Main Page | Packages | Class Hierarchy | Class List | File List | Class Members | Related Pages | Search for 
src / org / objectweb / jonas / web / lib

PermissionManager.java

00001 
00027 package org.objectweb.jonas.web.lib;
00028 
00029 import java.net.MalformedURLException;
00030 import java.net.URI;
00031 import java.net.URISyntaxException;
00032 import java.net.URL;
00033 import java.security.CodeSource;
00034 import java.security.Permission;
00035 import java.security.PermissionCollection;
00036 import java.security.Principal;
00037 import java.security.ProtectionDomain;
00038 import java.security.cert.Certificate;
00039 import java.util.ArrayList;
00040 import java.util.Collection;
00041 import java.util.Iterator;
00042 import java.util.List;
00043 import java.util.Map;
00044 
00045 import javax.security.jacc.PolicyContext;
00046 import javax.security.jacc.PolicyContextException;
00047 import javax.security.jacc.WebResourcePermission;
00048 import javax.security.jacc.WebRoleRefPermission;
00049 import javax.security.jacc.WebUserDataPermission;
00050 import javax.servlet.http.HttpServletRequest;
00051 
00052 import org.objectweb.jonas.common.Log;
00053 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerCurrent;
00054 import org.objectweb.jonas.security.jacc.JPolicyContextHandlerData;
00055 import org.objectweb.jonas.security.jacc.JPolicyUserRoleMapping;
00056 
00057 import org.objectweb.jonas_lib.deployment.api.SecurityRoleRefDesc;
00058 import org.objectweb.jonas_lib.security.AbsPermissionManager;
00059 import org.objectweb.jonas_lib.security.PermissionManagerException;
00060 import org.objectweb.jonas_web.deployment.api.SecurityConstraintListDesc;
00061 import org.objectweb.jonas_web.deployment.api.SecurityRoleDesc;
00062 import org.objectweb.jonas_web.deployment.api.ServletDesc;
00063 import org.objectweb.jonas_web.deployment.api.WebContainerDeploymentDesc;
00064 import org.objectweb.util.monolog.api.BasicLevel;
00065 import org.objectweb.util.monolog.api.Logger;
00066 
00072 public class PermissionManager extends AbsPermissionManager {
00073 
00077     private static Logger logger = null;
00078 
00082     private WebContainerDeploymentDesc webContainerDeploymentDesc = null;
00083 
00090     public PermissionManager(WebContainerDeploymentDesc webContainerDeploymentDesc, String contextId)
00091             throws PermissionManagerException {
00092         super(contextId);
00093         this.webContainerDeploymentDesc = webContainerDeploymentDesc;
00094         logger = Log.getLogger(Log.JONAS_WEB_PREFIX);
00095     }
00096 
00113     public void translateServletDeploymentDescriptor() throws PermissionManagerException {
00114         translateSecurityConstraintElements();
00115         translateServletSecurityRoleRef();
00116     }
00117 
00132     protected void translateSecurityConstraintElements() throws PermissionManagerException {
00133         if (webContainerDeploymentDesc == null || getPolicyConfiguration() == null) {
00134             throw new PermissionManagerException("PolicyConfiguration or webContainerbDeploymentDesc is null");
00135         }
00136 
00137         SecurityConstraintListDesc securityConstraintListDesc = webContainerDeploymentDesc
00138                 .getSecurityConstraintListDesc();
00139         PermissionCollection excludedPermissions = securityConstraintListDesc.getExcludedPermissions();
00140         PermissionCollection uncheckedPermissions = securityConstraintListDesc.getUncheckedPermissions();
00141         PermissionCollection rolePermissions = null;
00142         String roleName = null;
00143         Map roleMapPermissions = securityConstraintListDesc.getPermissionsByRole();
00144 
00145         try {
00146             getPolicyConfiguration().addToExcludedPolicy(excludedPermissions);
00147             getPolicyConfiguration().addToUncheckedPolicy(uncheckedPermissions);
00148 
00149             for (Iterator rolesIt = roleMapPermissions.keySet().iterator(); rolesIt.hasNext();) {
00150                 roleName = (String) rolesIt.next();
00151                 rolePermissions = (PermissionCollection) roleMapPermissions.get(roleName);
00152                 getPolicyConfiguration().addToRole(roleName, rolePermissions);
00153             }
00154         } catch (PolicyContextException pce) {
00155             throw new PermissionManagerException("Can not add add permissions to policy", pce);
00156         }
00157     }
00158 
00182     protected void translateServletSecurityRoleRef() throws PermissionManagerException {
