cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [4/5] cxf git commit: Adding in Abstract XACML interceptor
Date Fri, 17 Jul 2015 14:17:12 GMT
Adding in Abstract XACML interceptor


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2302aa58
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2302aa58
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2302aa58

Branch: refs/heads/master
Commit: 2302aa5820661975bb04857fa6d48bb68bebb4f7
Parents: 292fe25
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jul 17 14:55:38 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jul 17 15:17:01 2015 +0100

----------------------------------------------------------------------
 .../AbstractXACMLAuthorizingInterceptor.java    | 163 +++++++++++++++++++
 .../xacml2/XACMLAuthorizingInterceptor.java     | 127 +--------------
 2 files changed, 166 insertions(+), 124 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2302aa58/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
new file mode 100644
index 0000000..f81f07a
--- /dev/null
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/AbstractXACMLAuthorizingInterceptor.java
@@ -0,0 +1,163 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security.saml.xacml2;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.security.AccessDeniedException;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
+import org.opensaml.xacml.ctx.RequestType;
+import org.opensaml.xacml.ctx.ResponseType;
+import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusType;
+
+/**
+ * An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
+ * and make an authorization decision based on the response. It takes the principal and roles
+ * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
+ * statement. How the actual PDP invocation is made is up to a subclass.
+ */
+public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message>
{
+    private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
+    
+    private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
+    
+    public AbstractXACMLAuthorizingInterceptor() {
+        super(Phase.PRE_INVOKE);
+        org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+    }
+    
+    public void handleMessage(Message message) throws Fault {
+        SecurityContext sc = message.get(SecurityContext.class);
+        
+        if (sc instanceof LoginSecurityContext) {
+            Principal principal = sc.getUserPrincipal();
+            
+            LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
+            Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
+            List<String> roles = new ArrayList<>();
+            if (principalRoles != null) {
+                for (Principal p : principalRoles) {
+                    if (p != principal) {
+                        roles.add(p.getName());
+                    }
+                }
+            }
+            
+            try {
+                if (authorize(principal, roles, message)) {
+                    return;
+                }
+            } catch (Exception e) {
+                LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
+                throw new AccessDeniedException("Unauthorized");
+            }
+        } else {
+            LOG.log(
+                Level.FINE,
+                "The SecurityContext was not an instance of LoginSecurityContext. No authorization
"
+                + "is possible as a result"
+            );
+        }
+        
+        throw new AccessDeniedException("Unauthorized");
+    }
+    
+    public XACMLRequestBuilder getRequestBuilder() {
+        return requestBuilder;
+    }
+
+    public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
+        this.requestBuilder = requestBuilder;
+    }
+
+    /**
+     * Perform a (remote) authorization decision and return a boolean depending on the result
+     */
+    protected boolean authorize(
+        Principal principal, List<String> roles, Message message
+    ) throws Exception {
+        RequestType request = requestBuilder.createRequest(principal, roles, message);
+        if (LOG.isLoggable(Level.FINE)) {
+            Document doc = DOMUtils.createDocument();
+            Element requestElement = OpenSAMLUtil.toDom(request, doc);
+            LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
+        }
+        
+        ResponseType response = performRequest(request, message);
+        
+        List<ResultType> results = response.getResults();
+        
+        if (results == null) {
+            return false;
+        }
+        
+        for (ResultType result : results) {
+            // Handle any Obligations returned by the PDP
+            handleObligations(request, principal, message, result);
+            
+            DECISION decision = result.getDecision() != null ? result.getDecision().getDecision()
: DECISION.Deny; 
+            String code = "";
+            String statusMessage = "";
+            if (result.getStatus() != null) {
+                StatusType status = result.getStatus();
+                code = status.getStatusCode() != null ? status.getStatusCode().getValue()
: "";
+                statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue()
: "";
+            }
+            LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message:
" + statusMessage);
+            return decision == DECISION.Permit;
+        }
+        
+        return false;
+    }
+    
+    /**
+     * Handle any Obligations returned by the PDP
+     */
+    protected void handleObligations(
+        RequestType request,
+        Principal principal,
+        Message message,
+        ResultType result
+    ) throws Exception {
+        // Do nothing by default
+    }
+
+    protected abstract ResponseType performRequest(RequestType request, Message message)
throws Exception;
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2302aa58/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
index 1238099..c9301e6 100644
--- a/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
+++ b/rt/security-saml/src/main/java/org/apache/cxf/rt/security/saml/xacml2/XACMLAuthorizingInterceptor.java
@@ -19,32 +19,9 @@
 
 package org.apache.cxf.rt.security.saml.xacml2;
 
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
 import org.opensaml.xacml.ctx.RequestType;
 import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
 
 /**
  * An interceptor to perform an XACML 2.0 authorization request to a remote PDP using OpenSAML,
@@ -52,114 +29,16 @@ import org.opensaml.xacml.ctx.StatusType;
  * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
  * statement. 
  */
-public class XACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message>
{
-    private static final Logger LOG = LogUtils.getL7dLogger(XACMLAuthorizingInterceptor.class);
+public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
     
-    private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
     private PolicyDecisionPoint pdp;
     
     public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
-        super(Phase.PRE_INVOKE);
-        org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
+        super();
         this.pdp = pdp;
     }
     
-    public void handleMessage(Message message) throws Fault {
-        SecurityContext sc = message.get(SecurityContext.class);
-        
-        if (sc instanceof LoginSecurityContext) {
-            Principal principal = sc.getUserPrincipal();
-            
-            LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
-            Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
-            List<String> roles = new ArrayList<>();
-            if (principalRoles != null) {
-                for (Principal p : principalRoles) {
-                    if (p != principal) {
-                        roles.add(p.getName());
-                    }
-                }
-            }
-            
-            try {
-                if (authorize(principal, roles, message)) {
-                    return;
-                }
-            } catch (Exception e) {
-                LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
-                throw new AccessDeniedException("Unauthorized");
-            }
-        } else {
-            LOG.log(
-                Level.FINE,
-                "The SecurityContext was not an instance of LoginSecurityContext. No authorization
"
-                + "is possible as a result"
-            );
-        }
-        
-        throw new AccessDeniedException("Unauthorized");
-    }
-    
-    public XACMLRequestBuilder getRequestBuilder() {
-        return requestBuilder;
-    }
-
-    public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
-        this.requestBuilder = requestBuilder;
-    }
-
-    /**
-     * Perform a (remote) authorization decision and return a boolean depending on the result
-     */
-    protected boolean authorize(
-        Principal principal, List<String> roles, Message message
-    ) throws Exception {
-        RequestType request = requestBuilder.createRequest(principal, roles, message);
-        if (LOG.isLoggable(Level.FINE)) {
-            Document doc = DOMUtils.createDocument();
-            Element requestElement = OpenSAMLUtil.toDom(request, doc);
-            LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
-        }
-        
-        ResponseType response = performRequest(request, message);
-        
-        List<ResultType> results = response.getResults();
-        
-        if (results == null) {
-            return false;
-        }
-        
-        for (ResultType result : results) {
-            // Handle any Obligations returned by the PDP
-            handleObligations(request, principal, message, result);
-            
-            DECISION decision = result.getDecision() != null ? result.getDecision().getDecision()
: DECISION.Deny; 
-            String code = "";
-            String statusMessage = "";
-            if (result.getStatus() != null) {
-                StatusType status = result.getStatus();
-                code = status.getStatusCode() != null ? status.getStatusCode().getValue()
: "";
-                statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue()
: "";
-            }
-            LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message:
" + statusMessage);
-            return decision == DECISION.Permit;
-        }
-        
-        return false;
-    }
-    
-    /**
-     * Handle any Obligations returned by the PDP
-     */
-    protected void handleObligations(
-        RequestType request,
-        Principal principal,
-        Message message,
-        ResultType result
-    ) throws Exception {
-        // Do nothing by default
-    }
-
+    @Override
     protected ResponseType performRequest(RequestType request, Message message) throws Exception
{
         return this.pdp.evaluate(request);
     }


Mime
View raw message