001: /*
002: * JBoss, Home of Professional Open Source.
003: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
004: * as indicated by the @author tags. See the copyright.txt file in the
005: * distribution for a full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package javax.security.jacc;
023:
024: import java.util.Set;
025: import java.util.Map;
026: import java.util.Collections;
027: import java.util.HashMap;
028: import java.security.SecurityPermission;
029:
030: /** This utility class is used by containers to communicate policy context
031: * identifiers and other policy relevant context to Policy providers. Policy
032: * providers use the policy context identifier to select the subset of policy
033: * to apply in access decisions.
034: *
035: * The value of a policy context identifier is a String and each thread has an
036: * independently established policy context identifier. A container will
037: * establish the thread-scoped value of a policy context identifier by calling
038: * the static setContextID method. The value of a thread-scoped policy context
039: * identifier is available (to Policy) by calling the static getContextID method.
040: *
041: * This class is also used by Policy providers to request additional
042: * thread-scoped policy relevant context objects from the calling container.
043: * Containers register container-specific PolicyContext handlers using the
044: * static registerHandler method. Handler registration is scoped to the class,
045: * such that the same handler registrations are active in all thread contexts.
046: * Containers may use the static method setHandlerData to establish a
047: * thread-scoped parameter that will be passed to handlers when they are
048: * activated by Policy providers. The static getContext method is used to
049: * activate a handler and obtain the corresponding context object.
050: *
051: * The static accessor functions provided by this class allow per-thread policy
052: * context values to be established and communicated independent of a common
053: * reference to a particular PolicyContext instance.
054: *
055: * The PolicyContext class may encapsulate static ThreadLocal instance variables
056: * to represent the policy context identifier and handler data values.
057: *
058: * The Application server must bundle or install the PolicyContext class, and
059: * the containers of the application server must prevent the methods of the
060: * PolicyContext class from being called from calling contexts that are not
061: * authorized to call these methods. With the exception of the getContextID
062: * and GetHandlerKeys methods, containers must restrict and afford access to
063: * the methods of the PolicyContext class to calling contexts trusted by the
064: * container to perform container access decisions. The PolicyContext class may
065: * satisfy this requirement (on behalf of its container) by rejecting calls made
066: * from an AccessControlContext that has not been granted the "setPolicy"
067: * SecurityPermission, and by ensuring that Policy providers used to perform
068: * container access decisions are granted the "setPolicy" permission.
069: *
070: * @see http://java.sun.com/j2ee/1.4/docs/api/
071: *
072: * @author Scott.Stark@jboss.org
073: * @author Ron Monzillo, Gary Ellison (javadoc)
074: * @version $Revision: 57196 $
075: */
076: public final class PolicyContext {
077: private static SecurityPermission setPolicy = new SecurityPermission(
078: "setPolicy");
079: private static SecurityPermission getPolicy = new SecurityPermission(
080: "getPolicy");
081: private static ThreadLocal handlerDataLocal = new ThreadLocal();
082: private static ThreadLocal contextIDLocal = new ThreadLocal();
083: private static Map handlerMap = Collections
084: .synchronizedMap(new HashMap());
085:
086: /** This method may be used by a Policy provider to activate the
087: * PolicyContextHandler registered to the context object key and cause it to
088: * return the corresponding policy context object from the container. When
089: * this method activates a handler, it passes to the handler the context
090: * object key and the handler data associated with the calling thread.
091: *
092: * @param key - a non-null String that identifies the PolicyContextHandler to
093: * activate as well as the context object to be acquired from the handler.
094: * @return the container and handler specific object containing the desired
095: * context. A null value is returned if the corresponding handler has been
096: * registered, and the value of the corresponding context is null.
097: * @throws IllegalArgumentException - if a PolicyContextHandler has not been
098: * registered for the key or the registered handler no longer supports the key.
099: * @throws SecurityException - if the caller does not have the
100: * SecurityPermission("getPolicy") permission.
101: * @throws PolicyContextException - if an operation by this method on the
102: * identified PolicyContextHandler causes it to throw a checked exception
103: * that is not accounted for in the signature of this method.
104: */
105: public static Object getContext(String key)
106: throws PolicyContextException {
107: if (key == null || handlerMap.containsKey(key) == false)
108: throw new IllegalArgumentException(
109: "No PolicyContextHandler for key=" + key);
110: SecurityManager sm = System.getSecurityManager();
111: if (sm != null)
112: sm.checkPermission(getPolicy);
113:
114: PolicyContextHandler handler = (PolicyContextHandler) handlerMap
115: .get(key);
116: if (handler.supports(key) == false)
117: throw new IllegalArgumentException(
118: "PolicyContextHandler does not support key=" + key);
119: Object data = handlerDataLocal.get();
120: Object context = handler.getContext(key, data);
121: return context;
122: }
123:
124: /** This method returns the value of the policy context identifier associated
125: * with the thread on which the accessor is called.
