All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.switchyard.handlers.SecurityHandler Maven / Gradle / Ivy

/*
 * Copyright 2013 Red Hat Inc. and/or its affiliates and other contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * http://www.apache.org/licenses/LICENSE-2.0
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,  
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.switchyard.handlers;

import static org.switchyard.policy.PolicyUtil.isProvided;
import static org.switchyard.policy.PolicyUtil.isRequired;
import static org.switchyard.policy.PolicyUtil.provide;
import static org.switchyard.policy.SecurityPolicy.AUTHORIZATION;
import static org.switchyard.policy.SecurityPolicy.CLIENT_AUTHENTICATION;
import static org.switchyard.policy.SecurityPolicy.CONFIDENTIALITY;

import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

import org.jboss.logging.Logger;
import org.switchyard.BaseHandler;
import org.switchyard.Exchange;
import org.switchyard.HandlerException;
import org.switchyard.ServiceDomain;
import org.switchyard.ServiceSecurity;
import org.switchyard.security.SecurityMetadata;
import org.switchyard.security.SecurityServices;
import org.switchyard.security.context.SecurityContext;
import org.switchyard.security.context.SecurityContextManager;
import org.switchyard.security.credential.ConfidentialityCredential;
import org.switchyard.security.credential.PrincipalCredential;
import org.switchyard.security.provider.SecurityProvider;

/**
 * A security ExchangeHandler implementation.
 * 
 * @author David Ward <[email protected]> © 2013 Red Hat Inc.
 */
public class SecurityHandler extends BaseHandler {

    private static final Logger LOGGER = Logger.getLogger(SecurityHandler.class);
    private static final ThreadLocal PROCESS_COUNT = new InheritableThreadLocal();

    private final SecurityContextManager _securityContextManager;
    private final SecurityProvider _securityProvider;
    private final SecurityAction _securityAction;

    /**
     * What the SecurityHandler should do.
     */
    public static enum SecurityAction {
        /** Process security. */
        PROCESS,
        /** Cleanup security. */
        CLEANUP;
    }

    /**
     * Constructs a SecurityHandler for the specified ServiceDomain and SecurityAction.
     * @param serviceDomain the ServiceDomain
     * @param securityAction the SecurityAction
     */
    public SecurityHandler(ServiceDomain serviceDomain, SecurityAction securityAction) {
        _securityContextManager = new SecurityContextManager(serviceDomain);
        _securityProvider = SecurityServices.getSecurityProvider();
        _securityAction = securityAction;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void handleMessage(Exchange exchange) throws HandlerException {
        ServiceSecurity serviceSecurity = SecurityMetadata.getServiceSecurity(exchange);
        if (serviceSecurity == null) {
            // nothing to do
            return;
        }
        switch (_securityAction) {
            case PROCESS:
                process(exchange, serviceSecurity);
                break;
            case CLEANUP:
                cleanup(exchange, serviceSecurity);
                break;
        }
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void handleFault(Exchange exchange) {
        ServiceSecurity serviceSecurity = SecurityMetadata.getServiceSecurity(exchange);
        if (serviceSecurity == null) {
            // nothing to do
            return;
        }
        try {
            cleanup(exchange, serviceSecurity);
        } catch (Exception e) {
            LOGGER.error(e);
        }
    }

    private void process(Exchange exchange, ServiceSecurity serviceSecurity) throws HandlerException {
        processCount().incrementAndGet();
        SecurityContext securityContext = _securityContextManager.getContext(exchange);
        if (isRequired(exchange, CONFIDENTIALITY) && !isProvided(exchange, CONFIDENTIALITY)) {
            if (isConfidentialityProvided(securityContext)) {
                provide(exchange, CONFIDENTIALITY);
            }
        }
        boolean success = false;
        if (isRequired(exchange, CLIENT_AUTHENTICATION) && !isProvided(exchange, CLIENT_AUTHENTICATION)) {
            if (isClientAuthenticationProvided(securityContext)) {
                provide(exchange, CLIENT_AUTHENTICATION);
                success = true;
            } else {
                boolean authenticated = _securityProvider.authenticate(serviceSecurity, securityContext);
                if (authenticated) {
                    provide(exchange, CLIENT_AUTHENTICATION);
                    success = true;
                }
            }
        } else {
            success = true;
        }
        if (success) {
            _securityProvider.populate(serviceSecurity, securityContext);
        }
        if (isRequired(exchange, AUTHORIZATION) && !isProvided(exchange, AUTHORIZATION)) {
            if (isAuthorizationProvided(serviceSecurity, securityContext)) {
                provide(exchange, AUTHORIZATION);
            }
        }
        _securityContextManager.setContext(exchange, securityContext);
    }

    private void cleanup(Exchange exchange, ServiceSecurity serviceSecurity) {
        int pc = processCount().decrementAndGet();
        if (pc < 1) {
            _securityContextManager.setContext(exchange, null);
            processCount().set(0);
        }
        /*
        SecurityContext securityContext = _securityContextManager.getContext(exchange);
        securityContext.clearCredentials();
        _securityProvider.clear(serviceSecurity, securityContext);
        _securityContextManager.setContext(exchange, securityContext);
        */
    }

    private boolean isConfidentialityProvided(SecurityContext securityContext) {
        Set creds = securityContext.getCredentials(ConfidentialityCredential.class);
        for (ConfidentialityCredential cred : creds) {
            if (cred.isConfidential()) {
                return true;
            }
        }
        return false;
    }

    private boolean isClientAuthenticationProvided(SecurityContext securityContext) {
        Set creds = securityContext.getCredentials(PrincipalCredential.class);
        for (PrincipalCredential cred : creds) {
            if (cred.getPrincipal() != null && cred.isTrusted()) {
                return true;
            }
        }
        return false;
    }

    private boolean isAuthorizationProvided(ServiceSecurity serviceSecurity, SecurityContext securityContext) {
        return _securityProvider.checkRolesAllowed(serviceSecurity, securityContext);
    }

    private static synchronized AtomicInteger processCount() {
        AtomicInteger hic = PROCESS_COUNT.get();
        if (hic == null) {
            hic = new AtomicInteger(0);
            PROCESS_COUNT.set(hic);
        }
        return hic;
    }

}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy