Author: sohil.shah(a)jboss.com
Date: 2008-12-12 14:54:33 -0500 (Fri, 12 Dec 2008)
New Revision: 12378
Added:
modules/authorization/trunk/http-authz/src/main/java/org/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/FileSystemPolicyStore.java
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
modules/authorization/trunk/http-authz/src/test/java/org/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpPolicyConfig.java
modules/authorization/trunk/http-authz/src/test/resources/log4j.properties
Removed:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java
Modified:
modules/authorization/trunk/PAP/pom.xml
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java
modules/authorization/trunk/PEP/pom.xml
modules/authorization/trunk/PEP/src/test/java/org/jboss/security/authz/test/pep/TestPDP.java
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/model/ExpressionBuilder.java
modules/authorization/trunk/http-authz/
modules/authorization/trunk/http-authz/pom.xml
modules/authorization/trunk/pom.xml
Log:
code backup
Modified: modules/authorization/trunk/PAP/pom.xml
===================================================================
--- modules/authorization/trunk/PAP/pom.xml 2008-12-12 00:22:37 UTC (rev 12377)
+++ modules/authorization/trunk/PAP/pom.xml 2008-12-12 19:54:33 UTC (rev 12378)
@@ -75,7 +75,7 @@
<version>2.3.1</version>
<configuration>
<includes>
- <include>**/TestServer.java</include>
+ <include>**/TestHierarchialPolicy.java</include>
</includes>
</configuration>
</plugin>
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java 2008-12-12
00:22:37 UTC (rev 12377)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/policy/HierarchialPolicy.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -26,6 +26,7 @@
import java.util.Set;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.util.UUID;
import javax.xml.bind.JAXBElement;
@@ -36,6 +37,7 @@
import org.jboss.security.authz.model.Effect;
import org.jboss.security.authz.model.PolicyException;
import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Attribute;
import org.jboss.security.authz.model.DroolsRuleExpression;
import org.jboss.security.authz.model.Expression;
import org.jboss.security.authz.xacml.AttributeDesignatorUtil;
@@ -118,20 +120,21 @@
if(resourceMatches != null && !resourceMatches.isEmpty())
{
ResourcesType resourcesType = new ResourcesType();
- targetType.setResources(resourcesType);
-
- AttributeExpression resourceMatch = resourceMatches.get(0);
+ targetType.setResources(resourcesType);
ResourceType resourceType = new ResourceType();
- ResourceMatchType rmt = new ResourceMatchType();
- rmt.setMatchId(resourceMatch.getFunctionId());
+ for(AttributeExpression resourceMatch: resourceMatches)
+ {
+ ResourceMatchType rmt = new ResourceMatchType();
+
+ rmt.setMatchId(resourceMatch.getFunctionId());
+
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute()));
+ rmt.setAttributeValue(PolicyAttributeFactory
+ .createStringAttributeType(resourceMatch.getAttribute().getValue()));
+
+ resourceType.getResourceMatch().add(rmt);
+ }
-
rmt.setResourceAttributeDesignator(AttributeDesignatorUtil.getAttributeDesignator(resourceMatch.getAttribute()));
-
- rmt.setAttributeValue(PolicyAttributeFactory
- .createStringAttributeType(resourceMatch.getAttribute().getValue()));
-
- resourceType.getResourceMatch().add(rmt);
resourcesType.getResource().add(resourceType);
}
@@ -281,7 +284,12 @@
}
return condition;
- }
+ }
+
+ private String generateUniqueId()
+ {
+ return UUID.randomUUID().toString();
+ }
//---------A Developer Friendly API for generating Hierarchial
Policies-------------------------------------------------------------------------------------------------------------------------
/**
* Specifies that this Hierarchial Policy should be applied the specified Resource
identified by the Unique Resource Uri
@@ -301,6 +309,37 @@
}
/**
+ * Specifies that this Hierarchial Policy should be applied the specified Resource
identified by the Unique Resource Uri And the other
+ * Attribute Data associated with this Resource, such as Http Parameters in the case
of an Http Request Resource
+ *
+ * @param resourceUri Unique identifier for the Resource being protected by this
Hierarchial Policy
+ * @param otherResourceCriteria Other Attribute Data associated with this Resource
which should match as well for the Policy to apply
+ */
+ public void setResourceCriteria(String resourceUri, List<Attribute>
otherResourceCriteria)
+ {
+ if(resourceUri == null || resourceUri.trim().length() == 0)
+ {
+ throw new IllegalArgumentException("Resource Criteria cannot be
Empty");
+ }
+
+ if(otherResourceCriteria == null)
+ {
+ throw new IllegalArgumentException("Other Criteria cannot be Null");
+ }
+
+ Target target = new Target();
+
target.addResourceMatch(ExpressionBuilder.getInstance().createResourceIdExpression(resourceUri));
+
+ for(Attribute attribute: otherResourceCriteria)
+ {
+ target.addResourceMatch(ExpressionBuilder.getInstance().
