
Example 16 with AccessMgr

use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by apache.

Class CreateSessionSample, method createSessionTrusted.

/**
 * Creates a trusted RBAC Session for the given User.  Every Role assigned to the User is submitted for
 * activation.  No password is supplied on this path, so it is intended for callers that have already
 * authenticated the User by other means.
 *
 * @param userId  Case insensitive userId.
 */
public static void createSessionTrusted(String userId) {
    final String location = ".createSessionTrusted";
    try {
        // Runtime RBAC entry point; the factory is handed the caller's tenant context.
        final AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // Only the userId is needed to build the request entity for a trusted createSession call.
        final User user = new User(userId);
        // The 'true' flag selects the trusted variant.  User status and Role activations are still checked,
        // and any failure (e.g. the User being locked out of ldap) surfaces as a SecurityException rather than
        // a null Session.
        final Session session = accessMgr.createSession(user, true);
        assertNotNull(session);
        LOG.info(location + "  userId [" + userId + "] successful");
    } catch (SecurityException ex) {
        // Only the userId and the Fortress error id are logged; no credential is ever part of this message.
        final String detail = " userId [" + userId + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage();
        LOG.error(location + detail, ex);
        fail(ex.getMessage());
    }
}

Example 17 with AccessMgr

use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by apache.

Class CreateSessionSample, method createSessionsWithRole.

/**
 * Calls the AccessMgr createSession API with a single Role requested for activation and checks that the
 * resulting RBAC Session carries that Role.
 *
 * @param userId  Case insensitive userId.
 * @param password Password is case sensitive, clear text but is stored in directory as hashed value.
 * @param role contains role name of Role targeted for Activation.
 */
public static void createSessionsWithRole(String userId, String password, String role) {
    final String location = ".createSessionsWithRole";
    try {
        // Runtime RBAC entry point; the factory is handed the caller's tenant context.
        final AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // The User entity carries the credential and the single Role to activate.  The clear-text password
        // travels only inside this object and is deliberately kept out of every log statement below.
        final User user = new User(userId, password, role);
        // The 'false' flag selects the untrusted variant: the password is authenticated, password policies are
        // evaluated and Role activation is performed.  Failure is reported as a SecurityException, never as a
        // null Session.
        final Session session = accessMgr.createSession(user, false);
        assertNotNull(session);
        // Read the activated Roles back from the Session; the one requested must be among them.
        final List<UserRole> activated = session.getRoles();
        final UserRole expected = new UserRole(role);
        assertTrue(location + " userId [" + userId + "]  with roles failed role check", activated.contains(expected));
        LOG.info(location + "  userId [" + userId + "] successful");
    } catch (SecurityException ex) {
        // Only the userId and the Fortress error id are logged; the password is never part of this message.
        final String detail = " userId [" + userId + "]  caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage();
        LOG.error(location + detail, ex);
        fail(ex.getMessage());
    }
}

Example 18 with AccessMgr

use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by apache.

Class AccessMgrSample, method testSessionRoles.

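/**
 * The RBAC Session can be interrogated to return the list of all activated Roles within a User's Session.  The API
 * will cache these Roles in the User's Session object.  The Roles will also include temporal data that is used to
 * enforce the day, date and time for which a given Role may be placed in the User's Session.
 * <p>
 * Relies on the sample data created by {@link CreateUserSample} and {@link CreateRoleSample}: the test user is
 * assigned the numbered Roles TEST_ROLE_PREFIX + 1 .. TEST_ROLE_PREFIX + 10, and every one of them is expected
 * to pass activation.
 */
public static void testSessionRoles() {
    String szLocation = ".testSessionRoles";
    // Number of sample Roles assigned to the test user.  The size check and the contains loop below both derive
    // from this single value so the two checks cannot drift apart.
    final int expectedRoleCount = 10;
    User inUser = new User(CreateUserSample.TEST_USERID);
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // Utility function creates a Fortress Session.  The Session contains the user's activated roles along
        // with other related attributes and status information (i.e. password status).
        Session session = createSession(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        // A null Session would be a bug and should never happen.  Fortress throws a SecurityException if it cannot create one.
        assertNotNull(session);
        // Get the activated Roles from the Session.
        List<UserRole> uRoles = accessMgr.sessionRoles(session);
        // The list of Roles could be null if the User has not been assigned any or if all assigned Roles failed activation checks.
        assertNotNull(uRoles);
        // An exact count guards against missing activations and against unexpected extra Roles in the Session alike.
        assertTrue(szLocation + " list check, expected: " + expectedRoleCount + ", actual:" + uRoles.size(), uRoles.size() == expectedRoleCount);
        // Check each expected Role individually so a failure names the missing Role.  This exhaustive walk is
        // for the sample only; in a production program it would not be necessary.
        for (int i = 1; i <= expectedRoleCount; i++) {
            UserRole inUserRole = new UserRole(inUser.getUserId(), CreateRoleSample.TEST_ROLE_PREFIX + i);
            assertTrue(szLocation + " contains check userId [" + inUserRole.getUserId() + "] role [" + inUserRole.getName() + "]", uRoles.contains(inUserRole));
            LOG.info(szLocation + " userId [" + inUserRole.getUserId() + "] activated role [" + inUserRole.getName() + "] found in session");
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}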

Example 19 with AccessMgr

use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by apache.

Class AccessMgrSample, method testAddActiveRoles.

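/**
 * The addActivateRole API allows only Roles that have been assigned to a given User to be activated in their
 * RBAC Session.  The API will also ensure that a given Role has passed its constraint tests which include
 * Static Separation of Duty (SSD) and RBAC Role temporal constraint validations.
 * <p>
 * The Session starts with no active Roles (authenticate only), each numbered sample Role is then added one at
 * a time, and finally the Session is read back to confirm that every added Role is actually active.
 */
public static void testAddActiveRoles() {
    String szLocation = ".testAddActiveRoles";
    // Number of sample Roles assigned to the test user by CreateRoleSample/CreateUserSample; drives both the
    // activation loop and the verification loop below.
    final int roleCount = 10;
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // authenticate will check the password but will not activate any roles into the Session.
        Session session = authenticate(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        assertNotNull(session);
        // Activate roles into the User's Session one at a time.  A Role that is not assigned to the User, or
        // that fails an SSD/temporal constraint check, is expected to be rejected with a SecurityException.
        for (int i = 1; i <= roleCount; i++) {
            UserRole addUserRole = new UserRole(CreateUserSample.TEST_USERID, CreateRoleSample.TEST_ROLE_PREFIX + i);
            accessMgr.addActiveRole(session, addUserRole);
            LOG.info(szLocation + " userId [" + addUserRole.getUserId() + "] activated role [" + addUserRole.getName() + "] added to session");
        }
        // Verify the activations took effect instead of trusting the absence of an exception: read the active
        // Roles back from the Session and require every Role added above to be present.
        List<UserRole> activeRoles = accessMgr.sessionRoles(session);
        assertNotNull(activeRoles);
        for (int i = 1; i <= roleCount; i++) {
            UserRole expected = new UserRole(CreateUserSample.TEST_USERID, CreateRoleSample.TEST_ROLE_PREFIX + i);
            assertTrue(szLocation + " contains check userId [" + expected.getUserId() + "] role [" + expected.getName() + "]", activeRoles.contains(expected));
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}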

Example 20 with AccessMgr

use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by apache.

Class AccessMgrSample, method testCheckAccess.

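/**
 * The checkAccess API is used to perform authorization on User.  It will return a 'true' if User is authorized to
 * perform operation or a 'false' if User is not.  This API is useful for performing method or service level authorization
 * within Server side programs.  It is expected that this API will be wrapped by other application Security frameworks
 * i.e. Spring or Java EE to provide fine-grained permission check authorization capabilities to business applications
 * running in the datacenter.
 * <p>
 * Exercises the numbered sample Permissions TEST_PERM_OPERATION_PREFIX + 1 .. 5 on TEST_PERM_OBJECT and requires
 * every one of them to be granted to the test user's Session.
 */
public static void testCheckAccess() {
    String szLocation = ".testCheckAccess";
    // Number of sample operations created on the test object by CreatePermSample.
    final int permCount = 5;
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // Utility function creates a Fortress Session.  The Session contains the user's activated roles along
        // with other related attributes and status information (i.e. password status).
        Session session = createSession(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        assertNotNull(session);
        for (int i = 1; i <= permCount; i++) {
            // Fortress Permissions have an Object name and an Operation name, with a one-to-many relationship between
            // objects and operations.  Examples: object "MyDataBaseTable" with operations "READ", "WRITE", "DELETE";
            // object "MyFile" with "R", "W", "C"; "MyClassName" with "methodA", "methodB", "methodC"; or
            // "MyPageName.ControlName" with "checkOut", "applyDiscount".
            Permission inPerm = new Permission(CreatePermSample.TEST_PERM_OBJECT, CreatePermSample.TEST_PERM_OPERATION_PREFIX + i);
            // checkAccess reports denial as a 'false' return rather than an exception, so the result must be asserted
            // explicitly.  The message names the permission so a failure identifies which operation was denied.
            boolean result = accessMgr.checkAccess(session, inPerm);
            assertTrue(szLocation + " user [" + session.getUserId() + "] denied permission object [" + inPerm.getObjName() + "] operation name [" + inPerm.getOpName() + "]", result);
            LOG.info(szLocation + " user [" + session.getUserId() + "] permission object [" + inPerm.getObjName() + "] operation name [" + inPerm.getOpName() + "] success");
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}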
