KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > objectweb > jonas_web > deployment > api > SecurityConstraintListDesc


1 /**
2  * JOnAS: Java(TM) Open Application Server
3  * Copyright (C) 2004 Bull S.A.
4  * Contact: jonas-team@objectweb.org
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
19  * USA
20  *
21  * Initial developer(s): Florent BENOIT
22  * --------------------------------------------------------------------------
23  * $Id: SecurityConstraintListDesc.java,v 1.2 2004/06/01 11:24:01 benoitf Exp $
24  * --------------------------------------------------------------------------
25  */
26
27 package org.objectweb.jonas_web.deployment.api;
28
29 import java.security.Permission JavaDoc;
30 import java.security.PermissionCollection JavaDoc;
31 import java.security.Permissions JavaDoc;
32 import java.util.ArrayList JavaDoc;
33 import java.util.Collections JavaDoc;
34 import java.util.Enumeration JavaDoc;
35 import java.util.HashMap JavaDoc;
36 import java.util.Iterator JavaDoc;
37 import java.util.List JavaDoc;
38 import java.util.Map JavaDoc;
39
40 import org.objectweb.util.monolog.api.BasicLevel;
41 import org.objectweb.util.monolog.api.Logger;
42
43 import org.objectweb.jonas_lib.deployment.xml.SecurityRole;
44
45 import org.objectweb.jonas_web.deployment.xml.AuthConstraint;
46 import org.objectweb.jonas_web.deployment.xml.SecurityConstraint;
47 import org.objectweb.jonas_web.deployment.xml.UserDataConstraint;
48 import org.objectweb.jonas_web.deployment.xml.WebApp;
49 import org.objectweb.jonas_web.deployment.xml.WebResourceCollection;
50
51 import org.objectweb.common.TraceCore;
52
53
54 /**
55  * This class is used to manage security constraint in web applications
56  * useful for JACC implementation as it returns set of JACC permissions
57  * @author Florent Benoit
58  */
59 public class SecurityConstraintListDesc {
60
61     /**
62      * Default pattern
63      */
64     private static final String JavaDoc DEFAULT_PATTERN = "/";
65
66     /**
67      * SecurityConstraint root element
68      */
69     private WebApp webApp = null;
70
71     /**
72      * Map between pattern and its PatternEntry object
73      */
74     private Map JavaDoc mapPatterns = null;
75
76     /**
77      * Excluded permissions
78      */
79     private PermissionCollection JavaDoc excludedPermissions = null;
80
81     /**
82      * Unchecked permissions
83      */
84     private PermissionCollection JavaDoc uncheckedPermissions = null;
85
86
87     /**
88      * Permissions by role
89      */
90     private Map JavaDoc permissionsByRole = null;
91
92
93     /**
94      * Logger
95      */
96     private static Logger logger = null;
97
98
99     /**
100      * Constructor
101      * @param webApp root element of security constraints
102      */
103     public SecurityConstraintListDesc(WebApp webApp) {
104         this.webApp = webApp;
105
106         // init logger
107 logger = TraceCore.jacc;
108
109         // Init patterns Map
110 mapPatterns = new HashMap JavaDoc();
111
112         // Init permissions
113 excludedPermissions = new Permissions JavaDoc();
114         uncheckedPermissions = new Permissions JavaDoc();
115         permissionsByRole = new HashMap JavaDoc();
116         try {
117             // Transform DD to constraints
118 initConstraints();
119
120             // Qualify the patterns
121 qualifyPatterns();
122
123             // Build JACC permissions
124 buildPermissions();
125         } catch (Exception JavaDoc e) {
126             e.printStackTrace();
127         }
128     }
129
130
131     /**
132      * Initialize the constraints
133      * @see JACC 3.1.3.1 for the rules
134      * Excluding auth-constraint = auth-constraint naming no roles
135      */
136     private void initConstraints() {
137
138         // All defined security-role
139 // Used if role-name = "*" in auth-constraint
140 String JavaDoc[] securityRoles = new String JavaDoc[webApp.getSecurityRoleList().size()];
141         int r = 0;
142         for (Iterator JavaDoc itSecurityRoles = webApp.getSecurityRoleList().iterator(); itSecurityRoles.hasNext(); r++) {
143             securityRoles[r] = ((SecurityRole) itSecurityRoles.next()).getRoleName();
144         }
145
146         SecurityConstraint securityConstraint = null;
