From djen...@apache.org
Subject svn commit: r673535 - in /geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src: main/java/org/apache/geronimo/web25/deployment/security/ test/java/org/apache/geronimo/web25/deployment/security/ test/resources/security/
Date Wed, 02 Jul 2008 22:54:45 GMT
Author: djencks
Date: Wed Jul  2 15:54:44 2008
New Revision: 673535

URL: http://svn.apache.org/viewvc?rev=673535&view=rev
Log:
Make it easier to find out what permissions are being added to the policy

Added:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml
      - copied, changed from r670784, geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml
Modified:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java?rev=673535&r1=673534&r2=673535&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
Wed Jul  2 15:54:44 2008
@@ -31,6 +31,8 @@
 import javax.security.jacc.WebResourcePermission;
 import javax.security.jacc.WebUserDataPermission;
 import javax.security.jacc.WebRoleRefPermission;
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyContextException;
 
 import org.apache.geronimo.security.jacc.ComponentPermissions;
 import org.apache.geronimo.xbeans.javaee.RoleNameType;
@@ -47,7 +49,6 @@
  */
 public class SpecSecurityBuilder {
     private final Set<String> securityRoles = new HashSet<String>();
-    private final Map<String, PermissionCollection> rolePermissions = new HashMap<String,
PermissionCollection>();
     private final Map<String, URLPattern> uncheckedPatterns = new HashMap<String,
URLPattern>();
     private final Map<UncheckedItem, HTTPMethods> uncheckedResourcePatterns = new HashMap<UncheckedItem,
HTTPMethods>();
     private final Map<UncheckedItem, HTTPMethods> uncheckedUserPatterns = new HashMap<UncheckedItem,
HTTPMethods>();
@@ -58,21 +59,26 @@
 //    private boolean useExcluded = false;
     private boolean useExcluded = true;
 
+    private final RecordingPolicyConfiguration policyConfiguration = new RecordingPolicyConfiguration(true);
+
     public ComponentPermissions buildSpecSecurityConfig(WebAppType webApp) {
         collectRoleNames(webApp.getSecurityRoleArray());
         //role refs
-        for (ServletType servletType: webApp.getServletArray()) {
-           processRoleRefPermissions(servletType);
-        }
-        //add the role-ref permissions for unmapped jsps
-        addUnmappedJSPPermissions();
+        try {
+            for (ServletType servletType: webApp.getServletArray()) {
+               processRoleRefPermissions(servletType);
+            }
+            //add the role-ref permissions for unmapped jsps
+            addUnmappedJSPPermissions();
 
-        analyzeSecurityConstraints(webApp.getSecurityConstraintArray());
+            analyzeSecurityConstraints(webApp.getSecurityConstraintArray());
 //        if (!useExcluded) {
             removeExcludedDups();
 //        }
-
-        return buildComponentPermissions();
+            return buildComponentPermissions();
+        } catch (PolicyContextException e) {
+            throw new IllegalStateException("Should not happen", e);
+        }
     }
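Review bot: `policyConfiguration` is a final field created once per SpecSecurityBuilder, so a second call to buildSpecSecurityConfig on the same instance would return excluded and unchecked permissions accumulated from both web apps; before this change those two collections were fresh locals on every build and only the role map lived on the instance. I cannot see from the hunk whether the deployer ever reuses a builder, but the single-use contract should be stated on the method rather than relied on silently: `/** Builds the JACC permissions for one web app. Single-use: the recording policy configuration is an instance field and accumulates across calls, so create a new builder per web app. */`. The `"Should not happen"` message would also help whoever eventually hits it if it named the operation, e.g. `"Recording PolicyConfiguration threw while building web security permissions"`.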
 
     public void analyzeSecurityConstraints(SecurityConstraintType[] securityConstraintArray)
{
@@ -160,17 +166,15 @@
         }
     }
 
-    public ComponentPermissions buildComponentPermissions() {
-        PermissionCollection excludedPermissions = new Permissions();
-        PermissionCollection uncheckedPermissions = new Permissions();
+    public ComponentPermissions buildComponentPermissions() throws PolicyContextException
{
 
         if (useExcluded) {
             for (URLPattern pattern : excludedPatterns.values()) {
                 String name = pattern.getQualifiedPattern(allSet);
                 String actions = pattern.getMethods();
 
-                excludedPermissions.add(new WebResourcePermission(name, actions));
-                excludedPermissions.add(new WebUserDataPermission(name, actions));
+                policyConfiguration.addToExcludedPolicy(new WebResourcePermission(name, actions));
+                policyConfiguration.addToExcludedPolicy(new WebUserDataPermission(name, actions));
             }
         }
 
@@ -180,7 +184,7 @@
             WebResourcePermission permission = new WebResourcePermission(name, actions);
 
             for (String roleName : pattern.getRoles()) {
-                addPermissionToRole(roleName, permission);
+                policyConfiguration.addToRole(roleName, permission);
             }
             HTTPMethods methods = pattern.getHTTPMethods();
             int transportType = pattern.getTransport();
@@ -233,26 +237,18 @@
             HTTPMethods methods = uncheckedResourcePatterns.get(item);
             String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType());
 
-            uncheckedPermissions.add(new WebResourcePermission(item.getName(), actions));
+            policyConfiguration.addToUncheckedPolicy(new WebResourcePermission(item.getName(),
actions));
         }
         //Create the uncheckedPermissions for WebUserDataPermissions
         for (UncheckedItem item : uncheckedUserPatterns.keySet()) {
             HTTPMethods methods = uncheckedUserPatterns.get(item);
             String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType());
 
-            uncheckedPermissions.add(new WebUserDataPermission(item.getName(), actions));
+            policyConfiguration.addToUncheckedPolicy(new WebUserDataPermission(item.getName(),
actions));
         }
 
-        return new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);
-    }
-
-    public void addPermissionToRole(String roleName, Permission permission) {
-        PermissionCollection permissionsForRole = rolePermissions.get(roleName);
-        if (permissionsForRole == null) {
-            permissionsForRole = new Permissions();
-            rolePermissions.put(roleName, permissionsForRole);
-        }
-        permissionsForRole.add(permission);
+//        System.out.println(policyConfiguration.getAudit());
+        return policyConfiguration.getComponentPermissions();
     }
 
     private void addOrUpdatePattern(Map<UncheckedItem, HTTPMethods> patternMap, String
name, HTTPMethods actions, int transportType) {
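Review bot: The audit trail this commit exists to produce is never surfaced: `getAudit()` is only referenced from the commented-out `System.out.println` before the return, yet the recorder is constructed earlier in the file with auditing hard-coded to `true`, so every deployment pays for the StringBuilder and nobody can read it. Replace the commented-out line with an accessor that callers and tests can use, `public String getAudit() { return policyConfiguration.getAudit(); }`, or hand the text to a debug-level logger if one is in scope (none is visible on this page). Leaving it commented out also invites someone to uncomment a stdout dump of the complete permission map into the server log.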
@@ -266,7 +262,7 @@
         patternMap.put(item, new HTTPMethods(actions, false));
     }
 
-    protected void processRoleRefPermissions(ServletType servletType) {
+    protected void processRoleRefPermissions(ServletType servletType) throws PolicyContextException
{
         String servletName = servletType.getServletName().getStringValue().trim();
         //WebRoleRefPermissions
         SecurityRoleRefType[] securityRoleRefTypeArray = servletType.getSecurityRoleRefArray();
@@ -282,17 +278,17 @@
             * WebRoleRefPermission object resulting from the translation to the role
             * identified in the role-link appearing in the security-role-ref.
             */
-            addPermissionToRole(roleLink, new WebRoleRefPermission(servletName, roleName));
+            policyConfiguration.addToRole(roleLink, new WebRoleRefPermission(servletName,
roleName));
             unmappedRoles.remove(roleName);
         }
         for (String roleName : unmappedRoles) {
-            addPermissionToRole(roleName, new WebRoleRefPermission(servletName, roleName));
+            policyConfiguration.addToRole(roleName, new WebRoleRefPermission(servletName,
roleName));
         }
     }
 
-    protected void addUnmappedJSPPermissions() {
+    protected void addUnmappedJSPPermissions() throws PolicyContextException {
         for (String roleName : securityRoles) {
-            addPermissionToRole(roleName, new WebRoleRefPermission("", roleName));
+            policyConfiguration.addToRole(roleName, new WebRoleRefPermission("", roleName));
         }
     }
 
@@ -302,4 +298,103 @@
         }
     }
 
+
+    private static class RecordingPolicyConfiguration implements PolicyConfiguration {
+        private final PermissionCollection excludedPermissions = new Permissions();
+        private final PermissionCollection uncheckedPermissions = new Permissions();
+        private final Map<String, PermissionCollection> rolePermissions = new HashMap<String,
PermissionCollection>();
+
+        private final StringBuilder audit;
+
+
+        private RecordingPolicyConfiguration(boolean audit) {
+            if (audit) {
+                this.audit = new StringBuilder();
+            } else {
+                this.audit = null;
+            }
+        }
+
+        public String getContextID() throws PolicyContextException {
+            return null;
+        }
+
+        public void addToRole(String roleName, PermissionCollection permissions) {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void addToRole(String roleName, Permission permission) throws PolicyContextException
{
+            if (audit != null) {
+                audit.append("Role: ").append(roleName).append(" -> ").append(permission).append('\n');
+            }
+            PermissionCollection permissionsForRole = rolePermissions.get(roleName);
+            if (permissionsForRole == null) {
+                permissionsForRole = new Permissions();
+                rolePermissions.put(roleName, permissionsForRole);
+            }
+            permissionsForRole.add(permission);
+        }
+
+        public void addToUncheckedPolicy(PermissionCollection permissions) {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void addToUncheckedPolicy(Permission permission) throws PolicyContextException
{
+            if (audit != null) {
+                audit.append("Unchecked -> ").append(permission).append('\n');
+            }
+            uncheckedPermissions.add(permission);
+        }
+
+        public void addToExcludedPolicy(PermissionCollection permissions) {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void addToExcludedPolicy(Permission permission) throws PolicyContextException
{
+            if (audit != null) {
+                audit.append("Excluded -> ").append(permission).append('\n');
+            }
+            excludedPermissions.add(permission);
+        }
+
+        public void removeRole(String roleName) throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void removeUncheckedPolicy() throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void removeExcludedPolicy() throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void linkConfiguration(PolicyConfiguration link) throws PolicyContextException
{
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void delete() throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public void commit() throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public boolean inService() throws PolicyContextException {
+            throw new IllegalStateException("not implemented");
+        }
+
+        public ComponentPermissions getComponentPermissions() {
+            return new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);
+        }
+
+        public String getAudit() {
+            if (audit == null) {
+                return "no audit kept";
+            }
+            return audit.toString();
+        }
+
+    }
 }
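Review bot: RecordingPolicyConfiguration signals its unimplemented JACC methods with `IllegalStateException("not implemented")` and returns `null` from `getContextID()`, so anything that treats it as a real `PolicyConfiguration` (a provider calling `commit()`/`inService()`, or code keying on the context id) fails at runtime with a misleading exception type. Use `UnsupportedOperationException` for the stub methods and add a class comment: `/** Records permissions in memory for packaging into ComponentPermissions and for the audit string; it is never registered with a JACC provider, so lifecycle and linking methods are unsupported. */`. Because `getComponentPermissions()` hands out the live `Permissions` objects, a caller can keep adding to the unchecked or excluded sets after the build is finished; if no consumer needs to mutate them, calling `setReadOnly()` on each collection before returning would freeze the policy at build time, though I cannot confirm from this page whether ComponentPermissions relies on mutability.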

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=673535&r1=673534&r2=673535&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
Wed Jul  2 15:54:44 2008
@@ -32,6 +32,7 @@
 import java.security.Permission;
 
 import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebUserDataPermission;
 
 import junit.framework.TestCase;
 import org.apache.geronimo.common.DeploymentException;
@@ -144,6 +145,25 @@
         assertFalse(implies(p, permissions, "Peon"));
     }
 
+    //overlapping excluded and role constraint, excluded constraint wins.
+    public void testExcludedAndRoleConstraint() throws Exception {
+        URL srcXml = classLoader.getResource("security/web5.xml");
+        WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
+        WebAppType webAppType = webAppDoc.getWebApp();
+        SpecSecurityBuilder builder = new SpecSecurityBuilder();
+        ComponentPermissions permissions = builder.buildSpecSecurityConfig(webAppType);
+        // test excluding longer path than allowed
+        Permission p = new WebResourcePermission("/foo/Baz", "GET");
+        assertFalse(implies(p, permissions, "user"));
+        assertFalse(implies(p, permissions, null));
+        p = new WebResourcePermission("/bar", "GET");
+        assertTrue(implies(p, permissions, "user"));
+        assertTrue(implies(p, permissions, null));
+        p = new WebUserDataPermission("/bar", "GET");
+        assertTrue(implies(p, permissions, "user"));
+        assertTrue(implies(p, permissions, null));
+    }
+
     private boolean implies(Permission p, ComponentPermissions permissions, String role)
{
         PermissionCollection excluded = permissions.getExcludedPermissions();
         if (excluded.implies(p)) return false;
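Review bot: The new test never checks the excluded `WebUserDataPermission` that the main change now adds for `/foo/*`, and the inline comment `// test excluding longer path than allowed` is carried over from another test and does not describe these assertions (both constraints use the same `/foo/*` pattern). Add `p = new WebUserDataPermission("/foo/Baz", "GET"); assertFalse(implies(p, permissions, "user")); assertFalse(implies(p, permissions, null));` after the resource-permission asserts and reword the comment to `// C2's empty auth-constraint excludes /foo/* for every role and transport`. The `implies` helper begins in this hunk and continues outside it.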

Copied: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml
(from r670784, geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml)
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml?p2=geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml&p1=geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml&r1=670784&r2=673535&rev=673535&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml
Wed Jul  2 15:54:44 2008
@@ -18,30 +18,27 @@
 <web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          version="2.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
     <security-constraint>
+        <display-name>C1</display-name>
         <web-resource-collection>
-            <web-resource-name>wr1</web-resource-name>
-            <url-pattern>/Foo/*</url-pattern>
-            <url-pattern>/Foo/Bar/*</url-pattern>
-            <url-pattern>/Bar/*</url-pattern>
+            <web-resource-name>R1</web-resource-name>
+            <url-pattern>/foo/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
-            <role-name>Admin</role-name>
+            <role-name>user</role-name>
         </auth-constraint>
     </security-constraint>
+
     <security-constraint>
+        <display-name>C2</display-name>
         <web-resource-collection>
-            <web-resource-name>wr3</web-resource-name>
-            <url-pattern>/Foo/Bar/*</url-pattern>
-            <url-pattern>/Bar/Bar/*</url-pattern>
-            <http-method>GET</http-method>
+            <web-resource-name>R2</web-resource-name>
+            <url-pattern>/foo/*</url-pattern>
         </web-resource-collection>
         <auth-constraint/>
     </security-constraint>
+
     <security-role>
-        <role-name>Admin</role-name>
+        <role-name>user</role-name>
     </security-role>
-    <security-role>
-        <role-name>Peon</role-name>
-    </security-role>
- 
+
 </web-app>


