%line | %branch | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
org.apache.jetspeed.page.PageManagerSecurityUtils |
|
|
1 | /* |
|
2 | * Licensed to the Apache Software Foundation (ASF) under one or more |
|
3 | * contributor license agreements. See the NOTICE file distributed with |
|
4 | * this work for additional information regarding copyright ownership. |
|
5 | * The ASF licenses this file to You under the Apache License, Version 2.0 |
|
6 | * (the "License"); you may not use this file except in compliance with |
|
7 | * the License. You may obtain a copy of the License at |
|
8 | * |
|
9 | * http://www.apache.org/licenses/LICENSE-2.0 |
|
10 | * |
|
11 | * Unless required by applicable law or agreed to in writing, software |
|
12 | * distributed under the License is distributed on an "AS IS" BASIS, |
|
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
14 | * See the License for the specific language governing permissions and |
|
15 | * limitations under the License. |
|
16 | */ |
|
17 | package org.apache.jetspeed.page; |
|
18 | ||
19 | import java.security.AccessController; |
|
20 | import java.security.Principal; |
|
21 | import java.util.ArrayList; |
|
22 | import java.util.Iterator; |
|
23 | import java.util.LinkedList; |
|
24 | import java.util.List; |
|
25 | ||
26 | import javax.security.auth.Subject; |
|
27 | ||
28 | import org.apache.jetspeed.JetspeedActions; |
|
29 | import org.apache.jetspeed.om.page.SecurityConstraintImpl; |
|
30 | import org.apache.jetspeed.om.page.SecurityConstraintsDef; |
|
31 | import org.apache.jetspeed.page.document.DocumentException; |
|
32 | import org.apache.jetspeed.security.GroupPrincipal; |
|
33 | import org.apache.jetspeed.security.JSSubject; |
|
34 | import org.apache.jetspeed.security.RolePrincipal; |
|
35 | import org.apache.jetspeed.security.UserPrincipal; |
|
36 | ||
37 | ||
38 | /** |
|
39 | * PageManagerUtils |
|
40 | * |
|
41 | * @author <a href="mailto:taylor@apache.org">David Sean Taylor</a> |
|
42 | * @version $Id: $ |
|
43 | */ |
|
44 | 0 | public class PageManagerSecurityUtils |
45 | { |
|
46 | public static boolean checkConstraint(SecurityConstraintsDef def, String actions) |
|
47 | throws DocumentException |
|
48 | { |
|
49 | 0 | List viewActionList = SecurityConstraintImpl.parseCSVList(actions); |
50 | 0 | List otherActionsList = null; |
51 | 0 | if (viewActionList.size() == 1) |
52 | { |
|
53 | 0 | if (!viewActionList.contains(JetspeedActions.VIEW)) |
54 | { |
|
55 | 0 | otherActionsList = viewActionList; |
56 | 0 | viewActionList = null; |
57 | } |
|
58 | } |
|
59 | else |
|
60 | { |
|
61 | 0 | otherActionsList = viewActionList; |
62 | 0 | viewActionList = null; |
63 | 0 | if (otherActionsList.remove(JetspeedActions.VIEW)) |
64 | { |
|
65 | 0 | viewActionList = new ArrayList(1); |
66 | 0 | viewActionList.add(JetspeedActions.VIEW); |
67 | } |
|
68 | } |
|
69 | ||
70 | // get current request context subject |
|
71 | 0 | Subject subject = JSSubject.getSubject(AccessController.getContext()); |
72 | 0 | if (subject == null) |
73 | { |
|
74 | 0 | throw new SecurityException("Security Consraint Check: Missing JSSubject"); |
75 | } |
|
76 | ||
77 | // get user/group/role principal names |
|
78 | 0 | List userPrincipals = null; |
79 | 0 | List rolePrincipals = null; |
80 | 0 | List groupPrincipals = null; |
81 | 0 | Iterator principals = subject.getPrincipals().iterator(); |
82 | 0 | while (principals.hasNext()) |
83 | { |
|
84 | 0 | Principal principal = (Principal) principals.next(); |
85 | 0 | if (principal instanceof UserPrincipal) |
86 | { |
|
87 | 0 | if (userPrincipals == null) |
88 | { |
|
89 | 0 | userPrincipals = new LinkedList(); |
90 | } |
|
91 | 0 | userPrincipals.add(principal.getName()); |
92 | } |
|
93 | 0 | else if (principal instanceof RolePrincipal) |
94 | { |
|
95 | 0 | if (rolePrincipals == null) |
96 | { |
|
97 | 0 | rolePrincipals = new LinkedList(); |
98 | } |
|
99 | 0 | rolePrincipals.add(principal.getName()); |
100 | } |
|
101 | 0 | else if (principal instanceof GroupPrincipal) |
102 | { |
|
103 | 0 | if (groupPrincipals == null) |
104 | { |
|