00183         if (webContainerDeploymentDesc == null || getPolicyConfiguration() == null) {
00184             throw new PermissionManagerException("PolicyConfiguration or webContainerbDeploymentDesc is null");
00185         }
00186 
00187         Collection servlets = webContainerDeploymentDesc.getServletDescList();
00188 
00189         // List of roles which appear as role-name in a security-role-ref
00190         List rolesAppearedInSecurityRoleRef = new ArrayList();
00191 
00192         /*
00193          * For each security-role-ref appearing in the deployment descriptor a
00194          * corresponding WebRoleRefPermission must be added to the corresponding
00195          * role. The name of the WebRoleRefPermission must be the servlet-name
00196          * in whose context the security-role-ref is defined. The actions of the
00197          * WebRoleRefPermission must be the value of the role-name (that is the
00198          * reference), appearing in the security-role-ref
00199          */
00200         ServletDesc servletDesc = null;
00201         String servletName = null;
00202         List roleRefs = null;
00203         SecurityRoleRefDesc securityRoleRefDesc = null;
00204         for (Iterator itServlet = servlets.iterator(); itServlet.hasNext();) {
00205             servletDesc = (ServletDesc) itServlet.next();
00206             roleRefs = servletDesc.getSecurityRoleRefList();
00207             servletName = servletDesc.getServletName();
00208             for (Iterator itRoleRef = roleRefs.iterator(); itRoleRef.hasNext();) {
00209                 securityRoleRefDesc = (SecurityRoleRefDesc) itRoleRef.next();
00210                 /*
00211                  * The deployment tools must call the addToRole method on the
00212                  * PolicyConfiguration object to add the WebRoleRefPermission
00213                  * object resulting from the translation to the role identified
00214                  * in the role-link appearing in the security-role-ref.
00215                  */
00216                 Permission webRoleRefPermission = securityRoleRefDesc.getWebRoleRefPermission();
00217 
00218                 // Role has appear
00219                 rolesAppearedInSecurityRoleRef.add(securityRoleRefDesc.getRoleName());
00220 
00221                 try {
00222                     getPolicyConfiguration().addToRole(securityRoleRefDesc.getRoleLink(), webRoleRefPermission);
00223                 } catch (PolicyContextException pce) {
00224                     throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00225                             + "' to policy", pce);
00226                 }
00227             }
00228         }
00229 
00230         /*
00231          * Additional WebRoleRefPermission objects must be added to the
00232          * PolicyConfiguration as follows. For each servlet element in the
00233          * deployment descriptor a WebRoleRefPermission must be added to each
00234          * security-role whose name does not appear as the role-name in a
00235          * security-role-ref within the servlet element.
00236          */
00237         List securityRoles = webContainerDeploymentDesc.getSecurityRoleList();
00238         SecurityRoleDesc securityRoleDesc = null;
00239         String securityRoleName = null;
00240 
00241         for (Iterator itServlet = servlets.iterator(); itServlet.hasNext();) {
00242             servletDesc = (ServletDesc) itServlet.next();
00243             servletName = servletDesc.getServletName();
00244 
00245             for (Iterator itSecurityRoles = securityRoles.iterator(); itSecurityRoles.hasNext();) {
00246                 securityRoleDesc = (SecurityRoleDesc) itSecurityRoles.next();
00247                 securityRoleName = securityRoleDesc.getRoleName();
00248                 // if role does not appear as the role-name in a
00249                 // security-role-ref
00250                 // need to create permission
00251                 if (!rolesAppearedInSecurityRoleRef.contains(securityRoleName)) {
00252 
00253                     /*
00254                      * The name of each such WebRoleRefPermission must be the
00255                      * servlet-name of the corresponding servlet element. The
00256                      * actions (that is, reference) of each such
00257                      * WebRoleRefPermission must be the corresponding
00258                      * (non-appearing) role-name. The resulting permissions must
00259                      * be added to the corresponding roles by calling the
00260                      * addToRole method on the PolicyConfiguration object.