126: *
127: * @return the possibly null policy context identifier established for the
128: * thread. This method must return the default policy context identifier,
129: * null, if the policy context identifier of the thread has not been set via
130: * setContext to another value.
131: */
132: public static String getContextID() {
133: String contextID = (String) contextIDLocal.get();
134: return contextID;
135: }
136:
137: /** This method may be used to obtain the keys that identify the container
138: * specific context handlers registered by the container.
139: *
140: * @return A Set, the elements of which, are the String key values that
141: * identify the handlers that have been registered and therefore may be
142: * activated on the PolicyContext
143: */
144: public static Set getHandlerKeys() {
145: return handlerMap.keySet();
146: }
147:
148: /** Authorization protected method used to register a container specific
149: * PolicyContext handler. A handler may be registered to handle multiple keys,
150: * but at any time, at most one handler may be registered for a key.
151: *
152: * @param key - a case-sensitive, non-null String that identifies the context
153: * object handled by the handler.
154: * @param handler - an non-null object that implements the PolicyContextHandler
155: * interface.
156: * @param replace - this boolean value defines the behavior of this method
157: * if, when it is called, a PolicyContextHandler has already been registered
158: * to handle the same key. In that case, and if the value of this argument is
159: * true, the existing handler is replaced with the argument handler. If the
160: * value of this parameter is false the existing registration is preserved
161: * and an exception is thrown.
162: *
163: * @throws IllegalArgumentException - if the value of either of the handler
164: * or key arguments is null, or the value of the replace argument is false
165: * and a handler with the same key as the argument handler is already
166: * registered.
167: * @throws SecurityException - if the caller does not have the
168: * SecurityPermission("setPolicy") permission.
169: * @throws PolicyContextException - if an operation by this method on the
170: * argument PolicyContextHandler causes it to throw a checked exception that
171: * is not accounted for in the signature of this method.
172: */
173: public static void registerHandler(String key,
174: PolicyContextHandler handler, boolean replace)
175: throws PolicyContextException {
176: if (key == null)
177: throw new IllegalArgumentException(
178: "The key may not be null");
179: if (handler == null)
180: throw new IllegalArgumentException(
181: "The handler may not be null");
182: SecurityManager sm = System.getSecurityManager();
183: if (sm != null)
184: sm.checkPermission(setPolicy);
185: if (replace == false && handlerMap.containsKey(key) == true) {
186: String msg = "Handler for key=" + key
187: + ", exists, handler: " + handlerMap.get(key);
188: throw new IllegalArgumentException(msg);
189: }
190:
191: handlerMap.put(key, handler);
192: }
193:
194: /** Authorization protected method used to modify the value of the policy
195: * context identifier associated with the thread on which this method is
196: * called
197: *
198: * @param contextID - a String that represents the value of the policy
199: * context identifier to be assigned to the PolicyContext for the calling
200: * thread. The value null is a legitimate value for this parameter.
201: * @throws SecurityException - if the caller does not have the
202: * SecurityPermission("setPolicy") permission.
203: *
204: */
205: public static void setContextID(String contextID) {
206: SecurityManager sm = System.getSecurityManager();
207: if (sm != null)
208: sm.checkPermission(setPolicy);
209: contextIDLocal.set(contextID);
210: }
211:
212: /** Authorization protected method that may be used to associate a
213: * thread-scoped handler data object with the PolicyContext. The handler data
214: * object will be made available to handlers, where it can serve to supply or
215: * bind the handler to invocation scoped state within the container.
216: *
217: * @param data - a container-specific object that will be associated with the
218: * calling thread and passed to any handler activated by a Policy provider
219: * (on the thread). The value null is a legitimate value for this parameter,
220: * and is the value that will be used in the activation of handlers if the
221: * setHandlerData has not been called on the thread.
222: * @throws SecurityException - if the caller does not have the
223: * SecurityPermission("setPolicy") permission.
224: */
225: public static void setHandlerData(Object data) {
226: SecurityManager sm = System.getSecurityManager();
227: if (sm != null)
228: sm.checkPermission(setPolicy);
229: handlerDataLocal.set(data);
230: }
231:
232: private PolicyContext() {
233: }
234: }
|