy policy = new
HierarchialPolicy("simpleHierarchialPolicy");
+
policy.setResourceCriteria("http://www.redhat.com/protected/index.ht...;
+ policy.setDenyCriteria("Write", "developer");
+
+ String xacmlPolicy = policy.generateXACMLPolicy();
+
+
log.info("--------------------------------------------------------------------");
+ log.info(xacmlPolicy);
+
log.info("--------------------------------------------------------------------");
+ }
+
+ public void testMultiRoleDenyPolicy() throws Exception
+ {
+ //Populate the HierarchialPolicy
+ HierarchialPolicy policy = new
HierarchialPolicy("simpleHierarchialPolicy");
+
policy.setResourceCriteria("http://www.redhat.com/protected/index.ht...;
+ policy.setDenyCriteria("Write", new String[]{"developer",
"designer", "sysadmin"});
+
+ String xacmlPolicy = policy.generateXACMLPolicy();
+
+
log.info("--------------------------------------------------------------------");
+ log.info(xacmlPolicy);
+
log.info("--------------------------------------------------------------------");
+ }
+
+ public void testSimplePolicyWithDroolsExpression() throws Exception
+ {
+ //Populate the HierarchialPolicy
+ HierarchialPolicy policy = new
HierarchialPolicy("simpleHierarchialPolicy");
+
policy.setResourceCriteria("http://www.redhat.com/protected/index.ht...;
+
+ DroolsRuleExpression expression = new DroolsRuleExpression();
+ expression.setFunctionId("WriteRule");
+ policy.setPermitCriteria("Write", expression);
+
+ String xacmlPolicy = policy.generateXACMLPolicy();
+
+
log.info("--------------------------------------------------------------------");
+ log.info(xacmlPolicy);
+
log.info("--------------------------------------------------------------------");
+ }
}
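Review bot: The three new tests (`testSimpleDeny`, `testMultiRoleDenyPolicy`, `testSimplePolicyWithDroolsExpression`) only log the generated policy and assert nothing, so they pass for any output, including an empty document or one with the wrong effect. Each should at least check the result, e.g. `assertNotNull(xacmlPolicy); assertTrue(xacmlPolicy.contains("Deny"));` for the deny cases (the exact attribute text depends on how `generateXACMLPolicy` serializes the Effect, so adjust to its output). The argument validation added to the main file in this commit has no test either; a case that passes an empty action or role and expects `IllegalArgumentException` would pin that behavior. The `setResourceCriteria` argument appears truncated in this listing, so the URI itself cannot be checked here.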