00001
00027 package org.objectweb.jonas.web.lib;
00028
00029 import java.net.MalformedURLException;
00030 import java.net.URI;
00031 import java.net.URISyntaxException;
00032 import java.net.URL;
00033 import java.security.CodeSource;
00034 import java.security.Permission;
00035 import java.security.PermissionCollection;
00036 import java.security.Principal;
00037 import java.security.ProtectionDomain;
00038 import java.security.cert.Certificate;
00039 import java.util.ArrayList;
00040 import java.util.Collection;
00041 import java.util.Iterator;
00042 import java.util.List;
00043 import java.util.Map;
00044
00045 import javax.security.jacc.PolicyContext;
00046 import javax.security.jacc.PolicyContextException;
00047 import javax.security.jacc.WebResourcePermission;
00048 import javax.security.jacc.WebRoleRefPermission;
00049 import javax.security.jacc.WebUserDataPermission;
00050 import javax.servlet.http.HttpServletRequest;
00051
00052 import org.objectweb.jonas.common.Log;
00053 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerCurrent;
00054 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerData;
00055 import org.objectweb.jonas.security.jacc.JPolicyUserRoleMapping;
00056
00057 import org.objectweb.jonas_lib.deployment.api.SecurityRoleRefDesc;
00058 import org.objectweb.jonas_lib.security.AbsPermissionManager;
00059 import org.objectweb.jonas_lib.security.PermissionManagerException;
00060 import org.objectweb.jonas_web.deployment.api.SecurityConstraintListDesc;
00061 import org.objectweb.jonas_web.deployment.api.SecurityRoleDesc;
00062 import org.objectweb.jonas_web.deployment.api.ServletDesc;
00063 import org.objectweb.jonas_web.deployment.api.WebContainerDeploymentDesc;
00064 import org.objectweb.util.monolog.api.BasicLevel;
00065 import org.objectweb.util.monolog.api.Logger;
00066
00072 public class PermissionManager extends AbsPermissionManager {
00073
00077 private static Logger logger = null;
00078
00082 private WebContainerDeploymentDesc webContainerDeploymentDesc = null;
00083
00090 public PermissionManager(WebContainerDeploymentDesc webContainerDeploymentDesc, String contextId)
00091 throws PermissionManagerException {
00092 super(contextId);
00093 this.webContainerDeploymentDesc = webContainerDeploymentDesc;
00094 logger = Log.getLogger(Log.JONAS_WEB_PREFIX);
00095 }
00096
00113 public void translateServletDeploymentDescriptor() throws PermissionManagerException {
00114 translateSecurityConstraintElements();
00115 translateServletSecurityRoleRef();
00116 }
00117
00132 protected void translateSecurityConstraintElements() throws PermissionManagerException {
00133 if (webContainerDeploymentDesc == null || getPolicyConfiguration() == null) {
00134 throw new PermissionManagerException("PolicyConfiguration or webContainerbDeploymentDesc is null");
00135 }
00136
00137 SecurityConstraintListDesc securityConstraintListDesc = webContainerDeploymentDesc
00138 .getSecurityConstraintListDesc();
00139 PermissionCollection excludedPermissions = securityConstraintListDesc.getExcludedPermissions();
00140 PermissionCollection uncheckedPermissions = securityConstraintListDesc.getUncheckedPermissions();
00141 PermissionCollection rolePermissions = null;
00142 String roleName = null;
00143 Map roleMapPermissions = securityConstraintListDesc.getPermissionsByRole();
00144
00145 try {
00146 getPolicyConfiguration().addToExcludedPolicy(excludedPermissions);
00147 getPolicyConfiguration().addToUncheckedPolicy(uncheckedPermissions);
00148
00149 for (Iterator rolesIt = roleMapPermissions.keySet().iterator(); rolesIt.hasNext();) {
00150 roleName = (String) rolesIt.next();
00151 rolePermissions = (PermissionCollection) roleMapPermissions.get(roleName);
00152 getPolicyConfiguration().addToRole(roleName, rolePermissions);
00153 }
00154 } catch (PolicyContextException pce) {
00155 throw new PermissionManagerException("Can not add add permissions to policy", pce);
00156 }
00157 }
00158
00182 protected void translateServletSecurityRoleRef() throws PermissionManagerException {
00183 if (webContainerDeploymentDesc == null || getPolicyConfiguration() == null) {
00184 throw new PermissionManagerException("PolicyConfiguration or webContainerbDeploymentDesc is null");
00185 }
00186
00187 Collection servlets = webContainerDeploymentDesc.getServletDescList();
00188
00189
00190 List rolesAppearedInSecurityRoleRef = new ArrayList();
00191
00192
00193
00194
00195
00196
00197
00198
00199
00200 ServletDesc servletDesc = null;
00201 String servletName = null;
00202 List roleRefs = null;
00203 SecurityRoleRefDesc securityRoleRefDesc = null;
00204 for (Iterator itServlet = servlets.iterator(); itServlet.hasNext();) {
00205 servletDesc = (ServletDesc) itServlet.next();
00206 roleRefs = servletDesc.getSecurityRoleRefList();
00207 servletName = servletDesc.getServletName();
00208 for (Iterator itRoleRef = roleRefs.iterator(); itRoleRef.hasNext();) {
00209 securityRoleRefDesc = (SecurityRoleRefDesc) itRoleRef.next();
00210
00211
00212
00213
00214
00215
00216 Permission webRoleRefPermission = securityRoleRefDesc.getWebRoleRefPermission();
00217
00218
00219 rolesAppearedInSecurityRoleRef.add(securityRoleRefDesc.getRoleName());
00220
00221 try {
00222 getPolicyConfiguration().addToRole(securityRoleRefDesc.getRoleLink(), webRoleRefPermission);
00223 } catch (PolicyContextException pce) {
00224 throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00225 + "' to policy", pce);
00226 }
00227 }
00228 }
00229
00230
00231
00232
00233
00234
00235
00236
00237 List securityRoles = webContainerDeploymentDesc.getSecurityRoleList();
00238 SecurityRoleDesc securityRoleDesc = null;
00239 String securityRoleName = null;
00240
00241 for (Iterator itServlet = servlets.iterator(); itServlet.hasNext();) {
00242 servletDesc = (ServletDesc) itServlet.next();
00243 servletName = servletDesc.getServletName();
00244
00245 for (Iterator itSecurityRoles = securityRoles.iterator(); itSecurityRoles.hasNext();) {
00246 securityRoleDesc = (SecurityRoleDesc) itSecurityRoles.next();
00247 securityRoleName = securityRoleDesc.getRoleName();
00248
00249
00250
00251 if (!rolesAppearedInSecurityRoleRef.contains(securityRoleName)) {
00252
00253
00254
00255
00256
00257
00258
00259
00260
00261
00262 Permission webRoleRefPermission = new WebRoleRefPermission(servletName, securityRoleName);
00263 try {
00264 getPolicyConfiguration().addToRole(securityRoleName, webRoleRefPermission);
00265 } catch (PolicyContextException pce) {
00266 throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00267 + "' to policy", pce);
00268 }
00269 }
00270 }
00271 }
00272
00277 securityRoles = webContainerDeploymentDesc.getSecurityRoleList();
00278 for (Iterator itSecurityRoles = securityRoles.iterator(); itSecurityRoles.hasNext();) {
00279 securityRoleDesc = (SecurityRoleDesc) itSecurityRoles.next();
00280 securityRoleName = securityRoleDesc.getRoleName();
00285 Permission webRoleRefPermission = new WebRoleRefPermission("", securityRoleName);
00286 try {
00287 getPolicyConfiguration().addToRole(securityRoleName, webRoleRefPermission);
00288 } catch (PolicyContextException pce) {
00289 throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00290 + "' to policy", pce);
00291 }
00292 }
00293 }
00294
00302 public boolean checkWebUserDataPermission(HttpServletRequest request, String principalName, String[] roles) {
00303
00304 try {
00305 ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00306
00307
00308
00309
00310 WebUserDataPermission webUserDataPermission = new WebUserDataPermission(request);
00311 boolean accessOK = getPolicy().implies(protectionDomain, webUserDataPermission);
00312
00313 if (logger.isLoggable(BasicLevel.DEBUG)) {
00314 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00315 }
00316 return accessOK;
00317
00318 } catch (Exception e) {
00319 logger.log(BasicLevel.ERROR, "Can't check web user data permission :" + e.getMessage());
00320 return false;
00321 }
00322
00323 }
00324
00332 public boolean checkWebResourcePermission(HttpServletRequest request, String principalName, String[] roles) {
00333 try {
00334 ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00335
00336
00337
00338
00339 WebResourcePermission webResourcePermission = new WebResourcePermission(request);
00340 boolean accessOK = getPolicy().implies(protectionDomain, webResourcePermission);
00341 if (logger.isLoggable(BasicLevel.DEBUG)) {
00342 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00343 }
00344 return accessOK;
00345
00346 } catch (Exception e) {
00347 logger.log(BasicLevel.ERROR, "Can't check web resource permission :" + e.getMessage());
00348 return false;
00349 }
00350
00351 }
00352
00362 public boolean checkWebRoleRefPermission(HttpServletRequest request, String servletName, String principalName, String[] roles,
00363 String roleName) {
00364 try {
00365
00366 ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00367
00368
00369
00370
00371 WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission(servletName, roleName);
00372 boolean accessOK = getPolicy().implies(protectionDomain, webRoleRefPermission);
00373 if (logger.isLoggable(BasicLevel.DEBUG)) {
00374 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00375 }
00376 return accessOK;
00377
00378 } catch (Exception e) {
00379 logger.log(BasicLevel.ERROR, "Can't check web role ref permission :" + e.getMessage());
00380 return false;
00381 }
00382
00383 }
00384
00394 private synchronized ProtectionDomain initPolicyContext(HttpServletRequest request, String principalName, String[] roles)
00395 throws URISyntaxException, MalformedURLException {
00396
00397
00398 PolicyContext.setContextID(getContextId());
00399
00400
00401 JPolicyContextHandlerData jPolicyContextHandlerData = JPolicyContextHandlerCurrent.getCurrent()
00402 .getJPolicyContextHandlerData();
00403 if (jPolicyContextHandlerData == null) {
00404 logger.log(BasicLevel.ERROR, "The Handler data retrieved is null !");
00405 return null;
00406 }
00407 jPolicyContextHandlerData.setHttpServletRequest(request);
00408 PolicyContext.setHandlerData(jPolicyContextHandlerData);
00409
00410
00411 URI uri = new URI("file://" + getContextId());
00412 CodeSource codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
00413
00414
00415 String[] overridedRoles = JPolicyUserRoleMapping.getMappingForPrincipal(getContextId(), principalName);
00416 if (overridedRoles != null) {
00417 roles = overridedRoles;
00418 }
00419
00420 Principal[] principals = null;
00421 if (roles != null) {
00422 principals = new Principal[roles.length];
00423 for (int k = 0; k < roles.length; k++) {
00424 principals[k] = new org.objectweb.jonas.security.auth.JPrincipal(roles[k]);
00425 }
00426 }
00427
00428 return new ProtectionDomain(codesource, null, null, principals);
00429 }
00430
00434 protected void resetDeploymentDesc() {
00435 webContainerDeploymentDesc = null;
00436 }
00437
00438 }