All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.jboss.security.plugins.JBossAuthorizationManager Maven / Gradle / Ivy

There is a newer version: 5.1.0.Final
Show newest version
/*
 * JBoss, Home of Professional Open Source
 * Copyright 2005, JBoss Inc., and individual contributors as indicated
 * by the @authors tag. See the copyright.txt in the distribution for a
 * full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.security.plugins;
 
import static org.jboss.security.SecurityConstants.ROLES_IDENTIFIER;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.NobodyPrincipal;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.RunAs;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SecurityUtil;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.Resource;
import org.jboss.security.callbacks.SecurityContextCallback;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingManager;
import org.jboss.security.mapping.MappingType;
import org.jboss.security.plugins.authorization.JBossAuthorizationContext;

//$Id$

/**
 *  Authorization Manager implementation
 *  @author Anil Saldhana
 *  @since  Jan 3, 2006 
 *  @version $Revision$
 */
public class JBossAuthorizationManager 
implements AuthorizationManager 
{  
   private final String securityDomain;  
   
   private AuthorizationContext authorizationContext = null;
   
   //Lock deals with synchronization of authorizationContext usage
   private final Lock lock = new ReentrantLock();
   
   public JBossAuthorizationManager(String securityDomainName)
   {
      this.securityDomain = SecurityUtil.unprefixSecurityDomain( securityDomainName );
   } 
   
   /**
    * @see AuthorizationManager#authorize(Resource)
    */
   public int authorize(Resource resource) throws AuthorizationException
   {
      validateResource(resource);
      Subject subject = SubjectActions.getActiveSubject();
      return internalAuthorization(resource,subject, null);
   }
   
   /**
    * @see AuthorizationManager#authorize(Resource, Subject)
    */
   public int authorize(Resource resource, Subject subject)
   throws AuthorizationException
   {
      return internalAuthorization(resource, subject, null);
   }
   
   /**
    * @see AuthorizationManager#authorize(Resource, Subject, RoleGroup) 
    */
   public int authorize(Resource resource, Subject subject,
         RoleGroup role) throws AuthorizationException
   {
      this.validateResource(resource);
      return internalAuthorization(resource, subject, role);
   }

   /**
    * @see AuthorizationManager#authorize(Resource, Subject, Group)
    */
   public int authorize(Resource resource, Subject subject, 
         Group roleGroup) throws AuthorizationException
   { 
      this.validateResource(resource);
      return internalAuthorization(resource, subject, getRoleGroup(roleGroup));
   }

   /** Does the current Subject have a role(a Principal) that equates to one
    of the role names. This method obtains the Group named 'Roles' from
    the principal set of the currently authenticated Subject as determined
    by the SecurityAssociation.getSubject() method and then creates a
    SimplePrincipal for each name in roleNames. If the role is a member of the
    Roles group, then the user has the role. This requires that the caller
    establish the correct SecurityAssociation subject prior to calling this
    method. In the past this was done as a side-effect of an isValid() call,
    but this is no longer the case.
    
    @param principal - ignored. The current authenticated Subject determines
    the active user and assigned user roles.
    @param rolePrincipals - a Set of Principals for the roles to check.
    
    @see java.security.acl.Group;
    @see Subject#getPrincipals()
    */
   public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
   {
      boolean hasRole = false;
      RoleGroup roles = this.getCurrentRoles(principal);
      if (PicketBoxLogger.LOGGER.isTraceEnabled())
      {
         PicketBoxLogger.LOGGER.traceBeginDoesUserHaveRole(principal, roles != null ? roles.toString() : "");
      }
      if(roles != null)
      {
         Iterator iter = rolePrincipals.iterator();
         while( hasRole == false && iter.hasNext() )
         {
            Principal role = iter.next();
            hasRole = doesRoleGroupHaveRole(role, roles);
         }
         PicketBoxLogger.LOGGER.traceEndDoesUserHaveRole(hasRole);
      }
      return hasRole;
   }
   
   /** Does the current Subject have a role(a Principal) that equates to one
    of the role names.
    
    @see #doesUserHaveRole(Principal, Set)
    
    @param principal - ignored. The current authenticated Subject determines
    the active user and assigned user roles.
    @param role - the application domain role that the principal is to be
    validated against.
    @return true if the active principal has the role, false otherwise.
    */
   public boolean doesUserHaveRole(Principal principal, Principal role)
   {
      boolean hasRole = false;
      RoleGroup roles = this.getCurrentRoles(principal);
      hasRole = doesRoleGroupHaveRole(role, roles); 
      return hasRole;
   } 
   
   /** Return the set of domain roles the current active Subject 'Roles' group
    found in the subject Principals set.
    
