Posted to commits@directory.apache.org by sm...@apache.org on 2014/11/11 21:16:28 UTC
[4/5] directory-fortress-realm git commit: change package structure,
names, license, and pom improvements
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java b/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java
new file mode 100644
index 0000000..2f3790a
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/J2eePolicyMgrImpl.java
@@ -0,0 +1,575 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.security.Principal;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ReviewMgr;
+import org.apache.directory.fortress.core.ReviewMgrFactory;
+import org.apache.directory.fortress.core.AccessMgr;
+import org.apache.directory.fortress.core.AccessMgrFactory;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.realm.tomcat.TcPrincipal;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+
+/**
+ * This class is for components that use Websphere and Tomcat Container SPI's to provide
+ * Java EE Security capabilities. These APIs may be called by external programs as needed though the recommended
+ * practice is to use Fortress Core APIs like {@link org.apache.directory.fortress.core.AccessMgr} and {@link org.apache.directory.fortress.core.ReviewMgr}.
+ *
+ * @author Shawn McKinney
+ */
+public class J2eePolicyMgrImpl implements J2eePolicyMgr
+{
+ private static final String CLS_NM = J2eePolicyMgrImpl.class.getName();
+ private static final Logger log = Logger.getLogger( CLS_NM );
+ private static AccessMgr accessMgr;
+ private static ReviewMgr reviewMgr;
+ private static final String SESSION = "session";
+ private static int CONTEXT_SERIALIZATION_FAILED = 102;
+
+ static
+ {
+ try
+ {
+ accessMgr = AccessMgrFactory.createInstance( GlobalIds.HOME );
+ reviewMgr = ReviewMgrFactory.createInstance( GlobalIds.HOME );
+ log.info( J2eePolicyMgrImpl.class.getName() + " - Initialized successfully" );
+ }
+ catch ( SecurityException se )
+ {
+ String error = CLS_NM + " caught SecurityException=" + se;
+ log.fatal( error );
+ }
+ }
+
+
+ /**
+ * Perform user authentication and evaluate password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return boolean true if succeeds, false otherwise.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public boolean authenticate( String userId, char[] password ) throws SecurityException
+ {
+ boolean result = false;
+ Session session = accessMgr.authenticate( userId, password );
+ if ( session != null )
+ {
+ result = true;
+ if ( log.isEnabledFor( Level.DEBUG ) )
+ {
+ log.debug( CLS_NM + ".authenticate userId [" + userId + "] successful" );
+ }
+ }
+ else
+ {
+ if ( log.isEnabledFor( Level.DEBUG ) )
+ {
+ log.debug( CLS_NM + ".authenticate userId [" + userId + "] failed" );
+ }
+ }
+
+ return result;
+ }
+
+
+ /**
+ * Perform user authentication {@link org.apache.directory.fortress.core.rbac.User#password} and role activations.<br />
+ * This method must be called once per user prior to calling other methods within this class.
+ * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link
+ * User#roles} and Admin role {@link User#adminRoles}.<br />
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap
+ * .fortress.rbac.User#pwPolicy}..<br />
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}.
+ * <h4> This API will...</h4>
+ * <ul>
+ * <li> authenticate user password if trusted == false.
+ * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf
+ * .org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
+ * <li> fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()},
+ * regardless of trusted flag being set as parm on API.
+ * <li> evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link org.apache.directory.fortress.core.rbac.User},
+ * {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities.
+ * <li> process selective role activations into User RBAC Session {@link User#roles}.
+ * <li> check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session,
+ * org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core
+ * .rbac.User#roles}.
+ * <li> process selective administrative role activations {@link User#adminRoles}.
+ * <li> return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()},
+ * {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if
+ * everything checks out good.
+ * <li> throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation.
+ * <li> throw a {@link SecurityException} for system failures.
+ * <li> throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations.
+ * <li> throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors.
+ * <li> throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found.
+ * </ul>
+ * <h4>
+ * The function is valid if and only if:
+ * </h4>
+ * <ul>
+ * <li> the user is a member of the USERS data set
+ * <li> the password is supplied (unless trusted).
+ * <li> the (optional) active role set is a subset of the roles authorized for that user.
+ * </ul>
+ * <h4>
+ * The following attributes may be set when calling this method
+ * </h4>
+ * <ul>
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#userId} - required
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#password}
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and
+ * targeted for activation within this session. Default is all authorized RBAC roles will be activated into this
+ * Session.
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and
+ * targeted for activation. Default is all authorized ARBAC roles will be activated into this Session.
+ * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon. For example
+ * hostname:myservername or ip:192.168.1.99
+ * </ul>
+ * <h4>
+ * Notes:
+ * </h4>
+ * <ul>
+ * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
+ * <li> role activations will proceed in same order as supplied to User entity setter,
+ * see {@link org.apache.directory.fortress.core.rbac.User#setRole(String)}.
+ * </ul>
+ * </p>
+ *
+ * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId}.
+ * @param password maps to {@link org.apache.directory.fortress.core.rbac.User#password}.
+ * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that
+ * is used by Tomcat runtime.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public TcPrincipal createSession( String userId, char[] password ) throws SecurityException
+ {
+ User user = new User( userId, password );
+ return createSession( user );
+ }
+
+
+ /**
+ * Perform user authentication {@link User#password} and role activations.<br />
+ * This method must be called once per user prior to calling other methods within this class.
+ * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.apache.directory.fortress.core.rbac.User#pwPolicy}..<br />
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}.
+ * <h4> This API will...</h4>
+ * <ul>
+ * <li> authenticate user password if trusted == false.
+ * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
+ * <li> fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
+ * <li> evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link User}, {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities.
+ * <li> process selective role activations into User RBAC Session {@link User#roles}.
+ * <li> check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core.rbac.User#roles}.
+ * <li> process selective administrative role activations {@link User#adminRoles}.
+ * <li> return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()}, {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if everything checks out good.
+ * <li> throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation.
+ * <li> throw a {@link SecurityException} for system failures.
+ * <li> throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations.
+ * <li> throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors.
+ * <li> throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found.
+ * </ul>
+ * <h4>
+ * The function is valid if and only if:
+ * </h4>
+ * <ul>
+ * <li> the user is a member of the USERS data set
+ * <li> the password is supplied (unless trusted).
+ * <li> the (optional) active role set is a subset of the roles authorized for that user.
+ * </ul>
+ * <h4>
+ * The following attributes may be set when calling this method
+ * </h4>
+ * <ul>
+ * <li> {@link User#userId} - required
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#password}
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this Session.
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation. Default is all authorized ARBAC roles will be activated into this Session.
+ * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon. For example hostname:myservername or ip:192.168.1.99
+ * </ul>
+ * <h4>
+ * Notes:
+ * </h4>
+ * <ul>
+ * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
+ * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
+ * </ul>
+ * </p>
+ *
+ * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId}.
+ * @param password maps to {@link org.apache.directory.fortress.core.rbac.User#password}.
+ * @param roles constains list of role names to activate.
+ * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that is used by Tomcat runtime.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation failure, security policy violation or DAO error.
+ */
+ public TcPrincipal createSession(String userId, char[] password, List<String> roles)
+ throws SecurityException
+ {
+ User user = new User( userId, password );
+ // Load the passed in role list into list of User requested roles:
+ if(VUtil.isNotNullOrEmpty( roles ))
+ {
+ for(String role : roles)
+ {
+ user.setRole( role );
+ }
+ }
+ return createSession( user );
+ }
+
+
+ /**
+ * Utility function to call Fortress createSession, build the principal on behalf of caller.
+ *
+ * @param user
+ * @return
+ * @throws SecurityException
+ */
+ private TcPrincipal createSession( User user ) throws SecurityException
+ {
+ Session session = accessMgr.createSession( user, false );
+ if ( log.isEnabledFor( Level.DEBUG ) )
+ {
+ log.debug( CLS_NM + ".createSession userId [" + user.getUserId() + "] successful" );
+ }
+ HashMap context = new HashMap<String, Session>();
+ context.put( SESSION, session );
+
+ // now serialize the principal:
+ String ser = serialize( session );
+
+ // Store the serialized principal inside the context hashmap
+ // which allows overriden toString to return it later, from within an application thread.
+ // This facilitates assertion of rbac session from the tomcat realm into the web application session.
+ context.put( TcPrincipal.SERIALIZED, ser );
+ return new TcPrincipal( user.getUserId(), context );
+ }
+
+ /**
+ * Perform user authentication {@link org.apache.directory.fortress.core.rbac.User#password} and role activations.<br />
+ * This method must be called once per user prior to calling other methods within this class.
+ * The successful result is {@link org.apache.directory.fortress.core.rbac.Session} that contains target user's RBAC {@link
+ * User#roles} and Admin role {@link User#adminRoles}.<br />
+ * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap
+ * .fortress.rbac.User#pwPolicy}..<br />
+ * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.rbac.FortEntity}.
+ * <h4> This API will...</h4>
+ * <ul>
+ * <li> authenticate user password if trusted == false.
+ * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf
+ * .org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
+ * <li> fail for any user who is locked by OpenLDAP's policies {@link org.apache.directory.fortress.core.rbac.User#isLocked()},
+ * regardless of trusted flag being set as parm on API.
+ * <li> evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s) on {@link org.apache.directory.fortress.core.rbac.User},
+ * {@link org.apache.directory.fortress.core.rbac.UserRole} and {@link org.apache.directory.fortress.core.rbac.UserAdminRole} entities.
+ * <li> process selective role activations into User RBAC Session {@link User#roles}.
+ * <li> check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(org.apache.directory.fortress.core.rbac.Session,
+ * org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)} on {@link org.apache.directory.fortress.core
+ * .rbac.User#roles}.
+ * <li> process selective administrative role activations {@link User#adminRoles}.
+ * <li> return a {@link org.apache.directory.fortress.core.rbac.Session} containing {@link org.apache.directory.fortress.core.rbac.Session#getUser()},
+ * {@link org.apache.directory.fortress.core.rbac.Session#getRoles()} and {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()} if
+ * everything checks out good.
+ * <li> throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException} or its derivation.
+ * <li> throw a {@link SecurityException} for system failures.
+ * <li> throw a {@link org.apache.directory.fortress.core.PasswordException} for authentication and password policy violations.
+ * <li> throw a {@link org.apache.directory.fortress.core.ValidationException} for data validation errors.
+ * <li> throw a {@link org.apache.directory.fortress.core.FinderException} if User id not found.
+ * </ul>
+ * <h4>
+ * The function is valid if and only if:
+ * </h4>
+ * <ul>
+ * <li> the user is a member of the USERS data set
+ * <li> the password is supplied (unless trusted).
+ * <li> the (optional) active role set is a subset of the roles authorized for that user.
+ * </ul>
+ * <h4>
+ * The following attributes may be set when calling this method
+ * </h4>
+ * <ul>
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#userId} - required
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#password}
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#roles} contains a list of RBAC role names authorized for user and
+ * targeted for activation within this session. Default is all authorized RBAC roles will be activated into this
+ * Session.
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#adminRoles} contains a list of Admin role names authorized for user and
+ * targeted for activation. Default is all authorized ARBAC roles will be activated into this Session.
+ * <li> {@link org.apache.directory.fortress.core.rbac.User#props} collection of name value pairs collected on behalf of User during
+ * signon. For example hostname:myservername or ip:192.168.1.99
+ * </ul>
+ * <h4>
+ * Notes:
+ * </h4>
+ * <ul>
+ * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
+ * <li> role activations will proceed in same order as supplied to User entity setter,
+ * see {@link org.apache.directory.fortress.core.rbac.User#setRole(String)}.
+ * </ul>
+ * </p>
+ *
+ * @param user Contains {@link org.apache.directory.fortress.core.rbac.User#userId}, {@link org.apache.directory.fortress.core.rbac.User#password}
+ * (optional if {@code isTrusted} is 'true'), optional {@link org.apache.directory.fortress.core.rbac.User#roles},
+ * optional {@link org.apache.directory.fortress.core.rbac.User#adminRoles}
+ * @param isTrusted if true password is not required.
+ * @return Session object will contain authentication result code {@link org.apache.directory.fortress.core.rbac.Session#errorId},
+ * RBAC role activations {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, Admin Role activations {@link org.openldap
+ * .fortress.rbac.Session#getAdminRoles()},OpenLDAP pw policy codes {@link org.apache.directory.fortress.core.rbac
+ * .Session#warningId}, {@link org.apache.directory.fortress.core.rbac.Session#expirationSeconds},
+ * {@link org.apache.directory.fortress.core.rbac.Session#graceLogins} and more.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation failure, security policy violation or DAO error.
+ */
+ @Override
+ public Session createSession( User user, boolean isTrusted ) throws SecurityException
+ {
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( CLS_NM + ".createSession userId [" + user.getUserId() + "] " );
+ }
+ return accessMgr.createSession( user, isTrusted );
+ }
+
+
+ /**
+ * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit
+ * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat
+ * .TcPrincipal#setContext(java.util.HashMap)}
+ *
+ * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+ * @param roleName Maps to {@link org.apache.directory.fortress.core.rbac.Role#name}.
+ * @return True if Role is found in TcPrincipal, false otherwise.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * data validation failure or system error..
+ */
+ @Override
+ public boolean hasRole( Principal principal, String roleName ) throws SecurityException
+ {
+ String fullMethodName = CLS_NM + ".hasRole";
+ if ( log.isDebugEnabled() )
+ {
+ log.debug( fullMethodName + " userId [" + principal.getName() + "] role [" + roleName + "]" );
+ }
+
+ // Fail closed
+ boolean result = false;
+
+ // Principal must contain a HashMap that contains a Fortress session object.
+ HashMap<String, Session> context = ( ( TcPrincipal ) principal ).getContext();
+ VUtil.assertNotNull( context, GlobalErrIds.SESS_CTXT_NULL, fullMethodName );
+
+ // This Map must contain a Fortress Session:
+ Session session = context.get( SESSION );
+ VUtil.assertNotNull( session, GlobalErrIds.USER_SESS_NULL, fullMethodName );
+
+ Set<String> authZRoles = accessMgr.authorizedRoles( session );
+ if ( authZRoles != null && authZRoles.size() > 0 )
+ {
+ // Does the set of authorized roles contain a name matched to the one passed in?
+ if ( authZRoles.contains( roleName ) )
+ {
+ // Yes, we have a match.
+ if ( log.isEnabledFor( Level.DEBUG ) )
+ {
+ log.debug( fullMethodName + " userId [" + principal.getName() + "] role [" + roleName + "] " +
+ "successful" );
+ }
+ result = true;
+ }
+ else
+ {
+ if ( log.isEnabledFor( Level.DEBUG ) )
+ {
+ // User is not authorized in their Session..
+ log.debug( fullMethodName + " userId [" + principal.getName() + "] is not authorized role [" +
+ roleName + "]" );
+ }
+ }
+ }
+ else
+ {
+ // User does not have any authorized Roles in their Session..
+ log.info( fullMethodName + " userId [" + principal.getName() + "], role [" + roleName + "], has no authorized roles" );
+ }
+ return result;
+ }
+
+
+ /**
+ * Method reads Role entity from the role container in directory.
+ *
+ * @param roleName maps to {@link org.apache.directory.fortress.core.rbac.Role#name}, to be read.
+ * @return Role entity that corresponds with role name.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * will be thrown if role not found or system error occurs.
+ */
+ @Override
+ public Role readRole( String roleName ) throws SecurityException
+ {
+ return reviewMgr.readRole( new Role( roleName ) );
+ }
+
+
+ /**
+ * Search for Roles assigned to given User.
+ *
+ * @param searchString Maps to {@link org.apache.directory.fortress.core.rbac.User#userId}.
+ * @param limit controls the size of ldap result set returned.
+ * @return List of type String containing the {@link org.apache.directory.fortress.core.rbac.Role#name} of all assigned Roles.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation failure or DAO error.
+ */
+ @Override
+ public List<String> searchRoles( String searchString, int limit ) throws SecurityException
+ {
+ return reviewMgr.findRoles( searchString, limit );
+ }
+
+
+ /**
+ * Method returns matching User entity that is contained within the people container in the directory.
+ *
+ * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId} that matches record in the directory. userId
+ * is globally unique in
+ * people container.
+ * @return entity containing matching user data.
+ * @throws SecurityException if record not found or system error occurs.
+ */
+ @Override
+ public User readUser( String userId ) throws SecurityException
+ {
+ return reviewMgr.readUser( new User( userId ) );
+ }
+
+
+ /**
+ * Return a list of type String of all users in the people container that match the userId field passed in User
+ * entity.
+ * This method is used by the Websphere sentry component. The max number of returned users may be set by the
+ * integer limit arg.
+ *
+ * @param searchString contains all or some leading chars that correspond to users stored in the directory.
+ * @param limit integer value sets the max returned records.
+ * @return List of type String containing matching userIds.
+ * @throws SecurityException in the event of system error.
+ */
+ @Override
+ public List<String> searchUsers( String searchString, int limit ) throws SecurityException
+ {
+ return reviewMgr.findUsers( new User( searchString ), limit );
+ }
+
+
+ /**
+ * This function returns the set of users assigned to a given role. The function is valid if and
+ * only if the role is a member of the ROLES data set.
+ * The max number of users returned is constrained by limit argument.
+ * This method is used by the Websphere sentry component. This method does NOT use hierarchical rbac.
+ *
+ * @param roleName maps to {@link org.apache.directory.fortress.core.rbac.Role#name} of Role entity assigned to user.
+ * @param limit integer value sets the max returned records.
+ * @return List of type String containing userIds assigned to a particular role.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * in the event of data validation or system error.
+ */
+ @Override
+ public List<String> assignedUsers( String roleName, int limit ) throws SecurityException
+ {
+ return reviewMgr.assignedUsers( new Role( roleName ), limit );
+ }
+
+
+ /**
+ * This function returns the set of roles authorized for a given user. The function is valid if
+ * and only if the user is a member of the USERS data set.
+ *
+ * @param userId maps to {@link org.apache.directory.fortress.core.rbac.User#userId} matching User entity stored in the directory.
+ * @return Set of type String containing the roles assigned and roles inherited.
+ * @throws SecurityException If user not found or system error occurs.
+ */
+ @Override
+ public List<String> authorizedRoles( String userId ) throws SecurityException
+ {
+ List<String> list = null;
+ // This will check temporal constraints on User and Roles.
+ Session session = createSession( new User( userId ), true );
+ // Get the Set of authorized Roles.
+ Set<String> authZRoleSet = accessMgr.authorizedRoles( session );
+ // If User has authorized roles.
+ if ( authZRoleSet != null && authZRoleSet.size() > 0 )
+ {
+ // Convert the Set into a List before returning:
+ list = new ArrayList<String>( authZRoleSet );
+ }
+ return list;
+ }
+
+ /**
+ * Utility to write any object into a Base64 string. Used by this class to serialize {@link TcPrincipal} object to be returned by its toString method..
+ */
+ private String serialize( Object obj ) throws SecurityException
+ {
+ String szRetVal = null;
+ if( obj != null )
+ {
+ try
+ {
+ ByteArrayOutputStream bo = new ByteArrayOutputStream();
+ ObjectOutputStream so = new ObjectOutputStream( bo );
+ so.writeObject( obj );
+ so.flush();
+ // This encoding induces a bijection between byte[] and String (unlike UTF-8)
+ szRetVal = bo.toString( "ISO-8859-1" );
+ }
+ catch ( IOException ioe )
+ {
+ String error = "serialize caught IOException: " + ioe;
+ throw new SecurityException(CONTEXT_SERIALIZATION_FAILED, error);
+ }
+ }
+ return szRetVal;
+ }
+}
+
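Review bot: `hasRole` casts `principal` to `TcPrincipal` with no type check, so any other `Principal` implementation throws an undeclared `ClassCastException` instead of the fail-closed `false` the comment above it promises or a `SecurityException` the caller is prepared for; guard before the cast, e.g. `if ( !( principal instanceof TcPrincipal ) ) { log.warn( fullMethodName + " principal is not a TcPrincipal" ); return false; }`. The static initializer has a similar gap: a `SecurityException` from the factories is logged at fatal level but `accessMgr`/`reviewMgr` are left null, so every later call fails with a `NullPointerException` rather than a clear initialization error — rethrowing as `ExceptionInInitializerError` (or checking the fields on entry) would make the failed realm setup explicit. Since this commit is the package rename, the Javadoc on the `createSession` overloads still links the old `org.openldap.fortress.rbac.User#pwPolicy` and `org.openldap.fortress.rbac.Session#getAdminRoles()` names, which will not resolve. Smaller points: `createSession(User)` builds `context` as a raw `HashMap` and then stores a `String` under `TcPrincipal.SERIALIZED` in a map that `hasRole` reads back as `HashMap<String, Session>`, a mismatch a typed map of `Object` values would make visible; `serialize` should wrap the `ObjectOutputStream` in try-with-resources; `CONTEXT_SERIALIZATION_FAILED` should be `final`; and `authorizedRoles` returns `null` for a user with no roles where an empty list would spare callers a null check.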
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/package.html
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/package.html b/impl/src/main/java/org/apache/directory/fortress/realm/package.html
new file mode 100644
index 0000000..d3ee7a1
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/package.html
@@ -0,0 +1,27 @@
+<!--
+ ~ This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ ~
+ ~ Copyright 1998-2014 The OpenLDAP Foundation.
+ ~ All rights reserved.
+ ~
+ ~ Redistribution and use in source and binary forms, with or without
+ ~ modification, are permitted only as authorized by the OpenLDAP
+ ~ Public License.
+ ~
+ ~ A copy of this license is available in the file LICENSE in the
+ ~ top-level directory of the distribution or, alternatively, at
+ ~ <http://www.OpenLDAP.org/license.html>.
+ -->
+<html>
+ <head>
+ <title>Package Documentation for Fortress Sentry</title>
+ </head>
+ <body>
+ <p>
+ This package is the Java Sentry component. The Fortress Java Sentry provides APIs that are used by
+ Java EE applications to perform authentication, authorization and audit within runtime
+ application server environments. The APIs are not called directly by outside client programs rather they
+ are called by the application servers during runtime policy enforcement.
+ </p>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java
new file mode 100644
index 0000000..dccf5c0
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TC7AccessMgrFascade.java
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.realm.util.CpUtil;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.realm.RealmBase;
+
+import java.net.URL;
+import java.security.Principal;
+import java.net.URLClassLoader;
+import java.util.logging.Logger;
+
+import org.apache.directory.fortress.realm.util.ChildFirstUrlClassLoader;
+
+/**
+ * This class extends the Tomcat 7 and beyond RealmBase class and provides Java EE security services within the Tomcat container.
+ * This class is a "proxy" for the {@link org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl} class which isolates dependencies from the Tomcat
+ * runtime environment by loading the implementation on a URLClassLoader.
+ *
+ * @author Shawn McKinney
+ */
+public class TC7AccessMgrFascade extends RealmBase
+{
+ private static final String CLS_NM = TC7AccessMgrFascade.class.getName();
+ private static final Logger log = Logger.getLogger(CLS_NM);
+ private static final String REALM_IMPL = "org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl";
+ private static final String REALM_CLASSPATH = "REALM_CLASSPATH";
+ private static final String JBOSS_AGENT = "jboss";
+ private static String container = "Catalina7";
+ private static String defaultRoles;
+ private String realmClasspath;
+ private TcAccessMgr realm = new TcAccessMgrImpl();
+
+ /**
+ * Gets the info attribute of the TcAccessMgrProxy object
+ *
+ * @return The info value
+ */
+ @Override
+ public String getInfo()
+ {
+ return info;
+ }
+
+
+ /**
+ * Perform user authentication and evaluate password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return Principal whic * This method will load the Fortress Tomcat implementation on a URL classloader. Methods on the implementation are
+ * wrapped by methods on this class and are accessed via the {@code realm} instance variable of this class.
+ */
+ @Override
+ public Principal authenticate(String userId, String password)
+ {
+ if(realm == null)
+ {
+ throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration");
+ }
+ return realm.authenticate(userId, password.toCharArray());
+ }
+
+
+ /**
+ * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit
+ * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat.TcPrincipal#setContext(java.util.HashMap)}
+ *
+ * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+ * @param role Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+ * @return True if Role is found in TcPrincipal, false otherwise.
+ */
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role)
+ {
+ if(realm == null)
+ {
+ throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly. Check your Fortress Realm configuration");
+ }
+ return realm.hasRole(principal, role);
+ }
+
+ /**
+ * Gets the name attribute of the TcAccessMgrProxy object
+ *
+ * @return The name value
+ */
+ @Override
+ protected String getName()
+ {
+ return (CLS_NM);
+ }
+
+
+ /**
+ * Gets the password attribute of the TcAccessMgrProxy object
+ *
+ * @param username Description of the Parameter
+ * @return The password value
+ */
+ @Override
+ protected String getPassword(String username)
+ {
+ return (null);
+ }
+
+
+ /**
+ * Gets the principal attribute of the TcAccessMgrProxy object
+ *
+ * @param username Description of the Parameter
+ * @return The principal value
+ */
+ @Override
+ protected Principal getPrincipal(String username)
+ {
+ return (null);
+ }
+
+
+ /**
+ * Prepare for the beginning of active use of the public methods of this
+ * component and implement the requirements of
+ * {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
+ *
+ * @throws LifecycleException if this component detects a fatal error
+ * that prevents this component from being used
+ */
+ @Override
+ protected void startInternal() throws LifecycleException
+ {
+ super.startInternal();
+ }
+
+ /**
+ * Gracefully terminate the active use of the public methods of this
+ * component and implement the requirements of
+ * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}.
+ *
+ * @throws LifecycleException if this component detects a fatal error
+ * that needs to be reported
+ */
+ @Override
+ protected void stopInternal() throws LifecycleException
+ {
+
+ // Perform normal superclass finalization
+ super.stopInternal();
+
+ // Release reference to our sentry impl
+ realm = null;
+
+ }
+
+ /**
+ * Gets the containerType attribute of the TcAccessMgrProxy object
+ *
+ * @return The containerType value
+ */
+ public String getContainerType()
+ {
+ return container;
+ }
+
+ /**
+ * Sets the containerType attribute of the TcAccessMgrProxy object
+ *
+ * @param container The new containerType value
+ */
+ public void setContainerType(String container)
+ {
+ log.info(CLS_NM + ".setContainerType <" + container + ">");
+ this.container = container;
+ }
+
+ /**
+ * Gets the realmClasspath attribute of the TcAccessMgrProxy object
+ *
+ * @return The realmClasspath value
+ */
+ public String getRealmClasspath()
+ {
+ log.info(CLS_NM + ".getRealmClasspath <" + realmClasspath + ">");
+ return realmClasspath;
+ }
+
+ /**
+ * Sets the realmClasspath attribute of the TcAccessMgrProxy object
+ *
+ * @param rCpth The new realmClasspath value
+ */
+ public void setRealmClasspath(String rCpth)
+ {
+ log.info(CLS_NM + ".setRealmClasspath <" + rCpth + ">");
+ this.realmClasspath = rCpth;
+ }
+
+ /**
+ * Gets the defaultRoles attribute of the TcAccessMgrProxy object. When set, it will be passed into all subsequent calls to Fortress createSession.
+ *
+ * @return String containing comma delimited list of role names.
+ */
+ public static String getDefaultRoles()
+ {
+ log.info(CLS_NM + ".getDefaultRoles <" + defaultRoles + ">");
+ return defaultRoles;
+ }
+
+ /**
+ * Sets the defaultRoles attribute of the TcAccessMgrProxy object. When set, it will be passed into all subsequent calls to Fortress createSession.
+ *
+ * @param defaultRoles containing comma delimited list of role names.
+ */
+ public static void setDefaultRoles( String defaultRoles )
+ {
+ log.info(CLS_NM + ".setDefaultRoles <" + defaultRoles + ">");
+ TC7AccessMgrFascade.defaultRoles = defaultRoles;
+ }
+}
\ No newline at end of file
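Review bot: `authenticate` dereferences `password` without a null check at `return realm.authenticate(userId, password.toCharArray());`, so a request that reaches the realm with no credential (Tomcat may pass a null password) surfaces as a NullPointerException instead of the null return that RealmBase callers treat as an authentication failure; `if (userId == null || password == null) { return null; }` before the call keeps the deny path explicit. The static `defaultRoles` stored by `setDefaultRoles` is never handed to `realm` anywhere in this class, so the documented "passed into all subsequent calls to Fortress createSession" does not happen unless the wiring lives outside this file; forwarding it to `realm` in `startInternal` would close that gap if the `TcAccessMgr` interface exposes a setter. `stopInternal` sets `realm = null` but `startInternal` does not recreate it, so a realm restarted in place will throw the RuntimeException on every `authenticate` call thereafter. The guard message in `hasRole` (`... "authenticate detected Fortress Tomcat7 Realm not initialized correctly ..."`) is copied from `authenticate` and should name `hasRole`. The class Javadoc says the implementation is loaded on a URLClassLoader, but the field is initialised with `new TcAccessMgrImpl()` and the `URL`, `URLClassLoader`, `CpUtil` and `ChildFirstUrlClassLoader` imports are unused, and the `authenticate` Javadoc is truncated mid-sentence at `@return Principal whic`; the comment should describe what the code now does.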
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
new file mode 100644
index 0000000..c0628ec
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgrImpl.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.realm.J2eePolicyMgr;
+import org.apache.directory.fortress.realm.J2eePolicyMgrFactory;
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * This class runs on a URL classloader and provides Fortress runtime security services for the Tomcat container.
+ *
+ * @author Shawn McKinney
+ */
+public class TcAccessMgrImpl implements TcAccessMgr
+{
+ private static final String CLS_NM = TcAccessMgrImpl.class.getName();
+ private static final Logger log = Logger.getLogger(CLS_NM);
+ private static int count = 0;
+ private J2eePolicyMgr j2eeMgr;
+ // If this field gets set, use for all subsequent calls to authenticate:
+ private List<String> defaultRoles;
+
+ /**
+ * Constructor for the TcAccessMgrImpl object
+ */
+ public TcAccessMgrImpl()
+ {
+ try
+ {
+ j2eeMgr = J2eePolicyMgrFactory.createInstance();
+ log.info(CLS_NM + " constructor <" + count++ + ">");
+ }
+ catch (SecurityException se)
+ {
+ String error = CLS_NM + " constructor caught SecurityException=" + se;
+ log.fatal(error);
+ se.printStackTrace();
+ throw new java.lang.RuntimeException(error, se);
+ }
+ }
+
+ /**
+ * Perform user authentication and evaluate password policies.
+ *
+ * @param userId Contains the userid of the user signing on.
+ * @param password Contains the user's password.
+ * @return Principal which contains the Fortress RBAC session data.
+ */
+ public Principal authenticate(String userId, char[] password)
+ {
+ TcPrincipal prin = null;
+ try
+ {
+ // If a 'default.roles' property set in config, user them
+ if( VUtil.isNotNullOrEmpty( defaultRoles ))
+ {
+ prin = j2eeMgr.createSession( userId, password, defaultRoles );
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".authenticate userId [" + userId + "], with default roles [" + defaultRoles + "], successful");
+ }
+ }
+ else
+ {
+ prin = j2eeMgr.createSession(userId, password);
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".authenticate userId [" + userId + "] successful");
+ }
+ }
+ }
+ catch (SecurityException se)
+ {
+ String warning = CLS_NM + ".authenticate userId <" + userId + "> caught SecurityException=" + se;
+ log.warn(warning);
+ }
+ return prin;
+ }
+
+ /**
+ * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit
+ * the ldap server as the User's activated Roles are loaded into {@link TcPrincipal#setContext(java.util.HashMap)}
+ *
+ * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+ * @param roleName Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+ * @return True if Role is found in TcPrincipal, false otherwise.
+ */
+ public boolean hasRole(Principal principal, String roleName)
+ {
+ boolean result = false;
+ String userId = principal.getName();
+ try
+ {
+ if (j2eeMgr.hasRole(principal, roleName))
+ {
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".hasRole userId <" + principal.getName() + "> role <" + roleName + "> successful");
+ }
+ result = true;
+ }
+ else
+ {
+ if (log.isEnabledFor(Level.DEBUG))
+ {
+ log.debug(CLS_NM + ".hasRole userId <" + principal.getName() + "> role <" + roleName + "> failed");
+ }
+ }
+ }
+ catch (SecurityException se)
+ {
+ String warning = CLS_NM + ".hasRole userId <" + userId + "> role <" + roleName + "> caught SecurityException=" + se;
+ log.warn(warning);
+ }
+ return result;
+ }
+
+ /**
+ * When the 'defaultRoles' parameter is set on realm proxy config (e.g. in server.xml or context.xml) it will be used to pass into
+ * createSession calls into Fortress. This will scope the roles to be considered for activation to this particular set.
+ *
+ * @param szDefaultRoles contains a String containing comma delimited roles names.
+ */
+ public void setDefaultRoles(String szDefaultRoles)
+ {
+ if( VUtil.isNotNullOrEmpty( szDefaultRoles ))
+ {
+ defaultRoles = Arrays.asList(szDefaultRoles.split("\\s*,\\s*"));
+ log.info( "DEFAULT ROLES: " + defaultRoles );
+ }
+ }
+}
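Review bot: `hasRole` dereferences `principal` at `String userId = principal.getName();` before any null check, so a call with an absent principal fails with a NullPointerException rather than the `false` the method otherwise returns on denial; a guard `if (principal == null) { return false; }` at the top keeps the deny-by-default path. The `catch (SecurityException se)` blocks in `authenticate` and `hasRole` fold the exception into the message and call `log.warn(warning)`, which discards the stack trace; `log.warn(warning, se)` preserves it. In the constructor, `se.printStackTrace()` writes to stderr outside the configured logger and duplicates what `log.fatal` records, so it should be dropped in favour of `log.fatal(error, se)`. `count++` on a static field in the constructor is not atomic, which only matters if the container constructs this class from several threads; an `AtomicInteger` would make the counter reliable.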
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
----------------------------------------------------------------------
diff --git a/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
new file mode 100644
index 0000000..0c430c1
--- /dev/null
+++ b/impl/src/main/java/org/apache/directory/fortress/realm/tomcat/TcPrincipal.java
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.core.rbac.Session;
+
+import java.util.HashMap;
+
+/**
+ * Contains the Fortress RBAC session that has been created on behalf of an end user who has
+ * signed onto Tomcat system. The session contains the User's active roles and other security attributes.
+ *
+ * @author Shawn McKinney
+ */
+public class TcPrincipal implements java.security.Principal, java.io.Serializable
+{
+ public static final String SERIALIZED = "SERIALIZED";
+ private HashMap<String, Session> context;
+ private String name;
+
+
+ /**
+ * Constructor for the TcPrincipal object. Accepts a HashMap which
+ * contains the Fortress session.
+ *
+ * @param name contains the userId of User who signed onto Tomcat.
+ * @param context Instantiated HashMap that contains the User's Fortress session data.
+ */
+ public TcPrincipal( String name, HashMap<String, Session> context )
+ {
+ if ( context == null || name == null )
+ {
+ throw new NullPointerException( TcPrincipal.class.getName() + " Null Map passed to constructor" );
+ }
+ this.context = context;
+ this.name = name;
+ }
+
+
+ /**
+ * Return the HashMap to the caller. This HashMap contains the User's Fortress session data.
+ *
+ * @return HashMap reference to security session data.
+ */
+ public final HashMap<String, Session> getContext()
+ {
+ return context;
+ }
+
+
+ /**
+ * Return the userId of the end User who has signed onto Tomcat and is represented by this principal object.
+ *
+ * @return Contains the end userId.
+ */
+ public final String getName()
+ {
+ return name;
+ }
+
+
+ /**
+ * Set a new HashMap reference into this Principal object.
+ *
+ * @param context HashMap reference to security session data.
+ */
+ public final void setContext( HashMap<String, Session> context )
+ {
+ this.context = context;
+ }
+
+
+ /**
+ * This method returns a string containing the serialized instance of this object.
+ *
+ * @return Return this object in serialized format.
+ */
+ public final String toString()
+ {
+ String ser = null;
+ HashMap context = getContext();
+ if ( context != null )
+ {
+ ser = (String)context.get( SERIALIZED );
+ }
+ return ser;
+ }
+
+ /**
+ * Determine if the caller supplied a reference to a security Principal that is equal to the current value.
+ *
+ * @param o Contains reference to the Principal.
+ * @return true if the userId on both Principal objects is equal, false otherwise.
+ */
+ public final boolean equals( Object o )
+ {
+ if ( o == null )
+ {
+ return false;
+ }
+ if ( this == o )
+ {
+ return true;
+ }
+ if ( !( o instanceof TcPrincipal ) )
+ {
+ return false;
+ }
+ TcPrincipal that = ( TcPrincipal ) o;
+
+ if ( this.getName().equals( that.getName() ) )
+ {
+ return true;
+ }
+ return false;
+ }
+
+
+ /**
+ * Compute the hashcode for the current userId asserted into this Principal object.
+ *
+ * @return Description of the Return Value
+ */
+ public final int hashCode()
+ {
+ return name.hashCode();
+ }
+}
+
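Review bot: `toString` declares its local as raw `HashMap context` and casts `context.get( SERIALIZED )` to `String`, although the field is typed `HashMap<String, Session>`; the raw type hides that the map is carrying a non-`Session` value under the `SERIALIZED` key, so either the declared value type does not reflect what is stored or a `Session` stored under that key will throw ClassCastException here. Keeping the generic type and holding the serialized form in its own field (or a `Map<String, Object>` with a documented key set) would make the contract visible to the compiler. `setContext` accepts `null` while the constructor rejects it, so the non-null invariant the constructor establishes is not maintained; applying the same check there is a one-line change. `equals`, `hashCode`, `toString` and `getName` lack `@Override`, and the body of `equals` reduces to `return name.equals( that.name );`.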
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/ivy.xml
----------------------------------------------------------------------
diff --git a/ivy.xml b/ivy.xml
index bc145e9..fba7e48 100644
--- a/ivy.xml
+++ b/ivy.xml
@@ -1,21 +1,26 @@
<!--
- ~ This work is part of OpenLDAP Software <http://www.openldap.org/>.
- ~
- ~ Copyright 1998-2014 The OpenLDAP Foundation.
- ~ All rights reserved.
- ~
- ~ Redistribution and use in source and binary forms, with or without
- ~ modification, are permitted only as authorized by the OpenLDAP
- ~ Public License.
- ~
- ~ A copy of this license is available in the file LICENSE in the
- ~ top-level directory of the distribution or, alternatively, at
- ~ <http://www.OpenLDAP.org/license.html>.
- -->
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
<ivy-module version="2.0">
- <info organisation="org.apache" module="openldap-fortress-realm"/>
+ <info organisation="org.apache" module="fortress-core-realm"/>
<dependencies>
- <dependency org="org.openldap" name="fortress" rev="1.0-RC39" conf="default->master"/>
+ <dependency org="org.apache.directory" name="fortress-core" rev="1.0-RC40" conf="default->master"/>
+<!-- <dependency org="org.openldap" name="fortress" rev="1.0-RC39" conf="default->master"/>-->
<dependency org="commons-lang" name="commons-lang" rev="2.4" conf="default->master"/>
<dependency org="commons-configuration" name="commons-configuration" rev="1.6" conf="default->master"/>
<dependency org="commons-lang" name="commons-lang" rev="2.4" conf="default->master"/>
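Review bot: The commented-out `<dependency org="org.openldap" name="fortress" rev="1.0-RC39" .../>` kept beside the new `fortress-core` dependency is dead configuration and should be deleted rather than retained next to its replacement. The surrounding context also shows `commons-lang` 2.4 declared twice, which is pre-existing but this hunk is the natural place to drop the duplicate.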
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 4dad5df..bcd9df3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,49 +1,405 @@
+<?xml version="1.0" encoding="UTF-8"?>
<!--
- ~ This work is part of OpenLDAP Software <http://www.openldap.org/>.
- ~
- ~ Copyright 1998-2014 The OpenLDAP Foundation.
- ~ All rights reserved.
- ~
- ~ Redistribution and use in source and binary forms, with or without
- ~ modification, are permitted only as authorized by the OpenLDAP
- ~ Public License.
- ~
- ~ A copy of this license is available in the file LICENSE in the
- ~ top-level directory of the distribution or, alternatively, at
- ~ <http://www.OpenLDAP.org/license.html>.
- -->
-<project>
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
- <groupId>org.openldap</groupId>
- <artifactId>sentry</artifactId>
- <packaging>jar</packaging>
- <name>Fortress Sentry</name>
- <version>1.0-RC39</version>
- <description>Sentry is an ANSI RBAC INCITS 359 compliant policy enforcement engine.</description>
- <url>http://www.openldap.org/fortress/</url>
+ <groupId>org.apache.directory</groupId>
+ <artifactId>fortress-realm</artifactId>
+ <packaging>pom</packaging>
+ <name>Apache Fortress Realm</name>
+ <description>Fortress Realm is an ANSI RBAC INCITS 359 compliant policy enforcement engine.</description>
+ <url>http://directory.apache.org/foress/</url>
+ <version>1.0-RC40</version>
+
+ <properties>
+ <projectName>apache-directory-fortress-realm</projectName>
+ <distMgmtSiteUrl>scpexe://people.apache.org/www/directory.apache.org/api/gen-docs/${project.version}/
+ </distMgmtSiteUrl>
+
+ <!-- Set versions for depending projects -->
+ <skin.version>1.0.2</skin.version>
+ <org.apache.directory.junit.junit-addons.version>0.1</org.apache.directory.junit.junit-addons.version>
+ <org.apache.directory.checkstyle-configuration.version>0.1</org.apache.directory.checkstyle-configuration.version>
+ <slf4j.api.version>1.7.5</slf4j.api.version>
+ <slf4j.log4j12.version>1.7.5</slf4j.log4j12.version>
+ <junit.version>4.11</junit.version>
+
+ <!-- Set versions for depending jars -->
+ <fortress-core.version>1.0-RC40</fortress-core.version>
+
+ <!-- Set versions for depending jars -->
+ <findbugs.annotations.version>1.0.0</findbugs.annotations.version>
+ </properties>
+
<licenses>
<license>
- <name>OpenLDAP Public License</name>
- <url>http://www.OpenLDAP.org/license.html</url>
- <distribution>repo</distribution>
+ <name>Apache License 2.0</name>
+ <url>http://www.apache.org/licenses/LICENSE-2.0</url>
</license>
</licenses>
<scm>
- <url>http://www.openldap.org/software/repo/openldap-fortress-realm.git</url>
- <connection>git://git.openldap.org/openldap-fortress-realm.git</connection>
+ <connection>scm:git:http://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git</connection>
+ <developerConnection>scm:git:https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git</developerConnection>
+ <tag>HEAD</tag>
</scm>
+
+ <issueManagement>
+ <system>jira</system>
+ <url>https://issues.apache.org/jira/browse/DIRREALM</url>
+ </issueManagement>
+
+ <parent>
+ <groupId>org.sonatype.oss</groupId>
+ <artifactId>oss-parent</artifactId>
+ <version>7</version>
+ </parent>
+
+ <mailingLists>
+ <mailingList>
+ <name>Apache Directory -- Fortress List</name>
+ <post>fortress@directory.apache.org</post>
+ <archive>http://mail-archives.apache.org/mod_mbox/directory-fortress/</archive>
+ </mailingList>
+ </mailingLists>
+
<developers>
<developer>
+ <id>elecharny</id>
+ <name>Emmanuel Lecharny</name>
+ <email>elecharny@@apache.org</email>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <organization>Apache Software Foundation</organization>
+ <timezone>+1</timezone>
+ </developer>
+ <developer>
<id>smckinney</id>
<name>Shawn McKinney</name>
- <email>smckinney@symas.com</email>
+ <email>smckinney@apache.org</email>
+ <timezone>-6</timezone>
</developer>
</developers>
+
+ <modules>
+ <module>impl</module>
+ <module>proxy</module>
+ </modules>
+
+ <build>
+
+ <finalName>${project.artifactId}-${version}</finalName>
+
+ <pluginManagement>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-release-plugin</artifactId>
+ <configuration>
+ <tagNameFormat>@{project.version}</tagNameFormat>
+ </configuration>
+ </plugin>
+
+ </plugins>
+ </pluginManagement>
+ <plugins>
+ <!-- Assemble a realm distro archive -->
+ <plugin>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.4</version>
+ <executions>
+ <execution>
+ <id>make-assembly</id>
+ <phase>package</phase>
+ <goals>
+ <goal>single</goal>
+ </goals>
+ <configuration>
+ <descriptors>
+ <descriptor>src/main/assembly/distsrc.xml</descriptor>
+ </descriptors>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-source-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>attach-sources</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>jar-no-fork</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-site-plugin</artifactId>
+ <dependencies>
+ <!-- Add support for 'scp'/'sftp' -->
+ <dependency>
+ <groupId>org.apache.maven.wagon</groupId>
+ <artifactId>wagon-ssh</artifactId>
+ <version>2.1</version>
+ </dependency>
+ <!-- Add support for 'scpexe' -->
+ <dependency>
+ <groupId>org.apache.maven.wagon</groupId>
+ <artifactId>wagon-ssh-external</artifactId>
+ <version>2.1</version>
+ </dependency>
+ </dependencies>
+ <configuration>
+ <reportPlugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jxr-plugin</artifactId>
+ <configuration>
+ <aggregate>true</aggregate>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-report-plugin</artifactId>
+ <configuration>
+ <aggregate>true</aggregate>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-project-info-reports-plugin</artifactId>
+ </plugin>
+
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>taglist-maven-plugin</artifactId>
+ <configuration>
+ <tags>
+ <tag>TODO</tag>
+ <tag>@todo</tag>
+ <tag>@deprecated</tag>
+ <tag>FIXME</tag>
+ </tags>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-javadoc-plugin</artifactId>
+ <configuration>
+ <minmemory>512m</minmemory>
+ <maxmemory>1g</maxmemory>
+ <linksource>true</linksource>
+ <tags>
+ <tag>
+ <name>todo</name>
+ <!-- todo tag for all places -->
+ <placement>a</placement>
+ <head>To do:</head>
+ </tag>
+ </tags>
+ <source>1.6</source>
+ </configuration>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>aggregate</report>
+ <report>test-aggregate</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>versions-maven-plugin</artifactId>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>dependency-updates-report</report>
+ <report>plugin-updates-report</report>
+ <report>property-updates-report</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.rat</groupId>
+ <artifactId>apache-rat-plugin</artifactId>
+ <!-- must add configuration here too, it isn't inherited from <pluginConfiguration> :-( -->
+ <configuration>
+ <excludeSubProjects>false</excludeSubProjects>
+ <excludes>
+ <!-- MAVEN_DEFAULT_EXCLUDES -->
+ <exclude>**/target/**/*</exclude>
+ <exclude>**/cobertura.ser</exclude>
+ <!-- ECLIPSE_DEFAULT_EXCLUDES -->
+ <exclude>**/.classpath</exclude>
+ <exclude>**/.project</exclude>
+ <exclude>**/.settings/**/*</exclude>
+ <!-- IDEA_DEFAULT_EXCLUDES -->
+ <exclude>**/*.iml</exclude>
+ <exclude>**/*.ipr</exclude>
+ <exclude>**/*.iws</exclude>
+ <!-- MANIFEST_MF_EXCLUDES -->
+ <exclude>**/MANIFEST.MF</exclude>
+ <!-- 3RD_PARTY_LICENSES -->
+ <exclude>distribution/src/main/release/licenses/*</exclude>
+ <exclude>src/main/release/licenses/*</exclude>
+ <!-- Missing license header in dependency reduced pom, see http://jira.codehaus.org/browse/MSHADE-48 -->
+ <exclude>**/dependency-reduced-pom.xml</exclude>
+ <!-- Generated ldif files -->
+ <exclude>**/src/main/resources/schema/**/*.ldif</exclude>
+ <exclude>**/src/main/resources/schema-all.ldif</exclude>
+ <exclude>**/src/main/resources/schema/**/*.ldif</exclude>
+ <exclude>**/src/main/resources/schema-all.ldif</exclude>
+ <!-- Files having a Bouncy Castle license -->
+ <exclude>ldap/src/main/java/org/apache/directory/api/asn1/der/*.java</exclude>
+ <exclude>src/main/java/org/apache/directory/api/asn1/der/*.java</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>javancss-maven-plugin</artifactId>
+ </plugin>
+
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>jdepend-maven-plugin</artifactId>
+ </plugin>
+
+ <!--
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-changes-plugin</artifactId>
+ <configuration>
+ <onlyCurrentVersion>true</onlyCurrentVersion>
+ <resolutionIds>Fixed</resolutionIds>
+ <statusIds>Resolved,Closed</statusIds>
+ <columnNames>Type,Key,Summary,Status,Resolution,Fix Version</columnNames>
+ </configuration>
+ <reportSets>
+ <reportSet>
+ <reports>
+ <report>jira-report</report>
+ </reports>
+ </reportSet>
+ </reportSets>
+ </plugin>
+ -->
+ </reportPlugins>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencyManagement>
+ <dependencies>
+ <!-- Project sub-modules dependencies -->
+ <dependency>
+ <groupId>org.apache.directory</groupId>
+ <artifactId>fortress-core</artifactId>
+ <version>${fortress-core.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-catalina</artifactId>
+ <version>7.0.22</version>
+ </dependency>
+
+ </dependencies>
+ </dependencyManagement>
+
<dependencies>
+ <!-- for Java5 findbugs annotations are required in each module at compile time -->
+ <dependency>
+ <groupId>findbugs</groupId>
+ <artifactId>annotations</artifactId>
+ <scope>provided</scope>
+ <version>1.0.0</version>
+ </dependency>
+
+ <!-- common logging interface -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.api.version}</version>
+ </dependency>
+
+ <!-- logging implementation used for unit tests -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ <scope>test</scope>
+ <version>${slf4j.log4j12.version}</version>
+ </dependency>
+
<dependency>
- <groupId>org.openldap</groupId>
- <artifactId>fortress</artifactId>
- <version>1.0-RC39</version>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ <version>4.11</version>
</dependency>
</dependencies>
-</project>
\ No newline at end of file
+
+ <profiles>
+ <profile>
+ <id>release-sign-artifacts</id>
+ <activation>
+ <activeByDefault>false</activeByDefault>
+ <property>
+ <name>performRelease</name>
+ <value>true</value>
+ </property>
+ </activation>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-gpg-plugin</artifactId>
+ <version>1.4</version>
+ <executions>
+ <execution>
+ <id>sign-artifacts</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>sign</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
+
+</project>
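Review bot: The new `<url>http://directory.apache.org/foress/</url>` misspells the project name and `<email>elecharny@@apache.org</email>` has a doubled `@`; both are published metadata and should read `http://directory.apache.org/fortress/` and `elecharny@apache.org`. `<finalName>${project.artifactId}-${version}</finalName>` uses the bare `${version}` expression, which Maven 3 reports as deprecated; `${project.version}` is the supported form. The `junit` and findbugs `annotations` dependencies hard-code `4.11` and `1.0.0` even though `junit.version` and `findbugs.annotations.version` properties are declared in the same file, so a future bump of the property will silently leave these entries behind; reference the properties instead. The `apache-rat-plugin` excludes repeat the two `schema` ldif patterns and list `asn1/der` paths that do not exist in this module, which looks copied from another project's pom. Declaring `org.sonatype.oss:oss-parent` as the parent rather than the `org.apache:apache` parent POM is unusual for an ASF project and may be worth confirming against the intended release process.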
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/pom.xml
----------------------------------------------------------------------
diff --git a/proxy/pom.xml b/proxy/pom.xml
new file mode 100644
index 0000000..876e755
--- /dev/null
+++ b/proxy/pom.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.directory</groupId>
+ <artifactId>fortress-realm</artifactId>
+ <version>1.0-RC40</version>
+ </parent>
+
+ <artifactId>fortress-realm-proxy</artifactId>
+ <name>Apache Fortress Realm Proxy</name>
+ <packaging>jar</packaging>
+<!-- <packaging>bundle</packaging>-->
+ <description>
+ Proxy classes for the Fortress Realm Component.
+ </description>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.directory.junit</groupId>
+ <artifactId>junit-addons</artifactId>
+ <scope>test</scope>
+ <version>0.1</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.directory.api</groupId>
+ <artifactId>api-all</artifactId>
+ <version>1.0.0-M24</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-catalina</artifactId>
+ <version>7.0.22</version>
+ </dependency>
+
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>3.1</version>
+ <configuration>
+ <source>1.7</source>
+ <target>1.7</target>
+ </configuration>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.5</version>
+ </plugin>
+ </plugins>
+ </build>
+</project>
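Review bot: The tomcat-catalina dependency in this pom is declared without a `<scope>`, so it lands at compile scope and the container's own classes become part of the proxy jar's transitive runtime classpath; if, as the module name suggests, this proxy is loaded by Tomcat itself, then the container already supplies catalina and `<scope>provided</scope>` is the safer declaration, matching how the parent pom treats the findbugs annotations. The explicit `<version>7.0.22</version>` here also duplicates the version the parent already fixes in its dependencyManagement block, so the `<version>` element can be dropped to keep a single point of control for that artifact. The commented-out `<!-- <packaging>bundle</packaging>-->` line is dead configuration; either remove it or add a short comment saying why it is retained.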
http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/fortress-javadoc.css
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/fortress-javadoc.css b/proxy/src/main/java/fortress-javadoc.css
new file mode 100644
index 0000000..44ace3f
--- /dev/null
+++ b/proxy/src/main/java/fortress-javadoc.css
@@ -0,0 +1,32 @@
+BODY { color: #000000;
+ background-color: #FFFFFF;
+ font-family: sans-serif }
+
+A:link { color: #0101DF;
+ text-decoration: underline }
+
+A:visited { color: #610B38;
+ text-decoration: underline }
+
+A:hover { color: #0B3B0B;
+ text-decoration: underline }
+
+PRE { background-color: #99CC66;
+ margin: 15px 30px;
+ padding: 10px 10px;
+ border: 1px solid #000000 }
+
+# the following will add space between list items:
+#LI { margin: 10px 0px }
+
+TH { background-color: #FFFFFF; color: #003300;
+ font-size: 125%;
+ font-weight: bold }
+
+
+# Classes defined specifically for Javadoc
+.TableHeadingColor { background-color: #D8D8D8 }
+
+.NavBarCell1 { background-color: #99CC66 }
+
+.FrameItemFont { font-size: 90% }
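Review bot: The lines starting with `#` in this stylesheet are not CSS comments; `#` is an id-selector token, so a conforming parser reads `# the following will add space between list items:` together with `#LI { margin: 10px 0px }` as one malformed rule, and `# Classes defined specifically for Javadoc` swallows the `.TableHeadingColor` selector that follows it, which by CSS error recovery drops that rule entirely. Replace them with block comments: `/* the following will add space between list items: */`, `/* LI { margin: 10px 0px } */`, `/* Classes defined specifically for Javadoc */`. If the LI rule is meant to be an optional setting rather than an example, say so in the comment so a later maintainer knows whether to enable it.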