Posted to commits@airavata.apache.org by sm...@apache.org on 2015/08/17 06:09:11 UTC
[09/10] airavata git commit: Completion of the security solution in
Airavata - adding some missing files from the previous commit and fixing
issues found while testing.
Completion of the security solution in Airavata - adding some missing files from the previous commit and fixing issues found while testing.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/f080ac26
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/f080ac26
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/f080ac26
Branch: refs/heads/master
Commit: f080ac263c6cd1c1df98dcfbd5f3366f0734fb44
Parents: 2777476
Author: hasinitg <ha...@gmail.com>
Authored: Sun Aug 16 23:44:51 2015 -0400
Committer: hasinitg <ha...@gmail.com>
Committed: Sun Aug 16 23:44:51 2015 -0400
----------------------------------------------------------------------
.../DefaultAiravataSecurityManager.java | 2 +-
.../server/security/authzcache/AuthzCache.java | 4 +-
.../security/authzcache/AuthzCacheEntry.java | 63 +++++++++
.../security/authzcache/AuthzCacheIndex.java | 78 +++++++++++
.../security/authzcache/AuthzCacheManager.java | 80 ++++++++++++
.../authzcache/AuthzCacheManagerFactory.java | 60 +++++++++
.../authzcache/DefaultAuthzCacheManager.java | 108 ++++++++++++++++
.../server/security/xacml/DefaultXACMLPEP.java | 129 +++++++++++++++++++
.../main/resources/airavata-server.properties | 2 +-
9 files changed, 523 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
index f42d98d..7078659 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java
@@ -148,7 +148,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager {
//cache the authorization decision
authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken, action),
- new AuthzCacheEntry(decision, expiryTimestamp));
+ new AuthzCacheEntry(decision, expiryTimestamp, System.currentTimeMillis()));
return decision;
} else {
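Review bot: The second constructor argument is named `expiryTimestamp` here, while `AuthzCacheEntry` documents that field as a time-to-live in seconds and `DefaultAuthzCacheManager.getAuthzCachedStatus` compares it against elapsed seconds; if the value passed is in fact an absolute epoch timestamp, cached decisions would effectively never expire. The enclosing method starts and ends outside the hunk, so where `expiryTimestamp` comes from is not visible; please confirm the unit and either convert it or rename the local to `expiresInSeconds` so both sides agree. A comment above the call such as `//cache the decision for the remaining lifetime of the access token (seconds)` would pin the intent for the next reader.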
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
index a563caa..8b14556 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java
@@ -55,7 +55,9 @@ public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry>
@Override
protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry> eldest) {
//TODO: following info log is for demonstration purposes. Remove it.
- logger.info("Authz cache max size exceeded. Removing the old entries.");
+ if (size() > MAX_SIZE) {
+ logger.info("Authz cache max size exceeded. Removing the old entries.");
+ }
return size() > MAX_SIZE;
}
}
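Review bot: `size() > MAX_SIZE` is now evaluated twice in `removeEldestEntry`, once for the log guard and once for the return value; computing it once keeps the log and the eviction decision from ever diverging: `boolean evict = size() > MAX_SIZE;` / `if (evict) { logger.info("Authz cache max size exceeded. Removing the old entries."); }` / `return evict;`. The TODO on the preceding line still says the info log is for demonstration and should be removed, so either remove it now or reword the TODO to say what should replace it (a debug-level message, for instance).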
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
new file mode 100644
index 0000000..03ca229
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java
@@ -0,0 +1,63 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache entry in the default authorization cache.
+ */
+public class AuthzCacheEntry {
+ //authorization decision for the authorization request associated with this cache entry.
+ private boolean decision;
+ //time to live value for the access token in seconds.
+ private long expiryTime;
+ //time stamp in milli seconds at the time this entry is put into the cache
+ private long entryTimestamp;
+
+ public AuthzCacheEntry(boolean decision, long expiryTime, long entryTimestamp) {
+ this.decision = decision;
+ this.expiryTime = expiryTime;
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getEntryTimestamp() {
+ return entryTimestamp;
+ }
+
+ public void setEntryTimestamp(long entryTimestamp) {
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getExpiryTime() {
+ return expiryTime;
+ }
+
+ public void setExpiryTime(long timestamp) {
+ this.expiryTime = timestamp;
+ }
+
+ public boolean getDecision() {
+ return decision;
+ }
+
+ public void setDecision(boolean decision) {
+ this.decision = decision;
+ }
+}
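Review bot: `AuthzCacheEntry` exposes setters for `decision`, `expiryTime` and `entryTimestamp`, so any holder of a reference returned by `getAuthzCacheEntry` can change a cached authorization decision in place; no call to the setters appears in this commit, and making the three fields `final` and dropping the setters would keep a decision immutable once stored. The parameter of `setExpiryTime(long timestamp)` is named as an absolute timestamp while the field comment describes a time-to-live in seconds; if the setter stays, rename the parameter to `expiryTime` to avoid the mismatch. The class Javadoc could also state the contract, e.g. `Immutable record of one authorization decision together with the token lifetime (seconds) and insertion time (millis) used to expire it.`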
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
new file mode 100644
index 0000000..59667d8
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
@@ -0,0 +1,78 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache index of the default authorization cache.
+ */
+public class AuthzCacheIndex {
+
+ private String subject;
+ private String oauthAccessToken;
+ private String action;
+
+ public AuthzCacheIndex(String userName, String accessToken, String actionString) {
+ this.subject = userName;
+ this.oauthAccessToken = accessToken;
+ this.action = actionString;
+ }
+
+ public String getSubject() {
+ return subject;
+ }
+
+ public void setSubject(String subject) {
+ this.subject = subject;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public String getOauthAccessToken() {
+ return oauthAccessToken;
+ }
+
+ public void setOauthAccessToken(String oauthAccessToken) {
+ this.oauthAccessToken = oauthAccessToken;
+ }
+
+ /*Equals and hash code methods are overriden since this is being used as an index of a map and that containsKey method
+ * should return true if the values of two index objects are equal.*/
+ @Override
+ public boolean equals(Object other) {
+ if (other == null || other.getClass() != getClass()) {
+ return false;
+ }
+ return ((this.getSubject().equals(((AuthzCacheIndex) other).getSubject()))
+ && (this.getOauthAccessToken().equals(((AuthzCacheIndex) other).getOauthAccessToken()))
+ && (this.getAction().equals(((AuthzCacheIndex) other).getAction())));
+ }
+
+ @Override
+ public int hashCode() {
+ return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getAction().hashCode();
+ }
+}
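Review bot: `equals` and `hashCode` dereference all three fields, so an index built with a null subject, token or action (the constructor validates none of them) throws `NullPointerException` from `containsKey`/`put` rather than simply failing to match; `Objects.equals`/`Objects.hash` give null-safe versions and a mixing hash, whereas plain addition of the three hash codes makes permuted field values collide. Both need `import java.util.Objects;` added to the file (fence below). Separately, the raw OAuth access token is held as part of a long-lived in-memory key; keying on a digest of the token instead would lower its exposure in heap dumps while leaving lookups unchanged, which is worth considering even though it is not a correctness issue here.
```java
@Override
public boolean equals(Object other) {
    if (other == null || other.getClass() != getClass()) {
        return false;
    }
    AuthzCacheIndex that = (AuthzCacheIndex) other;
    return Objects.equals(subject, that.subject)
            && Objects.equals(oauthAccessToken, that.oauthAccessToken)
            && Objects.equals(action, that.action);
}

@Override
public int hashCode() {
    return Objects.hash(subject, oauthAccessToken, action);
}
```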
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
new file mode 100644
index 0000000..48cfb03
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java
@@ -0,0 +1,80 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.security.AiravataSecurityException;
+
+/**
+ * This is the interface through which security manager accesses the underlying caching implementation
+ * See the DefaultAuthzCacheManager.java for an example implementation of this interface.
+ */
+public interface AuthzCacheManager {
+ /**
+ * Returns the status of the cache w.r.t the given authorization request which is encapsulated in
+ * the AuthzCacheIndex.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Add to cache the authorization decision pertaining to a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @param authzCacheEntry
+ * @throws AiravataSecurityException
+ */
+ public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException;
+
+ /**
+ * Check if a valid decision is cached for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Returns the AuthzCacheEntry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ * @throws AiravataSecurityException
+ */
+ public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Removes the authorization cache entry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @throws AiravataSecurityException
+ */
+ public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Clear the authorization cache.
+ *
+ * @return
+ */
+ public void clearCache() throws AiravataSecurityException;
+
+}
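Review bot: Every `@param` and `@return` tag in the interface Javadoc is empty, `clearCache` carries a `@return` tag on a `void` method, and `getAuthzCachedStatus` and `isAuthzDecisionCached` declare `throws AiravataSecurityException` without a `@throws` tag. Since this is the contract the security manager codes against, fill the tags in — for `getAuthzCachedStatus`, e.g. `@param authzCacheIndex the subject, access token and action identifying the request` and `@return AUTHORIZED or NOT_AUTHORIZED when a live decision is cached, NOT_CACHED otherwise` — and drop the `@return` on `clearCache`. Stating whether implementations must be safe for concurrent use would also help, since the default implementation is backed by a `LinkedHashMap` subclass. The `public` modifier on interface methods is redundant and can be removed for style.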
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
new file mode 100644
index 0000000..b555122
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
@@ -0,0 +1,60 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+/**
+ * This initializes the AuthzCacheManager implementation to be used as defined by the configuration.
+ */
+public class AuthzCacheManagerFactory {
+ private final static Logger logger = LoggerFactory.getLogger(AuthzCacheManagerFactory.class);
+
+ public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException {
+ try {
+ Class authzCacheManagerImpl = Class.forName(ServerSettings.getAuthzCacheManagerClassName());
+ AuthzCacheManager authzCacheManager = (AuthzCacheManager) authzCacheManagerImpl.newInstance();
+ return authzCacheManager;
+ } catch (ClassNotFoundException e) {
+ String error = "Authorization Cache Manager class could not be found.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (ApplicationSettingsException e) {
+ String error = "Error in reading the configuration related to Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (InstantiationException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (IllegalAccessException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+
+ }
+ }
+
+}
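Review bot: The cast on the `newInstance()` line is unchecked, so a configured `authz.cache.manager.class` that loads but does not implement `AuthzCacheManager` escapes as a raw `ClassCastException` instead of the `AiravataSecurityException` the method declares; `asSubclass` makes the check explicit and a dedicated catch turns it into the declared exception (fence below), and it also removes the raw `Class` type. Each handler throws `new AiravataSecurityException(error)` without the caught exception; if that constructor has a cause-taking overload, pass `e` so the stack trace survives beyond the log line.
```java
public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException {
    try {
        Class<? extends AuthzCacheManager> authzCacheManagerImpl =
                Class.forName(ServerSettings.getAuthzCacheManagerClassName()).asSubclass(AuthzCacheManager.class);
        return authzCacheManagerImpl.newInstance();
    } catch (ClassCastException e) {
        String error = "Configured Authorization Cache Manager class does not implement AuthzCacheManager.";
        logger.error(e.getMessage(), e);
        throw new AiravataSecurityException(error);
    } // … unchanged: existing catch clauses for ClassNotFoundException, ApplicationSettingsException, InstantiationException and IllegalAccessException …
```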
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
new file mode 100644
index 0000000..232908d
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
@@ -0,0 +1,108 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Date;
+
+public class DefaultAuthzCacheManager implements AuthzCacheManager {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultAuthzCacheManager.class);
+
+ @Override
+ public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ if (isAuthzDecisionCached(authzCacheIndex)) {
+ AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);
+ long expiryTime = cacheEntry.getExpiryTime();
+ long currentTime = System.currentTimeMillis();
+ long timePassed = (currentTime - cacheEntry.getEntryTimestamp()) / 1000;
+ if (expiryTime > timePassed) {
+ //access token is still valid. Hence, return the cached decision
+ if (cacheEntry.getDecision()) {
+ return AuthzCachedStatus.AUTHORIZED;
+ } else {
+ return AuthzCachedStatus.NOT_AUTHORIZED;
+ }
+ } else {
+ //access token has been expired. Hence, remove the entry and return.
+ removeAuthzCacheEntry(authzCacheIndex);
+ return AuthzCachedStatus.NOT_CACHED;
+ }
+ } else {
+ return AuthzCachedStatus.NOT_CACHED;
+ }
+ }
+
+ @Override
+ public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().put(authzCacheIndex, authzCacheEntry);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ return AuthzCache.getInstance().containsKey(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ return AuthzCache.getInstance().get(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().remove(authzCacheIndex);
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+ }
+ }
+
+ @Override
+ public void clearCache() throws AiravataSecurityException {
+ try {
+ AuthzCache.getInstance().clear();
+ } catch (ApplicationSettingsException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in obtaining the authorization cache instance.");
+
+ }
+ }
+}
\ No newline at end of file
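Review bot: `getAuthzCachedStatus` calls `isAuthzDecisionCached` and then `getAuthzCacheEntry`, a check-then-act on the shared `AuthzCache` (a `LinkedHashMap` subclass, per the earlier hunk) with no synchronization; if another thread evicts or removes the entry between the two calls, `cacheEntry` is null and `getExpiryTime()` throws. Fetching once and null-checking removes the window: replace the `if (isAuthzDecisionCached(authzCacheIndex)) {` line and the line after it with `AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);` / `if (cacheEntry == null) { return AuthzCachedStatus.NOT_CACHED; }`, and drop the trailing `else` branch. Whether API calls reach this manager concurrently is not visible here; if they do, the underlying map also needs synchronized access (for example `Collections.synchronizedMap` around it or synchronized methods in `AuthzCache`). `java.util.Date` is imported but unused.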
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
new file mode 100644
index 0000000..42328d1
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java
@@ -0,0 +1,129 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.xacml;
+
+import org.apache.airavata.common.utils.Constants;
+import org.apache.airavata.model.security.AuthzToken;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub;
+import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException;
+import org.wso2.carbon.utils.CarbonUtils;
+import org.xml.sax.SAXException;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.rmi.RemoteException;
+import java.util.Map;
+
+/**
+ * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls
+ * through default PDP which is WSO2 Identity Server.
+ */
+public class DefaultXACMLPEP {
+
+ private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class);
+ private EntitlementServiceStub entitlementServiceStub;
+
+ public DefaultXACMLPEP(String auhorizationServerURL, String username, String password,
+ ConfigurationContext configCtx) throws AiravataSecurityException {
+ try {
+
+ String PDPURL = auhorizationServerURL + "EntitlementService";
+ entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL);
+ CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient());
+ } catch (AxisFault e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error initializing XACML PEP client.");
+ }
+
+ }
+
+ /**
+ * Send the XACML authorization request to XAML PDP and return the authorization decision.
+ *
+ * @param authzToken
+ * @param metaData
+ * @return
+ */
+ public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException {
+ String decision;
+ try {
+ String subject = authzToken.getClaimsMap().get(Constants.USER_NAME);
+ String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME);
+ String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null);
+ //parse the XML decision string and obtain the decision
+ decision = parseDecisionString(decisionString);
+ if (Constants.PERMIT.equals(decision)) {
+ return true;
+ } else {
+ logger.error("Authorization decision is: " + decision);
+ return false;
+ }
+ } catch (RemoteException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ } catch (EntitlementServiceException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in authorizing the user.");
+ }
+ }
+
+ /**
+ * This parses the XML based authorization response by the PDP and returns the decision string.
+ *
+ * @param decisionString
+ * @return
+ * @throws AiravataSecurityException
+ */
+ private String parseDecisionString(String decisionString) throws AiravataSecurityException {
+ try {
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
+ Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream);
+ Node resultNode = doc.getDocumentElement().getFirstChild();
+ Node decisionNode = resultNode.getFirstChild();
+ String decision = decisionNode.getTextContent();
+ return decision;
+ } catch (ParserConfigurationException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (UnsupportedEncodingException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (SAXException e) {
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ } catch (IOException e) {
+ logger.error("Error in parsing XACML authorization response.");
+ throw new AiravataSecurityException("Error in parsing XACML authorization response.");
+ }
+ }
+}
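Review bot: `parseDecisionString` builds a `DocumentBuilderFactory` with default settings, so the PDP response is parsed with DTDs and external entities enabled; the reply arrives over the network and the parser should be hardened before `parse` (fence below, which only touches the factory setup — `setFeature` throws `ParserConfigurationException`, which is already caught). Separately, `getAuthorizationDecision` forwards `subject` to the PDP without checking that the `USER_NAME` claim is present, so a token lacking it is evaluated with a null subject rather than rejected up front; a guard such as `if (subject == null) { throw new AiravataSecurityException("Authorization token carries no user name claim."); }` makes that explicit. The `getFirstChild().getFirstChild()` walk also assumes no whitespace text nodes between elements, so a pretty-printed response would return whitespace or null as the decision; selecting the decision element by name would be sturdier. Finally, the `IOException` handler drops the exception from the log, unlike the other three; `logger.error(e.getMessage(), e)` keeps them consistent.
```java
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
// the PDP reply is XML received over the network: refuse DOCTYPEs and entity expansion
// so a malformed or tampered response cannot trigger entity expansion or external fetches
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilderFactory.setXIncludeAware(false);
docBuilderFactory.setExpandEntityReferences(false);
InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8"));
// … unchanged: parse and walk to the decision node …
```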
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/modules/configuration/server/src/main/resources/airavata-server.properties
----------------------------------------------------------------------
diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties
index fb57382..d45e3d9 100644
--- a/modules/configuration/server/src/main/resources/airavata-server.properties
+++ b/modules/configuration/server/src/main/resources/airavata-server.properties
@@ -245,7 +245,7 @@ remote.oauth.authorization.server=https://localhost:9443/services/
authorization.policy=airavata-default-xacml-policy
#### authorization cache related configuration ####
authz.cache.enabled=true
-authz.cache.manager.class=org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager
+authz.cache.manager.class=org.apache.airavata.api.server.security.authzcache.DefaultAuthzCacheManager
in.memory.cache.size=1000
#### admin user credentials of authorization server ####
admin.user.name=admin