01: /*
02: * JBoss, Home of Professional Open Source.
03: * Copyright 2006, Red Hat Middleware LLC, and individual contributors
04: * as indicated by the @author tags. See the copyright.txt file in the
05: * distribution for a full listing of individual contributors.
06: *
07: * This is free software; you can redistribute it and/or modify it
08: * under the terms of the GNU Lesser General Public License as
09: * published by the Free Software Foundation; either version 2.1 of
10: * the License, or (at your option) any later version.
11: *
12: * This software is distributed in the hope that it will be useful,
13: * but WITHOUT ANY WARRANTY; without even the implied warranty of
14: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15: * Lesser General Public License for more details.
16: *
17: * You should have received a copy of the GNU Lesser General Public
18: * License along with this software; if not, write to the Free
19: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21: */
22: package org.jboss.jmx.connector.invoker;
23:
24: import java.util.HashSet;
25: import java.util.Set;
26: import java.util.Iterator;
27: import java.security.Principal;
28: import java.security.acl.Group;
29:
30: import javax.security.auth.Subject;
31:
32: import org.jboss.logging.Logger;
33: import org.jboss.security.SimplePrincipal;
34:
35: /** A default authorization delegate used by the AuthorizationInterceptor. This
36: * looks for a hard coded JBossAdmin role in the current authenticated Subject.
37: *
38: * @author Scott.Stark@jboss.org
39: * @version $Revision: 57209 $
40: */
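public class RolesAuthorization {
    private static final Logger log = Logger.getLogger(RolesAuthorization.class);
    private final boolean trace = log.isTraceEnabled();

    /**
     * Roles of which the Subject must hold at least one. Held as a private
     * copy so that a caller of {@link #setRequiredRoles} cannot change the
     * authorization policy afterwards through the reference it passed in.
     */
    private Set<Principal> requiredRoles = new HashSet<Principal>();

    /** Creates a delegate requiring the single role {@code JBossAdmin}. */
    public RolesAuthorization() {
        requiredRoles.add(new SimplePrincipal("JBossAdmin"));
    }

    /**
     * Replaces the set of roles of which the caller must hold at least one.
     * The set is copied, and every element is checked to be a
     * {@link Principal} up front so that a misconfiguration fails here rather
     * than as a {@code ClassCastException} during a later authorization.
     *
     * @param requiredRoles non-null set of {@link Principal}s (the raw type is
     *        kept for compatibility with existing callers/config)
     * @throws IllegalArgumentException if the set is null or holds a
     *         non-{@code Principal} element
     */
    public void setRequiredRoles(HashSet requiredRoles) {
        if (requiredRoles == null) {
            throw new IllegalArgumentException("requiredRoles must not be null");
        }
        Set<Principal> copy = new HashSet<Principal>();
        for (Object role : requiredRoles) {
            if (!(role instanceof Principal)) {
                throw new IllegalArgumentException(
                        "requiredRoles entry is not a Principal: " + role);
            }
            copy.add((Principal) role);
        }
        this.requiredRoles = copy;
        if (trace)
            log.trace("setRequiredRoles::" + requiredRoles);
    }

    /**
     * Authorizes the invocation by checking that the {@code Roles} group of
     * the authenticated Subject contains at least one of the required roles.
     * The {@code caller}, {@code objectname} and {@code opname} arguments are
     * accepted for interface compatibility but are not consulted by this
     * default delegate.
     *
     * @param caller     the calling Principal (unused here)
     * @param subject    the authenticated Subject whose {@code Roles} group is
     *                   examined
     * @param objectname the target MBean name (unused here)
     * @param opname     the target operation name (unused here)
     * @throws SecurityException if there is no Subject, the Subject has no
     *         {@code Roles} group, or none of the required roles is a member
     *         of that group (the check fails closed)
     */
    public void authorize(Principal caller, Subject subject,
            String objectname, String opname) {
        // Fail closed with the exception type the interceptor expects instead
        // of surfacing a NullPointerException from getPrincipals().
        if (subject == null) {
            throw new SecurityException("No authenticated Subject");
        }
        Set<Group> groups = subject.getPrincipals(Group.class);
        Group roles = null;
        for (Group grp : groups) {
            if (grp.getName().equals("Roles")) {
                roles = grp;
                break;
            }
        }
        if (roles == null) {
            throw new SecurityException("Subject has no Roles");
        }

        boolean hasRole = false;
        for (Principal required : requiredRoles) {
            if (roles.isMember(required)) {
                hasRole = true;
                break;
            }
        }
        // An empty required-role set also ends up here: nothing can satisfy it.
        if (!hasRole) {
            throw new SecurityException(
                    "Authorization failure, requiredRoles="
                    + requiredRoles + ", callerRoles=" + roles);
        }
        if (trace)
            log.trace("Authorization succeeded for subject:" + subject);
    }
}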
|