From xuhaih...@apache.org
Subject svn commit: r1001578 - in /geronimo/server/trunk/plugins/j2ee: geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/ geronimo-web-2.5-builder/src/test/resources/security/ geronimo-web/src/main/java/org/apache/geronimo/we...
Date Mon, 27 Sep 2010 03:09:41 GMT
Author: xuhaihong
Date: Mon Sep 27 03:09:40 2010
New Revision: 1001578

URL: http://svn.apache.org/viewvc?rev=1001578&view=rev
Log:
GERONIMO-5578 WebResourcePermission must be added to the corresponding role for each distinct
combination in the cross-product of url-pattern and role-name (Patch from Han Hong Fang)

Added:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
  (with props)
Modified:
    geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/SpecSecurityBuilder.java
    geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/URLPattern.java

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=1001578&r1=1001577&r2=1001578&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
Mon Sep 27 03:09:40 2010
@@ -164,6 +164,21 @@ public class SpecSecurityParsingTest ext
         assertTrue(implies(p, permissions, null));
     }
 
+    public void testDifferentRoleDifferentHttpMethod() throws Exception {
+        WebApp webApp = parse("security/web7.xml");
+        WebAppInfoBuilder webAppInfoBuilder = new WebAppInfoBuilder(webApp, new DefaultWebAppInfoFactory());
+        webAppInfoBuilder.build();
+        SpecSecurityBuilder builder = new SpecSecurityBuilder(webAppInfoBuilder.getWebAppInfo());
+        ComponentPermissions permissions = builder.buildSpecSecurityConfig();
+        Permission p = new WebResourcePermission("/app/*", "GET");
+        assertTrue(implies(p, permissions, "userGet"));
+        assertFalse(implies(p, permissions, "userPost"));
+        p = new WebResourcePermission("/app/home", "POST");
+        assertTrue(implies(p, permissions, "userPost"));
+        assertFalse(implies(p, permissions, "userGet"));
+    }
+
+
     private boolean implies(Permission p, ComponentPermissions permissions, String role)
{
         PermissionCollection excluded = permissions.getExcludedPermissions();
         if (excluded.implies(p)) return false;
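Review bot: testDifferentRoleDifferentHttpMethod only uses constraints with a single role-name each, so it cannot detect a regression in exactly the case the log message is about — one constraint listing several role-names and several url-patterns — and it does not exercise the new `*` role expansion in SpecSecurityBuilder at all. Suggest a second fixture with `<role-name>userA</role-name><role-name>userB</role-name>` over two url-patterns, asserting `implies(p, permissions, "userA")` and `implies(p, permissions, "userB")` are both true for both patterns, plus a constraint using `*` that asserts every declared security-role implies the permission. The `implies` helper starts at the end of this hunk and continues outside it.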

Added: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml?rev=1001578&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
(added)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
Mon Sep 27 03:09:40 2010
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>resource1</web-resource-name>
+            <url-pattern>/app/*</url-pattern>
+            <url-pattern>/app/home</url-pattern>
+            <http-method>GET</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>userGet</role-name>
+        </auth-constraint>
+    </security-constraint>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>resource2</web-resource-name>
+            <url-pattern>/app/*</url-pattern>
+            <url-pattern>/app/home</url-pattern>
+            <http-method>POST</http-method>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>userPost</role-name>
+        </auth-constraint>
+    </security-constraint>
+</web-app>
\ No newline at end of file

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web7.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/SpecSecurityBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/SpecSecurityBuilder.java?rev=1001578&r1=1001577&r2=1001578&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/SpecSecurityBuilder.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/SpecSecurityBuilder.java
Mon Sep 27 03:09:40 2010
@@ -61,7 +61,7 @@ public class SpecSecurityBuilder {
 
     private final Map<String, URLPattern> excludedPatterns = new HashMap<String,
URLPattern>();
 
-    private final Map<String, URLPattern> rolesPatterns = new HashMap<String, URLPattern>();
+    private final Map<String, Map<String, URLPattern>> rolesPatterns = new HashMap<String,
Map<String, URLPattern>>();
 
     private final Set<URLPattern> allSet = new HashSet<URLPattern>();
 
@@ -93,12 +93,16 @@ public class SpecSecurityBuilder {
 
     private void analyzeSecurityConstraints(List<SecurityConstraintInfo> securityConstraints)
{
         for (SecurityConstraintInfo securityConstraint : securityConstraints) {
-            Map<String, URLPattern> currentPatterns;
+            Map<String, URLPattern> currentPatterns = null;
+            Set<String> roleNames = null;
             if (securityConstraint.authConstraint != null) {
                 if (securityConstraint.authConstraint.roleNames.size() == 0) {
                     currentPatterns = excludedPatterns;
                 } else {
-                    currentPatterns = rolesPatterns;
+                    roleNames = new HashSet<String>(securityConstraint.authConstraint.roleNames);
+                    if(roleNames.remove("*")) {
+                        roleNames.addAll(securityRoles);
+                    }
                 }
             } else {
                 currentPatterns = uncheckedPatterns;
@@ -107,12 +111,17 @@ public class SpecSecurityBuilder {
             for (WebResourceCollectionInfo webResourceCollection : securityConstraint.webResourceCollections)
{
                 //Calculate HTTP methods list
                 for (String urlPattern : webResourceCollection.urlPatterns) {
-                    URLPattern pattern = currentPatterns.get(urlPattern);
-                    if (pattern == null) {
-                        pattern = new URLPattern(urlPattern, webResourceCollection.httpMethods,
webResourceCollection.omission);
-                        currentPatterns.put(urlPattern, pattern);
+                    if (currentPatterns == null) {
+                        for (String roleName : roleNames) {
+                            currentPatterns = rolesPatterns.get(roleName);
+                            if (currentPatterns == null) {
+                                currentPatterns = new HashMap<String, URLPattern>();
+                                rolesPatterns.put(roleName, currentPatterns);
+                            }
+                            analyzeURLPattern(urlPattern, webResourceCollection.httpMethods,
webResourceCollection.omission, transport, currentPatterns);
+                        }
                     } else {
-                        pattern.addMethods(webResourceCollection.httpMethods, webResourceCollection.omission);
+                        analyzeURLPattern(urlPattern, webResourceCollection.httpMethods,
webResourceCollection.omission, transport, currentPatterns);
                     }
                     URLPattern allPattern = allMap.get(urlPattern);
                     if (allPattern == null) {
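Review bot: The role loop reuses the outer `currentPatterns` variable (`currentPatterns = rolesPatterns.get(roleName);`), so after the first url-pattern of a multi-role constraint `currentPatterns` is non-null and points at the last role's map; every later url-pattern in that constraint, and in its other web-resource-collections, then takes the `else` branch and is recorded for that single role only. Because `roleNames` is a HashSet, which role ends up with the remaining patterns is not even deterministic. The web7.xml fixture has one role per constraint, so the new test does not reach this. Branch on `roleNames != null` and use a loop-local map instead; the enclosing `for` loop closes in the next hunk.
```java
                for (String urlPattern : webResourceCollection.urlPatterns) {
                    if (roleNames != null) {
                        for (String roleName : roleNames) {
                            Map<String, URLPattern> rolePatterns = rolesPatterns.get(roleName);
                            if (rolePatterns == null) {
                                rolePatterns = new HashMap<String, URLPattern>();
                                rolesPatterns.put(roleName, rolePatterns);
                            }
                            analyzeURLPattern(urlPattern, webResourceCollection.httpMethods, webResourceCollection.omission, transport, rolePatterns);
                        }
                    } else {
                        analyzeURLPattern(urlPattern, webResourceCollection.httpMethods, webResourceCollection.omission, transport, currentPatterns);
                    }
                    // … unchanged: allMap bookkeeping …
```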
@@ -122,27 +131,31 @@ public class SpecSecurityBuilder {
                     } else {
                         allPattern.addMethods(webResourceCollection.httpMethods, webResourceCollection.omission);
                     }
-                    if (currentPatterns == rolesPatterns) {
-                        for (String roleName : securityConstraint.authConstraint.roleNames)
{
-                            if (roleName.equals("*")) {
-                                pattern.addAllRoles(securityRoles);
-                            } else {
-                                pattern.addRole(roleName);
-                            }
-                        }
-                    }
-                    pattern.setTransport(transport);
+
                 }
             }
         }
     }
 
+    private void analyzeURLPattern(String urlPattern, Set<String> httpMethods, boolean
omission, String transport, Map<String, URLPattern> currentPatterns) {
+        URLPattern pattern = currentPatterns.get(urlPattern);
+        if (pattern == null) {
+            pattern = new URLPattern(urlPattern, httpMethods, omission);
+            currentPatterns.put(urlPattern, pattern);
+        } else {
+            pattern.addMethods(httpMethods, omission);
+        }
+        pattern.setTransport(transport);
+    }
+
     private void removeExcludedDups() {
         for (Map.Entry<String, URLPattern> excluded : excludedPatterns.entrySet())
{
             String url = excluded.getKey();
             URLPattern pattern = excluded.getValue();
             removeExcluded(url, pattern, uncheckedPatterns);
-            removeExcluded(url, pattern, rolesPatterns);
+            for (Map<String, URLPattern> rolePatterns : rolesPatterns.values()) {
+                removeExcluded(url, pattern, rolePatterns);
+            }
         }
     }
 
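Review bot: The new private helper `analyzeURLPattern` has no Javadoc, and its unconditional `pattern.setTransport(transport);` means an entry already present in `currentPatterns` silently takes the transport guarantee of whichever constraint is processed last, which the method name does not suggest. Add a short Javadoc saying the method merges the collection's HTTP methods into the map entry for `urlPattern`, creating the entry on first sight, and mark the overwrite explicitly, e.g. `// methods are merged, but the transport guarantee is not: the last constraint processed wins` above the `setTransport` call. The lone added blank line at the end of the url-pattern loop body (the bare `+` line in the previous part of this hunk) can be dropped.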
@@ -162,16 +175,16 @@ public class SpecSecurityBuilder {
             policyConfiguration.addToExcludedPolicy(new WebResourcePermission(name, actions));
             policyConfiguration.addToExcludedPolicy(new WebUserDataPermission(name, actions));
         }
-        for (URLPattern pattern : rolesPatterns.values()) {
-            String name = pattern.getQualifiedPattern(allSet);
-            String actions = pattern.getMethods();
-            WebResourcePermission permission = new WebResourcePermission(name, actions);
-            for (String roleName : pattern.getRoles()) {
-                policyConfiguration.addToRole(roleName, permission);
+        for (Map.Entry<String, Map<String, URLPattern>> entry : rolesPatterns.entrySet())
{
+            for (URLPattern pattern : entry.getValue().values()) {
+                String name = pattern.getQualifiedPattern(allSet);
+                String actions = pattern.getMethods();
+                WebResourcePermission permission = new WebResourcePermission(name, actions);
+                policyConfiguration.addToRole(entry.getKey(), permission);
+                HTTPMethods methods = pattern.getHTTPMethods();
+                int transportType = pattern.getTransport();
+                addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
             }
-            HTTPMethods methods = pattern.getHTTPMethods();
-            int transportType = pattern.getTransport();
-            addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
         }
         for (URLPattern pattern : uncheckedPatterns.values()) {
             String name = pattern.getQualifiedPattern(allSet);
@@ -217,6 +230,7 @@ public class SpecSecurityBuilder {
             String actions = URLPattern.getMethodsWithTransport(methods, item.getTransportType());
             policyConfiguration.addToUncheckedPolicy(new WebUserDataPermission(item.getName(),
actions));
         }
+        System.out.println(policyConfiguration.getAudit());
         return policyConfiguration.getComponentPermissions();
     }
 
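Review bot: `System.out.println(policyConfiguration.getAudit());` just before the `return` looks like a debugging statement left in: it writes the complete policy-configuration audit to stdout on every `buildSpecSecurityConfig()` call, bypassing the logging configuration and dumping the module's whole authorization policy into the server console. Remove the line, or if the audit trail is wanted, emit it through the module's logger at debug level (the hunk does not show whether SpecSecurityBuilder already has a logger field). `buildSpecSecurityConfig` starts outside this hunk.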

Modified: geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/URLPattern.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/URLPattern.java?rev=1001578&r1=1001577&r2=1001578&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/URLPattern.java
(original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-web/src/main/java/org/apache/geronimo/web/security/URLPattern.java
Mon Sep 27 03:09:40 2010
@@ -17,7 +17,6 @@
 
 package org.apache.geronimo.web.security;
 
-import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -38,7 +37,6 @@ public class URLPattern {
     private final String pattern;
     private final HTTPMethods httpMethods;
     private int transport;
-    private final HashSet<String> roles = new HashSet<String>();
 
     /**
      * Construct an instance of the utility class for <code>WebModuleConfiguration</code>.
@@ -78,7 +76,7 @@ public class URLPattern {
         } else {
             HashSet<String> bucket = new HashSet<String>();
             StringBuilder result = new StringBuilder(pattern);
-            
+
             // Collect a set of qualifying patterns, depending on the type of this pattern.
             for (URLPattern p : patterns) {
                 if (type.check(this, p)) {
@@ -177,19 +175,6 @@ public class URLPattern {
         return transport;
     }
 
-    public void addRole(String role) {
-        roles.add(role);
-    }
-
-    public void addAllRoles(Collection<String> collection) {
-        roles.addAll(collection);
-    }
-
-    public HashSet<String> getRoles() {
-        return roles;
-    }
-
-
     /**
      * TODO this is kinda weird without an explanation
      * @param obj object to compare with