+ createCustomResourceExpression(attribute.getUri(), attribute.getValue()));
+ }
+
+ this.target = target;
+ }
+
+ /**
* Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should be allowed
* to execute this "Action" on the Resource protected by this Policy
instance
*
@@ -336,6 +375,32 @@
}
/**
+ * Specifies a Policy Rule that says the specified "Role" should be allowed
to access the "Resource" protected by this Policy
+ *
+ * @param role the Role that is permitted to access the Resource
+ */
+ public void setPermitCriteria(String role)
+ {
+ if(role == null || role.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Role cannot be Empty");
+ }
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(this.generateUniqueId());
+ permitRule.setEffect(Effect.PERMIT);
+ permitRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+
+ //Add the Rule to the Policy
+ this.rules.add(permitRule);
+ }
+
+ /**
* Specifies a Policy Rule that must be applied to the specified "Action"
such that the specified "Role" should *NOT* be allowed
* to execute this "Action" on the Resource protected by this Policy
instance
*
@@ -371,6 +436,32 @@
}
/**
+ * Specifies a Policy Rule that says the specified "Role" should be *Not* be
allowed to access the "Resource" protected by this Policy
+ *
+ * @param role the Role that is *NOT* allowed to access the Resource
+ */
+ public void setDenyCriteria(String role)
+ {
+ if(role == null || role.trim().length()==0)
+ {
+ throw new IllegalArgumentException("Role cannot be Empty");
+ }
+
+ Rule permitRule = new Rule();
+ Target ruleTarget = new Target();
+
+ permitRule.setRuleId(this.generateUniqueId());
+ permitRule.setEffect(Effect.DENY);
+ permitRule.setTarget(ruleTarget);
+
+ //Create a Subject Match Function
+
ruleTarget.addSubjectMatch(ExpressionBuilder.getInstance().createBelongsToRoleExpression(role));
+
+ //Add the Rule to the Policy
+ this.rules.add(permitRule);
+ }
+
+ /**
* Specifies a Policy Rule that must be applied to the specified "Action"
such that the Authenticated User will be permitted to
* execute it if he/she belongs to any of the specified "Roles"
*
Deleted:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java 2008-12-12
00:22:37 UTC (rev 12377)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -1,229 +0,0 @@
-/******************************************************************************
- * JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
- * contributors as indicated by the @authors tag. See the *
- * copyright.txt in the distribution for a full listing of *
- * individual contributors. *
- * *
- * This is free software; you can redistribute it and/or modify it *
- * under the terms of the GNU Lesser General Public License as *
- * published by the Free Software Foundation; either version 2.1 of *
- * the License, or (at your option) any later version. *
- * *
- * This software is distributed in the hope that it will be useful, *
- * but WITHOUT ANY WARRANTY; without even the implied warranty of *
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
- * Lesser General Public License for more details. *
- * *
- * You should have received a copy of the GNU Lesser General Public *
- * License along with this software; if not, write to the Free *
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
- ******************************************************************************/
-package org.jboss.security.authz.pap.service;
-
-import java.io.InputStream;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.util.Set;
-import java.util.HashSet;
-
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.DocumentBuilder;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-
-import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.authz.model.Effect;
-import org.jboss.security.authz.model.PolicyException;
-import org.jboss.security.authz.model.Policy;
-import org.jboss.security.authz.model.Target;
-import org.jboss.security.authz.model.Rule;
-import org.jboss.security.authz.pap.policy.HierarchialPolicy;
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
-
-/**
- * The PolicyManager provides implementation for the Configuration related services of
the PolicyManager. It extends the FileSystemPolicyManager in order to store the managed
Policies
- * on the local file system. This PolicyManager process configuration provided for
securing Resources within the Web Tier of an application.
