Author: sohil.shah(a)jboss.com
Date: 2009-05-09 14:35:59 -0400 (Sat, 09 May 2009)
New Revision: 13330
Added:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestHierarchialPropagation.java
Modified:
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Request.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
Log:
First successful pass at recursive (hierarchical) access checks for resources identified by a tree-structured URI.
Modified:
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Request.java
===================================================================
---
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Request.java 2009-05-08
19:18:25 UTC (rev 13329)
+++
modules/authorization/trunk/enforcement/src/main/java/org/jboss/security/authz/enforcement/Request.java 2009-05-09
18:35:59 UTC (rev 13330)
@@ -45,6 +45,11 @@
private Action action;
private Environment environment;
+ /**
+ * Used to indicate if this request should go through access check based on the tree
hierarchy of resources represented by its unique resource URI
+ */
+ private boolean activateHierarchialEnforcement;
+
public Request()
{
this.resources = new HashSet<Resource>();
@@ -101,6 +106,17 @@
this.subjects.add(subject);
}
+
+ public boolean isActivateHierarchialEnforcement()
+ {
+ return activateHierarchialEnforcement;
+ }
+
+ public void setActivateHierarchialEnforcement(boolean activateHierarchialEnforcement)
+ {
+ this.activateHierarchialEnforcement = activateHierarchialEnforcement;
+ }
+
public RequestType encode()
{
RequestType jaxbObject = new RequestType();
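Review bot: The new flag is not carried by `encode()`, whose body starts at the end of this hunk and is not touched anywhere in this commit, so `activateHierarchialEnforcement` only reaches the decision point when the `Request` object itself is handed over in-process; an enforcement point that transmits the encoded `RequestType` loses it silently. If that is intended, state it on the field: `/** In-process only: not part of the encoded XACML RequestType. */`. Because the setter is public, the requester decides whether a NotApplicable decision is escalated into an ancestor walk, so the setter's Javadoc should also say that only trusted enforcement points are expected to set it. `encode()` continues outside the hunk.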
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-05-08
19:18:25 UTC (rev 13329)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/decision/PolicyDecisionPoint.java 2009-05-09
18:35:59 UTC (rev 13330)
@@ -26,6 +26,7 @@
import java.io.OutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
+import java.util.StringTokenizer;
import org.apache.log4j.Logger;
@@ -33,7 +34,10 @@
import org.jboss.security.authz.enforcement.Request;
import org.jboss.security.authz.enforcement.Response;
import org.jboss.security.authz.policy.server.PolicyServerException;
+import org.jboss.security.authz.model.Resource;
+import org.jboss.security.authz.model.Attribute;
+
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
@@ -43,6 +47,7 @@
import org.jboss.security.xacml.sunxacml.PDPConfig;
import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
import org.jboss.security.xacml.sunxacml.ctx.ResponseCtx;
+import org.jboss.security.xacml.core.model.context.RequestType;
/**
* This component processes all incoming Authorization requests and responds with a
response
@@ -137,41 +142,13 @@
{
try
{
- Response response = new Response();
- RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
- requestContext.setRequest(request.encode());
-
- requestContext.marshall(System.out);
-
- RequestCtx xacmlRequestCtx =
(RequestCtx)requestContext.get(XACMLConstants.REQUEST_CTX);
- ResponseCtx xacmlResponseCtx = this.policyDecisionPoint.evaluate(xacmlRequestCtx);
-
- ResponseContext responseContext =
RequestResponseContextFactory.createResponseContext();
- responseContext.set(XACMLConstants.RESPONSE_CTX, xacmlResponseCtx);
-
- responseContext.marshall(System.out);
-
- if(responseContext.getDecision() == XACMLConstants.DECISION_PERMIT)
- {
- response.setAccessGranted(true);
- response.setMessage("permit");
- }
- else if(responseContext.getDecision() == XACMLConstants.DECISION_DENY)
- {
- response.setAccessGranted(false);
- response.setMessage("deny");
- }
- else if(responseContext.getDecision() == XACMLConstants.DECISION_INDETERMINATE)
- {
- response.setAccessGranted(false);
- response.setMessage("indeterminate");
- }
- else if(responseContext.getDecision() == XACMLConstants.DECISION_NOT_APPLICABLE)
- {
- response.setAccessGranted(false);
- response.setMessage("notapplicable");
- }
+ if(request.isActivateHierarchialEnforcement())
+ {
+ return this.checkHierarchialAccess(request);
+ }
+
+ Response response = this.check(request.encode());
return response;
}
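Review bot: The dispatch on `request.isActivateHierarchialEnforcement()` lets the requester, rather than policy or server configuration, choose whether a NotApplicable decision is re-evaluated against ancestor resources, and nothing in `evaluate` is documenting that trust assumption. Add to the method's Javadoc: `/** When the request asks for hierarchical enforcement, a NotApplicable decision is re-evaluated against each ancestor of the resource URI; the caller is trusted to set that flag. */`. The `try` opened at the top of this hunk has its `catch` clause outside the hunk, so how a failure during the ancestor walk is reported cannot be reviewed here.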
@@ -213,4 +190,98 @@
{
return this.policyDecisionPoint;
}
+ //-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private Response checkHierarchialAccess(Request request) throws Exception
+ {
+ Response response = new Response();
+
+ //Check for explicit access control
+ response = this.check(request.encode());
+
+ if(response.isNotApplicable())
+ {
+ //Need to go into snapshot mode
+ Resource resource = request.getResources().iterator().next();
+ Attribute uri = resource.getAttributes().iterator().next();
+ String fullResourceURI = uri.getValue();
+
+ StringBuilder buffer = new StringBuilder("/");
+ StringTokenizer tokenizer = new StringTokenizer(fullResourceURI, "/");
+ Response permitResponse = null;
+ while(tokenizer.hasMoreTokens())
+ {
+ buffer.append(tokenizer.nextToken());
+ uri.setValue(buffer.toString());
+
+ response = this.check(request.encode());
+
+ if(response.getMessage().equalsIgnoreCase("deny"))
+ {
+ permitResponse = null;
+ break;
+ }
+
+ if(response.isAccessGranted())
+ {
+ permitResponse = response;
+ }
+
+ buffer.append("/");
+ }
+
+ if(permitResponse == null)
+ {
+ response = new Response();
+ response.setAccessGranted(false);
+ response.setMessage("deny");
+ }
+ else
+ {
+ response = permitResponse;
+ }
+ }
+
+ return response;
+ }
+
+ private Response check(RequestType xacmlRequest) throws Exception
+ {
+ Response response = new Response();
+
+ //Check for explicit access control
+ RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
+ requestContext.setRequest(xacmlRequest);
+ requestContext.marshall(System.out);
+
+ RequestCtx xacmlRequestCtx =
(RequestCtx)requestContext.get(XACMLConstants.REQUEST_CTX);
+ ResponseCtx xacmlResponseCtx = this.policyDecisionPoint.evaluate(xacmlRequestCtx);
+
+ ResponseContext responseContext =
RequestResponseContextFactory.createResponseContext();
+ responseContext.set(XACMLConstants.RESPONSE_CTX, xacmlResponseCtx);
+
+ responseContext.marshall(System.out);
+
+ if(responseContext.getDecision() == XACMLConstants.DECISION_PERMIT)
+ {
+ response.setAccessGranted(true);
+ response.setMessage("permit");
+ }
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_DENY)
+ {
+ response.setAccessGranted(false);
+ response.setMessage("deny");
+ }
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_INDETERMINATE)
+ {
+ response.setAccessGranted(false);
+ response.setMessage("indeterminate");
+ }
+ else if(responseContext.getDecision() == XACMLConstants.DECISION_NOT_APPLICABLE)
+ {
+ response.setAccessGranted(false);
+ response.setMessage("notapplicable");
+ }
+
+ return response;
+ }
}
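Review bot: `uri.setValue(buffer.toString())` in `checkHierarchialAccess` rewrites the caller's resource attribute in place and never restores it, so after the walk the `Request` names whichever prefix was evaluated last (the full URI on a complete walk, or the ancestor at which a deny broke the loop), and any reuse or logging of that request then refers to the wrong resource; wrap the loop in `try { … } finally { uri.setValue(fullResourceURI); }`, or evaluate a copy of the request per prefix. The walk also assumes exactly one resource with one attribute via `iterator().next()` on a `HashSet`: with several resources an arbitrary one is checked and the others never are, and an empty set throws `NoSuchElementException` into `evaluate`'s catch clause (outside this hunk), so guard with `if(request.getResources().size() != 1) { … return deny }` before the walk. Only a literal `"deny"` message stops the loop while an `indeterminate` answer at an ancestor is skipped like `notapplicable`, so an evaluation error at one level can be papered over by a permit at another; for fail-closed behaviour use `if(!response.isAccessGranted() && !response.isNotApplicable())` as the break condition. Prefixes are compared textually, so a path that is not normalized before it reaches here (`..` segments, encoded slashes) would inherit the wrong ancestors' policies — confirm the PEP normalizes the URI, or do it here.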
Added:
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestHierarchialPropagation.java
===================================================================
---
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestHierarchialPropagation.java
(rev 0)
+++
modules/authorization/trunk/policy-server/src/test/java/org/jboss/security/authz/policy/server/TestHierarchialPropagation.java 2009-05-09
18:35:59 UTC (rev 13330)
@@ -0,0 +1,250 @@
+/*
+* JBoss, a division of Red Hat
+* Copyright 2006, Red Hat Middleware, LLC, and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+*/
+package org.jboss.security.authz.policy.server;
+
+import java.net.URI;
+
+import junit.framework.TestCase;
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+import org.jboss.security.authz.model.Resource;
+
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Operation;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.components.action.Manage;
+
+import org.jboss.security.authz.enforcement.Request;
+import org.jboss.security.authz.enforcement.Response;
+import org.jboss.security.authz.policy.server.PolicyServer;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class TestHierarchialPropagation extends TestCase
+{
+ private static Logger log = Logger.getLogger(TestHierarchialPropagation.class);
+
+ private PolicyServer policyServer;
+
+ public void setUp() throws Exception
+ {
+ Server.bootstrap();
+ this.policyServer =
(PolicyServer)Server.lookup("/policy-server/PolicyServer");
+ }
+
+ public void tearDown() throws Exception
+ {
+ }
+
+ public void testExplicitPermit() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1/level2/index.html"));
+ resource.setOperation(new Read());
+ resource.addAllowed("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), true);
+ }
+
+ public void testExplicitDeny() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1/level2/index.html"));
+ resource.setOperation(new Read());
+ resource.addDenied("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), false);
+ }
+
+ public void testPermitInheritance() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1"));
+ resource.setOperation(new Read());
+ resource.addAllowed("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), true);
+ }
+
+ public void testDenyInheritance() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1"));
+ resource.setOperation(new Read());
+ resource.addDenied("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), false);
+ }
+
+ public void testDenyOverridesPermitInheritance() throws Exception
+ {
+ //SetUp Permit policy
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root/level1"));
+ resource.setOperation(new Read());
+ resource.addAllowed("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Setup denied policy
+ resource = new URIResource();
+ resource.setUri(new URI("/root/level1/level2"));
+ resource.setOperation(new Read());
+ resource.addDenied("user");
+
+ //Provision the new policy
+ metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), false);
+ }
+
+ public void testNotApplicable() throws Exception
+ {
+ //SetUp Resource
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/root2"));
+ resource.setOperation(new Read());
+ resource.addAllowed("user");
+
+ //Provision the new policy
+ PolicyMetaData metadata = resource.getPolicyMetaData();
+ policyServer.newPolicy(metadata);
+
+ //Go ahead and produce a RequestContext for a "Permit" Enforcement
+ URIResource contextResource = new URIResource();
+ contextResource.setUri(new URI("/root/level1/level2/index.html"));
+ contextResource.setOperation(new Read());
+
+ //Perform enforcement
+ this.enforce(this.createRequest(contextResource), false);
+ }
+ //------------------------------------------------------------------------------------------------------------------------------------------------------
+ private Request createRequest(URIResource uriResource) throws Exception
+ {
+ //Create a RequestType
+ Request request = new Request();
+
+ //Enable Hierarchial Enforcement
+ request.setActivateHierarchialEnforcement(true);
+
+ //Create Resource
+ Resource urlResource = uriResource.getResource();
+ request.addResource(urlResource);
+
+ //Create Subjects
+ Roles roles = new Roles();
+ roles.addName("user");
+ request.addSubject(roles.getSubject());
+
+ //Create Action
+ request.setAction(uriResource.getOperation().getAction());
+
+ return request;
+ }
+
+ private void enforce(Request request, boolean mustBePermitted) throws Exception
+ {
+
+ Response response = this.policyServer.evaluate(request);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ private void assertServerState() throws Exception
+ {
+ //Assert Policy State of the Server
+ Policy[] policies = policyServer.readAllPolicies();
+
+ assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length == 1));
+ log.info("------------------------------------------------------------------------------");
+ log.info(policies[0].generateXACMLPolicy());
+ }
+}
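Review bot: `tearDown` is empty while every test provisions another policy through `policyServer.newPolicy`, so unless `Server.bootstrap()` resets the store on each `setUp`, the deny policy from `testExplicitDeny` on `/root/level1/level2/index.html` is still present when `testPermitInheritance` expects a permit on the same URI, and the result depends on the combining algorithm and on JUnit's method order. Either remove the provisioned policies in `tearDown` or give each test its own URI subtree. `enforce` only checks `isAccessGranted`, so `testNotApplicable` and `testExplicitDeny` cannot distinguish an explicit deny from a fall-through; also assert the message, e.g. `assertEquals("deny", response.getMessage())`. `assertServerState` is never called and its `policies.length == 1` expectation would fail once a second policy exists, so either wire it in with a per-test count or drop it.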