Posted to commits@aries.apache.org by cs...@apache.org on 2014/07/15 15:41:46 UTC
svn commit: r1610698 - in /aries/trunk/blueprint: ./ blueprint-authz/
blueprint-authz/src/ blueprint-authz/src/main/
blueprint-authz/src/main/java/ blueprint-authz/src/main/java/org/
blueprint-authz/src/main/java/org/apache/ blueprint-authz/src/main/ja...
Author: cschneider
Date: Tue Jul 15 13:41:44 2014
New Revision: 1610698
URL: http://svn.apache.org/r1610698
Log:
ARIES-1226 JAAS and JEE annotation based authorization
Added:
aries/trunk/blueprint/blueprint-authz/
aries/trunk/blueprint/blueprint-authz/.gitignore
aries/trunk/blueprint/blueprint-authz/LICENSE
aries/trunk/blueprint/blueprint-authz/README.md
aries/trunk/blueprint/blueprint-authz/pom.xml
aries/trunk/blueprint/blueprint-authz/src/
aries/trunk/blueprint/blueprint-authz/src/main/
aries/trunk/blueprint/blueprint-authz/src/main/java/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/Activator.java
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AnnotationParser.java
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationNsHandler.java
aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/SecurityAnotationParser.java
aries/trunk/blueprint/blueprint-authz/src/main/resources/
aries/trunk/blueprint/blueprint-authz/src/main/resources/authz10.xsd
aries/trunk/blueprint/blueprint-authz/src/test/
aries/trunk/blueprint/blueprint-authz/src/test/java/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/SecurityAnnoationParserTest.java
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/
aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/SecuredClass.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/GroupPrincipal.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/JAASHelper.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/NamedPrincipal.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/SimpleLoginModule.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/UserPrincipal.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/SecuredService.java
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/SecuredServiceImpl.java
aries/trunk/blueprint/blueprint-itests/src/test/resources/authz.xml
aries/trunk/blueprint/blueprint-parser/.gitignore
Modified:
aries/trunk/blueprint/blueprint-itests/pom.xml
aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/AbstractBlueprintIntegrationTest.java
aries/trunk/blueprint/pom.xml
Added: aries/trunk/blueprint/blueprint-authz/.gitignore
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/.gitignore?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/.gitignore (added)
+++ aries/trunk/blueprint/blueprint-authz/.gitignore Tue Jul 15 13:41:44 2014
@@ -0,0 +1,17 @@
+*.class
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.ear
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+/target/
+
+.classpath
+.project
+.settings/
Added: aries/trunk/blueprint/blueprint-authz/LICENSE
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/LICENSE?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/LICENSE (added)
+++ aries/trunk/blueprint/blueprint-authz/LICENSE Tue Jul 15 13:41:44 2014
@@ -0,0 +1,201 @@
+Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright {yyyy} {name of copyright owner}
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
\ No newline at end of file
Added: aries/trunk/blueprint/blueprint-authz/README.md
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/README.md?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/README.md (added)
+++ aries/trunk/blueprint/blueprint-authz/README.md Tue Jul 15 13:41:44 2014
@@ -0,0 +1,18 @@
+Blueprint extension for role based access control based on JAAS and JEE annotations
+===================================================================================
+
+An aries blueprint extension that supports role based access control based on a JAAS login and the JEE @RolesAllowed annotation.
+
+install -s mvn:org.apache.aries.blueprint/org.apache.aries.blueprint.annotation-authz/1.0.0-SNAPSHOT
+
+To use it add the authz namespace xmlns:authz="http://aries.apache.org/xmlns/authorization/v1.0.0" to your blueprint file and place a <authz:enable/> element at the start of your context.
+
+This will enable annotation scanning for all beans in the context. For bean classes that have the @RolesAllowed annotation an Authorization interceptor will be added. This interceptor will read the JAAS Subject from AccesControlContext and use the principles there to do the authorization.
+
+Sample blueprint snippet
+
+<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:authz="http://aries.apache.org/xmlns/authorization/v1.0.0">
+ <authz:enable/>
+ <bean id="personServiceImpl" class="net.lr.tutorial.karaf.cxf.personservice.impl.PersonServiceImpl"/>
+</blueprint>
+
Added: aries/trunk/blueprint/blueprint-authz/pom.xml
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/pom.xml?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/pom.xml (added)
+++ aries/trunk/blueprint/blueprint-authz/pom.xml Tue Jul 15 13:41:44 2014
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.aries</groupId>
+ <artifactId>parent</artifactId>
+ <version>2.0.0</version>
+ </parent>
+
+ <groupId>org.apache.aries.blueprint</groupId>
+ <artifactId>org.apache.aries.blueprint.authz</artifactId>
+ <packaging>bundle</packaging>
+ <version>1.0.0-SNAPSHOT</version>
+ <name>Aries :: blueprint :: annotation based authorization</name>
+
+ <properties>
+ <!-- Export package versions are maintained in packageinfo files -->
+ <aries.osgi.export.pkg>javax.annotation.security</aries.osgi.export.pkg>
+ <aries.osgi.import.pkg>javax.annotation.security,*</aries.osgi.import.pkg>
+ <aries.osgi.private.pkg>org.apache.aries.blueprint.authorization.impl</aries.osgi.private.pkg>
+ <aries.osgi.activator>org.apache.aries.blueprint.authorization.impl.Activator</aries.osgi.activator>
+
+ <!-- Not exporting any packages -->
+ <aries.skip.version.check>true</aries.skip.version.check>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.core</artifactId>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.annotation</groupId>
+ <artifactId>javax.annotation-api</artifactId>
+ <version>1.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.aries.blueprint</groupId>
+ <artifactId>org.apache.aries.blueprint.core</artifactId>
+ <version>1.0.0</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.aries.testsupport</groupId>
+ <artifactId>org.apache.aries.testsupport.unit</artifactId>
+ <scope>test</scope>
+ <version>1.0.0</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.osgi</groupId>
+ <artifactId>org.osgi.compendium</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+
+ </dependencies>
+
+</project>
+
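Review bot: The comment `<!-- Not exporting any packages -->` above `aries.skip.version.check` contradicts the `aries.osgi.export.pkg` property a few lines earlier, which exports `javax.annotation.security` from this bundle. If the export is intended (so that bean bundles can resolve the JSR-250 annotations from this bundle), the comment should say so and the line `<!-- Export package versions are maintained in packageinfo files -->` implies a `packageinfo` file for that package that this commit does not add, which would leave the export unversioned; if the export is not intended, drop the property and keep the comment. Re-exporting a `javax.*` package that `javax.annotation-api` also provides at compile scope may also give the framework two providers of the same package — worth confirming against the target container before release.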
Added: aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/Activator.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/Activator.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/Activator.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/Activator.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,24 @@
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.util.Dictionary;
+import java.util.Hashtable;
+
+import org.apache.aries.blueprint.NamespaceHandler;
+import org.osgi.framework.BundleActivator;
+import org.osgi.framework.BundleContext;
+
+public class Activator implements BundleActivator {
+
+ @Override
+ public void start(BundleContext context) throws Exception {
+ AuthorizationNsHandler handler = new AuthorizationNsHandler();
+ Dictionary<String, String> props = new Hashtable<String, String>();
+ props.put("osgi.service.blueprint.namespace", "http://aries.apache.org/xmlns/authorization/v1.0.0");
+ context.registerService(NamespaceHandler.class, handler, props);
+ }
+
+ @Override
+ public void stop(BundleContext context) throws Exception {
+ }
+
+}
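Review bot: `Activator.java` is the only Java file added in this commit without the ASF license header that `AnnotationParser.java`, `AuthorizationInterceptor.java` and `AuthorizationNsHandler.java` carry; add the same header block at the top for consistency with the rest of the module. The class itself could also use a one-line Javadoc stating its purpose, e.g. `/** Registers the authz NamespaceHandler for http://aries.apache.org/xmlns/authorization/v1.0.0 so Blueprint can resolve <authz:enable/>. */`, and a comment on the empty `stop()` noting that the service registration is released by the framework when the bundle stops.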
Added: aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AnnotationParser.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AnnotationParser.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AnnotationParser.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AnnotationParser.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.lang.reflect.Method;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.RolesAllowed;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.aries.blueprint.BeanProcessor;
+import org.apache.aries.blueprint.ComponentDefinitionRegistry;
+import org.osgi.service.blueprint.reflect.BeanMetadata;
+
+public class AnnotationParser implements BeanProcessor {
+ private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationInterceptor.class);
+ private ComponentDefinitionRegistry cdr;
+ public static final String ANNOTATION_PARSER_BEAN_NAME = "org_apache_aries_authz_annotations";
+
+ public AnnotationParser() {
+ }
+
+ public void setCdr(ComponentDefinitionRegistry cdr) {
+ this.cdr = cdr;
+ }
+
+ public void afterDestroy(Object arg0, String arg1) {
+ }
+
+ public Object afterInit(Object bean, String beanName, BeanCreator beanCreator, BeanMetadata beanData) {
+ return bean;
+ }
+
+ public void beforeDestroy(Object arg0, String arg1) {
+ }
+
+ public Object beforeInit(Object bean, String beanName, BeanCreator beanCreator, BeanMetadata beanData) {
+ Class<?> c = bean.getClass();
+ if (isSecured(c)) {
+ LOGGER.debug("Adding annotation based authorization interceptor for bean {} with class {}", beanName, c);
+ cdr.registerInterceptorWithComponent(beanData, new AuthorizationInterceptor());
+ }
+ return bean;
+ }
+
+ /**
+ * A class is secured if @RolesAllowed is used on class or method level of the class or its hierarchy.
+ *
+ * @param clazz
+ * @return
+ */
+ private boolean isSecured(Class<?> clazz) {
+ if (clazz == Object.class) {
+ return false;
+ }
+ if (clazz.getAnnotation(RolesAllowed.class) != null || clazz.getAnnotation(DenyAll.class) != null) {
+ return true;
+ }
+ for (Method m : clazz.getMethods()) {
+ if (m.getAnnotation(RolesAllowed.class) != null) {
+ return true;
+ }
+ if (m.getAnnotation(DenyAll.class) != null) {
+ return true;
+ }
+
+ }
+ return false;
+ }
+
+}
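Review bot: The Javadoc on `isSecured` claims a class is secured if the annotation appears "on class or method level of the class or its hierarchy", but the class-level checks only look at `clazz` itself; `RolesAllowed` and `DenyAll` are not `@Inherited`, so a class-level annotation on a superclass is not seen, and the `clazz == Object.class` guard suggests a superclass walk that was never written. The effect is fail-open: such a bean gets no `AuthorizationInterceptor` at all, which is the opposite of what a caller reading the Javadoc expects. `getMethods()` does cover inherited public methods, so the method-level part of the claim holds; the class-level part needs the loop below, and the remaining scan can stay as is. Separately, `LOGGER` on the first field line is created with `AuthorizationInterceptor.class`; it should be `LoggerFactory.getLogger(AnnotationParser.class)` so log output is attributed to the right class.
```java
    private boolean isSecured(Class<?> clazz) {
        // Class-level @RolesAllowed/@DenyAll are not @Inherited, so walk the superclass chain explicitly.
        for (Class<?> c = clazz; c != null && c != Object.class; c = c.getSuperclass()) {
            if (c.getAnnotation(RolesAllowed.class) != null || c.getAnnotation(DenyAll.class) != null) {
                return true;
            }
        }
        // … unchanged: public-method scan over clazz.getMethods() …
        return false;
    }
```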
Added: aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationInterceptor.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessControlException;
+import java.security.AccessController;
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.security.auth.Subject;
+
+import org.apache.aries.blueprint.Interceptor;
+import org.osgi.service.blueprint.reflect.ComponentMetadata;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuthorizationInterceptor implements Interceptor {
+ private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationInterceptor.class);
+
+ public int getRank() {
+ return 0;
+ }
+
+ public void postCallWithException(ComponentMetadata cm, Method m, Throwable ex, Object preCallToken) {
+ }
+
+ public void postCallWithReturn(ComponentMetadata cm, Method m, Object returnType, Object preCallToken)
+ throws Exception {
+ }
+
+ public Object preCall(ComponentMetadata cm, Method m, Object... parameters) throws Throwable {
+ Annotation ann = new SecurityAnotationParser().getEffectiveAnnotation(m);
+ if (ann instanceof PermitAll) {
+ return null;
+ }
+ String[] rolesAr = new String[] {}; // Also applies for @DenyAll
+ if (ann instanceof RolesAllowed) {
+ rolesAr = ((RolesAllowed) ann).value();
+ }
+ Set<String> roles = new HashSet<String>(Arrays.asList(rolesAr));
+ AccessControlContext acc = AccessController.getContext();
+ Subject subject = Subject.getSubject(acc);
+ if (subject == null) {
+ throw new AccessControlException("Method call " + m.getDeclaringClass() + "." + m.getName() + " denied. No JAAS login present");
+ }
+ Set<Principal> principals = subject.getPrincipals();
+
+
+ for (Principal principal : principals) {
+ if (roles.contains(principal.getName())) {
+ if (LOGGER.isDebugEnabled()) {
+ LOGGER.debug("Granting access to Method: " + m + " for " + principal);
+ }
+ return null;
+ }
+ }
+
+ throw new AccessControlException("Method call " + m.getDeclaringClass() + "." + m.getName() + " denied. Roles allowed are " + roles + ". "
+ + "Your principals are " + getNames(principals) +".");
+ }
+
+ private String getNames(Set<Principal> principals) {
+ StringBuilder sb = new StringBuilder();
+ for (Principal principal : principals) {
+ sb.append(principal.getName() + " ");
+ }
+ return sb.toString();
+ }
+
+}
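Review bot: The role check in `preCall` (the loop over `principals`) grants access when any `Principal` whose `getName()` equals an allowed role is present, regardless of the principal's type, so a user or other non-role principal that happens to carry a role's name satisfies `@RolesAllowed`; the itest helpers added in this commit (`GroupPrincipal`, `UserPrincipal`, `NamedPrincipal`) suggest that distinction is meant to exist. Consider matching only the principal type that represents a role or group (or making that class configurable via the namespace handler) and documenting the chosen rule in the class Javadoc. When `ann` is null — the method has no effective annotation — the code falls through with an empty role set and denies, which is the safe default but is not obvious; a comment such as `// no effective annotation: treat as @DenyAll` on the `rolesAr` line would make it explicit. The two `AccessControlException` messages also return the full principal list and allowed roles to the caller; whether that is acceptable depends on who can observe the exception, and is worth a note in the Javadoc.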
Added: aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationNsHandler.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationNsHandler.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationNsHandler.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/AuthorizationNsHandler.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.net.URL;
+import java.util.Set;
+
+import org.apache.aries.blueprint.ComponentDefinitionRegistry;
+import org.apache.aries.blueprint.NamespaceHandler;
+import org.apache.aries.blueprint.ParserContext;
+import org.apache.aries.blueprint.mutable.MutableBeanMetadata;
+import org.apache.aries.blueprint.mutable.MutablePassThroughMetadata;
+import org.osgi.service.blueprint.reflect.ComponentMetadata;
+import org.osgi.service.blueprint.reflect.Metadata;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+public class AuthorizationNsHandler implements NamespaceHandler {
+
+ private void parseElement(Element elt, ComponentMetadata cm, ParserContext pc) {
+ ComponentDefinitionRegistry cdr = pc.getComponentDefinitionRegistry();
+
+ if ("enable".equals(elt.getLocalName())) {
+ if (!cdr.containsComponentDefinition(AnnotationParser.ANNOTATION_PARSER_BEAN_NAME)) {
+ MutableBeanMetadata meta = pc.createMetadata(MutableBeanMetadata.class);
+ meta.setId(AnnotationParser.ANNOTATION_PARSER_BEAN_NAME);
+ meta.setRuntimeClass(AnnotationParser.class);
+ meta.setProcessor(true);
+ MutablePassThroughMetadata cdrMeta = pc.createMetadata(MutablePassThroughMetadata.class);
+ cdrMeta.setObject(cdr);
+ meta.addProperty("cdr", cdrMeta);
+ cdr.registerComponentDefinition(meta);
+ }
+ }
+ }
+
+ public ComponentMetadata decorate(Node node, ComponentMetadata cm, ParserContext pc) {
+ if (node instanceof Element) {
+ Element elt = (Element)node;
+ parseElement(elt, cm, pc);
+ }
+ return cm;
+ }
+
+ public Metadata parse(Element elt, ParserContext pc) {
+ parseElement(elt, pc.getEnclosingComponent(), pc);
+ return null;
+ }
+
+ public URL getSchemaLocation(String namespace) {
+ return this.getClass().getResource("/authz10.xsd");
+ }
+
+ @SuppressWarnings("rawtypes")
+ public Set<Class> getManagedClasses() {
+ return null;
+ }
+
+}
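Review bot: `getSchemaLocation` ignores its `namespace` argument on the line `return this.getClass().getResource("/authz10.xsd");`, so the handler hands out the authz schema for any namespace it is asked about; it should answer only for its own namespace, e.g. `return "http://aries.apache.org/xmlns/authorization/v1.0.0".equals(namespace) ? this.getClass().getResource("/authz10.xsd") : null;`. The `cm` parameter of `parseElement` is never read, and `getManagedClasses` returns `null` rather than an empty set, so any caller that iterates the result needs a null check; `Collections.<Class>emptySet()` would be the safer return, although the NamespaceHandler contract is not visible here. A class-level Javadoc stating that `<authz:enable/>` registers the `AnnotationParser` bean processor once per component definition registry would help readers of the handler.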
Added: aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/SecurityAnotationParser.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/SecurityAnotationParser.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/SecurityAnotationParser.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/java/org/apache/aries/blueprint/authorization/impl/SecurityAnotationParser.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,45 @@
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.AnnotatedElement;
+import java.lang.reflect.Method;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+/**
+ * Evaluates JEE security annotations
+ * @see PermitAll
+ * @see DenyAll
+ * @see RolesAllowed
+ */
+class SecurityAnotationParser {
+
+ /**
+ * Get the effective annotation regarding method annotations override class annotations.
+ * DenyAll has highest priority then RolesAllowed and in the end PermitAll.
+ * So the most restrictive annotation is pereferred.
+ *
+ * @param m Method to check
+ * @return effective annotation (either DenyAll, PermitAll or RolesAllowed)
+ */
+ Annotation getEffectiveAnnotation(Method m) {
+ Annotation classLevel = getAuthAnnotation(m.getDeclaringClass());
+ Annotation methodLevel = getAuthAnnotation(m);
+ return (methodLevel != null) ? methodLevel : classLevel;
+ }
+
+ private Annotation getAuthAnnotation(AnnotatedElement element) {
+ Annotation ann = null;
+ ann = element.getAnnotation(DenyAll.class);
+ if (ann == null) {
+ ann = element.getAnnotation(RolesAllowed.class);
+ }
+ if (ann == null) {
+ ann = element.getAnnotation(PermitAll.class);
+ }
+ return ann;
+ }
+
+}
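Review bot: The Javadoc on `getEffectiveAnnotation` says DenyAll has the highest priority and "the most restrictive annotation is preferred", but the line `return (methodLevel != null) ? methodLevel : classLevel;` gives a method-level annotation absolute precedence, so a method-level `@PermitAll` overrides a class-level `@DenyAll`. The DenyAll > RolesAllowed > PermitAll order only applies inside `getAuthAnnotation`, when one element carries several of the three annotations; the Javadoc should say so, e.g. `A method-level annotation always overrides the class-level one; when a single element carries several annotations, DenyAll wins over RolesAllowed, which wins over PermitAll.` Also "pereferred" is a typo, the class name `SecurityAnotationParser` is misspelled (and the test class repeats it as `SecurityAnnoationParserTest`), and this file lacks the ASF license header the other new sources carry.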
Added: aries/trunk/blueprint/blueprint-authz/src/main/resources/authz10.xsd
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/main/resources/authz10.xsd?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/main/resources/authz10.xsd (added)
+++ aries/trunk/blueprint/blueprint-authz/src/main/resources/authz10.xsd Tue Jul 15 13:41:44 2014
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+-->
+<xsd:schema xmlns="http://aries.apache.org/xmlns/authorization/v1.0.0"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ targetNamespace="http://aries.apache.org/xmlns/authorization/v1.0.0"
+ elementFormDefault="qualified"
+ attributeFormDefault="unqualified"
+ version="1.0.0">
+
+ <xsd:element name="enable" type="xsd:string"></xsd:element>
+</xsd:schema>
\ No newline at end of file
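Review bot: `<xsd:element name="enable" type="xsd:string">` declares a marker element as string-typed, so `<authz:enable>any text</authz:enable>` validates even though the handler only inspects the element's local name; an empty complex type expresses the intent, `<xsd:element name="enable"><xsd:complexType/></xsd:element>`. The `standalone="no"` in the XML declaration is the default and can be dropped. A short `<xsd:annotation><xsd:documentation>` saying that the element turns on JEE security-annotation enforcement for the beans of the enclosing blueprint would document the namespace's only element.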
Added: aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/SecurityAnnoationParserTest.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/SecurityAnnoationParserTest.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/SecurityAnnoationParserTest.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/SecurityAnnoationParserTest.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,44 @@
+package org.apache.aries.blueprint.authorization.impl;
+
+import java.lang.annotation.Annotation;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+import org.apache.aries.blueprint.authorization.impl.test.SecuredClass;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SecurityAnnoationParserTest {
+
+ private SecurityAnotationParser annParser;
+
+ public SecurityAnnoationParserTest() {
+ annParser = new SecurityAnotationParser();
+ }
+
+ @Test
+ public void testAnnotationType() throws NoSuchMethodException, SecurityException {
+ Assert.assertTrue(getEffective("admin") instanceof RolesAllowed);
+ Assert.assertTrue(getEffective("user") instanceof RolesAllowed);
+ Assert.assertTrue(getEffective("anon") instanceof PermitAll);
+ Assert.assertTrue(getEffective("closed") instanceof DenyAll);
+ }
+
+ @Test
+ public void testRoles() throws NoSuchMethodException, SecurityException {
+ Assert.assertArrayEquals(new String[]{"admin"}, getRoles("admin"));
+ Assert.assertArrayEquals(new String[]{"user"}, getRoles("user"));
+ }
+
+ private Annotation getEffective(String methodName) throws NoSuchMethodException {
+ return annParser.getEffectiveAnnotation(SecuredClass.class.getMethod(methodName));
+ }
+
+ private String[] getRoles(String methodName) throws NoSuchMethodException {
+ Annotation ann = getEffective(methodName);
+ Assert.assertTrue(ann instanceof RolesAllowed);
+ return ((RolesAllowed)ann).value();
+ }
+}
Added: aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/SecuredClass.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/SecuredClass.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/SecuredClass.java (added)
+++ aries/trunk/blueprint/blueprint-authz/src/test/java/org/apache/aries/blueprint/authorization/impl/test/SecuredClass.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,28 @@
+package org.apache.aries.blueprint.authorization.impl.test;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+@RolesAllowed("admin")
+public class SecuredClass {
+
+ public void admin() {
+
+ }
+
+ @RolesAllowed("user")
+ public void user() {
+
+ }
+
+ @PermitAll
+ public void anon() {
+
+ }
+
+ @DenyAll
+ public void closed() {
+
+ }
+}
Modified: aries/trunk/blueprint/blueprint-itests/pom.xml
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/pom.xml?rev=1610698&r1=1610697&r2=1610698&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/pom.xml (original)
+++ aries/trunk/blueprint/blueprint-itests/pom.xml Tue Jul 15 13:41:44 2014
@@ -70,6 +70,11 @@
<version>1.2.2-SNAPSHOT</version>
</dependency>
<dependency>
+ <groupId>org.apache.aries.blueprint</groupId>
+ <artifactId>org.apache.aries.blueprint.authz</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.aries.proxy</groupId>
<artifactId>org.apache.aries.proxy.impl</artifactId>
<version>1.0.3</version>
Modified: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/AbstractBlueprintIntegrationTest.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/AbstractBlueprintIntegrationTest.java?rev=1610698&r1=1610697&r2=1610698&view=diff
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/AbstractBlueprintIntegrationTest.java (original)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/AbstractBlueprintIntegrationTest.java Tue Jul 15 13:41:44 2014
@@ -71,7 +71,7 @@ public abstract class AbstractBlueprintI
}
return composite(
junitBundles(),
- systemProperty("org.ops4j.pax.logging.DefaultServiceLog.level").value("INFO"),
+ systemProperty("org.ops4j.pax.logging.DefaultServiceLog.level").value("DEBUG"),
when(localRepo != null).useOptions(vmOption("-Dorg.ops4j.pax.url.mvn.localRepository=" + localRepo)),
mvnBundle("org.ops4j.pax.logging", "pax-logging-api"),
mvnBundle("org.ops4j.pax.logging", "pax-logging-service")
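Review bot: Raising the default pax-logging level from INFO to DEBUG on the `systemProperty("org.ops4j.pax.logging.DefaultServiceLog.level").value("DEBUG")` line affects every integration test built on this base class, not only the new authorization tests, and looks like a debugging leftover; unless the noisier output is wanted permanently, revert to `"INFO"` or read the level from a system property with INFO as the default. The enclosing method starts outside the hunk.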
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,120 @@
+package org.apache.aries.blueprint.itests.authz;
+
+import static org.apache.aries.blueprint.itests.Helper.mvnBundle;
+import static org.ops4j.pax.exam.CoreOptions.streamBundle;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.AccessControlException;
+import java.security.PrivilegedAction;
+
+import javax.inject.Inject;
+import javax.security.auth.login.LoginException;
+
+import org.apache.aries.blueprint.itests.AbstractBlueprintIntegrationTest;
+import org.apache.aries.blueprint.itests.Helper;
+import org.apache.aries.blueprint.itests.authz.helper.JAASHelper;
+import org.apache.aries.blueprint.itests.authz.testbundle.SecuredService;
+import org.apache.aries.blueprint.itests.authz.testbundle.impl.SecuredServiceImpl;
+import org.junit.Test;
+import org.ops4j.pax.exam.CoreOptions;
+import org.ops4j.pax.exam.Option;
+import org.ops4j.pax.exam.ProbeBuilder;
+import org.ops4j.pax.exam.TestProbeBuilder;
+import org.ops4j.pax.tinybundles.core.TinyBundles;
+import org.osgi.framework.BundleException;
+import org.osgi.framework.Constants;
+
+/**
+ * Test calling a service that is secured using the blueprint-authz module.
+ *
+ * Access is regulated using JEE security annotations
+ * @see SecuredServiceImpl
+ */
+public class AuthorizationTest extends AbstractBlueprintIntegrationTest {
+ @Inject
+ SecuredService service;
+
+ @Test
+ public void testOnlyAdminOk() throws LoginException, BundleException {
+ JAASHelper.doAs(new String[] {"admin"}, new CallOnlyAdmin());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testOnlyAdminDenied() throws LoginException, BundleException {
+ JAASHelper.doAs(new String[] {"user"}, new CallOnlyAdmin());
+ }
+
+ @Test
+ public void testUserAdndAdminOk() throws LoginException, BundleException {
+ JAASHelper.doAs(new String[] {"admin"}, new CallUserAndAdmin());
+ JAASHelper.doAs(new String[] {"user"}, new CallUserAndAdmin());
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testUserAdndAdminDeniedForUnauthenticated() throws LoginException, BundleException {
+ service.userAndAdmin("Hi");
+ }
+
+ @Test
+ public void testAnyOneUnauthenticatedOk() throws LoginException, BundleException {
+ service.anyOne("Hi");
+ }
+
+ @Test(expected = AccessControlException.class)
+ public void testDenyAll() throws LoginException, BundleException {
+ JAASHelper.doAs(new String[] {"admin"}, new CallNoOne());
+ }
+
+ @ProbeBuilder
+ public TestProbeBuilder probeConfiguration(TestProbeBuilder probe) {
+ probe.setHeader(Constants.EXPORT_PACKAGE, SecuredService.class.getPackage().getName());
+ probe.setHeader(Constants.IMPORT_PACKAGE, SecuredService.class.getPackage().getName());
+ return probe;
+ }
+
+ @org.ops4j.pax.exam.Configuration
+ public Option[] configuration() throws IOException, LoginException, BundleException {
+ InputStream testBundle = TinyBundles.bundle()
+ .set(Constants.BUNDLE_SYMBOLICNAME, "authz")
+ .add(SecuredServiceImpl.class)
+ .add(SecuredService.class)
+ .add("OSGI-INF/blueprint/authz.xml", this.getClass().getResourceAsStream("/authz.xml"))
+ .set(Constants.EXPORT_PACKAGE, SecuredService.class.getPackage().getName())
+ .set(Constants.IMPORT_PACKAGE, SecuredService.class.getPackage().getName())
+ .build(TinyBundles.withBnd());
+
+ return new Option[] {
+ baseOptions(),
+ CoreOptions.keepCaches(),
+ Helper.blueprintBundles(),
+ mvnBundle("org.apache.aries.blueprint", "org.apache.aries.blueprint.authz"),
+ streamBundle(testBundle),
+ };
+ }
+
+ private final class CallUserAndAdmin implements PrivilegedAction<Void> {
+ @Override
+ public Void run() {
+ service.userAndAdmin("Hi");
+ return null;
+ }
+ }
+
+ private final class CallOnlyAdmin implements PrivilegedAction<Void> {
+ @Override
+ public Void run() {
+ service.onlyAdmin("Hi");
+ return null;
+ }
+ }
+
+ private final class CallNoOne implements PrivilegedAction<Void> {
+ @Override
+ public Void run() {
+ service.noOne("Hi");
+ return null;
+ }
+ }
+
+}
\ No newline at end of file
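Review bot: The test names `testUserAdndAdminOk` and `testUserAdndAdminDeniedForUnauthenticated` contain a typo ("Adnd"); since test names appear in reports, rename them to `testUserAndAdminOk` and `testUserAndAdminDeniedForUnauthenticated`. A comment on each denial test naming the annotation expected to fire (class-level `@RolesAllowed("admin")` for `onlyAdmin`, method-level `@DenyAll` for `noOne`, missing JAAS subject for the unauthenticated case) would make the expectations readable without opening `SecuredServiceImpl`. The three `PrivilegedAction` inner classes differ only in the service method they call, and this file lacks the ASF license header present on the other new sources in the module.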
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/GroupPrincipal.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/GroupPrincipal.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/GroupPrincipal.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/GroupPrincipal.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,7 @@
+package org.apache.aries.blueprint.itests.authz.helper;
+
+public class GroupPrincipal extends NamedPrincipal {
+ public GroupPrincipal(String name) {
+ super(name);
+ }
+}
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/JAASHelper.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/JAASHelper.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/JAASHelper.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/JAASHelper.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,44 @@
+package org.apache.aries.blueprint.itests.authz.helper;
+
+import java.security.PrivilegedAction;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+public class JAASHelper {
+
+ public static <T> void doAs(final String[] groups, PrivilegedAction<T> action) {
+ Configuration config = new Configuration() {
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, Object> options = new HashMap<String, Object>();
+ options.put("username", "dummy"); // The user does not matter
+ options.put("groups", groups);
+ AppConfigurationEntry entry = new AppConfigurationEntry(SimpleLoginModule.class.getName(),
+ LoginModuleControlFlag.REQUIRED,
+ options);
+ return new AppConfigurationEntry[] {
+ entry
+ };
+ }
+
+ };
+ try {
+ LoginContext lc = new LoginContext("test", new Subject(), null, config);
+ lc.login();
+ Subject.doAs(lc.getSubject(), action);
+ lc.logout();
+ } catch (LoginException e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+ }
+
+
+}
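Review bot: `lc.logout()` is skipped whenever the action throws, which is exactly what the denial tests rely on (`AccessControlException` propagates out of `Subject.doAs`), so the login context is left logged in; move the logout into a finally block inside the existing try/catch, `try { Subject.doAs(lc.getSubject(), action); } finally { lc.logout(); }`. The method also declares a type parameter `T` but returns void, so the action's result is discarded; returning `T` would make the helper usable for service methods that return values. A one-line Javadoc on `doAs` saying that it runs `action` as a Subject holding a `UserPrincipal` named "dummy" plus one `GroupPrincipal` per entry in `groups` would document the helper's contract.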
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/NamedPrincipal.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/NamedPrincipal.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/NamedPrincipal.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/NamedPrincipal.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,17 @@
+package org.apache.aries.blueprint.itests.authz.helper;
+
+import java.security.Principal;
+
+public class NamedPrincipal implements Principal {
+ private String name;
+
+ public NamedPrincipal(String name) {
+ this.name = name;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+}
\ No newline at end of file
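Review bot: `NamedPrincipal` overrides neither `equals`/`hashCode` nor `toString`, yet its instances are stored in the `Set` returned by `Subject.getPrincipals()` and printed by the interceptor's debug log, so two principals with the same name are not deduplicated and log lines show an object identity instead of the name. Adding the three methods below fixes both; `getClass()` is compared rather than `instanceof` so a `UserPrincipal` and a `GroupPrincipal` with the same name stay distinct. The `name` field can also be `final`.
```java
    // … unchanged: name field, constructor, getName() …

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        String other = ((NamedPrincipal) o).name;
        return name == null ? other == null : name.equals(other);
    }

    @Override
    public int hashCode() {
        return 31 * getClass().hashCode() + (name == null ? 0 : name.hashCode());
    }

    @Override
    public String toString() {
        return getClass().getSimpleName() + "[" + name + "]";
    }
```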
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/SimpleLoginModule.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/SimpleLoginModule.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/SimpleLoginModule.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/SimpleLoginModule.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,49 @@
+package org.apache.aries.blueprint.itests.authz.helper;
+
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+public class SimpleLoginModule implements LoginModule {
+
+ private Subject subject;
+ private String name;
+ private String[] groups;
+
+ @Override
+ public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
+ Map<String, ?> options) {
+ this.subject = subject;
+ this.name = (String)options.get("username");
+ this.groups = (String[])options.get("groups");
+ }
+
+ @Override
+ public boolean login() throws LoginException {
+ return true;
+ }
+
+ @Override
+ public boolean commit() throws LoginException {
+ subject.getPrincipals().add(new UserPrincipal(name));
+ for (String group : groups) {
+ subject.getPrincipals().add(new GroupPrincipal(group));
+ }
+ return true;
+ }
+
+ @Override
+ public boolean abort() throws LoginException {
+ return true;
+ }
+
+ @Override
+ public boolean logout() throws LoginException {
+ subject.getPrincipals().clear();
+ return true;
+ }
+
+}
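Review bot: `logout()` calls `subject.getPrincipals().clear()`, which removes every principal on the Subject, including any contributed by other login modules in the same configuration, while `abort()` leaves whatever `commit()` already added in place; a login module should remove only the principals it added itself. Tracking the added principals in a list and using `removeAll` restores that, and a null check on `groups` avoids an NPE in `commit()` when the option is absent (below; needs `java.util.ArrayList`/`List` and `java.security.Principal` imports). `login()` unconditionally returning `true` is acceptable for a test helper but deserves a comment saying that no credential is checked.
```java
    private final List<Principal> added = new ArrayList<Principal>();

    // … unchanged: initialize(), login() …

    @Override
    public boolean commit() throws LoginException {
        added.add(new UserPrincipal(name));
        if (groups != null) {
            for (String group : groups) {
                added.add(new GroupPrincipal(group));
            }
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        added.clear();
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(added);
        added.clear();
        return true;
    }
```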
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/UserPrincipal.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/UserPrincipal.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/UserPrincipal.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/helper/UserPrincipal.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,7 @@
+package org.apache.aries.blueprint.itests.authz.helper;
+
+public class UserPrincipal extends NamedPrincipal {
+ public UserPrincipal(String name) {
+ super(name);
+ }
+}
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/SecuredService.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/SecuredService.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/SecuredService.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/SecuredService.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.aries.blueprint.itests.authz.testbundle;
+
+public interface SecuredService {
+ String userAndAdmin(String msg);
+ String onlyAdmin(String msg);
+ String anyOne(String msg);
+ String noOne(String msg);
+}
Added: aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/SecuredServiceImpl.java
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/SecuredServiceImpl.java?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/SecuredServiceImpl.java (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/testbundle/impl/SecuredServiceImpl.java Tue Jul 15 13:41:44 2014
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.aries.blueprint.itests.authz.testbundle.impl;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+
+import org.apache.aries.blueprint.itests.authz.testbundle.SecuredService;
+
+@RolesAllowed("admin")
+public class SecuredServiceImpl implements SecuredService {
+
+ @RolesAllowed({"user", "admin"})
+ public String userAndAdmin(String msg) {
+ return msg;
+ }
+
+ public String onlyAdmin(String msg) {
+ return msg;
+ }
+
+ @PermitAll
+ public String anyOne(String msg) {
+ return msg;
+ }
+
+ @DenyAll
+ public String noOne(String msg) {
+ return msg;
+ }
+
+}
Added: aries/trunk/blueprint/blueprint-itests/src/test/resources/authz.xml
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-itests/src/test/resources/authz.xml?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-itests/src/test/resources/authz.xml (added)
+++ aries/trunk/blueprint/blueprint-itests/src/test/resources/authz.xml Tue Jul 15 13:41:44 2014
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+ <!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version
+ 2.0 (the "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0 Unless required by
+ applicable law or agreed to in writing, software distributed under the
+ License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ CONDITIONS OF ANY KIND, either express or implied. See the License for
+ the specific language governing permissions and limitations under the
+ License.
+ -->
+<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
+ xmlns:authz="http://aries.apache.org/xmlns/authorization/v1.0.0"
+>
+ <authz:enable/>
+
+ <bean id="securedService" class="org.apache.aries.blueprint.itests.authz.testbundle.impl.SecuredServiceImpl"/>
+ <service interface="org.apache.aries.blueprint.itests.authz.testbundle.SecuredService" ref="securedService"/>
+
+</blueprint>
\ No newline at end of file
Added: aries/trunk/blueprint/blueprint-parser/.gitignore
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/blueprint-parser/.gitignore?rev=1610698&view=auto
==============================================================================
--- aries/trunk/blueprint/blueprint-parser/.gitignore (added)
+++ aries/trunk/blueprint/blueprint-parser/.gitignore Tue Jul 15 13:41:44 2014
@@ -0,0 +1 @@
+/target/
Modified: aries/trunk/blueprint/pom.xml
URL: http://svn.apache.org/viewvc/aries/trunk/blueprint/pom.xml?rev=1610698&r1=1610697&r2=1610698&view=diff
==============================================================================
--- aries/trunk/blueprint/pom.xml (original)
+++ aries/trunk/blueprint/pom.xml Tue Jul 15 13:41:44 2014
@@ -52,6 +52,7 @@
<module>blueprint-sample</module>
<module>blueprint-annotation-api</module>
<module>blueprint-annotation-impl</module>
+ <module>blueprint-authz</module>
<module>blueprint-sample-annotation</module>
<module>blueprint-sample-fragment</module>
<module>blueprint-sample-war</module>