Example 16 with KeyValueCollectionPermissionImpl
use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.
the class XacmlPdpTest method testActionGoodSiteName.
@Test
public void testActionGoodSiteName() {
SimpleAuthorizationInfo blankUserInfo = new SimpleAuthorizationInfo(new HashSet<String>());
blankUserInfo.setObjectPermissions(new HashSet<Permission>());
RequestType request = testRealm.createXACMLRequest(USER_NAME, blankUserInfo, new KeyValueCollectionPermissionImpl(SITE_NAME_ACTION));
assertThat(testRealm.isPermitted(request), equalTo(true));
}
Also used :
SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)
CollectionPermission(ddf.security.permission.CollectionPermission)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
Permission(org.apache.shiro.authz.Permission)
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl)
RequestType(oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType)
Test(org.junit.Test)
Example 17 with KeyValueCollectionPermissionImpl
use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.
the class PEPAuthorizingInterceptor method handleMessage.
/**
* Intercepts a message. Interceptors should NOT invoke handleMessage or handleFault on the next
* interceptor - the interceptor chain will take care of this.
*
* @param message
*/
@Override
public void handleMessage(Message message) throws Fault {
if (message != null) {
// grab the SAML assertion associated with this Message from the
// token store
SecurityAssertion assertion = assertionRetriever.apply(message);
boolean isPermitted = false;
if ((assertion != null) && (assertion.getToken() != null)) {
Subject user = null;
CollectionPermission action = null;
String actionURI = getActionUri(message);
try {
user = securityManager.getSubject(assertion.getToken());
if (user == null) {
throw new AccessDeniedException(UNAUTH);
}
LOGGER.debug("Is user authenticated: {}", user.isAuthenticated());
LOGGER.debug("Checking for permission");
securityLogger.audit("Is Subject authenticated? " + user.isAuthenticated(), user);
if (StringUtils.isEmpty(actionURI)) {
securityLogger.audit("Denying access to Subject for unknown action.", user);
throw new AccessDeniedException(UNAUTH);
}
action = new KeyValueCollectionPermissionImpl(actionURI);
LOGGER.debug("Permission: {}", action);
isPermitted = user.isPermitted(action);
LOGGER.debug("Result of permission: {}", isPermitted);
securityLogger.audit("Is Subject permitted? " + isPermitted, user);
// store the subject so the DDF framework can use it later
ThreadContext.bind(user);
message.put(SecurityConstants.SECURITY_TOKEN_KEY, user);
LOGGER.debug("Added assertion information to message at key {}", SecurityConstants.SECURITY_TOKEN_KEY);
} catch (SecurityServiceException e) {
securityLogger.audit("Denying access : Caught exception when trying to authenticate user for service [" + actionURI + "]", e);
throw new AccessDeniedException(UNAUTH);
}
if (!isPermitted) {
securityLogger.audit("Denying access to Subject for service: " + action.getAction(), user);
throw new AccessDeniedException(UNAUTH);
}
} else {
securityLogger.audit("Unable to retrieve the security assertion associated with the web service call.");
throw new AccessDeniedException(UNAUTH);
}
} else {
securityLogger.audit("Unable to retrieve the current message associated with the web service call.");
throw new AccessDeniedException(UNAUTH);
}
}
Also used :
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
SecurityServiceException(ddf.security.service.SecurityServiceException)
KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl)
CollectionPermission(ddf.security.permission.CollectionPermission)
SecurityAssertion(ddf.security.assertion.SecurityAssertion)
Subject(ddf.security.Subject)
Example 18 with KeyValueCollectionPermissionImpl
use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.
the class Policy method getAllowedAttributePermissions.
@Override
public CollectionPermission getAllowedAttributePermissions() {
List<KeyValuePermission> perms = new ArrayList<>();
for (ContextAttributeMapping mapping : attributeMappings) {
perms.add(mapping.getAttributePermission());
}
KeyValueCollectionPermission permissions = new KeyValueCollectionPermissionImpl(getContextPath());
permissions.addAll(perms);
return permissions;
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
ArrayList(java.util.ArrayList)
KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl)
KeyValuePermission(ddf.security.permission.KeyValuePermission)
ContextAttributeMapping(org.codice.ddf.security.policy.context.attributes.ContextAttributeMapping)
Example 19 with KeyValueCollectionPermissionImpl
use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.
the class AuthzRealmTest method testIsNotPermitted.
@Test
public void testIsNotPermitted() {
HashMap<String, List<String>> security = new HashMap<String, List<String>>();
security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
security.put("country2", Arrays.asList("CAN", "GBR"));
security.put("rule", Arrays.asList("A", "B"));
security.put("rule2", Arrays.asList("A", "B", "C"));
KeyValueCollectionPermission kvcp = new KeyValueCollectionPermissionImpl("action", security);
permissionList.clear();
permissionList.add(kvcp);
boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
for (boolean permitted : permittedArray) {
Assert.assertEquals(false, permitted);
}
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
HashMap(java.util.HashMap)
KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl)
ArrayList(java.util.ArrayList)
List(java.util.List)
Test(org.junit.Test)
Example 20 with KeyValueCollectionPermissionImpl
use of ddf.security.permission.impl.KeyValueCollectionPermissionImpl in project ddf by codice.
the class AuthzRealmTest method testIsPermitted.
@Test
public void testIsPermitted() {
permissionList.clear();
KeyValueCollectionPermission kvcp = new KeyValueCollectionPermissionImpl("action", security);
permissionList.add(kvcp);
boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
for (boolean permitted : permittedArray) {
Assert.assertEquals(true, permitted);
}
}
Also used :
KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission)
KeyValueCollectionPermissionImpl(ddf.security.permission.impl.KeyValueCollectionPermissionImpl)
Test(org.junit.Test)
Aggregations
KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl)22
KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)16
Test (org.junit.Test)13
ArrayList (java.util.ArrayList)12
RequestType (oasis.names.tc.xacml._3_0.core.schema.wd_17.RequestType)8
KeyValuePermission (ddf.security.permission.KeyValuePermission)7
List (java.util.List)7
KeyValuePermissionImpl (ddf.security.permission.impl.KeyValuePermissionImpl)6
HashMap (java.util.HashMap)5
CollectionPermission (ddf.security.permission.CollectionPermission)4
Permission (org.apache.shiro.authz.Permission)4
PermissionsImpl (ddf.security.permission.impl.PermissionsImpl)3
PdpException (ddf.security.pdp.realm.xacml.processor.PdpException)2
PolicyExtension (ddf.security.policy.extension.PolicyExtension)2
AuthenticationException (org.apache.shiro.authc.AuthenticationException)2
Subject (ddf.security.Subject)1
SecurityAssertion (ddf.security.assertion.SecurityAssertion)1
Expansion (ddf.security.expansion.Expansion)1
CollectionPermissionImpl (ddf.security.permission.impl.CollectionPermissionImpl)1
MatchOneCollectionPermission (ddf.security.permission.impl.MatchOneCollectionPermission)1
