[jboss-cvs] JBossAS SVN: r101727 - in projects/security/security-xacml/trunk/jboss-xacml: src/main/java/org/jboss/security/xacml/locators and 8 other directories.
Tue Mar 2 12:09:14 EST 2010
Author: anil.saldhana at jboss.com
Date: 2010-03-02 12:09:13 -0500 (Tue, 02 Mar 2010)
New Revision: 101727
Added:
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/SecurityActions.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/
projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/DatabaseAttributeLocatorUnitTestCase.java
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/data_stores/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/data_stores/db.properties
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorResourceAttribute-request.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorSubjectAttribute-request.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocator_policy.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_resource_attrib_locator-config.xml
projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_subject_attrib_locator-config.xml
Modified:
projects/security/security-xacml/trunk/jboss-xacml/pom.xml
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java
projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/JBossXACMLUtil.java
Log:
SECURITY-454: db attrib locator
Modified: projects/security/security-xacml/trunk/jboss-xacml/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/pom.xml 2010-03-02 17:07:31 UTC (rev 101726)
+++ projects/security/security-xacml/trunk/jboss-xacml/pom.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -39,11 +39,6 @@
<scope>test</scope>
</dependency>
<dependency>
- <groupId>stax</groupId>
- <artifactId>stax-api</artifactId>
- <version>1.0</version>
- </dependency>
- <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
@@ -62,10 +57,16 @@
<scope>test</scope>
</dependency>
<dependency>
+ <groupId>hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>1.8.0.2</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>test</scope>
</dependency>
</dependencies>
-</project>
\ No newline at end of file
+</project>
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java 2010-03-02 17:07:31 UTC (rev 101726)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/AttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -22,6 +22,7 @@
package org.jboss.security.xacml.locators;
import java.net.URI;
+import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
@@ -31,6 +32,8 @@
import org.jboss.security.xacml.interfaces.AbstractLocator;
import org.jboss.security.xacml.jaxb.Option;
+import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
import org.jboss.security.xacml.sunxacml.finder.AttributeFinderModule;
/**
@@ -39,9 +42,8 @@
* <b>Usage:</b>
* Remember, when a policy defines an attribute and the request does not contain
* it, then the PDP will ask the AttributeLocator for a value.
- *
- * The following methods need to be overridden in your attribute locators
- * @see AttributeFinderModule#findAttribute(String, org.w3c.dom.Node, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, String)
+ *
+ * The following method needs to be overridden in your attribute locator
* @see AttributeFinderModule#findAttribute(URI, URI, URI, URI, org.jboss.security.xacml.sunxacml.EvaluationCtx, int)
*
* @author Anil.Saldhana at redhat.com
@@ -49,19 +51,19 @@
*/
public class AttributeLocator extends AttributeFinderModule implements AbstractLocator
{
- private String identifier = null;
+ protected String identifier = null;
- private boolean attributeDesignatorSupported = true;
+ protected boolean attributeDesignatorSupported = true;
- private boolean attributeSelectorSupported = true;
+ protected boolean attributeSelectorSupported = true;
- private Set<Integer> designatorTypes = new HashSet<Integer>();
+ protected Set<Integer> designatorTypes = new HashSet<Integer>();
- private Set<URI> ids = new HashSet<URI>();
+ protected Set<URI> ids = new HashSet<URI>();
- private List<Option> options = new ArrayList<Option>();
+ protected List<Option> options = new ArrayList<Option>();
- private Map<String,Object> map = new HashMap<String,Object>();
+ protected Map<String,Object> map = new HashMap<String,Object>();
public void setOptions(List<Option> options)
{
@@ -131,26 +133,82 @@
String value = (String) values.get(0);
- if(AbstractLocator.IDENTIFIER_TAG.equals(tag))
- {
- this.identifier = value;
- }
- else if(AbstractLocator.ATTRIBUTE_DESIGNATOR_SUPPORT_TAG.equals(tag))
- {
- this.attributeDesignatorSupported = Boolean.parseBoolean(value);
- }
- else if(AbstractLocator.ATTRIBUTE_SELECTOR_SUPPORT_TAG.equals(tag))
- {
- this.attributeSelectorSupported = Boolean.parseBoolean(value);
- }
- else if(AbstractLocator.ATTRIBUTE_SUPPORTED_ID_TAG.equals(tag))
- {
- this.ids.add(new URI(value));
- }
- else if(AbstractLocator.ATTRIBUTE_DESIGNATOR_INTEGER_TAG.equals(tag))
- {
- this.designatorTypes.add(Integer.parseInt(value));
- }
+ this.usePassedOption(tag, value);
}
}
+
+ /**
+ * <p>
+ * An opportunity for sub-classes to process the passed option tag and value
+ * </p>
+ * <p>
+ * <b>NOTE:</b> Subclasses should override this method and allow super class processing
+ * before their own processing in the method via the <i>super.usePassedOption()</i> call.
+ * </p>
+ * @param optionTag
+ * @param optionValue
+ */
+ protected void usePassedOption(String optionTag, String optionValue)
+ {
+ if(AbstractLocator.IDENTIFIER_TAG.equals(optionTag))
+ {
+ this.identifier = optionValue;
+ }
+ else if(AbstractLocator.ATTRIBUTE_DESIGNATOR_SUPPORT_TAG.equals(optionTag))
+ {
+ this.attributeDesignatorSupported = Boolean.parseBoolean(optionValue);
+ }
+ else if(AbstractLocator.ATTRIBUTE_SELECTOR_SUPPORT_TAG.equals(optionTag))
+ {
+ this.attributeSelectorSupported = Boolean.parseBoolean(optionValue);
+ }
+ else if(AbstractLocator.ATTRIBUTE_SUPPORTED_ID_TAG.equals(optionTag))
+ {
+ try
+ {
+ this.ids.add(new URI(optionValue));
+ }
+ catch (URISyntaxException e)
+ {
+ throw new RuntimeException("Unable to create URI:", e);
+ }
+ }
+ else if(AbstractLocator.ATTRIBUTE_DESIGNATOR_INTEGER_TAG.equals(optionTag))
+ {
+ this.designatorTypes.add(Integer.parseInt(optionValue));
+ }
+ }
+
+ /**
+ * Given an <i>option tag</i>, get the <i>option value</i>
+ * @param optionTag
+ * @return value of the option
+ */
+ protected String getOptionValue(String optionTag)
+ {
+ int index = options.indexOf(optionTag);
+ if(index > -1)
+ {
+ Option option = options.get(index);
+ if(option != null)
+ return (String) option.getContent().get(0);
+ }
+ return null;
+ }
+
+ /**
+ * Given a <code>EvaluationResult</code>, return the attribute value contained
+ * @param evalResult
+ * @param attributeType
+ * @return attribute value such as String, Integer etc.
+ */
+ protected Object getAttributeValue(EvaluationResult evalResult, URI attributeType)
+ {
+ if(evalResult != null)
+ {
+ AttributeValue attr = evalResult.getAttributeValue();
+ return attr.getValue();
+ }
+ return null;
+ }
}
\ No newline at end of file
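Review bot: `getOptionValue` calls `options.indexOf(optionTag)` with a String on a `List<Option>`, so unless `Option.equals` accepts a String the index is always -1 and the method returns null for every tag. It should iterate `options` and compare each option's name (the same attribute `setOptions` derives `tag` from, above this hunk) with `optionTag`, returning `(String) option.getContent().get(0)` on the match. `getAttributeValue` dereferences `evalResult.getAttributeValue()` without a null check; if the result is indeterminate (carries a status instead of a value, which the sunxacml EvaluationResult allows as far as I recall) this is a NullPointerException, so guard with `if(attr == null) return null;`. The `@param` tags on the new Javadoc blocks are empty; say that `optionTag` is the Name attribute of an `<Option>` element and that `getOptionValue` returns null when the option is absent. The `RuntimeException("Unable to create URI:", e)` in `usePassedOption` would be more useful with the offending option named in the message.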
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseActionAttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about an Action from the DB
+ *
+ *
+ * An example of the Locator configuration is here:
+ *
+ * <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseActionAttributeLocator"> <br/>
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option> <br/>
+ <ns:Option Name="sql">SELECT account_status FROM resource where owner_id=?;</ns:Option> <br/>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option> <br/>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option> <br/>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option> <br/>
+ <ns:Option Name="columnName">account_status</ns:Option> <br/>
+ </ns:Locator> <br/>
+
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 2, 2010
+ */
+public class DatabaseActionAttributeLocator extends DatabaseAttributeLocator
+{
+ protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
+ {
+ EvaluationResult evalResult = evaluationCtx.getActionAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
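Review bot: `getPreparedStatementPluginValue` passes `new URI(valueDataType)` and `new URI(preparedStatementValue)` straight from the options, so when either option is missing from the locator configuration the `URI` constructor throws a NullPointerException rather than the declared `URISyntaxException`, and `findAttribute` in DatabaseAttributeLocator only catches the latter; validate once, e.g. `if(valueDataType == null || preparedStatementValue == null) throw new IllegalStateException("valueDataType and preparedStatementValue options are required");`. The method implements the superclass's abstract method but carries no `@Override`. The class Javadoc's example configuration is the resource-locator one (a `resource` table keyed by `owner-id`) rather than an Action attribute, so it does not show how this locator is meant to be configured. The same points apply to the DatabaseEnvAttributeLocator and DatabaseSubjectAttributeLocator hunks below, and the null check and `@Override` to DatabaseResourceAttributeLocator as well.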
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseAttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,266 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashSet;
+import java.util.Properties;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.sql.DataSource;
+
+import org.jboss.security.xacml.locators.AttributeLocator;
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+import org.jboss.security.xacml.util.JBossXACMLUtil;
+
+/**
+ * An attribute locator that gets the attributes from the DB
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 1, 2010
+ */
+public abstract class DatabaseAttributeLocator extends AttributeLocator
+{
+ private static Logger log = Logger.getLogger(DatabaseAttributeLocator.class.getName());
+
+ //JNDI name to look for the data source
+ protected String dsJNDIName = null;
+
+ //Name of the file containing the DB connection information for jdbc
+ protected String dbFileName = null;
+
+ //The Prepared Statement SQL
+ protected String sqlStatement = null;
+
+ //The Prepared Statement plugin Value
+ protected String preparedStatementValue = null;
+
+ //The data type of the prepared statement plugin value
+ protected String valueDataType = null;
+
+ //Column Name to be returned as part of the sql statement
+ protected String columnName = null;
+
+ //Constants
+ public static final String DS_JNDI_NAME = "DATASOURCE_JNDI_NAME";
+
+ public static final String DB_FILE_NAME = "DATABASE_FILE_NAME";
+
+ public DatabaseAttributeLocator()
+ {
+ this.attributeDesignatorSupported = true;
+ this.attributeSelectorSupported = true;
+
+ this.designatorTypes.add(Integer.valueOf(0));
+ this.designatorTypes.add(Integer.valueOf(1));
+ this.designatorTypes.add(Integer.valueOf(2));
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public EvaluationResult findAttribute(URI attributeType, URI attributeId, URI issuer, URI subjectCategory,
+ EvaluationCtx context, int designatorType)
+ {
+ if(ids.contains(attributeId) == false)
+ {
+ if(attributeType != null)
+ return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));
+ else
+
+ return new EvaluationResult(BagAttribute.createEmptyBag(attributeId));
+ }
+
+ Object columnValue = null;
+ //Do DB stuff here
+ Connection connection = getConnection();
+
+ PreparedStatement statement = null;
+ ResultSet resultSet = null;
+
+ try
+ {
+ statement = connection.prepareStatement(sqlStatement);
+
+ Object pluginValue = null;
+ try
+ {
+ pluginValue = getPreparedStatementPluginValue(context, attributeType);
+ }
+ catch (URISyntaxException e)
+ {
+ throw new RuntimeException(e);
+ }
+ statement.setObject(1, pluginValue);
+
+ statement.addBatch();
+ connection.setAutoCommit(false);
+ resultSet = statement.executeQuery();
+ connection.setAutoCommit(true);
+
+ while (resultSet.next())
+ {
+ columnValue = resultSet.getObject(columnName);
+ break;
+ }
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException(e);
+ }
+ finally
+ {
+ try
+ {
+ if(resultSet != null)
+ resultSet.close();
+ }
+ catch (SQLException e)
+ {}
+
+ try
+ {
+ if(statement != null)
+ statement.close();
+ }
+ catch (SQLException e)
+ {}
+
+ try
+ {
+ if(connection != null)
+ connection.close();
+ }
+ catch (SQLException e)
+ {
+ }
+ }
+ Set bagSet = new HashSet();
+ bagSet.add(JBossXACMLUtil.getAttributeValue(columnValue));
+
+ return new EvaluationResult(new BagAttribute(attributeType, bagSet));
+ }
+
+
+ @Override
+ protected void usePassedOption(String optionTag, String optionValue)
+ {
+ super.usePassedOption(optionTag, optionValue);
+
+ if(DS_JNDI_NAME.equals(optionTag))
+ {
+ this.dsJNDIName = optionValue;
+ }
+ if(DB_FILE_NAME.equals(optionTag))
+ {
+ this.dbFileName = optionValue;
+ }
+ if("sql".equals(optionTag))
+ {
+ this.sqlStatement = optionValue;
+ }
+ if("preparedStatementValue".equals(optionTag))
+ {
+ this.preparedStatementValue = optionValue;
+ }
+ if("valueDataType".equals(optionTag))
+ {
+ this.valueDataType = optionValue;
+ }
+ if("columnName".equals(optionTag))
+ {
+ this.columnName = optionValue;
+ }
+ }
+
+ protected Connection getConnection()
+ {
+ Connection connection = null;
+ if(dsJNDIName != null)
+ {
+ try
+ {
+ Context ctx = new InitialContext();
+ DataSource ds = (DataSource) ctx.lookup(dsJNDIName);
+ connection = ds.getConnection();
+ }
+ catch(Exception e)
+ {
+ if(log.isLoggable(Level.FINE))
+ log.fine("Error looking up connection via Datasource:" + e.getLocalizedMessage());
+ }
+ }
+ if(connection == null && dbFileName != null)
+ {
+ Properties props = new Properties();
+ ClassLoader tcl = SecurityActions.getContextClassLoader();
+ try
+ {
+ props.load(tcl.getResourceAsStream(dbFileName));
+ }
+ catch (IOException e)
+ {
+ throw new RuntimeException("Error loading DB file", e);
+ }
+
+ try
+ {
+ Class.forName(props.getProperty("driverName"));
+ }
+ catch (ClassNotFoundException e)
+ {
+ throw new RuntimeException("DB Driver not found:",e);
+ }
+ try
+ {
+ connection = DriverManager.getConnection(props.getProperty("connectionURL"));
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("Cannot get DB Connection:",e);
+ }
+ }
+ return connection;
+ }
+
+ /**
+ * <p>
+ * Get the value to be plugged into the PreparedStatement using the <code>EvaluationCtx</code>
+ * </p>
+ * @param evaluationCtx
+ * @param attributeType
+ * @return
+ * @throws URISyntaxException
+ */
+ protected abstract Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException;
+}
\ No newline at end of file
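Review bot: When the query returns no row, `columnValue` stays null and `JBossXACMLUtil.getAttributeValue(columnValue)` throws IllegalArgumentException (per its implementation in this commit), so an attribute that is simply absent from the DB surfaces as an exception out of the PDP instead of an empty bag; before building `bagSet` add `if(columnValue == null) return new EvaluationResult(BagAttribute.createEmptyBag(attributeType));`. `getConnection()` can also return null — a JNDI lookup failure is caught as `Exception` and only logged at FINE, and `dbFileName` may be unset — after which `connection.prepareStatement(sqlStatement)` fails with a NullPointerException that hides the real cause; check for null there and throw an IllegalStateException naming the locator, and log the JNDI failure with its cause at WARNING rather than swallowing it. In `getConnection()` the stream from `tcl.getResourceAsStream(dbFileName)` is passed to `props.load` without a null check (a missing resource becomes a NullPointerException rather than a clear message) and is never closed. `statement.addBatch()` before `executeQuery()` and the autoCommit toggling around a SELECT are unnecessary and driver-dependent; dropping both keeps the lookup on the plain prepared-statement path, which is what keeps the configured `sql` safe from the `?` value.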
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseEnvAttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,55 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about Environment from the DB
+ *
+ * An example of the Locator configuration is here:
+ *
+ * <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseEnvAttributeLocator"> <br/>
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option> <br/>
+ <ns:Option Name="sql">SELECT account_status FROM resource where owner_id=?;</ns:Option> <br/>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option> <br/>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option> <br/>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option> <br/>
+ <ns:Option Name="columnName">account_status</ns:Option> <br/>
+ </ns:Locator> <br/>
+
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 2, 2010
+ */
+public class DatabaseEnvAttributeLocator extends DatabaseAttributeLocator
+{
+ protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
+ {
+ EvaluationResult evalResult = evaluationCtx.getEnvironmentAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseResourceAttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,55 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about the resource from the DB
+ *
+ * An example of the Locator configuration is here:
+ *
+ * <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseResourceAttributeLocator"> <br/>
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option> <br/>
+ <ns:Option Name="sql">SELECT account_status FROM resource where owner_id=?;</ns:Option> <br/>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option> <br/>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option> <br/>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option> <br/>
+ <ns:Option Name="columnName">account_status</ns:Option> <br/>
+ </ns:Locator> <br/>
+
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 2, 2010
+ */
+public class DatabaseResourceAttributeLocator extends DatabaseAttributeLocator
+{
+ protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
+ {
+ EvaluationResult evalResult = evaluationCtx.getResourceAttribute(new URI(valueDataType), new URI(preparedStatementValue), null);
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/DatabaseSubjectAttributeLocator.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,59 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.jboss.security.xacml.sunxacml.EvaluationCtx;
+import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+
+/**
+ * Locates an attribute about the subject from the DB
+ *
+ * An example of the Locator configuration is here:
+ *
+ * <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseSubjectAttributeLocator"> <br/>
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option> <br/>
+ <ns:Option Name="sql">SELECT account_status FROM resource where owner_id=?;</ns:Option> <br/>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option> <br/>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option> <br/>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option> <br/>
+ <ns:Option Name="columnName">account_status</ns:Option> <br/>
+ </ns:Locator> <br/>
+
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 2, 2010
+ */
+public class DatabaseSubjectAttributeLocator extends DatabaseAttributeLocator
+{
+ protected Object getPreparedStatementPluginValue(EvaluationCtx evaluationCtx, URI attributeType) throws URISyntaxException
+ {
+ String category = AttributeDesignator.SUBJECT_CATEGORY_DEFAULT;
+
+ EvaluationResult evalResult = evaluationCtx.getSubjectAttribute(new URI(valueDataType), new URI(preparedStatementValue),
+ new URI(category));
+
+ return this.getAttributeValue(evalResult, attributeType);
+ }
+}
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/SecurityActions.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/SecurityActions.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/locators/attrib/SecurityActions.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,51 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.xacml.locators.attrib;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+
+/**
+ * Privileged Blocks
+ * @author Anil.Saldhana at redhat.com
+ * @since Jul 10, 2007
+ * @version $Revision$
+ */
+class SecurityActions
+{
+ /**
+ * Obtain the Thread Context ClassLoader
+ * @return
+ */
+ static ClassLoader getContextClassLoader()
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
+ {
+ public ClassLoader run()
+ {
+ return Thread.currentThread().getContextClassLoader();
+ }
+ });
+ }
+
+}
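Review bot: The `@return` tag on `getContextClassLoader` is empty; `@return the context class loader of the calling thread, which may be null if it was explicitly cleared` states what the privileged block yields. Callers should check for null before using the loader, which DatabaseAttributeLocator.getConnection in this commit does not do before calling `getResourceAsStream`.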
Modified: projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/JBossXACMLUtil.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/JBossXACMLUtil.java 2010-03-02 17:07:31 UTC (rev 101726)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/main/java/org/jboss/security/xacml/util/JBossXACMLUtil.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -23,9 +23,15 @@
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
+import java.util.Date;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.ResponseContext;
+import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
+import org.jboss.security.xacml.sunxacml.attr.BooleanAttribute;
+import org.jboss.security.xacml.sunxacml.attr.DateAttribute;
+import org.jboss.security.xacml.sunxacml.attr.IntegerAttribute;
+import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -61,4 +67,35 @@
return element;
}
+ /**
+ * <p>
+ * Given a value, construct an <code>AttributeValue</code>
+ * depending on the type of object
+ * @param value
+ * @return
+ */
+ public static AttributeValue getAttributeValue(Object value)
+ {
+ if(value == null)
+ throw new IllegalArgumentException("value passed is null");
+
+ if(value instanceof String)
+ return new StringAttribute((String) value);
+
+ if(value instanceof Integer)
+ return new IntegerAttribute((Integer) value);
+
+ if(value instanceof Boolean)
+ {
+ Boolean boolVal = (Boolean)value;
+ return BooleanAttribute.getInstance(boolVal);
+ }
+
+ if(value instanceof Date)
+ {
+ return new DateAttribute((Date) value);
+ }
+
+ throw new RuntimeException("unrecognized attribute value:" + value);
+ }
}
\ No newline at end of file
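Review bot: The fall-through at the end of getAttributeValue throws a bare `RuntimeException`, while the null check a few lines above throws `IllegalArgumentException`; both are caller errors and should use the same type so callers can catch one exception class: `throw new IllegalArgumentException("unrecognized attribute value:" + value);`. The new method's Javadoc has an empty `@return`; it should name the mapping, e.g. `@return a StringAttribute, IntegerAttribute, BooleanAttribute or DateAttribute chosen by the runtime type of value`, and note `@throws IllegalArgumentException if value is null or of an unsupported type`. The Integer branch relies on unboxing into IntegerAttribute's numeric constructor; if that constructor takes a long (I cannot see it here), `Long` would be a natural one-line addition to the same branch, otherwise it currently falls to the exception.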
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/DatabaseAttributeLocatorUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/DatabaseAttributeLocatorUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/test/xacml/attriblocators/DatabaseAttributeLocatorUnitTestCase.java 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,155 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.test.xacml.attriblocators;
+
+import java.io.InputStream;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.xacml.core.JBossPDP;
+import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
+import org.jboss.security.xacml.interfaces.ResponseContext;
+import org.jboss.security.xacml.interfaces.XACMLConstants;
+import org.jboss.test.security.xacml.factories.util.XACMLTestUtil;
+
+/**
+ * Unit test the <code>DatabaseAttributeLocator</code>
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 1, 2010
+ */
+public class DatabaseAttributeLocatorUnitTestCase extends TestCase
+{
+ @Override
+ protected void setUp() throws Exception
+ {
+ Connection connection = null;
+ try
+ {
+ Class.forName("org.hsqldb.jdbcDriver");
+ }
+ catch (ClassNotFoundException e)
+ {
+ throw new RuntimeException("DB Driver not found:",e);
+ }
+ try
+ {
+ connection = DriverManager.getConnection("jdbc:hsqldb:target/XACMLDBAttributeLocator");
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("Cannot get DB Connection:",e);
+ }
+
+ Statement statement = null;
+
+ try
+ {
+ statement = connection.createStatement();
+ statement.executeUpdate("DROP TABLE IF EXISTS resource;");
+ statement.executeUpdate("CREATE TABLE resource(name VARCHAR, owner_id VARCHAR, account_status VARCHAR)");
+ PreparedStatement prep = connection.prepareStatement(
+ "INSERT INTO resource VALUES (?, ?, ?);");
+
+ prep.setString(1, "John Smith");
+ prep.setString(2, "123456");
+ prep.setString(3, "Active");
+ prep.addBatch();
+ connection.setAutoCommit(false);
+ prep.executeBatch();
+ connection.setAutoCommit(true);
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("SQL Exception in setting up DB:", e);
+ }
+
+ try
+ {
+ statement.close();
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("SQL Exception in closing DB connections:", e);
+ }
+
+ try
+ {
+ statement = connection.createStatement();
+ statement.executeUpdate("DROP TABLE IF EXISTS subject;");
+ statement.executeUpdate("CREATE TABLE subject(name VARCHAR, subject_id VARCHAR)");
+ PreparedStatement prep = connection.prepareStatement(
+ "INSERT INTO subject VALUES (?, ?);");
+
+ prep.setString(1, "John Smith");
+ prep.setString(2, "123456");
+ prep.addBatch();
+ connection.setAutoCommit(false);
+ prep.executeBatch();
+ connection.setAutoCommit(true);
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("SQL Exception in setting up DB:", e);
+ }
+
+ try
+ {
+ statement.close();
+ connection.close();
+ }
+ catch (SQLException e)
+ {
+ throw new RuntimeException("SQL Exception in closing DB connections:", e);
+ }
+
+
+ }
+
+ public void testPDPUsingDatabaseResourceAttributeLocator() throws Exception
+ {
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ InputStream is = tcl.getResourceAsStream("locators/attrib/db_resource_attrib_locator-config.xml");
+ assertNotNull("Inputstream is not null?", is);
+ PolicyDecisionPoint pdp = new JBossPDP(is);
+ ResponseContext response = XACMLTestUtil.getResponse(pdp,"locators/attrib/attribLocatorResourceAttribute-request.xml");
+ int decision = response.getDecision();
+ assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+ }
+
+ public void testPDPUsingDatabaseSubjectAttributeLocator() throws Exception
+ {
+ ClassLoader tcl = Thread.currentThread().getContextClassLoader();
+
+ InputStream is = tcl.getResourceAsStream("locators/attrib/db_subject_attrib_locator-config.xml");
+ assertNotNull("Inputstream is not null?", is);
+ PolicyDecisionPoint pdp = new JBossPDP(is);
+ ResponseContext response = XACMLTestUtil.getResponse(pdp,"locators/attrib/attribLocatorSubjectAttribute-request.xml");
+ int decision = response.getDecision();
+ assertEquals("PERMIT?", XACMLConstants.DECISION_PERMIT,decision);
+ }
+}
\ No newline at end of file
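Review bot: setUp leaks JDBC resources on its failure paths: when `createStatement` or an `executeUpdate` throws, the `catch (SQLException e)` blocks rethrow while `connection` (and, in the second block, `statement`) stays open, and the two `PreparedStatement` objects bound to `prep` are never closed on any path. Because the HSQLDB file store under `target/` is shared by both test methods, a connection abandoned with `setAutoCommit(false)` still in effect can leave the table setup uncommitted for whichever test runs next. Each table-setup block should close `prep`, `statement` and finally `connection` in a try/finally regardless of outcome (the file is pre-Java 7 style, so try-with-resources is not an option); the driver lookup and the `RuntimeException` wrapping can stay as they are. The two test methods likewise obtain `is` from `getResourceAsStream` and never close it.
```java
Connection connection = DriverManager.getConnection("jdbc:hsqldb:target/XACMLDBAttributeLocator");
try
{
   Statement statement = connection.createStatement();
   PreparedStatement prep = null;
   try
   {
      statement.executeUpdate("DROP TABLE IF EXISTS resource;");
      statement.executeUpdate("CREATE TABLE resource(name VARCHAR, owner_id VARCHAR, account_status VARCHAR)");
      prep = connection.prepareStatement("INSERT INTO resource VALUES (?, ?, ?);");
      // … unchanged: parameter binding, addBatch, autocommit toggling, executeBatch …
   }
   finally
   {
      if (prep != null) prep.close();
      statement.close();
   }
   // … unchanged: subject table setup, wrapped in the same try/finally shape …
}
finally
{
   connection.close();
}
```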
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/data_stores/db.properties
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/data_stores/db.properties (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/data_stores/db.properties 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,2 @@
+driverName=org.hsqldb.jdbcDriver
+connectionURL=jdbc:hsqldb:target/XACMLDBAttributeLocator
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorResourceAttribute-request.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorResourceAttribute-request.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorResourceAttribute-request.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xacml-context:Request
+ xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
+ http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Subject
+ SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>123456</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:user-name"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>John Smith</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"
+ Issuer="xacml20.interop.com">
+ <AttributeValue>1000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"
+ Issuer="xacml20.interop.com">
+ <AttributeValue>1</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>false</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>false</AttributeValue>
+ </Attribute>
+ </Subject>
+ <Resource>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>CustomerAccount</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>123456</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-name"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>John Smith</AttributeValue>
+ </Attribute>
+
+ <!-- WE GET THIS VIA THE ATTRIBUTE LOCATOR
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>Active</AttributeValue>
+ </Attribute>
+ -->
+
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>15000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>10000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>10000</AttributeValue>
+ </Attribute>
+ </Resource>
+ <Action>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>Buy</AttributeValue>
+ </Attribute>
+ </Action>
+ <Environment/>
+</xacml-context:Request>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorSubjectAttribute-request.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorSubjectAttribute-request.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocatorSubjectAttribute-request.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xacml-context:Request
+ xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation=" urn:oasis:names:tc:xacml:2.0:context:schema:os
+ http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
+ <Subject
+ SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
+
+ <!-- WE GET THIS VIA THE SUBJECT ATTRIBUTE LOCATOR
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>123456</AttributeValue>
+ </Attribute>
+ -->
+
+
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:user-name"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>John Smith</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"
+ Issuer="xacml20.interop.com">
+ <AttributeValue>1000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"
+ Issuer="xacml20.interop.com">
+ <AttributeValue>1</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-credit-ext-approval"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>false</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:subject:req-trade-approval"
+ DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="xacml20.interop.com">
+ <AttributeValue>false</AttributeValue>
+ </Attribute>
+ </Subject>
+ <Resource>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>CustomerAccount</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>123456</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:owner-name"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>John Smith</AttributeValue>
+ </Attribute>
+
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>Active</AttributeValue>
+ </Attribute>
+
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>15000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>10000</AttributeValue>
+ </Attribute>
+ <Attribute AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer">
+ <AttributeValue>10000</AttributeValue>
+ </Attribute>
+ </Resource>
+ <Action>
+ <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string">
+ <AttributeValue>Buy</AttributeValue>
+ </Attribute>
+ </Action>
+ <Environment/>
+</xacml-context:Request>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocator_policy.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocator_policy.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/attribLocator_policy.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,176 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Policy
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+ http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
+ PolicyId="urn:xacml:2.0:interop:example:policyid:02"
+ RuleCombiningAlgId=
+ "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Description>
+ XACML 2.0 Interop Example Policy 02: Only allow a customer whose id matches the
+ account owner-id to access the account and only if the account status is active.
+ Only allow trades that have value within credit-line and trade-limit restrictions.
+ </Description>
+ <Target/>
+ <VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:01.2">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <ResourceAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:resource:owner-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </VariableDefinition>
+ <VariableDefinition VariableId="urn:xacml:2.0:interop:example:variableid:02">
+ <!-- Function to evaluate: -->
+ <!-- ((buy-num-shares x buy-offer-price) lt -->
+ <!-- (credit-line - current-credit) ) and -->
+ <!-- ((buy-num-shares x buy-offer-price) lt trade-limit) -->
+ <!-- If both the above expressions true, then Request within limits -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId=
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <ResourceAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:resource:credit-line"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <ResourceAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:resource:current-credit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ <Apply FunctionId=
+ "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-multiply">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:subject:buy-num-shares"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:subject:buy-offer-price"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
+ <ResourceAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:resource:trade-limit"
+ DataType="http://www.w3.org/2001/XMLSchema#integer"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ </VariableDefinition>
+ <Rule RuleId="urn:xacml:2.0:interop:example:ruleid:02"
+ Effect="Permit">
+ <Description>
+ XACML 2.0 Interop Example Rule 02: Only allow a customer whose id matches the
+ account owner-id to access the account and only if the account status is active.
+ </Description>
+ <Target>
+ <!-- This rule permits access to CustomerAccount resources -->
+ <Resources>
+ <!-- CustomerAccount -->
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string"
+ >CustomerAccount</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ <!-- Account must have Active status -->
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string"
+ >Active</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:xacml:2.0:interop:example:resource:account-status"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ <!-- This rule only applies to the ViewAccount action -->
+ <Actions>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string"
+ >Buy</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
+ </Actions>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:01.2"/>
+ <VariableReference VariableId="urn:xacml:2.0:interop:example:variableid:02"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule RuleId="urn:xacml:2.0:interop:example:ruleid:deny02" Effect="Deny">
+ <Description>
+ This Policy is permit-overrides, therefore if a rule above evaluated to
+ Permit this Rule will be skipped. However, if no Permit was obtained, this
+ Rule evaluates to true and so produces a Deny. Therefore evaluation of this
+ Policy results in either a Permit or Deny which is the intended effect.
+ </Description>
+ <Target/>
+ </Rule>
+ <Obligations>
+ <!-- These obligations tell PEP to provide specific data items to the response -->
+ <!-- This obligation says provide the xacml:Decision data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
+ FulfillOn="Permit"/>
+ <!-- This obligation says provide the xacml:StatusCode data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
+ FulfillOn="Permit"/>
+ <!-- This obligation says provide the xacml:StatusMessage data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
+ FulfillOn="Permit"/>
+ <!-- This obligation says provide the xacml:Decision data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:decision"
+ FulfillOn="Deny"/>
+ <!-- This obligation says provide the xacml:StatusCode data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:status-code"
+ FulfillOn="Deny"/>
+ <!-- This obligation says provide the xacml:StatusMessage data to the response -->
+ <Obligation
+ ObligationId="urn:xacml:2.0:interop:example:obligation:status-message"
+ FulfillOn="Deny"/>
+ </Obligations>
+</Policy>
\ No newline at end of file
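Review bot: The comment `<!-- This rule only applies to the ViewAccount action -->` above the Actions element is wrong for this policy: the ActionMatch below it compares action-id against `Buy`, so a reader checking which action the Permit rule covers is misled. It should read `<!-- This rule only applies to the Buy action -->`. The comment block in the second VariableDefinition likewise describes both comparisons as `lt`, while the functions used are `integer-less-than-or-equal`; writing `le` (or "less than or equal") there would make the documented formula match what the PDP evaluates.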
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_resource_attrib_locator-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_resource_attrib_locator-config.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_resource_attrib_locator-config.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,18 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:Policy>
+ <ns:Location>locators/attrib/attribLocator_policy.xml</ns:Location>
+ </ns:Policy>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
+ <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseResourceAttributeLocator">
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option>
+ <ns:Option Name="sql">SELECT account_status FROM resource where owner_id=?;</ns:Option>
+ <ns:Option Name="attributeSupportedId">urn:xacml:2.0:interop:example:resource:account-status</ns:Option>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:resource:owner-id</ns:Option>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
+ <ns:Option Name="columnName">account_status</ns:Option>
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
Added: projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_subject_attrib_locator-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_subject_attrib_locator-config.xml (rev 0)
+++ projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/locators/attrib/db_subject_attrib_locator-config.xml 2010-03-02 17:09:13 UTC (rev 101727)
@@ -0,0 +1,18 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:Policy>
+ <ns:Location>locators/attrib/attribLocator_policy.xml</ns:Location>
+ </ns:Policy>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator"/>
+ <ns:Locator Name="org.jboss.security.xacml.locators.attrib.DatabaseSubjectAttributeLocator">
+ <ns:Option Name="DATABASE_FILE_NAME">data_stores/db.properties</ns:Option>
+ <ns:Option Name="sql">SELECT subject_id FROM subject where name=?;</ns:Option>
+ <ns:Option Name="attributeSupportedId">urn:oasis:names:tc:xacml:1.0:subject:subject-id</ns:Option>
+ <ns:Option Name="preparedStatementValue">urn:xacml:2.0:interop:example:subject:user-name</ns:Option>
+ <ns:Option Name="valueDataType">http://www.w3.org/2001/XMLSchema#string</ns:Option>
+ <ns:Option Name="columnName">subject_id</ns:Option>
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file