use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class XacmlPdpTest method testSameAccessRedaction.
@Test
public void testSameAccessRedaction() throws PdpException {
HashMap<String, List<String>> security = new HashMap<String, List<String>>();
security.put(RESOURCE_ACCESS, Arrays.asList(ACCESS_TYPE_A, ACCESS_TYPE_B));
KeyValueCollectionPermission resourcePermissions = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION, security);
RequestType request = testRealm.createXACMLRequest(USER_NAME, generateSubjectInfo(TEST_COUNTRY), resourcePermissions);
assertTrue(testRealm.isPermitted(request));
}
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class AuthzRealmTest method testIsNotPermitted.
@Test
public void testIsNotPermitted() {
HashMap<String, List<String>> security = new HashMap<String, List<String>>();
security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
security.put("country2", Arrays.asList("CAN", "GBR"));
security.put("rule", Arrays.asList("A", "B"));
security.put("rule2", Arrays.asList("A", "B", "C"));
KeyValueCollectionPermission kvcp = new KeyValueCollectionPermission("action", security);
permissionList.clear();
permissionList.add(kvcp);
boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
for (boolean permitted : permittedArray) {
Assert.assertEquals(false, permitted);
}
}
use of ddf.security.permission.KeyValueCollectionPermission in project ddf by codice.
the class PEPAuthorizingInterceptor method handleMessage.
/**
* Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
* interceptor - the interceptor chain will take care of this.
*
* @param message
*/
@Override
public void handleMessage(Message message) throws Fault {
if (message != null) {
// grab the SAML assertion associated with this Message from the
// token store
SecurityAssertion assertion = SecurityAssertionStore.getSecurityAssertion(message);
boolean isPermitted = false;
if ((assertion != null) && (assertion.getSecurityToken() != null)) {
Subject user = null;
CollectionPermission action = null;
String actionURI = getActionUri(message);
try {
user = securityManager.getSubject(assertion.getSecurityToken());
if (user == null) {
throw new AccessDeniedException("Unauthorized");
}
if (LOGGER.isTraceEnabled()) {
LOGGER.trace(format(assertion.getSecurityToken().getToken()));
}
LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
LOGGER.debug("Checking for permission");
SecurityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
if (StringUtils.isEmpty(actionURI)) {
SecurityLogger.audit("Denying access to Subject for unknown action.", user);
throw new AccessDeniedException("Unauthorized");
}
action = new KeyValueCollectionPermission(actionURI);
LOGGER.debug("Permission: {}", action);
isPermitted = user.isPermitted(action);
LOGGER.debug("Result of permission: {}", isPermitted);
SecurityLogger.audit("Is Subject permitted? " + isPermitted, user);
// store the subject so the DDF framework can use it later
ThreadContext.bind(user);
message.put(SecurityConstants.SAML_ASSERTION, user);
LOGGER.debug("Added assertion information to message at key {}", SecurityConstants.SAML_ASSERTION);
} catch (SecurityServiceException e) {
SecurityLogger.audit("Denying access : Caught exception when trying to authenticate user for service [" + actionURI + "]", e);
throw new AccessDeniedException("Unauthorized");
}
if (!isPermitted) {
SecurityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
throw new AccessDeniedException("Unauthorized");
}
} else {
SecurityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
throw new AccessDeniedException("Unauthorized");
}
} else {
SecurityLogger.audit("Unable to retrieve the current message associated with the web service call.");
throw new AccessDeniedException("Unauthorized");
}
}
Aggregations