use of javax.security.jacc.WebUserDataPermission in project wildfly by wildfly.
the class WarJACCService method createPermissions.
/** {@inheritDoc} */
@Override
public void createPermissions(WarMetaData metaData, PolicyConfiguration pc) throws PolicyContextException {
JBossWebMetaData jbossWebMetaData = metaData.getMergedJBossWebMetaData();
HashMap<String, PatternInfo> patternMap = qualifyURLPatterns(jbossWebMetaData);
List<SecurityConstraintMetaData> secConstraints = jbossWebMetaData.getSecurityConstraints();
if (secConstraints != null) {
for (SecurityConstraintMetaData secConstraint : secConstraints) {
WebResourceCollectionsMetaData resourceCollectionsMetaData = secConstraint.getResourceCollections();
UserDataConstraintMetaData userDataConstraintMetaData = secConstraint.getUserDataConstraint();
if (resourceCollectionsMetaData != null) {
if (secConstraint.isExcluded() || secConstraint.isUnchecked()) {
// Process the permissions for the excluded/unchecked resources
for (WebResourceCollectionMetaData resourceCollectionMetaData : resourceCollectionsMetaData) {
List<String> httpMethods = new ArrayList<>(resourceCollectionMetaData.getHttpMethods());
List<String> ommisions = resourceCollectionMetaData.getHttpMethodOmissions();
if (httpMethods.isEmpty() && !ommisions.isEmpty()) {
httpMethods.addAll(WebResourceCollectionMetaData.ALL_HTTP_METHODS);
httpMethods.removeAll(ommisions);
}
List<String> urlPatterns = resourceCollectionMetaData.getUrlPatterns();
for (String urlPattern : urlPatterns) {
PatternInfo info = patternMap.get(urlPattern);
info.descriptor = true;
// Add the excluded methods
if (secConstraint.isExcluded()) {
info.addExcludedMethods(httpMethods);
}
// SECURITY-63: Missing auth-constraint needs unchecked policy
if (secConstraint.isUnchecked() && httpMethods.isEmpty()) {
info.isMissingAuthConstraint = true;
} else {
info.missingAuthConstraintMethods.addAll(httpMethods);
}
}
}
} else {
// Process the permission for the resources x roles
for (WebResourceCollectionMetaData resourceCollectionMetaData : resourceCollectionsMetaData) {
List<String> httpMethods = new ArrayList<>(resourceCollectionMetaData.getHttpMethods());
List<String> methodOmissions = resourceCollectionMetaData.getHttpMethodOmissions();
if (httpMethods.isEmpty() && !methodOmissions.isEmpty()) {
httpMethods.addAll(WebResourceCollectionMetaData.ALL_HTTP_METHODS);
httpMethods.removeAll(methodOmissions);
}
List<String> urlPatterns = resourceCollectionMetaData.getUrlPatterns();
for (String urlPattern : urlPatterns) {
// Get the qualified url pattern
PatternInfo info = patternMap.get(urlPattern);
info.descriptor = true;
HashSet<String> mappedRoles = new HashSet<String>();
secConstraint.getAuthConstraint().getRoleNames();
List<String> authRoles = secConstraint.getAuthConstraint().getRoleNames();
for (String role : authRoles) {
if ("*".equals(role)) {
// The wildcard ref maps to all declared security-role names
mappedRoles.addAll(jbossWebMetaData.getSecurityRoleNames());
} else {
mappedRoles.add(role);
}
}
info.addRoles(mappedRoles, httpMethods);
// Add the transport to methods
if (userDataConstraintMetaData != null && userDataConstraintMetaData.getTransportGuarantee() != null)
info.addTransport(userDataConstraintMetaData.getTransportGuarantee().name(), httpMethods);
}
}
}
}
}
}
JBossServletsMetaData servlets = jbossWebMetaData.getServlets();
List<ServletMappingMetaData> mappings = jbossWebMetaData.getServletMappings();
if (servlets != null && mappings != null) {
Map<String, List<String>> servletMappingMap = new HashMap<>();
for (ServletMappingMetaData mapping : mappings) {
