001: /**
002: * $Id: PASAccessController.java,v 1.6 2006/02/18 00:28:54 yue Exp $
003: * Copyright 2004 Sun Microsystems, Inc. All
004: * rights reserved. Use of this product is subject
005: * to license terms. Federal Acquisitions:
006: * Commercial Software -- Government Users
007: * Subject to Standard License Terms and
008: * Conditions.
009: *
010: * Sun, Sun Microsystems, the Sun logo, and Sun ONE
011: * are trademarks or registered trademarks of Sun Microsystems,
012: * Inc. in the United States and other countries.
013: */package com.sun.portal.admin.server;
014:
015: import java.security.Principal;
016: import java.util.logging.Level;
017: import java.util.logging.Logger;
018:
019: import javax.management.ObjectName;
020:
021: import netscape.ldap.util.DN;
022:
023: import com.iplanet.sso.SSOToken;
024: import com.iplanet.sso.SSOTokenManager;
025: import com.sun.cacao.agent.auth.AccessControlActionEnum;
026: import com.sun.cacao.agent.auth.AccessController;
027: import com.sun.portal.admin.common.context.PortalDomainContext;
028: import com.sun.portal.admin.common.context.PortalDomainContextFactory;
029:
030: /**
031: * This access controller controls access to the Portal Admin Server
032: * MBeans. It is placed at the beginning of the PASPrincipal access
033: * control list.
034: */
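public class PASAccessController implements AccessController {
    private static final Logger logger = PASLogger.getLogger();

    /**
     * Decides whether the given principal may perform an action on a
     * Portal Admin Server MBean.
     *
     * <p>The method abstains (returns <code>false</code>) when the
     * principal is not a <code>PASPrincipal</code>, when no object name
     * is supplied, or when the object name is neither in
     * <code>AdminServerUtil.JMX_DOMAIN</code> nor equal to
     * <code>PASModule.myObjectName</code>. For portal MBeans it then
     * resolves the principal's portal domain context, validates the
     * principal's SSO token, and grants access only when the principal's
     * name, compared as a DN, equals the domain's super user DN.
     *
     * <p>On a grant, the current thread's context class loader is set to
     * this class's loader; this method does not restore the previous one.
     *
     * @param principal The Principal to check
     * @param classloader the <code>ClassLoader</code> of the mbean
     *        (not consulted by this implementation)
     * @param classname the name of the mbean implementation class
     *        (not consulted by this implementation)
     * @param member an optional member (attribute/operation)
     *        (not consulted by this implementation)
     * @param objectName the optional mbean object name
     * @param action an action on the mbean as defined in JMX MBeanPermission
     *        (not consulted by this implementation: the decision is the
     *        same for every action)
     * @return true if permission should be granted,
     * false if this check is not enough to provide permission
     * @exception SecurityException if permission must not be granted
     * for this Subject via this Principal (it may be granted via
     * another Principal though)
     */
    public boolean checkMBeanPermission(Principal principal,
            ClassLoader classloader, String classname, String member,
            ObjectName objectName, AccessControlActionEnum action)
            throws SecurityException {

        if (!(principal instanceof PASPrincipal)) {
            // This shouldn't happen because this method is supposedly
            // invoked only for a PASPrincipal, but abstain if it does.
            return false;
        }

        if (objectName == null) {
            // We check permission to a MBean only.
            return false;
        }

        if (!objectName.getDomain().equals(AdminServerUtil.JMX_DOMAIN)
                && !objectName.equals(PASModule.myObjectName)) {
            // This isn't a portal MBean.
            return false;
        }

        PASPrincipal pasPrincipal = (PASPrincipal) principal;
        String userName = pasPrincipal.getName();
        String domainID = pasPrincipal.getPortalDomainID();

        PortalDomainContext pdc;
        try {
            pdc = PortalDomainContextFactory.getPortalDomainContext(domainID);
        } catch (Exception e) {
            // Don't really know what happened, but better safe than sorry:
            // any failure to resolve the domain is a denial.
            throw denyAfterFailure(e);
        }

        // Check for a valid SSO token. Any exception from validation is
        // treated as a denial.
        SSOToken token = pasPrincipal.getSSOToken();
        try {
            SSOTokenManager.getInstance().validateToken(token);
        } catch (Exception e) {
            throw denyAfterFailure(e);
        }

        // In this release, only the super user of the portal domain
        // is allowed access. Everyone else is denied. In the
        // future, we need to have real access control for various
        // types of portal users/admins.

        // Fail closed with a SecurityException when either side of the
        // comparison is missing, instead of depending on how DN and the
        // context object react to null.
        String superUser = (pdc == null) ? null : pdc.getSuperUser();
        if (userName == null || superUser == null) {
            throw denyNotSuperUser(userName);
        }

        // NOTE(review): confirm how DN treats strings that do not parse as
        // a distinguished name, so that two malformed values can never
        // compare equal here.
        DN userDN = new DN(userName);
        DN superUserDN = new DN(superUser);

        if (!userDN.equals(superUserDN)) {
            throw denyNotSuperUser(userName);
        }

        Thread.currentThread().setContextClassLoader(
                getClass().getClassLoader());
        return true;
    }

    /**
     * Logs a failed prerequisite check and builds the denial to throw.
     *
     * <p>The cause is logged but not attached to the returned exception.
     * NOTE(review): the exception message still carries the underlying
     * failure text, which reaches whoever receives the SecurityException;
     * confirm that this level of detail is acceptable for remote callers.
     */
    private static SecurityException denyAfterFailure(Exception e) {
        String message = "Access denied: " + e.getMessage();
        logger.log(Level.WARNING, "PSAD_CSPAS0001", e.getMessage());
        logger.log(Level.WARNING, "PSAD_CSPAS0000", e);
        return new SecurityException(message);
    }

    /**
     * Logs a refusal for a principal that is not the domain super user and
     * builds the denial to throw.
     */
    private static SecurityException denyNotSuperUser(String userName) {
        String message = "Access denied: " + userName
                + " is not a super user";
        logger.log(Level.WARNING, "PSAD_CSPAS0002", userName);
        return new SecurityException(message);
    }
}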