Author: sletellier Date: 2010-06-03 16:29:42 +0200 (Thu, 03 Jun 2010) New Revision: 1992 Url: http://nuiton.org/repositories/revision/topia/1992 Log: Fork TAAS (AccessController) to check permissions, don't work with JBoss 5.1.0 Modified: trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/TaasService.java trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasLoginModule.java trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPermission.java trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPolicy.java Modified: trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/TaasService.java =================================================================== --- trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/TaasService.java 2010-06-02 23:28:25 UTC (rev 1991) +++ trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/TaasService.java 2010-06-03 14:29:42 UTC (rev 1992) @@ -26,13 +26,13 @@ /* * * TopiaSecurityVetoableListener.java * - * Created: 10 f�vr. 2006 + * Created: 10 févr. 2006 * * @author Arnaud Thimel <thimel@codelutin.com> * @version $Revision$ * * Mise a jour: $Date$ - * par : */ + * par : sletellier */ package org.nuiton.topia.taas; 
@@ -54,27 +54,19 @@ import org.nuiton.topia.taas.entities.TaasUserImpl; import org.nuiton.topia.taas.event.TaasAccessEntity; import org.nuiton.topia.taas.event.TaasEntityVetoable; -import org.nuiton.topia.taas.jaas.TaasConfiguration; -import org.nuiton.topia.taas.jaas.TaasLoginModule; -import org.nuiton.topia.taas.jaas.TaasPermission; -import org.nuiton.topia.taas.jaas.TaasPolicy; -import org.nuiton.topia.taas.jaas.TaasSubjectFinder; -import org.nuiton.topia.taas.jaas.TaasSubjectFinderImpl; +import org.nuiton.topia.taas.jaas.*; import javax.security.auth.Subject; import javax.security.auth.login.Configuration; import java.lang.reflect.Constructor; import java.security.AccessController; import java.security.Permission; -import java.util.Collection; -import java.util.Iterator; -import java.util.List; -import java.util.Properties; +import java.util.*; import static org.nuiton.topia.taas.TaasUtil.getPrincipalNames; /** - * Service pour la s�curit� + * Service pour la sécurité * <p/> * Pour utiliser le service taas, il suffit de rajouter les lignes suivantes * dans le TopiaContext.properties :<p> topia.service.taas=org.nuiton.topia.taas.TaasService @@ -89,11 +81,14 @@ public static final String SERVICE_NAME = "taas"; - public static final String SERVICE_LOGIN_MODULE = TaasLoginModule.class.getName(); + public static final String SERVICE_LOGIN_MODULE = + TaasLoginModule.class.getName(); - public static final String SERVICE_EVENT = "topia.service.taas.event"; + public static final String SERVICE_EVENT = + "topia.service.taas.event"; - public static final String SERVICE_SUBJECT = "topia.service.taas.subject"; + public static final String SERVICE_SUBJECT = + "topia.service.taas.subject"; private TaasPolicy policy = new TaasPolicy(this); 
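Review bot: The wildcard imports `import org.nuiton.topia.taas.jaas.*;` and `import java.util.*;` that replace the explicit list are a style regression in a security module: the import block no longer shows which jaas types the service depends on, and a class later added to either package can silently shadow a name. I would keep the explicit imports and add the two the new code in this file actually needs, `import org.nuiton.topia.taas.jaas.TaasPrincipalWrapper;` and `import java.util.Set;`. The second hunk on this line is line wrapping of the constants only.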
@@ -143,7 +138,8 @@ rootContext = context; initSecurity(rootContext); try { - org.hibernate.cfg.Configuration configuration = rootContext.getHibernateConfiguration(); + org.hibernate.cfg.Configuration configuration = + rootContext.getHibernateConfiguration(); // Recuperation du parametre pour l'evenemnt String eventString = configuration.getProperty(SERVICE_EVENT); @@ -220,7 +216,8 @@ // Si pas de configuration autre que celle par d�faut if (Configuration.getConfiguration() == null) { - Configuration.setConfiguration(new TaasConfiguration(SERVICE_NAME, this)); + Configuration.setConfiguration( + new TaasConfiguration(SERVICE_NAME, this)); } return true; } @@ -240,19 +237,22 @@ * @return context root non securise * @throws TopiaException */ - public TopiaContext getRootContextNoSecure() throws TopiaException { + public TopiaContext getRootContextNoSecure() + throws TopiaException { return rootContextNoSecure; } /** - * Permet de r�cup�rer le subject en cours + * Permet de récupérer le subject en cours * @return subject */ public Subject findSubject() { Subject subject = subjectFinder.findSubject(); if (log.isDebugEnabled()) { - log.debug("findSubject : " + subjectFinder + " value " + subject); + log.debug("findSubject : " + + subjectFinder + " value " + + subject); } return subject; 
@@ -260,22 +260,26 @@ /** * Permet de verifier les authorizations sur une collection et de supprimer - * les donnees non autoris�es + * les donnees non autorisées * * @param entities collection d'entites * @param actions actions - * @throws SecurityException en cas d'erreur de s�curit� + * @throws SecurityException en cas d'erreur de sécurité */ - public void check(Collection<? extends TopiaEntity> entities, int actions) throws SecurityException { + public void check(Collection<? extends TopiaEntity> entities, int actions) + throws SecurityException { Subject subj = findSubject(); if (subj != null) { - for (Iterator<? extends TopiaEntity> iterator = entities.iterator(); iterator.hasNext();) { + for (Iterator<? extends TopiaEntity> iterator = + entities.iterator(); iterator.hasNext();) { TopiaEntity entity = iterator.next(); try { - AccessController.checkPermission(new TaasPermission(entity.getTopiaId(), actions)); + TaasPermission myp = new TaasPermission(entity.getTopiaId(), actions); + checkPermission(subj, myp); } catch (SecurityException se) { if (log.isDebugEnabled()) { - log.debug(getPrincipalNames(subj) + " does not have permissions to load: " + entity); + log.debug(getPrincipalNames(subj) + + " does not have permissions to load: " + entity, se); } iterator.remove(); } 
@@ -286,39 +290,33 @@ } /** - * Permet de v�rifier les authorizations + * Permet de vérifier les authorizations * - * @param entity entit� + * @param entity entité * @param actions actions - * @throws SecurityException en cas d'erreur de s�curit� + * @throws SecurityException en cas d'erreur de sécurité */ - public void check(TopiaEntity entity, int actions) throws SecurityException { - Subject subj = findSubject(); - if (subj != null) { - try { - AccessController.checkPermission(new TaasPermission(entity.getTopiaId(), actions)); - } catch (SecurityException se) { - throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + getPrincipalNames(subj) + "\""); - } - } else { - throw new SecurityException("Use doAs() and login first"); - } + public void check(TopiaEntity entity, int actions) + throws SecurityException { + check(entity.getTopiaId(), actions); } /** - * Permet de v�rifier les authorizations + * Permet de vérifier les authorizations * * @param topiaId id de l'entite * @param actions actions - * @throws SecurityException en cas d'erreur de s�curit� + * @throws SecurityException en cas d'erreur de sécurité */ public void check(String topiaId, int actions) throws SecurityException { Subject subj = findSubject(); if (subj != null) { try { - AccessController.checkPermission(new TaasPermission(topiaId, actions)); + TaasPermission myp = new TaasPermission(topiaId, actions); + checkPermission(subj, myp); } catch (SecurityException se) { - throw new SecurityException("Access denied to object \"" + topiaId + "\" for \"" + getPrincipalNames(subj) + "\""); + throw new SecurityException("Access denied to object \"" + + topiaId + "\" for \"" + getPrincipalNames(subj) + "\"", se); } } else { throw new SecurityException("Use doAs() and login first"); 
@@ -326,13 +324,40 @@ } /** - * Permet de v�rifier les authorizations + * Hack pour faire fonctionner la security. Normalement cette methode devrait etre seulement + * <pre> + * AccessController.checkPermission(myp); + * </pre> * - * @param entity entit� + * Mais comme ca ne fonctionne pas et pas vraiment de raison. Que le code au final a seulement besoin + * de checker les TaasPermissions des principales du subject. Cette methode est plus simple et plus rapide + * que le mode normal. + * + * @param subj + * @param myp + */ + protected void checkPermission(Subject subj, Permission myp) { + + // Code that note use realy jaas + Set<TaasPrincipalWrapper> ps = subj.getPrincipals(TaasPrincipalWrapper.class); + for (TaasPrincipalWrapper p : ps) { + if (!p.getPermissions().implies(myp)) { + throw new SecurityException("Access denied to object " + myp); + } + } + // Old code that use realy jaas + //AccessController.checkPermission(myp); + } + + /** + * Permet de vérifier les authorizations + * + * @param entity entité * @param actions actions - * @throws SecurityException en cas d'erreur de s�curit� + * @throws SecurityException en cas d'erreur de sécurité */ - public void checkRequestPermission(TopiaEntity entity, int actions) throws SecurityException { + public void checkRequestPermission(TopiaEntity entity, int actions) + throws SecurityException { Subject subj = findSubject(); if (subj != null) { 
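Review bot: The new `checkPermission` fails open: when `subj.getPrincipals(TaasPrincipalWrapper.class)` is empty the `for` loop is a no-op and the method returns normally, so a subject with no `TaasPrincipalWrapper` principal is granted every action, whereas the `AccessController.checkPermission(myp)` it replaces denied anything the policy did not grant. It also changes the combination rule: `TaasPolicy.getPermissions` unions the permissions of all wrapper principals, so a grant on any one of them sufficed, while this loop throws as soon as one principal does not imply the permission. Unless the all-principals rule is intended (the Javadoc does not say), return on the first implying principal and throw after the loop, which also closes the empty-set hole. The Javadoc should also state that the check is now subject-only: the `parentPolicy` code grants and the `ProtectionDomain` context consulted through `TaasPolicy` no longer take part.
```java
protected void checkPermission(Subject subj, Permission myp) {
    Set<TaasPrincipalWrapper> ps = subj.getPrincipals(TaasPrincipalWrapper.class);
    for (TaasPrincipalWrapper p : ps) {
        // A grant on any principal is enough, as with the union built by TaasPolicy.
        if (p.getPermissions().implies(myp)) {
            return;
        }
    }
    // Reached for an empty principal set as well: fail closed.
    throw new SecurityException("Access denied to object " + myp);
}
```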
@@ -340,17 +365,22 @@ if (permissions == null) { try { - AccessController.checkPermission(new TaasPermission(entity.getTopiaId(), actions)); + TaasPermission myp = new TaasPermission(entity.getTopiaId(), actions); + checkPermission(subj, myp); } catch (SecurityException se) { - throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + getPrincipalNames(subj) + "\""); + throw new SecurityException("Access denied to object \"" + + entity.getTopiaId() + "\" for \"" + + getPrincipalNames(subj) + "\"", se); } } else { for (Permission permission : permissions) { try { - AccessController.checkPermission(permission); + checkPermission(subj, permission); break; } catch (SecurityException se) { - throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + getPrincipalNames(subj) + "\""); + throw new SecurityException("Access denied to object \"" + + entity.getTopiaId() + "\" for \"" + + getPrincipalNames(subj) + "\"", se); } } } @@ -360,14 +390,15 @@ } /** - * Permet de v�rifier les authorizations sur une collection et de supprimer - * les donn�es non autoris�es + * Permet de vérifier les authorizations sur une collection et de supprimer + * les données non autorisées * - * @param entities collection d'entit�s + * @param entities collection d'entités * @param actions actions - * @throws SecurityException en cas d'erreur de s�curit� + * @throws SecurityException en cas d'erreur de sécurité */ - public void checkRequestPermission(Collection<? extends TopiaEntity> entities, int actions) throws SecurityException { + public void checkRequestPermission(Collection<? extends TopiaEntity> entities, + int actions) throws SecurityException { Subject subj = findSubject(); if (subj != null) { 
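Review bot: In the `else` branch the loop over `permissions` only ever evaluates its first element: a success hits `break`, and a failure is rethrown from the `catch` before the next permission is tried, so the other request permissions returned by `getRequestPermission` are never consulted. If the intent is that any one of them grants access, the `catch` should record the failure and continue, throwing only after the loop when none passed; if all must hold, the `break` should go. The shape predates this commit but these are the lines being rewritten, so it is the moment to settle it. `checkRequestPermission` starts in the previous hunk and its body appears to continue past this one.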
@@ -398,11 +429,11 @@ } /** - * R�cup�ration des requests permissions dans les DAOs + * Récupération des requests permissions dans les DAOs * - * @param entity entit� + * @param entity entité * @param actions actions - * @return permissions � v�rifier + * @return permissions à vérifier */ public List<Permission> getRequestPermission(TopiaEntity entity, int actions) { String topiaId = entity.getTopiaId(); Modified: trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasLoginModule.java =================================================================== --- trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasLoginModule.java 2010-06-02 23:28:25 UTC (rev 1991) +++ trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasLoginModule.java 2010-06-03 14:29:42 UTC (rev 1992) 
@@ -195,8 +195,25 @@ */ @Override public boolean commit() throws LoginException { - subject.getPrincipals().addAll(principals); - subject.getPrivateCredentials().add(privateCredential); + try { + subject.getPrincipals().addAll(principals); + if (log.isDebugEnabled()) { + for (TaasPrincipalWrapper principal : principals) { + log.debug("Permissions for principal " + + principal.getName() + " : " + + principal.getPermissions()); + } + } + subject.getPrivateCredentials().add(privateCredential); + if (log.isDebugEnabled()) { + log.debug("Private credential size : " + + subject.getPrivateCredentials().size() + + " for subject : " + subject); + } + } catch (Exception eee) { + log.error("Cant commit : ", eee); + throw new LoginException(eee.getMessage()); + } return true; } Modified: trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPermission.java =================================================================== --- trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPermission.java 2010-06-02 23:28:25 UTC (rev 1991) +++ trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPermission.java 2010-06-03 14:29:42 UTC (rev 1992) 
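Review bot: `log.debug("Private credential size : " + ... + " for subject : " + subject)` concatenates the `Subject` itself, and `Subject.toString()` renders the private credential set when the caller may read it, so at debug level the `privateCredential` added two lines above can end up in the log; log `subject.getPrincipals()` instead, e.g. `" for subject principals : " + subject.getPrincipals()`. The `catch (Exception eee)` also drops the cause when it throws `new LoginException(eee.getMessage())`, and a null message yields a blank exception; keep it with `LoginException le = new LoginException(String.valueOf(eee.getMessage())); le.initCause(eee); throw le;`. Catching `Exception` around two `Set.add` calls is broader than needed; `RuntimeException` is what can actually surface here.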
@@ -95,8 +95,11 @@ return false; } TaasPermission other = (TaasPermission)permission; - return impliesExpression(authorizationExpression, other.getAuthorizationExpression()) && - impliesActions(authorizationActions, other.getAuthorizationActions()); + boolean isImplies = impliesExpression(authorizationExpression, other.getAuthorizationExpression()) && + impliesActions(authorizationActions, other.getAuthorizationActions()); + + log.debug("Implies " + permission + " with other " + other + " implies : " + isImplies); + return isImplies; } /* Modified: trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPolicy.java =================================================================== --- trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPolicy.java 2010-06-02 23:28:25 UTC (rev 1991) +++ trunk/topia-service-security/src/main/java/org/nuiton/topia/taas/jaas/TaasPolicy.java 2010-06-03 14:29:42 UTC (rev 1992) 
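Review bot: The new line `log.debug("Implies " + permission + " with other " + other + " implies : " + isImplies)` prints the same object twice, since `other` is just `permission` cast to `TaasPermission`; the permission being checked against (`this`) never appears, which makes the trace useless for diagnosing a denial. It is also unguarded, so the string concatenation runs on every `implies` call, and `TaasService.checkPermission` and `TaasPolicy` invoke `implies` per permission per check. Change it to `if (log.isDebugEnabled()) { log.debug("Implies " + this + " with other " + other + " implies : " + isImplies); }`. `implies` starts before this hunk.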
@@ -97,26 +97,34 @@ */ @Override public PermissionCollection getPermissions(ProtectionDomain domain) { - PermissionCollection pc = parentPolicy.getPermissions(domain); - - Subject subject = taasService.findSubject(); - if (subject != null) { - for (Principal principal : subject.getPrincipals()) { - if(principal instanceof TaasPrincipalWrapper) { - TaasPrincipalWrapper principalWrapper = (TaasPrincipalWrapper) principal; - PermissionCollection permissions = principalWrapper.getPermissions(); - - Enumeration<Permission> enumeration = permissions.elements(); - while(enumeration.hasMoreElements()){ - Permission permission = enumeration.nextElement(); - pc.add(permission); + if (log.isDebugEnabled()) { + log.debug("Get all permissions for domain : " + (domain==null?null:domain.getClass())); + } + try { + PermissionCollection pc = parentPolicy.getPermissions(domain); + + Subject subject = taasService.findSubject(); + if (subject != null) { + for (Principal principal : subject.getPrincipals()) { + if(principal instanceof TaasPrincipalWrapper) { + TaasPrincipalWrapper principalWrapper = (TaasPrincipalWrapper) principal; + PermissionCollection permissions = principalWrapper.getPermissions(); + + Enumeration<Permission> enumeration = permissions.elements(); + while(enumeration.hasMoreElements()){ + Permission permission = enumeration.nextElement(); + pc.add(permission); + } } } + } else { + log.error("R�cup�ration des Permissions impossible"); } - } else { - log.error("R�cup�ration des Permissions impossible"); + return pc; + } catch (Throwable eee) { + log.error("Cant get permissions : ", eee); } - return pc; + return null; } /* (non-Javadoc)
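Review bot: `return null` after `catch (Throwable eee)` is the wrong failure mode for a `Policy`: callers such as `ProtectionDomain.implies` expect a `PermissionCollection`, so a failure surfaces as a `NullPointerException` in the caller rather than as a denial, and catching `Throwable` also swallows `Error`s like `OutOfMemoryError`. Catch `RuntimeException` and return an empty, read-only `java.security.Permissions` so the outcome is a plain deny: `} catch (RuntimeException eee) { log.error("Cant get permissions : ", eee); } PermissionCollection none = new Permissions(); none.setReadOnly(); return none;`. The retained `log.error("R�cup�ration des Permissions impossible")` still carries the mojibake this same commit fixes in TaasService. Since `TaasService.checkPermission` no longer calls `AccessController`, the class Javadoc should say which check path, if any, still reaches this policy.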