[jboss-cvs] JBossAS SVN: r67662 - in trunk/security: src/main/org/jboss/security/integration and 3 other directories.
Fri Nov 30 14:36:26 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-11-30 14:36:26 -0500 (Fri, 30 Nov 2007)
New Revision: 67662
Added:
trunk/security/src/main/org/jboss/security/integration/web/
trunk/security/src/main/org/jboss/security/integration/web/WebAuthorizationHelper.java
Modified:
trunk/security/.classpath
trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java
trunk/security/src/main/org/jboss/security/integration/ejb/SecurityHelper.java
trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
Log:
JBAS-5025: WebResource/EJBResource changes
Modified: trunk/security/.classpath
===================================================================
--- trunk/security/.classpath 2007-11-30 19:35:50 UTC (rev 67661)
+++ trunk/security/.classpath 2007-11-30 19:36:26 UTC (rev 67662)
@@ -5,7 +5,7 @@
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
<classpathentry kind="lib" path="/thirdparty/jboss/jbosssx/lib/jbosssx.jar" sourcepath="/thirdparty/jboss/security/lib/jbosssx-sources.jar"/>
<classpathentry kind="lib" path="/thirdparty/jboss/jboss-security-spi/lib/jboss-security-spi.jar" sourcepath="/thirdparty/jboss/jboss-security-spi/lib/jboss-security-spi-sources.jar"/>
- <classpathentry kind="lib" path="/thirdparty/jboss/jboss-jaspi-api/lib/jboss-jaspi-api.jar" />
+ <classpathentry kind="lib" path="/thirdparty/jboss/jboss-jaspi-api/lib/jboss-jaspi-api.jar"/>
<classpathentry kind="lib" path="/thirdparty/jboss/common-logging-spi/lib/jboss-logging-spi.jar" sourcepath="/thirdparty/jboss/common-logging-spi/lib/jboss-logging-spi-sources.jar"/>
<classpathentry kind="lib" path="/thirdparty/jboss/common-logging-spi/lib/jboss-logging-spi-sources.jar"/>
<classpathentry kind="lib" path="/thirdparty/javassist/lib/javassist.jar" sourcepath="/thirdparty/javassist/lib/javassist-src.jar"/>
@@ -19,5 +19,6 @@
<classpathentry kind="lib" path="/thirdparty/junit/lib/junit.jar" sourcepath="/thirdparty/junit/lib/junit-src.zip"/>
<classpathentry kind="lib" path="/thirdparty/jboss/jboss-javaee/lib/jboss-javaee.jar" sourcepath="/thirdparty/jboss/jboss-javaee/lib/jboss-javaee-sources.jar"/>
<classpathentry kind="lib" path="/thirdparty/jboss/microcontainer/lib/jboss-deployers-core-spi.jar" sourcepath="/thirdparty/jboss/microcontainer/lib/jboss-deployers-core-spi-sources.jar"/>
+ <classpathentry kind="lib" path="/thirdparty/jboss/metadata/lib/jboss-metadata.jar" sourcepath="/thirdparty/jboss/metadata/lib/jboss-metadata-sources.jar"/>
<classpathentry kind="output" path="output/eclipse-classes"/>
</classpath>
Modified: trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java
===================================================================
--- trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java 2007-11-30 19:35:50 UTC (rev 67661)
+++ trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java 2007-11-30 19:36:26 UTC (rev 67662)
@@ -25,15 +25,16 @@
import java.security.CodeSource;
import java.security.Principal;
import java.util.HashMap;
-import java.util.Map;
+import java.util.HashSet;
import java.util.Set;
-import javax.security.auth.Subject;
+import javax.security.auth.Subject;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityRoleRef;
import org.jboss.security.audit.AuditLevel;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.ResourceKeys;
@@ -78,17 +79,28 @@
AuthorizationManager am = securityContext.getAuthorizationManager();
HashMap<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
+ /*
map.put(ResourceKeys.EJB_NAME , ejbName);
map.put(ResourceKeys.EJB_METHOD,ejbMethod);
map.put(ResourceKeys.EJB_PRINCIPAL, ejbPrincipal);
map.put(ResourceKeys.EJB_METHODINTERFACE, invocationInterfaceString);
map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
map.put(ResourceKeys.CALLER_SUBJECT, callerSubject);
- map.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
map.put(ResourceKeys.RUNASIDENTITY, callerRunAs);
map.put(ResourceKeys.EJB_METHODROLES, methodRoles);
+ */
+ EJBResource ejbResource = new EJBResource(map);
+ ejbResource.setCallerRunAsIdentity(callerRunAs);
+ ejbResource.setEjbName(ejbName);
+ ejbResource.setEjbMethod(ejbMethod);
+ ejbResource.setPrincipal(ejbPrincipal);
+ ejbResource.setEjbMethodInterface(invocationInterfaceString);
+ ejbResource.setCodeSource(ejbCS);
+ ejbResource.setCallerRunAsIdentity(callerRunAs);
+ ejbResource.setCallerSubject(callerSubject);
+ ejbResource.setMethodRoles(methodRoles);
- EJBResource ejbResource = new EJBResource(map);
boolean isAuthorized = false;
try
{
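Review bot: `ejbResource.setCallerRunAsIdentity(callerRunAs);` is called twice in the rewritten setup (once right after the constructor and again after `setCodeSource`); the second call is redundant and should be dropped. The old `map.put(...)` block is left in as a commented-out stretch rather than deleted, which will mislead the next reader into thinking the keys are still populated. Since the map handed to `EJBResource` now carries only `AUTHORIZATION_MANAGER`, an audit built from `resource.getMap()` no longer records ejbName, method, principal or runAs unless `EJBResource.toString()` renders them — confirm that, or the success/failure audit entries for EJB authorization lose their context; the same applies to the `isCallerInRole` hunk below, which also moves its keys out of the map. The enclosing method begins outside this hunk.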
@@ -123,7 +135,8 @@
return caller;
}
- public boolean isCallerInRole(String roleName,String ejbName, Principal ejbPrincipal,Set securityRoleRefs )
+ public boolean isCallerInRole(String roleName,String ejbName, Principal ejbPrincipal,
+ Set<SecurityRoleRef> securityRoleRefs )
{
boolean isAuthorized = false;
AuthorizationManager am = securityContext.getAuthorizationManager();
@@ -132,15 +145,21 @@
throw new IllegalStateException("AuthorizationManager is null");
HashMap<String,Object> map = new HashMap<String,Object>();
- map.put(ResourceKeys.EJB_NAME ,ejbName);
- map.put(ResourceKeys.EJB_PRINCIPAL, ejbPrincipal);
+
map.put(ResourceKeys.AUTHORIZATION_MANAGER,am);
- map.put(ResourceKeys.RUNASIDENTITY, securityContext.getIncomingRunAs());
- map.put(ResourceKeys.SECURITY_ROLE_REFERENCES, securityRoleRefs);
map.put(ResourceKeys.ROLENAME, roleName);
map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
-
+
+
EJBResource ejbResource = new EJBResource(map);
+
+ RunAs callerRunAs = securityContext.getIncomingRunAs();
+
+ ejbResource.setEjbName(ejbName);
+ ejbResource.setPrincipal(ejbPrincipal);
+ ejbResource.setCallerRunAsIdentity(callerRunAs);
+ ejbResource.setSecurityRoleReferences(securityRoleRefs);
+
try
{
int check = am.authorize(ejbResource);
@@ -154,21 +173,5 @@
authorizationAudit(AuditLevel.ERROR,ejbResource,e);
}
return isAuthorized;
- }
-
-
- //******************************************************
- // Audit Methods
- //******************************************************
-
- private void authorizationAudit(String level, EJBResource resource, Exception e)
- {
- //Authorization Exception stacktrace is huge. Scale it down
- //as the original stack trace can be seen in server.log (if needed)
- String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
- Map<String,Object> cmap = new HashMap<String,Object>();
- cmap.putAll(resource.getMap());
- cmap.put("Exception:", exceptionMessage);
- audit(level,cmap,null);
- }
-}
+ }
+}
\ No newline at end of file
Modified: trunk/security/src/main/org/jboss/security/integration/ejb/SecurityHelper.java
===================================================================
--- trunk/security/src/main/org/jboss/security/integration/ejb/SecurityHelper.java 2007-11-30 19:35:50 UTC (rev 67661)
+++ trunk/security/src/main/org/jboss/security/integration/ejb/SecurityHelper.java 2007-11-30 19:36:26 UTC (rev 67662)
@@ -28,6 +28,7 @@
import org.jboss.logging.Logger;
import org.jboss.security.SecurityContext;
import org.jboss.security.audit.AuditEvent;
+import org.jboss.security.authorization.Resource;
//$Id$
@@ -56,14 +57,25 @@
//******************************************************
// Audit Methods
//******************************************************
+ protected void authorizationAudit(String level, Resource resource, Exception e)
+ {
+ //Authorization Exception stacktrace is huge. Scale it down
+ //as the original stack trace can be seen in server.log (if needed)
+ String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
+ Map<String,Object> cmap = new HashMap<String,Object>();
+ cmap.putAll(resource.getMap());
+ cmap.put("Resource:", resource.toString());
+ cmap.put("Exception:", exceptionMessage);
+ audit(level,cmap,null);
+ }
+
protected void audit(String level,
Map<String,Object> contextMap, Exception e)
{
contextMap.put("Source", getClass().getName());
AuditEvent ae = new AuditEvent(level,contextMap,e);
securityContext.getAuditManager().audit(ae);
- }
-
+ }
protected Map<String,Object> getContextMap(Principal principal, String methodName)
{
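Review bot: `authorizationAudit` is now a shared protected hook for the EJB and web helpers but has no Javadoc; add `/** Records the outcome of an authorization check for {@code resource} at the given audit level; {@code e} is null when no exception was raised. */` above it. The added `cmap.put("Resource:", resource.toString())` line puts whatever each `Resource` implementation renders into the audit trail — a `WebResource` holds the `ServletRequest` and caller `Subject`, so check that its `toString()` does not emit request parameters or the Subject's credentials into audit records. `resource.getMap()` is also dereferenced unconditionally in `cmap.putAll`; if any Resource can be built with a null map, the audit path would throw an NPE from inside the catch block of the caller and mask the original authorization result.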
@@ -72,4 +84,4 @@
cmap.put("method", methodName);
return cmap;
}
-}
+}
\ No newline at end of file
Added: trunk/security/src/main/org/jboss/security/integration/web/WebAuthorizationHelper.java
===================================================================
--- trunk/security/src/main/org/jboss/security/integration/web/WebAuthorizationHelper.java (rev 0)
+++ trunk/security/src/main/org/jboss/security/integration/web/WebAuthorizationHelper.java 2007-11-30 19:36:26 UTC (rev 67662)
@@ -0,0 +1,153 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.integration.web;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.jboss.security.AuthorizationManager;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.AuthorizationException;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.authorization.resources.WebResource;
+import org.jboss.security.integration.ejb.SecurityHelper;
+
+//$Id$
+
+/**
+ * Helper Class for Web Authorization
+ * @author Anil.Saldhana at redhat.com
+ * @since Nov 26, 2007
+ * @version $Revision$
+ */
+public class WebAuthorizationHelper extends SecurityHelper
+{
+ private boolean enableAudit = true;
+
+ public WebAuthorizationHelper(SecurityContext sc, boolean enableAudit)
+ {
+ super(sc);
+ this.enableAudit = enableAudit;
+ }
+
+ public boolean checkResourcePermission(Map<String, Object> contextMap,
+ ServletRequest request, ServletResponse response,
+ Subject callerSubject, AuthorizationManager authzMgr, String canonicalRequestURI)
+ {
+ boolean isAuthorized = false;
+
+ WebResource webResource = new WebResource(Collections.unmodifiableMap(contextMap));
+ webResource.setServletRequest(request);
+ webResource.setServletResponse(response);
+ webResource.setCallerSubject(callerSubject);
+ webResource.setCanonicalRequestURI(canonicalRequestURI);
+
+ try
+ {
+ int permit = authzMgr.authorize(webResource);
+ isAuthorized = (permit == AuthorizationContext.PERMIT);
+ String level = (permit == AuthorizationContext.PERMIT ? AuditLevel.SUCCESS : AuditLevel.FAILURE);
+ if(this.enableAudit)
+ this.authorizationAudit(level,webResource, null);
+ }
+ catch (AuthorizationException e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace("hasResourcePermission check failed:"+e.getLocalizedMessage());
+ if(this.enableAudit)
+ authorizationAudit(AuditLevel.ERROR,webResource,e);
+ }
+ return isAuthorized;
+ }
+
+ public boolean hasRole(String roleName, Principal principal, String servletName,
+ Set<Principal> principalRoles, AuthorizationManager authzMgr)
+ {
+ boolean hasTheRole = false;
+ Map<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.ROLENAME, roleName);
+ map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
+ map.put(ResourceKeys.SERVLET_NAME, servletName);
+ map.put(ResourceKeys.PRINCIPAL_ROLES, principalRoles);
+
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER, authzMgr);
+
+ WebResource webResource = new WebResource(Collections.unmodifiableMap(map));
+ webResource.setPrincipal(principal);
+ try
+ {
+ int permit = authzMgr.authorize(webResource);
+ hasTheRole = (permit == AuthorizationContext.PERMIT);
+ String level = (hasTheRole ? AuditLevel.SUCCESS : AuditLevel.FAILURE);
+ if(this.enableAudit)
+ this.authorizationAudit(level,webResource, null);
+ }
+ catch (AuthorizationException e)
+ {
+ hasTheRole = false;
+ if(log.isTraceEnabled())
+ log.trace("hasRole check failed:"+e.getLocalizedMessage());
+ if(this.enableAudit)
+ authorizationAudit(AuditLevel.ERROR,webResource,e);
+ }
+ return hasTheRole;
+ }
+
+ public boolean hasUserDataPermission(Map<String,Object> contextMap,
+ ServletRequest request, ServletResponse response,
+ AuthorizationManager authzMgr)
+ {
+ boolean hasPerm = false;
+ contextMap.put(ResourceKeys.AUTHORIZATION_MANAGER, authzMgr);
+
+ WebResource webResource = new WebResource(Collections.unmodifiableMap(contextMap));
+ webResource.setServletRequest(request);
+ webResource.setServletResponse(response);
+ try
+ {
+ int permit = authzMgr.authorize(webResource);
+ hasPerm = (permit == AuthorizationContext.PERMIT);
+ String level = (hasPerm ? AuditLevel.SUCCESS : AuditLevel.FAILURE);
+ if(this.enableAudit)
+ this.authorizationAudit(level,webResource, null);
+ }
+ catch (AuthorizationException e)
+ {
+ hasPerm = false;
+ if(log.isTraceEnabled())
+ log.trace("hasRole check failed:"+e.getLocalizedMessage());
+ if(this.enableAudit)
+ authorizationAudit(AuditLevel.ERROR,webResource,e);
+ }
+ return hasPerm;
+ }
+}
\ No newline at end of file
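Review bot: The trace message in `hasUserDataPermission`'s catch block was copied from `hasRole` and misattributes failures; change it to `log.trace("hasUserDataPermission check failed:"+e.getLocalizedMessage());`. `hasUserDataPermission` also writes `AUTHORIZATION_MANAGER` into the caller's `contextMap` before wrapping it, so the caller's map is mutated, and `Collections.unmodifiableMap` is only a view, so the `WebResource` in both it and `checkResourcePermission` still sees any later change the caller makes to that map; copying into a fresh `HashMap` first, as `hasRole` does, keeps the resource self-contained. `checkResourcePermission` is the only one of the three that does not place `AUTHORIZATION_MANAGER` in the map, so if the authorization modules read it from the map that check runs without it — confirm this is intentional. The three public methods also lack Javadoc stating the return contract (false on a denied check and on `AuthorizationException`).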
Modified: trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2007-11-30 19:35:50 UTC (rev 67661)
+++ trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2007-11-30 19:36:26 UTC (rev 67662)
@@ -38,7 +38,10 @@
import org.jboss.security.AuthorizationManager;
import org.jboss.security.SecurityConstants;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
+import org.jboss.security.authorization.AuthorizationException;
+import org.jboss.security.authorization.EntitlementHolder;
import org.jboss.security.authorization.Resource;
+import org.jboss.security.identity.Identity;
import org.jboss.system.ServiceMBeanSupport;
import org.jboss.util.CachePolicy;
@@ -60,16 +63,14 @@
/** The log4j interface */
private static Logger log = Logger.getLogger(AuthorizationManagerService.class);
private static String authorizationMgrClassName = SecurityConstants.DEFAULT_AUTHORIZATION_CLASS;
- private static Class authorizationMgrClass = JBossAuthorizationManager.class;
+ private static Class<?> authorizationMgrClass = JBossAuthorizationManager.class;
- private static Hashtable authorizationManagersMap = new Hashtable();
-
- private static int defaultCacheTimeout = 30*60;
- private static int defaultCacheResolution = 60;
-
+ private static Hashtable<String,AuthorizationManager> authorizationManagersMap
+ = new Hashtable<String,AuthorizationManager>();
+
/** The JAAS CallbackHandler interface implementation to use */
private static String callbackHandlerClassName = "org.jboss.security.auth.callback.SecurityAssociationHandler";
- private static Class callbackHandlerClass = SecurityAssociationHandler.class;
+ private static Class<?> callbackHandlerClass = SecurityAssociationHandler.class;
/**
* @see AuthorizationManagerServiceMBean#setAuthorizationManagerClassName(String)
@@ -115,7 +116,7 @@
/**
* @see AuthorizationManager#doesUserHaveRole(Principal, Set)
*/
- public boolean doesUserHaveRole(Principal principal, Set roles)
+ public boolean doesUserHaveRole(Principal principal, Set<Principal> roles)
{
String str = "Use getAuthorizationManager method and then call doesUserHaveRole";
throw new IllegalStateException(str);
@@ -212,11 +213,7 @@
log.debug("Created AuthorizationManager="+securityMgr);
CachePolicy cachePolicy = JaasSecurityManagerService.lookupCachePolicy(securityDomain);
- log.debug("Found Cache Policy="+cachePolicy);
- /*TimedCachePolicy cachePolicy = new TimedCachePolicy(defaultCacheTimeout,
- true, defaultCacheResolution);
- cachePolicy.create();
- cachePolicy.start(); */
+ log.debug("Found Cache Policy="+cachePolicy);
// See if the security mgr supports an externalized cache policy
setSecurityDomainCache(securityMgr, cachePolicy);
}
@@ -252,7 +249,7 @@
}
}
- public Group getTargetRoles(Principal targetPrincipal, Map contextMap)
+ public Group getTargetRoles(Principal targetPrincipal, Map<String, Object> contextMap)
{
throw new RuntimeException("Not implemented");
}
@@ -260,5 +257,11 @@
public String getSecurityDomain()
{
throw new RuntimeException("Call the method on the authorization manager");
- }
-}
+ }
+
+ public EntitlementHolder<?> entitlements(Resource resource, Identity identity)
+ throws AuthorizationException
+ {
+ throw new RuntimeException("Call the method on the authorization manager");
+ }
+}
\ No newline at end of file
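Review bot: The new `entitlements` stub throws a bare `RuntimeException`, while the sibling `doesUserHaveRole` in this class throws `IllegalStateException` for the same "use the real authorization manager" situation; use `throw new UnsupportedOperationException("Call the method on the authorization manager");` (or match `IllegalStateException`) so callers can distinguish a deliberately unsupported operation from an unexpected failure. It also lacks the `@see AuthorizationManager#...` Javadoc the other delegating methods carry; add `/** @see AuthorizationManager#entitlements(Resource, Identity) */` above it.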