- * It uses the HierarchialPolicy implementation to represent the Web Tier Policies
- *
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
-public class FileSystemWebTierPolicyManager extends FileSystemPolicyManager
-{
- /**
- *
- *
- */
- public FileSystemWebTierPolicyManager()
- {
- }
- //------Configuration service of the PolicyManager
implementation----------------------------------------------------------------------------------------------------------------
- /**
- * Generates a Policy that can be represented in system level XACML format. The
xmlConfiguration is a user friendly XML configuration that is within the context
- * of the Web Tier of an Application. For instance, to apply Access Control at the Web
Tier, the XML configuration consists of Resources and
- * Actions in the context of the Web Tier such as HTTP Uris, HttpServletRequest
parameters, HTTP actions like GET, POST, PUT, etc
- *
- * @param xmlConfiguration User Friendly XML configuration within the context of the
Web Tier of an Application
- * @return a Policy that can be represented in system level XACML format
- */
- public Policy generatePolicy(String xmlConfiguration) throws PolicyException
- {
- InputStream xmlStream = null;
- try
- {
- Policy policy = null;
-
- xmlStream = new ByteArrayInputStream(xmlConfiguration.getBytes());
- DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
- Document document = builder.parse(xmlStream);
-
- Target target = this.parseTarget(document);
-
- Set<Rule> rules = this.parseRules(document);
-
- policy = new HierarchialPolicy(String.valueOf(this.getUniqueId()), target,
rules);
-
- return policy;
- }
- catch(Exception e)
- {
- throw new PolicyException(e);
- }
- finally
- {
- if(xmlStream != null)
- {
- try{xmlStream.close();}catch(IOException ioe){}
- }
- }
- }
-
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
- private Target parseTarget(Document document) throws Exception
- {
- Target target = new Target();
-
- Element resourceElem =
(Element)document.getElementsByTagName("resource").item(0);
- Element requestUriElem =
(Element)resourceElem.getElementsByTagName("request-uri").item(0);
-
- //Add RequestUri as a Resource To Match
- String requestUri = requestUriElem.getTextContent();
- AttributeExpression requestUriMatch = new AttributeExpression();
- requestUriMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute("request-uri",
- XMLSchemaConstants.DATATYPE_STRING, requestUri);
- requestUriMatch.setAttribute(attribute);
- target.addResourceMatch(requestUriMatch);
-
- //Process Parameters
- NodeList parameters = resourceElem.getElementsByTagName("param");
- for(int i=0; i<parameters.getLength(); i++)
- {
- Element parameter = (Element)parameters.item(i);
-
- String name =
((Element)parameter.getElementsByTagName("name").item(0)).getTextContent();
- String value =
((Element)parameter.getElementsByTagName("value").item(0)).getTextContent();
-
- //Add Parameter as a Resource To Match
- AttributeExpression paramMatch = new AttributeExpression();
- paramMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute paramAttribute = new Attribute(name,
- XMLSchemaConstants.DATATYPE_STRING, value);
- paramMatch.setAttribute(paramAttribute);
- target.addResourceMatch(paramMatch);
- }
-
- return target;
- }
-
- private Set<Rule> parseRules(Document document) throws Exception
- {
- Set<Rule> rules = new HashSet<Rule>();
-
- NodeList conditionNodes = document.getElementsByTagName("condition");
- for(int i=0; i<conditionNodes.getLength(); i++)
- {
- Element conditionElement = (Element)conditionNodes.item(i);
-
- //Process Roles related conditions
- NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
- if(roleNodes.getLength() >0)
- {
- rules.addAll(this.parseRoleRules(roleNodes));
- }
-
- //Process IP Ranges
- NodeList ipNodes = conditionElement.getElementsByTagName("ip-range");
- if(ipNodes.getLength() >0)
- {
- rules.addAll(this.parseIpRules(ipNodes));
- }
- }
-
- return rules;
- }
-
- private Set<Rule> parseRoleRules(NodeList roleNodes)
- {
- Set<Rule> roleRules = new HashSet<Rule>();
-
- for(int j=0; j<roleNodes.getLength(); j++)
- {
- Element roleNameElem = (Element)roleNodes.item(j);
- String roleName = roleNameElem.getTextContent();
-
- Rule roleRule = new Rule();
- roleRule.setRuleId(String.valueOf(this.getUniqueId()));
- roleRule.setEffect(Effect.PERMIT);
