/*
* JBoss, Home of Professional Open Source
* Copyright 2005, JBoss Inc., and individual contributors as indicated
* by the @authors tag. See the copyright.txt in the distribution for a
* full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.security.authorization.sunxacml;
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.jboss.logging.Logger;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.XACMLConstants;
import com.sun.xacml.Indenter;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.Policy;
import com.sun.xacml.ctx.RequestCtx;
import com.sun.xacml.ctx.ResponseCtx;
import com.sun.xacml.ctx.Result;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.PolicyFinder;
import com.sun.xacml.finder.impl.CurrentEnvModule;
import com.sun.xacml.finder.impl.SelectorModule;
import com.sun.xacml.support.finder.URLPolicyFinderModule;
//$Id: JBossXACMLUtil.java 62898 2007-05-08 21:12:17Z anil.saldhana@jboss.com $
/**
* Util class for XACML Integration
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
* @since Jun 21, 2006
* @version $Revision: 62898 $
*/
public class JBossXACMLUtil
{
private static Logger log = Logger.getLogger(JBossXACMLUtil.class);
private static boolean trace = log.isTraceEnabled();
/**
* Peek into the XACML Reponse to derive the result
* of authorization (either AuthorizationContext.PERMIT or
* AuthorizationContext.DENY)
* Also, @see JBossXACMLUtil#checkXACMLAuthorization(RequestCtx, Policy)
* @param response xacml response
* @return AuthorizationContext.PERMIT or AuthorizationContext.DENY
* @throws Exception
*/
public static int analyzeResponseCtx(ResponseCtx response) throws Exception
{
if(trace)
{
ByteArrayOutputStream baos = new ByteArrayOutputStream();
response.encode(baos, new Indenter());
log.trace("XACML Response:"+baos.toString());
baos.close();
}
int result = AuthorizationContext.DENY;
Set results = response.getResults();
if(results.size() > 1)
throw new IllegalArgumentException("Number of results > 1");
Iterator iter = results.iterator();
if(iter.hasNext())
{
Result res = (Result)iter.next();
int decision = res.getDecision();
if(decision == Result.DECISION_PERMIT)
result = AuthorizationContext.PERMIT;
}
return result;
}
/**
* Perform XACML Authorization in one step
* @param request xacml request
* @param policy xacml Policy Object
* @return AuthorizationContext.PERMIT or AuthorizationContext.DENY
* @throws Exception
*/
public static synchronized int checkXACMLAuthorization(RequestCtx request,
Policy policy) throws Exception
{
ResponseCtx response = getXACMLResponse(request,policy);
return analyzeResponseCtx(response);
}
/**
* Get the default policy id created for dynamic policy files
* @return
*/
public static URI getDefaultPolicyID()
{
URI policyID = null;
try
{
policyID = new URI(XACMLConstants.JBOSS_DYNAMIC_POLICY_SET_IDENTIFIER);
}
catch(Exception e)
{
log.debug("Exception in getDefaultPolicyID:",e);
}
return policyID;
}
/**
* Invoke the XACML PDP
* Also, @see JBossXACMLUtil#checkXACMLAuthorization(RequestCtx, Policy)
* @param request xacml request
* @param policy XACML Policy object
* @return xacml response
*/
public static synchronized ResponseCtx getXACMLResponse(RequestCtx request,
Policy policy)
{
AttributeFinder attributeFinder = new AttributeFinder();
List attributeModules = new ArrayList();
attributeModules.add(new CurrentEnvModule());
attributeModules.add(new SelectorModule());
attributeFinder.setModules(attributeModules);
//List policyFileList = Arrays.asList(policyFiles);
PolicyFinder policyFinder = new PolicyFinder();
HashSet policyModules = new HashSet();
policyModules.add(new EnclosingPolicyFinderModule(policy));
/*policyModules.add(new JBossStaticPolicyFinderModule(PermitOverridesPolicyAlg.algId,
policyFileList));*/
//policyModules.add(new StaticRefPolicyFinderModule(policyFileList));
policyModules.add(new URLPolicyFinderModule());
policyFinder.setModules(policyModules);
PDP pdp = new PDP(new PDPConfig(attributeFinder,
policyFinder, null));
return pdp.evaluate(request);
}
}