1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.apache.jetspeed.page;
18
19 import java.security.AccessController;
20 import java.security.Principal;
21 import java.util.ArrayList;
22 import java.util.Iterator;
23 import java.util.LinkedList;
24 import java.util.List;
25
26 import javax.security.auth.Subject;
27
28 import org.apache.jetspeed.JetspeedActions;
29 import org.apache.jetspeed.om.page.SecurityConstraintImpl;
30 import org.apache.jetspeed.om.page.SecurityConstraintsDef;
31 import org.apache.jetspeed.page.document.DocumentException;
32 import org.apache.jetspeed.security.GroupPrincipal;
33 import org.apache.jetspeed.security.JSSubject;
34 import org.apache.jetspeed.security.RolePrincipal;
35 import org.apache.jetspeed.security.UserPrincipal;
36
37
38 /***
39 * PageManagerUtils
40 *
41 * @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>
42 * @version $Id: $
43 */
44 public class PageManagerSecurityUtils
45 {
46 public static boolean checkConstraint(SecurityConstraintsDef def, String actions)
47 throws DocumentException
48 {
49 List viewActionList = SecurityConstraintImpl.parseCSVList(actions);
50 List otherActionsList = null;
51 if (viewActionList.size() == 1)
52 {
53 if (!viewActionList.contains(JetspeedActions.VIEW))
54 {
55 otherActionsList = viewActionList;
56 viewActionList = null;
57 }
58 }
59 else
60 {
61 otherActionsList = viewActionList;
62 viewActionList = null;
63 if (otherActionsList.remove(JetspeedActions.VIEW))
64 {
65 viewActionList = new ArrayList(1);
66 viewActionList.add(JetspeedActions.VIEW);
67 }
68 }
69
70
71 Subject subject = JSSubject.getSubject(AccessController.getContext());
72 if (subject == null)
73 {
74 throw new SecurityException("Security Consraint Check: Missing JSSubject");
75 }
76
77
78 List userPrincipals = null;
79 List rolePrincipals = null;
80 List groupPrincipals = null;
81 Iterator principals = subject.getPrincipals().iterator();
82 while (principals.hasNext())
83 {
84 Principal principal = (Principal) principals.next();
85 if (principal instanceof UserPrincipal)
86 {
87 if (userPrincipals == null)
88 {
89 userPrincipals = new LinkedList();
90 }
91 userPrincipals.add(principal.getName());
92 }
93 else if (principal instanceof RolePrincipal)
94 {
95 if (rolePrincipals == null)
96 {
97 rolePrincipals = new LinkedList();
98 }
99 rolePrincipals.add(principal.getName());
100 }
101 else if (principal instanceof GroupPrincipal)
102 {
103 if (groupPrincipals == null)
104 {
105 groupPrincipals = new LinkedList();
106 }
107 groupPrincipals.add(principal.getName());
108 }
109 }
110
111 boolean result = false;
112
113
114 if (viewActionList != null)
115 {
116 result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals, def);
117 }
118 if (otherActionsList != null)
119 {
120 result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals, def);
121 }
122 return result;
123 }
124 /***
125 * check access for the constraints list of a security constraints definition
126 *
127 * @param actions given actions
128 * @param userPrincipals set of user principals
129 * @param rolePrincipals set of role principals
130 * @param groupPrincipals set oof group principals
131 * @param def the security constraint definition
132 * @throws SecurityException
133 */
134 public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintsDef def)
135 throws DocumentException
136 {
137
138 List checkConstraints = def.getSecurityConstraints();
139
140
141
142 if ((checkConstraints != null) && !checkConstraints.isEmpty())
143 {
144
145
146 Iterator actionsIter = actions.iterator();
147 while (actionsIter.hasNext())
148 {
149
150
151
152
153
154 String action = (String)actionsIter.next();
155 boolean actionPermitted = false;
156 boolean actionNotPermitted = false;
157 boolean anyActionsPermitted = true;
158
159
160 Iterator checkConstraintsIter = checkConstraints.iterator();
161 while (checkConstraintsIter.hasNext())
162 {
163 SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
164
165
166 if (constraint.getPermissions() != null)
167 {
168
169 anyActionsPermitted = true;
170
171
172 if (constraint.actionMatch(action) &&
173 constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
174 {
175 actionPermitted = true;
176 break;
177 }
178 }
179 else
180 {
181
182 if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
183 {
184 actionNotPermitted = true;
185 break;
186 }
187 }
188 }
189
190
191 if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
192 {
193
194 return false;
195 }
196 }
197 }
198 else
199 {
200
201
202 if (
203 {
204
205
206 return false;
207 }
208 }
209 return true;
210 }
211 }