[jboss-cvs] JBossAS SVN: r63113 - in projects/security/security-docs/trunk/docs/guide/en: modules and 1 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu May 17 02:19:56 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-05-17 02:19:55 -0400 (Thu, 17 May 2007)
New Revision: 63113
Added:
projects/security/security-docs/trunk/docs/guide/en/modules/impl/jbossauthorizationmgr.xml
Modified:
projects/security/security-docs/trunk/docs/guide/en/master.xml
projects/security/security-docs/trunk/docs/guide/en/modules/authorizationmgr.xml
Log:
SECURITY-53: integration doc
Modified: projects/security/security-docs/trunk/docs/guide/en/master.xml
===================================================================
--- projects/security/security-docs/trunk/docs/guide/en/master.xml 2007-05-17 05:48:52 UTC (rev 63112)
+++ projects/security/security-docs/trunk/docs/guide/en/master.xml 2007-05-17 06:19:55 UTC (rev 63113)
@@ -14,6 +14,7 @@
<!ENTITY seccontextfactory SYSTEM "modules/impl/seccontextfactory.xml">
<!ENTITY seccontextassociation SYSTEM "modules/impl/seccontextassociation.xml">
<!ENTITY jbossauthenticationmgr SYSTEM "modules/impl/jbossauthenticationmgr.xml">
+<!ENTITY jbossauthorizationmgr SYSTEM "modules/impl/jbossauthorizationmgr.xml">
]>
<book lang="en">
<bookinfo>
@@ -71,4 +72,5 @@
&seccontextassociation;
&jbossauthenticationmgr;
+ &jbossauthorizationmgr;
</book>
Modified: projects/security/security-docs/trunk/docs/guide/en/modules/authorizationmgr.xml
===================================================================
--- projects/security/security-docs/trunk/docs/guide/en/modules/authorizationmgr.xml 2007-05-17 05:48:52 UTC (rev 63112)
+++ projects/security/security-docs/trunk/docs/guide/en/modules/authorizationmgr.xml 2007-05-17 06:19:55 UTC (rev 63113)
@@ -77,4 +77,101 @@
//Return the contextual map
public Map getMap();
}</programlisting>
+
+ <para>An authorization module interface looks as follows:</para>
+
+ <programlisting>package org.jboss.security.authorization;
+
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ * Represents a Policy Decision Module that is used by the
+ * Authorization Context
+ */
+public interface AuthorizationModule
+{
+ /**
+ * Abort the Authorization Process
+ * @return true - abort passed, false-otherwise
+ */
+ boolean abort() throws AuthorizationException;
+
+ /**
+ * Overall authorization process has succeeded.
+ * The module can commit any decisions it has made, with
+ * third party systems like a database.
+ * @return
+ */
+ boolean commit() throws AuthorizationException;
+
+ /**
+ * Initialize the module
+ *
+ * @param subject the authenticated subject
+ * @param handler CallbackHandler
+ * @param sharedState state shared with other configured modules
+ * @param options options specified in the Configuration
+ * for this particular module
+ */
+ void initialize(Subject subject, CallbackHandler handler,
+ Map sharedState, Map options);
+
+ /**
+ * Authorize the resource
+ * @param resource
+ * @return AuthorizationContext.PERMIT or AuthorizationContext.DENY
+ */
+ int authorize(Resource resource);
+
+ /**
+ * A final cleanup opportunity offered
+ * @return cleanup by the module passed or not
+ */
+ boolean destroy();
+}</programlisting>
+
+ <para>There is a PolicyRegistration interface that implementers can use to
+ provide a mechanism to register policies (example: XACML Policy). The
+ interface looks as follows:</para>
+
+ <programlisting>package org.jboss.security.authorization;
+
+/**
+ * Interface to register policies
+ */
+public interface PolicyRegistration
+{
+ /**
+ * Register a policy given the location and a context id
+ * @param contextID
+ * @param location location of the Policy File
+ */
+ void registerPolicy(String contextID, URL location);
+
+ /**
+ *
+ * Register a policy given a xml based stream and a context id
+ *
+ * @param contextID
+ * @param stream InputStream that is an XML stream
+ */
+ void registerPolicy(String contextID, InputStream stream);
+
+ /**
+ * Unregister a policy
+ * @param contextID Context ID
+ */
+ void deRegisterPolicy(String contextID);
+
+ /**
+ * Obtain the registered policy for the context id
+ * @param contextID Context ID
+ * @param contextMap A map that can be used by the implementation
+ * to determine the policy choice (typically null)
+ */
+ Object getPolicy(String contextID, Map contextMap);
+}</programlisting>
</chapter>
\ No newline at end of file
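Review bot: The PolicyRegistration listing (the second programlisting, `package org.jboss.security.authorization;` through `}`) references `URL`, `InputStream` and `Map` but shows no import lines, whereas the AuthorizationModule listing above it shows its imports in full; a reader copying the outline gets unresolved symbols. Adding `import java.io.InputStream;`, `import java.net.URL;` and `import java.util.Map;` after the package line would make the two listings consistent. In the AuthorizationModule listing the `@return` tag on `commit()` is empty and `@param resource` on `authorize` has no text; by analogy with the `abort()` Javadoc, `@return true - commit passed, false otherwise` and `@param resource the resource being accessed` would complete them, assuming that is the intended contract.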
Added: projects/security/security-docs/trunk/docs/guide/en/modules/impl/jbossauthorizationmgr.xml
===================================================================
--- projects/security/security-docs/trunk/docs/guide/en/modules/impl/jbossauthorizationmgr.xml (rev 0)
+++ projects/security/security-docs/trunk/docs/guide/en/modules/impl/jbossauthorizationmgr.xml 2007-05-17 06:19:55 UTC (rev 63113)
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<chapter id="jbossauthorizationmgr">
+ <title>JBoss Authorization Manager</title>
+
+ <para>JBossSX includes an implementation of the AuthorizationManager
+ interface called as JBossAuthorizationManager. Very fine-grained and
+ pluggable authorization can be obtained via the authorization module
+ implementations. This implementation also provides the PolicyRegistration
+ interface support.</para>
+
+ <para>The outline of the class looks as follows:</para>
+
+ <programlisting>package org.jboss.security.plugins;
+...
+import static org.jboss.security.SecurityConstants.ROLES_IDENTIFIER;
+
+/**
+ * Authorization Manager implementation
+ */
+public class JBossAuthorizationManager
+implements AuthorizationManager,PolicyRegistration
+{
+ private String securityDomain;
+
+ private Map contextIdToPolicy = new HashMap();
+ protected boolean trace = log.isTraceEnabled();
+
+ private CallbackHandler callbackHandler = null;
+
+ public JBossAuthorizationManager(String securityDomainName)
+ {
+ }
+
+ public JBossAuthorizationManager(String securityDomainName, CallbackHandler cbh)
+ {
+ }
+
+ /**
+ * @see AuthorizationManager#authorize(Resource)
+ */
+ public int authorize(Resource resource) throws AuthorizationException
+ {
+ String SUBJECT_CONTEXT_KEY = SecurityConstants.SUBJECT_CONTEXT_KEY;
+ Subject subject = null;
+ try
+ {
+ subject = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
+ }
+ catch (PolicyContextException e)
+ {
+ log.error("Error obtaining AuthenticatedSubject:",e);
+ }
+ AuthorizationContext ac = new JBossAuthorizationContext(this.securityDomain,subject,
+ this.callbackHandler );
+ return ac.authorize(resource);
+ }
+
+ /** Does the current Subject have a role(a Principal) that equates to one
+ of the role names. This method obtains the Group named 'Roles' from
+ the principal set of the currently authenticated Subject as determined
+ by the SecurityAssociation.getSubject() method and then creates a
+ SimplePrincipal for each name in roleNames. If the role is a member of the
+ Roles group, then the user has the role. This requires that the caller
+ establish the correct SecurityAssociation subject prior to calling this
+ method. In the past this was done as a side-effect of an isValid() call,
+ but this is no longer the case.
+
+ @param principal - ignored. The current authenticated Subject determines
+ the active user and assigned user roles.
+ @param rolePrincipals - a Set of Principals for the roles to check.
+
+ @see java.security.acl.Group;
+ @see Subject#getPrincipals()
+ */
+ public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
+ {
+ }
+
+ /** Does the current Subject have a role(a Principal) that equates to one
+ of the role names.
+
+ @see #doesUserHaveRole(Principal, Set)
+
+ @param principal - ignored. The current authenticated Subject determines
+ the active user and assigned user roles.
+ @param role - the application domain role that the principal is to be
+ validated against.
+ @return true if the active principal has the role, false otherwise.
+ */
+ public boolean doesUserHaveRole(Principal principal, Principal role)
+ {
+ }
+
+ /** Return the set of domain roles the current active Subject 'Roles' group
+ found in the subject Principals set.
+
+ @param principal - ignored. The current authenticated Subject determines
+ the active user and assigned user roles.
+ @return The Set<Principal> for the application domain roles that the
+ principal has been assigned.
+ */
+ public Set getUserRoles(Principal principal)
+ {
+ }
+
+
+ /** Check that the indicated application domain role is a member of the
+ user's assigned roles. This handles the special AnybodyPrincipal and
+ NobodyPrincipal independent of the Group implementation.
+
+ @param role , the application domain role required for access
+ @param userRoles , the set of roles assigned to the user
+ @return true if role is in userRoles or an AnybodyPrincipal instance, false
+ if role is a NobodyPrincipal or no a member of userRoles
+ */
+ protected boolean doesRoleGroupHaveRole(Principal role, Group userRoles)
+ {
+ }
+
+ /**
+ * @see PolicyRegistration#registerPolicy(String, URL)
+ */
+ public void registerPolicy(String contextID, URL location)
+ {
+ }
+
+ /**
+ * @see PolicyRegistration#registerPolicy(String, InputStream)
+ */
+ public void registerPolicy(String contextID, InputStream stream)
+ {
+ }
+
+ /**
+ * @see PolicyRegistration#deRegisterPolicy(String)
+ */
+ public void deRegisterPolicy(String contextID)
+ {
+ }
+
+ /**
+ * @see PolicyRegistration#getPolicy(String, Map)
+ */
+ public Object getPolicy(String contextID, Map contextMap)
+ {
+ }
+
+ /**
+ * @see AuthorizationManager#getTargetRoles(Principal, Map)
+ */
+ public Group getTargetRoles(Principal targetPrincipal, Map contextMap)
+ {
+ throw new RuntimeException("Not implemented");
+ }
+}</programlisting>
+</chapter>
\ No newline at end of file
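Review bot: In `authorize(Resource)` a `PolicyContextException` is only logged, after which a `JBossAuthorizationContext` is constructed with a null `subject` and `ac.authorize(resource)` is still called; whether a missing subject ends in DENY depends on JBossAuthorizationContext, which this chapter does not show, so the outline as written leaves the fail-closed question open. Since the method already declares `throws AuthorizationException`, the catch block could rethrow instead of continuing, e.g. `throw new AuthorizationException("Error obtaining AuthenticatedSubject: " + e.getMessage());` (preserving the cause if the exception type allows it), or the chapter text should state explicitly what a null subject means for the decision. Minor style points in the same listing: `String SUBJECT_CONTEXT_KEY` is a local variable in constant-case, and `getTargetRoles` signals an unimplemented operation with `RuntimeException("Not implemented")` where `UnsupportedOperationException` is the conventional type.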