Search in sources :

Example 1 with AuthorizationInfo

use of org.apache.shiro.authz.AuthorizationInfo in project neo4j by neo4j.

the class LdapRealm method cacheAuthorizationInfo.

private void cacheAuthorizationInfo(String username, Set<String> roleNames) {
    // Use the existing authorizationCache in our base class
    Cache<Object, AuthorizationInfo> authorizationCache = getAuthorizationCache();
    authorizationCache.put(username, new SimpleAuthorizationInfo(roleNames));
}
Also used : SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)

Example 2 with AuthorizationInfo

use of org.apache.shiro.authz.AuthorizationInfo in project neo4j by neo4j.

the class LdapRealm method queryForAuthorizationInfo.

@Override
protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principals, LdapContextFactory ldapContextFactory) throws NamingException {
    if (authorizationEnabled) {
        String username = getUsername(principals);
        if (username == null) {
            return null;
        }
        if (useSystemAccountForAuthorization) {
            // Perform context search using the system context
            LdapContext ldapContext = useStartTls ? getSystemLdapContextUsingStartTls(ldapContextFactory) : ldapContextFactory.getSystemLdapContext();
            Set<String> roleNames;
            try {
                roleNames = findRoleNamesForUser(username, ldapContext);
            } finally {
                LdapUtils.closeContext(ldapContext);
            }
            return new SimpleAuthorizationInfo(roleNames);
        } else {
            // Authorization info is cached during authentication
            Cache<Object, AuthorizationInfo> authorizationCache = getAuthorizationCache();
            AuthorizationInfo authorizationInfo = authorizationCache.get(username);
            if (authorizationInfo == null) {
                // so that the client can react by re-authenticating.
                throw new AuthorizationExpiredException("LDAP authorization info expired.");
            }
            return authorizationInfo;
        }
    }
    return null;
}
Also used : SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) AuthorizationExpiredException(org.neo4j.graphdb.security.AuthorizationExpiredException) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) InitialLdapContext(javax.naming.ldap.InitialLdapContext) LdapContext(javax.naming.ldap.LdapContext)

Example 3 with AuthorizationInfo

use of org.apache.shiro.authz.AuthorizationInfo in project neo4j by neo4j.

the class LdapRealm method doGetAuthorizationInfo.

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    try {
        AuthorizationInfo info = super.doGetAuthorizationInfo(principals);
        securityLog.debug(withRealm("Queried for authorization info for user '%s'", principals.getPrimaryPrincipal()));
        return info;
    } catch (AuthorizationException e) {
        securityLog.error(withRealm("Failed to get authorization info: '%s' caused by '%s'", e.getMessage(), e.getCause().getMessage()));
        if (isAuthorizationExceptionAnLdapReadTimeout(e)) {
            throw new AuthProviderTimeoutException(LDAP_READ_TIMEOUT_CLIENT_MESSAGE, e);
        }
        throw new AuthProviderFailedException(LDAP_AUTHORIZATION_FAILURE_CLIENT_MESSAGE, e);
    }
}
Also used : AuthorizationException(org.apache.shiro.authz.AuthorizationException) AuthProviderFailedException(org.neo4j.graphdb.security.AuthProviderFailedException) AuthProviderTimeoutException(org.neo4j.graphdb.security.AuthProviderTimeoutException) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo)

Example 4 with AuthorizationInfo

use of org.apache.shiro.authz.AuthorizationInfo in project killbill by killbill.

the class TestKillBillJndiLdapRealm method testCheckLDAPConnection.

@Test(groups = "external", enabled = false)
public void testCheckLDAPConnection() throws Exception {
    // Convenience method to verify your LDAP connectivity
    final Properties props = new Properties();
    props.setProperty("org.killbill.security.ldap.userDnTemplate", "uid={0},ou=users,dc=mycompany,dc=com");
    props.setProperty("org.killbill.security.ldap.searchBase", "ou=groups,dc=mycompany,dc=com");
    props.setProperty("org.killbill.security.ldap.groupSearchFilter", "memberOf=uid={0},ou=users,dc=mycompany,dc=com");
    props.setProperty("org.killbill.security.ldap.groupNameId", "cn");
    props.setProperty("org.killbill.security.ldap.url", "ldap://ldap:389");
    props.setProperty("org.killbill.security.ldap.disableSSLCheck", "true");
    props.setProperty("org.killbill.security.ldap.systemUsername", "cn=root");
    props.setProperty("org.killbill.security.ldap.systemPassword", "password");
    props.setProperty("org.killbill.security.ldap.authenticationMechanism", "simple");
    props.setProperty("org.killbill.security.ldap.permissionsByGroup", "support-group: entitlement:*\n" + "finance-group: invoice:*, payment:*\n" + "ops-group: *:*");
    final ConfigSource customConfigSource = new SimplePropertyConfigSource(props);
    final SecurityConfig securityConfig = new ConfigurationObjectFactory(customConfigSource).build(SecurityConfig.class);
    final KillBillJndiLdapRealm ldapRealm = new KillBillJndiLdapRealm(securityConfig);
    final String username = "pierre";
    final String password = "password";
    // Check authentication
    final UsernamePasswordToken token = new UsernamePasswordToken(username, password);
    final AuthenticationInfo authenticationInfo = ldapRealm.getAuthenticationInfo(token);
    System.out.println(authenticationInfo);
    // Check permissions
    final SimplePrincipalCollection principals = new SimplePrincipalCollection(username, username);
    final AuthorizationInfo authorizationInfo = ldapRealm.queryForAuthorizationInfo(principals, ldapRealm.getContextFactory());
    System.out.println("Roles: " + authorizationInfo.getRoles());
    System.out.println("Permissions: " + authorizationInfo.getStringPermissions());
}
Also used : SimplePropertyConfigSource(org.skife.config.SimplePropertyConfigSource) ConfigSource(org.skife.config.ConfigSource) SimplePropertyConfigSource(org.skife.config.SimplePropertyConfigSource) SecurityConfig(org.killbill.billing.util.config.definition.SecurityConfig) ConfigurationObjectFactory(org.skife.config.ConfigurationObjectFactory) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) Properties(java.util.Properties) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) AuthenticationInfo(org.apache.shiro.authc.AuthenticationInfo) UsernamePasswordToken(org.apache.shiro.authc.UsernamePasswordToken) Test(org.testng.annotations.Test)

