/** See if the given JACC permission is implied using the caller as * obtained from either the * PolicyContext.getContext(javax.security.auth.Subject.container) or * the info associated with the requestPrincipal. * * @param perm - the JACC permission to check * @param requestPrincpal - the http request getPrincipal * @param caller the authenticated subject obtained by establishSubjectContext * @return true if the permission is allowed, false otherwise */ private boolean checkPolicy(Permission perm, Principal requestPrincpal, Subject caller, Role role) { // Get the caller principals, its null if there is no caller Principal[] principals = getPrincipals(caller,role); return checkPolicy(perm, principals); }
/** * Perform hasResourcePermission Check * @param request * @param response * @param securityConstraints * @param context * @param caller * @return * @throws IOException */ private boolean hasResourcePermission(Subject caller, Role role) throws IOException { Principal requestPrincipal = request.getUserPrincipal(); WebResourcePermission perm = new WebResourcePermission(this.canonicalRequestURI, request.getMethod()); boolean allowed = checkPolicy(perm, requestPrincipal, caller, role ); if( trace ) log.trace("hasResourcePermission, perm="+perm+", allowed="+allowed); return allowed; }
this.policyContextID = webResource.getPolicyContextID(); Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK)); Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK)); throw new IllegalStateException("Request is null"); return process(request, role);
Set<Principal> roles = (Set<Principal>)map.get(ResourceKeys.PRINCIPAL_ROLES); String servletName = webResource.getServletName(); Boolean resourceCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.RESOURCE_PERM_CHECK)); Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK)); Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK)); validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck); decision = this.hasResourcePermission(callerSubject, role); else if(userDataCheck) decision = this.hasUserDataPermission(); else if(roleRefCheck) decision = this.hasRole(principal, roleName, roles, servletName); else if(trace)
WebXACMLUtil util = new WebXACMLUtil(); try RequestContext requestCtx = util.createXACMLRequest(request,callerRoles); if(this.policyContextID == null) this.policyContextID = PolicyContext.getContextID(); PolicyDecisionPoint pdp = util.getPDP(this.policyRegistration, this.policyContextID); ResponseContext response = pdp.evaluate(requestCtx); result = response.getDecision() == XACMLConstants.DECISION_PERMIT ?
Set<Principal> roles = (Set<Principal>)map.get(ResourceKeys.PRINCIPAL_ROLES); String servletName = webResource.getServletName(); Boolean resourceCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.RESOURCE_PERM_CHECK)); Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK)); Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK)); validatePermissionChecks(resourceCheck,userDataCheck,roleRefCheck); decision = this.hasResourcePermission(callerSubject, role); else if(userDataCheck) decision = this.hasUserDataPermission(); else if(roleRefCheck) decision = this.hasRole(principal, roleName, roles, servletName); else PicketBoxLogger.LOGGER.debugInvalidWebJaccCheck();
WebXACMLUtil util = new WebXACMLUtil(); try RequestContext requestCtx = util.createXACMLRequest(request,callerRoles); if(this.policyContextID == null) this.policyContextID = PolicyContext.getContextID(); PolicyDecisionPoint pdp = util.getPDP(this.policyRegistration, this.policyContextID); ResponseContext response = pdp.evaluate(requestCtx); result = response.getDecision() == XACMLConstants.DECISION_PERMIT ?
/** See if the given JACC permission is implied using the caller as * obtained from either the * PolicyContext.getContext(javax.security.auth.Subject.container) or * the info associated with the requestPrincipal. * * @param perm - the JACC permission to check * @param requestPrincpal - the http request getPrincipal * @param caller the authenticated subject obtained by establishSubjectContext * @return true if the permission is allowed, false otherwise */ private boolean checkPolicy(Permission perm, Principal requestPrincpal, Subject caller, Role role) { // Get the caller principals, its null if there is no caller Principal[] principals = getPrincipals(caller,role); return checkPolicy(perm, principals); }
this.policyContextID = webResource.getPolicyContextID(); Boolean userDataCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.USERDATA_PERM_CHECK)); Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK)); throw PicketBoxMessages.MESSAGES.invalidNullProperty("servletRequest"); return process(request, role);
/** * Perform hasUserDataPermission check for the realm. * If this module returns false, the base class (Realm) will * make the decision as to whether a redirection to the ssl * port needs to be done * @param request * @param response * @param constraints * @return * @throws IOException */ private boolean hasUserDataPermission() throws IOException { WebUserDataPermission perm = new WebUserDataPermission(this.canonicalRequestURI, request.getMethod()); if( trace ) log.trace("hasUserDataPermission, p="+perm); boolean ok = false; try { Principal[] principals = null; ok = checkPolicy(perm, principals); } catch(Exception e) { if( trace ) log.trace("Failed to checkSecurityAssociation", e); } return ok; }
/** * Perform hasRole check * @param principal * @param role * @param roles * @return */ private boolean hasRole(Principal principal, String roleName, Set<Principal> roles, String servletName) { if(servletName == null) throw new IllegalArgumentException("servletName is null"); WebRoleRefPermission perm = new WebRoleRefPermission(servletName, roleName); Principal[] principals = {principal}; if( roles != null ) { principals = new Principal[roles.size()]; roles.toArray(principals); } boolean allowed = checkPolicy(perm, principals); if( trace ) log.trace("hasRole, perm="+perm+", allowed="+allowed); return allowed; }
/** * Perform hasResourcePermission Check * @param caller * @param role * @return * @throws IOException */ private boolean hasResourcePermission(Subject caller, Role role) throws IOException { Principal requestPrincipal = request.getUserPrincipal(); WebResourcePermission perm = new WebResourcePermission(this.canonicalRequestURI, request.getMethod()); boolean allowed = checkPolicy(perm, requestPrincipal, caller, role ); if (PicketBoxLogger.LOGGER.isTraceEnabled()) { PicketBoxLogger.LOGGER.traceHasResourcePermission(perm.toString(), allowed); } return allowed; }
/** * Perform hasRole check * @param principal * @param roleName * @param roles * @return */ private boolean hasRole(Principal principal, String roleName, Set<Principal> roles, String servletName) { if(servletName == null) throw PicketBoxMessages.MESSAGES.invalidNullArgument("servletName"); WebRoleRefPermission perm = new WebRoleRefPermission(servletName, roleName); Principal[] principals = {principal}; if( roles != null ) { principals = new Principal[roles.size()]; roles.toArray(principals); } boolean allowed = checkPolicy(perm, principals); PicketBoxLogger.LOGGER.traceHasRolePermission(perm.toString(), allowed); return allowed; }
/** * Perform hasUserDataPermission check for the realm. * If this module returns false, the base class (Realm) will * make the decision as to whether a redirection to the ssl * port needs to be done * @return * @throws IOException */ private boolean hasUserDataPermission() throws IOException { WebUserDataPermission perm = new WebUserDataPermission(this.canonicalRequestURI, request.getMethod()); boolean ok = false; try { Principal[] principals = null; ok = checkPolicy(perm, principals); } catch(Exception e) { PicketBoxLogger.LOGGER.debugIgnoredException(e); } if (PicketBoxLogger.LOGGER.isTraceEnabled()) { PicketBoxLogger.LOGGER.traceHasUserDataPermission(perm.toString(), ok); } return ok; }