

1 /*
2 * JBoss, Home of Professional Open Source
3 * Copyright 2005, JBoss Inc., and individual contributors as indicated
4 * by the @authors tag. See the copyright.txt in the distribution for a
5 * full listing of individual contributors.
6 *
7 * This is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this software; if not, write to the Free
19 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21 */

22 package org.jboss.jmx.adaptor.html;
23
24 import java.io.IOException JavaDoc;
25 import java.lang.reflect.Method JavaDoc;
26 import java.security.Principal JavaDoc;
27 import java.util.ArrayList JavaDoc;
28 import java.util.Arrays JavaDoc;
29 import java.util.Enumeration JavaDoc;
30 import java.util.Iterator JavaDoc;
31 import java.util.List JavaDoc;
32 import java.util.StringTokenizer JavaDoc;
33
34 import javax.security.auth.Subject JavaDoc;
35 import javax.security.jacc.PolicyContext JavaDoc;
36 import javax.security.jacc.PolicyContextException JavaDoc;
37 import javax.servlet.Filter JavaDoc;
38 import javax.servlet.FilterChain JavaDoc;
39 import javax.servlet.FilterConfig JavaDoc;
40 import javax.servlet.ServletException JavaDoc;
41 import javax.servlet.ServletRequest JavaDoc;
42 import javax.servlet.ServletResponse JavaDoc;
43 import javax.servlet.http.HttpServletResponse JavaDoc;
44
45 import org.jboss.logging.Logger;
46 import org.jboss.security.SimpleGroup;
47
48 //$Id: JMXOpsAccessControlFilter.java 45623 2006-06-12 18:52:14Z asaldhana $
49

50 /**
51  * JBAS-3311: Access Control on JMX Operations in the JMX Console.
52  * Filter that allows Role Based Authorization of the various
53  * JMX Operations. The actions that come as part of the request are:
54  * displayMBeans
55  * inspectMBean
56  * updateAttributes - Operations that update JMX attributes
57  * invokeOp - Operations that involve "invoke"
58  * invokeOpByName
59  * @author <a HREF="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
60  * @since Jun 12, 2006
61  * @version $Revision: 45623 $
62  */

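public class JMXOpsAccessControlFilter implements Filter
{
   // Thread-safety: the container shares one filter instance across all
   // request threads. Every field below is written only in init(); nothing
   // that belongs to a single request (such as the caller's roles) may be
   // stored on the instance, otherwise one caller's roles could be used to
   // authorize another caller's request.
   private static final Logger log = Logger.getLogger(JMXOpsAccessControlFilter.class);
   private final boolean trace = log.isTraceEnabled();
   private static final String ACTION_PARAM = "action";
   private static final String DISPLAY_MBEANS_ACTION = "displayMBeans";
   private static final String INSPECT_MBEAN_ACTION = "inspectMBean";
   private static final String UPDATE_ATTRIBUTES_ACTION = "updateAttributes";
   private static final String INVOKE_OP_ACTION = "invokeOp";
   private static final String INVOKE_OP_BY_NAME_ACTION = "invokeOpByName";

   // Roles allowed to perform each action; null means "no restriction configured".
   private List updateAttributesRoles = null;
   private List invokeOpRoles = null;
   // Rare use case: restricting read-only inspection of an MBean.
   private List inspectMBeanRoles = null;

   // Optional pluggable delegate that takes the authorization decision when
   // deeper access-control use cases arise. It must expose
   //    public Boolean authorize(ServletRequest, ServletResponse, List)
   private Object authorizationDelegate = null;

   /**
    * Reads the role lists and the optional delegate class name from the
    * filter's init parameters ("updateAttributes", "invokeOp", "inspectMBean",
    * "authorizationDelegate").
    *
    * A parameter that is present but unusable (a role list that names no role,
    * a delegate class that cannot be instantiated) aborts initialization.
    * Silently ignoring it would leave the corresponding actions unrestricted,
    * because an absent role list means "allow everyone".
    *
    * @param filterConfig the filter configuration from the deployment descriptor
    * @throws ServletException if a configured parameter cannot be honoured
    * @see Filter#init(javax.servlet.FilterConfig)
    */
   public void init(FilterConfig filterConfig) throws ServletException
   {
      updateAttributesRoles = configuredRoles(filterConfig, "updateAttributes");
      invokeOpRoles = configuredRoles(filterConfig, "invokeOp");
      inspectMBeanRoles = configuredRoles(filterConfig, "inspectMBean");

      // Optional - Authorization Delegate
      String delegateStr = filterConfig.getInitParameter("authorizationDelegate");
      if (delegateStr != null && delegateStr.length() > 0)
      {
         authorizationDelegate = this.instantiate(delegateStr);
         if (authorizationDelegate == null)
            throw new ServletException(
                  "Cannot instantiate authorizationDelegate: " + delegateStr);
      }
   }

   /**
    * Authorizes the request according to its "action" parameter and either
    * forwards it down the chain or answers 403 Forbidden.
    *
    * Only updateAttributes, invokeOp, invokeOpByName and inspectMBean are
    * checked. A missing action is treated as displayMBeans, and displayMBeans
    * as well as any other value passes through unchecked.
    * NOTE(review): the match is exact and case-sensitive; confirm that the
    * servlet behind this filter interprets the parameter the same way and
    * does not act on values this filter lets through.
    *
    * @see Filter#doFilter(javax.servlet.ServletRequest,
    * javax.servlet.ServletResponse, javax.servlet.FilterChain)
    */
   public void doFilter(ServletRequest request, ServletResponse response,
                   FilterChain chain)
   throws IOException, ServletException
   {
      String action = request.getParameter(ACTION_PARAM);
      if (action == null)
         action = DISPLAY_MBEANS_ACTION;

      boolean passThrough = true;
      if (action.equals(UPDATE_ATTRIBUTES_ACTION))
         passThrough = authorize(request, response, updateAttributesRoles);
      else if (action.equals(INVOKE_OP_ACTION) || action.equals(INVOKE_OP_BY_NAME_ACTION))
         passThrough = authorize(request, response, invokeOpRoles);
      else if (action.equals(INSPECT_MBEAN_ACTION))
         passThrough = authorize(request, response, inspectMBeanRoles);

      if (passThrough)
      {
         chain.doFilter(request, response);
         return;
      }

      // A denial can only happen in one of the branches above, so 'action'
      // equals one of the fixed constants here and is safe to write to the log.
      log.warn("Access denied for JMX console action: " + action);
      if (response instanceof HttpServletResponse)
         ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);
   }

   /**
    * @see Filter#destroy()
    */
   public void destroy()
   {
   }

   /**
    * Decides whether the current caller may perform a protected action.
    * If an authorization delegate is plugged in, it alone takes the decision.
    * Otherwise the caller needs at least one of the roles in listToCheck.
    *
    * @param request the current request (handed to the delegate)
    * @param response the current response (handed to the delegate)
    * @param listToCheck roles configured for the action; may be null
    * @return true if the request may proceed; always true when no delegate
    *         is set and no roles are configured for the action
    */
   private boolean authorize(ServletRequest request,
         ServletResponse response, List listToCheck)
   {
      // Check if there is an authorization delegate
      if (authorizationDelegate != null)
         return checkWithDelegate(request, response, listToCheck);

      // No role list configured for this action: the action is unrestricted.
      if (listToCheck == null || listToCheck.isEmpty())
         return true;

      // Resolved per call and kept local so concurrent requests cannot
      // observe each other's roles.
      List callerRoles = getSubjectRoles();
      for (Iterator it = callerRoles.iterator(); it.hasNext();)
      {
         if (listToCheck.contains(it.next()))
            return true;
      }
      return false;
   }

   /**
    * Asks the delegate's authorize(ServletRequest, ServletResponse, List)
    * method, looked up reflectively, for the decision.
    *
    * @return true only if the delegate returned Boolean.TRUE; a missing
    *         method, an exception, a null result or a non-Boolean result
    *         all deny the request
    */
   private boolean checkWithDelegate(ServletRequest request,
         ServletResponse response, List listToCheck)
   {
      Class[] signature = new Class[] {ServletRequest.class, ServletResponse.class,
            List.class};
      try
      {
         Method meth = authorizationDelegate.getClass().getMethod("authorize", signature);
         Object outcome = meth.invoke(authorizationDelegate,
               new Object[] {request, response, listToCheck});
         return Boolean.TRUE.equals(outcome);
      }
      catch (Exception e)
      {
         // Always logged: a broken delegate denies every protected action
         // and must be visible to the operator without trace logging.
         log.error("Error invoking AuthorizationDelegate:", e);
         return false;
      }
   }

   /**
    * Reads one role-list init parameter.
    *
    * @param filterConfig the filter configuration
    * @param paramName name of the init parameter holding the role list
    * @return the parsed roles, or null if the parameter is absent or empty
    * @throws ServletException if the parameter is set but names no role
    */
   private List configuredRoles(FilterConfig filterConfig, String paramName)
   throws ServletException
   {
      String value = filterConfig.getInitParameter(paramName);
      if (value == null || value.length() == 0)
         return null;

      List roles = this.getRoles(value);
      if (roles.isEmpty())
         throw new ServletException(
               "Init parameter '" + paramName + "' is set but names no roles");
      return roles;
   }

   /**
    * Get a list of roles from the string that is comma-delimited.
    * Surrounding whitespace is stripped from every name so that
    * "admin, operator" yields "admin" and "operator"; blank entries are dropped.
    *
    * @param commaSeperatedRoles comma-delimited role names
    * @return the role names in the order given; never null
    */
   private List getRoles(String commaSeperatedRoles)
   {
      List roles = new ArrayList();
      StringTokenizer st = new StringTokenizer(commaSeperatedRoles, ",");
      while (st.hasMoreTokens())
      {
         String role = st.nextToken().trim();
         if (role.length() > 0)
            roles.add(role);
      }
      return roles;
   }

   /**
    * Get a list of roles from the authenticated subject, taken from the
    * members of every SimpleGroup principal named "Roles".
    *
    * @return the caller's role names; empty if there is no subject in the
    *         policy context or it cannot be obtained
    */
   private List getSubjectRoles()
   {
      List roles = new ArrayList();

      String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
      try
      {
         Subject caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
         // No subject in the context: the caller simply holds no roles.
         if (caller != null)
         {
            Iterator iter = caller.getPrincipals().iterator();
            while (iter.hasNext())
            {
               Principal p = (Principal) iter.next();
               if (!(p instanceof SimpleGroup))
                  continue;

               SimpleGroup sg = (SimpleGroup) p;
               if (!"Roles".equals(sg.getName()))
                  continue;

               Enumeration en = sg.members();
               while (en.hasMoreElements())
               {
                  // The role name is the member's toString() value.
                  Object member = en.nextElement();
                  String role = (member == null) ? null : member.toString();
                  if (role != null)
                     roles.add(role);
               }
            }
         }
      }
      catch (PolicyContextException e)
      {
         if (trace)
            log.trace("Error obtaining authenticated subject:", e);
      }
      if (trace)
         log.trace("Subject Roles=" + roles);
      return roles;
   }

   /**
    * Instantiate the Authorization Delegate through its no-argument
    * constructor, using the thread context class loader.
    *
    * The class name decides which code takes authorization decisions, so it
    * must come only from the deployment descriptor, never from request data.
    *
    * @param delegateStr fully qualified class name of the delegate
    * @return the new instance, or null if the class cannot be loaded or
    *         instantiated (the failure is logged)
    */
   public Object instantiate(String delegateStr)
   {
      ClassLoader cl = Thread.currentThread().getContextClassLoader();
      try
      {
         Class clazz = cl.loadClass(delegateStr);
         return clazz.newInstance();
      }
      catch (Exception e)
      {
         // Always logged so that a mistyped class name is not silently ignored.
         log.error("Error instantiating AuthorizationDelegate:", e);
         return null;
      }
   }
}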