105 | 0 | groupPrincipals = new LinkedList(); |
106 | } |
|
107 | 0 | groupPrincipals.add(principal.getName()); |
108 | } |
|
109 | 0 | } |
110 | ||
111 | 0 | boolean result = false; |
112 | ||
113 | // check constraints using parsed action and access lists |
|
114 | 0 | if (viewActionList != null) |
115 | { |
|
116 | 0 | result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals, def); |
117 | } |
|
118 | 0 | if (otherActionsList != null) |
119 | { |
|
120 | 0 | result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals, def); |
121 | } |
|
122 | 0 | return result; |
123 | } |
|
124 | /** |
|
125 | * check access for the constraints list of a security constraints definition |
|
126 | * |
|
127 | * @param actions given actions |
|
128 | * @param userPrincipals set of user principals |
|
129 | * @param rolePrincipals set of role principals |
|
130 | * @param groupPrincipals set oof group principals |
|
131 | * @param def the security constraint definition |
|
132 | * @throws SecurityException |
|
133 | */ |
|
134 | public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintsDef def) |
|
135 | throws DocumentException |
|
136 | { |
|
137 | ||
138 | 0 | List checkConstraints = def.getSecurityConstraints(); |
139 | // SecurityConstraint c =(SecurityConstraint)constraints.next(); |
|
140 | // skip missing or empty constraints: permit all access |
|
141 | //List checkConstraints = getAllSecurityConstraints(pageSecurity); |
|
142 | 0 | if ((checkConstraints != null) && !checkConstraints.isEmpty()) |
143 | { |
|
144 | // test each action, constraints check passes only |
|
145 | // if all actions are permitted for principals |
|
146 | 0 | Iterator actionsIter = actions.iterator(); |
147 | 0 | while (actionsIter.hasNext()) |
148 | { |
|
149 | // check each action: |
|
150 | // - if any actions explicity permitted, (including owner), |
|
151 | // assume no permissions are permitted by default |
|
152 | // - if all constraints do not specify a permission, assume |
|
153 | // access is permitted by default |
|
154 | 0 | String action = (String)actionsIter.next(); |
155 | 0 | boolean actionPermitted = false; |
156 | 0 | boolean actionNotPermitted = false; |
157 | 0 | boolean anyActionsPermitted = true; // TODO:(getOwner() != null); |
158 | ||
159 | // check against constraints |
|
160 | 0 | Iterator checkConstraintsIter = checkConstraints.iterator(); |
161 | 0 | while (checkConstraintsIter.hasNext()) |
162 | { |
|
163 | 0 | SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next(); |
164 | ||
165 | // if permissions specified, attempt to match constraint |
|
166 | 0 | if (constraint.getPermissions() != null) |
167 | { |
|
168 | // explicit actions permitted |
|
169 | 0 | anyActionsPermitted = true; |
170 | ||
171 | // test action permission match and user/role/group principal match |
|
172 | 0 | if (constraint.actionMatch(action) && |
173 | constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true)) |
|
174 | { |
|
175 | 0 | actionPermitted = true; |
176 | 0 | break; |
177 | } |
|
178 | } |
|
179 | else |
|
180 | { |
|
181 | // permissions not specified: not permitted if any principal matched |
|
182 | 0 | if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false)) |
183 | { |
|
184 | 0 | actionNotPermitted = true; |
185 | 0 | break; |
186 | } |
|
187 | } |
|
188 | 0 | } |
189 | ||
190 | // fail if any action not permitted |
|
191 | 0 | if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted) |
192 | { |
|
193 | //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted."); |
|
194 | 0 | return false; |
195 | } |
|
196 | 0 | } |
197 | 0 | } |
198 | else |
|
199 | { |
|
200 | // fail for any action if owner specified |
|
201 | // since no other constraints were found |
|
202 | 0 | if (/*(getOwner() != null) && */ !actions.isEmpty()) |
203 | { |
|
204 | //String action = (String)actions.get(0); |
|
205 | //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner)."); |
|
206 | 0 | return false; |
207 | } |
|
208 | } |
|
209 | 0 | return true; |
210 | } |
|
211 | } |
This report is generated by jcoverage, Maven and Maven JCoverage Plugin. |