[jboss-cvs] JBossAS SVN: r81312 - projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources.
Wed Nov 19 13:44:53 EST 2008
Author: anil.saldhana at jboss.com
Date: 2008-11-19 13:44:53 -0500 (Wed, 19 Nov 2008)
New Revision: 81312
Added:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/SecurityActions.java
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java
Log:
SECURITY-326: make the web audit configurable
Added: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/SecurityActions.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/SecurityActions.java (rev 0)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/SecurityActions.java 2008-11-19 18:44:53 UTC (rev 81312)
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.authorization.resources;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ * @author Anil.Saldhana at redhat.com
+ * @since November 19, 2008
+ */
+class SecurityActions
+{
+ static String getSystemProperty(final String key, final String defaultValue)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<String>()
+ {
+ public String run()
+ {
+ return System.getProperty(key, defaultValue);
+ }
+ });
+ }
+}
\ No newline at end of file
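Review bot: SecurityActions exists only to hold a static helper, yet nothing prevents it from being instantiated; add `private SecurityActions() {}` so the class reads as the utility it is. getSystemProperty carries no Javadoc, and the reason for the wrapper is not obvious from the one-line body; a comment such as `/** Reads a system property inside a privileged block so the permission check stops at this class's protection domain; returns defaultValue when the property is unset. */` would tell the next reader why callers go through this class rather than System.getProperty directly. The file also ends without a trailing newline.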
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java 2008-11-19 18:42:32 UTC (rev 81311)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java 2008-11-19 18:44:53 UTC (rev 81312)
@@ -42,12 +42,34 @@
*/
public class WebResource extends JavaEEResource
{
+ /** System Property setting to configure the web audit
+ * off = turn it off
+ * headers = audit the headers
+ * cookies = audit the cookie
+ * parameters = audit the parameters
+ * attributes = audit the attributes
+ * headers,cookies,parameters = audit the headers,cookie and parameters
+ * headers,cookies = audit the headers and cookies
+ * and so on
+ *
+ * Note: If this flag is not set in the system property, then we get no
+ * audit data for the web request
+ * */
+ public static final String WEB_AUDIT_FLAG = "org.jboss.security.web.audit";
+
private ServletRequest servletRequest = null;
private ServletResponse servletResponse = null;
private String servletName = null;
private String canonicalRequestURI = null;
+
+ private static String auditFlag = " ";
+
+ static
+ {
+ auditFlag = SecurityActions.getSystemProperty(WEB_AUDIT_FLAG, " ").toLowerCase();
+ }
/**
* Create a new WebResource.
*/
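Review bot: The static initializer at the end of the hunk normalises the property value with `toLowerCase()`, which uses the JVM default locale; under a Turkish locale an upper-case "COOKIES" or "PARAMETERS" becomes a dotless-i form that the later `contains("cookies")` checks never match. Use `auditFlag = SecurityActions.getSystemProperty(WEB_AUDIT_FLAG, " ").toLowerCase(Locale.ROOT);` with `java.util.Locale` imported. Since the value is assigned exactly once, `private static final String auditFlag = ...;` initialised directly would replace the `" "` placeholder plus static block. The Javadoc on WEB_AUDIT_FLAG should also state that the property is read once when WebResource is loaded, so setting it afterwards has no effect; the class body continues outside the hunk.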
@@ -122,8 +144,12 @@
{
StringBuffer buf = new StringBuffer();
buf.append("[").append(getClass().getName()).append(":contextMap=").append(map).
- append(",canonicalRequestURI=").append(this.canonicalRequestURI).
- append(",request=").append(deriveUsefulInfo()).
+ append(",canonicalRequestURI=").append(this.canonicalRequestURI);
+
+ /** Audit the request based on the audit flag */
+ if(!auditFlag.contains("off"))
+ buf.append(",request=").append(deriveUsefulInfo()).
+
append(",CodeSource=").append(this.codeSource).
append("]");
return buf.toString();
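Review bot: The new `if(!auditFlag.contains("off"))` guards a single statement, and that statement is the whole chain continuing on the following lines, so when the audit is turned off neither `,CodeSource=` nor the closing `]` is appended and toString() returns a truncated, unbalanced string. Close the chain at the request part and keep the rest unconditional: `buf.append(",request=").append(deriveUsefulInfo());` followed by `buf.append(",CodeSource=").append(this.codeSource).append("]");`. The `/** ... */` comment inside the method body is Javadoc syntax with nothing to attach to; a plain `// Audit the request based on the audit flag` is the conventional form. toString() begins outside the hunk.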
@@ -137,37 +163,52 @@
HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
StringBuilder sb = new StringBuilder();
sb.append("[").append(httpRequest.getContextPath());
- sb.append(":cookies=").append(Arrays.toString(httpRequest.getCookies())).append(":headers=");
+ //Append cookies
+ if(auditFlag.contains("cookies"))
+ {
+ sb.append(":cookies=").append(Arrays.toString(httpRequest.getCookies()));
+ }
//Append Header information
- Enumeration<?> en = httpRequest.getHeaderNames();
- for(;en.hasMoreElements();)
+ if(auditFlag.contains("headers"))
{
- String headerName = (String)en.nextElement();
- sb.append(headerName).append("=");
- if(headerName.contains("authorization") == false)
- sb.append(httpRequest.getHeader(headerName)).append(",");
+ sb.append(":headers=");
+ Enumeration<?> en = httpRequest.getHeaderNames();
+ for(;en.hasMoreElements();)
+ {
+ String headerName = (String)en.nextElement();
+ sb.append(headerName).append("=");
+ if(headerName.contains("authorization") == false)
+ sb.append(httpRequest.getHeader(headerName)).append(",");
+ }
+ sb.append("]");
}
- sb.append("]");
+
//Append Request parameter information
- sb.append("[parameters=");
- Enumeration<?> enparam = httpRequest.getParameterNames();
- for(;enparam.hasMoreElements();)
+ if(auditFlag.contains("parameters"))
{
- String paramName = (String)enparam.nextElement();
- String[] paramValues = httpRequest.getParameterValues(paramName);
- int len = paramValues != null ? paramValues.length : 0;
- for(int i = 0 ; i < len ; i++)
- sb.append(paramValues[i]).append("::");
- sb.append(",");
+ sb.append("[parameters=");
+ Enumeration<?> enparam = httpRequest.getParameterNames();
+ for(;enparam.hasMoreElements();)
+ {
+ String paramName = (String)enparam.nextElement();
+ String[] paramValues = httpRequest.getParameterValues(paramName);
+ int len = paramValues != null ? paramValues.length : 0;
+ for(int i = 0 ; i < len ; i++)
+ sb.append(paramValues[i]).append("::");
+ sb.append(",");
+ }
}
- sb.append("][attributes=");
//Append Request attribute information
- Enumeration<?> enu = httpRequest.getAttributeNames();
- for(;enu.hasMoreElements();)
+ if(auditFlag.contains("attributes"))
{
- String attrName = (String)enu.nextElement();
- sb.append(attrName).append("=");
- sb.append(httpRequest.getAttribute(attrName)).append(",");
+ sb.append("][attributes=");
+ Enumeration<?> enu = httpRequest.getAttributeNames();
+ for(;enu.hasMoreElements();)
+ {
+ String attrName = (String)enu.nextElement();
+ sb.append(attrName).append("=");
+ sb.append(httpRequest.getAttribute(attrName)).append(",");
+ }
}
sb.append("]");
return sb.toString();
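Review bot: The header filter `headerName.contains("authorization") == false` is case-sensitive while HTTP header names are not, so if the container returns the name as sent (typically `Authorization` or `Proxy-Authorization`) the credential value is copied into the audit string; compare on a normalised name, `if(!headerName.toLowerCase(Locale.ROOT).contains("authorization"))`, with `java.util.Locale` imported. The cookies and parameters branches copy every value verbatim, which for a form login includes the password parameter and for cookies the session identifier, so the Javadoc on WEB_AUDIT_FLAG in the earlier hunk should state that enabling those options writes credentials and session tokens to the audit output. The bracket layout is uneven as well: `[parameters=` is opened without a close and `][attributes=` is relied on to close it, so enabling headers and attributes without parameters yields a stray `]`; emitting each section as its own `[name=...]` group would keep the output well-formed for every flag combination. deriveUsefulInfo() starts outside the hunk.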