1 22 package org.jboss.web.tomcat.security.authorization.delegates; 23 24 import java.io.IOException ; 25 import java.security.CodeSource ; 26 import java.security.Permission ; 27 import java.security.Policy ; 28 import java.security.Principal ; 29 import java.security.ProtectionDomain ; 30 import java.util.Map ; 31 import java.util.Set ; 32 33 import javax.security.auth.Subject ; 34 import javax.security.jacc.WebResourcePermission ; 35 import javax.security.jacc.WebRoleRefPermission ; 36 import javax.security.jacc.WebUserDataPermission ; 37 import javax.servlet.http.HttpServletRequest ; 38 39 import org.apache.catalina.Context; 40 import org.apache.catalina.connector.Request; 41 import org.apache.catalina.connector.Response; 42 import org.apache.catalina.deploy.SecurityConstraint; 43 import org.jboss.logging.Logger; 44 import org.jboss.security.authorization.AuthorizationContext; 45 import org.jboss.security.authorization.PolicyRegistration; 46 import org.jboss.security.authorization.Resource; 47 import org.jboss.security.authorization.ResourceKeys; 48 import org.jboss.security.authorization.modules.AuthorizationModuleDelegate; 49 import org.jboss.web.tomcat.security.JaccContextValve; 50 51 52 54 61 public class WebJACCPolicyModuleDelegate extends AuthorizationModuleDelegate 62 { 63 private Policy policy = Policy.getPolicy(); 64 65 public WebJACCPolicyModuleDelegate() 66 { 67 log = Logger.getLogger(WebJACCPolicyModuleDelegate.class); 68 trace = log.isTraceEnabled(); 69 } 70 71 74 public int authorize(Resource resource) 75 { 76 Map map = resource.getMap(); 78 if(map == null) 79 throw new IllegalStateException ("Map from the Resource is null"); 80 81 if(map.size() == 0) 82 throw new IllegalStateException ("Map from the Resource is size zero"); 83 Request request = (Request )map.get(ResourceKeys.WEB_REQUEST); 85 Response response = (Response)map.get(ResourceKeys.WEB_RESPONSE); 86 SecurityConstraint[] constraints = (SecurityConstraint[]) 87 map.get(ResourceKeys.WEB_SECURITY_CONSTRAINTS); 88 Context context = (Context)map.get(ResourceKeys.WEB_CONTEXT); 89 Subject callerSubject = (Subject )map.get(ResourceKeys.CALLER_SUBJECT); 91 String roleName = (String )map.get(ResourceKeys.ROLENAME); 92 Principal principal = (Principal )map.get(ResourceKeys.HASROLE_PRINCIPAL); 93 Set roles = (Set )map.get(ResourceKeys.PRINCIPAL_ROLES); 94 String servletName = (String )map.get(ResourceKeys.SERVLET_NAME); 95 Boolean resourceCheck = checkBooleanValue((Boolean )map.get(ResourceKeys.RESOURCE_PERM_CHECK)); 96 Boolean userDataCheck = checkBooleanValue((Boolean )map.get(ResourceKeys.USERDATA_PERM_CHECK)); 97 Boolean roleRefCheck = checkBooleanValue((Boolean )map.get(ResourceKeys.ROLEREF_PERM_CHECK)); 98 99 validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck); 100 101 boolean decision = false; 102 103 try 104 { 105 if(resourceCheck) 106 decision = this.hasResourcePermission(request, response, constraints, context, callerSubject); 107 else 108 if(userDataCheck) 109 decision = this.hasUserDataPermission(request, response, constraints); 110 else 111 if(roleRefCheck) 112 decision = this.hasRole(principal, roleName, roles, servletName); 113 else 114 if(trace) 115 log.trace("Check is not for resourcePerm, userDataPerm or roleRefPerm."); 116 } 117 catch(IOException ioe) 118 { 119 if(trace) 120 log.trace("IOException:",ioe); 121 } 122 return decision ? AuthorizationContext.PERMIT : AuthorizationContext.DENY; 123 } 124 125 128 public void setPolicyRegistrationManager(PolicyRegistration authzM) 129 { 130 this.authzManager = authzM; 131 } 132 133 138 static String requestURI(Request request) 