[jboss-cvs] Picketbox SVN: r104 - in trunk/security-jboss-sx/jbosssx/src: test/java/org/jboss/test/authorization/xacml and 1 other directories.
jboss-cvs-commits at lists.jboss.org
Fri Sep 10 16:07:20 EDT 2010
Author: anil.saldhana at jboss.com
Date: 2010-09-10 16:07:19 -0400 (Fri, 10 Sep 2010)
New Revision: 104
Modified:
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLUtil.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/resources/authorization/xacml/jboss-xacml-ejb-policy.xml
Log:
SECURITY-519: EJBXACMLUtil should consider overloaded methods
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java 2010-08-12 15:51:40 UTC (rev 103)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java 2010-09-10 20:07:19 UTC (rev 104)
@@ -111,7 +111,7 @@
try
{
RequestContext requestCtx = util.createXACMLRequest(this.ejbName,
- this.ejbMethod.getName(),this.ejbPrincipal, callerRoles);
+ this.ejbMethod, this.ejbPrincipal, callerRoles);
PolicyDecisionPoint pdp = util.getPDP(policyRegistration, this.policyContextID);
if(pdp == null)
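Review bot: `this.ejbMethod` is passed to `util.createXACMLRequest` with no null check, and the new `Method` overload dereferences it immediately via `ejbMethod.getName()`, so an EJBResource with no method set now fails with a bare NullPointerException inside EJBXACMLUtil rather than a message naming the missing field. Unless the delegate validates the field earlier (not visible in this hunk), a guard such as `if (this.ejbMethod == null) throw new IllegalArgumentException("ejbMethod is null");` before the call would mirror the `principal is null` check EJBXACMLUtil already performs. The enclosing try block continues beyond the hunk.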
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLUtil.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLUtil.java 2010-08-12 15:51:40 UTC (rev 103)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLUtil.java 2010-09-10 20:07:19 UTC (rev 104)
@@ -22,6 +22,8 @@
package org.jboss.security.authorization.modules.ejb;
import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.lang.reflect.Method;
import java.security.Principal;
import java.util.List;
@@ -52,75 +54,160 @@
{
private static Logger log = Logger.getLogger(EJBXACMLUtil.class);
private boolean trace = log.isTraceEnabled();
-
+
+ public RequestContext createXACMLRequest( String ejbName, Method ejbMethod, Principal principal, RoleGroup callerRoles )
+ throws Exception
+ {
+ String action = ejbMethod.getName();
+
+ //Let us look at the number of arguments
+ Class<?>[] paramTypes = ejbMethod.getParameterTypes();
+ if( paramTypes.length == 0 )
+ return this.createXACMLRequest(ejbName, action, principal, callerRoles );
+
+ StringBuilder builder = new StringBuilder( "(" );
+ int i = 0;
+ for( Class<?> paramClass: paramTypes )
+ {
+ if( i > 0 )
+ builder.append( "," );
+ builder.append( paramClass.getSimpleName() );
+ i++;
+ }
+
+ builder.append( ")" );
+
+ //Create an action type
+ ActionType actionType = getActionType( action + builder.toString() );
+ //actionType.
+
+ RequestContext requestCtx = this.getRequestContext( ejbName, actionType, principal, callerRoles );
+
+ if(trace)
+ {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ requestCtx.marshall(baos);
+ log.trace(new String(baos.toByteArray()));
+ }
+ return requestCtx;
+ }
+
+ /**
+ *
+ * @param ejbName
+ * @param methodName
+ * @param principal
+ * @param callerRoles
+ * @return
+ * @throws Exception
+ */
public RequestContext createXACMLRequest(String ejbName, String methodName,
Principal principal, RoleGroup callerRoles) throws Exception
{
+ String action = methodName;
+ //Create an action type
+ ActionType actionType = getActionType( action );
+
+ RequestContext requestCtx = this.getRequestContext(ejbName, actionType, principal, callerRoles);
+
+ if(trace)
+ {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ requestCtx.marshall(baos);
+ log.trace(new String(baos.toByteArray()));
+ }
+ return requestCtx;
+ }
+
+ private RequestContext getRequestContext( String ejbName, ActionType actionType,
+ Principal principal, RoleGroup callerRoles ) throws IOException
+ {
if(principal == null)
- throw new IllegalArgumentException("principal is null");
+ throw new IllegalArgumentException("principal is null");
- String action = methodName;
-
RequestContext requestCtx = RequestResponseContextFactory.createRequestCtx();
//Create a subject type
- SubjectType subject = new SubjectType();
- subject.getAttribute().add(
- RequestAttributeFactory.createStringAttributeType(
- XACMLConstants.ATTRIBUTEID_SUBJECT_ID, "jboss.org",
- principal.getName()));
+ SubjectType subject = this.getSubjectType( principal, callerRoles );
- List<Role> rolesList = callerRoles.getRoles();
- if(rolesList != null)
- {
- for(Role role:rolesList)
- {
- String roleName = role.getRoleName();
- AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType(
- XACMLConstants.ATTRIBUTEID_ROLE, "jboss.org", roleName);
- subject.getAttribute().add(attSubjectID);
- }
- }
-
//Create a resource type
- ResourceType resourceType = new ResourceType();
- resourceType.getAttribute().add(
- RequestAttributeFactory.createStringAttributeType(
- XACMLConstants.ATTRIBUTEID_RESOURCE_ID,
- null,
- ejbName));
+ ResourceType resourceType = getResourceType( ejbName );
- //Create an action type
- ActionType actionType = new ActionType();
- actionType.getAttribute().add(
- RequestAttributeFactory.createStringAttributeType(
- XACMLConstants.ATTRIBUTEID_ACTION_ID,
- "jboss.org",
- action));
-
//Create an Environment Type (Optional)
- EnvironmentType environmentType = new EnvironmentType();
- environmentType.getAttribute().add(
- RequestAttributeFactory.createDateTimeAttributeType(
- XACMLConstants.ATTRIBUTEID_CURRENT_TIME, null));
+ EnvironmentType environmentType = getEnvironmentType();
//Create a Request Type
+ RequestType requestType = getRequestType( subject, resourceType, actionType, environmentType );
+
+ requestCtx.setRequest( requestType );
+
+ return requestCtx;
+ }
+
+ private RequestType getRequestType(SubjectType subject, ResourceType resourceType, ActionType actionType,
+ EnvironmentType environmentType)
+ {
RequestType requestType = new RequestType();
requestType.getSubject().add(subject);
requestType.getResource().add(resourceType);
requestType.setAction(actionType);
requestType.setEnvironment(environmentType);
+ return requestType;
+ }
- requestCtx.setRequest(requestType);
+ private EnvironmentType getEnvironmentType()
+ {
+ EnvironmentType environmentType = new EnvironmentType();
+ environmentType.getAttribute().add(
+ RequestAttributeFactory.createDateTimeAttributeType(
+ XACMLConstants.ATTRIBUTEID_CURRENT_TIME, null));
+ return environmentType;
+ }
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ private ActionType getActionType(String action)
+ {
+ String actionID_NS = XACMLConstants.ATTRIBUTEID_ACTION_ID;
+
+ AttributeType actionAttribute = RequestAttributeFactory.createStringAttributeType( actionID_NS , "jboss.org", action );
+ ActionType actionType = new ActionType();
+ actionType.getAttribute().add( actionAttribute );
+ return actionType;
+ }
- if(trace)
- {
- requestCtx.marshall(baos);
- log.trace(new String(baos.toByteArray()));
- }
- return requestCtx;
- }
-
+ private ResourceType getResourceType(String ejbName)
+ {
+ String resourceID_NS = XACMLConstants.ATTRIBUTEID_RESOURCE_ID;
+
+ ResourceType resourceType = new ResourceType();
+ AttributeType resourceAttribute = RequestAttributeFactory.createStringAttributeType( resourceID_NS, null, ejbName );
+ resourceType.getAttribute().add( resourceAttribute );
+ return resourceType;
+ }
+
+ private SubjectType getSubjectType( Principal principal, RoleGroup callerRoles )
+ {
+ String subjectID_NS = XACMLConstants.ATTRIBUTEID_SUBJECT_ID;
+ String roleID_NS = XACMLConstants.ATTRIBUTEID_ROLE;
+ String principalName = principal.getName();
+
+ //Create a subject type
+ SubjectType subject = new SubjectType();
+ AttributeType attribute = RequestAttributeFactory.createStringAttributeType( subjectID_NS, "jboss.org", principalName );
+
+ subject.getAttribute().add( attribute );
+
+ List<Role> rolesList = callerRoles.getRoles();
+ if(rolesList != null)
+ {
+ for(Role role:rolesList)
+ {
+ String roleName = role.getRoleName();
+ AttributeType attSubjectID = RequestAttributeFactory.createStringAttributeType( roleID_NS , "jboss.org", roleName );
+ subject.getAttribute().add(attSubjectID);
+ }
+ }
+ return subject;
+ }
}
\ No newline at end of file
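Review bot: The action-id assembled in the loop at `builder.append( paramClass.getSimpleName() )` uses simple class names, so two overloads whose parameter types differ only by package (for example `java.util.Date` versus `java.sql.Date`) yield the same action string, and a policy rule written to permit one of them also permits the other; either use `paramClass.getCanonicalName()` together with a matching ActionMatch value in jboss-xacml-ejb-policy.xml, or state the limitation where policy authors will read it. The empty Javadoc above the `String methodName` overload, and the new `Method` overload, should document the contract, e.g. `Builds the XACML action-id as methodName(SimpleType1,SimpleType2,...) with no spaces; a no-arg method uses the bare method name, so overloads whose parameter types share a simple name are not distinguished.` The leftover `//actionType.` line after `getActionType( action + builder.toString() )` should be deleted. The trace block is now duplicated in both overloads and decodes the marshalled request with the platform default charset; moving it once into `getRequestContext` as `log.trace(baos.toString("UTF-8"))` covers both callers with a fixed encoding.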
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2010-09-10 20:07:19 UTC (rev 104)
@@ -133,15 +133,75 @@
assertEquals(AuthorizationContext.DENY, res);
}
- private EJBResource getEJBResource(PolicyRegistration policyRegistration)
+ /**
+ * Test whether the EJBXACMLPolicyDelegate will permit calls to particular overloaded method
+ *
+ * NOTE: the policy only provides success for <i> public void largeMethod( String a, int[] b, String[] c ) </i>
+ * @throws Exception
+ */
+ public void testEJBOverloadedMethodsSuccessCase() throws Exception
{
+ EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
+
+ PolicyRegistration policyRegistration = new JBossPolicyRegistration();
+ registerPolicy(policyRegistration);
+
HashMap<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.POLICY_REGISTRATION, policyRegistration);
EJBResource er = new EJBResource(map);
er.setEjbName("StatelessSession");
- er.setEjbMethod(StatelessSession.class.getMethods()[0]);
+ er.setEjbMethod(StatelessSession.class.getDeclaredMethod( "largeMethod", new Class[] { String.class, int[].class,
+ String[].class } ));
+
er.setPrincipal(p);
+
+ er.setPolicyContextID(contextID);
+ int res = pc.authorize(er, new Subject(), getRoleGroup());
+ assertEquals(AuthorizationContext.PERMIT, res);
+ }
+
+ /**
+ * Test whether the EJBXACMLPolicyDelegate will deny calls to particular overloaded methods
+ *
+ * NOTE: the policy only provides success for <i> public void largeMethod( String a, int[] b, String[] c ) </i>
+ * @throws Exception
+ */
+ public void testEJBOverloadedMethodsUnsuccessCase() throws Exception
+ {
+ EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
+
+ PolicyRegistration policyRegistration = new JBossPolicyRegistration();
+ registerPolicy(policyRegistration);
+
+ HashMap<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.POLICY_REGISTRATION, policyRegistration);
+
+ EJBResource er = new EJBResource(map);
+ er.setEjbName("StatelessSession");
+ er.setEjbMethod(StatelessSession.class.getDeclaredMethod( "largeMethod", new Class[] { String.class , int[].class } ));
+
+ er.setPrincipal(p);
+
+ er.setPolicyContextID(contextID);
+ int res = pc.authorize(er, new Subject(), getRoleGroup());
+ assertEquals(AuthorizationContext.DENY, res);
+
+ //Lets try the no-arg method
+ er.setEjbMethod(StatelessSession.class.getDeclaredMethod( "largeMethod", new Class[0] ));
+ res = pc.authorize(er, new Subject(), getRoleGroup());
+ assertEquals(AuthorizationContext.DENY, res);
+ }
+
+ private EJBResource getEJBResource(PolicyRegistration policyRegistration) throws Exception
+ {
+ HashMap<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.POLICY_REGISTRATION, policyRegistration);
+
+ EJBResource er = new EJBResource(map);
+ er.setEjbName("StatelessSession");
+ er.setEjbMethod(StatelessSession.class.getDeclaredMethod( "echo", new Class[0] ));
+ er.setPrincipal(p);
return er;
}
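Review bot: `testEJBOverloadedMethodsSuccessCase` is the only assertion that pins the `largeMethod(String,int[],String[])` action-id format, because the DENY results in `testEJBOverloadedMethodsUnsuccessCase` would also hold if the generated action string simply matched nothing in the policy; a comment on the success test such as `// PERMIT depends on EJBXACMLUtil producing exactly the policy's ActionMatch literal (simple type names, comma-separated, no spaces)` would make that coupling explicit. The `new Class[] { ... }` arrays handed to `getDeclaredMethod` can use the varargs form, e.g. `StatelessSession.class.getDeclaredMethod("largeMethod", String.class, int[].class, String[].class)`, which reads the same as the signature under test.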
@@ -172,8 +232,17 @@
return new SecurityRoleRef(roleName, roleLink);
}
+ /**
+ * A simple POJO whose methods we use reflectively
+ */
public class StatelessSession
{
public void echo(){}
+
+ public void largeMethod(){}
+
+ public void largeMethod( String a, int[] b ) {}
+
+ public void largeMethod( String a, int[] b, String[] c ) {}
}
}
\ No newline at end of file
Modified: trunk/security-jboss-sx/jbosssx/src/test/resources/authorization/xacml/jboss-xacml-ejb-policy.xml
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/resources/authorization/xacml/jboss-xacml-ejb-policy.xml 2010-08-12 15:51:40 UTC (rev 103)
+++ trunk/security-jboss-sx/jbosssx/src/test/resources/authorization/xacml/jboss-xacml-ejb-policy.xml 2010-09-10 20:07:19 UTC (rev 104)
@@ -10,7 +10,8 @@
<Rule RuleId="urn:oasis:names:tc:xacml:2.0:jboss-test:XVI:rule"
Effect="Permit">
<Description>
- scott can create,remove and invoke echo method of StatelessSession EJB when he has a role of ProjectUser
+ scott can create,remove and invoke echo method of StatelessSession EJB when he has a role of ProjectUser.
+ He can invoke "largeMethod" operation with a particular signature only
</Description>
<Target>
<Subjects>
@@ -76,6 +77,16 @@
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
+ <Action>
+ <ActionMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+ DataType="http://www.w3.org/2001/XMLSchema#string">largeMethod(String,int[],String[])</AttributeValue>
+ <ActionAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
+ DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ActionMatch>
+ </Action>
</Actions>
</Target>
</Rule>