Search in sources :

Example 1 with AzResource

use of org.glassfish.security.services.api.authorization.AzResource in project Payara by payara.

the class AuthorizationServiceImpl method isAuthorized.

/**
 * Determine whether the given Subject is authorized to access the given resource,
 * specified by a URI.
 *
 * @param subject The Subject being tested.
 * @param resource URI of the resource being tested.
 * @param action The action, with respect to the resource parameter,
 * for which authorization is desired. To check authorization for all actions,
 * action is represented by null or "*".
 * @return True or false, depending on whether the access is authorized.
 * @throws IllegalArgumentException Given null or illegal subject or resource
 * @throws IllegalStateException Service was not initialized.
 * @see AuthorizationService#isAuthorized(javax.security.auth.Subject, java.net.URI, String)
 */
@Override
public boolean isAuthorized(final Subject subject, final URI resource, final String action) {
    checkServiceAvailability();
    // Validate inputs
    if (null == subject) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (null == resource) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // Note: null action means all actions (i.e., no action condition)
    // Convert parameters
    AzSubject azSubject = makeAzSubject(subject);
    AzResource azResource = makeAzResource(resource);
    AzAction azAction = makeAzAction(action);
    AzResult azResult = getAuthorizationDecision(azSubject, azResource, azAction);
    boolean result = AzResult.Status.OK.equals(azResult.getStatus()) && AzResult.Decision.PERMIT.equals(azResult.getDecision());
    return result;
}
Also used : AzSubject(org.glassfish.security.services.api.authorization.AzSubject) AzResult(org.glassfish.security.services.api.authorization.AzResult) AzAction(org.glassfish.security.services.api.authorization.AzAction) AzResource(org.glassfish.security.services.api.authorization.AzResource)

Example 2 with AzResource

use of org.glassfish.security.services.api.authorization.AzResource in project Payara by payara.

the class CommandSecurityChecker method checkAccessRequired.

private boolean checkAccessRequired(Subject subject, final Map<String, Object> env, final AdminCommand command, final List<AccessCheckWork> accessChecks) throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException, URISyntaxException, UnsupportedEncodingException {
    final boolean isTaggable = ADMSEC_AUTHZ_LOGGER.isLoggable(PROGRESS_LEVEL);
    boolean result = true;
    final StringBuilder sb = (isTaggable ? (new StringBuilder(LINE_SEP)).append("AccessCheck processing on ").append(command.getClass().getName()).append(LINE_SEP) : null);
    for (final AccessCheckWork a : accessChecks) {
        final URI resourceURI = resourceURIFromAccessCheck(a.accessCheck);
        final AzSubject azSubject = authService.makeAzSubject(subject);
        final AzResource azResource = authService.makeAzResource(resourceURI);
        final AzAction azAction = authService.makeAzAction(a.accessCheck.action());
        final Map<String, String> subjectAttrs = new HashMap<String, String>();
        final Map<String, String> resourceAttrs = new HashMap<String, String>();
        final Map<String, String> actionAttrs = new HashMap<String, String>();
        for (AuthorizationPreprocessor ap : authPreprocessors) {
            ap.describeAuthorization(subject, a.accessCheck.resourceName(), a.accessCheck.action(), command, env, subjectAttrs, resourceAttrs, actionAttrs);
        }
        mapToAzAttrs(subjectAttrs, azSubject);
        mapToAzAttrs(resourceAttrs, azResource);
        mapToAzAttrs(actionAttrs, azAction);
        final AzResult azResult = authService.getAuthorizationDecision(azSubject, azResource, azAction);
        a.accessCheck.setSuccessful(azResult.getDecision() == AzResult.Decision.PERMIT);
        if (isTaggable) {
            sb.append(a.tag).append(LINE_SEP).append("    ").append(formattedAccessCheck(resourceURI, a.accessCheck)).append(LINE_SEP);
        }
        result &= ((!a.accessCheck.isFailureFinal()) || a.accessCheck.isSuccessful());
    }
    if (isTaggable) {
        sb.append(LINE_SEP).append("...final result: ").append(result).append(LINE_SEP);
        ADMSEC_AUTHZ_LOGGER.log(PROGRESS_LEVEL, sb.toString());
    }
    return result;
}
Also used : AzSubject(org.glassfish.security.services.api.authorization.AzSubject) AzResult(org.glassfish.security.services.api.authorization.AzResult) AzAction(org.glassfish.security.services.api.authorization.AzAction) URI(java.net.URI) AzResource(org.glassfish.security.services.api.authorization.AzResource)

Aggregations

AzAction (org.glassfish.security.services.api.authorization.AzAction)2 AzResource (org.glassfish.security.services.api.authorization.AzResource)2 AzResult (org.glassfish.security.services.api.authorization.AzResult)2 AzSubject (org.glassfish.security.services.api.authorization.AzSubject)2 URI (java.net.URI)1