| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.openejb.core.security.jacc; |
| |
| import org.apache.openejb.assembler.classic.DelegatePermissionCollection; |
| import org.apache.openejb.loader.SystemInstance; |
| |
| import javax.security.jacc.PolicyConfiguration; |
| import javax.security.jacc.PolicyContextException; |
| import java.security.Permission; |
| import java.security.PermissionCollection; |
| import java.security.Principal; |
| import java.security.ProtectionDomain; |
| import java.util.Enumeration; |
| import java.util.LinkedHashMap; |
| import java.util.Map; |
| import java.util.Set; |
| |
| /** |
| * @version $Rev: 1240285 $ $Date: 2012-02-03 18:39:13 +0000 (Fri, 03 Feb 2012) $ |
| */ |
| public class BasicPolicyConfiguration implements PolicyConfiguration { |
| final static int OPEN = 1; |
| final static int IN_SERVICE = 2; |
| final static int DELETED = 3; |
| |
| private final String contextID; |
| private int state; |
| protected final Map<String, PermissionCollection> rolePermissionsMap = new LinkedHashMap<String, PermissionCollection>(); |
| protected PermissionCollection unchecked = null; |
| protected PermissionCollection excluded = null; |
| |
| protected BasicPolicyConfiguration(String contextID) { |
| this.contextID = contextID; |
| this.state = OPEN; |
| } |
| |
| public String getContextID() throws PolicyContextException { |
| return contextID; |
| } |
| |
| public boolean implies(ProtectionDomain domain, Permission permission) { |
| |
| if (excluded != null && excluded.implies(permission)) return false; |
| |
| if (unchecked != null && unchecked.implies(permission)) return true; |
| |
| Principal[] principals = domain.getPrincipals(); |
| if (principals.length == 0) return false; |
| |
| RoleResolver roleResolver = SystemInstance.get().getComponent(RoleResolver.class); |
| Set<String> roles = roleResolver.getLogicalRoles(principals, rolePermissionsMap.keySet()); |
| |
| for (String role : roles) { |
| PermissionCollection permissions = rolePermissionsMap.get(role); |
| |
| if (permissions != null && permissions.implies(permission)) return true; |
| } |
| |
| return false; |
| } |
| |
| public void addToRole(String roleName, PermissionCollection permissions) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| Enumeration e = permissions.elements(); |
| while (e.hasMoreElements()) { |
| addToRole(roleName, (Permission) e.nextElement()); |
| } |
| } |
| |
| public void addToRole(String roleName, Permission permission) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| PermissionCollection permissions = rolePermissionsMap.get(roleName); |
| if (permissions == null) { |
| permissions = new DelegatePermissionCollection(); |
| rolePermissionsMap.put(roleName, permissions); |
| } |
| permissions.add(permission); |
| } |
| |
| public void addToUncheckedPolicy(PermissionCollection permissions) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| Enumeration e = permissions.elements(); |
| while (e.hasMoreElements()) { |
| addToUncheckedPolicy((Permission) e.nextElement()); |
| } |
| } |
| |
| public void addToUncheckedPolicy(Permission permission) throws PolicyContextException { |
| if (state != OPEN) { |
| throw new UnsupportedOperationException("Not in an open state"); |
| } |
| |
| if (unchecked == null) { |
| unchecked = new DelegatePermissionCollection(); |
| } |
| |
| unchecked.add(permission); |
| } |
| |
| public void addToExcludedPolicy(PermissionCollection permissions) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| Enumeration e = permissions.elements(); |
| while (e.hasMoreElements()) { |
| addToExcludedPolicy((Permission) e.nextElement()); |
| } |
| } |
| |
| public void addToExcludedPolicy(Permission permission) throws PolicyContextException { |
| if (state != OPEN) { |
| throw new UnsupportedOperationException("Not in an open state"); |
| } |
| |
| if (excluded == null) { |
| excluded = new DelegatePermissionCollection(); |
| } |
| |
| excluded.add(permission); |
| } |
| |
| public void removeRole(String roleName) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| rolePermissionsMap.remove(roleName); |
| } |
| |
| public void removeUncheckedPolicy() throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| unchecked = null; |
| } |
| |
| public void removeExcludedPolicy() throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| |
| excluded = null; |
| } |
| |
| public void linkConfiguration(PolicyConfiguration link) throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| } |
| |
| public void delete() throws PolicyContextException { |
| state = DELETED; |
| } |
| |
| public void commit() throws PolicyContextException { |
| if (state != OPEN) throw new UnsupportedOperationException("Not in an open state"); |
| state = IN_SERVICE; |
| } |
| |
| public boolean inService() throws PolicyContextException { |
| return (state == IN_SERVICE); |
| } |
| |
| //TODO I have no idea what side effects this might have, but it's needed in some form from PolicyConfigurationFactoryImpl. |
| //see JACC spec 1.0 section 3.1.1.1 discussion of in service and deleted. |
| //spec p. 31 3.1.7 on the effects of remove: |
| //If the getPolicyConfiguration method is used, the value true should be passed as the second |
| // argument to cause the corresponding policy statements to be deleted from the context. |
| public void open(boolean remove) { |
| if (remove) { |
| rolePermissionsMap.clear(); |
| unchecked = null; |
| excluded = null; |
| } |
| state = OPEN; |
| } |
| |
| int getState() { |
| return state; |
| } |
| |
| public interface RoleResolver { |
| public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles); |
| } |
| } |