[jboss-cvs] JBossAS SVN: r67661 - in trunk/tomcat/src/main/org/jboss/web/tomcat/security: authorization/delegates and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Nov 30 14:35:50 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-11-30 14:35:50 -0500 (Fri, 30 Nov 2007)
New Revision: 67661
Modified:
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/delegates/WebJACCPolicyModuleDelegate.java
Log:
JBAS-5025: WebResource changes
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-11-30 19:35:25 UTC (rev 67660)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-11-30 19:35:50 UTC (rev 67661)
@@ -27,7 +27,6 @@
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
@@ -66,10 +65,8 @@
import org.jboss.security.audit.AuditManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;
-import org.jboss.security.authorization.AuthorizationContext;
-import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.ResourceKeys;
-import org.jboss.security.authorization.resources.WebResource;
+import org.jboss.security.integration.web.WebAuthorizationHelper;
//$Id$
@@ -114,7 +111,7 @@
* false - consider, true - do not consider
*/
protected boolean ignoreBaseDecision = false;
-
+
/**
* Set the class name of the CertificatePrincipal used for mapping X509 cert
* chains to a Princpal.
@@ -128,7 +125,7 @@
try
{
ClassLoader loader = Thread.currentThread().getContextClassLoader();
- Class cpClass = loader.loadClass(className);
+ Class<?> cpClass = loader.loadClass(className);
certMapping = (CertificatePrincipal) cpClass.newInstance();
}
catch (Exception e)
@@ -165,14 +162,13 @@
public void setIgnoreBaseDecision(boolean ignoreBaseDecision)
{
this.ignoreBaseDecision = ignoreBaseDecision;
- }
+ }
//*************************************************************************
// Realm.Authenticate Methods
//*************************************************************************
-
-/**
+ /**
* Return the Principal associated with the specified chain of X509 client
* certificates. If there is none, return <code>null</code>.
*
@@ -465,15 +461,22 @@
Subject caller = this.establishSubjectContext(request.getPrincipal());
- Map<String,Object> map = new HashMap<String,Object>();
- map.put(ResourceKeys.WEB_REQUEST, request);
- map.put(ResourceKeys.WEB_RESPONSE, response);
- map.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
- map.put(ResourceKeys.WEB_CONTEXT, context);
- map.put(ResourceKeys.CALLER_SUBJECT, caller);
- map.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
- int permit = authorize(map);
- boolean authzDecision = (permit == AuthorizationContext.PERMIT);
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+ AuthorizationManager am = getAuthorizationManager();
+ Map<String,Object> contextMap = new HashMap<String,Object>();
+ contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
+ contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
+
+ contextMap.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
+
+ WebAuthorizationHelper helper = new WebAuthorizationHelper(sc, this.enableAudit);
+ boolean authzDecision = helper.checkResourcePermission(contextMap, request, response,
+ caller, am,
+ requestURI(request));
+
+ //Do an AND of the RealmBase decision and the authorization framework decision
+ //By default, the authorization framework always returns PERMIT such that the
+ //decision of the realm base holds.
boolean finalDecision = baseDecision && authzDecision;
if(trace)
log.trace("hasResourcePerm:RealmBase says:" + baseDecision +
@@ -536,14 +539,11 @@
}
boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
- Map<String,Object> map = new HashMap<String,Object>();
- map.put(ResourceKeys.ROLENAME, roleName);
- map.put(ResourceKeys.HASROLE_PRINCIPAL, principal);
- map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
- map.put(ResourceKeys.SERVLET_NAME, servletName);
- map.put(ResourceKeys.PRINCIPAL_ROLES, this.getPrincipalRoles(principal));
- int permit = authorize(map);
- boolean authzDecision = (permit == AuthorizationContext.PERMIT);
+
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+ WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
+ boolean authzDecision = wah.hasRole(roleName, principal, servletName,
+ getPrincipalRoles(principal), getAuthorizationManager());
boolean finalDecision = baseDecision && authzDecision;
if(trace)
log.trace("hasRole:RealmBase says:" + baseDecision +
@@ -561,13 +561,18 @@
Principal requestPrincipal = request.getPrincipal();
establishSubjectContext(requestPrincipal);
Map<String,Object> map = new HashMap<String,Object>();
- map.put(ResourceKeys.WEB_REQUEST, request);
- map.put(ResourceKeys.WEB_RESPONSE, response);
+
map.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, constraints);
map.put(ResourceKeys.USERDATA_PERM_CHECK, Boolean.TRUE);
- int permit = authorize(map);
- boolean ok = (permit == AuthorizationContext.PERMIT);
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext();
+ AuthorizationManager am = getAuthorizationManager();
+
+ if(am == null)
+ throw new IllegalStateException("Null AuthorizationManager for SC:"+sc.getSecurityDomain());
+ WebAuthorizationHelper wah = new WebAuthorizationHelper(sc, this.enableAudit);
+ boolean ok = wah.hasUserDataPermission(map, request, response, am);
+
/* If the constraint is not valid delegate to super to redirect to the
ssl port if allowed
*/
@@ -596,11 +601,11 @@
Subject subject)
{
// Cache the user roles in the principal
- Set userRoles = realmMapping.getUserRoles(authPrincipal);
- ArrayList roles = new ArrayList();
+ Set<Principal> userRoles = realmMapping.getUserRoles(authPrincipal);
+ ArrayList<String> roles = new ArrayList<String>();
if (userRoles != null)
{
- Iterator iterator = userRoles.iterator();
+ Iterator<Principal> iterator = userRoles.iterator();
while (iterator.hasNext())
{
Principal role = (Principal) iterator.next();
@@ -663,13 +668,13 @@
* and visible from the HttpServletRequest.getUserPrincipal
* @return a possible null Set<Principal> for the caller roles
*/
- protected Set getPrincipalRoles(Principal principal)
+ protected Set<Principal> getPrincipalRoles(Principal principal)
{
if( (principal instanceof GenericPrincipal) == false )
throw new IllegalStateException("Expected GenericPrincipal, but saw: "+principal.getClass());
GenericPrincipal gp = (GenericPrincipal) principal;
String[] roleNames = gp.getRoles();
- Set userRoles = new HashSet();
+ Set<Principal> userRoles = new HashSet<Principal>();
if( roleNames != null )
{
for(int n = 0; n < roleNames.length; n ++)
@@ -684,31 +689,6 @@
//*****************************************************************************
// PRIVATE METHODS
//*****************************************************************************
- private int authorize(Map<String,Object> map)
- {
- AuthorizationManager authzMgr = this.getAuthorizationManager();
- if(authzMgr == null)
- throw new IllegalStateException("Authorization manager is null");
-
- map.put(ResourceKeys.AUTHORIZATION_MANAGER, authzMgr);
- Map readOnlyMap = Collections.unmodifiableMap(map);
- WebResource webResource = new WebResource(readOnlyMap);
- int permit = AuthorizationContext.DENY;
- try
- {
- permit = authzMgr.authorize(webResource);
- String level = (permit == AuthorizationContext.PERMIT ? AuditLevel.SUCCESS : AuditLevel.FAILURE);
- authorizationAudit(level,webResource);
- }
- catch (AuthorizationException e)
- {
- if(trace)
- log.trace("hasResourcePermission:",e);
- permit = AuthorizationContext.DENY;
- authorizationAudit(AuditLevel.ERROR,webResource);
- }
- return permit;
- }
/**
* Ensure that the JACC PolicyContext Subject handler has access to the
@@ -796,7 +776,7 @@
org.apache.catalina.Context context)
{
SecurityConstraint[] scarr = null;
- Class[] sig = {Request.class, Context.class};
+ Class<?>[] sig = {Request.class, Context.class};
Object[] args = {request, context};
Method findsc = null;
@@ -807,11 +787,12 @@
Policy policy = Policy.getPolicy();
findsc = policy.getClass().getMethod("findSecurityConstraints", sig);
scarr = (SecurityConstraint[])findsc.invoke(policy, args);
- }catch(Throwable t)
+ }
+ catch(Throwable t)
{
if(trace)
log.error("Error obtaining security constraints from policy",t);
-}
+ }
//If the policy provider did not provide the security constraints
//check if a seperate SC provider is plugged in
if(scarr == null || scarr.length == 0)
@@ -827,7 +808,7 @@
//Try to call the method on the provider class
try
{
- Class clazz = Thread.currentThread().getContextClassLoader().loadClass(securityConstraintProviderClass);
+ Class<?> clazz = SecurityAssociationActions.loadClass(securityConstraintProviderClass);
Object obj = clazz.newInstance();
findsc = clazz.getMethod("findSecurityConstraints", sig);
if(trace)
@@ -926,13 +907,4 @@
cmap.put("principal", principal);
audit(AuditLevel.ERROR,cmap,e);
}
-
- private void authorizationAudit(String level, WebResource resource)
- {
- if(!enableAudit)
- return;
- Map<String,Object> cmap = new HashMap<String,Object>();
- cmap.putAll(resource.getMap());
- audit(level,cmap,null);
- }
}
\ No newline at end of file
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-11-30 19:35:25 UTC (rev 67660)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-11-30 19:35:50 UTC (rev 67661)
@@ -294,4 +294,15 @@
{
AccessController.doPrivileged(ClearAuthExceptionAction.ACTION);
}
+
+ static Class<?> loadClass(final String fqn) throws PrivilegedActionException
+ {
+ return (Class<?>)AccessController.doPrivileged(new PrivilegedExceptionAction()
+ {
+ public Object run() throws PrivilegedActionException, ClassNotFoundException
+ {
+ return Thread.currentThread().getContextClassLoader().loadClass(fqn);
+ }
+ });
+ }
}
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java 2007-11-30 19:35:25 UTC (rev 67660)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/WebUtil.java 2007-11-30 19:35:50 UTC (rev 67661)
@@ -29,7 +29,7 @@
sb.append("[").append(httpRequest.getContextPath());
sb.append(":cookies=").append(httpRequest.getCookies()).append(":headers=");
//Append Header information
- Enumeration en = httpRequest.getHeaderNames();
+ Enumeration<?> en = httpRequest.getHeaderNames();
for(;en.hasMoreElements();)
{
String headerName = (String)en.nextElement();
@@ -39,7 +39,7 @@
sb.append("]");
//Append Request parameter information
sb.append("[parameters=");
- Enumeration enparam = httpRequest.getParameterNames();
+ Enumeration<?> enparam = httpRequest.getParameterNames();
for(;enparam.hasMoreElements();)
{
String paramName = (String)enparam.nextElement();
@@ -51,7 +51,7 @@
}
sb.append("][attributes=");
//Append Request attribute information
- Enumeration enu = httpRequest.getAttributeNames();
+ Enumeration<?> enu = httpRequest.getAttributeNames();
for(;enu.hasMoreElements();)
{
String attrName = (String)enu.nextElement();
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/delegates/WebJACCPolicyModuleDelegate.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/delegates/WebJACCPolicyModuleDelegate.java 2007-11-30 19:35:25 UTC (rev 67660)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/delegates/WebJACCPolicyModuleDelegate.java 2007-11-30 19:35:50 UTC (rev 67661)
@@ -34,12 +34,8 @@
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
-import javax.servlet.http.HttpServletRequest;
-
-import org.apache.catalina.Context;
-import org.apache.catalina.connector.Request;
-import org.apache.catalina.connector.Response;
-import org.apache.catalina.deploy.SecurityConstraint;
+import javax.servlet.http.HttpServletRequest;
+
import org.jboss.logging.Logger;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.authorization.AuthorizationContext;
@@ -47,6 +43,7 @@
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.AuthorizationModuleDelegate;
+import org.jboss.security.authorization.resources.WebResource;
import org.jboss.web.tomcat.security.JaccContextValve;
@@ -75,8 +72,13 @@
*/
public int authorize(Resource resource)
{
+ if(resource instanceof WebResource == false)
+ throw new IllegalArgumentException("resource is not WebResource");
+
+ WebResource webResource = (WebResource) resource;
+
//Get the contextual map
- Map map = resource.getMap();
+ Map<String,Object> map = resource.getMap();
if(map == null)
throw new IllegalStateException("Map from the Resource is null");
@@ -88,20 +90,25 @@
throw new IllegalStateException("Authorization Manager is null");
//Get the Catalina Request Object
- Request request = (Request)map.get(ResourceKeys.WEB_REQUEST);
+ /*Request request = (Request)map.get(ResourceKeys.WEB_REQUEST);
Response response = (Response)map.get(ResourceKeys.WEB_RESPONSE);
SecurityConstraint[] constraints = (SecurityConstraint[])
map.get(ResourceKeys.WEB_SECURITY_CONSTRAINTS);
Context context = (Context)map.get(ResourceKeys.WEB_CONTEXT);
+ */
+ HttpServletRequest request = (HttpServletRequest) webResource.getServletRequest();
+
//Obtained by establishing subject context
- Subject callerSubject = (Subject)map.get(ResourceKeys.CALLER_SUBJECT);
- String roleName = (String)map.get(ResourceKeys.ROLENAME);
