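package org.jboss.jmx.adaptor.html;

import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;

import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.jboss.logging.Logger;
import org.jboss.security.SimpleGroup;

/**
 * Servlet filter that gates the inspection and state-changing actions of the
 * JMX HTML adaptor behind role membership.
 *
 * <p>The {@code action} request parameter selects the check that is applied:
 * <ul>
 *   <li>{@code updateAttributes} &ndash; caller needs one of the roles in the
 *       {@code updateAttributes} init-param</li>
 *   <li>{@code invokeOp} / {@code invokeOpByName} &ndash; one of the
 *       {@code invokeOp} roles</li>
 *   <li>{@code inspectMBean} &ndash; one of the {@code inspectMBean} roles</li>
 * </ul>
 * A missing action is treated as {@code displayMBeans}; that and every other
 * action value are passed through without a check.  An action whose role
 * init-param is absent or empty is <em>unrestricted</em>, so a deployer who
 * wants the console locked down must configure all three parameters.
 *
 * <p>The caller's roles are read from the {@code "Roles"} group of the JACC
 * container {@link Subject}.  This filter performs no authentication itself:
 * if no Subject is published the caller has no roles and every restricted
 * action is refused with 403.
 *
 * <p>Optionally an {@code authorizationDelegate} init-param names a class
 * exposing {@code public Boolean authorize(ServletRequest, ServletResponse, List)};
 * when present it replaces the role comparison entirely, and a delegate that
 * cannot be loaded fails deployment rather than silently widening access.
 *
 * <p>Thread-safety: one filter instance serves every request thread.  The
 * fields assigned in {@link #init} are not modified afterwards and all
 * per-request state (notably the caller's roles) lives in locals.
 */
public class JMXOpsAccessControlFilter implements Filter
{
   private static final Logger log = Logger.getLogger(JMXOpsAccessControlFilter.class);
   private static final String ACTION_PARAM = "action";
   private static final String DISPLAY_MBEANS_ACTION = "displayMBeans";
   private static final String INSPECT_MBEAN_ACTION = "inspectMBean";
   private static final String UPDATE_ATTRIBUTES_ACTION = "updateAttributes";
   private static final String INVOKE_OP_ACTION = "invokeOp";
   private static final String INVOKE_OP_BY_NAME_ACTION = "invokeOpByName";
   /** JACC policy-context key under which the container publishes the caller's Subject. */
   private static final String SUBJECT_CONTEXT_KEY = "javax.security.auth.Subject.container";
   /** Name of the principal group that carries the caller's roles. */
   private static final String ROLES_GROUP = "Roles";

   private final boolean trace = log.isTraceEnabled();

   /** Roles allowed to run updateAttributes; null or empty means unrestricted. */
   private List updateAttributesRoles = null;
   /** Roles allowed to run invokeOp / invokeOpByName; null or empty means unrestricted. */
   private List invokeOpRoles = null;
   /** Roles allowed to run inspectMBean; null or empty means unrestricted. */
   private List invokeMBeanRoles = null;
   /** Optional delegate that replaces the built-in role check; null when not configured. */
   private Object authorizationDelegate = null;

   /**
    * Read the role lists and the optional delegate from the filter init-params.
    *
    * @param filterConfig source of the {@code updateAttributes}, {@code invokeOp},
    *        {@code inspectMBean} and {@code authorizationDelegate} init-params
    * @throws ServletException if an {@code authorizationDelegate} is named but
    *         cannot be instantiated
    */
   public void init(FilterConfig filterConfig) throws ServletException
   {
      updateAttributesRoles = parseRoleParam(filterConfig, "updateAttributes");
      invokeOpRoles = parseRoleParam(filterConfig, "invokeOp");
      invokeMBeanRoles = parseRoleParam(filterConfig, "inspectMBean");

      String delegateStr = filterConfig.getInitParameter("authorizationDelegate");
      if (delegateStr != null && delegateStr.length() > 0)
      {
         authorizationDelegate = instantiate(delegateStr);
         // The deployer asked for a delegate; falling back to the plain role
         // lists (possibly none at all) would grant more than was configured,
         // so refuse to deploy instead of continuing with weaker checks.
         if (authorizationDelegate == null)
            throw new ServletException("Unable to instantiate authorizationDelegate '" + delegateStr + "'");
      }
   }

   /** Parse one comma-separated role init-param; null when absent or empty. */
   private List parseRoleParam(FilterConfig filterConfig, String paramName)
   {
      String value = filterConfig.getInitParameter(paramName);
      if (value == null || value.length() == 0)
         return null;
      return getRoles(value);
   }

   /**
    * Authorize the requested action and either continue the chain or answer 403.
    *
    * @param request the request; its {@code action} parameter selects the check
    * @param response cast to {@link HttpServletResponse} to set the 403 status
    * @param chain invoked only when the action is allowed
    */
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException
   {
      // Per-request data: kept in a local so concurrent callers can never
      // observe each other's roles through a shared field.
      List subjectRoles = getSubjectRoles();

      String action = request.getParameter(ACTION_PARAM);
      if (action == null)
         action = DISPLAY_MBEANS_ACTION;

      boolean passThrough = true;
      if (action.equals(UPDATE_ATTRIBUTES_ACTION))
         passThrough = authorize(request, response, updateAttributesRoles, subjectRoles);
      else if (action.equals(INVOKE_OP_ACTION) || action.equals(INVOKE_OP_BY_NAME_ACTION))
         passThrough = authorize(request, response, invokeOpRoles, subjectRoles);
      else if (action.equals(INSPECT_MBEAN_ACTION))
         passThrough = authorize(request, response, invokeMBeanRoles, subjectRoles);
      // Any other action value (including displayMBeans) is not gated here.

      if (!passThrough)
      {
         if (trace)
            log.trace("Denied action '" + action + "' for roles " + subjectRoles);
         ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);
         return;
      }
      chain.doFilter(request, response);
   }

   public void destroy()
   {
   }

   /**
    * Decide whether the caller may run an action.
    *
    * @param request passed through to the delegate, if one is configured
    * @param response passed through to the delegate, if one is configured
    * @param listToCheck roles permitted for the action; null or empty means
    *        the action is unrestricted
    * @param subjectRoles roles held by the caller
    * @return true when a delegate approves, when no roles are configured for
    *         the action, or when the caller holds at least one permitted role
    */
   private boolean authorize(ServletRequest request, ServletResponse response,
                             List listToCheck, List subjectRoles)
   {
      if (authorizationDelegate != null)
         return checkWithDelegate(request, response, listToCheck);

      // No role list configured for this action: the action is unrestricted.
      if (listToCheck == null || listToCheck.isEmpty())
         return true;

      for (Iterator it = subjectRoles.iterator(); it.hasNext();)
      {
         if (listToCheck.contains(it.next()))
            return true;
      }
      return false;
   }

   /**
    * Ask the configured delegate via reflection; any failure is a denial.
    *
    * @return the delegate's answer, or false if the method is missing, throws,
    *         or returns null
    */
   private boolean checkWithDelegate(ServletRequest request, ServletResponse response,
                                     List listToCheck)
   {
      Class[] args = new Class[] {ServletRequest.class, ServletResponse.class, List.class};
      try
      {
         Method meth = authorizationDelegate.getClass().getMethod("authorize", args);
         Boolean result = (Boolean) meth.invoke(authorizationDelegate,
               new Object[] {request, response, listToCheck});
         // A null answer is a denial, not an NPE turned into a 500.
         return result != null && result.booleanValue();
      }
      catch (Exception e)
      {
         // Fail closed, and report it at a level that is on by default.
         log.error("Error invoking AuthorizationDelegate, denying request:", e);
         return false;
      }
   }

   /**
    * Split a comma-separated role list into trimmed, non-empty role names.
    *
    * @param commaSeparatedRoles e.g. {@code "JBossAdmin, Operator"}
    * @return an unmodifiable list of role names, possibly empty
    */
   private List getRoles(String commaSeparatedRoles)
   {
      List roles = new ArrayList();
      StringTokenizer st = new StringTokenizer(commaSeparatedRoles, ",");
      while (st.hasMoreTokens())
      {
         // Trim so that "admin, operator" configures "operator" rather than
         // " operator", which could never match a principal and would
         // silently lock the action for that role.
         String role = st.nextToken().trim();
         if (role.length() > 0)
            roles.add(role);
      }
      return Collections.unmodifiableList(roles);
   }

   /**
    * Collect the caller's role names from the "Roles" group of the JACC
    * container Subject.
    *
    * @return the role names; empty when there is no Subject, no "Roles"
    *         group, or the policy context cannot be read
    */
   private List getSubjectRoles()
   {
      List roles = new ArrayList();
      try
      {
         Subject caller = (Subject) PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
         if (caller == null)
         {
            // No authenticated Subject for this request.  Returning no roles
            // makes every restricted action answer 403 instead of the NPE
            // (and 500) a bare dereference would produce.
            if (trace)
               log.trace("No container Subject in PolicyContext; caller has no roles");
            return roles;
         }
         for (Iterator iter = caller.getPrincipals().iterator(); iter.hasNext();)
         {
            Principal p = (Principal) iter.next();
            if (!(p instanceof SimpleGroup) || !ROLES_GROUP.equals(p.getName()))
               continue;
            for (Enumeration en = ((SimpleGroup) p).members(); en.hasMoreElements();)
            {
               Object member = en.nextElement();
               if (member != null)
                  roles.add(member.toString());
            }
         }
      }
      catch (PolicyContextException e)
      {
         // Caller ends up with no roles (fail closed); make the cause visible.
         log.warn("Error obtaining authenticated subject, treating caller as having no roles:", e);
      }
      if (trace)
         log.trace("Subject Roles=" + roles);
      return roles;
   }

   /**
    * Load and instantiate the delegate class through the context class loader.
    * The class name comes only from the filter's init-params (deployer
    * controlled), never from a request.
    *
    * @param delegateStr fully qualified class name with a public no-arg constructor
    * @return the new instance, or null if loading or construction failed
    */
   public Object instantiate(String delegateStr)
   {
      ClassLoader cl = Thread.currentThread().getContextClassLoader();
      try
      {
         return cl.loadClass(delegateStr).newInstance();
      }
      catch (Exception e)
      {
         log.error("Error instantiating AuthorizationDelegate '" + delegateStr + "':", e);
         return null;
      }
   }
}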