Author: sohil.shah(a)jboss.com
Date: 2009-02-09 04:06:31 -0500 (Mon, 09 Feb 2009)
New Revision: 12799
Added:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Operation.java
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/URIResource.java
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestImpliedActions.java
Removed:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Manage.java
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Read.java
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Write.java
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
modules/authorization/trunk/policy-server/pom.xml
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestPolicyServer.java
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java
Log:
more core-component robustness
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Manage.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Manage.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Manage.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -22,69 +22,38 @@
package org.jboss.security.authz.components.action;
import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
import org.jboss.security.authz.model.Action;
-import org.jboss.security.authz.model.Target;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
/**
- * Read represents a "Manage" action that can be performed on a Resource
+ * Read represents a "manage" action that can be performed on a Resource
*
- * Management of a Resource involves all kinds of operations including Reading and
Writing
+ * Management of a Resource involves all kinds of operations including read, write,
delete, rename, move etc
*
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
-public class Manage
+public class Manage extends Operation
{
public Manage()
{
-
- }
- //-----Services for Policy
Generation------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * A Target used for Matching a "MANAGE" Action within a Policy Definition
- *
- * @return target
- */
- public Target getTarget()
- {
- Target target = new Target();
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING, "MANAGE");
- expression.setAttribute(attribute);
-
- target.addActionMatch(expression);
-
- return target;
+ this.name = "manage";
}
- //-----Services for Request
Generation----------------------------------------------------------------------------------------------------------------------
- /**
- * Creates a "MANAGE" Action for the RequestContext
- *
- * @return action
- */
+
+ @Override
public Action getAction()
{
- Action action = new Action();
-
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING,
- "MANAGE"
- );
- Attribute impliesRead = new Attribute(XACMLConstants.ATTRIBUTEID_IMPLIED_ACTION,
+ Action action = super.getAction();
+
+ Attribute impliesRead = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
XMLSchemaConstants.DATATYPE_STRING,
- "READ"
+ new Read().getName()
);
- Attribute impliesWrite = new Attribute(XACMLConstants.ATTRIBUTEID_IMPLIED_ACTION,
+ Attribute impliesWrite = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
XMLSchemaConstants.DATATYPE_STRING,
- "WRITE"
+ new Write().getName()
);
- action.addAttribute(attribute);
action.addAttribute(impliesRead);
action.addAttribute(impliesWrite);
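Review bot: Putting the implied names on the request under `XACMLConstants.ATTRIBUTEID_ACTION_ID` (the `impliesRead` and `impliesWrite` attributes in `getAction()`) makes a "manage" request carry the action-id values manage, read and write at once. If the PDP evaluates the action designator as a bag, which is the usual XACML behaviour, a rule whose target is only "read" would also match a manage request, so a role granted read could be permitted manage; that is the reverse of "manage implies read". The same change is made in `getAction()` in Write.java. I would keep the implied values under `XACMLConstants.ATTRIBUTEID_IMPLIED_ACTION` as before, or express the implication on the policy side, and have TestImpliedActions assert that a read-only role is denied manage and write. `getAction()` continues past the end of this hunk.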
Added:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Operation.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Operation.java
(rev 0)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Operation.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -0,0 +1,87 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.action;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Action;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * Represents any Operation that can be performed on a Resource
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public abstract class Operation
+{
+ protected String name;
+
+ public Operation()
+ {
+
+ }
+
+ public String getName()
+ {
+ return this.name;
+ }
+ //-------Policy Generation
Services---------------------------------------------------------------------------------------------------------------------
+ /**
+ * A Target used for Matching this Action within a Policy Definition
+ *
+ * @return target
+ */
+ public Target getTarget()
+ {
+ Target target = new Target();
+
+ AttributeExpression expression = new AttributeExpression();
+ expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
+ XMLSchemaConstants.DATATYPE_STRING, this.name);
+ expression.setAttribute(attribute);
+
+ target.addActionMatch(expression);
+
+ return target;
+ }
+ //-------Request Context Generation
Services-------------------------------------------------------------------------------------------------------------
+ /**
+ * Creates this Action for the RequestContext
+ *
+ * @return action
+ */
+ public Action getAction()
+ {
+ Action action = new Action();
+
+ Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
+ XMLSchemaConstants.DATATYPE_STRING,
+ this.name
+ );
+ action.addAttribute(attribute);
+
+ return action;
+ }
+}
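Review bot: `name` is a mutable `protected` field that stays null unless a subclass constructor remembers to assign it, and `getTarget()` and `getAction()` pass it straight into the action-id `Attribute`. Since this string decides which rules an action matches, it should be fixed at construction: declare `private final String name;` and set it in `protected Operation(String name) { if (name == null) throw new IllegalArgumentException("name"); this.name = name; }`, with Read, Write and Manage calling `super("read")` and so on. The class Javadoc could also state that the name is compared with `FUNCTION_STRING_EQUAL` and is therefore case-sensitive.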
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Read.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Read.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Read.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -21,61 +21,15 @@
*/
package org.jboss.security.authz.components.action;
-import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
-import org.jboss.security.authz.model.Action;
-import org.jboss.security.authz.model.Target;
-
-import org.jboss.security.xacml.interfaces.XACMLConstants;
-import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
-
/**
* Read represents a "read" action that can be performed on a Resource
*
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
-public class Read
+public class Read extends Operation
{
public Read()
{
-
- }
- //-----Services for Policy
Generation------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * A Target used for Matching a "READ" Action within a Policy Definition
- *
- * @return target
- */
- public Target getTarget()
- {
- Target target = new Target();
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING, "READ");
- expression.setAttribute(attribute);
-
- target.addActionMatch(expression);
-
- return target;
- }
- //-----Services for Request
Generation----------------------------------------------------------------------------------------------------------------------
- /**
- * Creates a "READ" Action for the RequestContext
- *
- * @return action
- */
- public Action getAction()
- {
- Action action = new Action();
-
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING,
- "READ"
- );
- action.addAttribute(attribute);
-
- return action;
- }
+ this.name = "read";
+ }
}
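Review bot: The action name literal changes from "READ" to "read" here (and likewise "MANAGE" and "WRITE" in Manage.java and Write.java), while the target built in `Operation.getTarget()` matches with `XACMLConstants.FUNCTION_STRING_EQUAL`, which is case-sensitive. Any policy generated or stored before this revision with the uppercase names would presumably stop matching requests built by the new classes; whether that ends as a deny depends on how the enforcement point treats a not-applicable result, which is not visible here. A line in the class Javadoc such as `The action name is the lower-case string "read"; policies written with "READ" must be regenerated.` would record the break.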
Modified:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Write.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Write.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/action/Write.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -22,65 +22,34 @@
package org.jboss.security.authz.components.action;
import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.model.AttributeExpression;
import org.jboss.security.authz.model.Action;
-import org.jboss.security.authz.model.Target;
import org.jboss.security.xacml.interfaces.XACMLConstants;
import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
/**
- * Read represents a "Write" action that can be performed on a Resource
+ * Read represents a "write" action that can be performed on a Resource
*
* Write operation also implies that read operations are implied
*
* @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
*/
-public class Write
+public class Write extends Operation
{
public Write()
{
-
+ this.name = "write";
}
- //-----Services for Policy
Generation------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * A Target used for Matching a "WRITE" Action within a Policy Definition
- *
- * @return target
- */
- public Target getTarget()
- {
- Target target = new Target();
-
- AttributeExpression expression = new AttributeExpression();
- expression.setFunctionId(XACMLConstants.FUNCTION_STRING_EQUAL);
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING, "WRITE");
- expression.setAttribute(attribute);
-
- target.addActionMatch(expression);
-
- return target;
- }
- //-----Services for Request
Generation----------------------------------------------------------------------------------------------------------------------
- /**
- * Creates a "WRITE" Action for the RequestContext
- *
- * @return action
- */
+
+ @Override
public Action getAction()
{
- Action action = new Action();
-
- Attribute attribute = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
- XMLSchemaConstants.DATATYPE_STRING,
- "WRITE"
- );
- Attribute impliesRead = new Attribute(XACMLConstants.ATTRIBUTEID_IMPLIED_ACTION,
+ Action action = super.getAction();
+
+ Attribute impliesRead = new Attribute(XACMLConstants.ATTRIBUTEID_ACTION_ID,
XMLSchemaConstants.DATATYPE_STRING,
- "READ"
+ new Read().getName()
);
- action.addAttribute(attribute);
action.addAttribute(impliesRead);
return action;
Copied:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
(from rev 12795,
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/http/HttpResource.java)
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java
(rev 0)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/HttpResource.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -0,0 +1,131 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.security.authz.components.resource;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.HashMap;
+
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.Resource;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.xacml.ExpressionBuilder;
+
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * The HttpResource Policy Component represents a System Resource available via the HTTP
Protocol
+ *
+ * This Component provides an easy to use Developer API for generating commonly used
Expressions/Logic related to Http information that must be
+ * represented within an Authorization Policy
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ *
+ */
+public class HttpResource extends URIResource
+{
+ /**
+ * The HTTP Parameters that are used to access this resource
+ */
+ private Map<String, String> parameters;
+
+ /**
+ *
+ */
+ public HttpResource()
+ {
+ this.parameters = new HashMap<String, String>();
+ }
+
+ public Map<String, String> getParameters()
+ {
+ if(this.parameters == null)
+ {
+ this.parameters = new HashMap<String, String>();
+ }
+ return parameters;
+ }
+
+
+ public void setParameters(Map<String, String> parameters)
+ {
+ this.parameters = parameters;
+ }
+
+ public void addParameter(String name, String value)
+ {
+ this.getParameters().put(name, value);
+ }
+ //-------Services for Policy
Creation---------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Produces PolicyMeta used to generate a Policy object to be registered with the
Policy Server
+ *
+ * @return the policy meta data
+ */
+ public PolicyMetaData getPolicyMetaData()
+ {
+ PolicyMetaData metadata = super.getPolicyMetaData();
+
+ if(!this.getParameters().isEmpty())
+ {
+ Set<String> names = this.parameters.keySet();
+ for(String name: names)
+ {
+ String value = this.parameters.get(name);
+
+ AttributeExpression paramExpression =
ExpressionBuilder.getInstance().createCustomResourceExpression(name, value);
+ metadata.getTarget().addResourceMatch(paramExpression);
+ }
+ }
+
+ return metadata;
+ }
+ //---------Services for RequestContext
Generation------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Represents the Resource that is currently being accessed
+ *
+ * @return the Resource
+ */
+ public Resource getResource()
+ {
+ Resource urlResource = super.getResource();
+
+ if(!this.getParameters().isEmpty())
+ {
+ Set<String> names = this.parameters.keySet();
+ for(String name: names)
+ {
+ String value = this.parameters.get(name);
+
+ Attribute customAttribute = new Attribute();
+ customAttribute.setUri(name);
+ customAttribute.setDatatType(XMLSchemaConstants.DATATYPE_STRING);
+ customAttribute.setValue(value);
+ urlResource.addAttribute(customAttribute);
+ }
+ }
+
+ return urlResource;
+ }
+}
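Review bot: `getResource()` uses each parameter name directly as the attribute id (`customAttribute.setUri(name)`), so if the map is filled from the incoming HTTP request, the client chooses attribute ids in the XACML request. A parameter named like a standard identifier, for instance the value of `XACMLConstants.ATTRIBUTEID_RESOURCE_ID`, would add a second value alongside the one `URIResource.getResource()` sets. `addParameter` could reject such names, e.g. `if (XACMLConstants.ATTRIBUTEID_RESOURCE_ID.equals(name)) throw new IllegalArgumentException("reserved attribute id");` (this needs the `XACMLConstants` import), or all parameter attributes could share a dedicated prefix applied on both the policy and the request side.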
Added:
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/URIResource.java
===================================================================
---
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/URIResource.java
(rev 0)
+++
modules/authorization/trunk/core-components/src/main/java/org/jboss/security/authz/components/resource/URIResource.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -0,0 +1,235 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.components.resource;
+
+import java.net.URI;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Target;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.AttributeExpression;
+import org.jboss.security.authz.model.Resource;
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.xacml.ExpressionBuilder;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Operation;
+
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * Represents any System Resource uniquely identified by a URI
+ *
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class URIResource
+{
+ /**
+ * The unique URI that identifies this resource
+ */
+ protected URI uri;
+
+ /**
+ * Roles that are allowed access to this resource
+ */
+ protected Roles allowed;
+
+ /**
+ * Roles that are denied access to this resource
+ */
+ protected Roles denied;
+
+ /**
+ * Operation allowed on this resource
+ */
+ protected Operation operation;
+
+
+ public URIResource()
+ {
+
+ }
+
+ public URI getUri()
+ {
+ return uri;
+ }
+
+ public void setUri(URI uri)
+ {
+ this.uri = uri;
+ }
+
+ public Roles getAllowed()
+ {
+ if(this.allowed == null)
+ {
+ this.allowed = new Roles();
+ }
+ return allowed;
+ }
+
+ public void setAllowed(Roles allowed)
+ {
+ this.allowed = allowed;
+ }
+
+ public void addAllowed(String name)
+ {
+ this.getAllowed().addName(name);
+ }
+
+ public Roles getDenied()
+ {
+ if(this.denied == null)
+ {
+ this.denied = new Roles();
+ }
+ return denied;
+ }
+
+ public void setDenied(Roles denied)
+ {
+ this.denied = denied;
+ }
+
+ public void addDenied(String name)
+ {
+ this.getDenied().addName(name);
+ }
+
+ public Operation getOperation()
+ {
+ return operation;
+ }
+
+ public void setOperation(Operation operation)
+ {
+ this.operation = operation;
+ }
+ //-------Policy
Services--------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Creates a Policy Target suggesting that the Policy should apply to this
HttpResource
+ *
+ * @param matchAllParameters 'true' = include matching of all the parameters,
'false' = only url matching, parameters are excluded
+ */
+ private Target getTarget()
+ {
+ if(this.uri == null)
+ {
+ throw new IllegalStateException("URI Cannot Be Empty");
+ }
+
+ Target target = new Target();
+
+ AttributeExpression urlExpression =
ExpressionBuilder.getInstance().createResourceIdExpression(this.uri.toString());
+ target.addResourceMatch(urlExpression);
+
+
+ return target;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the allowed roles are permitted access to the
'Resource' designated in the Policy
+ *
+ * @return the rule
+ */
+ private Rule allowIfUserHasRole()
+ {
+ Rule rule = this.getAllowed().allowIfUserHasRole();
+
+ if(this.operation != null)
+ {
+ rule.setTarget(this.operation.getTarget());
+ }
+
+ return rule;
+ }
+
+ /**
+ * Creates a Policy Rule suggesting the denied roles are denied access to the
'Resource' designated in the Policy
+ *
+ * @return the role
+ */
+ private Rule denyIfUserHasRole()
+ {
+ Rule rule = this.getDenied().denyIfUserHasRole();
+
+ if(this.operation != null)
+ {
+ rule.setTarget(this.operation.getTarget());
+ }
+
+ return rule;
+ }
+
+ /**
+ * Produces PolicyMeta used to generate a Policy object to be registered with the
Policy Server
+ *
+ * @return the policy meta data
+ */
+ public PolicyMetaData getPolicyMetaData()
+ {
+ PolicyMetaData metadata = new PolicyMetaData();
+
+ Target target = this.getTarget();
+
+ Set<Rule> rules = new HashSet<Rule>();
+
+ //Permitted Roles
+ if(this.allowed != null)
+ {
+ rules.add(this.allowIfUserHasRole());
+ }
+
+ //Denied Roles
+ if(this.denied != null)
+ {
+ rules.add(this.denyIfUserHasRole());
+ }
+
+ metadata.setTarget(target);
+ metadata.setRules(rules);
+
+ return metadata;
+ }
+ //-------Request Context
Services---------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Represents the Resource that is currently being accessed
+ *
+ * @return the Resource
+ */
+ public Resource getResource()
+ {
+ Resource uriResource = new Resource();
+
+ Attribute attribute = new Attribute();
+ attribute.setUri(XACMLConstants.ATTRIBUTEID_RESOURCE_ID);
+ attribute.setDatatType(XMLSchemaConstants.DATATYPE_STRING);
+ attribute.setValue(this.uri.toString());
+ uriResource.addAttribute(attribute);
+
+ return uriResource;
+ }
+}
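Review bot: The resource id is `this.uri.toString()` in both `getTarget()` and `getResource()`, with no normalisation in `setUri`. If `createResourceIdExpression` compares the strings exactly (its body is not shown), two spellings of the same path, such as one containing `/./` or a trailing slash, would not match the policy written for the resource, and the request would fall outside it. Storing the canonical form once, `this.uri = (uri == null) ? null : uri.normalize();`, keeps the policy and the request on the same spelling. `getResource()` also lacks the null check that `getTarget()` has, so an unset URI ends in a NullPointerException there; the same `IllegalStateException("URI Cannot Be Empty")` guard would fit.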
Modified:
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java
===================================================================
---
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/core-components/src/test/java/org/jboss/security/authz/components/http/TestHttpResource.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -23,12 +23,13 @@
import java.util.HashSet;
import java.util.Set;
+import java.net.URI;
import junit.framework.TestCase;
import org.apache.log4j.Logger;
-import org.jboss.security.authz.components.http.HttpResource;
+import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.model.Target;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.model.Rule;
@@ -45,9 +46,9 @@
public void testGetURLTargetNoParameters() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/portal/admin-tool/modifyLayout");
+ httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
- Policy policy = new MockPolicy("testGetURLTargetNoParameters",
httpResource.getPolicyMetaData(false));
+ Policy policy = new MockPolicy("testGetURLTargetNoParameters",
httpResource.getPolicyMetaData());
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
@@ -56,12 +57,12 @@
public void testGetURLTargetWithParameters() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/portal/admin-tool/modifyLayout");
+ httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
- Policy policy = new MockPolicy("testGetURLTargetWithParameters",
httpResource.getPolicyMetaData(true));
+ Policy policy = new MockPolicy("testGetURLTargetWithParameters",
httpResource.getPolicyMetaData());
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
@@ -70,13 +71,13 @@
public void testRoleRules() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/portal/admin-tool/modifyLayout");
+ httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
- httpResource.addAllowedRole("admin");
- httpResource.addDeniedRole("anonymous");
+ httpResource.addAllowed("admin");
+ httpResource.addDenied("anonymous");
- Policy policy = new MockPolicy("testRoleRules",
httpResource.getPolicyMetaData(true));
+ Policy policy = new MockPolicy("testRoleRules",
httpResource.getPolicyMetaData());
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
@@ -85,13 +86,13 @@
public void testIPRules() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/portal/admin-tool/modifyLayout");
+ httpResource.setUri(new URI("/portal/admin-tool/modifyLayout"));
httpResource.addParameter("test1", "test1://value");
httpResource.addParameter("test2", "test2://value");
- httpResource.addAllowedRole("admin");
- httpResource.addDeniedRole("anonymous");
+ httpResource.addAllowed("admin");
+ httpResource.addDenied("anonymous");
- Policy policy = new MockPolicy("testIPRules",
httpResource.getPolicyMetaData(true));
+ Policy policy = new MockPolicy("testIPRules",
httpResource.getPolicyMetaData());
log.info("------------------------------------------------------------------");
log.info(policy.generateXACMLPolicy());
Modified:
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java
===================================================================
---
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/http-profile/src/main/java/org/jboss/security/authz/http/configuration/HttpPolicyConfig.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -22,6 +22,7 @@
******************************************************************************/
package org.jboss.security.authz.http.configuration;
+import java.net.URI;
import java.io.IOException;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
@@ -37,7 +38,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
-import org.jboss.security.authz.components.http.HttpResource;
+import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.model.Policy;
import org.jboss.security.authz.policy.server.plugin.HierarchialPolicy;
import org.jboss.security.authz.policy.server.spi.PolicyConfig;
@@ -82,7 +83,7 @@
this.parseRules(httpResource, aclRuleElem);
//Generate the policy from the HttpResource component
- Policy policy = new HierarchialPolicy(policyUri,
httpResource.getPolicyMetaData(true));
+ Policy policy = new HierarchialPolicy(policyUri,
httpResource.getPolicyMetaData());
cour.add(policy);
}
@@ -116,7 +117,7 @@
//Add RequestUri as a Resource To Match
String requestUri = requestUriElem.getTextContent();
- httpResource.setUrl(requestUri);
+ httpResource.setUri(new URI(requestUri));
//Process Parameters
NodeList parameters = resourceElem.getElementsByTagName("param");
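Review bot: `new URI(requestUri)` takes the element text as-is, and `getTextContent()` keeps the surrounding whitespace and line breaks of the XML, which `URI` rejects with a `URISyntaxException`. `httpResource.setUri(new URI(requestUri.trim()));` avoids that for indented configuration files. How the enclosing method handles the exception is outside this hunk; a resource entry that fails to parse should stop the configuration load rather than be skipped, since a skipped entry leaves that URI without a policy.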
@@ -166,7 +167,7 @@
{
Element roleNameElem = (Element)roleNodes.item(j);
String roleName = roleNameElem.getTextContent();
- httpResource.addAllowedRole(roleName);
+ httpResource.addAllowed(roleName);
}
}
Modified: modules/authorization/trunk/policy-server/pom.xml
===================================================================
--- modules/authorization/trunk/policy-server/pom.xml 2009-02-09 04:14:02 UTC (rev 12798)
+++ modules/authorization/trunk/policy-server/pom.xml 2009-02-09 09:06:31 UTC (rev 12799)
@@ -65,7 +65,7 @@
<artifactId>maven-surefire-plugin</artifactId>
<version>2.3.1</version>
<configuration>
- <includes>
+ <includes>
</includes>
</configuration>
</plugin>
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -25,6 +25,7 @@
import org.apache.log4j.Logger;
+import org.jboss.security.authz.xacml.PolicyUtil;
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
import org.jboss.security.authz.policy.server.PolicyServerException;
@@ -101,15 +102,19 @@
{
Response response = new Response();
- RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
+ RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
requestContext.setRequest(request.encode());
+ //requestContext.marshall(System.out);
+
RequestCtx xacmlRequestCtx =
(RequestCtx)requestContext.get(XACMLConstants.REQUEST_CTX);
ResponseCtx xacmlResponseCtx = this.policyDecisionPoint.evaluate(xacmlRequestCtx);
ResponseContext responseContext =
RequestResponseContextFactory.createResponseContext();
responseContext.set(XACMLConstants.RESPONSE_CTX, xacmlResponseCtx);
+ //responseContext.marshall(System.out);
+
if(responseContext.getDecision() == XACMLConstants.DECISION_PERMIT)
{
response.setAccessGranted(true);
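Review bot: The added lines `//requestContext.marshall(System.out);` and `//responseContext.marshall(System.out);` are commented-out debug code and should be dropped from the commit. If the XACML request and response need to be traceable, marshal them to a buffer and write them through the log4j logger at debug level behind an `isDebugEnabled()` check instead of `System.out`. The request carries subject attributes, so where that output lands should be controlled by logging configuration. The `PolicyUtil` import added in the first hunk of this file is not used in any line visible here and may be unnecessary. The method body continues past the end of the hunk.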
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/HierarchialPolicy.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -156,8 +156,11 @@
}
//Process the Rule Expression/Condition
- ConditionType condition = this.generateCondition(objectFactory,
rule.getExpression());
- ruleType.setCondition(condition);
+ if(rule.getExpression() != null)
+ {
+ ConditionType condition = this.generateCondition(objectFactory,
rule.getExpression());
+ ruleType.setCondition(condition);
+ }
policyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(ruleType);
}
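Review bot: The new guard `if(rule.getExpression() != null)` emits a rule without an expression with no `Condition` at all, which in XACML makes the rule apply to every request its target matches. For a Permit rule that is the widest possible outcome, so it should be stated in the code. I would add `// No expression: the rule is emitted without a Condition and applies whenever its target matches` above the `if`. An empty or blank expression still reaches `generateCondition`, whose handling of it is not visible in this hunk; it is worth deciding explicitly whether a blank expression from configuration is an error or equivalent to null. The enclosing loop and method begin outside the hunk.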
Added:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestImpliedActions.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestImpliedActions.java
(rev 0)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestImpliedActions.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -0,0 +1,136 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.policy.server;
+
+import java.net.URI;
+
+import junit.framework.TestCase;
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Attribute;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Rule;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Resource;
+import org.jboss.security.authz.model.Subject;
+import org.jboss.security.authz.enforcement.Request;
+import org.jboss.security.authz.enforcement.Response;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.action.Operation;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.components.action.Manage;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.policy.server.PolicyServer;
+import org.jboss.security.authz.tools.GeneralTool;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.security.xacml.interfaces.XMLSchemaConstants;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestImpliedActions extends TestCase
+{
+ private static Logger log = Logger.getLogger(TestImpliedActions.class);
+
+ private PolicyServer policyServer;
+
+ public void setUp() throws Exception
+ {
+ Server.bootstrap();
+ this.policyServer =
(PolicyServer)Server.lookup("/policy-server/PolicyServer");
+ }
+
+ public void tearDown() throws Exception
+ {
+ }
+
+ public void testReadImpliedWithWrite() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/blah/index.html"));
+ resource.setOperation(new Read());
+ resource.addAllowed("user");
+
+
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+
+ policyServer.newPolicy(metadata);
+ this.assertServerState();
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ this.enforce(this.createRequest(resource, new Write()), true);
+ }
+ //------------------------------------------------------------------------------------------------------------------------------------------------------
+ private Request createRequest(URIResource uriResource, Operation operation) throws
Exception
+ {
+ //Create a RequestType
+ Request request = new Request();
+
+ //Create Resource
+ Resource urlResource = uriResource.getResource();
+ request.addResource(urlResource);
+
+ //Create Subjects
+ Subject subject = new Subject();
+ Attribute subjectAttr = new Attribute(XACMLConstants.ATTRIBUTEID_ROLE,
+ XMLSchemaConstants.DATATYPE_STRING, "user");
+ subject.addAttribute(subjectAttr);
+ request.addSubject(subject);
+
+ //Create Action
+ request.setAction(operation.getAction());
+
+ return request;
+ }
+
+ private void enforce(Request request, boolean mustBePermitted) throws Exception
+ {
+
+ Response response = this.policyServer.evaluate(request);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ private void assertServerState() throws Exception
+ {
+ //Assert Policy State of the Server
+ Policy[] policies = policyServer.readAllPolicies();
+
+ assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length == 1));
+ log.info("------------------------------------------------------------------------------");
+ log.info(policies[0].generateXACMLPolicy());
+ }
+}
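Review bot: `testReadImpliedWithWrite` builds the policy with `resource.setOperation(new Read())` and then expects a `new Write()` request to be permitted, so as written it pins that a Read grant authorises Write. If the intended hierarchy is the one the test name suggests (Write implies Read), the two operations look swapped and should read `resource.setOperation(new Write());` and `this.enforce(this.createRequest(resource, new Read()), true);`. The semantics of `Read`, `Write` and `Manage` are defined outside this hunk, so this needs confirming against those classes. There is also no deny case: the `mustBePermitted == false` branch of `enforce` is never exercised, and an implied-action feature needs a test asserting that the weaker grant does not permit the stronger operation. Finally, `tearDown` is empty while `assertServerState` requires exactly one stored policy, which will break as soon as a second test is added unless the store is reset between tests.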
Modified:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestPolicyServer.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestPolicyServer.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestPolicyServer.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -21,11 +21,12 @@
*/
package org.jboss.security.authz.policy.server;
+import java.net.URI;
import junit.framework.TestCase;
import org.apache.log4j.Logger;
import org.jboss.security.authz.model.Policy;
-import org.jboss.security.authz.components.http.HttpResource;
+import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.policy.server.PolicyServer;
/**
@@ -50,10 +51,10 @@
public void testNewPolicy() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/blah/index.html");
+ httpResource.setUri(new URI("/blah/index.html"));
httpResource.addParameter("param1", "param1Value");
- policyServer.newPolicy(httpResource.getPolicyMetaData(true));
+ policyServer.newPolicy(httpResource.getPolicyMetaData());
//Assert Policy State of the Server
Policy[] policies = policyServer.readAllPolicies();
Modified:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java 2009-02-09
04:14:02 UTC (rev 12798)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/plugin/TestEnterprisePolicyFinderModule.java 2009-02-09
09:06:31 UTC (rev 12799)
@@ -21,6 +21,8 @@
*/
package org.jboss.security.authz.policy.server.plugin;
+import java.net.URI;
+
import junit.framework.TestCase;
import org.apache.log4j.Logger;
@@ -30,7 +32,7 @@
import org.jboss.security.authz.model.Subject;
import org.jboss.security.authz.model.Action;
import org.jboss.security.authz.model.Attribute;
-import org.jboss.security.authz.components.http.HttpResource;
+import org.jboss.security.authz.components.resource.HttpResource;
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
import org.jboss.security.authz.policy.server.PolicyServer;
@@ -61,12 +63,12 @@
public void testNewPolicyEnforcement() throws Exception
{
HttpResource httpResource = new HttpResource();
- httpResource.setUrl("/blah/index.html");
+ httpResource.setUri(new URI("/blah/index.html"));
httpResource.addParameter("param1", "param1Value");
httpResource.addParameter("param2", "param2Value");
- httpResource.addAllowedRole("Admin");
+ httpResource.addAllowed("Admin");
- PolicyMetaData policyMetaData = httpResource.getPolicyMetaData(true);
+ PolicyMetaData policyMetaData = httpResource.getPolicyMetaData();
policyServer.newPolicy(policyMetaData);