-
- AttributeExpression roleExpression = new AttributeExpression();
- roleExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute roleAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
- XMLSchemaConstants.DATATYPE_STRING, roleName);
- roleExpression.setAttribute(roleAttribute);
-
- roleRule.setExpression(roleExpression);
-
- roleRules.add(roleRule);
- }
-
- return roleRules;
- }
-
- private Set<Rule> parseIpRules(NodeList ipNodes)
- {
- Set<Rule> ipRules = new HashSet<Rule>();
-
- for(int j=0; j<ipNodes.getLength(); j++)
- {
- Element ipElem = (Element)ipNodes.item(j);
- String ipRange = ipElem.getTextContent();
-
- Rule rule = new Rule();
- rule.setRuleId(String.valueOf(this.getUniqueId()));
- rule.setEffect(Effect.PERMIT);
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
- XMLSchemaConstants.DATATYPE_IPADDRESS, ipRange);
- expression.setAttribute(attribute);
-
- rule.setExpression(expression);
-
- ipRules.add(rule);
- }
-
- return ipRules;
- }
-
- private synchronized long getUniqueId()
- {
- return System.currentTimeMillis();
- }
-}
Deleted:
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java 2008-12-12
00:22:37 UTC (rev 12377)
+++
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -1,155 +0,0 @@
-/******************************************************************************
- * JBoss, a division of Red Hat *
- * Copyright 2006, Red Hat Middleware, LLC, and individual *
- * contributors as indicated by the @authors tag. See the *
- * copyright.txt in the distribution for a full listing of *
- * individual contributors. *
- * *
- * This is free software; you can redistribute it and/or modify it *
- * under the terms of the GNU Lesser General Public License as *
- * published by the Free Software Foundation; either version 2.1 of *
- * the License, or (at your option) any later version. *
- * *
- * This software is distributed in the hope that it will be useful, *
- * but WITHOUT ANY WARRANTY; without even the implied warranty of *
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
- * Lesser General Public License for more details. *
- * *
- * You should have received a copy of the GNU Lesser General Public *
- * License along with this software; if not, write to the Free *
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
- * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
- ******************************************************************************/
-package org.jboss.security.authz.pap.service;
-
-import junit.framework.TestCase;
-
-import org.apache.log4j.Logger;
-
-import org.jboss.security.authz.model.Policy;
-
-/**
- * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
- *
- */
-public class TestWebTierPolicyManager extends TestCase
-{
- /**
- *
- */
- private static Logger log = Logger.getLogger(TestWebTierPolicyManager.class);
-
- /**
- * A simple developer-friendly web tier policy that specifies:
- *
- * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal
Page"
- *
- * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
- * PAP (Policy Administration Point) Component of the Authorization System
- */
- private static String simpleWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
- "<web-acl>"+
- "<acl-rule>"+
- "<resource>"+
-
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
- "<params>"+
- "<param>"+
-
"<name>page</name>"+
-
"<value>marketing_index.html</value>"+
-
"</param>"+
- "<param>"+
-
"<name>action</name>"+
-
"<value>update</value>"+
-
"</param>"+
- "</params>"+
- "</resource>"+
- "<conditions>"+
- "<condition>"+
- "<roles>"+
-
"<role-name>Root-Admin</role-name>"+
-
"<role-name>Marketing Team</role-name>"+
- "</roles>"+
- "</condition>"+
- "</conditions>"+
- "</acl-rule>"+
- "</web-acl>";
-
- /**
- * A complex developer-friendly web tier policy that specifies:
- *
- * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal Page
- * as long as they are Logged in from a range of allowed IP addresses
- * "
- *
- * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
- * PAP (Policy Administration Point) Component of the Authorization System
- */
- private static String complexWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
- "<web-acl>"+
- "<acl-rule>"+
- "<resource>"+
-
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
- "<params>"+
- "<param>"+
-
"<name>page</name>"+
-
"<value>marketing_index.html</value>"+