Example 5 with AuthorizationInfo

use of org.apache.shiro.authz.AuthorizationInfo in project ddf by codice.

the class AuthzRealmTest method setup.

@Before
public void setup() throws PdpException {
    String ruleClaim = "FineAccessControls";
    String countryClaim = "CountryOfAffiliation";
    // setup the subject permissions
    List<Permission> permissions = new ArrayList<>();
    KeyValuePermission rulePermission = new KeyValuePermission(ruleClaim);
    rulePermission.addValue("A");
    rulePermission.addValue("B");
    permissions.add(rulePermission);
    KeyValuePermission countryPermission = new KeyValuePermission(countryClaim);
    countryPermission.addValue("AUS");
    permissions.add(countryPermission);
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addObjectPermission(rulePermission);
    authorizationInfo.addObjectPermission(countryPermission);
    authorizationInfo.addObjectPermission(new KeyValuePermission("role", Arrays.asList("admin")));
    authorizationInfo.addRole("admin");
    authorizationInfo.addStringPermission("wild");
    testRealm = new AuthzRealm("src/test/resources/policies", new XmlParser()) {

        @Override
        public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
            return authorizationInfo;
        }
    };
    mockSubjectPrincipal = Mockito.mock(PrincipalCollection.class);
    when(mockSubjectPrincipal.getPrimaryPrincipal()).thenReturn("user");
    // setup the resource permissions
    permissionList = new ArrayList<>();
    security = new HashMap<>();
    security.put("country", Arrays.asList("AUS", "CAN", "GBR"));
    security.put("rule", Arrays.asList("A", "B"));
    testRealm.setMatchOneMappings(Arrays.asList("CountryOfAffiliation=country"));
    testRealm.setMatchAllMappings(Arrays.asList("FineAccessControls=rule"));
    testRealm.setRolePermissionResolver(roleString -> Arrays.asList(new KeyValuePermission("role", Arrays.asList(roleString))));
}
Also used : XmlParser(org.codice.ddf.parser.xml.XmlParser) AuthzRealm(ddf.security.pdp.realm.AuthzRealm) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) ArrayList(java.util.ArrayList) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) AuthorizationInfo(org.apache.shiro.authz.AuthorizationInfo) SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) CollectionPermission(ddf.security.permission.CollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) WildcardPermission(org.apache.shiro.authz.permission.WildcardPermission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) KeyValuePermission(ddf.security.permission.KeyValuePermission) Before(org.junit.Before)

Aggregations

AuthorizationInfo (org.apache.shiro.authz.AuthorizationInfo)6 SimpleAuthorizationInfo (org.apache.shiro.authz.SimpleAuthorizationInfo)4 CollectionPermission (ddf.security.permission.CollectionPermission)2 KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)2 KeyValuePermission (ddf.security.permission.KeyValuePermission)2 Permission (org.apache.shiro.authz.Permission)2 AuthzRealm (ddf.security.pdp.realm.AuthzRealm)1 MatchOneCollectionPermission (ddf.security.permission.MatchOneCollectionPermission)1 ArrayList (java.util.ArrayList)1 Properties (java.util.Properties)1 InitialLdapContext (javax.naming.ldap.InitialLdapContext)1 LdapContext (javax.naming.ldap.LdapContext)1 AuthenticationInfo (org.apache.shiro.authc.AuthenticationInfo)1 UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken)1 AuthorizationException (org.apache.shiro.authz.AuthorizationException)1 WildcardPermission (org.apache.shiro.authz.permission.WildcardPermission)1 PrincipalCollection (org.apache.shiro.subject.PrincipalCollection)1 SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)1 XmlParser (org.codice.ddf.parser.xml.XmlParser)1 Before (org.junit.Before)1