    @param principal - ignored. The current authenticated Subject determines
    the active user and assigned user roles.
    @return The Set for the application domain roles that the
    principal has been assigned.
    */
   public Set getUserRoles(Principal principal)
   { 
      RoleGroup userRoles = getCurrentRoles(principal);
      return this.getRolesAsSet(userRoles); 
   }  
     
   
   /** Check that the indicated application domain role is a member of the
    user's assigned roles. This handles the special AnybodyPrincipal and
    NobodyPrincipal independent of the Group implementation.
    
    @param role , the application domain role required for access
    @param userRoles , the set of roles assigned to the user
    @return true if role is in userRoles or an AnybodyPrincipal instance, false
    if role is a NobodyPrincipal or no a member of userRoles
    */
   protected boolean doesRoleGroupHaveRole(Principal role, RoleGroup userRoles)
   {
      // First check that role is not a NobodyPrincipal
      if (role instanceof NobodyPrincipal)
         return false;
      
      // Check for inclusion in the user's role set
      boolean isMember = userRoles.containsRole(new SimpleRole(role.getName())); 
      if (isMember == false)
      {   // Check the AnybodyPrincipal special cases
         isMember = (role instanceof AnybodyPrincipal);
      }
      
      return isMember;
   } 
   
   @Override
   public String toString()
   {
      StringBuffer buf = new StringBuffer();
      buf.append("[AuthorizationManager:class=").append(getClass().getName());
      buf.append(":").append(this.securityDomain).append(":");
      buf.append("]");
      return buf.toString();
   } 
   
   //Value added methods
   /**
    * Set the AuthorizationContext
    */
   public void setAuthorizationContext(AuthorizationContext authorizationContext)
   {
      if(authorizationContext == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("authorizationContext");

      String sc = authorizationContext.getSecurityDomain();
      if(this.securityDomain.equals(sc) == false)
         throw PicketBoxMessages.MESSAGES.unexpectedSecurityDomainInContext(this.securityDomain);

      lock.lock();
      try
      { 
         this.authorizationContext = authorizationContext;
      }
      finally
      {
         lock.unlock();
      }
   }
   
   public String getSecurityDomain()
   {
      return this.securityDomain;
   }
   

   /**
    * @see AuthorizationManager#getTargetRoles(Principal, Map)
    */
   public Group getTargetRoles(Principal targetPrincipal, Map contextMap)
   {
      throw new UnsupportedOperationException();
   }

   //Private Methods
   private HashSet getRolesAsSet(RoleGroup roles)
   {
      HashSet userRoles = null;
      if( roles != null )
      {
         userRoles = new HashSet();
         Collection rolesList = roles.getRoles();
         for(Role r: rolesList)
         {
            userRoles.add(new SimplePrincipal(r.getRoleName()));
         } 
      }
      return userRoles;
   } 

   /**
    * @see AuthorizationManager#getSubjectRoles(Subject, CallbackHandler)
    */
   public RoleGroup getSubjectRoles(Subject authenticatedSubject, CallbackHandler cbh)
   {
      if(authenticatedSubject == null)
         return null;
      
      //Ask the CBH for the SecurityContext
      SecurityContextCallback scb = new SecurityContextCallback();
      try
      {
         cbh.handle(new Callback[]{scb});
      }
      catch (Exception e)
      {
         throw new RuntimeException(e);
      } 
      SecurityContext sc = scb.getSecurityContext();
      
      //Handle the case of Incoming RunAs
      Principal callerPrincipal = null;
      RunAs callerRunAs = sc.getIncomingRunAs();
      if(callerRunAs != null)
      {
         callerPrincipal = new SimplePrincipal(callerRunAs.getName()); 
      }
      
      RoleGroup roles = this.getCurrentRoles(callerPrincipal, authenticatedSubject, sc);
      if(roles == null)
         roles = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
      return roles; 
   }  
   
   /*
    * Get the current role group from the security context or
    * the Subject
    * @param principal The Principal in question
    */
   private RoleGroup getCurrentRoles(Principal principal)
   { 
      //Check that the caller is authenticated to the current thread
      Subject subject = SubjectActions.getActiveSubject();  
      
      //Deal with the security context
      SecurityContext sc = SubjectActions.getSecurityContext(); 
      if(sc == null)
      {
         sc = new JBossSecurityContext(securityDomain); 
         SubjectActions.setSecurityContext(sc);   
      } 
      
      return getCurrentRoles(principal,subject,sc); 
   } 
   
   private RoleGroup getCurrentRoles(Principal principal, Subject subject, SecurityContext securityContext)
   {
      if(subject == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("subject");
      if(securityContext == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("securityContext");

      Group subjectRoles = getGroupFromSubject(subject);
      
      boolean emptyContextRoles = false;
      