-
"</param>"+
- "<param>"+
-
"<name>action</name>"+
-
"<value>update</value>"+
-
"</param>"+
- "</params>"+
- "</resource>"+
- "<conditions>"+
- "<condition>"+
- "<roles>"+
-
"<role-name>Root-Admin</role-name>"+
-
"<role-name>Marketing Team</role-name>"+
- "</roles>"+
- "</condition>"+
- "<condition>"+
-
"<ip-address>"+
-
"<ip-range>192.168.xxx.xxx</ip-range>"+
-
"</ip-address>"+
- "</condition>"+
- "</conditions>"+
- "</acl-rule>"+
- "</web-acl>";
-
- /**
- *
- */
- protected void setUp() throws Exception
- {
- }
-
-
- protected void tearDown() throws Exception
- {
- }
-
-
- public void testSimpleWebTierPolicy() throws Exception
- {
- PolicyManager policyManager = new FileSystemWebTierPolicyManager();
- Policy policy = policyManager.generatePolicy(simpleWebTierPolicy);
-
- assertNotNull(policy);
-
- log.info("------------------------------------------------------");
- log.info(policy.generateXACMLPolicy());
- log.info("------------------------------------------------------");
- }
-
- public void testComplexWebTierPolicy() throws Exception
- {
- PolicyManager policyManager = new FileSystemWebTierPolicyManager();
- Policy policy = policyManager.generatePolicy(complexWebTierPolicy);
-
- assertNotNull(policy);
-
- log.info("------------------------------------------------------");
- log.info(policy.generateXACMLPolicy());
- log.info("------------------------------------------------------");
- }
-}
Modified: modules/authorization/trunk/PEP/pom.xml
===================================================================
--- modules/authorization/trunk/PEP/pom.xml 2008-12-12 00:22:37 UTC (rev 12377)
+++ modules/authorization/trunk/PEP/pom.xml 2008-12-12 19:54:33 UTC (rev 12378)
@@ -58,7 +58,8 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
+ <include>**/TestPDP.java</include>
</includes>
</configuration>
</plugin>
Modified:
modules/authorization/trunk/PEP/src/test/java/org/jboss/security/authz/test/pep/TestPDP.java
===================================================================
---
modules/authorization/trunk/PEP/src/test/java/org/jboss/security/authz/test/pep/TestPDP.java 2008-12-12
00:22:37 UTC (rev 12377)
+++
modules/authorization/trunk/PEP/src/test/java/org/jboss/security/authz/test/pep/TestPDP.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -141,7 +141,7 @@
}
- public void testSimpleDeny() throws Exception
+ /*public void testSimpleDeny() throws Exception
{
//PDP Setup
PDP pdp = new PDP(this.store.getDefaultPDPConfig());
@@ -168,7 +168,7 @@
log.info("-----------------------------------");
log.info("Decision="+responseContext.getDecision());
- }
+ }*/
/*public void testMultiTierPermit() throws Exception
@@ -570,7 +570,8 @@
TargetType targetType = new TargetType();
ResourcesType resourcesType = new ResourcesType();
- org.jboss.security.xacml.core.model.policy.ResourceType resourceType = new
org.jboss.security.xacml.core.model.policy.ResourceType();
+
+ org.jboss.security.xacml.core.model.policy.ResourceType resourceType = new
org.jboss.security.xacml.core.model.policy.ResourceType();
ResourceMatchType rmt = new ResourceMatchType();
rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUAL);
rmt.setResourceAttributeDesignator(PolicyAttributeFactory.createAttributeDesignatorType(
@@ -579,9 +580,27 @@
.createAnyURIAttributeType(new
URI("http://www.redhat.com/protected/index.html")));
resourceType.getResourceMatch().add(rmt);
resourcesType.getResource().add(resourceType);
-
+
+ /*rmt = new ResourceMatchType();
+ rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUAL);
+
rmt.setResourceAttributeDesignator(PolicyAttributeFactory.createAttributeDesignatorType(
+ XACMLConstants.ATTRIBUTEID_RESOURCE_LOCATION,
XMLSchemaConstants.DATATYPE_ANYURI, null, false));
+ rmt.setAttributeValue(PolicyAttributeFactory
+ .createAnyURIAttributeType(new URI("blahblah")));
+ resourceType.getResourceMatch().add(rmt);*/
+
+ resourceType = new org.jboss.security.xacml.core.model.policy.ResourceType();
+ rmt = new ResourceMatchType();
+ rmt.setMatchId(XACMLConstants.FUNCTION_ANYURI_EQUAL);
+
rmt.setResourceAttributeDesignator(PolicyAttributeFactory.createAttributeDesignatorType(
+ XACMLConstants.ATTRIBUTEID_RESOURCE_LOCATION,
XMLSchemaConstants.DATATYPE_ANYURI, null, false));
+ rmt.setAttributeValue(PolicyAttributeFactory
+ .createAnyURIAttributeType(new
URI("http://www.redhat.com/protected/index.html")));
+ resourceType.getResourceMatch().add(rmt);
+ resourcesType.getResource().add(resourceType);
+
+
targetType.setResources(resourcesType);
-
policyType.setTarget(targetType);
//Create a Rule
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/model/ExpressionBuilder.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/model/ExpressionBuilder.java 2008-12-12
00:22:37 UTC (rev 12377)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/model/ExpressionBuilder.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -110,6 +110,26 @@
return expression;
}
+
+ /**
+ * Creates a custom expression corresponding to the specified Attribute id and value
+ *
+ * @param attributeId
+ * @param attributeValue
+ * @return
+ */
+ public AttributeExpression createCustomResourceExpression(String attributeId, String
attributeValue)
+ {
+ AttributeExpression expression = new AttributeExpression();
+
+ expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+
+ Attribute attribute = new Attribute(attributeId,
+ XMLSchemaConstants.DATATYPE_STRING, attributeValue);
+ expression.setAttribute(attribute);
+
+ return expression;
+ }
//---------Action
Expressions---------------------------------------------------------------------------------------------------------------------------------
/**
* Creates an expression for matching an Action
Property changes on: modules/authorization/trunk/http-authz
___________________________________________________________________
Name: svn:ignore
+ target
Modified: modules/authorization/trunk/http-authz/pom.xml
===================================================================
--- modules/authorization/trunk/http-authz/pom.xml 2008-12-12 00:22:37 UTC (rev 12377)
+++ modules/authorization/trunk/http-authz/pom.xml 2008-12-12 19:54:33 UTC (rev 12378)
@@ -13,7 +13,24 @@
<url>http://www.jboss.org</url>
<description>Contains Authorization Infrastructure for the HTTP
tier</description>
- <dependencies>
+ <dependencies>
+ <dependency>
+ <groupId>org.jboss.security.authz</groupId>
+ <artifactId>jboss-authz-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.security.authz</groupId>
+ <artifactId>jboss-authz-pap</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ <!-- jboss xacml -->
+ <dependency>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml</artifactId>
+ </dependency>
+
<!-- junit -->
<dependency>
<groupId>junit</groupId>
Added:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/FileSystemPolicyStore.java
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/FileSystemPolicyStore.java
(rev 0)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/FileSystemPolicyStore.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -0,0 +1,32 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.pap;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class FileSystemPolicyStore
+{
+
+}
Added:
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java
(rev 0)
+++
modules/authorization/trunk/http-authz/src/main/java/org/jboss/security/authz/http/pap/HttpPolicyConfig.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -0,0 +1,212 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.pap;
+
+import java.io.IOException;
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.UUID;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.apache.log4j.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.pap.policy.HierarchialPolicy;
+import org.jboss.security.authz.pap.spi.PolicyConfig;
+
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class HttpPolicyConfig implements PolicyConfig
+{
+ private static Logger log = Logger.getLogger(HttpPolicyConfig.class);
+
+ /**
+ * Configures the Policy instances that can be represented in system level XACML
format. The easyDomainXml is a user friendly XML configuration that is within the context
+ * of the application tier being protected. For instance, to apply Access Control at
the web tier, the XML configuration would consist of Resources and
+ * Actions in the context of the Web Tier such as HTTP Uris, HttpServletRequest
parameters, HTTP actions like GET, POST, PUT, etc
+ *
+ * @param easyDomainXml User Friendly XML configuration within the context of the
Application being protected
+ * @return a fully configured Policy instance
+ */
+ public Policy[] configure(String easyDomainXml)
+ {