147         for (Iterator JavaDoc it = webApp.getSecurityConstraintList().iterator(); it.hasNext();) {
148
149             // Retrieve Security Constraint object if any
150 securityConstraint = (SecurityConstraint) it.next();
151
152             // Get the resource collection list
153 List JavaDoc webResourceCollectionList = securityConstraint.getWebResourceCollectionList();
154
155             // Auth Constraint where role are defined
156 AuthConstraint authConstraint = securityConstraint.getAuthConstraint();
157
158             // User data constraint where role are defined
159 UserDataConstraint userDataConstraint = securityConstraint.getUserDataConstraint();
160
161             // Get roles if any
162 List JavaDoc rolesList = null;
163             boolean hasAuthConstraint = false;
164             boolean isExcludingAuthConstraint = false;
165             if (authConstraint != null) {
166                 rolesList = authConstraint.getRoleNameList();
167                 // Excluding if no roles
168 hasAuthConstraint = true;
169                 isExcludingAuthConstraint = (rolesList.size() == 0);
170             }
171
172
173             // Transport Guarantee
174 String JavaDoc transportGuarantee = null;
175             if (userDataConstraint != null) {
176                 transportGuarantee = userDataConstraint.getTransportGuarantee();
177             }
178
179
180             // Now, build the structure of patterns
181 WebResourceCollection webRC = null;
182
183             // For each web ressource collection
184 for (Iterator JavaDoc itWebRC = webResourceCollectionList.iterator(); itWebRC.hasNext();) {
185                 webRC = (WebResourceCollection) itWebRC.next();
186
187                 // Get the http-method
188 List JavaDoc methodList = webRC.getHttpMethodList();
189
190                 // For each pattern, add the http-method and set the transport guarantee
191 // If it is not an Excluding Auth constraint, add these values to each role
192
193                 // Get all the patterns and build objects
194 String JavaDoc urlPatternString = null;
195                 for (Iterator JavaDoc itPattern = webRC.getUrlPatternList().iterator(); itPattern.hasNext();) {
196                     urlPatternString = (String JavaDoc) itPattern.next();
197
198                     // Get existing if one ?
199 PatternEntry patternEntry = (PatternEntry) mapPatterns.get(urlPatternString);
200                     if (patternEntry == null) {
201                         patternEntry = new PatternEntry(urlPatternString);
202                         mapPatterns.put(urlPatternString, patternEntry);
203                     }
204                     // Add for all or for all specified roles
205 String JavaDoc[] methods = null;
206                     if (methodList.isEmpty()) {
207                         // All the methods are applied
208 methods = MethodsDesc.METHODS;
209                     } else {
210                         methods = (String JavaDoc[]) methodList.toArray(new String JavaDoc[methodList.size()]);
211                     }
212                     if (hasAuthConstraint) {
213                         // Excluded or role based
214 if (isExcludingAuthConstraint) {
215                             patternEntry.addExcludedMethods(methods, transportGuarantee);
216                         } else {
217                             // role based
218 for (Iterator JavaDoc itRole = rolesList.iterator(); itRole.hasNext();) {
219                                 String JavaDoc roleName = (String JavaDoc) itRole.next();
220
221                                 // Add methods to a specific or all existing roles
222 if (roleName.equals("*")) {
223                                     patternEntry.addMethodsOnRoles(methods, securityRoles, transportGuarantee);
224                                 } else {
225                                     patternEntry.addMethodsOnRole(methods, roleName, transportGuarantee);
226                                 }
227                             }
228                         }
229                     } else {
230                         // No auth Constraint --> unchecked
231 patternEntry.addUncheckedMethods(methods, transportGuarantee);
232                     }
233                 }
234             }
235         }
236     }
237
238
239     /**
240      * Qualify patterns
