[jboss-cvs] JBossAS SVN: r107792 - in projects/security/security-xacml/trunk/jboss-xacml/src: main/java/org/jboss/security/xacml/locators/attrib and 8 other directories.
Wed Aug 25 17:37:27 EDT 2010
Author: anil.saldhana at jboss.com
Date: 2010-08-25 17:37:26 -0400 (Wed, 25 Aug 2010)
New Revision: 107792
Added:
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPActionAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPEnvAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPResourceAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPSubjectAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/StorageAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/LDAPCommon.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/LDAPAttributeLocatorUnitTestCase.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/locators/LDAPPolicyLocatorUnitTestCase.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_resource_attrib_locator-config.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_subject_attrib_locator-config.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/ldif/ldap-attrib.ldif
Modified:
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/policy/JBossLDAPPolicyLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/ldap/LDAPUnitTestCase.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
Log:
SECURITY-455: attribute locator using ldap
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -98,14 +98,14 @@
return this.identifier;
}
- @SuppressWarnings("unchecked")
+ @SuppressWarnings("rawtypes")
@Override
public Set getSupportedDesignatorTypes()
{
return this.designatorTypes;
}
- @SuppressWarnings("unchecked")
+ @SuppressWarnings("rawtypes")
@Override
public Set getSupportedIds()
{
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -46,10 +46,12 @@
* @since Mar 2, 2010
*/
public class DatabaseActionAttributeLocator extends DatabaseAttributeLocator
-{
- protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
- {
- EvaluationResult evalResult = evaluationCtx.getActionAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+{
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getActionAttribute(new URI(dataTypeOfSubstituteValue),
+ new URI( substituteValue ), null);
return this.getAttributeValue(evalResult, attributeType);
}
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -39,7 +39,6 @@
import javax.naming.InitialContext;
import javax.sql.DataSource;
-import org.jboss.security.xacml.locators.AttributeLocator;
import org.jboss.security.xacml.sunxacml.EvaluationCtx;
import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
@@ -54,7 +53,7 @@
* @author Anil.Saldhana at redhat.com
* @since Mar 1, 2010
*/
-public abstract class DatabaseAttributeLocator extends AttributeLocator
+public abstract class DatabaseAttributeLocator extends StorageAttributeLocator
{
private static Logger log = Logger.getLogger(DatabaseAttributeLocator.class.getName());
@@ -67,12 +66,6 @@
//The Prepared Statement SQL
protected String sqlStatement = null;
- //The Prepared Statement plugin Value
- protected String preparedStatementValue = null;
-
- //The data type of the prepared statement plugin value
- protected String valueDataType = null;
-
//Column Name to be returned as part of the sql statement
protected String columnName = null;
@@ -81,16 +74,6 @@
public static final String DB_FILE_NAME = "DATABASE_FILE_NAME";
- public DatabaseAttributeLocator()
- {
- this.attributeDesignatorSupported = true;
- this.attributeSelectorSupported = true;
-
- this.designatorTypes.add(Integer.valueOf(0));
- this.designatorTypes.add(Integer.valueOf(1));
- this.designatorTypes.add(Integer.valueOf(2));
- }
-
@SuppressWarnings("unchecked")
@Override
public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer, URI subjectCategory,
@@ -134,11 +117,11 @@
}
if("preparedStatementValue".equals(optionTag))
{
- this.preparedStatementValue = optionValue;
+ this.substituteValue = optionValue;
}
if("valueDataType".equals(optionTag))
{
- this.valueDataType = optionValue;
+ this.dataTypeOfSubstituteValue = optionValue;
}
if("columnName".equals(optionTag))
{
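Review bot: The option tags `preparedStatementValue` and `valueDataType` still carry the names of the fields this commit renames to `substituteValue` and `dataTypeOfSubstituteValue`, and nothing in the hunk says the mismatch is deliberate; a one-line comment on the first branch, `// legacy option tag: now feeds the inherited substituteValue`, would stop the next reader from "fixing" the tag and breaking existing configurations. The sibling LDAPAttributeLocator added in this commit fills the same two inherited fields on every findAttribute call from its LDAPCommon rather than at configuration time, so the two storage locators now disagree on when the substitution inputs are bound; worth settling on one place, presumably setOptions/usePassedOption. The enclosing method starts and ends outside the hunk.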
@@ -194,7 +177,7 @@
}
}
return connection;
- }
+ }
/**
* Get the value of the attribute we are interested in
@@ -219,7 +202,7 @@
Object pluginValue = null;
try
{
- pluginValue = getPreparedStatementPluginValue(context, attributeType);
+ pluginValue = getSubstituteValue( attributeType, context );
}
catch (URISyntaxException e)
{
@@ -271,16 +254,5 @@
}
return columnValue;
- }
-
- /**
- * <p>
- * Get the value to be plugged into the PreparedStatement using the <code>EvaluationCtx</code>
- * </p>
- * @param evaluationCtx
- * @param attributeType
- * @return
- * @throws URISyntaxException
- */
- protected abstract Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException;
+ }
}
\ No newline at end of file
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -46,9 +46,11 @@
*/
public class DatabaseEnvAttributeLocator extends DatabaseAttributeLocator
{
- protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
- {
- EvaluationResult evalResult = evaluationCtx.getEnvironmentAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getEnvironmentAttribute(new URI(dataTypeOfSubstituteValue),
+ new URI( substituteValue ), null);
return this.getAttributeValue(evalResult, attributeType);
}
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -46,9 +46,11 @@
*/
public class DatabaseResourceAttributeLocator extends DatabaseAttributeLocator
{
- protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
- {
- EvaluationResult evalResult = evaluationCtx.getResourceAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getResourceAttribute(new URI(dataTypeOfSubstituteValue),
+ new URI( substituteValue ), null);
return this.getAttributeValue(evalResult, attributeType);
}
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -47,13 +47,15 @@
*/
public class DatabaseSubjectAttributeLocator extends DatabaseAttributeLocator
{
- protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
- {
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
String category = AttributeDesignator.SUBJECT_CATEGORY_DEFAULT;
- EvaluationResult evalResult = evaluationCtx.getSubjectAttribute(new URI(valueDataType), new URI(preparedStatementValue),
- new URI(category));
-
+ EvaluationResult evalResult = context.getSubjectAttribute(new URI(dataTypeOfSubstituteValue),
+ new URI( substituteValue ),
+ new URI(category));
+
return this.getAttributeValue(evalResult, attributeType);
}
}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPActionAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPActionAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPActionAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * LDAP Attribute Locator to obtain the action attribute
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPActionAttributeLocator extends LDAPAttributeLocator
+{
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getActionAttribute( new URI( dataTypeOfSubstituteValue ),
+ new URI( substituteValue ), null);
+
+ return this.getAttributeValue( evalResult, attributeType);
+ }
+}
\ No newline at end of file
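Review bot: getSubstituteValue here is line-for-line the body of DatabaseActionAttributeLocator.getSubstituteValue from the same commit, differing only in the base class, and the Env, Resource and Subject pairs (LDAPEnvAttributeLocator/DatabaseEnvAttributeLocator, LDAPResourceAttributeLocator/DatabaseResourceAttributeLocator, LDAPSubjectAttributeLocator/DatabaseSubjectAttributeLocator) repeat the same bodies again. Since both hierarchies now share StorageAttributeLocator, the four lookups could live there once, e.g. `protected Object getActionSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException`, with each leaf reduced to a one-line delegation. `getAttributeValue(evalResult, attributeType)` is not declared in the visible StorageAttributeLocator, so it presumably comes from AttributeLocator; if so the helpers can be hoisted without further changes.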
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,152 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchResult;
+
+import org.jboss.security.xacml.jaxb.Option;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
+import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+import org.jboss.security.xacml.util.JBossXACMLUtil;
+import org.jboss.security.xacml.util.LDAPCommon;
+
+/**
+ * An attribute locator getting attribute values from an LDAP
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public abstract class LDAPAttributeLocator extends StorageAttributeLocator
+{
+ private static Logger log = Logger.getLogger( LDAPAttributeLocator.class.getName() );
+
+ protected LDAPCommon ldapCommon = new LDAPCommon();
+
+ public LDAPAttributeLocator()
+ {
+ this.attributeDesignatorSupported = true;
+ this.attributeSelectorSupported = true;
+
+ this.designatorTypes.add(Integer.valueOf(0));
+ this.designatorTypes.add(Integer.valueOf(1));
+ this.designatorTypes.add(Integer.valueOf(2));
+ }
+
+ @Override
+ public void setOptions(List<Option> theoptions)
+ {
+ super.setOptions(theoptions);
+ ldapCommon.processOptions(theoptions);
+
+ ldapCommon.validateConfiguration( LDAPCommon.TYPE.ATTRIBUTE );
+ }
+
+ @Override
+ public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer, URI subjectCategory,
+ EvaluationCtx context, int designatorType)
+ {
+ if(ids.contains(attributeId) == false)
+ {
+ if(attributeType != null)
+ return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
+ else
+
+ return new EvaluationResult(BagAttribute.createEmptyBag(attributeId));
+ }
+
+ this.dataTypeOfSubstituteValue = ldapCommon.getDataTypeOfSubstituteValue();
+ this.substituteValue = ldapCommon.getSubsititeValue();
+
+ Object columnValue = null ;
+ try
+ {
+ columnValue = getSubstituteValue( attributeType, context );
+ }
+ catch (URISyntaxException e)
+ {
+ log.log( Level.SEVERE, "Syntax error in uri:", e );
+ }
+
+ Object[] filterArgs = new Object[] { columnValue };
+
+ NamingEnumeration<SearchResult> results = null;
+
+ try
+ {
+ ldapCommon.constructJNDIContext();
+
+ results = ldapCommon.search( filterArgs );
+ while (results.hasMore())
+ {
+ SearchResult rs = results.next();
+ Attributes attributes = rs.getAttributes();
+ if (attributes != null)
+ {
+ Attribute ldapAttribute = attributes.get( ldapCommon.getLdapAttribute() );
+ if (ldapAttribute != null)
+ {
+ attributeValue = ldapAttribute.get();
+ }
+ }
+ }
+ }
+ catch (NamingException e)
+ {
+ log.severe(e.getMessage());
+ throw new IllegalStateException(e);
+ }
+ finally
+ {
+ if( results != null )
+ {
+ try { results.close(); } catch ( NamingException ignore ) {}
+ }
+
+ try { ldapCommon.closeJNDIContext(); } catch (NamingException ignore ) {}
+ }
+
+ Set<AttributeValue> bagSet = new HashSet<AttributeValue>();
+ bagSet.add( JBossXACMLUtil.getAttributeValue( attributeValue ) );
+
+ return new EvaluationResult( new BagAttribute( attributeType, bagSet ));
+ }
+
+ @Override
+ protected void usePassedOption(String optionTag, String optionValue)
+ {
+ super.usePassedOption(optionTag, optionValue);
+ ldapCommon.processPassedOption(optionTag, optionValue);
+ }
+}
\ No newline at end of file
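Review bot: findAttribute records the looked-up value in the inherited instance field `attributeValue` and never clears it, so when the search returns no entry, or an entry without the configured attribute, the bag built at the end of the method carries whatever the previous evaluation left in the field — one request's attribute can be returned for another's decision, and a locator shared between concurrent evaluations races on that field as well as on the single `ldapCommon` whose context is constructed and closed inside each call. Keep the result in a local and return an empty bag when nothing was found, as sketched below; note also that a search matching several entries lets the last one win silently. The filter argument comes from `getSubstituteValue`, whose URISyntaxException is logged and then swallowed, so a misconfigured `substituteValue` sends a null filter argument to `ldapCommon.search`; rethrowing as IllegalStateException, as the NamingException path already does, would be consistent. I am assuming `ldapCommon.search(filterArgs)` hands the array to JNDI as filter arguments rather than concatenating it into the filter string, which is what keeps the substituted request value from altering the query; that deserves a sentence in the method Javadoc once LDAPCommon confirms it.
```java
Object found = null;
// … unchanged: substitute-value lookup, filterArgs, constructJNDIContext, search loop head …
if (ldapAttribute != null)
{
   found = ldapAttribute.get();
}
// … unchanged: NamingException handling and finally block …
if (found == null)
{
   return new EvaluationResult(BagAttribute.createEmptyBag(attributeType != null ? attributeType : attributeId));
}
Set<AttributeValue> bagSet = new HashSet<AttributeValue>();
bagSet.add( JBossXACMLUtil.getAttributeValue( found ) );
```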
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPEnvAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPEnvAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPEnvAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * LDAP Attribute Locator that will get an environment attribute
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPEnvAttributeLocator extends LDAPAttributeLocator
+{
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getEnvironmentAttribute( new URI( dataTypeOfSubstituteValue ),
+ new URI( substituteValue ), null);
+
+ return this.getAttributeValue( evalResult, attributeType );
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPResourceAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPResourceAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPResourceAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about the resource from the LDAP
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPResourceAttributeLocator extends LDAPAttributeLocator
+{
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ EvaluationResult evalResult = context.getResourceAttribute( new URI( dataTypeOfSubstituteValue ),
+ new URI( substituteValue ), null);
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPSubjectAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPSubjectAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/LDAPSubjectAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,49 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about the subject from the LDAP
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPSubjectAttributeLocator extends LDAPAttributeLocator
+{
+ @Override
+ protected Object getSubstituteValue(URI attributeType, EvaluationCtx context) throws URISyntaxException
+ {
+ String category = AttributeDesignator.SUBJECT_CATEGORY_DEFAULT;
+
+ EvaluationResult evalResult = context.getSubjectAttribute(new URI(dataTypeOfSubstituteValue),
+ new URI( substituteValue ),
+ new URI(category));
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/StorageAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/StorageAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/StorageAttributeLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.locators.AttributeLocator;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+
+/**
+ * Common base class for attribute locators using external storage
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public abstract class StorageAttributeLocator extends AttributeLocator
+{
+ //The data type of the attribute value that we are substituting in
+ //prepared statement or ldap query
+ protected String dataTypeOfSubstituteValue = null;
+
+ /**
+ * Represents an URI that we will use to pick from the xacml
+ * request to substitute in a DB prepared statement or ldap DN
+ * to authenticate/identify the target/person/employee we are trying
+ * to get an attribute for.
+ */
+ protected String substituteValue = null;
+
+ //The value of the attribute we are seeking
+ protected Object attributeValue = null;
+
+ public StorageAttributeLocator()
+ {
+ this.attributeDesignatorSupported = true;
+ this.attributeSelectorSupported = true;
+
+ this.designatorTypes.add(Integer.valueOf(0));
+ this.designatorTypes.add(Integer.valueOf(1));
+ this.designatorTypes.add(Integer.valueOf(2));
+ }
+
+ protected abstract Object getSubstituteValue( URI attributeType, EvaluationCtx context ) throws URISyntaxException;
+}
\ No newline at end of file
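Review bot: The abstract `getSubstituteValue` at the end of this file has no Javadoc, although the method it replaces, `getPreparedStatementPluginValue` in DatabaseAttributeLocator, carried one that this commit deletes; something like `/** Picks from the request, via the EvaluationCtx, the value to substitute into the storage query (prepared statement or LDAP filter), converted to {@code attributeType}. @throws URISyntaxException if {@code substituteValue} or {@code dataTypeOfSubstituteValue} is not a valid URI */` belongs here. Separately, `attributeValue` is per-evaluation result state kept in a protected field of an object that presumably lives as long as the PDP, so it sits oddly next to the configuration fields `substituteValue` and `dataTypeOfSubstituteValue`; a local in the subclass's findAttribute would avoid the stale-value and concurrency questions it raises. The constructor body is also repeated verbatim in the new LDAPAttributeLocator; since `designatorTypes` is returned as a Set by AttributeLocator.getSupportedDesignatorTypes, the repeat is harmless but can be dropped.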
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/policy/JBossLDAPPolicyLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/policy/JBossLDAPPolicyLocator.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/policy/JBossLDAPPolicyLocator.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -25,22 +25,14 @@
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.List;
-import java.util.Properties;
import java.util.Set;
import java.util.logging.Logger;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.PBEParameterSpec;
-import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
-import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
-import javax.naming.ldap.InitialLdapContext;
import org.jboss.security.xacml.bridge.PolicySetFinderModule;
import org.jboss.security.xacml.bridge.WrapperPolicyFinderModule;
@@ -52,7 +44,7 @@
import org.jboss.security.xacml.sunxacml.AbstractPolicy;
import org.jboss.security.xacml.sunxacml.Policy;
import org.jboss.security.xacml.sunxacml.PolicySet;
-import org.jboss.security.xacml.util.PBEUtils;
+import org.jboss.security.xacml.util.LDAPCommon;
/**
*
@@ -61,6 +53,7 @@
* This PolicyLocator is configured with the following options:
*
* url - The LDAP server URL to connect to
+ * factory - The JNDI factory that is JDK specific such as "com.sun.jndi.ldap.LdapCtxFactory"
* username - The username to connect to the LDAP server. This user must have search privileges
* password - The password of the user to connect to the LDAP server
* filter - The search filter to be used to find the entries that have a policy
@@ -76,56 +69,15 @@
* Those options must have the same value used for encryption.
*
* @author <a href="mmoyses at redhat.com">Marcus Moyses</a>
+ * @author Anil.Saldhana at redhat.com
* @version $Revision: 1 $
*/
public class JBossLDAPPolicyLocator extends AbstractJBossPolicyLocator
-{
-
- protected static final String XACML_LDAP_URL = "url";
-
- protected String url;
-
- protected static final String XACML_LDAP_USERNAME = "username";
-
- protected String username;
-
- protected static final String XACML_LDAP_PASSWORD = "password";
-
- protected String password;
-
- protected static final String XACML_LDAP_FILTER = "filter";
-
- protected String filter;
-
- protected static final String XACML_LDAP_ATTRIBUTE = "attribute";
-
- protected String attribute;
-
- protected static final String XACML_LDAP_SEARCH_SCOPE = "searchScope";
-
- protected int searchScope = SearchControls.SUBTREE_SCOPE;
-
- protected static final String XACML_LDAP_SEARCH_TIMELIMIT = "searchTimeLimit";
-
- protected int searchTimeLimit = 10000;
-
- protected static final String XACML_LDAP_BASEDN = "baseDN";
-
- protected String baseDN;
-
- protected static final String XACML_LDAP_SALT = "salt";
-
- protected String salt;
-
- protected static final String XACML_LDAP_COUNT = "iterationCount";
-
- protected int iterationCount;
-
- protected static final String XACML_LDAP_PASSWORD_PREFIX = "MASK-";
-
- protected Properties env = new Properties();
-
+{
protected static Logger log = Logger.getLogger(JBossLDAPPolicyLocator.class.getName());
+
+ // Common Utility class that is common for ldap integration
+ protected LDAPCommon ldapCommon = new LDAPCommon();
public JBossLDAPPolicyLocator()
{
@@ -140,114 +92,41 @@
public void setOptions(List<Option> theoptions)
{
super.setOptions(theoptions);
-
- for (Option option : options)
- {
- String name = option.getName();
- if (name.equals(XACML_LDAP_URL))
- url = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_USERNAME))
- username = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_PASSWORD))
- password = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_FILTER))
- filter = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_ATTRIBUTE))
- attribute = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_BASEDN))
- baseDN = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_SEARCH_TIMELIMIT))
- {
- String timeLimit = (String) option.getContent().iterator().next();
- if (timeLimit != null)
- {
- try
- {
- searchTimeLimit = Integer.parseInt(timeLimit);
- }
- catch (NumberFormatException e)
- {
- log.fine("Failed to parse: " + timeLimit + ", using searchTimeLimit = " + searchTimeLimit + ". "
- + e.getMessage());
- }
- }
- }
- else if (name.equals(XACML_LDAP_SEARCH_SCOPE))
- {
- String scope = (String) option.getContent().iterator().next();
- if ("OBJECT_SCOPE".equalsIgnoreCase(scope))
- searchScope = SearchControls.OBJECT_SCOPE;
- else if ("ONELEVEL_SCOPE".equalsIgnoreCase(scope))
- searchScope = SearchControls.ONELEVEL_SCOPE;
- if ("SUBTREE_SCOPE".equalsIgnoreCase(scope))
- searchScope = SearchControls.SUBTREE_SCOPE;
- }
- else if (name.equals(XACML_LDAP_SALT))
- salt = (String) option.getContent().iterator().next();
- else if (name.equals(XACML_LDAP_COUNT))
- iterationCount = Integer.parseInt((String) option.getContent().iterator().next());
- }
-
+ ldapCommon.processOptions(theoptions);
+
init();
}
protected void init()
- {
- // check options. username and password can be null as the ldap server may allow anonymous search
- if (url == null)
- throw new IllegalArgumentException("Option " + XACML_LDAP_URL + " cannot be null");
- if (filter == null)
- throw new IllegalArgumentException("Option " + XACML_LDAP_FILTER + " cannot be null");
- if (attribute == null)
- throw new IllegalArgumentException("Option " + XACML_LDAP_ATTRIBUTE + " cannot be null");
+ {
+ ldapCommon.validateConfiguration( LDAPCommon.TYPE.POLICY );
- if (password != null && password.startsWith(XACML_LDAP_PASSWORD_PREFIX))
- {
- // try to decode password
- if (salt == null || salt.equals("") || salt.length() != 8)
- throw new IllegalArgumentException("Option " + XACML_LDAP_SALT + " is not set correctly");
- if (iterationCount == 0)
- throw new IllegalArgumentException("Option " + XACML_LDAP_COUNT + " must be a positive integer");
- password = decodePassword(password);
- }
-
- env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
- env.put(Context.PROVIDER_URL, url);
- if (username != null)
- env.put(Context.SECURITY_PRINCIPAL, username);
- if (password != null)
- env.put(Context.SECURITY_CREDENTIALS, password);
-
search();
}
- protected void search()
- {
- InitialLdapContext ctx = null;
+ protected void search()
+ {
NamingEnumeration<SearchResult> results = null;
+
try
{
- ctx = new InitialLdapContext(env, null);
- SearchControls constraints = new SearchControls();
- constraints.setSearchScope(searchScope);
- constraints.setTimeLimit(searchTimeLimit);
- constraints.setReturningAttributes(new String[] {attribute});
-
- results = ctx.search(baseDN, filter, constraints);
+ ldapCommon.constructJNDIContext();
+ results = ldapCommon.search( null );
while (results.hasMore())
{
SearchResult rs = results.next();
Attributes attributes = rs.getAttributes();
if (attributes != null)
{
- Attribute xml = attributes.get(attribute);
+ Attribute xml = attributes.get( ldapCommon.getLdapAttribute() );
if (xml != null)
{
String xmlString = (String) xml.get();
try
{
- XACMLPolicy policy = PolicyFactory.createPolicy(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
+ byte[] xmlStream = xmlString.getBytes("UTF-8");
+ XACMLPolicy policy = PolicyFactory.createPolicy( new ByteArrayInputStream( xmlStream ));
if (policy != null)
{
if (policy.getType() == XACMLPolicy.POLICY)
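Review bot: `init()` now relies on `ldapCommon.validateConfiguration( LDAPCommon.TYPE.POLICY )` for fail-fast checks, but that method (LDAPCommon.java further down in this commit) checks only `url`, `filter` and `attribute`, so a configuration with no `baseDN` is accepted here and only fails later when `search()` passes a null name to `ctx.search(baseDN, ...)`, deep inside JNDI rather than as a configuration error. Adding `if (baseDN == null) throw new IllegalArgumentException("Option " + XACML_LDAP_BASEDN + " cannot be null");` beside the existing checks in `validateConfiguration` restores the behaviour the old inline validation was aiming for. Note that the masked-password checks formerly done in `init()` now run inside `constructJNDIContext()` within `search()`'s try block; they throw `IllegalArgumentException`/`IllegalStateException`, not `NamingException`, so they still escape `setOptions` as before, which looks intended. The body of `search()` continues past the end of this hunk.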
@@ -274,6 +153,7 @@
}
}
this.map.put(XACMLConstants.POLICY_FINDER_MODULE, pfml);
+
}
catch (NamingException e)
{
@@ -282,52 +162,27 @@
}
finally
{
- if (results != null)
+ if( results != null )
{
try
{
results.close();
}
- catch (NamingException e)
- {
+ catch ( NamingException ignore )
+ {
}
}
- if (ctx != null)
+
+ try
{
- try
- {
- ctx.close();
- }
- catch (NamingException e)
- {
- }
+ ldapCommon.closeJNDIContext();
}
+ catch (NamingException ignore )
+ {
+ }
}
- }
+ }
- protected String decodePassword(String encodedPassword)
- {
- try
- {
- // remove prefix
- String password = encodedPassword.substring(XACML_LDAP_PASSWORD_PREFIX.length());
- byte[] salt = this.salt.getBytes();
- char[] p = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
- PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, iterationCount);
- PBEKeySpec keySpec = new PBEKeySpec(p);
- String cipherAlgorithm = "PBEwithMD5andDES";
- SecretKeyFactory factory = SecretKeyFactory.getInstance(cipherAlgorithm);
- SecretKey cipherKey = factory.generateSecret(keySpec);
- //TODO move these utils to a separate project
- return PBEUtils.decode64(password, cipherAlgorithm, cipherKey, cipherSpec);
- }
- catch (Exception e)
- {
- log.severe("Could not decode masked password. " + e.getMessage());
- throw new IllegalStateException(e);
- }
- }
-
private PolicySetFinderModule getPopulatedPolicySetFinderModule(XACMLPolicy xpolicy)
{
PolicySetFinderModule psfm = new PolicySetFinderModule();
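Review bot: Both `catch ( NamingException ignore )` blocks in the `finally` discard the failure with no trace; closing `results` and the context is reasonably best-effort, but a `log.fine("close failed: " + ignore.getMessage());` in each keeps a leaking or half-closed LDAP connection diagnosable from the logs. The `ldapCommon.closeJNDIContext()` call also releases only whatever `LDAPCommon` stored in its `ctx` field, so it is worth confirming against `LDAPCommon.search`, which opens its own `InitialLdapContext`, that this is the connection the search above actually used.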
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/LDAPCommon.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/LDAPCommon.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/LDAPCommon.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,333 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.util;
+
+import java.util.List;
+import java.util.Properties;
+import java.util.logging.Logger;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.InitialLdapContext;
+
+import org.jboss.security.xacml.jaxb.Option;
+
+/**
+ * Common Utility class for LDAP integration
+ *
+ * @author <a href="mmoyses at redhat.com">Marcus Moyses</a>
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPCommon
+{
+ private static Logger log = Logger.getLogger( LDAPCommon.class.getName() );
+
+ public enum TYPE { POLICY, ATTRIBUTE };
+
+ private static final String XACML_LDAP_URL = "url";
+
+ private String url;
+
+ private static final String XACML_LDAP_FACTORY = "factory";
+
+ private String factory;
+
+ private static final String XACML_LDAP_USERNAME = "username";
+
+ private String username;
+
+ private static final String XACML_LDAP_PASSWORD = "password";
+
+ private String password;
+
+ private static final String XACML_LDAP_FILTER = "filter";
+
+ private String filter;
+
+ private static final String XACML_LDAP_ATTRIBUTE = "attribute";
+
+ private String attribute;
+
+ private static final String XACML_LDAP_SEARCH_SCOPE = "searchScope";
+
+ private int searchScope = SearchControls.SUBTREE_SCOPE;
+
+ private static final String XACML_LDAP_SEARCH_TIMELIMIT = "searchTimeLimit";
+
+ private int searchTimeLimit = 10000;
+
+ private static final String XACML_LDAP_BASEDN = "baseDN";
+
+ private String baseDN;
+
+ private static final String XACML_LDAP_SALT = "salt";
+
+ private String salt;
+
+ private static final String XACML_LDAP_COUNT = "iterationCount";
+
+ private int iterationCount;
+
+ private static final String XACML_LDAP_PASSWORD_PREFIX = "MASK-";
+
+ private static final String XACML_LDAP_ATTRIBUTE_SUPPORTED_ID = "attributeSupportedId";
+ private String attributeSupportedId;
+
+ private static final String XACML_LDAP_SUBSTITUTE_VALUE = "substituteValue";
+ private String substituteValue;
+
+ private static final String XACML_LDAP_VALUE_DATA_TYPE = "valueDataType";
+ private String valueDataType;
+
+ private Properties env = new Properties();
+
+ private InitialLdapContext ctx = null;
+
+ public void processOptions(List<Option> theoptions)
+ {
+ for( Option option : theoptions )
+ {
+ processPassedOption( option.getName(), (String) option.getContent().iterator().next() );
+ }
+
+ fillInMissingConfigurationWithDefaults();
+ }
+
+ public void processPassedOption( String optionTag, String optionValue)
+ {
+ String name =optionTag;
+
+ if (name.equals(XACML_LDAP_URL))
+ url = optionValue;
+ else if (name.equals(XACML_LDAP_FACTORY))
+ factory = optionValue;
+ else if (name.equals(XACML_LDAP_USERNAME))
+ username = optionValue;
+ else if (name.equals(XACML_LDAP_PASSWORD))
+ password = optionValue;
+ else if (name.equals(XACML_LDAP_FILTER))
+ filter = optionValue;
+ else if (name.equals(XACML_LDAP_ATTRIBUTE))
+ attribute = optionValue;
+ else if (name.equals(XACML_LDAP_BASEDN))
+ baseDN = optionValue;
+ else if (name.equals(XACML_LDAP_SEARCH_TIMELIMIT))
+ {
+ String timeLimit = optionValue;
+ if (timeLimit != null)
+ {
+ try
+ {
+ searchTimeLimit = Integer.parseInt(timeLimit);
+ }
+ catch (NumberFormatException e)
+ {
+ log.fine("Failed to parse: " + timeLimit + ", using searchTimeLimit = " + searchTimeLimit + ". "
+ + e.getMessage());
+ }
+ }
+ }
+ else if (name.equals(XACML_LDAP_SEARCH_SCOPE))
+ {
+ String scope = optionValue;
+ if ("OBJECT_SCOPE".equalsIgnoreCase(scope))
+ searchScope = SearchControls.OBJECT_SCOPE;
+ else if ("ONELEVEL_SCOPE".equalsIgnoreCase(scope))
+ searchScope = SearchControls.ONELEVEL_SCOPE;
+ if ("SUBTREE_SCOPE".equalsIgnoreCase(scope))
+ searchScope = SearchControls.SUBTREE_SCOPE;
+ }
+ else if (name.equals(XACML_LDAP_SALT))
+ salt = optionValue;
+ else if (name.equals(XACML_LDAP_COUNT))
+ iterationCount = Integer.parseInt( optionValue );
+ else if (name.equals( XACML_LDAP_ATTRIBUTE_SUPPORTED_ID ))
+ attributeSupportedId = optionValue;
+ else if (name.equals( XACML_LDAP_SUBSTITUTE_VALUE ))
+ substituteValue = optionValue;
+ else if (name.equals( XACML_LDAP_VALUE_DATA_TYPE ))
+ valueDataType = optionValue;
+ else if( name.equals( "java.naming.factory.initial" ))
+ factory = optionValue ;
+ else if( name.equals( "java.naming.provider.url" ))
+ url = optionValue;
+ }
+
+ /**
+ * Validate that the configuration has all the required parameters
+ * @param locatorType
+ */
+ public void validateConfiguration( TYPE locatorType )
+ {
+ // check options. username and password can be null as the ldap server may allow anonymous search
+ if (url == null)
+ throw new IllegalArgumentException("Option " + XACML_LDAP_URL + " cannot be null");
+ if (filter == null)
+ throw new IllegalArgumentException("Option " + XACML_LDAP_FILTER + " cannot be null");
+ if (attribute == null)
+ throw new IllegalArgumentException("Option " + XACML_LDAP_ATTRIBUTE + " cannot be null");
+
+ if( locatorType == TYPE.ATTRIBUTE )
+ {
+ if( valueDataType == null )
+ throw new IllegalArgumentException("Option " + XACML_LDAP_VALUE_DATA_TYPE + " cannot be null");
+ if( attributeSupportedId == null )
+ throw new IllegalArgumentException("Option " + XACML_LDAP_ATTRIBUTE_SUPPORTED_ID + " cannot be null");
+ if( substituteValue == null )
+ throw new IllegalArgumentException("Option " + XACML_LDAP_SUBSTITUTE_VALUE + " cannot be null");
+ }
+ }
+
+ /**
+ * Get the attribute name that we are interested in
+ * Examples include cn, uid, employeeType
+ * @return
+ */
+ public String getLdapAttribute()
+ {
+ return attribute;
+ }
+
+ /**
+ * Get the XML Data Type of the value that we are going to substitute
+ * in the wild card of the filter during searching
+ *
+ * The value will be picked up from the xacml request
+ * @return
+ */
+ public String getDataTypeOfSubstituteValue()
+ {
+ return this.valueDataType;
+ }
+
+ /**
+ * The namespace of the value that we are going to pick up
+ * from the xacml request to be substituted in the wildcard
+ * for the ldap search filter
+ * @return
+ */
+ public String getSubsititeValue()
+ {
+ return substituteValue;
+ }
+
+ /**
+ * Perform a search
+ *
+ * The {@code LDAPAttributeLocator} will always send a filterArg array
+ *
+ * @param filterArgs can be null. Contains the wildcard substitution for the filter
+ * @return
+ * @throws NamingException
+ */
+ public NamingEnumeration<SearchResult> search( Object[] filterArgs ) throws NamingException
+ {
+ InitialLdapContext ctx = new InitialLdapContext(env, null);
+
+ SearchControls constraints = new SearchControls();
+ constraints.setSearchScope(searchScope);
+ constraints.setTimeLimit(searchTimeLimit);
+ constraints.setReturningAttributes(new String[] { attribute }); //The attribute we are looking for
+
+ if( filterArgs != null )
+ return ctx.search( baseDN, filter, filterArgs, constraints );
+
+ return ctx.search(baseDN, filter, constraints);
+ }
+
+ /**
+ * Construct the JNDI Context. Must always be in a try/catch/finally
+ * @see {@link #closeJNDIContext()}
+ * @throws NamingException
+ */
+ public void constructJNDIContext() throws NamingException
+ {
+ if (password != null && password.startsWith(XACML_LDAP_PASSWORD_PREFIX))
+ {
+ // try to decode password
+ if (salt == null || salt.equals("") || salt.length() != 8)
+ throw new IllegalArgumentException("Option " + XACML_LDAP_SALT + " is not set correctly");
+ if (iterationCount == 0)
+ throw new IllegalArgumentException("Option " + XACML_LDAP_COUNT + " must be a positive integer");
+ password = decodePassword(password);
+ }
+
+ env.put(Context.INITIAL_CONTEXT_FACTORY, factory );
+ env.put(Context.PROVIDER_URL, url);
+ if (username != null)
+ env.put(Context.SECURITY_PRINCIPAL, username);
+ if (password != null)
+ env.put(Context.SECURITY_CREDENTIALS, password);
+
+ ctx = new InitialLdapContext( env, null );
+ }
+
+ /**
+ * Close the JNDI Context
+ * @throws NamingException
+ */
+ public void closeJNDIContext() throws NamingException
+ {
+ if( ctx != null )
+ ctx.close();
+ }
+
+ /**
+ * If any configuration is missing and we know some defaults, use that
+ */
+ private void fillInMissingConfigurationWithDefaults()
+ {
+ if( factory == null )
+ factory = "com.sun.jndi.ldap.LdapCtxFactory";
+ }
+
+ private String decodePassword(String encodedPassword)
+ {
+ try
+ {
+ // remove prefix
+ String password = encodedPassword.substring(XACML_LDAP_PASSWORD_PREFIX.length());
+ byte[] salt = this.salt.getBytes();
+ char[] p = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+ PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, iterationCount);
+ PBEKeySpec keySpec = new PBEKeySpec(p);
+ String cipherAlgorithm = "PBEwithMD5andDES";
+ SecretKeyFactory factory = SecretKeyFactory.getInstance(cipherAlgorithm);
+ SecretKey cipherKey = factory.generateSecret(keySpec);
+ //TODO move these utils to a separate project
+ return PBEUtils.decode64(password, cipherAlgorithm, cipherKey, cipherSpec);
+ }
+ catch (Exception e)
+ {
+ log.severe("Could not decode masked password. " + e.getMessage());
+ throw new IllegalStateException(e);
+ }
+ }
+}
\ No newline at end of file
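Review bot: `search()` opens a second connection with `InitialLdapContext ctx = new InitialLdapContext(env, null);`, a local that shadows the `ctx` field, so the context opened by `constructJNDIContext()` is never the one searched and the one that is searched is never closed by `closeJNDIContext()` — one leaked LDAP connection per policy load or attribute lookup. Replace that local with `if (ctx == null) constructJNDIContext();` so the existing `ctx.search(...)` lines hit the field, and have `closeJNDIContext()` set `ctx = null;` after closing so the next call reconnects instead of reusing a closed context. `decodePassword` derives its key from the fixed passphrase `"somearbitrarycrazystringthatdoesnotmatter"` with `PBEwithMD5andDES`, so the `MASK-` form is reversible by anyone who can read the configuration; a comment such as `// MASK- is reversible obfuscation with a fixed key, not encryption; protect the configuration file itself` would keep operators from treating it as a secret store. `this.salt.getBytes()` uses the platform default charset while `salt.length() != 8` counts characters, so a non-ASCII salt can pass the check and still hand `PBEParameterSpec` a salt that is not 8 bytes; `this.salt.getBytes("UTF-8")` plus a check on the byte-array length makes this deterministic. Finally, the `{0}` substitution goes through the `filterArgs` overload of `ctx.search`, which escapes the request-supplied value — worth a comment on `search` saying that overload must stay, so nobody later "simplifies" it to string concatenation of the XACML attribute into the filter.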
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/LDAPAttributeLocatorUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/LDAPAttributeLocatorUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/LDAPAttributeLocatorUnitTestCase.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.test.xacml.attriblocators;
+
+import java.io.File;
+import java.io.InputStream;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.ResponseContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+import org.jboss.test.security.xacml.ldap.OpenDSUnitTestAdapter;
+import org.junit.Test;
+
+/**
+ * Unit test the {@code LDAPAttributeLocator}
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPAttributeLocatorUnitTestCase extends OpenDSUnitTestAdapter
+{
+ public LDAPAttributeLocatorUnitTestCase(String name)
+ {
+ super(name);
+ }
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ // Let us add the ldap.ldif
+ String fileName = targetDir + "test" + fs + "ldif" + fs + "ldap-attrib.ldif";
+ boolean op = util.addLDIF(serverHost, port, adminDN, adminPW, new File(fileName).toURI().toURL());
+ assertTrue(op);
+ }
+
+ @Test
+ public void testPDPUsingLDAPResourceAttributeLocator() throws Exception
+ {
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ InputStream is = tcl.getResourceAsStream("locators/attrib/ldap_resource_attrib_locator-config.xml");
+ assertNotNull("Inputstream is not null?", is);
+ PolicyDecisionPoint pdp = new JBossPDP(is);
+ ResponseContext response = XACMLTestUtil.getResponse(pdp,"locators/attrib/attribLocatorResourceAttribute-request.xml");
+ int decision = response.getDecision();
+ assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+ }
+
+ @Test
+ public void testPDPUsingLDAPSubjectAttributeLocator() throws Exception
+ {
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ InputStream is = tcl.getResourceAsStream("locators/attrib/ldap_subject_attrib_locator-config.xml");
+ assertNotNull("Inputstream is not null?", is);
+ PolicyDecisionPoint pdp = new JBossPDP(is);
+ ResponseContext response = XACMLTestUtil.getResponse(pdp,"locators/attrib/attribLocatorSubjectAttribute-request.xml");
+ int decision = response.getDecision();
+ assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+ }
+}
\ No newline at end of file
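Review bot: Both tests assert only `DECISION_PERMIT`, so a locator that returns nothing or the wrong value is indistinguishable from a working one whenever `attribLocator_policy.xml` permits by default; a third case requesting an `owner-id`/`user-name` that is absent from `ldap-attrib.ldif`, or whose `employeeType` is not `Active`, should pin a non-PERMIT decision. The class mixes JUnit 3 conventions (the `String name` constructor and `setUp()` override) with `org.junit.Test` annotations; if `OpenDSUnitTestAdapter` is a `junit.framework.TestCase`, the annotations are inert and only the `test*` method names drive execution, so either drop the `org.junit.Test` import or migrate the base class. The `InputStream is` from `getResourceAsStream` is never closed in either test; wrapping the `JBossPDP` construction in `try { ... } finally { is.close(); }` avoids leaking the classpath resource handle.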
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/ldap/LDAPUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/ldap/LDAPUnitTestCase.java 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/ldap/LDAPUnitTestCase.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -34,7 +34,7 @@
* LDAP Unit Test Case
* @author mmoyses at redhat.com
*/
-public class LDAPUnitTestCase extends OpenDSUnitTestAdapter
+public abstract class LDAPUnitTestCase extends OpenDSUnitTestAdapter
{
@Override
protected void setUp() throws Exception
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/locators/LDAPPolicyLocatorUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/locators/LDAPPolicyLocatorUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/locators/LDAPPolicyLocatorUnitTestCase.java 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,37 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.xacml.locators;
+
+import org.jboss.test.security.xacml.ldap.LDAPUnitTestCase;
+
+/**
+ * Test for the LDAP Policy Locator
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 25, 2010
+ */
+public class LDAPPolicyLocatorUnitTestCase extends LDAPUnitTestCase
+{
+ public LDAPPolicyLocatorUnitTestCase(String name)
+ {
+ super(name);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_resource_attrib_locator-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_resource_attrib_locator-config.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_resource_attrib_locator-config.xml 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,21 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:Policy>
+ <ns:Location>locators/attrib/attribLocator_policy.xml</ns:Location>
+ </ns:Policy>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
+ <ns:Locator Name="org.jboss.security.xacml.locators.attrib.LDAPResourceAttributeLocator">
+ <ns:Option Name="url">ldap://localhost:10389</ns:Option>
+ <ns:Option Name="username">cn=Directory Manager</ns:Option>
+ <ns:Option Name="password">password</ns:Option>
+ <ns:Option Name="attribute">employeeType</ns:Option>
+ <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
+ <ns:Option Name="filter">(uid={0})</ns:Option>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option>
+ <ns:Option Name="substituteValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option>
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
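Review bot: The fixture binds as `cn=Directory Manager` with a plaintext `password` over `ldap://`, which is fine for the embedded OpenDS test server but is exactly the example readers will copy into a deployment; an XML comment such as `<!-- test-only: outside tests use a read-only search account, a MASK- password with salt/iterationCount, and ldaps:// -->` above the `username` option would point at the options the locator already supports. The `{0}` placeholder in `filter` is, per the Javadoc on `LDAPCommon.search` in this commit, bound as a JNDI filter argument so the request value is escaped rather than concatenated; that is also worth a one-line comment here so the filter is not later rewritten with the value inlined.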
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_subject_attrib_locator-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_subject_attrib_locator-config.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/ldap_subject_attrib_locator-config.xml 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,21 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:Policy>
+ <ns:Location>locators/attrib/attribLocator_policy.xml</ns:Location>
+ </ns:Policy>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
+ <ns:Locator Name="org.jboss.security.xacml.locators.attrib.LDAPSubjectAttributeLocator">
+ <ns:Option Name="url">ldap://localhost:10389</ns:Option>
+ <ns:Option Name="username">cn=Directory Manager</ns:Option>
+ <ns:Option Name="password">password</ns:Option>
+ <ns:Option Name="attribute">uid</ns:Option>
+ <ns:Option Name="baseDN">dc=jboss,dc=org</ns:Option>
+ <ns:Option Name="filter">(cn={0})</ns:Option>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
+ <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
+ <ns:Option Name="substituteValue">urn:xacml:2.0:interop:example:subject:user-name</ns:Option>
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties 2010-08-25 21:30:32 UTC (rev 107791)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties 2010-08-25 21:37:26 UTC (rev 107792)
@@ -18,4 +18,5 @@
# Set the default logging level for the logger named org.jboss
org.jboss.security.xacml.sunxacml.level = FINEST
+org.opends = FINEST
com.sun.xml.bind.level = OFF
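Review bot: The added `org.opends = FINEST` line lacks the `.level` suffix that java.util.logging keys on (compare `org.jboss.security.xacml.sunxacml.level = FINEST` just above), so it sets no logger level and the OpenDS output it was meant to enable stays at the default; it should read `org.opends.level = FINEST`. Once it takes effect this turns on FINEST for the whole embedded directory server, which is verbose and may record bind operations in the test logs, so keep it confined to the test resources.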
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/ldif/ldap-attrib.ldif
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/ldif/ldap-attrib.ldif (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/ldif/ldap-attrib.ldif 2010-08-25 21:37:26 UTC (rev 107792)
@@ -0,0 +1,36 @@
+dn: dc=jboss,dc=org
+objectclass: dcObject
+objectclass: organization
+o: JBoss
+dc: JBoss
+
+dn: ou=People,dc=jboss,dc=org
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+
+dn: uid=jduke,ou=People,dc=jboss,dc=org
+objectclass: top
+objectclass: uidObject
+objectclass: person
+objectclass: inetOrgPerson
+uid: jduke
+cn: Java Duke
+sn: Duke
+userPassword: theduke
+mail: theduke at somecastle.man
+employeeType: Active
+employeeNumber: 007
+
+dn: uid=123456,ou=People,dc=jboss,dc=org
+objectclass: top
+objectclass: uidObject
+objectclass: person
+objectclass: inetOrgPerson
+uid: 123456
+cn: John Smith
+sn: Duke
+userPassword: theduke
+mail: theduke at somecastle.man
+employeeType: Active
+employeeNumber: 007
\ No newline at end of file