+ InputStream xmlStream = null;
+ try
+ {
+ Policy[] policies = null;
+
+ List<Policy> cour = new ArrayList<Policy>();
+ xmlStream = new ByteArrayInputStream(easyDomainXml.getBytes());
+ DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ Document document = builder.parse(xmlStream);
+
+ NodeList aclRules = document.getElementsByTagName("acl-rule");
+ for(int i=0, length=aclRules.getLength(); i< length; i++)
+ {
+ Element aclRuleElem = (Element)aclRules.item(i);
+ String policyUri = aclRuleElem.getAttribute("id");
+ Policy policy = new HierarchialPolicy(policyUri);
+
+ this.parseTarget((HierarchialPolicy)policy, aclRuleElem);
+ this.parseRules((HierarchialPolicy)policy, aclRuleElem);
+
+ cour.add(policy);
+ }
+
+ policies = cour.toArray(new Policy[0]);
+
+ return policies;
+ }
+ catch(Exception e)
+ {
+ log.error(this, e);
+ throw new RuntimeException(e);
+ }
+ finally
+ {
+ try
+ {
+ if(xmlStream != null)
+ {
+ xmlStream.close();
+ }
+ }catch(IOException ioe){log.warn(this, ioe);}
+ }
+ }
+
+
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
+ private void parseTarget(HierarchialPolicy policy, Element aclRuleElem) throws
Exception
+ {
+ Element resourceElem =
(Element)aclRuleElem.getElementsByTagName("resource").item(0);
+ Element requestUriElem =
(Element)aclRuleElem.getElementsByTagName("request-uri").item(0);
+
+ //Add RequestUri as a Resource To Match
+ String requestUri = requestUriElem.getTextContent();
+ List<Attribute> otherCriteria = new ArrayList<Attribute>();
+
+ //Process Parameters
+ NodeList parameters = resourceElem.getElementsByTagName("param");
+ if(parameters != null)
+ {
+ for(int i=0, length=parameters.getLength(); i<length; i++)
+ {
+ Element parameter = (Element)parameters.item(i);
+
+ String name =
((Element)parameter.getElementsByTagName("name").item(0)).getTextContent();
+ String value =
((Element)parameter.getElementsByTagName("value").item(0)).getTextContent();
+
+ Attribute cour = new Attribute();
+ cour.setUri(name);
+ cour.setValue(value);
+
+ otherCriteria.add(cour);
+ }
+ }
+
+ if(!otherCriteria.isEmpty())
+ {
+ policy.setResourceCriteria(requestUri, otherCriteria);
+ }
+ else
+ {
+ policy.setResourceCriteria(requestUri);
+ }
+ }
+
+ private void parseRules(HierarchialPolicy policy, Element aclRuleElem) throws
Exception
+ {
+ NodeList conditionNodes = aclRuleElem.getElementsByTagName("condition");
+ if(conditionNodes != null)
+ {
+ for(int i=0, length=conditionNodes.getLength(); i<length; i++)
+ {
+ Element conditionElement = (Element)conditionNodes.item(i);
+
+ //Process Roles related conditions
+ NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
+ if(roleNodes != null && roleNodes.getLength()>0)
+ {
+ this.parseRoleRules(policy, roleNodes);
+ }
+
+ //Process IP Ranges
+ NodeList ipNodes =
conditionElement.getElementsByTagName("ip-range");
+ if(ipNodes != null && ipNodes.getLength() >0)
+ {
+ this.parseIpRules(policy, ipNodes);
+ }
+ }
+ }
+ }
+
+ private void parseRoleRules(HierarchialPolicy policy, NodeList roleNodes)
+ {
+ for(int j=0, length=roleNodes.getLength(); j<length; j++)
+ {
+ Element roleNameElem = (Element)roleNodes.item(j);
+ String roleName = roleNameElem.getTextContent();
+
+ policy.setPermitCriteria(roleName);
+ }
+ }
+
+ private void parseIpRules(HierarchialPolicy policy, NodeList ipNodes)
+ {
+ for(int j=0; j<ipNodes.getLength(); j++)
+ {
+ Element ipElem = (Element)ipNodes.item(j);
+ String ipRange = ipElem.getTextContent();
+
+ Rule rule = new Rule();
+ rule.setRuleId(UUID.randomUUID().toString());
+ rule.setEffect(Effect.PERMIT);
+
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
+ XMLSchemaConstants.DATATYPE_IPADDRESS, ipRange);
+ expression.setAttribute(attribute);
+
+ rule.setExpression(expression);
+
+ policy.getRules().add(rule);
+ }
+ }
+}
Added:
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpPolicyConfig.java
(rev 0)
+++
modules/authorization/trunk/http-authz/src/test/java/org/jboss/security/authz/http/pap/TestHttpPolicyConfig.java 2008-12-12
19:54:33 UTC (rev 12378)
@@ -0,0 +1,162 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.http.pap;
+
+import junit.framework.TestCase;
+
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.pap.spi.PolicyConfig;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class TestHttpPolicyConfig extends TestCase
+{
+ /**
+ *
+ */
