PageManagerSecurityUtils xref

View Javadoc

1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    * 
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   * 
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.jetspeed.page;
18  
19  import java.security.AccessController;
20  import java.security.Principal;
21  import java.util.ArrayList;
22  import java.util.Iterator;
23  import java.util.LinkedList;
24  import java.util.List;
25  
26  import javax.security.auth.Subject;
27  
28  import org.apache.jetspeed.JetspeedActions;
29  import org.apache.jetspeed.om.page.SecurityConstraintImpl;
30  import org.apache.jetspeed.om.page.SecurityConstraintsDef;
31  import org.apache.jetspeed.page.document.DocumentException;
32  import org.apache.jetspeed.security.GroupPrincipal;
33  import org.apache.jetspeed.security.JSSubject;
34  import org.apache.jetspeed.security.RolePrincipal;
35  import org.apache.jetspeed.security.UserPrincipal;
36  
37  
38  /***
39   * PageManagerUtils
40   * 
41   * @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>
42   * @version $Id: $
43   */
44  public class PageManagerSecurityUtils
45  {
46      public static boolean checkConstraint(SecurityConstraintsDef def, String actions)
47      throws DocumentException
48      {
49          List viewActionList = SecurityConstraintImpl.parseCSVList(actions);
50          List otherActionsList = null;
51          if (viewActionList.size() == 1)
52          {
53              if (!viewActionList.contains(JetspeedActions.VIEW))
54              {
55                  otherActionsList = viewActionList;
56                  viewActionList = null;
57              }
58          }
59          else
60          {
61              otherActionsList = viewActionList;
62              viewActionList = null;
63              if (otherActionsList.remove(JetspeedActions.VIEW))
64              {
65                  viewActionList = new ArrayList(1);
66                  viewActionList.add(JetspeedActions.VIEW);
67              }
68          }
69  
70          // get current request context subject
71          Subject subject = JSSubject.getSubject(AccessController.getContext());
72          if (subject == null)
73          {
74              throw new SecurityException("Security Consraint Check: Missing JSSubject");
75          }
76  
77          // get user/group/role principal names
78          List userPrincipals = null;
79          List rolePrincipals = null;
80          List groupPrincipals = null;
81          Iterator principals = subject.getPrincipals().iterator();
82          while (principals.hasNext())
83          {
84              Principal principal = (Principal) principals.next();
85              if (principal instanceof UserPrincipal)
86              {
87                  if (userPrincipals == null)
88                  {
89                      userPrincipals = new LinkedList();
90                  }
91                  userPrincipals.add(principal.getName());
92              }
93              else if (principal instanceof RolePrincipal)
94              {
95                  if (rolePrincipals == null)
96                  {
97                      rolePrincipals = new LinkedList();
98                  }
99                  rolePrincipals.add(principal.getName());
100             }
101             else if (principal instanceof GroupPrincipal)
102             {
103                 if (groupPrincipals == null)
104                 {
105                     groupPrincipals = new LinkedList();
106                 }
107                 groupPrincipals.add(principal.getName());
108             }
109         }
110         
111         boolean result = false;
112         
113         // check constraints using parsed action and access lists
114         if (viewActionList != null)
115         {
116             result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals, def);
117         }
118         if (otherActionsList != null)
119         {
120             result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals, def);
121         }
122         return result;
123     }
124     /***
125      * check access for the constraints list of a security constraints definition
126      * 
127      * @param actions given actions
128      * @param userPrincipals set of user principals  
129      * @param rolePrincipals set of role principals
130      * @param groupPrincipals set oof group principals
131      * @param def the security constraint definition 
132      * @throws SecurityException
133      */
134     public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintsDef def) 
135     throws DocumentException
136     {
137         
138         List checkConstraints = def.getSecurityConstraints();
139             // SecurityConstraint c =(SecurityConstraint)constraints.next();
140         // skip missing or empty constraints: permit all access
141         //List checkConstraints = getAllSecurityConstraints(pageSecurity);
142         if ((checkConstraints != null) && !checkConstraints.isEmpty())
143         {
144             // test each action, constraints check passes only
145             // if all actions are permitted for principals
146             Iterator actionsIter = actions.iterator();
147             while (actionsIter.hasNext())
148             {
149                 // check each action:
150                 // - if any actions explicity permitted, (including owner),
151                 //   assume no permissions are permitted by default
152                 // - if all constraints do not specify a permission, assume
153                 //   access is permitted by default
154                 String action = (String)actionsIter.next();
155                 boolean actionPermitted = false;
156                 boolean actionNotPermitted = false;
157                 boolean anyActionsPermitted = true; // TODO:(getOwner() != null);
158                 
159                 // check against constraints
160                 Iterator checkConstraintsIter = checkConstraints.iterator();
161                 while (checkConstraintsIter.hasNext())
162                 {
163                     SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
164                     
165                     // if permissions specified, attempt to match constraint
166                     if (constraint.getPermissions() != null)
167                     {
168                         // explicit actions permitted
169                         anyActionsPermitted = true;
170 
171                         // test action permission match and user/role/group principal match
172                         if (constraint.actionMatch(action) &&
173                             constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
174                         {
175                             actionPermitted = true;
176                             break;
177                         }
178                     }
179                     else
180                     {
181                         // permissions not specified: not permitted if any principal matched
182                         if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
183                         {
184                             actionNotPermitted = true;
185                             break;
186                         }
187                     }
188                 }
189                 
190                 // fail if any action not permitted
191                 if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)
192                 {
193                     //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
194                     return false;
195                 }
196             }
197         }
198         else
199         {
200             // fail for any action if owner specified
201             // since no other constraints were found
202             if (/*(getOwner() != null) && */ !actions.isEmpty())
203             {
204                 //String action = (String)actions.get(0);
205                 //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
206                 return false;
207             }
208         }
209         return true;
210     }
211 }