00261                      */
00262                     Permission webRoleRefPermission = new WebRoleRefPermission(servletName, securityRoleName);
00263                     try {
00264                         getPolicyConfiguration().addToRole(securityRoleName, webRoleRefPermission);
00265                     } catch (PolicyContextException pce) {
00266                         throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00267                                 + "' to policy", pce);
00268                     }
00269                 }
00270             }
00271         }
00272 
00277         securityRoles = webContainerDeploymentDesc.getSecurityRoleList();
00278         for (Iterator itSecurityRoles = securityRoles.iterator(); itSecurityRoles.hasNext();) {
00279             securityRoleDesc = (SecurityRoleDesc) itSecurityRoles.next();
00280             securityRoleName = securityRoleDesc.getRoleName();
00285             Permission webRoleRefPermission = new WebRoleRefPermission("", securityRoleName);
00286             try {
00287                 getPolicyConfiguration().addToRole(securityRoleName, webRoleRefPermission);
00288             } catch (PolicyContextException pce) {
00289                 throw new PermissionManagerException("Can not add add permission '" + webRoleRefPermission
00290                         + "' to policy", pce);
00291             }
00292         }
00293     }
00294 
00302     public boolean checkWebUserDataPermission(HttpServletRequest request, String principalName, String[] roles) {
00303 
00304         try {
00305             ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00306 
00307             //TODO : cache request to avoid creation of a new
00308             // WebUserDatapermission each time
00309             // See JACC 4.12
00310             WebUserDataPermission webUserDataPermission = new WebUserDataPermission(request);
00311             boolean accessOK = getPolicy().implies(protectionDomain, webUserDataPermission);
00312 
00313             if (logger.isLoggable(BasicLevel.DEBUG)) {
00314                 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00315             }
00316             return accessOK;
00317 
00318         } catch (Exception e) {
00319             logger.log(BasicLevel.ERROR, "Can't check web user data permission :" + e.getMessage());
00320             return false;
00321         }
00322 
00323     }
00324 
00332     public boolean checkWebResourcePermission(HttpServletRequest request, String principalName, String[] roles) {
00333         try {
00334             ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00335 
00336             //TODO : cache request to avoid creation of a new
00337             // WebResourcePermission each time
00338             // See JACC 4.12
00339             WebResourcePermission webResourcePermission = new WebResourcePermission(request);
00340             boolean accessOK = getPolicy().implies(protectionDomain, webResourcePermission);
00341             if (logger.isLoggable(BasicLevel.DEBUG)) {
00342                 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00343             }
00344             return accessOK;
00345 
00346         } catch (Exception e) {
00347             logger.log(BasicLevel.ERROR, "Can't check web resource permission :" + e.getMessage());
00348             return false;
00349         }
00350 
00351     }
00352 
00362     public boolean checkWebRoleRefPermission(HttpServletRequest request, String servletName, String principalName, String[] roles,
00363             String roleName) {
00364         try {
00365 
00366             ProtectionDomain protectionDomain = initPolicyContext(request, principalName, roles);
00367 
00368             //TODO : cache request to avoid creation of a new
00369             // WebRoleRefPermission each time
00370             // See JACC 4.12
00371             WebRoleRefPermission webRoleRefPermission = new WebRoleRefPermission(servletName, roleName);
00372             boolean accessOK = getPolicy().implies(protectionDomain, webRoleRefPermission);
00373             if (logger.isLoggable(BasicLevel.DEBUG)) {
00374                 logger.log(BasicLevel.DEBUG, "Policy.implies result = " + accessOK);
00375             }
00376             return accessOK;
00377 
00378         } catch (Exception e) {
00379             logger.log(BasicLevel.ERROR, "Can't check web role ref permission :" + e.getMessage());
00380             return false;
00381         }
00382 
00383     }
00384 
00394     private synchronized ProtectionDomain initPolicyContext(HttpServletRequest request, String principalName, String[] roles)
00395             throws URISyntaxException, MalformedURLException {
00396 
00397         // Set the policy context
00398         PolicyContext.setContextID(getContextId());
00399 
00400         // Configure ContextHandler
00401         JPolicyContextHandlerData jPolicyContextHandlerData = JPolicyContextHandlerCurrent.getCurrent()
00402                 .getJPolicyContextHandlerData();
00403         if (jPolicyContextHandlerData == null) {
00404             logger.log(BasicLevel.ERROR, "The Handler data retrieved is null !");
00405             return null;
00406         }
00407         jPolicyContextHandlerData.setHttpServletRequest(request);
00408         PolicyContext.setHandlerData(jPolicyContextHandlerData);
00409 
00410         // Build Protection Domain with a codesource and array of principal
00411         URI uri = new URI("file://" + getContextId());
00412         CodeSource codesource = new CodeSource(new URL(uri.toString()), (Certificate[]) null);
00413 
00414         // Existing mapping ?
00415         String[] overridedRoles = JPolicyUserRoleMapping.getMappingForPrincipal(getContextId(), principalName);
00416         if (overridedRoles != null) {
00417             roles = overridedRoles;
00418         }
00419 
00420         Principal[] principals = null;
00421         if (roles != null) {
00422             principals = new Principal[roles.length];
00423             for (int k = 0; k < roles.length; k++) {
00424                 principals[k] = new org.objectweb.jonas.security.auth.JPrincipal(roles[k]);
00425             }
00426         }
00427 
00428         return new ProtectionDomain(codesource, null, null, principals);
00429     }
00430 
00434     protected void resetDeploymentDesc() {
00435         webContainerDeploymentDesc = null;
00436     }
00437 
00438 }
Generated on Tue Feb 15 15:05:25 2005 for JOnAS by  doxygen 1.3.9.1