139 { 140 String uri = request.getMappingData().requestPath.getString(); 141 if( uri == null || uri.equals("/") ) 142 { 143 uri = ""; 144 } 145 return uri; 146 } 147 148 161 private boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal, 162 Subject caller) 163 { 164 Principal [] principals = null; 166 if( caller != null ) 167 { 168 if( trace ) 169 log.trace("No active subject found, using "); 170 Set principalsSet = caller.getPrincipals(); 171 principals = new Principal [principalsSet.size()]; 172 principalsSet.toArray(principals); 173 } 174 return checkSecurityAssociation(perm, principals); 175 } 176 177 178 187 private boolean checkSecurityAssociation(Permission perm, Principal [] principals) 188 { 189 CodeSource webCS = (CodeSource ) JaccContextValve.activeCS.get(); 190 ProtectionDomain pd = new ProtectionDomain (webCS, null, null, principals); 191 boolean allowed = policy.implies(pd, perm); 192 if( trace ) 193 { 194 String msg = (allowed ? "Allowed: " : "Denied: ") +perm; 195 log.trace(msg); 196 } 197 return allowed; 198 } 199 200 205 private Boolean checkBooleanValue(Boolean bool) 206 { 207 if(bool == null) 208 return Boolean.FALSE; 209 return bool; 210 } 211 212 213 223 private boolean hasResourcePermission(Request request, Response response, 224 SecurityConstraint[] securityConstraints, Context context, Subject caller) 225 throws IOException 226 { 227 Principal requestPrincipal = request.getPrincipal(); 228 HttpServletRequest httpRequest = request.getRequest(); 229 String uri = requestURI(request); 230 WebResourcePermission perm = new WebResourcePermission (uri, httpRequest.getMethod()); 231 boolean allowed = checkSecurityAssociation(perm, requestPrincipal, caller ); 232 if( trace ) 233 log.trace("hasResourcePermission, perm="+perm+", allowed="+allowed); 234 return allowed; 235 } 236 237 244 private boolean hasRole(Principal principal, String roleName, Set roles, String servletName) 245 { 246 WebRoleRefPermission perm = new WebRoleRefPermission (servletName, roleName); 247 Principal [] principals = {principal}; 248 if( roles != null ) 249 { 250 principals = new Principal [roles.size()]; 251 roles.toArray(principals); 252 } 253 boolean allowed = checkSecurityAssociation(perm, principals); 254 if( trace ) 255 log.trace("hasRole, perm="+perm+", allowed="+allowed); 256 return allowed; 257 } 258 259 270 private boolean hasUserDataPermission(Request request, Response response, 271 SecurityConstraint[] constraints) throws IOException 272 { 273 HttpServletRequest httpRequest = request.getRequest(); 274 String uri = requestURI(request); 275 WebUserDataPermission perm = new WebUserDataPermission (uri, httpRequest.getMethod()); 276 if( trace ) 277 log.trace("hasUserDataPermission, p="+perm); 278 boolean ok = false; 279 try 280 { 281 Principal [] principals = null; 282 ok = checkSecurityAssociation(perm, principals); 283 } 284 catch(Exception e) 285 { 286 if( trace ) 287 log.trace("Failed to checkSecurityAssociation", e); 288 } 289 return ok; 290 } 291 292 299 private void validatePermissionChecks(Boolean resourceCheck, 300 Boolean userDataCheck, Boolean roleRefCheck) 301 { 302 if(trace) 303 log.trace("resourceCheck="+resourceCheck + " : userDataCheck=" + userDataCheck 304 + " : roleRefCheck=" + roleRefCheck); 305 if((resourceCheck == Boolean.TRUE && userDataCheck == Boolean.TRUE && roleRefCheck == Boolean.TRUE ) 306 || (resourceCheck == Boolean.TRUE && userDataCheck == Boolean.TRUE) 307 || (userDataCheck == Boolean.TRUE && roleRefCheck == Boolean.TRUE)) 308 throw new IllegalStateException ("Permission checks must be different"); 309 } 310 } 311 | Popular Tags |