Return-Path: Delivered-To: apmail-geronimo-scm-archive@www.apache.org Received: (qmail 82984 invoked from network); 2 Jul 2008 22:55:36 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 2 Jul 2008 22:55:36 -0000 Received: (qmail 63384 invoked by uid 500); 2 Jul 2008 22:55:37 -0000 Delivered-To: apmail-geronimo-scm-archive@geronimo.apache.org Received: (qmail 63345 invoked by uid 500); 2 Jul 2008 22:55:37 -0000 Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list scm@geronimo.apache.org Received: (qmail 63336 invoked by uid 99); 2 Jul 2008 22:55:37 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Jul 2008 15:55:37 -0700 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Jul 2008 22:54:54 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 7F53D23889F1; Wed, 2 Jul 2008 15:54:45 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r673535 - in /geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src: main/java/org/apache/geronimo/web25/deployment/security/ test/java/org/apache/geronimo/web25/deployment/security/ test/resources/security/ Date: Wed, 02 Jul 2008 22:54:45 -0000 To: scm@geronimo.apache.org 
From: djencks@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20080702225445.7F53D23889F1@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: djencks Date: Wed Jul 2 15:54:44 2008 New Revision: 673535 URL: http://svn.apache.org/viewvc?rev=673535&view=rev Log: Make it easier to find out what permissions are being added to the policy Added: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml - copied, changed from r670784, geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java?rev=673535&r1=673534&r2=673535&view=diff ============================================================================== --- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java (original) +++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java Wed Jul 2 15:54:44 2008 
@@ -31,6 +31,8 @@ import javax.security.jacc.WebResourcePermission; import javax.security.jacc.WebUserDataPermission; import javax.security.jacc.WebRoleRefPermission; +import javax.security.jacc.PolicyConfiguration; +import javax.security.jacc.PolicyContextException; import org.apache.geronimo.security.jacc.ComponentPermissions; import org.apache.geronimo.xbeans.javaee.RoleNameType; @@ -47,7 +49,6 @@ */ public class SpecSecurityBuilder { private final Set securityRoles = new HashSet(); - private final Map rolePermissions = new HashMap(); private final Map uncheckedPatterns = new HashMap(); private final Map uncheckedResourcePatterns = new HashMap(); private final Map uncheckedUserPatterns = new HashMap(); @@ -58,21 +59,26 @@ // private boolean useExcluded = false; private boolean useExcluded = true; + private final RecordingPolicyConfiguration policyConfiguration = new RecordingPolicyConfiguration(true); + public ComponentPermissions buildSpecSecurityConfig(WebAppType webApp) { collectRoleNames(webApp.getSecurityRoleArray()); //role refs - for (ServletType servletType: webApp.getServletArray()) { - processRoleRefPermissions(servletType); - } - //add the role-ref permissions for unmapped jsps - addUnmappedJSPPermissions(); + try { + for (ServletType servletType: webApp.getServletArray()) { + processRoleRefPermissions(servletType); + } + //add the role-ref permissions for unmapped jsps + addUnmappedJSPPermissions(); - analyzeSecurityConstraints(webApp.getSecurityConstraintArray()); + analyzeSecurityConstraints(webApp.getSecurityConstraintArray()); // if (!useExcluded) { removeExcludedDups(); // } - - return buildComponentPermissions(); + return buildComponentPermissions(); + } catch (PolicyContextException e) { + throw new IllegalStateException("Should not happen", e); + } } public void analyzeSecurityConstraints(SecurityConstraintType[] securityConstraintArray) { 
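Review bot: The audit trail is hard-wired on by `new RecordingPolicyConfiguration(true)`, yet nothing outside the nested class can read it — the only consumer is the commented-out `// System.out.println(policyConfiguration.getAudit());` in the @@ -233 hunk — so the StringBuilder is filled on every build and then discarded, which is at odds with the commit's stated goal of making the added permissions easier to find. Consider a pass-through on SpecSecurityBuilder, `public String getAudit() { return policyConfiguration.getAudit(); }`, so tests and deployers can inspect which permissions went into each policy, and make the literal `true` a constructor parameter or log-level check rather than always recording. Separately, `throw new IllegalStateException("Should not happen", e)` in buildSpecSecurityConfig would be more useful with a message naming the failed operation, e.g. `"PolicyContextException while recording web-app permissions"`; the recording implementation shown in the @@ -302 hunk declares the exception but never throws it, so this branch only matters once a real PolicyConfiguration is plugged in.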
@@ -160,17 +166,15 @@ } } - public ComponentPermissions buildComponentPermissions() { - PermissionCollection excludedPermissions = new Permissions(); - PermissionCollection uncheckedPermissions = new Permissions(); + public ComponentPermissions buildComponentPermissions() throws PolicyContextException { if (useExcluded) { for (URLPattern pattern : excludedPatterns.values()) { String name = pattern.getQualifiedPattern(allSet); String actions = pattern.getMethods(); - excludedPermissions.add(new WebResourcePermission(name, actions)); - excludedPermissions.add(new WebUserDataPermission(name, actions)); + policyConfiguration.addToExcludedPolicy(new WebResourcePermission(name, actions)); + policyConfiguration.addToExcludedPolicy(new WebUserDataPermission(name, actions)); } } @@ -180,7 +184,7 @@ WebResourcePermission permission = new WebResourcePermission(name, actions); for (String roleName : pattern.getRoles()) { - addPermissionToRole(roleName, permission); + policyConfiguration.addToRole(roleName, permission); } HTTPMethods methods = pattern.getHTTPMethods(); int transportType = pattern.getTransport(); 
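Review bot: buildComponentPermissions is public and now writes into the builder-wide `policyConfiguration` instead of the per-call `new Permissions()` locals it used to create, so a second call on the same builder adds every excluded and unchecked permission again into the same collections and, unless ComponentPermissions copies its arguments, the object handed back shares them; rolePermissions was already a field, so roles had this behaviour before, but it now covers all three groups. If single-use is intended, say so in Javadoc on the method, e.g. `/** Feeds the patterns collected so far into the builder's PolicyConfiguration and returns the result; not idempotent — call once per SpecSecurityBuilder. */`. The body of buildComponentPermissions continues past the end of this hunk and is completed in the @@ -180 and @@ -233 hunks.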
@@ -233,26 +237,18 @@ HTTPMethods methods = uncheckedResourcePatterns.get(item); String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType()); - uncheckedPermissions.add(new WebResourcePermission(item.getName(), actions)); + policyConfiguration.addToUncheckedPolicy(new WebResourcePermission(item.getName(), actions)); } //Create the uncheckedPermissions for WebUserDataPermissions for (UncheckedItem item : uncheckedUserPatterns.keySet()) { HTTPMethods methods = uncheckedUserPatterns.get(item); String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType()); - uncheckedPermissions.add(new WebUserDataPermission(item.getName(), actions)); + policyConfiguration.addToUncheckedPolicy(new WebUserDataPermission(item.getName(), actions)); } - return new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions); - } - - public void addPermissionToRole(String roleName, Permission permission) { - PermissionCollection permissionsForRole = rolePermissions.get(roleName); - if (permissionsForRole == null) { - permissionsForRole = new Permissions(); - rolePermissions.put(roleName, permissionsForRole); - } - permissionsForRole.add(permission); +// System.out.println(policyConfiguration.getAudit()); + return policyConfiguration.getComponentPermissions(); } private void addOrUpdatePattern(Map patternMap, String name, HTTPMethods actions, int transportType) { @@ -266,7 +262,7 @@ patternMap.put(item, new HTTPMethods(actions, false)); } - protected void processRoleRefPermissions(ServletType servletType) { + protected void processRoleRefPermissions(ServletType servletType) throws PolicyContextException { String servletName = servletType.getServletName().getStringValue().trim(); //WebRoleRefPermissions SecurityRoleRefType[] securityRoleRefTypeArray = servletType.getSecurityRoleRefArray(); 
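Review bot: The removed `addPermissionToRole(String, Permission)` was public, so any caller or subclass outside this file that used it to inject extra role permissions will no longer compile, and the commit message does not mention an API change. If external use is possible, keep a thin delegating method, `public void addPermissionToRole(String roleName, Permission permission) throws PolicyContextException { policyConfiguration.addToRole(roleName, permission); }`, marked `@Deprecated`; otherwise state in the class Javadoc that permissions are only added through the recording PolicyConfiguration so the removal is clearly deliberate.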
@@ -282,17 +278,17 @@ * WebRoleRefPermission object resulting from the translation to the role * identified in the role-link appearing in the security-role-ref. */ - addPermissionToRole(roleLink, new WebRoleRefPermission(servletName, roleName)); + policyConfiguration.addToRole(roleLink, new WebRoleRefPermission(servletName, roleName)); unmappedRoles.remove(roleName); } for (String roleName : unmappedRoles) { - addPermissionToRole(roleName, new WebRoleRefPermission(servletName, roleName)); + policyConfiguration.addToRole(roleName, new WebRoleRefPermission(servletName, roleName)); } } - protected void addUnmappedJSPPermissions() { + protected void addUnmappedJSPPermissions() throws PolicyContextException { for (String roleName : securityRoles) { - addPermissionToRole(roleName, new WebRoleRefPermission("", roleName)); + policyConfiguration.addToRole(roleName, new WebRoleRefPermission("", roleName)); } } 
@@ -302,4 +298,103 @@ } } + + private static class RecordingPolicyConfiguration implements PolicyConfiguration { + private final PermissionCollection excludedPermissions = new Permissions(); + private final PermissionCollection uncheckedPermissions = new Permissions(); + private final Map rolePermissions = new HashMap(); + + private final StringBuilder audit; + + + private RecordingPolicyConfiguration(boolean audit) { + if (audit) { + this.audit = new StringBuilder(); + } else { + this.audit = null; + } + } + + public String getContextID() throws PolicyContextException { + return null; + } + + public void addToRole(String roleName, PermissionCollection permissions) { + throw new IllegalStateException("not implemented"); + } + + public void addToRole(String roleName, Permission permission) throws PolicyContextException { + if (audit != null) { + audit.append("Role: ").append(roleName).append(" -> ").append(permission).append('\n'); + } + PermissionCollection permissionsForRole = rolePermissions.get(roleName); + if (permissionsForRole == null) { + permissionsForRole = new Permissions(); + rolePermissions.put(roleName, permissionsForRole); + } + permissionsForRole.add(permission); + } + + public void addToUncheckedPolicy(PermissionCollection permissions) { + throw new IllegalStateException("not implemented"); + } + + public void addToUncheckedPolicy(Permission permission) throws PolicyContextException { + if (audit != null) { + audit.append("Unchecked -> ").append(permission).append('\n'); + } + uncheckedPermissions.add(permission); + } + + public void addToExcludedPolicy(PermissionCollection permissions) { + throw new IllegalStateException("not implemented"); + } + + public void addToExcludedPolicy(Permission permission) throws PolicyContextException { + if (audit != null) { + audit.append("Excluded -> ").append(permission).append('\n'); + } + excludedPermissions.add(permission); + } + + public void removeRole(String roleName) throws PolicyContextException { + throw 
new IllegalStateException("not implemented"); + } + + public void removeUncheckedPolicy() throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public void removeExcludedPolicy() throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public void linkConfiguration(PolicyConfiguration link) throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public void delete() throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public void commit() throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public boolean inService() throws PolicyContextException { + throw new IllegalStateException("not implemented"); + } + + public ComponentPermissions getComponentPermissions() { + return new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions); + } + + public String getAudit() { + if (audit == null) { + return "no audit kept"; + } + return audit.toString(); + } + + } } Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=673535&r1=673534&r2=673535&view=diff ============================================================================== --- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java (original) +++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java Wed Jul 2 15:54:44 2008 
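Review bot: The unimplemented PolicyConfiguration methods in RecordingPolicyConfiguration throw `IllegalStateException("not implemented")`, but IllegalStateException signals a bad object state, while an operation the class deliberately does not support is what `UnsupportedOperationException` is for; `getContextID()` is the odd one out, returning `null` instead of failing, so code that treats this object as a real PolicyConfiguration gets a silent null rather than a clear error. Switching the stubs to `throw new UnsupportedOperationException("RecordingPolicyConfiguration only records permissions")` and having getContextID do the same would make the intent explicit. The class also has no Javadoc; a short comment stating that it is an in-memory recorder collecting excluded, unchecked and per-role permissions into a ComponentPermissions, optionally keeping a textual audit, and that none of the JACC provider lifecycle methods (commit, delete, linkConfiguration, inService) are supported would help the next reader.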
@@ -32,6 +32,7 @@ import java.security.Permission; import javax.security.jacc.WebResourcePermission; +import javax.security.jacc.WebUserDataPermission; import junit.framework.TestCase; import org.apache.geronimo.common.DeploymentException; 
@@ -144,6 +145,25 @@ assertFalse(implies(p, permissions, "Peon")); } + //overlapping excluded and role constraint, excluded constraint wins. + public void testExcludedAndRoleConstraint() throws Exception { + URL srcXml = classLoader.getResource("security/web5.xml"); + WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options); + WebAppType webAppType = webAppDoc.getWebApp(); + SpecSecurityBuilder builder = new SpecSecurityBuilder(); + ComponentPermissions permissions = builder.buildSpecSecurityConfig(webAppType); + // test excluding longer path than allowed + Permission p = new WebResourcePermission("/foo/Baz", "GET"); + assertFalse(implies(p, permissions, "user")); + assertFalse(implies(p, permissions, null)); + p = new WebResourcePermission("/bar", "GET"); + assertTrue(implies(p, permissions, "user")); + assertTrue(implies(p, permissions, null)); + p = new WebUserDataPermission("/bar", "GET"); + assertTrue(implies(p, permissions, "user")); + assertTrue(implies(p, permissions, null)); + } + private boolean implies(Permission p, ComponentPermissions permissions, String role) { PermissionCollection excluded = permissions.getExcludedPermissions(); if (excluded.implies(p)) return false; Copied: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml (from r670784, geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml) URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml?p2=geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml&p1=geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml&r1=670784&r2=673535&rev=673535&view=diff ============================================================================== --- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web4.xml (original) 
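Review bot: The inline comment `// test excluding longer path than allowed` does not describe the assertions that follow, which check that `/foo/Baz`, a path that appears to fall under the excluded `/foo/*` pattern in web5.xml, is denied both for role `user` and for the unauthenticated caller, and then that `/bar` is open to both; suggest `// a resource under the excluded pattern is denied regardless of role`. The test also never looks at the audit trail this commit introduces, so if the builder exposes its audit string, an assertion that it mentions the excluded `/foo/*` permission would cover the new code path. The `implies` helper that the test relies on continues outside the hunk.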
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web5.xml Wed Jul 2 15:54:44 2008 @@ -18,30 +18,27 @@ + C1 - wr1 - /Foo/* - /Foo/Bar/* - /Bar/* + R1 + /foo/* - Admin + user + + C2 - wr3 - /Foo/Bar/* - /Bar/Bar/* - GET + R2 + /foo/* + - Admin + user - - Peon - - +