+ private static Logger log = Logger.getLogger(TestHttpPolicyConfig.class);
+
+ /**
+ * A simple developer-friendly web tier policy that specifies:
+ *
+ * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal
Page"
+ *
+ * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
+ * PAP (Policy Administration Point) Component of the Authorization System
+ */
+ private static String simpleWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
+ "<web-acl>"+
+ "<acl-rule>"+
+ "<resource>"+
+
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
+ "<params>"+
+ "<param>"+
+
"<name>page</name>"+
+
"<value>marketing_index.html</value>"+
+
"</param>"+
+ "<param>"+
+
"<name>action</name>"+
+
"<value>update</value>"+
+
"</param>"+
+ "</params>"+
+ "</resource>"+
+ "<conditions>"+
+ "<condition>"+
+ "<roles>"+
+
"<role-name>Root-Admin</role-name>"+
+
"<role-name>Marketing Team</role-name>"+
+ "</roles>"+
+ "</condition>"+
+ "</conditions>"+
+ "</acl-rule>"+
+ "</web-acl>";
+
+ /**
+ * A complex developer-friendly web tier policy that specifies:
+ *
+ * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal Page
+ * as long as they are Logged in from a range of allowed IP addresses
+ * "
+ *
+ * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
+ * PAP (Policy Administration Point) Component of the Authorization System
+ */
+ private static String complexWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
+ "<web-acl>"+
+ "<acl-rule>"+
+ "<resource>"+
+
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
+ "<params>"+
+ "<param>"+
+
"<name>page</name>"+
+
"<value>marketing_index.html</value>"+
+
"</param>"+
+ "<param>"+
+
"<name>action</name>"+
+
"<value>update</value>"+
+
"</param>"+
+ "</params>"+
+ "</resource>"+
+ "<conditions>"+
+ "<condition>"+
+ "<roles>"+
+
"<role-name>Root-Admin</role-name>"+
+
"<role-name>Marketing Team</role-name>"+
+ "</roles>"+
+ "</condition>"+
+ "<condition>"+
+
"<ip-address>"+
+
"<ip-range>192.168.xxx.xxx</ip-range>"+
+
"</ip-address>"+
+ "</condition>"+
+ "</conditions>"+
+ "</acl-rule>"+
+ "</web-acl>";
+
+ /**
+ *
+ */
+ protected void setUp() throws Exception
+ {
+ }
+
+
+ protected void tearDown() throws Exception
+ {
+ }
+
+
+ public void testSimpleWebTierPolicy() throws Exception
+ {
+ PolicyConfig config = new HttpPolicyConfig();
+ Policy[] policies = config.configure(simpleWebTierPolicy);
+
+ assertNotNull(policies);
+
+ for(int i=0; i<policies.length; i++)
+ {
+ log.info("------------------------------------------------------");
+ log.info(policies[i].generateXACMLPolicy());
+ log.info("------------------------------------------------------");
+ }
+ }
+
+ public void testComplexWebTierPolicy() throws Exception
+ {
+ PolicyConfig config = new HttpPolicyConfig();
+ Policy[] policies = config.configure(complexWebTierPolicy);
+
+ assertNotNull(policies);
+
+ for(int i=0; i<policies.length; i++)
+ {
+ log.info("------------------------------------------------------");
+ log.info(policies[i].generateXACMLPolicy());
+ log.info("------------------------------------------------------");
+ }
+ }
+}
Added: modules/authorization/trunk/http-authz/src/test/resources/log4j.properties
===================================================================
--- modules/authorization/trunk/http-authz/src/test/resources/log4j.properties
(rev 0)
+++ modules/authorization/trunk/http-authz/src/test/resources/log4j.properties 2008-12-12
19:54:33 UTC (rev 12378)
@@ -0,0 +1,8 @@
+# Set root category priority to INFO and its only appender to CONSOLE.
+log4j.rootCategory=INFO, CONSOLE
+
+# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
+log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
+log4j.appender.CONSOLE.Threshold=INFO
+log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
Modified: modules/authorization/trunk/pom.xml
===================================================================
--- modules/authorization/trunk/pom.xml 2008-12-12 00:22:37 UTC (rev 12377)
+++ modules/authorization/trunk/pom.xml 2008-12-12 19:54:33 UTC (rev 12378)
@@ -10,13 +10,13 @@
<description>JBoss Authorization</description>
<modules>
- <module>common</module>
+ <module>common</module>
+ <module>PEP</module>
+ <module>PAP</module>
+ <module>http-authz</module>
<!--
<module>security-console</module>
-->
- <module>PEP</module>
- <module>PAP</module>
- <module>http-authz</module>
</modules>
<properties>