Author: sohil.shah(a)jboss.com
Date: 2008-11-14 16:07:02 -0500 (Fri, 14 Nov 2008)
New Revision: 12297
Added:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemPortalObjectPolicyManager.java
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestPortalObjectPolicyManager.java
Modified:
modules/authorization/trunk/PAP/pom.xml
Log:
backing up some code
Modified: modules/authorization/trunk/PAP/pom.xml
===================================================================
--- modules/authorization/trunk/PAP/pom.xml 2008-11-14 15:29:48 UTC (rev 12296)
+++ modules/authorization/trunk/PAP/pom.xml 2008-11-14 21:07:02 UTC (rev 12297)
@@ -59,7 +59,7 @@
<version>2.3.1</version>
<configuration>
<includes>
- <include>**/TestWebTierPolicyManager.java</include>
+ <include>**/TestPortalObjectPolicyManager.java</include>
</includes>
</configuration>
</plugin>
Added:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemPortalObjectPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemPortalObjectPolicyManager.java
(rev 0)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemPortalObjectPolicyManager.java 2008-11-14
21:07:02 UTC (rev 12297)
@@ -0,0 +1,239 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.pap.service;
+
+import java.io.InputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.Set;
+import java.util.HashSet;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyException;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.pap.hierarchial.HierarchialPolicy;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * The PolicyManager provides implementation for the Configuration related services of
the PolicyManager. It extends the FileSystemPolicyManager in order to store the managed
Policies
+ * on the local file system. This PolicyManager process configuration provided for
securing Resources within Portal Object Container.
+ * It uses the HierarchialPolicy implementation to represent the Portal Object Policies
+ *
+ * The Policies allow for features such as "Implied Access" and "Recursive
Access"
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class FileSystemPortalObjectPolicyManager extends FileSystemPolicyManager
+{
+ /**
+ *
+ *
+ */
+ public FileSystemPortalObjectPolicyManager()
+ {
+ }
+ //------Configuration service of the PolicyManager
implementation----------------------------------------------------------------------------------------------------------------
+ /**
+ * Generates a Policy that can be represented in system level XACML format. The
xmlConfiguration is a user friendly XML configuration that is within the context
+ * of the Portal Object Container. For instance, to apply Access Control at the Portal
Object Container, the XML configuration consists of Portal Resources such as
+ * Page, Portal, and Window and Actions in the context of the Portal Object Container
such as Render Portal Object, Render a particular Window State, Render a particular
+ * Portlet Mode etc
+ *
+ * @param xmlConfiguration User Friendly XML configuration within the context of the
Portal Object Container
+ * @return a Policy that can be represented in system level XACML format
+ */
+ public Policy generatePolicy(String xmlConfiguration) throws PolicyException
+ {
+ InputStream xmlStream = null;
+ try
+ {
+ Policy policy = null;
+
+ xmlStream = new ByteArrayInputStream(xmlConfiguration.getBytes());
+ DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ Document document = builder.parse(xmlStream);
+
+ Element portalAclElem =
(Element)document.getElementsByTagName("portal-acl").item(0);
+ Element pageElem =
(Element)portalAclElem.getElementsByTagName("page").item(0);
+
+ Target target = this.parseTarget(pageElem);
+
+ Set<Rule> rules = this.parseRules(pageElem);
+
+ policy = new HierarchialPolicy(String.valueOf(this.getUniqueId()), target,
rules);
+
+ return policy;
+ }
+ catch(Exception e)
+ {
+ throw new PolicyException(e);
+ }
+ finally
+ {
+ if(xmlStream != null)
+ {
+ try{xmlStream.close();}catch(IOException ioe){}
+ }
+ }
+ }
+
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
+ private Target parseTarget(Element portalObjectElem) throws Exception
+ {
+ Target target = new Target();
+
+ //Add uniqueUri as a Resource To Match
+ Element uniqueUriElem =
(Element)portalObjectElem.getElementsByTagName("unique-uri").item(0);
+ String uniqueUri = uniqueUriElem.getTextContent();
+ AttributeExpression pageUriMatch = new AttributeExpression();
+ pageUriMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute attribute = new Attribute("unique-uri",
+ XMLSchemaConstants.DATATYPE_STRING, uniqueUri);
+ pageUriMatch.setAttribute(attribute);
+ target.addResourceMatch(pageUriMatch);
+
+ return target;
+ }
+
+ private Set<Rule> parseRules(Element portalObjectElem) throws Exception
+ {
+ Set<Rule> rules = new HashSet<Rule>();
+
+ NodeList actionNodes = portalObjectElem.getElementsByTagName("action");
+ for(int actionIndex=0; actionIndex<actionNodes.getLength(); actionIndex++)
+ {
+ Element actionElem = (Element)actionNodes.item(actionIndex);
+ String actionName =
((Element)actionElem.getElementsByTagName("name").item(0)).getTextContent();
+
+ NodeList conditionNodes =
actionElem.getElementsByTagName("condition");
+ for(int i=0; i<conditionNodes.getLength(); i++)
+ {
+ Element conditionElement = (Element)conditionNodes.item(i);
+
+ //Process Roles related conditions
+ NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
+ if(roleNodes.getLength() >0)
+ {
+ rules.addAll(this.parseRoleRules(actionName, roleNodes));
+ }
+
+ //Process IP Ranges
+ NodeList ipNodes =
conditionElement.getElementsByTagName("ip-range");
+ if(ipNodes.getLength() >0)
+ {
+ rules.addAll(this.parseIpRules(actionName, ipNodes));
+ }
+ }
+ }
+ return rules;
+ }
+
+ private Set<Rule> parseRoleRules(String actionName, NodeList roleNodes)
+ {
+ Set<Rule> roleRules = new HashSet<Rule>();
+
+ for(int j=0; j<roleNodes.getLength(); j++)
+ {
+ Element roleNameElem = (Element)roleNodes.item(j);
+ String roleName = roleNameElem.getTextContent();
+
+ Rule roleRule = new Rule();
+ roleRule.setRuleId(String.valueOf(this.getUniqueId()));
+ roleRule.setEffect(Effect.PERMIT);
+
+ AttributeExpression roleExpression = new AttributeExpression();
+ roleExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute roleAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
+ XMLSchemaConstants.DATATYPE_STRING, roleName);
+ roleExpression.setAttribute(roleAttribute);
+
+ Target ruleTarget = new Target();
+ AttributeExpression actionMatch = new AttributeExpression();
+ actionMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute actionAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
+ XMLSchemaConstants.DATATYPE_STRING, actionName);
+ actionMatch.setAttribute(actionAttribute);
+ ruleTarget.addActionMatch(actionMatch);
+
+ roleRule.setTarget(ruleTarget);
+ roleRule.setExpression(roleExpression);
+
+ roleRules.add(roleRule);
+ }
+
+ return roleRules;
+ }
+
+ private Set<Rule> parseIpRules(String actionName, NodeList ipNodes)
+ {
+ Set<Rule> ipRules = new HashSet<Rule>();
+
+ for(int j=0; j<ipNodes.getLength(); j++)
+ {
+ Element ipElem = (Element)ipNodes.item(j);
+ String ipRange = ipElem.getTextContent();
+
+ Rule rule = new Rule();
+ rule.setRuleId(String.valueOf(this.getUniqueId()));
+ rule.setEffect(Effect.PERMIT);
+
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
+ XMLSchemaConstants.DATATYPE_IPADDRESS, ipRange);
+ expression.setAttribute(attribute);
+
+ Target ruleTarget = new Target();
+ AttributeExpression actionMatch = new AttributeExpression();
+ actionMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute actionAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
+ XMLSchemaConstants.DATATYPE_STRING, actionName);
+ actionMatch.setAttribute(actionAttribute);
+ ruleTarget.addActionMatch(actionMatch);
+
+ rule.setTarget(ruleTarget);
+ rule.setExpression(expression);
+
+ ipRules.add(rule);
+ }
+
+ return ipRules;
+ }
+
+ private synchronized long getUniqueId()
+ {
+ return System.currentTimeMillis();
+ }
+}
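Review bot: `getUniqueId()` at the end of the class returns `System.currentTimeMillis()`, yet `parseRoleRules` and `parseIpRules` call it once per rule inside a tight loop, so rules created within the same millisecond (and the policy itself, at the `HierarchialPolicy` constructor call) receive identical IDs; `synchronized` serialises the calls but does not make the values distinct. Because the rules are collected into a `HashSet`, duplicate IDs could silently drop rules if `Rule` equality is keyed on the rule id — that depends on `Rule`, which is not shown here. A monotonic counter is enough: `private static final AtomicLong ID_SEQUENCE = new AtomicLong(System.currentTimeMillis());` and `return ID_SEQUENCE.incrementAndGet();` (with `java.util.concurrent.atomic.AtomicLong` imported). Separately, `generatePolicy` builds its parser from a default `DocumentBuilderFactory`, which accepts DOCTYPE declarations and external entities, and encodes the input with the platform charset via `xmlConfiguration.getBytes()` even though the configuration documents declare UTF-8; the hardened parser setup below (the doctype feature is the one honoured by the JDK's built-in Xerces parser, and `javax.xml.XMLConstants` must be imported) addresses both.
```java
xmlStream = new ByteArrayInputStream(xmlConfiguration.getBytes("UTF-8"));
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Configuration XML needs no DTD: refuse DOCTYPEs and entity expansion (XXE hardening)
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setExpandEntityReferences(false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(xmlStream);
// … unchanged: portal-acl / page lookup, parseTarget, parseRules, HierarchialPolicy construction …
```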
Added:
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestPortalObjectPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestPortalObjectPolicyManager.java
(rev 0)
+++
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestPortalObjectPolicyManager.java 2008-11-14
21:07:02 UTC (rev 12297)
@@ -0,0 +1,97 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.pap.service;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Policy;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class TestPortalObjectPolicyManager extends TestCase
+{
+ /**
+ *
+ */
+ private static Logger log = Logger.getLogger(TestPortalObjectPolicyManager.class);
+
+ /**
+ * A simple developer-friendly Portal Page policy that specifies:
+ *
+ * This Policy suggests that the 'View Action on the specified Portal Page is
accessibly if the following conditions are met:
+ *
+ * a) The Logged in User Belongs to the specified 'Root-Admin' and
'Marketing Team' roles AND
+ * b) The User Logged in From the Internal Network only via a "Internal IP
Address"
+ *
+ * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
+ * PAP (Policy Administration Point) Component of the Authorization System
+ */
+ private static String simplePortalPagePolicy = "<?xml
version=\"1.0\" encoding=\"UTF-8\"?>"+
+ "<portal-acl>"+
+ "<page>"+
+
"<unique-uri>/{portal-name}/{portal-page}/{portal-sub-page}</unique-uri>"+
+ "<action>"+
+
"<name>View</name>"+
+ "<description>Ability
to Render this Page</description>"+
+ "<conditions>"+
+
"<condition>"+
+
"<role-name>Root-Admin</role-name>"+
+
"<role-name>Marketing Team</role-name>"+
+
"</condition>"+
+
"<condition>"+
+
"<ip-range>192.168.xxx.xxx</ip-range>"+
+
"</condition>"+
+ "</conditions>"+
+ "</action>"+
+ "</page>"+
+ "</portal-acl>";
+
+ /**
+ *
+ */
+ protected void setUp() throws Exception
+ {
+ }
+
+
+ protected void tearDown() throws Exception
+ {
+ }
+
+
+ public void testSimplePortalPagePolicy() throws Exception
+ {
+ PolicyManager policyManager = new FileSystemPortalObjectPolicyManager();
+ Policy policy = policyManager.generatePolicy(simplePortalPagePolicy);
+
+ assertNotNull(policy);
+
+ log.info("------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ log.info("------------------------------------------------------");
+ }
+}
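Review bot: `testSimplePortalPagePolicy` only asserts that the returned policy is non-null and then logs the generated XACML, so it passes even if every rule or the unique-uri target were dropped. With the fixture above, `parseRules` in the manager should produce two role rules and one ip-range rule, and that can be pinned with what is already in scope, e.g. `String xacml = policy.generateXACMLPolicy(); assertTrue(xacml.contains("Root-Admin")); assertTrue(xacml.contains("192.168.xxx.xxx"));`. The fixture's `<ip-range>192.168.xxx.xxx</ip-range>` also reads like a placeholder rather than a value the `ipAddress` data type appears to accept; if a subnet pattern is intended it should be written as one, otherwise the Javadoc should state that the value is illustrative.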