Posted to scm@geronimo.apache.org by xu...@apache.org on 2010/09/27 07:38:22 UTC
svn commit: r1001592 - in
/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src:
main/java/org/apache/geronimo/web25/deployment/security/
test/java/org/apache/geronimo/web25/deployment/security/
test/resources/security/
Author: xuhaihong
Date: Mon Sep 27 05:38:22 2010
New Revision: 1001592
URL: http://svn.apache.org/viewvc?rev=1001592&view=rev
Log:
GERONIMO-5578 WebResourcePermission must be added to the corresponding role for each distinct combination in the cross-product of url-pattern and role-name (Patch from Han Hong Fang)
Added:
geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml (with props)
Modified:
geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/SpecSecurityBuilder.java Mon Sep 27 05:38:22 2010
@@ -53,7 +53,7 @@ public class SpecSecurityBuilder {
private final Map<UncheckedItem, HTTPMethods> uncheckedResourcePatterns = new HashMap<UncheckedItem, HTTPMethods>();
private final Map<UncheckedItem, HTTPMethods> uncheckedUserPatterns = new HashMap<UncheckedItem, HTTPMethods>();
private final Map<String, URLPattern> excludedPatterns = new HashMap<String, URLPattern>();
- private final Map<String, URLPattern> rolesPatterns = new HashMap<String, URLPattern>();
+ private final Map<String, Map<String, URLPattern>> rolesPatterns = new HashMap<String, Map<String, URLPattern>>();
private final Set<URLPattern> allSet = new HashSet<URLPattern>(); // == allMap.values()
private final Map<String, URLPattern> allMap = new HashMap<String, URLPattern>(); //uncheckedPatterns union excludedPatterns union rolesPatterns.
// private boolean useExcluded = false;
@@ -83,12 +83,19 @@ public class SpecSecurityBuilder {
public void analyzeSecurityConstraints(SecurityConstraintType[] securityConstraintArray) {
for (SecurityConstraintType securityConstraintType : securityConstraintArray) {
- Map<String, URLPattern> currentPatterns;
+ Map<String, URLPattern> currentPatterns = null;
+ Set<String> roleNames = null;
if (securityConstraintType.isSetAuthConstraint()) {
if (securityConstraintType.getAuthConstraint().getRoleNameArray().length == 0) {
currentPatterns = excludedPatterns;
} else {
- currentPatterns = rolesPatterns;
+ roleNames = new HashSet<String>();
+ for (RoleNameType roleName : securityConstraintType.getAuthConstraint().getRoleNameArray()) {
+ roleNames.add(roleName.getStringValue().trim());
+ }
+ if (roleNames.remove("*")) {
+ roleNames.addAll(securityRoles);
+ }
}
} else {
currentPatterns = uncheckedPatterns;
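Review bot: When the auth-constraint names `*` and `securityRoles` is empty, `roleNames.remove("*")` leaves the set empty and `currentPatterns` stays null, so the per-role loop later in this method hands the constraint's url-patterns to no role at all and they only land in `allMap`. Under JACC that is presumably a deny for every principal, which is a defensible reading of `*` over zero declared roles, but it happens silently at deployment time. A comment at the `addAll` would make the outcome explicit: `// "*" with no declared <security-role> leaves roleNames empty: the constraint grants nothing (fail-closed)`. analyzeSecurityConstraints continues past the end of this hunk.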
@@ -104,48 +111,46 @@ public class SpecSecurityBuilder {
UrlPatternType[] urlPatternTypeArray = webResourceCollectionType.getUrlPatternArray();
for (UrlPatternType urlPatternType : urlPatternTypeArray) {
String url = urlPatternType.getStringValue().trim();
- URLPattern pattern = currentPatterns.get(url);
- if (pattern == null) {
- pattern = new URLPattern(url);
- currentPatterns.put(url, pattern);
+ if(currentPatterns == null) {
+ for (String roleName : roleNames) {
+ currentPatterns = rolesPatterns.get(roleName);
+ if (currentPatterns == null) {
+ currentPatterns = new HashMap<String, URLPattern>();
+ rolesPatterns.put(roleName, currentPatterns);
+ }
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, currentPatterns);
+ }
+ } else {
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, currentPatterns);
}
-
URLPattern allPattern = allMap.get(url);
if (allPattern == null) {
allPattern = new URLPattern(url);
allSet.add(allPattern);
allMap.put(url, allPattern);
}
+ analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, allMap);
+ }
+ }
+ }
+ }
- String[] httpMethodTypeArray = webResourceCollectionType.getHttpMethodArray();
- if (httpMethodTypeArray.length == 0) {
- pattern.addMethod("");
- allPattern.addMethod("");
- } else {
- for (String aHttpMethodTypeArray : httpMethodTypeArray) {
- String method = (aHttpMethodTypeArray == null ? null : aHttpMethodTypeArray.trim());
- if (method != null) {
- pattern.addMethod(method);
- allPattern.addMethod(method);
- }
- }
- }
- if (currentPatterns == rolesPatterns) {
- RoleNameType[] roleNameTypeArray = securityConstraintType.getAuthConstraint().getRoleNameArray();
- for (RoleNameType roleNameType : roleNameTypeArray) {
- String role = roleNameType.getStringValue().trim();
- if (role.equals("*")) {
- pattern.addAllRoles(securityRoles);
- } else {
- pattern.addRole(role);
- }
- }
- }
-
- pattern.setTransport(transport);
+ private void analyzeURLPattern(String urlPattern, String[] httpMethods, String transport, Map<String, URLPattern> currentPatterns) {
+ URLPattern pattern = currentPatterns.get(urlPattern);
+ if (pattern == null) {
+ pattern = new URLPattern(urlPattern);
+ currentPatterns.put(urlPattern, pattern);
+ }
+ if (httpMethods.length == 0) {
+ pattern.addMethod("");
+ } else {
+ for (String httpMethod : httpMethods) {
+ if (httpMethod != null) {
+ pattern.addMethod(httpMethod.trim());
}
}
}
+ pattern.setTransport(transport);
}
public void removeExcludedDups() {
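Review bot: `currentPatterns` doubles as the cursor of the role loop (`currentPatterns = rolesPatterns.get(roleName)`), so once the first url-pattern of a multi-role constraint has been processed it is non-null, and every later url-pattern of that same constraint — the next `<url-pattern>` or the next `<web-resource-collection>` — takes the `else` branch and is recorded only under whichever role the HashSet happened to iterate last. The other roles silently lose the WebResourcePermission for those patterns; that is fail-closed, but it is not what the descriptor declares, and web6.xml cannot catch it because each constraint there names a single role. Use a loop-local map for the per-role bucket and leave `currentPatterns` null, as below. The get-or-create of the allMap entry is now also duplicated by the following `analyzeURLPattern(..., allMap)` call, so only the `allSet.add` is still needed from the older lines. analyzeSecurityConstraints begins before this hunk.
```java
                        if (currentPatterns == null) {
                            for (String roleName : roleNames) {
                                // one bucket per role; never reuse currentPatterns as the cursor,
                                // or the next url-pattern of this constraint skips the role loop
                                Map<String, URLPattern> rolePatterns = rolesPatterns.get(roleName);
                                if (rolePatterns == null) {
                                    rolePatterns = new HashMap<String, URLPattern>();
                                    rolesPatterns.put(roleName, rolePatterns);
                                }
                                analyzeURLPattern(url, webResourceCollectionType.getHttpMethodArray(), transport, rolePatterns);
                            }
                        } else {
                            // … unchanged: excluded / unchecked bucket …
```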
@@ -153,7 +158,9 @@ public class SpecSecurityBuilder {
String url = excluded.getKey();
URLPattern pattern = excluded.getValue();
removeExcluded(url, pattern, uncheckedPatterns);
- removeExcluded(url, pattern, rolesPatterns);
+ for (Map<String, URLPattern> rolePatterns : rolesPatterns.values()) {
+ removeExcluded(url, pattern, rolePatterns);
+ }
}
}
@@ -177,21 +184,17 @@ public class SpecSecurityBuilder {
policyConfiguration.addToExcludedPolicy(new WebUserDataPermission(name, actions));
}
}
-
- for (URLPattern pattern : rolesPatterns.values()) {
- String name = pattern.getQualifiedPattern(allSet);
- String actions = pattern.getMethods();
- WebResourcePermission permission = new WebResourcePermission(name, actions);
-
- for (String roleName : pattern.getRoles()) {
- policyConfiguration.addToRole(roleName, permission);
+ for (Map.Entry<String, Map<String, URLPattern>> entry : rolesPatterns.entrySet()) {
+ for (URLPattern pattern : entry.getValue().values()) {
+ String name = pattern.getQualifiedPattern(allSet);
+ String actions = pattern.getMethods();
+ WebResourcePermission permission = new WebResourcePermission(name, actions);
+ policyConfiguration.addToRole(entry.getKey(), permission);
+ HTTPMethods methods = pattern.getHTTPMethods();
+ int transportType = pattern.getTransport();
+ addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
}
- HTTPMethods methods = pattern.getHTTPMethods();
- int transportType = pattern.getTransport();
-
- addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType);
}
-
for (URLPattern pattern : uncheckedPatterns.values()) {
String name = pattern.getQualifiedPattern(allSet);
HTTPMethods methods = pattern.getHTTPMethods();
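Review bot: The same qualified pattern is now fed into `uncheckedUserPatterns` once per role via `addOrUpdatePattern(uncheckedUserPatterns, name, methods, transportType)`, each call carrying that role's methods and transport, whereas before this commit a single URLPattern supplied the merged methods and the last-set transport. `addOrUpdatePattern` is outside this hunk; confirm it unions methods per transport type for an existing name rather than replacing, because WebUserDataPermission is role-independent and a replace would let the last role iterated decide the transport guarantee for everyone on that URL. `pattern.getQualifiedPattern(allSet)` is also recomputed for every role holding the same pattern string; caching by pattern is only a performance nicety. buildSpecSecurityConfig starts before and ends after this hunk.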
@@ -246,8 +249,7 @@ public class SpecSecurityBuilder {
policyConfiguration.addToUncheckedPolicy(new WebUserDataPermission(item.getName(), actions));
}
-
-// System.out.println(policyConfiguration.getAudit());
+ //System.out.println(policyConfiguration.getAudit());
return policyConfiguration.getComponentPermissions();
}
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/main/java/org/apache/geronimo/web25/deployment/security/URLPattern.java Mon Sep 27 05:38:22 2010
@@ -38,7 +38,6 @@ public class URLPattern {
private final String pattern;
private final HTTPMethods httpMethods = new HTTPMethods();
private int transport;
- private final HashSet<String> roles = new HashSet<String>();
/**
* Construct an instance of the utility class for <code>WebModuleConfiguration</code>.
@@ -176,19 +175,6 @@ public class URLPattern {
return transport;
}
- public void addRole(String role) {
- roles.add(role);
- }
-
- public void addAllRoles(Collection<String> collection) {
- roles.addAll(collection);
- }
-
- public HashSet<String> getRoles() {
- return roles;
- }
-
-
/**
* TODO this is kinda weird without an explanation
* @param obj object to compare with
Modified: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java?rev=1001592&r1=1001591&r2=1001592&view=diff
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java (original)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/java/org/apache/geronimo/web25/deployment/security/SpecSecurityParsingTest.java Mon Sep 27 05:38:22 2010
@@ -21,30 +21,17 @@
package org.apache.geronimo.web25.deployment.security;
import java.net.URL;
-import java.util.Collection;
-import java.util.Set;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.HashMap;
-import java.util.Collections;
-import java.util.jar.JarFile;
-import java.security.PermissionCollection;
import java.security.Permission;
+import java.security.PermissionCollection;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
import junit.framework.TestCase;
-import org.apache.geronimo.common.DeploymentException;
-import org.apache.geronimo.deployment.ModuleIDBuilder;
-import org.apache.geronimo.gbean.AbstractName;
-import org.apache.geronimo.j2ee.deployment.EARContext;
-import org.apache.geronimo.j2ee.deployment.Module;
-import org.apache.geronimo.kernel.Naming;
-import org.apache.geronimo.xbeans.javaee.WebAppType;
-import org.apache.geronimo.xbeans.javaee.WebAppDocument;
+
import org.apache.geronimo.security.jacc.ComponentPermissions;
-import org.apache.geronimo.web25.deployment.AbstractWebModuleBuilder;
+import org.apache.geronimo.xbeans.javaee.WebAppDocument;
+import org.apache.geronimo.xbeans.javaee.WebAppType;
import org.apache.xmlbeans.XmlOptions;
/**
@@ -86,7 +73,7 @@ public class SpecSecurityParsingTest ext
assertFalse(implies(new WebResourcePermission("/Test", ""), permissions, null));
assertFalse(implies(new WebResourcePermission("/Test", "!"), permissions, null));
}
-
+
public void testExcludedConstraint() throws Exception {
URL srcXml = classLoader.getResource("security/web3.xml");
WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
@@ -164,6 +151,20 @@ public class SpecSecurityParsingTest ext
assertTrue(implies(p, permissions, null));
}
+ public void testDifferentRoleDifferentHttpMethod() throws Exception {
+ URL srcXml = classLoader.getResource("security/web6.xml");
+ WebAppDocument webAppDoc = WebAppDocument.Factory.parse(srcXml, options);
+ WebAppType webAppType = webAppDoc.getWebApp();
+ SpecSecurityBuilder builder = new SpecSecurityBuilder();
+ ComponentPermissions permissions = builder.buildSpecSecurityConfig(webAppType);
+ Permission p = new WebResourcePermission("/app/*", "GET");
+ assertTrue(implies(p, permissions, "userGet"));
+ assertFalse(implies(p, permissions, "userPost"));
+ p = new WebResourcePermission("/app/home", "POST");
+ assertTrue(implies(p, permissions, "userPost"));
+ assertFalse(implies(p, permissions, "userGet"));
+ }
+
private boolean implies(Permission p, ComponentPermissions permissions, String role) {
PermissionCollection excluded = permissions.getExcludedPermissions();
if (excluded.implies(p)) return false;
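Review bot: The new test uses one role-name per auth-constraint, so the cross-product the commit title promises — several role-names in one auth-constraint combined with several url-patterns — has no coverage, and the per-role loop in SpecSecurityBuilder.analyzeSecurityConstraints is exactly the path such a fixture would exercise. Add a descriptor with one constraint listing `/app/*` and `/app/home` together with two role-names, then assert `implies(new WebResourcePermission("/app/home", "GET"), permissions, "roleA")` and the same for `"roleB"`, plus the negative case for an undeclared role. `implies` continues past the end of this hunk.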
@@ -173,5 +174,4 @@ public class SpecSecurityParsingTest ext
PermissionCollection rolePermissions = permissions.getRolePermissions().get(role);
return rolePermissions != null && rolePermissions.implies(p);
}
-
}
Added: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml?rev=1001592&view=auto
==============================================================================
--- geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml (added)
+++ geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml Mon Sep 27 05:38:22 2010
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<web-app xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+ version="2.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>resource1</web-resource-name>
+ <url-pattern>/app/*</url-pattern>
+ <url-pattern>/app/home</url-pattern>
+ <http-method>GET</http-method>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>userGet</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>resource2</web-resource-name>
+ <url-pattern>/app/*</url-pattern>
+ <url-pattern>/app/home</url-pattern>
+ <http-method>POST</http-method>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>userPost</role-name>
+ </auth-constraint>
+ </security-constraint>
+</web-app>
\ No newline at end of file
Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/branches/2.2/plugins/j2ee/geronimo-web-2.5-builder/src/test/resources/security/web6.xml
------------------------------------------------------------------------------
svn:mime-type = text/xml