      RoleGroup userRoles = securityContext.getUtil().getRoles();
      //Group userRoles = (Group)sc.getData().get(ROLES_IDENTIFIER);
      if(userRoles == null || "true".equalsIgnoreCase(SubjectActions.getRefreshSecurityContextRoles()))
         emptyContextRoles = true;
      userRoles = copyGroups(userRoles, subjectRoles); 
      
      /**
       * Update the roles in the SecurityContext and
       * allow mapping rules be applied only if the SC roles
       * and the subject roles are not the same
       */
      if(subjectRoles != userRoles || emptyContextRoles)
      { 
         MappingManager mm = securityContext.getMappingManager();
         MappingContext mc = mm.getMappingContext(MappingType.ROLE.name());
        
         RoleGroup mappedUserRoles = userRoles;
         if(mc != null && mc.hasModules())
         {
            Map contextMap = new HashMap();
            contextMap.put(SecurityConstants.ROLES_IDENTIFIER, userRoles);
            if(principal != null)
              contextMap.put(SecurityConstants.PRINCIPAL_IDENTIFIER, principal);
            //Append any deployment role->principals configuration done by the user
            contextMap.put(SecurityConstants.DEPLOYMENT_PRINCIPAL_ROLES_MAP,
                  SecurityRolesAssociation.getSecurityRoles());
            
            //Append the principals also
            contextMap.put(SecurityConstants.PRINCIPALS_SET_IDENTIFIER, subject.getPrincipals());
            if (PicketBoxLogger.LOGGER.isTraceEnabled())
            {
               PicketBoxLogger.LOGGER.traceRolesBeforeMapping(userRoles != null ? userRoles.toString() : "");
            }

            if(userRoles == null)
               userRoles = this.getEmptyRoleGroup();
            
            mc.performMapping(contextMap, userRoles);
            mappedUserRoles = mc.getMappingResult().getMappedObject();
            if (PicketBoxLogger.LOGGER.isTraceEnabled())
            {
               PicketBoxLogger.LOGGER.traceRolesAfterMapping(userRoles.toString());
            }
         }
         securityContext.getData().put(ROLES_IDENTIFIER, mappedUserRoles);
      } 
      
      //Ensure that the security context has the roles
      if(securityContext.getUtil().getRoles() == null)
         securityContext.getUtil().setRoles(userRoles);

      //Send the final processed (mapping applied) roles
      return userRoles;   
   }
   
   /**
    * Copy the principals from the second group into the first.
    * If the first group is null and the second group is not, the
    * first group will be made equal to the second group
    * @param source
    * @param toCopy
    */
   private RoleGroup copyGroups(RoleGroup source, Group toCopy)
   {
      if(toCopy == null)
         return source;
      if(source == null && toCopy != null) 
         source = this.getEmptyRoleGroup();
      Enumeration en = toCopy.members();
      while(en.hasMoreElements())
      {
         source.addRole(new SimpleRole(en.nextElement().getName())); 
      }
       
      return source;
   }
   
   private int internalAuthorization(final Resource resource, Subject subject,
         RoleGroup role)
   throws AuthorizationException
   {
      if(this.authorizationContext == null)
         this.setAuthorizationContext( new JBossAuthorizationContext(this.securityDomain) );
       return this.authorizationContext.authorize(resource, subject, role); 
   }
   
   /**
    * Get the Subject roles by looking for a Group called 'Roles'
    * @param theSubject - the Subject to search for roles
    * @return the Group contain the subject roles if found, null otherwise
    */
   private Group getGroupFromSubject(Subject theSubject)
   {
      if(theSubject == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("theSubject");
      Set subjectGroups = theSubject.getPrincipals(Group.class);
      Iterator iter = subjectGroups.iterator();
      Group roles = null;
      while( iter.hasNext() )
      {
         Group grp = iter.next();
         String name = grp.getName();
         if( name.equals(ROLES_IDENTIFIER) )
            roles = grp;
      }
      return roles;
   } 
   
   private RoleGroup getRoleGroup(Group roleGroup)
   {
      if(roleGroup == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleGroup");
      SimpleRoleGroup srg = new SimpleRoleGroup(roleGroup.getName());
      Enumeration principals = roleGroup.members();
      while(principals.hasMoreElements())
      {
         srg.addRole(new SimpleRole(principals.nextElement().getName()));
      }
      return srg;  
   }
   

   private void validateResource(Resource resource)
   {
      if(resource == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("resource");
      if(resource.getMap() == null)
         throw PicketBoxMessages.MESSAGES.invalidNullArgument("resource.contextMap");
   }
   
   private RoleGroup getEmptyRoleGroup()
   {
      return new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
   }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy