[juddi] 02/02: [JUDDI-558] inquiry service now filters requst data.
can now get/set permissions,
however only the read access permission is current implemented. api is still
evolving
alexoree pushed a commit to branch feature/JUDDI-558
in repository https://gitbox.apache.org/repos/asf/juddi.git
commit a3cf0c6de7e326e7c1b70586fb9d112a3a43be65
Author: Alex O'Ree <al...@apache.org>
AuthorDate: Wed Jun 26 16:00:27 2019 -0400
[JUDDI-558] inquiry service now filters request data. Can now get/set permissions; however, only the read access permission is currently implemented. API is still evolving.
---
.../org/apache/juddi/api/impl/UDDIInquiryImpl.java | 75 +++++-----
.../org/apache/juddi/model/BusinessService.java | 4 +-
.../org/apache/juddi/security/AccessLevel.java | 46 ------
.../org/apache/juddi/security/IAccessControl.java | 7 +-
.../apache/juddi/security/rbac/RbacRulesModel.java | 20 ++-
.../security/rbac/RoleBasedAccessControlImpl.java | 154 ++++++++++++++++++++-
.../src/main/webapp/WEB-INF/classes/juddiv3.xml | 7 +
7 files changed, 203 insertions(+), 110 deletions(-)
diff --git a/juddi-core/src/main/java/org/apache/juddi/api/impl/UDDIInquiryImpl.java b/juddi-core/src/main/java/org/apache/juddi/api/impl/UDDIInquiryImpl.java
index c5591ed..9cd0531 100644
--- a/juddi-core/src/main/java/org/apache/juddi/api/impl/UDDIInquiryImpl.java
+++ b/juddi-core/src/main/java/org/apache/juddi/api/impl/UDDIInquiryImpl.java
@@ -141,7 +141,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
LogFindBindingRequest(body);
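Review bot: The compound condition on the `+` line is pasted verbatim into ten inquiry methods (this hunk and the ones at -212, -262, -313, -378, -427, -488, -548, -609 and -671), and it also changes behaviour: when inquiry authentication is not required, a request carrying a non-empty but invalid authInfo now goes through `getEntityPublisher`, where previously the token was ignored — if that helper faults on an unknown token (not visible here), optional-auth clients that send stale tokens will start receiving errors. Pull the test into one helper so the policy lives in one place, e.g. `private boolean shouldResolvePublisher(String authInfo) { return isAuthenticatedRequired() || (authInfo != null && !authInfo.isEmpty()); }` and call it as `if (shouldResolvePublisher(body.getAuthInfo()))`. Document on the helper that a supplied token is always validated even when authentication is optional, since that is the new contract.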
@@ -168,15 +168,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.rollback();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.FIND_BINDING, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.BindingTemplate> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterBindingTemplates(
this.ctx,
entityPublisher, result.getBindingTemplate());
result.getBindingTemplate().clear();
result.getBindingTemplate().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
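Review bot: Dropping the `isAuthenticated() && entityPublisher!=null` guard means the filter now runs with `entityPublisher == null` for every anonymous find_binding (same removal in the hunks at -226, -277, -342, -392, -452, -513, -573, -632 and -694). The RoleBasedAccessControlImpl methods shown in this commit redact when `username == null`, but `filterBindingTemplates`, `filterTModelInfo` and `filterOperationalInfo` are not in the diff, so if any of them still calls `username.isOwner(ue)` unguarded, anonymous inquiries will fail with a NullPointerException instead of returning a filtered result; worth confirming and covering with an anonymous-request test. A one-line comment above the filter call would make the contract explicit: `// entityPublisher is null for anonymous inquiries; the provider must treat null as "not an owner"`. The local `FilterBindingTemplates` is also reused as the name for business, service and tModel lists in the sibling hunks, which reads as a copy-paste leftover.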
@@ -212,7 +211,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
}
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
LogFindBusinessRequest(body);
@@ -226,8 +225,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.rollback();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.FIND_BUSINESS, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.BusinessInfo> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterBusinessInfo(
this.ctx,
@@ -235,7 +233,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
result.getBusinessInfos().getBusinessInfo());
result.getBusinessInfos().getBusinessInfo().clear();
result.getBusinessInfos().getBusinessInfo().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -246,6 +244,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
}
+ @Override
public RelatedBusinessesList findRelatedBusinesses(FindRelatedBusinesses body)
throws DispositionReportFaultMessage {
long startTime = System.currentTimeMillis();
@@ -262,7 +261,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
LogFindRelatedBusinessRequest(body);
@@ -277,8 +276,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.rollback();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.FIND_RELATEDBUSINESSES, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.RelatedBusinessInfo> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filtedRelatedBusinessInfos(
this.ctx,
@@ -286,7 +284,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
result.getRelatedBusinessInfos().getRelatedBusinessInfo());
result.getRelatedBusinessInfos().getRelatedBusinessInfo().clear();
result.getRelatedBusinessInfos().getRelatedBusinessInfo().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -313,7 +311,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
LogFindServiceRequest(body);
@@ -342,15 +340,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.rollback();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.FIND_SERVICE, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.ServiceInfo> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterServiceInfo(
this.ctx,
entityPublisher, result.getServiceInfos().getServiceInfo());
result.getServiceInfos().getServiceInfo().clear();
result.getServiceInfos().getServiceInfo().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -378,7 +375,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
LogFindTModelRequest(body);
@@ -392,15 +389,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.rollback();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.FIND_TMODEL, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.TModelInfo> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterTModelInfo(
this.ctx,entityPublisher,
result.getTModelInfos().getTModelInfo());
result.getTModelInfos().getTModelInfo().clear();
result.getTModelInfos().getTModelInfo().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -427,7 +423,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
@@ -452,15 +448,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.commit();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.GET_BINDINGDETAIL, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.BindingTemplate> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterBindingTemplates(
this.ctx,
entityPublisher, result.getBindingTemplate());
result.getBindingTemplate().clear();
result.getBindingTemplate().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -488,7 +483,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
@@ -513,14 +508,13 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.commit();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.GET_BUSINESSDETAIL, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.BusinessEntity> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterBusinesses(
- this.ctx,entityPublisher, result.getBusinessEntity());
+ this.ctx, entityPublisher, result.getBusinessEntity());
result.getBusinessEntity().clear();
result.getBusinessEntity().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -548,7 +542,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
try {
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
@@ -573,14 +567,13 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.commit();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.GET_OPERATIONALINFO, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.OperationalInfo> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterOperationalInfo(
this.ctx,entityPublisher, result.getOperationalInfo());
result.getOperationalInfo().clear();
result.getOperationalInfo().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -609,7 +602,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.begin();
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
ServiceDetail result = new ServiceDetail();
@@ -632,15 +625,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.commit();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.GET_SERVICEDETAIL, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.BusinessService> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterServices(
this.ctx,
entityPublisher, result.getBusinessService());
result.getBusinessService().clear();
result.getBusinessService().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
@@ -671,7 +663,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
UddiEntityPublisher entityPublisher=null;
- if (isAuthenticated())
+ if (isAuthenticatedRequired() || (body.getAuthInfo()!=null&& body.getAuthInfo().length()>0))
entityPublisher = this.getEntityPublisher(em, body.getAuthInfo());
TModelDetail result = new TModelDetail();
@@ -694,15 +686,14 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
tx.commit();
long procTime = System.currentTimeMillis() - startTime;
serviceCounter.update(InquiryQuery.GET_TMODELDETAIL, QueryStatus.SUCCESS, procTime);
- if (isAuthenticated() && entityPublisher!=null)
- {
+
List<org.uddi.api_v3.TModel> FilterBindingTemplates =
AccessControlFactory.getAccessControlInstance().filterTModels(
this.ctx,
entityPublisher, result.getTModel());
result.getTModel().clear();
result.getTModel().addAll(FilterBindingTemplates);
- }
+
return result;
} finally {
if (tx.isActive()) {
@@ -712,7 +703,7 @@ public class UDDIInquiryImpl extends AuthenticatedService implements UDDIInquiry
}
}
- private boolean isAuthenticated() {
+ private boolean isAuthenticatedRequired() {
boolean result = false;
try {
result = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTHENTICATE_INQUIRY);
diff --git a/juddi-core/src/main/java/org/apache/juddi/model/BusinessService.java b/juddi-core/src/main/java/org/apache/juddi/model/BusinessService.java
index f26f5ed..4013391 100644
--- a/juddi-core/src/main/java/org/apache/juddi/model/BusinessService.java
+++ b/juddi-core/src/main/java/org/apache/juddi/model/BusinessService.java
@@ -43,8 +43,8 @@ public class BusinessService extends UddiEntity implements java.io.Serializable
private List<ServiceDescr> serviceDescrs = new ArrayList<ServiceDescr>(0);
private List<BindingTemplate> bindingTemplates = new ArrayList<BindingTemplate>(0);
private ServiceCategoryBag categoryBag;
- private List<ServiceProjection> projectingBusinesses = new ArrayList<ServiceProjection>(0);
- private List<Signature> signatures = new ArrayList<Signature>(0);
+ private List<ServiceProjection> projectingBusinesses = new ArrayList<ServiceProjection>(0);
+ private List<Signature> signatures = new ArrayList<Signature>(0);
public BusinessService() {
}
diff --git a/juddi-core/src/main/java/org/apache/juddi/security/AccessLevel.java b/juddi-core/src/main/java/org/apache/juddi/security/AccessLevel.java
deleted file mode 100644
index 7f72645..0000000
--- a/juddi-core/src/main/java/org/apache/juddi/security/AccessLevel.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright 2019 The Apache Software Foundation.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.juddi.security;
-
-
-/**
- * @since 3.4
- * @author Alex O'Ree
- */
-public enum AccessLevel {
- /**
- * No access at all
- */
- NONE,
- /**
- * Read only access, cannot make changes
- */
- READ,
- /**
- * Can view, read, make changes, and delete a specific entity
- */
- WRITE,
- /**
- * Can view, read, make changes, delete a specific entity, can initiate a custody transfer, and delegate permissions
- * to another user
- */
- OWN,
- /**
- * can create new entities
- */
- CREATE
-
-}
\ No newline at end of file
diff --git a/juddi-core/src/main/java/org/apache/juddi/security/IAccessControl.java b/juddi-core/src/main/java/org/apache/juddi/security/IAccessControl.java
index cfdac64..e41cdad 100644
--- a/juddi-core/src/main/java/org/apache/juddi/security/IAccessControl.java
+++ b/juddi-core/src/main/java/org/apache/juddi/security/IAccessControl.java
@@ -16,19 +16,14 @@
package org.apache.juddi.security;
import java.rmi.RemoteException;
-import java.util.ArrayList;
import java.util.List;
-import javax.persistence.EntityManager;
-import javax.persistence.EntityTransaction;
-import javax.persistence.Query;
import javax.xml.ws.WebServiceContext;
+import org.apache.juddi.api_v3.AccessLevel;
import org.apache.juddi.api_v3.GetPermissionsMessageRequest;
import org.apache.juddi.api_v3.GetPermissionsMessageResponse;
import org.apache.juddi.api_v3.SetPermissionsMessageRequest;
import org.apache.juddi.api_v3.SetPermissionsMessageResponse;
-import org.apache.juddi.config.PersistenceManager;
import org.apache.juddi.model.UddiEntityPublisher;
-import org.apache.juddi.security.rbac.RbacRulesModel;
import org.uddi.api_v3.BindingTemplate;
import org.uddi.api_v3.BusinessEntity;
import org.uddi.api_v3.BusinessInfo;
diff --git a/juddi-core/src/main/java/org/apache/juddi/security/rbac/RbacRulesModel.java b/juddi-core/src/main/java/org/apache/juddi/security/rbac/RbacRulesModel.java
index 259296b..a502846 100644
--- a/juddi-core/src/main/java/org/apache/juddi/security/rbac/RbacRulesModel.java
+++ b/juddi-core/src/main/java/org/apache/juddi/security/rbac/RbacRulesModel.java
@@ -20,7 +20,7 @@ import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
-import org.apache.juddi.security.AccessLevel;
+import org.apache.juddi.api_v3.AccessLevel;
/**
*
@@ -39,7 +39,7 @@ public class RbacRulesModel implements Serializable {
*/
private String uddiEntityId;
- @Column(name = "entity_id", nullable = false, length = 51)
+ @Column(name = "entity_id", nullable = false, length = 255)
public String getUddiEntityId() {
return uddiEntityId;
}
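Review bot: Widening `entity_id` from 51 to 255 (and `container_role` to 128 in the next hunk) is a DDL change for existing deployments; unless the schema is regenerated on startup, rules for keys longer than 51 characters will fail on insert while the mapping claims 255. A migration script or a release note is expected alongside this; the widening itself looks right, since UDDI v3 keys can be longer than the old limit.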
@@ -48,7 +48,7 @@ public class RbacRulesModel implements Serializable {
this.uddiEntityId = uddiEntityId;
}
- @Column(name = "container_role", nullable = false, length = 51)
+ @Column(name = "container_role", nullable = false, length = 128)
public String getContainerRole() {
return containerRole;
}
@@ -58,12 +58,18 @@ public class RbacRulesModel implements Serializable {
}
@Column(name = "access_level", nullable = false, length = 51)
- public AccessLevel getAccessLevel() {
- return AccessLevel.valueOf(level);
+ public String getAccessLevel() {
+ return (level);
}
+
+ public AccessLevel getAccessLevelAsEnum() {
+ return AccessLevel.valueOf(getAccessLevel());
+ }
+
+
- public void setAccessLevel(AccessLevel level) {
- this.level = level.name();
+ public void setAccessLevel(String level) {
+ this.level = level;
}
@Id
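Review bot: `getAccessLevelAsEnum` is a public getter on an entity whose mapping is declared on getters (`@Column`, `@Id`), so a JPA provider using property access will likely treat it as a persistent property `accessLevelAsEnum` and expect a matching column; mark it `@Transient` (javax.persistence.Transient) to keep it out of the mapping. It also calls `AccessLevel.valueOf` on whatever string sits in the `access_level` column, and `setAccessLevel(String)` no longer validates, so a malformed row (or a JAXB `value()` spelling, if it differs from `name()`) surfaces as an IllegalArgumentException from `hasReadAccess` (hunk -84) and `getPermissions` (hunk -351) in RoleBasedAccessControlImpl rather than as a deny. Validating in the setter, `this.level = AccessLevel.valueOf(level).name();`, keeps bad values out of the database at the point they are written.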
diff --git a/juddi-core/src/main/java/org/apache/juddi/security/rbac/RoleBasedAccessControlImpl.java b/juddi-core/src/main/java/org/apache/juddi/security/rbac/RoleBasedAccessControlImpl.java
index 852ed96..99f2ba5 100644
--- a/juddi-core/src/main/java/org/apache/juddi/security/rbac/RoleBasedAccessControlImpl.java
+++ b/juddi-core/src/main/java/org/apache/juddi/security/rbac/RoleBasedAccessControlImpl.java
@@ -18,12 +18,14 @@ package org.apache.juddi.security.rbac;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.List;
+import java.util.UUID;
import javax.persistence.EntityManager;
import javax.persistence.EntityTransaction;
import javax.persistence.Query;
import javax.xml.ws.WebServiceContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.juddi.api_v3.AccessLevel;
import org.apache.juddi.api_v3.Action;
import org.apache.juddi.api_v3.GetPermissionsMessageRequest;
import org.apache.juddi.api_v3.GetPermissionsMessageResponse;
@@ -34,7 +36,6 @@ import org.apache.juddi.config.PersistenceManager;
import org.apache.juddi.config.ResourceConfig;
import org.apache.juddi.model.UddiEntity;
import org.apache.juddi.model.UddiEntityPublisher;
-import org.apache.juddi.security.AccessLevel;
import org.apache.juddi.security.IAccessControl;
import org.uddi.api_v3.BindingTemplate;
import org.uddi.api_v3.BusinessEntity;
@@ -84,7 +85,7 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
private boolean hasReadAccess(WebServiceContext ctx, List<RbacRulesModel> rules) {
for (RbacRulesModel r : rules) {
if (ctx.isUserInRole(r.getContainerRole())) {
- if (r.getAccessLevel() == AccessLevel.NONE) //explicit deny
+ if (r.getAccessLevelAsEnum() == AccessLevel.NONE) //explicit deny
{
return false;
}
@@ -157,6 +158,11 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
redact(bs);
continue; //access denied
}
+ if (username == null) {
+ redact(bs);
+ continue; //access denied
+
+ }
if (username.isOwner(ue)) {
//keep it
continue;
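Review bot: The new `username == null` check returns before the rule lookup, so an anonymous caller can never match a `container_role` grant through `ctx.isUserInRole` — anonymous inquiries are redacted unconditionally, whatever rules exist (same pattern in the hunks at -193, -235 and -273). If that is the intended policy it should be documented on the filter methods, e.g. `// anonymous callers (no publisher) are denied regardless of container roles`; if not, the check belongs after `hasReadAccess`. The blank line before the closing brace inside the new block is a leftover.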
@@ -193,6 +199,11 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
redact(bs);
continue; //access denied
}
+ if (username == null) {
+ redact(bs);
+ continue; //access denied
+
+ }
if (username.isOwner(ue)) {
//keep it
continue;
@@ -216,12 +227,75 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
@Override
public List<BusinessInfo> filterBusinessInfo(WebServiceContext ctx, UddiEntityPublisher username, List<BusinessInfo> items) {
+ //load access rules from database
+ for (BusinessInfo bs : items) {
+ //get the permission for this entity.
+ UddiEntity ue = loadEntity(bs.getBusinessKey(), org.apache.juddi.model.BusinessService.class);
+ if (ue == null) {
+ redact(bs);
+ continue; //access denied
+ }
+ if (username == null) {
+ redact(bs);
+ continue; //access denied
+
+ }
+ if (username.isOwner(ue)) {
+ //keep it
+ continue;
+ }
+
+ List<RbacRulesModel> rules = getPermissionSet(bs.getBusinessKey());
+ if (rules.isEmpty()) {
+ redact(bs);
+ continue; //access denied
+ }
+ if (!hasReadAccess(ctx, rules)) {
+ redact(bs); //also access denied, either no matching role or an explicit deny
+ continue;
+ }
+ if (bs.getServiceInfos() != null) {
+ filterServiceInfo(ctx, username, bs.getServiceInfos().getServiceInfo());
+ }
+
+ }
return new ArrayList(items);
+
}
@Override
public List<TModel> filterTModels(WebServiceContext ctx, UddiEntityPublisher username, List<TModel> items) {
+ //load access rules from database
+ for (TModel bs : items) {
+ //get the permission for this entity.
+ UddiEntity ue = loadEntity(bs.getTModelKey(), org.apache.juddi.model.Tmodel.class);
+ if (ue == null) {
+ redact(bs);
+ continue; //access denied
+ }
+ if (username == null) {
+ redact(bs);
+ continue; //access denied
+
+ }
+ if (username.isOwner(ue)) {
+ //keep it
+ continue;
+ }
+
+ List<RbacRulesModel> rules = getPermissionSet(bs.getTModelKey());
+ if (rules.isEmpty()) {
+ redact(bs);
+ continue; //access denied
+ }
+ if (!hasReadAccess(ctx, rules)) {
+ redact(bs); //also access denied, either no matching role or an explicit deny
+ continue;
+ }
+
+ }
return new ArrayList(items);
+
}
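Review bot: `filterBusinessInfo` looks up each business key against `org.apache.juddi.model.BusinessService.class`, which looks like a copy-paste from the service filter; a business key resolved against the service table should come back null, which means every BusinessInfo is redacted (fails closed, but breaks find_business for everyone, owners included). The lookup presumably wants the business entity model, `UddiEntity ue = loadEntity(bs.getBusinessKey(), org.apache.juddi.model.BusinessEntity.class);`. Two smaller points: the result of `filterServiceInfo(ctx, username, ...)` is discarded here whereas UDDIInquiryImpl replaces the list with the return value — fine only if that method redacts in place, which the `si.setServiceKey(REDACTED)` in the later hunk suggests but deserves a comment; and `return new ArrayList(items)` is a raw type in both methods, `new ArrayList<>(items)` avoids the unchecked warning.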
@Override
@@ -235,6 +309,11 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
redact(bs);
continue; //access denied
}
+ if (username == null) {
+ redact(bs);
+ continue; //access denied
+
+ }
if (username.isOwner(ue)) {
//keep it
continue;
@@ -273,6 +352,11 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
si.setServiceKey(REDACTED);
continue; //access denied
}
+ if (username == null) {
+ si.setServiceKey(REDACTED);
+ continue; //access denied
+
+ }
if (username.isOwner(ue)) {
//keep it
continue;
@@ -333,12 +417,12 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
tx.begin();
Query createQuery = null;
if (arg0.getEntityId() != null && arg0.getEntityId().length() > 0) {
- createQuery = em.createQuery("select c from RbacRulesModel c where c.uddiEntityId=:id");
+ createQuery = em.createQuery("select c from RbacRulesModel c where c.uddiEntityId=:id", RbacRulesModel.class);
createQuery.setParameter("id", arg0.getEntityId());
} else {
- createQuery = em.createQuery("select c from RbacRulesModel c");
+ createQuery = em.createQuery("select c from RbacRulesModel c", RbacRulesModel.class);
}
-
+
set = createQuery.getResultList();
} finally {
@@ -351,7 +435,7 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
for (RbacRulesModel item : set) {
Permission permission = new Permission();
permission.setEntityId(item.getUddiEntityId());
- permission.setLevel(org.apache.juddi.api_v3.AccessLevel.fromValue(item.getAccessLevel().name()));
+ permission.setLevel((item.getAccessLevelAsEnum()));
permission.setAction(Action.NOOP);
permission.setTarget(item.getContainerRole());
//TODO permission.setType(item.);
@@ -363,7 +447,63 @@ public class RoleBasedAccessControlImpl implements IAccessControl {
@Override
public SetPermissionsMessageResponse setPermissions(SetPermissionsMessageRequest arg0) throws DispositionReportFaultMessage, RemoteException {
- throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+ EntityManager em = PersistenceManager.getEntityManager();
+ EntityTransaction tx = em.getTransaction();
+ try {
+ tx.begin();
+
+ for (Permission perm : arg0.getLevel()) {
+ if (perm.getAction() != Action.NOOP) {
+ Query createQuery = null;
+
+ createQuery = em.createQuery("delete from RbacRulesModel c where c.uddiEntityId=:id and c.containerRole=:user");
+ createQuery.setParameter("id", perm.getEntityId());
+ createQuery.setParameter("user", perm.getTarget());
+ createQuery.executeUpdate();
+ }
+
+ if (perm.getAction() == Action.ADD) {
+ RbacRulesModel r = new RbacRulesModel();
+ r.setAccessLevel(perm.getLevel().name());
+
+ r.setContainerRole(perm.getTarget());
+ r.setUddiEntityId(perm.getEntityId());
+ r.setId(UUID.randomUUID().toString());
+ em.persist(r);
+ }
+ }
+ tx.commit();
+
+ } finally {
+ if (tx.isActive()) {
+ tx.rollback();
+ }
+ em.close();
+ }
+ SetPermissionsMessageResponse response = new SetPermissionsMessageResponse();
+ return response;
+ }
+
+ private void redact(BusinessInfo bs) {
+
+ bs.setBusinessKey(REDACTED);
+ bs.getDescription().clear();
+ bs.setServiceInfos(null);
+ bs.getName().clear();
+ bs.getName().add(new Name(REDACTED, "en"));
+ }
+
+ private void redact(TModel bs) {
+
+ bs.setTModelKey(REDACTED);
+ bs.getDescription().clear();
+ bs.setCategoryBag(null);
+
+ bs.setName(new Name(REDACTED, "en"));
+ bs.getDescription().clear();
+ bs.getOverviewDoc().clear();
+ bs.getSignature().clear();
+ bs.setIdentifierBag(null);
}
}
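Review bot: `setPermissions` deletes and persists rules with no check that the requester may administer `perm.getEntityId()` — the method receives only the request, so if it is reachable through the web service the authorization has to happen in the caller, and nothing on the interface says so. At minimum add a Javadoc line, `Performs no authorization: callers must verify the requester owns (or holds OWN on) every entity in the request before calling.`, and reject malformed entries up front, since `perm.getLevel().name()` throws NullPointerException on an ADD without a level after the delete for that row has already executed in the same transaction (the rollback in `finally` covers it, but a validation pass before `tx.begin()` gives a clean fault). The delete query binds its parameters, which is right. In `redact(TModel)`, `bs.getDescription().clear()` appears twice.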
diff --git a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
index 39279b0..feeb502 100644
--- a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
+++ b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml
@@ -226,5 +226,12 @@
<logging>
<logInquirySearchPayloads>false</logInquirySearchPayloads>
</logging>
+
+ <!-- additional access control module
+ provides item level access permissions.
+ default is everyone can read everything, only owners can change stuff
+ -->
+ <accessControlProvider>org.apache.juddi.security.rbac.RoleBasedAccessControlImpl</accessControlProvider>
+
</juddi>
</config>
\ No newline at end of file
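Review bot: The comment says the default is that everyone can read everything, but the provider it enables redacts an item when the caller has no publisher (`username == null`) or when no rule exists for the entity (`rules.isEmpty()`) in the RoleBasedAccessControlImpl hunks of this commit, so shipping this as the WAR default turns anonymous inquiries into redacted results. Either the comment or the provider's fallback needs to change; if default-allow is intended, the comment should at least state the condition under which it holds, e.g. `<!-- item level access permissions; entities with no rule and anonymous callers are currently redacted -->`.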