Author: sohil.shah(a)jboss.com
Date: 2008-11-13 03:10:07 -0500 (Thu, 13 Nov 2008)
New Revision: 12290
Modified:
modules/authorization/trunk/PAP/pom.xml
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java
Log:
backing up some code
Modified: modules/authorization/trunk/PAP/pom.xml
===================================================================
--- modules/authorization/trunk/PAP/pom.xml 2008-11-12 23:51:15 UTC (rev 12289)
+++ modules/authorization/trunk/PAP/pom.xml 2008-11-13 08:10:07 UTC (rev 12290)
@@ -58,7 +58,8 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
+ <include>**/TestWebTierPolicyManager.java</include>
</includes>
</configuration>
</plugin>
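Review bot: The surefire includes block now lists only TestWebTierPolicyManager, so every other test class in this module silently stops running until the list is widened again. If the intent is to focus a local run, `-Dtest=TestWebTierPolicyManager` on the command line keeps the build's test set intact; if this is a deliberate temporary state (the log message says "backing up some code"), a marker such as `<!-- TEMP: restricted to the web-tier tests; restore the full include set -->` next to the include would make that visible.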
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java 2008-11-12
23:51:15 UTC (rev 12289)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/hierarchial/HierarchialPolicy.java 2008-11-13
08:10:07 UTC (rev 12290)
@@ -128,11 +128,14 @@
}
//Process the Rule Target
- List<AttributeExpression> actionMatches =
rule.getTarget().getActionMatches();
- if(actionMatches != null && !actionMatches.isEmpty())
+ if(rule.getTarget() != null)
{
- TargetType ruleTarget = this.generateRuleActions(actionMatches);
- ruleType.setTarget(ruleTarget);
+ List<AttributeExpression> actionMatches =
rule.getTarget().getActionMatches();
+ if(actionMatches != null && !actionMatches.isEmpty())
+ {
+ TargetType ruleTarget = this.generateRuleActions(actionMatches);
+ ruleType.setTarget(ruleTarget);
+ }
}
//Process the Rule Expression/Condition
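Review bot: rule.getTarget() is called twice in the new code, once for the null check and again on the next line to fetch actionMatches; holding it in a local of the model's target type, `if(rule.getTarget() != null)` becoming a null check on that local, avoids the repeated call and any surprise should the getter ever stop returning the same instance. The enclosing method starts and ends outside the hunk, and the model type of getTarget() is not visible here.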
Modified:
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java 2008-11-12
23:51:15 UTC (rev 12289)
+++
modules/authorization/trunk/PAP/src/main/java/org/jboss/security/authz/pap/service/FileSystemWebTierPolicyManager.java 2008-11-13
08:10:07 UTC (rev 12290)
@@ -22,7 +22,29 @@
******************************************************************************/
package org.jboss.security.authz.pap.service;
+import java.io.InputStream;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.util.Set;
+import java.util.HashSet;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyException;
import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.pap.hierarchial.HierarchialPolicy;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
/**
* The PolicyManager provides implementation for the Configuration related services of
the PolicyManager. It extends the FileSystemPolicyManager in order to store the managed
Policies
@@ -33,7 +55,7 @@
*
*/
public class FileSystemWebTierPolicyManager extends FileSystemPolicyManager
-{
+{
/**
*
*
@@ -50,8 +72,158 @@
* @param xmlConfiguration User Friendly XML configuration within the context of the
Web Tier of an Application
* @return a Policy that can be represented in system level XACML format
*/
- public Policy generatePolicy(String xmlConfiguration)
+ public Policy generatePolicy(String xmlConfiguration) throws PolicyException
{
- return null;
- }
+ InputStream xmlStream = null;
+ try
+ {
+ Policy policy = null;
+
+ xmlStream = new ByteArrayInputStream(xmlConfiguration.getBytes());
+ DocumentBuilder builder =
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ Document document = builder.parse(xmlStream);
+
+ Target target = this.parseTarget(document);
+
+ Set<Rule> rules = this.parseRules(document);
+
+ policy = new HierarchialPolicy(String.valueOf(this.getUniqueId()), target,
rules);
+
+ return policy;
+ }
+ catch(Exception e)
+ {
+ throw new PolicyException(e);
+ }
+ finally
+ {
+ if(xmlStream != null)
+ {
+ try{xmlStream.close();}catch(IOException ioe){}
+ }
+ }
+ }
+
//XMLParsing----------------------------------------------------------------------------------------------------------------------------------------------------
+ private Target parseTarget(Document document) throws Exception
+ {
+ Target target = new Target();
+
+ Element resourceElem =
(Element)document.getElementsByTagName("resource").item(0);
+ Element requestUriElem =
(Element)resourceElem.getElementsByTagName("request-uri").item(0);
+
+ //Add RequestUri as a Resource To Match
+ String requestUri = requestUriElem.getTextContent();
+ AttributeExpression requestUriMatch = new AttributeExpression();
+ requestUriMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute attribute = new Attribute("request-uri",
+ XMLSchemaConstants.DATATYPE_STRING, requestUri);
+ requestUriMatch.setAttribute(attribute);
+ target.addResourceMatch(requestUriMatch);
+
+ //Process Parameters
+ NodeList parameters = resourceElem.getElementsByTagName("param");
+ for(int i=0; i<parameters.getLength(); i++)
+ {
+ Element parameter = (Element)parameters.item(i);
+
+ String name =
((Element)parameter.getElementsByTagName("name").item(0)).getTextContent();
+ String value =
((Element)parameter.getElementsByTagName("value").item(0)).getTextContent();
+
+ //Add Parameter as a Resource To Match
+ AttributeExpression paramMatch = new AttributeExpression();
+ paramMatch.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute paramAttribute = new Attribute(name,
+ XMLSchemaConstants.DATATYPE_STRING, value);
+ paramMatch.setAttribute(paramAttribute);
+ target.addResourceMatch(paramMatch);
+ }
+
+ return target;
+ }
+
+ private Set<Rule> parseRules(Document document) throws Exception
+ {
+ Set<Rule> rules = new HashSet<Rule>();
+
+ NodeList conditionNodes = document.getElementsByTagName("condition");
+ for(int i=0; i<conditionNodes.getLength(); i++)
+ {
+ Element conditionElement = (Element)conditionNodes.item(i);
+
+ //Process Roles related conditions
+ NodeList roleNodes =
conditionElement.getElementsByTagName("role-name");
+ if(roleNodes.getLength() >0)
+ {
+ rules.addAll(this.parseRoleRules(roleNodes));
+ }
+
+ //Process IP Ranges
+ NodeList ipNodes = conditionElement.getElementsByTagName("ip-range");
+ if(ipNodes.getLength() >0)
+ {
+ rules.addAll(this.parseIpRules(ipNodes));
+ }
+ }
+
+ return rules;
+ }
+
+ private Set<Rule> parseRoleRules(NodeList roleNodes)
+ {
+ Set<Rule> roleRules = new HashSet<Rule>();
+
+ for(int j=0; j<roleNodes.getLength(); j++)
+ {
+ Element roleNameElem = (Element)roleNodes.item(j);
+ String roleName = roleNameElem.getTextContent();
+
+ Rule roleRule = new Rule();
+ roleRule.setRuleId(String.valueOf(this.getUniqueId()));
+ roleRule.setEffect(Effect.PERMIT);
+
+ AttributeExpression roleExpression = new AttributeExpression();
+ roleExpression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute roleAttribute = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
+ XMLSchemaConstants.DATATYPE_STRING, roleName);
+ roleExpression.setAttribute(roleAttribute);
+
+ roleRule.setExpression(roleExpression);
+
+ roleRules.add(roleRule);
+ }
+
+ return roleRules;
+ }
+
+ private Set<Rule> parseIpRules(NodeList ipNodes)
+ {
+ Set<Rule> ipRules = new HashSet<Rule>();
+
+ for(int j=0; j<ipNodes.getLength(); j++)
+ {
+ Element ipElem = (Element)ipNodes.item(j);
+ String ipRange = ipElem.getTextContent();
+
+ Rule rule = new Rule();
+ rule.setRuleId(String.valueOf(this.getUniqueId()));
+ rule.setEffect(Effect.PERMIT);
+
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_REGEXP_IPADDRESS_MATCH);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_IP_ADDRESS,
+ XMLSchemaConstants.DATATYPE_IPADDRESS, ipRange);
+ expression.setAttribute(attribute);
+
+ rule.setExpression(expression);
+
+ ipRules.add(rule);
+ }
+
+ return ipRules;
+ }
+
+ private synchronized long getUniqueId()
+ {
+ return System.currentTimeMillis();
+ }
}
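Review bot: getUniqueId() returns System.currentTimeMillis(), so the rule ids assigned inside the parseRoleRules and parseIpRules loops (and the policy id in generatePolicy) collide whenever two calls land in the same millisecond, which is the normal case inside a loop; a counter is cheaper and correct, e.g. `private final AtomicLong idSequence = new AtomicLong();` with `private long getUniqueId() { return idSequence.incrementAndGet(); }` (the synchronized is then unnecessary). The DocumentBuilder in generatePolicy is created with default DocumentBuilderFactory settings and parses caller-supplied XML, so a DOCTYPE with external entity declarations would be resolved; enabling secure processing and disallowing DOCTYPE before newDocumentBuilder() closes that, as sketched below. xmlConfiguration.getBytes() uses the platform default charset while the test documents declare UTF-8, so the charset should be passed explicitly. Separately, every Rule built here carries Effect.PERMIT and a single expression, so an ip-range condition alone would permit independently of the role conditions if the policy's rule-combining algorithm (not visible in this hunk) lets any one matching rule decide — the test's comment describes role and IP as conjunctive, which is worth confirming against HierarchialPolicy.
```java
   public Policy generatePolicy(String xmlConfiguration) throws PolicyException
   {
      InputStream xmlStream = null;
      try
      {
         xmlStream = new ByteArrayInputStream(xmlConfiguration.getBytes("UTF-8"));
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         // The configuration XML comes from the caller: never resolve DTDs or external entities.
         factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
         factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         factory.setXIncludeAware(false);
         factory.setExpandEntityReferences(false);
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document document = builder.parse(xmlStream);
         // … unchanged: parseTarget/parseRules, HierarchialPolicy construction, PolicyException wrapping, stream close …
```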
Modified:
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java
===================================================================
---
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java 2008-11-12
23:51:15 UTC (rev 12289)
+++
modules/authorization/trunk/PAP/src/test/java/org/jboss/security/authz/pap/service/TestWebTierPolicyManager.java 2008-11-13
08:10:07 UTC (rev 12290)
@@ -57,6 +57,10 @@
"<name>page</name>"+
"<value>marketing_index.html</value>"+
"</param>"+
+ "<param>"+
+
"<name>action</name>"+
+
"<value>update</value>"+
+
"</param>"+
"</params>"+
"</resource>"+
"<conditions>"+
@@ -71,8 +75,50 @@
"</web-acl>";
/**
+ * A complex developer-friendly web tier policy that specifies:
*
+ * "Only Root Portal User and Users in the Marketing Department of the
organization must be allowed to Modify the Layout of the "Main Marketing Portal Page
+ * as long as they are Logged in from a range of allowed IP addresses
+ * "
+ *
+ * Notice: This configuration is not muddled by the vast low-level details of XACML
Policy representation. That part is automated by the
+ * PAP (Policy Administration Point) Component of the Authorization System
*/
+ private static String complexWebTierPolicy = "<?xml version=\"1.0\"
encoding=\"UTF-8\"?>"+
+ "<web-acl>"+
+ "<acl-rule>"+
+ "<resource>"+
+
"<request-uri>/portal/admin-tool/modifyLayout</request-uri>"+
+ "<params>"+
+ "<param>"+
+
"<name>page</name>"+
+
"<value>marketing_index.html</value>"+
+
"</param>"+
+ "<param>"+
+
"<name>action</name>"+
+
"<value>update</value>"+
+
"</param>"+
+ "</params>"+
+ "</resource>"+
+ "<conditions>"+
+ "<condition>"+
+ "<roles>"+
+
"<role-name>Root-Admin</role-name>"+
+
"<role-name>Marketing Team</role-name>"+
+ "</roles>"+
+ "</condition>"+
+ "<condition>"+
+
"<ip-address>"+
+
"<ip-range>192.168.xxx.xxx</ip-range>"+
+
"</ip-address>"+
+ "</condition>"+
+ "</conditions>"+
+ "</acl-rule>"+
+ "</web-acl>";
+
+ /**
+ *
+ */
protected void setUp() throws Exception
{
}
@@ -82,17 +128,28 @@
{
}
- /**
- *
- * @throws Exception
- */
+
public void testSimpleWebTierPolicy() throws Exception
{
PolicyManager policyManager = new FileSystemWebTierPolicyManager();
Policy policy = policyManager.generatePolicy(simpleWebTierPolicy);
+ assertNotNull(policy);
+
log.info("------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
log.info("------------------------------------------------------");
}
+
+ public void testComplexWebTierPolicy() throws Exception
+ {
+ PolicyManager policyManager = new FileSystemWebTierPolicyManager();
+ Policy policy = policyManager.generatePolicy(complexWebTierPolicy);
+
+ assertNotNull(policy);
+
+ log.info("------------------------------------------------------");
+ log.info(policy.generateXACMLPolicy());
+ log.info("------------------------------------------------------");
+ }
}
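Review bot: Both testSimpleWebTierPolicy and the new testComplexWebTierPolicy only assert that generatePolicy returns non-null and then log the generated XACML, so a regression in the resource matches or rules (for instance the two role-name rules or the ip-range rule expected from complexWebTierPolicy) would not fail the build. Asserting on the returned Policy — the number of rules and the request-uri resource match, or at least a contains() check on generateXACMLPolicy() for the role names — would turn these into real tests. The ip-range value `192.168.xxx.xxx` reads as placeholder text rather than an address pattern, so it is worth confirming what the ip-address match function expects before the test input is relied on. The first hunk of this file only extends the simple policy's params and raises nothing on its own.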
Modified:
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java
===================================================================
---
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java 2008-11-12
23:51:15 UTC (rev 12289)
+++
modules/authorization/trunk/common/src/main/java/org/jboss/security/authz/xacml/AttributeDesignatorUtil.java 2008-11-13
08:10:07 UTC (rev 12290)
@@ -50,7 +50,8 @@
String uri = attribute.getUri();
//TODO: add all the conditions to detect a Subject Attribute
- if(uri.equals(XACMLConstants.ATTRIBUTEID_ROLE)
+ if(uri.equals(XACMLConstants.ATTRIBUTEID_ROLE) ||
+ uri.equals(XACMLConstants.ATTRIBUTEID_IP_ADDRESS)
)
{
attributeDesignator =
PolicyAttributeFactory.createSubjectAttributeDesignatorType(attribute.getUri(),