241      * @see JACC 3.1.3.1 subsection Qualified URL Pattern Names
242      */
243     private synchronized void qualifyPatterns() {
244
245         // Add default pattern
246 PatternEntry defaultPatternEntry = (PatternEntry) mapPatterns.get(DEFAULT_PATTERN);
247         if (defaultPatternEntry == null) {
248             defaultPatternEntry = new PatternEntry(DEFAULT_PATTERN);
249             // Last entry to unchecked
250 defaultPatternEntry.setUncheckedLastEntry();
251             mapPatterns.put(DEFAULT_PATTERN, defaultPatternEntry);
252         }
253
254         // For each pattern, qualify this pattern by all patterns
255 PatternEntry patternEntry = null;
256         Pattern otherPattern = null;
257         String JavaDoc patternString = null;
258
259         // Build list of patterns object
260 List JavaDoc patterns = new ArrayList JavaDoc();
261         for (Iterator JavaDoc it = mapPatterns.keySet().iterator(); it.hasNext();) {
262             patternString = (String JavaDoc) it.next();
263             patterns.add(new Pattern(patternString));
264         }
265
266         // Sort elements
267 Collections.sort(patterns);
268
269         Pattern pattern = null;
270         for (Iterator JavaDoc it = mapPatterns.keySet().iterator(); it.hasNext();) {
271             patternString = (String JavaDoc) it.next();
272             pattern = new Pattern(patternString);
273             patternEntry = (PatternEntry) mapPatterns.get(patternString);
274
275             // Loop on all patterns
276 for (Iterator JavaDoc itOther = patterns.iterator(); itOther.hasNext();) {
277                 otherPattern = (Pattern) itOther.next();
278
279                 if (pattern.isPathPrefix() && pattern.isMatching(otherPattern)) {
280                     /* first case (path prefix)
281                        If the pattern is a path prefix pattern, it must be
282                        qualified by every path-prefix pattern in the
283                        deployment descriptor matched by and different from
284                        the pattern being qualified. The pattern must also be
285                        qualified by every exact pattern appearing in the
286                        deployment descriptor that is matched by the pattern being
287                        qualified.
288                     */
289                     if (otherPattern.isPathPrefix() && !pattern.equals(otherPattern)) {
290                         patternEntry.addQualifiedPattern(otherPattern);
291                     } else if (otherPattern.isExactPattern()) {
292                         patternEntry.addQualifiedPattern(otherPattern);
293                     }
294                 } else if (pattern.isExtensionPattern()) {
295                     // Case two : Extension pattern
296 /*
297                       If the pattern is an extension pattern, it must be
298                       qualified by every path-prefix pattern appearing in
299                       the deployment descriptor and every exact pattern in
300                       the deployment descriptor that is matched by the
301                       pattern being qualified.
302                     */
303                     if (otherPattern.isPathPrefix() || (pattern.isMatching(otherPattern) && otherPattern.isExactPattern())) {
304                         patternEntry.addQualifiedPattern(otherPattern);
305                     }
306                 } else if (pattern.isDefaultPattern()) {
307                     // Case three : Default pattern
308 /*
309                       If the pattern is the default pattern, "/", it must
310                       be qualified by every other pattern except the default
311                       pattern appearing in the deployment descriptor.
312                     */
313                     if (!otherPattern.isDefaultPattern()) {
314                         patternEntry.addQualifiedPattern(otherPattern);
315                     }
316                     /*
317                      } else if (pattern.isExactPattern()) {
318                       // case 4 : Exact Pattern
319                       // Nothing : must not contain any qualifying pattern
320                       If the pattern is an exact pattern,
321                       its qualified form must not contain any qualifying
322                       patterns.
