Author: sohil.shah(a)jboss.com
Date: 2009-02-14 12:04:26 -0500 (Sat, 14 Feb 2009)
New Revision: 12820
Added:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
Modified:
modules/authorization/trunk/.classpath
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/URIResource.java
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java
modules/authorization/trunk/http-profile/pom.xml
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
Log:
url-pattern matching for the http profile
Modified: modules/authorization/trunk/.classpath
===================================================================
--- modules/authorization/trunk/.classpath 2009-02-13 16:19:19 UTC (rev 12819)
+++ modules/authorization/trunk/.classpath 2009-02-14 17:04:26 UTC (rev 12820)
@@ -7,11 +7,11 @@
<classpathentry kind="src"
path="core-components-api/src/main/java"/>
<classpathentry kind="src"
path="core-components-api/src/main/resources"/>
<classpathentry kind="src"
path="core-components-api/src/test/java"/>
- <classpathentry kind="src"
path="core-components-api/src/test/resources"/>
+ <classpathentry kind="src"
path="core-components-api/src/test/resources"/>
<classpathentry kind="src" path="enforcement/src/main/java"/>
<classpathentry kind="src"
path="enforcement/src/main/resources"/>
<classpathentry kind="src" path="enforcement/src/test/java"/>
- <classpathentry kind="src"
path="enforcement/src/test/resources"/>
+ <classpathentry kind="src"
path="enforcement/src/test/resources"/>
<classpathentry kind="src"
path="policy-server/src/main/java"/>
<classpathentry kind="src"
path="policy-server/src/main/resources"/>
<classpathentry kind="src"
path="policy-server/src/test/java"/>
@@ -20,17 +20,17 @@
<classpathentry kind="src"
path="http-profile/src/main/resources"/>
<classpathentry kind="src"
path="http-profile/src/test/java"/>
<classpathentry kind="src"
path="http-profile/src/test/resources"/>
- <classpathentry kind="src"
path="documentation/reference-guide/en/modules"/>
+ <classpathentry kind="src"
path="documentation/reference-guide/en/modules"/>
<classpathentry kind="con"
path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
<classpathentry kind="var"
path="M2_REPO/asm/asm/1.5.3/asm-1.5.3.jar"/>
<classpathentry kind="var"
path="M2_REPO/cglib/cglib/2.1_3/cglib-2.1_3.jar"/>
- <classpathentry kind="var"
path="M2_REPO/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar"/>
- <classpathentry kind="var"
path="M2_REPO/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar"/>
<classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-api/2.1.4/jaxb-api-2.1.4.jar"/>
<classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-impl/2.1.4/jaxb-impl-2.1.4.jar"/>
<classpathentry kind="var"
path="M2_REPO/sun-jaxb/jaxb-xjc/2.1.4/jaxb-xjc-2.1.4.jar"/>
<classpathentry kind="var"
path="M2_REPO/junit/junit/3.8.2/junit-3.8.2.jar"/>
- <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT-sources.jar"/>
+ <classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT.jar"
sourcepath="/M2_REPO/org/jboss/security/jboss-sunxacml/2.0.3-SNAPSHOT/jboss-sunxacml-2.0.3-SNAPSHOT-sources.jar"/>
<classpathentry kind="var"
path="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT.jar"
sourcepath="M2_REPO/org/jboss/security/jboss-xacml/2.0.3-SNAPSHOT/jboss-xacml-2.0.3-SNAPSHOT-sources.jar"/>
<classpathentry kind="var"
path="M2_REPO/apache-log4j/log4j/1.2.14/log4j-1.2.14.jar"/>
<classpathentry kind="var"
path="M2_REPO/org/drools/drools-core/4.0.7/drools-core-4.0.7.jar"/>
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/URIResource.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/URIResource.java 2009-02-13
16:19:19 UTC (rev 12819)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/resource/URIResource.java 2009-02-14
17:04:26 UTC (rev 12820)
@@ -143,10 +143,39 @@
Target target = new Target();
- AttributeExpression urlExpression =
ExpressionBuilder.getInstance().createResourceIdExpression(this.uri.toString());
+
+ AttributeExpression urlExpression = new AttributeExpression();
+
+ String uriStr = this.uri.toString();
+
+ if(uriStr.charAt(0) == '/' && uriStr.endsWith("/*"))
+ {
+ //If URL starts with '/' and ends with "/*", use a regular
expression to match it (In consistency with the servlet spec)
+ urlExpression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_STRING_MATCH);
+
+ String uriexp = uriStr.substring(1, uriStr.length()-2);
+ StringBuilder buffer = new StringBuilder();
+ buffer.append("^/"+uriexp+"$|");
+ buffer.append("^"+uriexp+"$|");
+ buffer.append("^/"+uriexp+"/.*|");
+ buffer.append("^"+uriexp+"/.*");
+
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_RESOURCE_ID,
+ XMLSchemaConstants.DATATYPE_STRING, buffer.toString());
+ urlExpression.setAttribute(attribute);
+ }
+ else
+ {
+ //use an exact match
+ urlExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_RESOURCE_ID,
+ XMLSchemaConstants.DATATYPE_STRING, uriStr);
+ urlExpression.setAttribute(attribute);
+ }
+
target.addResourceMatch(urlExpression);
-
-
+
return target;
}
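Review bot: The path prefix is spliced into the regular expression unescaped at the `buffer.append` lines, so a policy URI containing regex metacharacters changes what the rule matches — `/docs.v1/*` also grants `/docsXv1/...`, and a `|`, `(` or `?` in the path rewrites the alternation itself. If the PDP's regexp-string-match is backed by java.util.regex (the new TestURLPattern assumes so by checking the same string with `Pattern.matches`), quote the literal part: `String uriexp = Pattern.quote(uriStr.substring(1, uriStr.length()-2));`; otherwise escape the metacharacters by hand before concatenating. The branch also assumes a long enough string: `uriStr.charAt(0)` throws on an empty URI, and the servlet-style catch-all `/*` passes the `if` but then calls `substring(1, 0)`, which throws as well — guard with `uriStr.length() > 2 && uriStr.charAt(0) == '/' && uriStr.endsWith("/*")` and decide explicitly what `/*` should produce. The enclosing method starts before this hunk.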
Modified:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java 2009-02-13
16:19:19 UTC (rev 12819)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java 2009-02-14
17:04:26 UTC (rev 12820)
@@ -21,8 +21,6 @@
*/
package org.jboss.security.authz.components.http;
-import java.util.HashSet;
-import java.util.Set;
import java.net.URI;
import junit.framework.TestCase;
@@ -30,9 +28,7 @@
import org.apache.log4j.Logger;
import org.jboss.security.authz.components.resource.HttpResource;
-import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Policy;
-import org.jboss.security.authz.model.Rule;
import org.jboss.security.authz.test.MockPolicy;
@@ -96,5 +92,20 @@
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
- }
+ }
+
+ public void testURLPattern() throws Exception
+ {
+ HttpResource httpResource = new HttpResource();
+ httpResource.setUri(new URI("/portal/*"));
+ httpResource.addParameter("test1", "test1://value");
+ httpResource.addParameter("test2", "test2://value");
+ httpResource.addAllowed("admin");
+ httpResource.addDenied("anonymous");
+
+ Policy policy = new MockPolicy("testURLPattern",
httpResource.getPolicyMetaData());
+
+ log.info("------------------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ }
}
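Review bot: `testURLPattern` asserts nothing — it builds the resource, generates the XACML policy and logs it, so a regression in the new `/*` handling in URIResource would leave this test green. Pin at least the function id the pattern branch is supposed to select, e.g. `assertTrue(policy.generateXACMLPolicy().contains(XACMLConstants.FUNCTION_REGEXP_STRING_MATCH));` (assuming `generateXACMLPolicy()` returns the policy as a String, as the `log.info` call suggests), and ideally the exact resource-id regex the `/portal/*` input should yield.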
Modified: modules/authorization/trunk/http-profile/pom.xml
===================================================================
--- modules/authorization/trunk/http-profile/pom.xml 2009-02-13 16:19:19 UTC (rev 12819)
+++ modules/authorization/trunk/http-profile/pom.xml 2009-02-14 17:04:26 UTC (rev 12820)
@@ -36,7 +36,24 @@
<groupId>org.jboss.security</groupId>
<artifactId>jboss-xacml</artifactId>
<scope>test</scope>
- </dependency>
+ </dependency>
+ <!-- jboss microcontainer -->
+ <dependency>
+ <groupId>org.jboss.microcontainer</groupId>
+ <artifactId>jboss-kernel</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <!-- Drools -->
+ <dependency>
+ <groupId>org.drools</groupId>
+ <artifactId>drools-core</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.drools</groupId>
+ <artifactId>drools-compiler</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
@@ -46,10 +63,11 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
+ <include>**/TestURLPattern.java</include>
</includes>
</configuration>
</plugin>
</plugins>
</build>
-</project>
+</project>
\ No newline at end of file
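Review bot: The surefire `<includes>` now lists only `**/TestURLPattern.java`, which means every other test class in http-profile is silently skipped by the build rather than this test merely being added. If the intent is to run the new test alongside the default set, drop the explicit includes or add the default pattern, e.g. `<include>**/Test*.java</include>`; if the intent is to temporarily run only this test while the URL matching settles, say so in a comment next to the include (`<!-- TEMP: only TestURLPattern until the other http-profile tests are fixed -->`) so it is not shipped as the permanent configuration.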
Added:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
(rev 0)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java 2009-02-14
17:04:26 UTC (rev 12820)
@@ -0,0 +1,151 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.http.components;
+
+import java.net.URI;
+import java.util.regex.Pattern;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.HttpResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.enforcement.Request;
+import org.jboss.security.authz.enforcement.Response;
+
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Resource;
+import org.jboss.security.authz.policy.server.PolicyServer;
+import org.jboss.security.authz.policy.server.Server;
+
+import junit.framework.TestCase;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestURLPattern extends TestCase
+{
+ private static Logger log = Logger.getLogger(TestURLPattern.class);
+
+ private PolicyServer policyServer;
+
+ public void setUp() throws Exception
+ {
+ Server.bootstrap();
+ this.policyServer =
(PolicyServer)Server.lookup("/policy-server/PolicyServer");
+ }
+
+ public void testRegex() throws Exception
+ {
+ /**
+ * Rule = "/prefix/url/*" matches any URL starting with /prefix/url,
+ * including prefix/url itself. It does not match /prefix/urlfoo because any slash must
immediately follow url
+ */
+ String regex = "^/prefix/url$|^prefix/url$|^/prefix/url/.*|^prefix/url/.*";
+
+ //Should Match
+ assertTrue("Match(/prefix/url/)", Pattern.matches(regex,
"/prefix/url/"));
+ assertTrue("Match(/prefix/url)", Pattern.matches(regex,
"/prefix/url"));
+ assertTrue("Match(prefix/url/)",Pattern.matches(regex,
"prefix/url/"));
+ assertTrue("Match(prefix/url)",Pattern.matches(regex,
"prefix/url"));
+ assertTrue("Match(/prefix/url/index.html)",Pattern.matches(regex,
"/prefix/url/index.html"));
+ assertTrue("Match(prefix/url/index.html)",Pattern.matches(regex,
"prefix/url/index.html"));
+
+ //Should Not Match
+ assertFalse("Match(/prefix/urlfoo)",Pattern.matches(regex,
"/prefix/urlfoo"));
+ assertFalse("Match(/prefix/urlfoo/)",Pattern.matches(regex,
"/prefix/urlfoo/"));
+ assertFalse("Match(prefix/urlfoo)",Pattern.matches(regex,
"prefix/urlfoo"));
+ assertFalse("Match(prefix/urlfoo/)",Pattern.matches(regex,
"prefix/urlfoo/"));
+ assertFalse("Match(/blah/prefix/url/index.html)",Pattern.matches(regex,
"/blah/prefix/url/index.html"));
+
+ HttpResource httpResource = new HttpResource();
+ httpResource.setUri(new URI("/prefix/url/*"));
+ httpResource.addAllowed("Admin");
+
+ PolicyMetaData policyMetaData = httpResource.getPolicyMetaData();
+ this.policyServer.newPolicy(policyMetaData);
+
+ //Assert Policy State of the Server
+ Policy[] policies = this.policyServer.readAllPolicies();
+
+ assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length == 1));
+ log.info("------------------------------------------------------------------------------");
+ log.info(policies[0].generateXACMLPolicy());
+
+ //Access Granted
+ this.enforce(this.createRequest("/prefix/url"), true);
+ this.enforce(this.createRequest("/prefix/url/"), true);
+ this.enforce(this.createRequest("prefix/url"), true);
+ this.enforce(this.createRequest("prefix/url/"), true);
+ this.enforce(this.createRequest("/prefix/url/index.html"), true);
+ this.enforce(this.createRequest("prefix/url/index.html"), true);
+
+ //Access Denied
+ this.enforce(this.createRequest("/prefix/urlfoo"), false);
+ this.enforce(this.createRequest("/prefix/urlfoo/"), false);
+ this.enforce(this.createRequest("prefix/urlfoo"), false);
+ this.enforce(this.createRequest("prefix/urlfoo/"), false);
+ this.enforce(this.createRequest("/blah"), false);
+ this.enforce(this.createRequest("/blah/prefix/url/index.html"), false);
+ }
+ //-----------------------------------------------------------------------------------------------------------------------------------------------------
+ private void enforce(Request request, boolean mustBePermitted) throws Exception
+ {
+
+ Response response = this.policyServer.evaluate(request);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ private Request createRequest(String uri) throws Exception
+ {
+ //Create a RequestType
+ Request request = new Request();
+
+ //Create Subjects
+ Roles roles = new Roles();
+ roles.addName("Admin");
+ request.addSubject(roles.getSubject());
+
+ //Create Resource
+ HttpResource httpResource = new HttpResource();
+ httpResource.setUri(new URI(uri));
+ Resource urlResource = httpResource.getResource();
+ request.addResource(urlResource);
+
+ //Create Action
+ request.setAction(new Read().getAction());
+
+ return request;
+ }
+}
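Review bot: The regex under test in `testRegex` is a hand-typed copy of the string URIResource builds rather than the one the production code generates, so the two can drift without this test noticing; derive it from the `HttpResource`/`getPolicyMetaData()` output, or factor the regex construction into a helper that both the resource and the test call. Every request built by `createRequest` carries the role `Admin`, so the "Access Denied" cases only prove path mismatch and never that a subject outside `addAllowed("Admin")` is refused — add a request with a different role to `/prefix/url` expected `false`. The granted cases also accept `prefix/url` without a leading slash, whereas in the servlet mapping this mirrors request paths always begin with `/`; a comment stating that relative paths are intentionally matched (`// relative form is accepted on purpose: policy URIs may be stored without the leading '/'`) would make that a decision rather than an accident.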
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-02-13
16:19:19 UTC (rev 12819)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-02-14
17:04:26 UTC (rev 12820)
@@ -22,10 +22,14 @@
package org.jboss.security.authz.policy.server.decision;
import java.io.File;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
import org.apache.log4j.Logger;
-import org.jboss.security.authz.xacml.PolicyUtil;
+import org.jboss.security.authz.tools.GeneralTool;
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
import org.jboss.security.authz.policy.server.PolicyServerException;
@@ -63,10 +67,26 @@
public void start()
{
+ InputStream is = null;
+ OutputStream os = null;
+ File tmpFile = null;
try
{
- this.store = new ConfigurationStore(new
File(Thread.currentThread().getContextClassLoader().
- getResource("META-INF/pdp-config.xml").getFile()));
+ //Create a temp file
+ is = Thread.currentThread().getContextClassLoader().
+ getResourceAsStream("META-INF/pdp-config.xml");
+ tmpFile =
File.createTempFile(GeneralTool.generateUniqueId()+"-pdp-config",
".xml");
+ byte[] buffer = new byte[1000];
+ int length = -1;
+ os = new FileOutputStream(tmpFile);
+ while((length = is.read(buffer)) != -1)
+ {
+ os.write(buffer, 0, length);
+ os.flush();
+ }
+
+
+ this.store = new ConfigurationStore(tmpFile);
this.store.useDefaultFactories();
this.policyDecisionPoint = new PDP(this.store.getDefaultPDPConfig());
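Review bot: `getResourceAsStream` returns null when META-INF/pdp-config.xml is not on the context classloader, and the new copy loop then dies with a bare NullPointerException from `is.read` instead of naming the missing resource; add `if (is == null) throw new IllegalStateException("META-INF/pdp-config.xml not found on context classloader");` before the temp file is created. `File.createTempFile` on pre-7 JDKs creates the file with default permissions, so the PDP configuration sits readable by other local users in the shared temp directory until the `finally` block deletes it — if that matters in this deployment, restrict it right after creation (`tmpFile.setReadable(false, false); tmpFile.setReadable(true, true);` on Java 6) or create it under a private directory. The comment `//Create a temp file` should say why a file is needed at all — presumably because `ConfigurationStore` only accepts a `File`, which is why the old `getResource(...).getFile()` failed once the resource lived inside a jar — as the reader otherwise sees a pointless copy. `start()` continues past the end of this hunk.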
@@ -80,6 +100,23 @@
log.error(this, e);
throw new RuntimeException(e);
}
+ finally
+ {
+ if(is != null)
+ {
+ try{is.close();}catch(IOException ioe){}
+ }
+
+ if(os != null)
+ {
+ try{os.close();}catch(IOException ioe){}
+ }
+
+ if(tmpFile != null)
+ {
+ tmpFile.delete();
+ }
+ }
}
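Review bot: `tmpFile.delete()` in the new `finally` runs on the success path as well, so the copied configuration is gone the moment `start()` returns; that is only safe if `ConfigurationStore` and `PDP` read the file eagerly in their constructors, which this hunk does not show — either document that on the delete (`// store has fully parsed the file by now; it must not be re-read later`) or, if a later re-read is possible, use `tmpFile.deleteOnExit()` instead. The boolean result of `delete()` is also dropped; `if (!tmpFile.delete()) log.warn("could not delete " + tmpFile);` keeps a leftover configuration file from going unnoticed.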
public void stop()
@@ -105,7 +142,7 @@
RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
requestContext.setRequest(request.encode());
- //requestContext.marshall(System.out);
+ requestContext.marshall(System.out);
RequestCtx xacmlRequestCtx =
(RequestCtx)requestContext.get(XACMLConstants.REQUEST_CTX);
ResponseCtx xacmlResponseCtx = this.policyDecisionPoint.evaluate(xacmlRequestCtx);
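Review bot: Un-commenting `requestContext.marshall(System.out)` turns on unconditional dumping of every XACML request — subject roles, resource URI, action — to stdout in the production `evaluate()` path, and the next hunk does the same for the response with its decision, which leaks authorization traffic into whatever captures the server console and adds a marshalling pass per decision. Since the class already has a log4j `log`, gate it: `if (log.isDebugEnabled()) requestContext.marshall(System.out);`, or better marshall into a `ByteArrayOutputStream` and `log.debug` the result; if this was left over from debugging the new URL matching, restore the comment. The enclosing method starts before and ends after this hunk.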
@@ -113,7 +150,7 @@
ResponseContext responseContext =
RequestResponseContextFactory.createResponseContext();
responseContext.set(XACMLConstants.RESPONSE_CTX, xacmlResponseCtx);
- //responseContext.marshall(System.out);
+ responseContext.marshall(System.out);
if(responseContext.getDecision() == XACMLConstants.DECISION_PERMIT)
{