List<String> list = servletMappingMap.get(mapping.getServletName());
if (list == null) {
servletMappingMap.put(mapping.getServletName(), list = new ArrayList<>());
}
list.addAll(mapping.getUrlPatterns());
}
if (!jbossWebMetaData.isMetadataComplete()) {
for (JBossServletMetaData servlet : servlets) {
ServletSecurityMetaData security = servlet.getServletSecurity();
if (security != null) {
List<String> servletMappings = servletMappingMap.get(servlet.getServletName());
if (servletMappings != null) {
if (security.getHttpMethodConstraints() != null) {
for (HttpMethodConstraintMetaData s : security.getHttpMethodConstraints()) {
if (s.getRolesAllowed() == null || s.getRolesAllowed().isEmpty()) {
for (String urlPattern : servletMappings) {
// Get the qualified url pattern
PatternInfo info = patternMap.get(urlPattern);
if (info.descriptor) {
continue;
}
// Add the excluded methods
if (s.getEmptyRoleSemantic() == null || s.getEmptyRoleSemantic() == EmptyRoleSemanticType.PERMIT) {
info.missingAuthConstraintMethods.add(s.getMethod());
} else {
info.addExcludedMethods(Collections.singletonList(s.getMethod()));
}
// Add the transport to methods
if (s.getTransportGuarantee() != null)
info.addTransport(s.getTransportGuarantee().name(), Collections.singletonList(s.getMethod()));
}
} else {
for (String urlPattern : servletMappings) {
// Get the qualified url pattern
PatternInfo info = patternMap.get(urlPattern);
if (info.descriptor) {
continue;
}
HashSet<String> mappedRoles = new HashSet<String>();
List<String> authRoles = s.getRolesAllowed();
for (String role : authRoles) {
if ("*".equals(role)) {
// The wildcard ref maps to all declared security-role names
mappedRoles.addAll(jbossWebMetaData.getSecurityRoleNames());
} else {
mappedRoles.add(role);
}
}
info.addRoles(mappedRoles, Collections.singletonList(s.getMethod()));
// Add the transport to methods
if (s.getTransportGuarantee() != null)
info.addTransport(s.getTransportGuarantee().name(), Collections.singletonList(s.getMethod()));
}
}
}
}
if (security.getRolesAllowed() == null || security.getRolesAllowed().isEmpty()) {
for (String urlPattern : servletMappings) {
// Get the qualified url pattern
PatternInfo info = patternMap.get(urlPattern);
if (info.descriptor) {
continue;
}
// Add the excluded methods
if (security.getEmptyRoleSemantic() == null || security.getEmptyRoleSemantic() == EmptyRoleSemanticType.PERMIT) {
info.isMissingAuthConstraint = true;
} else {
Set<String> methods = new HashSet<>(WebResourceCollectionMetaData.ALL_HTTP_METHODS);
if (security.getHttpMethodConstraints() != null) {
for (HttpMethodConstraintMetaData method : security.getHttpMethodConstraints()) {
methods.remove(method.getMethod());
}
}
info.addExcludedMethods(new ArrayList<>(methods));
}
// Add the transport to methods
if (security.getTransportGuarantee() != null)
info.addTransport(security.getTransportGuarantee().name(), Collections.emptyList());
}
} else {
for (String urlPattern : servletMappings) {
// Get the qualified url pattern
PatternInfo info = patternMap.get(urlPattern);
if (info.descriptor) {
continue;
}
HashSet<String> mappedRoles = new HashSet<String>();
List<String> authRoles = security.getRolesAllowed();
for (String role : authRoles) {
if ("*".equals(role)) {
// The wildcard ref maps to all declared security-role names
mappedRoles.addAll(jbossWebMetaData.getSecurityRoleNames());
} else {
mappedRoles.add(role);
}
}
info.addRoles(mappedRoles, Collections.emptyList());
// Add the transport to methods
if (security.getTransportGuarantee() != null)
info.addTransport(security.getTransportGuarantee().name(), Collections.emptyList());
}
}
}
}
}
}
}
