001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017: package org.apache.jetspeed.page;
018:
019: import java.security.AccessController;
020: import java.security.Principal;
021: import java.util.ArrayList;
022: import java.util.Iterator;
023: import java.util.LinkedList;
024: import java.util.List;
025:
026: import javax.security.auth.Subject;
027:
028: import org.apache.jetspeed.JetspeedActions;
029: import org.apache.jetspeed.om.page.SecurityConstraintImpl;
030: import org.apache.jetspeed.om.page.SecurityConstraintsDef;
031: import org.apache.jetspeed.page.document.DocumentException;
032: import org.apache.jetspeed.security.GroupPrincipal;
033: import org.apache.jetspeed.security.JSSubject;
034: import org.apache.jetspeed.security.RolePrincipal;
035: import org.apache.jetspeed.security.UserPrincipal;
036:
037: /**
038: * PageManagerUtils
039: *
040: * @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>
041: * @version $Id: $
042: */
043: public class PageManagerSecurityUtils {
044: public static boolean checkConstraint(SecurityConstraintsDef def,
045: String actions) throws DocumentException {
046: List viewActionList = SecurityConstraintImpl
047: .parseCSVList(actions);
048: List otherActionsList = null;
049: if (viewActionList.size() == 1) {
050: if (!viewActionList.contains(JetspeedActions.VIEW)) {
051: otherActionsList = viewActionList;
052: viewActionList = null;
053: }
054: } else {
055: otherActionsList = viewActionList;
056: viewActionList = null;
057: if (otherActionsList.remove(JetspeedActions.VIEW)) {
058: viewActionList = new ArrayList(1);
059: viewActionList.add(JetspeedActions.VIEW);
060: }
061: }
062:
063: // get current request context subject
064: Subject subject = JSSubject.getSubject(AccessController
065: .getContext());
066: if (subject == null) {
067: throw new SecurityException(
068: "Security Consraint Check: Missing JSSubject");
069: }
070:
071: // get user/group/role principal names
072: List userPrincipals = null;
073: List rolePrincipals = null;
074: List groupPrincipals = null;
075: Iterator principals = subject.getPrincipals().iterator();
076: while (principals.hasNext()) {
077: Principal principal = (Principal) principals.next();
078: if (principal instanceof UserPrincipal) {
079: if (userPrincipals == null) {
080: userPrincipals = new LinkedList();
081: }
082: userPrincipals.add(principal.getName());
083: } else if (principal instanceof RolePrincipal) {
084: if (rolePrincipals == null) {
085: rolePrincipals = new LinkedList();
086: }
087: rolePrincipals.add(principal.getName());
088: } else if (principal instanceof GroupPrincipal) {
089: if (groupPrincipals == null) {
090: groupPrincipals = new LinkedList();
091: }
092: groupPrincipals.add(principal.getName());
093: }
094: }
095:
096: boolean result = false;
097:
098: // check constraints using parsed action and access lists
099: if (viewActionList != null) {
100: result = checkConstraints(viewActionList, userPrincipals,
101: rolePrincipals, groupPrincipals, def);
102: }
103: if (otherActionsList != null) {
104: result = checkConstraints(otherActionsList, userPrincipals,
105: rolePrincipals, groupPrincipals, def);
106: }
107: return result;
108: }
109:
110: /**
111: * check access for the constraints list of a security constraints definition
112: *
113: * @param actions given actions
114: * @param userPrincipals set of user principals
115: * @param rolePrincipals set of role principals
116: * @param groupPrincipals set oof group principals
117: * @param def the security constraint definition
118: * @throws SecurityException
119: */
120: public static boolean checkConstraints(List actions,
121: List userPrincipals, List rolePrincipals,
122: List groupPrincipals, SecurityConstraintsDef def)
123: throws DocumentException {
124:
125: List checkConstraints = def.getSecurityConstraints();
126: // SecurityConstraint c =(SecurityConstraint)constraints.next();
127: // skip missing or empty constraints: permit all access
128: //List checkConstraints = getAllSecurityConstraints(pageSecurity);
129: if ((checkConstraints != null) && !checkConstraints.isEmpty()) {
130: // test each action, constraints check passes only
131: // if all actions are permitted for principals
132: Iterator actionsIter = actions.iterator();
133: while (actionsIter.hasNext()) {
134: // check each action:
135: // - if any actions explicity permitted, (including owner),
136: // assume no permissions are permitted by default
137: // - if all constraints do not specify a permission, assume
138: // access is permitted by default
139: String action = (String) actionsIter.next();
140: boolean actionPermitted = false;
141: boolean actionNotPermitted = false;
142: boolean anyActionsPermitted = true; // TODO:(getOwner() != null);
143:
144: // check against constraints
145: Iterator checkConstraintsIter = checkConstraints
146: .iterator();
147: while (checkConstraintsIter.hasNext()) {
148: SecurityConstraintImpl constraint = (SecurityConstraintImpl) checkConstraintsIter
149: .next();
150:
151: // if permissions specified, attempt to match constraint
152: if (constraint.getPermissions() != null) {
153: // explicit actions permitted
154: anyActionsPermitted = true;
155:
156: // test action permission match and user/role/group principal match
157: if (constraint.actionMatch(action)
158: && constraint.principalsMatch(
159: userPrincipals, rolePrincipals,
160: groupPrincipals, true)) {
161: actionPermitted = true;
162: break;
163: }
164: } else {
165: // permissions not specified: not permitted if any principal matched
166: if (constraint.principalsMatch(userPrincipals,
167: rolePrincipals, groupPrincipals, false)) {
168: actionNotPermitted = true;
169: break;
170: }
171: }
172: }
173:
174: // fail if any action not permitted
175: if ((!actionPermitted && anyActionsPermitted)
176: || actionNotPermitted) {
177: //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
178: return false;
179: }
180: }
181: } else {
182: // fail for any action if owner specified
183: // since no other constraints were found
184: if (/*(getOwner() != null) && */!actions.isEmpty()) {
185: //String action = (String)actions.get(0);
186: //throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
187: return false;
188: }
189: }
190: return true;
191: }
192: }
|