org.ow2.jonas.web.base.lib
Class PermissionManager

java.lang.Object
  extended by org.ow2.jonas.lib.security.AbsPermissionManager
      extended by org.ow2.jonas.web.base.lib.PermissionManager

public class PermissionManager
extends AbsPermissionManager

Defines a PermissionManager class which will manage JACC permissions for a web-app.

Author:
Florent Benoit, S. Ali Tokmen

Constructor Summary
PermissionManager(WebContainerDeploymentDesc webContainerDeploymentDesc, String contextId, boolean remove)
          Default Constructor.
 
Method Summary
 boolean checkWebResourcePermission(HttpServletRequest request, String principalName, String[] roles)
          Check the security for a given HttpServletRequest.
 boolean checkWebRoleRefPermission(HttpServletRequest request, String servletName, String principalName, String[] roles, String roleName)
          Check the security for a given HttpServletRequest.
 boolean checkWebUserDataPermission(HttpServletRequest request, String principalName, String[] roles)
          Check the security for a given HttpServletRequest.
protected  void resetDeploymentDesc()
          Reset Deployment Descriptor.
protected  void translateSecurityConstraintElements()
          3.1.3.1 Translating security-constraint elements: The paragraphs of this section describe the translation of security-constraints into WebResourcePermission and WebUserDataPermission objects constructed using qualified URL pattern names.
 void translateServletDeploymentDescriptor()
          3.1.3 Translating Servlet Deployment Descriptors: A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container.
protected  void translateServletSecurityRoleRef()
          3.1.3.2 Translating Servlet security-role-ref Elements: For each security-role-ref appearing in the deployment descriptor a corresponding WebRoleRefPermission must be added to the corresponding role.
 
Methods inherited from class org.ow2.jonas.lib.security.AbsPermissionManager
commit, delete, getContextId, getPolicy, getPolicyConfiguration, setContextId, setPolicy, setPolicyConfiguration
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PermissionManager

public PermissionManager(WebContainerDeploymentDesc webContainerDeploymentDesc,
                         String contextId,
                         boolean remove)
                  throws PermissionManagerException
Default Constructor.

Parameters:
webContainerDeploymentDesc - EJB deployment Descriptor
contextId - context ID used for PolicyContext
remove - remove the policy context when creating a new one.
Throws:
PermissionManagerException - if permissions can't be set
Method Detail

translateServletDeploymentDescriptor

public void translateServletDeploymentDescriptor()
                                          throws PermissionManagerException
3.1.3 Translating Servlet Deployment Descriptors: A reference to a PolicyConfiguration object must be obtained by calling the getPolicyConfiguration method on the PolicyConfigurationFactory implementation class of the provider configured into the container. The policy context identifier used in the call to the getPolicyConfiguration method must be a String composed as described in Section 3.1.2, Servlet Policy Context Identifiers, on page 19. The value true must be passed as the second parameter in the call to getPolicyConfiguration to ensure that any and all policy statements are removed from the policy context associated with the returned PolicyConfiguration. The security-constraint and security-role-ref elements in the deployment descriptor must be translated into permissions and added to the PolicyConfiguration object as defined in the following sections.

Throws:
PermissionManagerException - if permissions can't be set

translateSecurityConstraintElements

protected void translateSecurityConstraintElements()
                                            throws PermissionManagerException
3.1.3.1 Translating security-constraint elements: The paragraphs of this section describe the translation of security-constraints into WebResourcePermission and WebUserDataPermission objects constructed using qualified URL pattern names. In the exceptional case, as defined in Qualified URL Pattern Names, where a pattern is made irrelevant by a qualifying pattern, the permission instantiations that would result from the translation of the pattern, as described below, must not be performed. Otherwise, the translation of URL patterns in security constraints must yield an equivalent translation to the translation that would result from following the instructions in the remainder of this section. [...]

Throws:
PermissionManagerException - if permissions can't be set

translateServletSecurityRoleRef

protected void translateServletSecurityRoleRef()
                                        throws PermissionManagerException
3.1.3.2 Translating Servlet security-role-ref Elements: For each security-role-ref appearing in the deployment descriptor a corresponding WebRoleRefPermission must be added to the corresponding role. The name of the WebRoleRefPermission must be the servlet-name in whose context the security-role-ref is defined. The actions of the WebRoleRefPermission must be the value of the role-name (that is, the reference) appearing in the security-role-ref. The deployment tools must call the addToRole method on the PolicyConfiguration object to add the WebRoleRefPermission object resulting from the translation to the role identified in the role-link appearing in the security-role-ref. Additional WebRoleRefPermission objects must be added to the PolicyConfiguration as follows. For each servlet element in the deployment descriptor a WebRoleRefPermission must be added to each security-role whose name does not appear as the role-name in a security-role-ref within the servlet element. The name of each such WebRoleRefPermission must be the servlet-name of the corresponding servlet element. The actions (that is, reference) of each such WebRoleRefPermission must be the corresponding (non-appearing) role-name. The resulting permissions must be added to the corresponding roles by calling the addToRole method on the PolicyConfiguration object.

Throws:
PermissionManagerException - if permissions can't be set
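
The security-role-ref translation rule above, worked through as an added example (not JOnAS code). The class, method and servlet names are hypothetical, and each returned string stands in for one `addToRole(role, new WebRoleRefPermission(servletName, reference))` call so the example runs without a container.

```java
import java.util.*;

// Added example: models the JACC 3.1.3.2 rule with plain collections.
// All names below are hypothetical and not part of the JOnAS API.
public class RoleRefTranslationDemo {

    // One grant: role `role` receives WebRoleRefPermission(servletName, reference).
    static String grant(String role, String servletName, String reference) {
        return role + " <- WebRoleRefPermission(\"" + servletName + "\", \"" + reference + "\")";
    }

    // securityRoles: role names declared in security-role elements
    // roleRefs: servlet-name -> (role-name reference -> role-link)
    static List<String> translate(Set<String> securityRoles,
                                  Map<String, Map<String, String>> roleRefs) {
        List<String> grants = new ArrayList<>();
        for (Map.Entry<String, Map<String, String>> servlet : roleRefs.entrySet()) {
            String servletName = servlet.getKey();
            Map<String, String> refs = servlet.getValue();
            // Explicit refs: name = servlet-name, actions = role-name, added to role-link.
            for (Map.Entry<String, String> ref : refs.entrySet()) {
                grants.add(grant(ref.getValue(), servletName, ref.getKey()));
            }
            // Implicit refs: every declared role that is not used as a role-name
            // reference inside this servlet element is mapped to itself.
            for (String role : securityRoles) {
                if (!refs.containsKey(role)) {
                    grants.add(grant(role, servletName, role));
                }
            }
        }
        return grants;
    }

    public static void main(String[] args) {
        // Constructed descriptor: roles "admin" and "user"; ReportServlet declares
        // a security-role-ref with role-name "admin" and role-link "user".
        Set<String> roles = new LinkedHashSet<>(Arrays.asList("admin", "user"));
        Map<String, Map<String, String>> roleRefs = new LinkedHashMap<>();
        Map<String, String> reportRefs = new LinkedHashMap<>();
        reportRefs.put("admin", "user");
        roleRefs.put("ReportServlet", reportRefs);
        roleRefs.put("PlainServlet", new LinkedHashMap<>());

        translate(roles, roleRefs).forEach(System.out::println);
    }
}
```

In the constructed descriptor the reference `admin` in ReportServlet is linked to `user`, so the declared `admin` role receives no permission for that servlet while `user` receives both references. A role-ref whose role-name matches a declared security-role is therefore worth checking when reviewing a descriptor.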

checkWebUserDataPermission

public boolean checkWebUserDataPermission(HttpServletRequest request,
                                          String principalName,
                                          String[] roles)
Check the security for a given HttpServletRequest.

Parameters:
request - the http servlet request
principalName - name of the principal
roles - array of roles for this permission
Returns:
true if the permission is granted, else false

checkWebResourcePermission

public boolean checkWebResourcePermission(HttpServletRequest request,
                                          String principalName,
                                          String[] roles)
Check the security for a given HttpServletRequest.

Parameters:
request - the http servlet request
principalName - name of the principal
roles - array of roles for this permission
Returns:
true if the permission is granted, else false

checkWebRoleRefPermission

public boolean checkWebRoleRefPermission(HttpServletRequest request,
                                         String servletName,
                                         String principalName,
                                         String[] roles,
                                         String roleName)
Check the security for a given HttpServletRequest.

Parameters:
request - the http servlet request
servletName - Name of the servlet
principalName - name of the principal
roles - array of roles for this permission
roleName - name of the role
Returns:
true if the permission is granted, else false

resetDeploymentDesc

protected void resetDeploymentDesc()
Reset Deployment Descriptor.

Specified by:
resetDeploymentDesc in class AbsPermissionManager


Copyright © 2010 OW2 Consortium. All Rights Reserved.