// Create the permissions
for (PatternInfo info : patternMap.values()) {
String qurl = info.getQualifiedPattern();
if (info.isOverridden) {
continue;
}
// Create the excluded permissions
String[] httpMethods = info.getExcludedMethods();
if (httpMethods != null) {
// There were excluded security-constraints
WebResourcePermission wrp = new WebResourcePermission(qurl, httpMethods);
WebUserDataPermission wudp = new WebUserDataPermission(qurl, httpMethods, null);
pc.addToExcludedPolicy(wrp);
pc.addToExcludedPolicy(wudp);
}
// Create the role permissions
Iterator<Map.Entry<String, Set<String>>> roles = info.getRoleMethods();
Set<String> seenMethods = new HashSet<>();
while (roles.hasNext()) {
Map.Entry<String, Set<String>> roleMethods = roles.next();
String role = roleMethods.getKey();
Set<String> methods = roleMethods.getValue();
seenMethods.addAll(methods);
httpMethods = methods.toArray(new String[methods.size()]);
pc.addToRole(role, new WebResourcePermission(qurl, httpMethods));
}
//there are totally 7 http methods from the jacc spec (See WebResourceCollectionMetaData.ALL_HTTP_METHOD_NAMES)
final int NUMBER_OF_HTTP_METHODS = 7;
// JACC 1.1: create !(httpmethods) in unchecked perms
if (jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
if (seenMethods.size() != NUMBER_OF_HTTP_METHODS) {
WebResourcePermission wrpUnchecked = new WebResourcePermission(qurl, "!" + getCommaSeparatedString(seenMethods.toArray(new String[seenMethods.size()])));
pc.addToUncheckedPolicy(wrpUnchecked);
}
}
if (jbossWebMetaData.getDenyUncoveredHttpMethods() == null) {
// Create the unchecked permissions
String[] missingHttpMethods = info.getMissingMethods();
int length = missingHttpMethods.length;
roles = info.getRoleMethods();
if (length > 0 && !roles.hasNext()) {
// Create the unchecked permissions WebResourcePermissions
WebResourcePermission wrp = new WebResourcePermission(qurl, missingHttpMethods);
pc.addToUncheckedPolicy(wrp);
} else if (!roles.hasNext()) {
pc.addToUncheckedPolicy(new WebResourcePermission(qurl, (String) null));
}
// SECURITY-63: Missing auth-constraint needs unchecked policy
if (info.isMissingAuthConstraint) {
pc.addToUncheckedPolicy(new WebResourcePermission(qurl, (String) null));
} else if (!info.allMethods.containsAll(WebResourceCollectionMetaData.ALL_HTTP_METHODS)) {
List<String> methods = new ArrayList<>(WebResourceCollectionMetaData.ALL_HTTP_METHODS);
methods.removeAll(info.allMethods);
pc.addToUncheckedPolicy(new WebResourcePermission(qurl, methods.toArray(new String[methods.size()])));
}
if (!info.missingAuthConstraintMethods.isEmpty()) {
pc.addToUncheckedPolicy(new WebResourcePermission(qurl, info.missingAuthConstraintMethods.toArray(new String[info.missingAuthConstraintMethods.size()])));
}
}
// Create the unchecked permissions WebUserDataPermissions
Iterator<Map.Entry<String, Set<String>>> transportConstraints = info.getTransportMethods();
while (transportConstraints.hasNext()) {
Map.Entry<String, Set<String>> transportMethods = transportConstraints.next();
String transport = transportMethods.getKey();
Set<String> methods = transportMethods.getValue();
httpMethods = new String[methods.size()];
methods.toArray(httpMethods);
WebUserDataPermission wudp = new WebUserDataPermission(qurl, httpMethods, transport);
pc.addToUncheckedPolicy(wudp);
// with the url pattern and null
if ("NONE".equals(transport)) {
WebUserDataPermission wudp1 = new WebUserDataPermission(qurl, null);
pc.addToUncheckedPolicy(wudp1);
} else {
// JACC 1.1: Transport is CONFIDENTIAL/INTEGRAL, add a !(http methods)
WebUserDataPermission wudpNonNull = new WebUserDataPermission(qurl, "!" + getCommaSeparatedString(httpMethods));