- Principal principal = (Principal)map.get(ResourceKeys.HASROLE_PRINCIPAL);
- Set roles = (Set)map.get(ResourceKeys.PRINCIPAL_ROLES);
+ Subject callerSubject = webResource.getCallerSubject();
+ Principal principal = webResource.getPrincipal();
+ String canonicalURI = webResource.getCanonicalRequestURI();
+
+ Set<Principal> roles = (Set<Principal>)map.get(ResourceKeys.PRINCIPAL_ROLES);
String servletName = (String)map.get(ResourceKeys.SERVLET_NAME);
Boolean resourceCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.RESOURCE_PERM_CHECK));
Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK));
Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK));
+ String roleName = (String)map.get(ResourceKeys.ROLENAME);
validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck);
@@ -110,10 +117,10 @@
try
{
if(resourceCheck)
- decision = this.hasResourcePermission(request, response, constraints, context, callerSubject);
+ decision = this.hasResourcePermission(request, callerSubject, principal, canonicalURI);
else
if(userDataCheck)
- decision = this.hasUserDataPermission(request, response, constraints);
+ decision = this.hasUserDataPermission(request, canonicalURI);
else
if(roleRefCheck)
decision = this.hasRole(principal, roleName, roles, servletName);
@@ -136,21 +143,6 @@
{
this.policyRegistration = authzM;
}
-
- /**
- * Get the canonical request uri from the request mapping data requestPath
- * @param request
- * @return the request URI path
- */
- static String requestURI(Request request)
- {
- String uri = request.getMappingData().requestPath.getString();
- if( uri == null || uri.equals("/") )
- {
- uri = "";
- }
- return uri;
- }
//****************************************************************************
// PRIVATE METHODS
@@ -169,16 +161,7 @@
Subject caller)
{
// Get the caller principals, its null if there is no caller
- Principal[] principals = null;
- /*
- if( caller != null )
- {
- if( trace )
- log.trace("No active subject found, using ");
- Set principalsSet = caller.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
- }*/
+ Principal[] principals = null;
//Previously we relied on principals in the subject. Now we use
//the security context roles
@@ -238,14 +221,11 @@
* @return
* @throws IOException
*/
- private boolean hasResourcePermission(Request request, Response response,
- SecurityConstraint[] securityConstraints, Context context, Subject caller)
+ private boolean hasResourcePermission(HttpServletRequest httpRequest,
+ Subject caller, Principal requestPrincipal, String canonicalURI)
throws IOException
{
- Principal requestPrincipal = request.getPrincipal();
- HttpServletRequest httpRequest = request.getRequest();
- String uri = requestURI(request);
- WebResourcePermission perm = new WebResourcePermission(uri, httpRequest.getMethod());
+ WebResourcePermission perm = new WebResourcePermission(canonicalURI, httpRequest.getMethod());
boolean allowed = checkSecurityAssociation(perm, requestPrincipal, caller );
if( trace )
log.trace("hasResourcePermission, perm="+perm+", allowed="+allowed);
@@ -259,7 +239,7 @@
* @param roles
* @return
*/
- private boolean hasRole(Principal principal, String roleName, Set roles, String servletName)
+ private boolean hasRole(Principal principal, String roleName, Set<Principal> roles, String servletName)
{
WebRoleRefPermission perm = new WebRoleRefPermission(servletName, roleName);
Principal[] principals = {principal};
@@ -285,12 +265,10 @@
* @return
* @throws IOException
*/
- private boolean hasUserDataPermission(Request request, Response response,
- SecurityConstraint[] constraints) throws IOException
- {
- HttpServletRequest httpRequest = request.getRequest();
- String uri = requestURI(request);
- WebUserDataPermission perm = new WebUserDataPermission(uri, httpRequest.getMethod());
+ private boolean hasUserDataPermission(HttpServletRequest httpRequest,
+ String canonicalURI) throws IOException
+ {
+ WebUserDataPermission perm = new WebUserDataPermission(canonicalURI, httpRequest.getMethod());
if( trace )
log.trace("hasUserDataPermission, p="+perm);
boolean ok = false;
@@ -325,4 +303,4 @@
|| (userDataCheck == Boolean.TRUE && roleRefCheck == Boolean.TRUE))
throw new IllegalStateException("Permission checks must be different");
}
-}
+}
\ No newline at end of file
More information about the jboss-cvs-commits
mailing list