Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
  /*
   * JBoss, Home of Professional Open Source
   * Copyright 2005, JBoss Inc., and individual contributors as indicated
   * by the @authors tag. See the copyright.txt in the distribution for a
   * full listing of individual contributors.
   *
   * This is free software; you can redistribute it and/or modify it
   * under the terms of the GNU Lesser General Public License as
   * published by the Free Software Foundation; either version 2.1 of
  * the License, or (at your option) any later version.
  *
  * This software is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this software; if not, write to the Free
  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  */
 package org.jboss.security.authorization.modules.web;
 
 import java.util.Map;
 import java.util.Set;
 
 
 
 
 //$Id: WebJACCPolicyModuleDelegate.java 62923 2007-05-09 03:08:14Z anil.saldhana@jboss.com $
 
JACC based authorization module helper that deals with the web layer authorization decisions

Author(s):
Anil Saldhana
Version:
$Revision: 62923 $
Since:
July 7, 2006
 
 {   
    private Policy policy = Policy.getPolicy(); 
    private HttpServletRequest request = null;
    private CodeSource webCS = null;
    
    private String canonicalRequestURI = null
 
    {  
        = Logger.getLogger(WebJACCPolicyModuleDelegate.class);
        = .isTraceEnabled();
    }

   
 
    @SuppressWarnings("unchecked")
    public int authorize(Resource resourceSubject callerSubjectRoleGroup role)
    {
       if(resource instanceof WebResource == false)
          throw new IllegalArgumentException("resource is not a WebResource");
       
       WebResource webResource = (WebResourceresource;
       
       //Get the context map
       Map<String,Objectmap = resource.getMap();
       if(map == null)
          throw new IllegalStateException("Map from the Resource is null"); 
       
       //Get the Request Object
        = (HttpServletRequestwebResource.getServletRequest();
       
        = webResource.getCodeSource();
       this. = webResource.getCanonicalRequestURI();      
 
       String roleName = (String)map.get(.);
       Principal principal = (Principal)map.get(.);
       Set<Principalroles = (Set<Principal>)map.get(.); 
       String servletName = webResource.getServletName();
      Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(.)); 
      
      validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck);
      
      boolean decision = false;
      
      try
      {
         if(resourceCheck)
            decision = this.hasResourcePermission(callerSubjectrole);
         else
         if(userDataCheck)
           decision = this.hasUserDataPermission();
         else
         if(roleRefCheck)
            decision = this.hasRole(principalroleNamerolesservletName);
         else
            if()
              .trace("Check is not for resourcePerm, userDataPerm or roleRefPerm.");
      }
      catch(IOException ioe)
      {
         if()
            .trace("IOException:",ioe);
      } 
      return decision ? . : .;
   }

   
   { 
     this. = authzM;
   }     
   //****************************************************************************
   //  PRIVATE METHODS
   //****************************************************************************
   
See if the given JACC permission is implied using the caller as obtained from either the PolicyContext.getContext(javax.security.auth.Subject.container) or the info associated with the requestPrincipal.

Parameters:
perm - the JACC permission to check
requestPrincpal - the http request getPrincipal
caller the authenticated subject obtained by establishSubjectContext
Returns:
true if the permission is allowed, false otherwise
 
   private boolean checkPolicy(Permission permPrincipal requestPrincpal,
         Subject callerRole role)
   {  
      // Get the caller principals, its null if there is no caller
      Principal[] principals = getPrincipals(caller,role); 
      
      return checkPolicy(permprincipals);
   }
   
   
   
See if the given permission is implied by the Policy. This calls Policy.implies(pd, perm) with the ProtectionDomain built from the active CodeSource set by the JaccContextValve, and the given principals.

Parameters:
perm - the JACC permission to evaluate
principals - the possibly null set of principals for the caller
Returns:
true if the permission is allowed, false otherwise
 
   private boolean checkPolicy(Permission permPrincipal[] principals)
   { 
      ProtectionDomain pd = new ProtectionDomain(nullnullprincipals);
      boolean allowed = .implies(pdperm);
      if )
      {
         String msg = (allowed ? "Allowed: " : "Denied: ") +perm;
         .trace(msg);
      }
      return allowed;
   } 
   
   
Ensure that the bool is a valid value

Parameters:
bool
Returns:
bool or Boolean.FALSE (when bool is null)
   private Boolean checkBooleanValue(Boolean bool)
   {
      if(bool == null)
         return .;
      return bool;
   } 

   
   
Perform hasResourcePermission Check

Parameters:
request
response
securityConstraints
context
caller
Returns:
Throws:
java.io.IOException
   private boolean hasResourcePermission(Subject callerRole  role)
   throws IOException
   { 
      Principal requestPrincipal = .getUserPrincipal(); 
                                                     .getMethod());
      boolean allowed = checkPolicy(permrequestPrincipalcallerrole );
      if )
         .trace("hasResourcePermission, perm="+perm+", allowed="+allowed); 
      return allowed;
   }

   
Perform hasRole check

Parameters:
principal
role
roles
Returns:
   private boolean hasRole(Principal principalString roleName
         Set<PrincipalrolesString servletName)
   { 
      if(servletName == null)
         throw new IllegalArgumentException("servletName is null");
      
      WebRoleRefPermission perm = new WebRoleRefPermission(servletNameroleName);
      Principal[] principals = {principal}; 
      ifroles != null )
      {
         principals = new Principal[roles.size()];
         roles.toArray(principals);
      }
      boolean allowed = checkPolicy(permprincipals);
      if )
         .trace("hasRole, perm="+perm+", allowed="+allowed);
      return allowed;
   }

   
Perform hasUserDataPermission check for the realm. If this module returns false, the base class (Realm) will make the decision as to whether a redirection to the ssl port needs to be done

Parameters:
request
response
constraints
Returns:
Throws:
java.io.IOException
   private boolean hasUserDataPermission() throws IOException
   { 
                                               .getMethod());
      if )
         .trace("hasUserDataPermission, p="+perm);
      boolean ok = false;
      try
      {
         Principal[] principals = null;
         ok = checkPolicy(permprincipals);
      }
      catch(Exception e)
      {
         if )
            .trace("Failed to checkSecurityAssociation"e);
      } 
      return ok;
   }

   
Validate that the access check is made only for one of the following

Parameters:
resourceCheck
userDataCheck
roleRefCheck
   private void validatePermissionChecks(Boolean resourceCheck,
         Boolean userDataCheckBoolean roleRefCheck)
   {
      if()
         .trace("resourceCheck="+resourceCheck + " : userDataCheck=" + userDataCheck
               + " : roleRefCheck=" + roleRefCheck); 
      if((resourceCheck == . && userDataCheck == . && roleRefCheck == . ) 
           || (resourceCheck == . && userDataCheck == .
           || (userDataCheck == . && roleRefCheck == .))
         throw new IllegalStateException("Permission checks must be different"); 
   }
New to GrepCode? Check out our FAQ X