pc.addToUncheckedPolicy(wudpNonNull);
}
}
}
Set<String> declaredRoles = jbossWebMetaData.getSecurityRoleNames();
declaredRoles.add(ANY_AUTHENTICATED_USER_ROLE);
/*
* Create WebRoleRefPermissions for all servlet/security-role-refs along with all the cross product of servlets and
* security-role elements that are not referenced via a security-role-ref as described in JACC section 3.1.3.2
*/
JBossServletsMetaData servletsMetaData = jbossWebMetaData.getServlets();
for (JBossServletMetaData servletMetaData : servletsMetaData) {
Set<String> unrefRoles = new HashSet<String>(declaredRoles);
String servletName = servletMetaData.getName();
SecurityRoleRefsMetaData roleRefsMetaData = servletMetaData.getSecurityRoleRefs();
// Perform the unreferenced roles processing for every servlet name
if (roleRefsMetaData != null) {
for (SecurityRoleRefMetaData roleRefMetaData : roleRefsMetaData) {
String roleRef = roleRefMetaData.getRoleLink();
String roleName = roleRefMetaData.getRoleName();
WebRoleRefPermission wrrp = new WebRoleRefPermission(servletName, roleName);
pc.addToRole(roleRef, wrrp);
// Remove the role from the unreferencedRoles
unrefRoles.remove(roleName);
}
}
// in a security-role-ref within the servlet element.
for (String unrefRole : unrefRoles) {
WebRoleRefPermission unrefP = new WebRoleRefPermission(servletName, unrefRole);
pc.addToRole(unrefRole, unrefP);
}
}
// such permission must be the role-name of the corresponding role.
for (String role : declaredRoles) {
WebRoleRefPermission wrrep = new WebRoleRefPermission("", role);
pc.addToRole(role, wrrep);
}
}
use of javax.security.jacc.WebUserDataPermission in project wildfly by wildfly.
the class JACCAuthorizationManager method transportGuarantee.
@Override
public TransportGuaranteeType transportGuarantee(TransportGuaranteeType currentConnGuarantee, TransportGuaranteeType configuredRequiredGuarantee, final HttpServletRequest request) {
final ProtectionDomain domain = new ProtectionDomain(null, null, null, null);
final String[] httpMethod = new String[] { request.getMethod() };
final String canonicalURI = getCanonicalURI(request);
switch(currentConnGuarantee) {
case NONE:
{
// unprotected connection - create a WebUserDataPermission without any transport guarantee.
WebUserDataPermission permission = new WebUserDataPermission(canonicalURI, httpMethod, null);
// if permission was implied then the unprotected connection is ok.
if (hasPermission(domain, permission)) {
return TransportGuaranteeType.NONE;
} else {
permission = new WebUserDataPermission(canonicalURI, httpMethod, TransportGuaranteeType.CONFIDENTIAL.name());
// permission is only granted with CONFIDENTIAL
if (hasPermission(domain, permission)) {
return TransportGuaranteeType.CONFIDENTIAL;
}
//either way we just don't have permission, let the request proceed and be rejected later
return TransportGuaranteeType.NONE;
}
}
case INTEGRAL:
case CONFIDENTIAL:
{
// we will try using both transport guarantees (CONFIDENTIAL and INTEGRAL) as SSL provides both.
WebUserDataPermission permission = new WebUserDataPermission(canonicalURI, httpMethod, TransportGuaranteeType.CONFIDENTIAL.name());
if (hasPermission(domain, permission)) {
return TransportGuaranteeType.CONFIDENTIAL;
} else {
// try with the INTEGRAL connection guarantee type.
permission = new WebUserDataPermission(canonicalURI, httpMethod, TransportGuaranteeType.INTEGRAL.name());
if (hasPermission(domain, permission)) {
return TransportGuaranteeType.INTEGRAL;
} else {
return TransportGuaranteeType.REJECTED;
}
}
}
default:
return TransportGuaranteeType.REJECTED;
}
}
Aggregations