Posted to commits@cxf.apache.org by cs...@apache.org on 2013/07/12 15:37:12 UTC
svn commit: r1502553 - in /cxf/trunk/rt/security: ./
src/main/java/org/apache/cxf/rt/security/xacml/
src/main/java/org/apache/cxf/rt/security/xacml/pdp/
src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/
src/test/java/org/apache/cxf/rt/security/xa...
Author: cschneider
Date: Fri Jul 12 13:37:12 2013
New Revision: 1502553
URL: http://svn.apache.org/r1502553
Log:
CXF-5121 Refactor for better readability
Added:
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
- copied, changed from r1502463, cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java (with props)
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java (with props)
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java (with props)
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java (with props)
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyXACMLAuthorizingInterceptor.java
- copied, changed from r1502463, cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
Removed:
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
Modified:
cxf/trunk/rt/security/ (props changed)
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
Propchange: cxf/trunk/rt/security/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Fri Jul 12 13:37:12 2013
@@ -1 +1,7 @@
target
+
+.settings
+
+.project
+
+.classpath
Copied: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java (from r1502463, cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java?p2=cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java&p1=cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java&r1=1502463&r2=1502553&rev=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java Fri Jul 12 13:37:12 2013
@@ -40,10 +40,11 @@ import org.apache.cxf.security.LoginSecu
import org.apache.cxf.security.SecurityContext;
import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
import org.opensaml.xacml.ctx.ResultType;
+import org.opensaml.xacml.ctx.StatusType;
/**
@@ -129,31 +130,20 @@ public abstract class AbstractXACMLAutho
// Handle any Obligations returned by the PDP
handleObligations(request, principal, message, result);
- List<String> resources = requestBuilder.getResources(message);
- if (result != null
- && (result.getDecision().getDecision() == DecisionType.DECISION.Permit)) {
- if (result.getResourceId() == null) {
- LOG.fine("XACML authorization permitted");
- return true;
- }
- for (String resource : resources) {
- if (resource.equals(result.getResourceId())) {
- LOG.fine("XACML authorization permitted");
- return true;
- }
- }
+ if (result == null) {
+ return false;
}
- LOG.fine("XACML authorization not permitted:");
- if (result != null && result.getStatus() != null) {
- if (result.getStatus().getStatusCode() != null) {
- LOG.fine("XACML Status Code: " + result.getStatus().getStatusCode().getValue());
- }
- if (result.getStatus().getStatusMessage() != null) {
- LOG.fine("XACML Status Message: " + result.getStatus().getStatusMessage().getValue());
- }
+
+ DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny;
+ String code = "";
+ String statusMessage = "";
+ if (result.getStatus() != null) {
+ StatusType status = result.getStatus();
+ code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
+ statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
}
-
- return false;
+ LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
+ return decision == DECISION.Permit;
}
public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
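Review bot: The rewritten tail of the authorization check no longer compares `result.getResourceId()` with the resources the request was built for: the removed lines accepted a Permit only when the ResourceId was absent or matched an entry of `requestBuilder.getResources(message)`, whereas the new `return decision == DECISION.Permit;` accepts a Permit carrying any ResourceId. For a commit logged as a readability refactor this is a behavioural change in an authorization decision; either restore the match (the `request` passed to `handleObligations` a few lines up still holds the resource attributes that were sent) or state the relaxation explicitly in the log message and cover it with a test. Defaulting a missing `DecisionType` to `DECISION.Deny` is a sound fail-closed choice and worth a one-line comment saying so. The enclosing method begins before this hunk.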
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java?rev=1502553&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java Fri Jul 12 13:37:12 2013
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.interceptor.security.SAMLSecurityContext;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+
+public class CXFMessageParser {
+ private Message message;
+
+ /**
+ * @param message
+ * @param fullRequestURL Whether to send the full Request URL as the resource or not. If set to true, the
+ * full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the
+ * default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service
+ * will send the RequestURI (i.e. minus the initial https:<ip> prefix)
+ */
+ public CXFMessageParser(Message message) {
+ this.message = message;
+ }
+
+ /**
+ * Return the Resources that have been inserted into the Request
+ */
+ public List<String> getResources(boolean fullRequestURL) {
+ if (message == null) {
+ return Collections.emptyList();
+ }
+ List<String> resources = new ArrayList<String>();
+ if (message.get(Message.WSDL_OPERATION) != null) {
+ resources.add(message.get(Message.WSDL_OPERATION).toString());
+ }
+ String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI;
+ String request = (String)message.get(property);
+ if (request != null) {
+ resources.add(request);
+ }
+ return resources;
+ }
+
+ public String getAction(String defaultSOAPAction) {
+ String actionToUse = defaultSOAPAction;
+ // For REST use the HTTP Verb
+ if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) {
+ actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
+ }
+ return actionToUse;
+ }
+
+ /**
+ * Get the Issuer of the SAML Assertion
+ */
+ public String getIssuer() throws WSSecurityException {
+ SecurityContext sc = message.get(SecurityContext.class);
+
+ if (sc instanceof SAMLSecurityContext) {
+ Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
+ if (assertionElement != null) {
+ SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
+ return wrapper.getIssuerString();
+ }
+ }
+
+ return null;
+ }
+}
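Review bot: The constructor Javadoc documents a `fullRequestURL` parameter that the constructor does not take; that description belongs on `getResources(boolean)`, which is the method that actually reads the flag, and the `@param message` tag carries no description. Null handling is also inconsistent across the class: `getResources` returns an empty list for a null `message`, but `getAction` and `getIssuer` dereference `message` unguarded, so the same parser object behaves differently per method. Either validate once with `this.message = Objects.requireNonNull(message, "message");` and drop the null branch, or guard all three methods the same way, and mark the field `final` since it is only assigned in the constructor.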
Propchange: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java?rev=1502553&r1=1502552&r2=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java (original)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java Fri Jul 12 13:37:12 2013
@@ -24,181 +24,103 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.interceptor.security.SAMLSecurityContext;
import org.apache.cxf.message.Message;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
import org.opensaml.xacml.ctx.EnvironmentType;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResourceType;
import org.opensaml.xacml.ctx.SubjectType;
-
/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext,
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles.
- *
- * The action to send defaults to "execute". The resource is the WSDL Operation for a SOAP service,
- * and the request URI for a REST service. You can also configure the ability to send the full
- * request URL instead for a SOAP or REST service. The current DateTime is also sent in an
- * Environment, however this can be disabled via configuration.
+ * This class constructs an XACML Request given a Principal, list of roles and MessageContext, following the
+ * SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID, and the list of roles
+ * associated with that principal are inserted as Subject roles. The action to send defaults to "execute". The
+ * resource is the WSDL Operation for a SOAP service, and the request URI for a REST service. You can also
+ * configure the ability to send the full request URL instead for a SOAP or REST service. The current DateTime
+ * is also sent in an Environment, however this can be disabled via configuration.
*/
public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
- private String action = "execute";
+
private boolean sendDateTime = true;
+ private String action = "execute";
private boolean sendFullRequestURL;
-
- /**
- * Set a new Action String to use
- */
- public void setAction(String newAction) {
- action = newAction;
- }
-
- /**
- * Get the Action String currently in use
- */
- public String getAction() {
- return action;
- }
-
+
/**
* Create an XACML Request given a Principal, list of roles and Message.
*/
- public RequestType createRequest(
- Principal principal, List<String> roles, Message message
- ) throws Exception {
- String issuer = getIssuer(message);
- List<String> resources = getResources(message);
- String actionToUse = getAction(message);
-
- // Subject
+ public RequestType createRequest(Principal principal, List<String> roles, Message message)
+ throws Exception {
+ CXFMessageParser messageParser = new CXFMessageParser(message);
+ String issuer = messageParser.getIssuer();
+ List<String> resources = messageParser.getResources(sendFullRequestURL);
+ String actionToUse = messageParser.getAction(action);
+
+ SubjectType subjectType = createSubjectType(principal, roles, issuer);
+ ResourceType resourceType = createResourceType(resources);
+ AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
+ null, actionToUse);
+ ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
+
+ return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
+ Collections.singletonList(resourceType),
+ actionType,
+ createEnvironmentType());
+ }
+
+ private ResourceType createResourceType(List<String> resources) {
List<AttributeType> attributes = new ArrayList<AttributeType>();
- AttributeValueType subjectIdAttributeValue =
- RequestComponentBuilder.createAttributeValueType(principal.getName());
- AttributeType subjectIdAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ID,
- XACMLConstants.XS_STRING,
- issuer,
- Collections.singletonList(subjectIdAttributeValue)
- );
- attributes.add(subjectIdAttribute);
-
- for (String role : roles) {
- if (role != null) {
- AttributeValueType subjectRoleAttributeValue =
- RequestComponentBuilder.createAttributeValueType(role);
- AttributeType subjectRoleAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.SUBJECT_ROLE,
- XACMLConstants.XS_ANY_URI,
- issuer,
- Collections.singletonList(subjectRoleAttributeValue)
- );
- attributes.add(subjectRoleAttribute);
- }
- }
- SubjectType subjectType = RequestComponentBuilder.createSubjectType(attributes, null);
-
- // Resource
- attributes.clear();
for (String resource : resources) {
if (resource != null) {
- AttributeValueType resourceAttributeValue =
- RequestComponentBuilder.createAttributeValueType(resource);
- AttributeType resourceAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.RESOURCE_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(resourceAttributeValue)
- );
- attributes.add(resourceAttribute);
+ attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
+ resource));
}
}
- ResourceType resourceType = RequestComponentBuilder.createResourceType(attributes, null);
-
- // Action
- AttributeValueType actionAttributeValue =
- RequestComponentBuilder.createAttributeValueType(actionToUse);
- AttributeType actionAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.ACTION_ID,
- XACMLConstants.XS_STRING,
- null,
- Collections.singletonList(actionAttributeValue)
- );
- attributes.clear();
- attributes.add(actionAttribute);
- ActionType actionType = RequestComponentBuilder.createActionType(attributes);
-
- // Environment
- attributes.clear();
+ return RequestComponentBuilder.createResourceType(attributes, null);
+ }
+
+ private EnvironmentType createEnvironmentType() {
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
if (sendDateTime) {
- DateTime dateTime = new DateTime();
- AttributeValueType environmentAttributeValue =
- RequestComponentBuilder.createAttributeValueType(dateTime.toString());
- AttributeType environmentAttribute =
- RequestComponentBuilder.createAttributeType(
- XACMLConstants.CURRENT_DATETIME,
- XACMLConstants.XS_DATETIME,
- null,
- Collections.singletonList(environmentAttributeValue)
- );
+ AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
+ XACMLConstants.XS_DATETIME, null,
+ new DateTime().toString());
attributes.add(environmentAttribute);
}
- EnvironmentType environmentType =
- RequestComponentBuilder.createEnvironmentType(attributes);
-
- // Request
- RequestType request =
- RequestComponentBuilder.createRequestType(
- Collections.singletonList(subjectType),
- Collections.singletonList(resourceType),
- actionType,
- environmentType
- );
-
- return request;
+ return RequestComponentBuilder.createEnvironmentType(attributes);
}
-
- /**
- * Get the Issuer of the SAML Assertion
- */
- private String getIssuer(Message message) throws WSSecurityException {
- SecurityContext sc = message.get(SecurityContext.class);
-
- if (sc instanceof SAMLSecurityContext) {
- Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
- if (assertionElement != null) {
- SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
- return wrapper.getIssuerString();
+
+ private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
+ List<AttributeType> attributes = new ArrayList<AttributeType>();
+ attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
+ principal.getName()));
+
+ for (String role : roles) {
+ if (role != null) {
+ attributes.add(createAttribute(XACMLConstants.SUBJECT_ROLE, XACMLConstants.XS_ANY_URI,
+ issuer, role));
}
}
-
- return null;
+
+ return RequestComponentBuilder.createSubjectType(attributes, null);
}
- public boolean isSendDateTime() {
- return sendDateTime;
+ private AttributeType createAttribute(String id, String type, String issuer, String value) {
+ return RequestComponentBuilder.createAttributeType(id, type, issuer,
+ Collections.singletonList(
+ RequestComponentBuilder.createAttributeValueType(value)));
}
- public void setSendDateTime(boolean sendDateTime) {
- this.sendDateTime = sendDateTime;
+ /**
+ * Set a new Action String to use
+ */
+ public void setAction(String action) {
+ this.action = action;
}
- public boolean isSendFullRequestURL() {
- return sendFullRequestURL;
+ public void setSendDateTime(boolean sendDateTime) {
+ this.sendDateTime = sendDateTime;
}
/**
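Review bot: The public accessors `getAction()`, `isSendDateTime()` and `isSendFullRequestURL()` are removed while their setters remain, which is a source- and binary-incompatible change in a commit described as a readability refactor; configuration that introspects bean properties, or subclasses compiled against the previous API, will break. Restoring the three one-line getters is cheap and keeps the class a conventional JavaBean. Separately, `createSubjectType` still calls `principal.getName()` and iterates `roles` without a null check, as before; `createRequest` is a reasonable place for `Objects.requireNonNull(principal, "principal");` so a missing principal fails with a clear message instead of an NPE inside the builder. The setter block continues in the next hunk.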
@@ -210,49 +132,15 @@ public class DefaultXACMLRequestBuilder
public void setSendFullRequestURL(boolean sendFullRequestURL) {
this.sendFullRequestURL = sendFullRequestURL;
}
-
-
- /**
- * Return the Resources that have been inserted into the Request
- */
+
+ @Override
public List<String> getResources(Message message) {
- if (message == null) {
- return Collections.emptyList();
- }
- List<String> resources = new ArrayList<String>();
- if (message.get(Message.WSDL_OPERATION) != null) {
- resources.add(message.get(Message.WSDL_OPERATION).toString());
- }
- if (sendFullRequestURL) {
- resources.add((String)message.get(Message.REQUEST_URL));
- } else {
- resources.add((String)message.get(Message.REQUEST_URI));
- }
- return resources;
+ throw new IllegalAccessError("Deprecated");
}
-
+
+ @Override
public String getResource(Message message) {
- if (message == null) {
- return null;
- }
- String resource = null;
- if (sendFullRequestURL) {
- resource = (String)message.get(Message.REQUEST_URL);
- } else if (message.get(Message.WSDL_OPERATION) != null) {
- resource = message.get(Message.WSDL_OPERATION).toString();
- } else {
- resource = (String)message.get(Message.REQUEST_URI);
- }
- return resource;
- }
-
- private String getAction(Message message) {
- String actionToUse = action;
- // For REST use the HTTP Verb
- if (message.get(Message.WSDL_OPERATION) == null
- && message.get(Message.HTTP_REQUEST_METHOD) != null) {
- actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
- }
- return actionToUse;
+ throw new IllegalAccessError("Deprecated");
}
+
}
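Review bot: `getResources` and `getResource` now `throw new IllegalAccessError("Deprecated")`, but `IllegalAccessError` is a `LinkageError` the JVM reserves for access-check failures at link time, and as an `Error` it bypasses ordinary `catch (Exception e)` handling in callers. The conventional way to retire an interface method that is still part of the contract is `throw new UnsupportedOperationException("Deprecated, use CXFMessageParser.getResources(boolean)");` with `@Deprecated` on the implementation as well. This also turns every existing client of these two methods into a hard runtime failure rather than a compile-time warning, which deserves a mention in the commit log or in CXF-5121.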
Modified: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java?rev=1502553&r1=1502552&r2=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java (original)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java Fri Jul 12 13:37:12 2013
@@ -40,9 +40,7 @@ public interface XACMLRequestBuilder {
* @return An OpenSAML RequestType object
* @throws Exception
*/
- RequestType createRequest(
- Principal principal, List<String> roles, Message message
- ) throws Exception;
+ RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
/**
* Return the list of Resources that have been inserted into the Request.
@@ -50,6 +48,7 @@ public interface XACMLRequestBuilder {
* @param message The Message from which to retrieve the resource
* @return the list of Resources that have been inserted into the Request
*/
+ @Deprecated
List<String> getResources(Message message);
/**
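Review bot: `@Deprecated` is added to `getResources` without a matching `@deprecated` Javadoc tag, so generated documentation still presents the method as live and does not point to its replacement; add `* @deprecated use {@link CXFMessageParser#getResources(boolean)} instead` to the comment above it. The `getResource` method that `DefaultXACMLRequestBuilder` retires in the same commit is not visible in this hunk; if it is deprecated too it should carry the same annotation and tag.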
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java?rev=1502553&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java Fri Jul 12 13:37:12 2013
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.xacml.pdp.api;
+
+/**
+ * A RuntimeException that can be thrown by a PDP implementation.
+ */
+public class PDPException extends RuntimeException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = 5618129354705668073L;
+
+ public PDPException(String message) {
+ super(message);
+ }
+
+ public PDPException(String message, Throwable e) {
+ super(message, e);
+ }
+
+}
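Review bot: The Javadoc block above `serialVersionUID` is empty and should be removed or made to say something, and the two constructors of this public API type have no Javadoc at all; a `@param message` and `@param e` line on each is enough. Naming the second constructor parameter `cause` rather than `e` would also match the `Throwable(String, Throwable)` convention it delegates to.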
Propchange: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PDPException.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java?rev=1502553&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java (added)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java Fri Jul 12 13:37:12 2013
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.xacml.pdp.api;
+
+import javax.xml.transform.Source;
+
+/**
+ * An interface that describes a PolicyDecisionPoint (PDP).
+ */
+public interface PolicyDecisionPoint {
+
+ /**
+ * Evaluate an XACML Request and return a Response
+ * @param request an XACML Request as a Source
+ * @return the XACML Response as a Source
+ */
+ Source evaluate(Source request);
+
+}
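Review bot: The `evaluate` contract does not say what happens when the PDP cannot evaluate the request; `PDPException` is introduced in this same commit but is not referenced here, so add `@throws PDPException if the request cannot be evaluated` to keep implementors and callers on one contract. Since the request arrives as a `javax.xml.transform.Source` whose content ultimately derives from inbound message data, the Javadoc should also state that implementations which parse it into a DOM must do so with DTD processing and external entity resolution disabled, because the interface itself offers no such guarantee.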
Propchange: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java?rev=1502553&view=auto
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java (added)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java Fri Jul 12 13:37:12 2013
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rt.security.xacml;
+
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class CXFMessageParserTest {
+
+ @Test
+ public void testSOAPResource() throws Exception {
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+ CXFMessageParser messageParser = new CXFMessageParser(msg);
+ assertSingleElement(operation, messageParser.getResources(true));
+ }
+
+ @Test
+ public void testSOAPResourceWithRequestURI() throws Exception {
+ String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.WSDL_OPERATION, operation);
+ msg.put(Message.REQUEST_URI, "/doubleIt");
+ CXFMessageParser messageParser = new CXFMessageParser(msg);
+ Assert.assertEquals(2, messageParser.getResources(false).size());
+ }
+
+ @Test
+ public void testRelativeRestResource() throws Exception {
+ String operation = "user/list.json";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.REQUEST_URI, operation);
+
+ CXFMessageParser messageParser = new CXFMessageParser(msg);
+ assertSingleElement(operation, messageParser.getResources(false));
+ }
+
+ @Test
+ public void testAbsoluteRestResource() throws Exception {
+ String operation = "https://localhost:8080/user/list.json";
+ MessageImpl msg = new MessageImpl();
+ msg.put(Message.REQUEST_URL, operation);
+
+ CXFMessageParser messageParser = new CXFMessageParser(msg);
+ assertSingleElement(operation, messageParser.getResources(true));
+ }
+
+ public void assertSingleElement(String content, List<String> strings) {
+ Assert.assertEquals(1, strings.size());
+ Assert.assertEquals(content, strings.get(0));
+ }
+}
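Review bot: `assertSingleElement` is a public non-test method on the test class; making it `private static` keeps it out of the test surface. The tests cover only `getResources`: `getAction` (the SOAP-action default versus the HTTP-verb fallback) and the null-`message` branch of `getResources` have no coverage, and a case with `Message.HTTP_REQUEST_METHOD` set but `WSDL_OPERATION` absent would pin the REST behaviour that `DefaultXACMLRequestBuilder` now relies on.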
Propchange: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/CXFMessageParserTest.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Copied: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyXACMLAuthorizingInterceptor.java (from r1502463, cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyXACMLAuthorizingInterceptor.java?p2=cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyXACMLAuthorizingInterceptor.java&p1=cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java&r1=1502463&r2=1502553&rev=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/DummyXACMLAuthorizingInterceptor.java Fri Jul 12 13:37:12 2013
@@ -26,6 +26,7 @@ import org.opensaml.Configuration;
import org.opensaml.xacml.XACMLObjectBuilder;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.DecisionType;
+import org.opensaml.xacml.ctx.DecisionType.DECISION;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
import org.opensaml.xacml.ctx.ResultType;
@@ -40,10 +41,15 @@ import org.opensaml.xml.XMLObjectBuilder
* object based on the role of the Subject. If the role is "manager" then it permits the
* request, otherwise it denies it.
*/
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
-
+public class DummyXACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
+
public ResponseType performRequest(RequestType request, Message message) throws Exception {
-
+ String role = getSubjectRole(request);
+ DECISION decision = "manager".equals(role) ? DecisionType.DECISION.Permit : DecisionType.DECISION.Deny;
+ return createResponse(decision);
+ }
+
+ private ResponseType createResponse(DECISION decision) {
XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
@SuppressWarnings("unchecked")
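Review bot: `DECISION` is newly imported at the top of this file, yet the ternary still spells out `DecisionType.DECISION.Permit` and `DecisionType.DECISION.Deny`; with the import in place the line reads `DECISION decision = "manager".equals(role) ? DECISION.Permit : DECISION.Deny;`. `performRequest` overrides the abstract method but carries no `@Override`. `createResponse` continues past this hunk.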
@@ -71,16 +77,10 @@ public class XACMLAuthorizingInterceptor
(XACMLObjectBuilder<StatusCodeType>)
builderFactory.getBuilder(StatusCodeType.DEFAULT_ELEMENT_NAME);
- DecisionType decisionType = decisionTypeBuilder.buildObject();
-
- String role = getSubjectRole(request);
- if ("manager".equals(role)) {
- decisionType.setDecision(DecisionType.DECISION.Permit);
- } else {
- decisionType.setDecision(DecisionType.DECISION.Deny);
- }
-
ResultType result = resultTypeBuilder.buildObject();
+
+ DecisionType decisionType = decisionTypeBuilder.buildObject();
+ decisionType.setDecision(decision);
result.setDecision(decisionType);
StatusType status = statusTypeBuilder.buildObject();
@@ -91,7 +91,6 @@ public class XACMLAuthorizingInterceptor
ResponseType response = responseTypeBuilder.buildObject();
response.setResult(result);
-
return response;
}
@@ -111,6 +110,5 @@ public class XACMLAuthorizingInterceptor
}
return null;
}
-
}
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java?rev=1502553&r1=1502552&r2=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java Fri Jul 12 13:37:12 2013
@@ -50,8 +50,8 @@ public class XACMLAuthorizingInterceptor
msg.put(Message.WSDL_OPERATION, operation);
msg.put(SecurityContext.class, sc);
- XACMLAuthorizingInterceptor authorizingInterceptor =
- new XACMLAuthorizingInterceptor();
+ AbstractXACMLAuthorizingInterceptor authorizingInterceptor =
+ new DummyXACMLAuthorizingInterceptor();
authorizingInterceptor.handleMessage(msg);
}
@@ -65,8 +65,8 @@ public class XACMLAuthorizingInterceptor
msg.put(Message.WSDL_OPERATION, operation);
msg.put(SecurityContext.class, sc);
- XACMLAuthorizingInterceptor authorizingInterceptor =
- new XACMLAuthorizingInterceptor();
+ AbstractXACMLAuthorizingInterceptor authorizingInterceptor =
+ new DummyXACMLAuthorizingInterceptor();
try {
authorizingInterceptor.handleMessage(msg);
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java?rev=1502553&r1=1502552&r2=1502553&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java Fri Jul 12 13:37:12 2013
@@ -54,46 +54,7 @@ public class XACMLRequestBuilderTest ext
builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
}
-
- @org.junit.Test
- public void testResource() throws Exception {
- // Mock up a request
- Principal principal = new Principal() {
- public String getName() {
- return "alice";
- }
- };
-
- String operation = "{http://www.example.org/contract/DoubleIt}DoubleIt";
- MessageImpl msg = new MessageImpl();
- msg.put(Message.WSDL_OPERATION, operation);
-
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
- RequestType request =
- builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- assertTrue(builder.getResources(msg).contains(operation));
-
- operation = "user/list.json";
- msg = new MessageImpl();
- msg.put(Message.REQUEST_URI, operation);
-
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- assertTrue(builder.getResources(msg).contains(operation));
-
- operation = "https://localhost:8080/user/list.json";
- msg = new MessageImpl();
- msg.put(Message.REQUEST_URL, operation);
-
- ((DefaultXACMLRequestBuilder)builder).setSendFullRequestURL(true);
- request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
- assertNotNull(request);
-
- assertTrue(builder.getResources(msg).contains(operation));
- }
+
@org.junit.Test
public void testAction() throws Exception {
@@ -108,22 +69,22 @@ public class XACMLRequestBuilderTest ext
MessageImpl msg = new MessageImpl();
msg.put(Message.WSDL_OPERATION, operation);
- XACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
+ DefaultXACMLRequestBuilder builder = new DefaultXACMLRequestBuilder();
RequestType request =
builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
String action =
request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals(action, "execute");
+ assertEquals("execute", action);
- ((DefaultXACMLRequestBuilder)builder).setAction("write");
+ builder.setAction("write");
request = builder.createRequest(principal, Collections.singletonList("manager"), msg);
assertNotNull(request);
action =
request.getAction().getAttributes().get(0).getAttributeValues().get(0).getValue();
- assertEquals(action, "write");
+ assertEquals("write", action);
}
@org.junit.Test