323                     */
324                 }
325             }
326         }
327     }
328
329
330     /**
331      * Build permissions
332      * @see JACC 3.1.3.1
333      */
334     private void buildPermissions() {
335
336         PatternEntry patternEntry = null;
337         // For each pattern, build permissions (Exclude default pattern for now)
338 for (Iterator JavaDoc it = mapPatterns.values().iterator(); it.hasNext();) {
339             patternEntry = (PatternEntry) it.next();
340             // No permissions if the pattern is irrelevant
341 if (!patternEntry.isIrrelevant()) {
342                 if (patternEntry.isUncheckedLastEntry()) {
343                     addUncheckedPermissions(patternEntry.getUncheckedPermissions());
344                 } else {
345                     addExcludedPermissions(patternEntry.getExcludedPermissions());
346                     addUncheckedPermissions(patternEntry.getUncheckedPermissions());
347                     addRolePermissions(patternEntry.getRolesPermissionsMap());
348                 }
349             }
350         }
351         if (logger.isLoggable(BasicLevel.DEBUG)) {
352             logger.log(BasicLevel.DEBUG, "Excluded permissions = " + excludedPermissions);
353             logger.log(BasicLevel.DEBUG, "Unchecked permissions = " + uncheckedPermissions);
354             logger.log(BasicLevel.DEBUG, "Roles Permissions = ");
355
356             String JavaDoc roleName = null;
357             for (Iterator JavaDoc it = permissionsByRole.keySet().iterator(); it.hasNext();) {
358                 roleName = (String JavaDoc) it.next();
359                 logger.log(BasicLevel.DEBUG, "Permissions for role " + roleName + " are "
360                            + permissionsByRole.get(roleName));
361             }
362         }
363
364     }
365
366
367     /**
368      * Add Excluded permissions
369      * @param permissions permissions to add. if permissions are null,
370      * no permissions are added.
371      */
372     private void addExcludedPermissions(PermissionCollection JavaDoc permissions) {
373         if (permissions == null) {
374             return;
375         }
376
377         for (Enumeration JavaDoc e = permissions.elements(); e.hasMoreElements();) {
378             excludedPermissions.add((Permission JavaDoc) e.nextElement());
379         }
380     }
381
382     /**
383      * Add Unchecked permissions
384      * @param permissions permissions to add. if permissions are null,
385      * no permissions are added.
386      */
387     private void addUncheckedPermissions(PermissionCollection JavaDoc permissions) {
388         if (permissions == null) {
389             return;
390         }
391
392         for (Enumeration JavaDoc e = permissions.elements(); e.hasMoreElements();) {
393             uncheckedPermissions.add((Permission JavaDoc) e.nextElement());
394         }
395     }
396
397     /**
398      * Add permissions on the roles
399      * @param rolePermissionsMap permissions to add.(Map between role and Permissions)
400      */
401     private void addRolePermissions(Map JavaDoc rolePermissionsMap) {
402         if (rolePermissionsMap == null) {
403             return;
404         }
405
406         // For each role, build permissions on actions found on the role.
407 String JavaDoc roleName = null;
408         PermissionCollection JavaDoc permissions = null;
409         PermissionCollection JavaDoc existingRolePermissions = null;
410         for (Iterator JavaDoc it = rolePermissionsMap.keySet().iterator(); it.hasNext();) {
411             roleName = (String JavaDoc) it.next();
412             permissions = (PermissionCollection JavaDoc) rolePermissionsMap.get(roleName);
413             if (permissions != null) {
414                 existingRolePermissions = (PermissionCollection JavaDoc) permissionsByRole.get(roleName);
415                 if (existingRolePermissions == null) {
416                     existingRolePermissions = new Permissions JavaDoc();
417                     permissionsByRole.put(roleName, existingRolePermissions);
418                 }
419                 for (Enumeration JavaDoc e = permissions.elements(); e.hasMoreElements();) {
420                     existingRolePermissions.add((Permission JavaDoc) e.nextElement());
421                 }
422             }
423         }
424     }
425
426
427     /**
428      * Gets the excluded permissions
429      * @return excluded permissions
430      */
431     public PermissionCollection JavaDoc getExcludedPermissions() {
432         return excludedPermissions;
433     }
434
435
436     /**
437      * Gets the unchecked permissions
438      * @return unchecked permissions
439      */
440     public PermissionCollection JavaDoc getUncheckedPermissions() {
441         return uncheckedPermissions;
442     }
443
444
445     /**
446      * Gets the permissions by role Map
447      * @return a Map containing permissions by role
448      */
449     public Map JavaDoc getPermissionsByRole() {
450         return permissionsByRole;
451     }
452
453 }
454
455
456
457
458
459
Popular Tags