From 132aa8a77685ec92bc90c03f987650d275a7b639 Mon Sep 17 00:00:00 2001 From: lresende Date: Mon, 30 Sep 2013 06:59:11 +0000 Subject: 2.0.1 RC1 release tag git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1527464 13f79535-47bb-0310-9956-ffa450edef68 --- .../security/jsr250/JSR250PolicyProcessor.java | 221 +++++++++++++++++++++ 1 file changed, 221 insertions(+) create mode 100644 sca-java-2.x/tags/2.0.1-RC1/modules/policy-security-jsr250/src/main/java/org/apache/tuscany/sca/policy/security/jsr250/JSR250PolicyProcessor.java (limited to 'sca-java-2.x/tags/2.0.1-RC1/modules/policy-security-jsr250/src/main/java/org/apache/tuscany/sca/policy/security/jsr250/JSR250PolicyProcessor.java') diff --git a/sca-java-2.x/tags/2.0.1-RC1/modules/policy-security-jsr250/src/main/java/org/apache/tuscany/sca/policy/security/jsr250/JSR250PolicyProcessor.java b/sca-java-2.x/tags/2.0.1-RC1/modules/policy-security-jsr250/src/main/java/org/apache/tuscany/sca/policy/security/jsr250/JSR250PolicyProcessor.java new file mode 100644 index 0000000000..5f3f1a33ff --- /dev/null +++ b/sca-java-2.x/tags/2.0.1-RC1/modules/policy-security-jsr250/src/main/java/org/apache/tuscany/sca/policy/security/jsr250/JSR250PolicyProcessor.java @@ -0,0 +1,221 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.tuscany.sca.policy.security.jsr250; + +import java.lang.reflect.Method; + +import javax.annotation.security.DenyAll; +import javax.annotation.security.PermitAll; +import javax.annotation.security.RolesAllowed; +import javax.annotation.security.RunAs; +import javax.xml.namespace.QName; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathExpression; +import javax.xml.xpath.XPathExpressionException; + +import org.apache.tuscany.sca.assembly.AssemblyFactory; +import org.apache.tuscany.sca.assembly.xml.Constants; +import org.apache.tuscany.sca.common.xml.stax.reader.NamespaceContextImpl; +import org.apache.tuscany.sca.common.xml.xpath.XPathHelper; +import org.apache.tuscany.sca.core.ExtensionPointRegistry; +import org.apache.tuscany.sca.core.FactoryExtensionPoint; +import org.apache.tuscany.sca.implementation.java.IntrospectionException; +import org.apache.tuscany.sca.implementation.java.JavaImplementation; +import org.apache.tuscany.sca.implementation.java.introspect.BaseJavaClassVisitor; +import org.apache.tuscany.sca.interfacedef.Operation; +import org.apache.tuscany.sca.interfacedef.java.JavaOperation; +import org.apache.tuscany.sca.policy.PolicyExpression; +import org.apache.tuscany.sca.policy.PolicyFactory; +import org.apache.tuscany.sca.policy.PolicySet; +import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy; +import org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy; + +/** + * Processes an {@link javax.annotation.security.*} annotation + * Below is a list of annotations + * + * Type Method + * RunAs x + * RolesAllowed x x + * PermitAll x x + * DenyAll x + * + */ +public class JSR250PolicyProcessor extends BaseJavaClassVisitor { + private static final QName RUN_AS = new QName(Constants.SCA11_TUSCANY_NS,"runAs"); + private static final QName ALLOW = new QName(Constants.SCA11_TUSCANY_NS,"allow"); + private static final QName PERMIT_ALL = new QName(Constants.SCA11_TUSCANY_NS,"permitAll"); + private static final QName DENY_ALL = new QName(Constants.SCA11_TUSCANY_NS,"denyAll"); + + private PolicyFactory policyFactory; + private XPathHelper xpathHelper; + private String appliesToString = "//sca:implementation.java"; + private XPathExpression appliesToExpression = null; + + public JSR250PolicyProcessor(ExtensionPointRegistry registry) throws IntrospectionException { + super(registry.getExtensionPoint(FactoryExtensionPoint.class).getFactory(AssemblyFactory.class)); + this.policyFactory = registry.getExtensionPoint(FactoryExtensionPoint.class).getFactory(PolicyFactory.class); + + this.xpathHelper = XPathHelper.getInstance(registry); + NamespaceContextImpl nsContext = new NamespaceContextImpl(null); + nsContext.register("sca", "http://docs.oasis-open.org/ns/opencsa/sca/200912"); + XPath path = xpathHelper.newXPath(); + try { + appliesToExpression = xpathHelper.compile(path, nsContext, appliesToString); + } catch (XPathExpressionException e) { + throw new IntrospectionException(e); + } + } + +/* + public JSR250PolicyProcessor(AssemblyFactory assemblyFactory, PolicyFactory policyFactory) { + super(assemblyFactory); + this.policyFactory = policyFactory; + } +*/ + + @Override + public void visitClass(Class clazz, JavaImplementation type) throws IntrospectionException { + + RunAs runAs = clazz.getAnnotation(javax.annotation.security.RunAs.class); + if (runAs != null) { + + String roleName = runAs.value(); + if(roleName == null) { + //FIXME handle monitor or error + } + + SecurityIdentityPolicy policy = new SecurityIdentityPolicy(); + policy.setRunAsRole(roleName); + PolicySet policySet = createPolicySet(RUN_AS, SecurityIdentityPolicy.NAME, policy); + type.getPolicySets().add(policySet); + } + + RolesAllowed rolesAllowed = clazz.getAnnotation(javax.annotation.security.RolesAllowed.class); + if(rolesAllowed != null) { + if(rolesAllowed.value().length == 0) { + //FIXME handle monitor or error + } + + AuthorizationPolicy policy = new AuthorizationPolicy(); + policy.setAccessControl(AuthorizationPolicy.AcessControl.allow); + + for(String role : rolesAllowed.value()) { + policy.getRoleNames().add(role); + } + + PolicySet policySet = createPolicySet(ALLOW, AuthorizationPolicy.NAME, policy); + type.getPolicySets().add(policySet); + } + + PermitAll permitAll = clazz.getAnnotation(javax.annotation.security.PermitAll.class); + if(permitAll != null) { + AuthorizationPolicy policy = new AuthorizationPolicy(); + policy.setAccessControl(AuthorizationPolicy.AcessControl.permitAll); + PolicySet policySet = createPolicySet(PERMIT_ALL, AuthorizationPolicy.NAME, policy); + type.getPolicySets().add(policySet); + } + + } + + @Override + public void visitMethod(Method method, JavaImplementation type) throws IntrospectionException { + RolesAllowed rolesAllowed = method.getAnnotation(javax.annotation.security.RolesAllowed.class); + if(rolesAllowed != null) { + if(rolesAllowed.value().length == 0) { + //FIXME handle monitor or error + } + + AuthorizationPolicy policy = new AuthorizationPolicy(); + policy.setAccessControl(AuthorizationPolicy.AcessControl.allow); + + for(String role : rolesAllowed.value()) { + policy.getRoleNames().add(role); + } + + // find the operation in the interface model + Operation operation = getOperationModel(method, type); + + if (operation != null){ + PolicySet policySet = createPolicySet(ALLOW, AuthorizationPolicy.NAME, policy); + operation.getPolicySets().add(policySet); + } + } + + PermitAll permitAll = method.getAnnotation(javax.annotation.security.PermitAll.class); + if(permitAll != null) { + AuthorizationPolicy policy = new AuthorizationPolicy(); + policy.setAccessControl(AuthorizationPolicy.AcessControl.permitAll); + + // find the operation in the interface model + Operation operation = getOperationModel(method, type); + + if (operation != null){ + PolicySet policySet = createPolicySet(PERMIT_ALL, AuthorizationPolicy.NAME, policy); + operation.getPolicySets().add(policySet); + } + } + + DenyAll denyAll = method.getAnnotation(javax.annotation.security.DenyAll.class); + if(denyAll != null) { + AuthorizationPolicy policy = new AuthorizationPolicy(); + policy.setAccessControl(AuthorizationPolicy.AcessControl.denyAll); + + // find the operation in the interface model + Operation operation = getOperationModel(method, type); + + if (operation != null){ + PolicySet policySet = createPolicySet(DENY_ALL, AuthorizationPolicy.NAME, policy); + operation.getPolicySets().add(policySet); + } + } + } + + private Operation getOperationModel(Method method, JavaImplementation type){ + + for(Operation op : type.getOperations()){ + if (((JavaOperation)op).getJavaMethod().equals(method)){ + return op; + } + } + + return null; + } + + /** + * Here we generate policy sets on the fly so they have to be configured as though they + * had been read and resolved from a defintions.xml file. I.e. they have to have appropriate + * appliesTo configuration and be marked as resolved. + */ + private PolicySet createPolicySet(QName policySetName, QName policyExpressionName, Object policy){ + + PolicyExpression policyExpression = policyFactory.createPolicyExpression(); + policyExpression.setName(policyExpressionName); + policyExpression.setPolicy(policy); + + PolicySet policySet = policyFactory.createPolicySet(); + policySet.setName(policySetName); + policySet.setAppliesTo(appliesToString); + policySet.setAppliesToXPathExpression(appliesToExpression); + policySet.getPolicies().add(policyExpression); + policySet.setUnresolved(false); + + return policySet; + } +} -- cgit v1.2.3