Example 1 with AzResult

Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.

From the class AuthorizationServiceImpl, method isAuthorized.

/**
 * Determine whether the given Subject is authorized to access the given resource,
 * specified by a URI.
 *
 * @param subject The Subject being tested.
 * @param resource URI of the resource being tested.
 * @param action The action, with respect to the resource parameter,
 * for which authorization is desired. To check authorization for all actions,
 * action is represented by null or "*".
 * @return True or false, depending on whether the access is authorized.
 * @throws IllegalArgumentException Given null or illegal subject or resource
 * @throws IllegalStateException Service was not initialized.
 * @see AuthorizationService#isAuthorized(javax.security.auth.Subject, java.net.URI, String)
 */
@Override
public boolean isAuthorized(final Subject subject, final URI resource, final String action) {
    checkServiceAvailability();
    // Validate inputs
    if (null == subject) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (null == resource) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // Note: null action means all actions (i.e., no action condition)
    // Convert parameters
    AzSubject azSubject = makeAzSubject(subject);
    AzResource azResource = makeAzResource(resource);
    AzAction azAction = makeAzAction(action);
    AzResult azResult = getAuthorizationDecision(azSubject, azResource, azAction);
    boolean result = AzResult.Status.OK.equals(azResult.getStatus()) && AzResult.Decision.PERMIT.equals(azResult.getDecision());
    return result;
}
Also used: AzSubject (org.glassfish.security.services.api.authorization.AzSubject), AzResult (org.glassfish.security.services.api.authorization.AzResult), AzAction (org.glassfish.security.services.api.authorization.AzAction), AzResource (org.glassfish.security.services.api.authorization.AzResource)

Example 2 with AzResult

Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.

From the class AuthorizationServiceImpl, method getAuthorizationDecision.

/**
 * The primary authorization method.  The isAuthorized() methods call this method
 * after converting their arguments into the appropriate attribute collection type.
 * It returns a full AzResult, including authorization status, decision, and
 * obligations.
 *
 * This method performs two steps prior to invoking the configured AuthorizationProvider
 * to evaluate the request:  First, it acquires the current AzEnvironment attributes by
 * calling the Security Context service.  Second, it calls the Role Mapping service to
 * determine which roles the subject has, and adds the resulting role attributes into
 * the AzSubject.
 *
 * @param subject The attributes collection representing the Subject for which an authorization
 * decision is requested.
 * @param resource The attributes collection representing the resource for which access is
 * being requested.
 * @param action  The attributes collection representing the action, with respect to the resource,
 * for which access is being requested.  A null action is interpreted as all
 * actions, however all actions may also be represented by the AzAction instance.
 * See <code>{@link org.glassfish.security.services.api.authorization.AzAction}</code>.
 * @return The AzResult indicating the result of the access decision.
 * @throws IllegalArgumentException Given null or illegal subject or resource
 * @throws IllegalStateException Service was not initialized.
 * @see AuthorizationService#getAuthorizationDecision
 */
@Override
public AzResult getAuthorizationDecision(final AzSubject subject, final AzResource resource, final AzAction action) {
    checkServiceAvailability();
    // Validate inputs
    if (null == subject) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (null == resource) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // TODO: set up the current AzEnvironment instance. Should a null or empty instance represent the current environment?
    final AzEnvironment env = new AzEnvironmentImpl();
    final Attributes attrs = securityContextService.getEnvironmentAttributes();
    for (String attrName : attrs.getAttributeNames()) {
        env.addAttribute(attrName, attrs.getAttributeValue(attrName), true);
    }
    AzResult result = provider.getAuthorizationDecision(subject, resource, action, env, attributeResolvers);
    if (isDebug()) {
        logger.log(DEBUG_LEVEL, "Authorization Service result for {0} was {1}.", new String[] { subject.toString(), result.toString() });
    }
    return result;
}
Also used: AzResult (org.glassfish.security.services.api.authorization.AzResult), Attributes (org.glassfish.security.services.api.common.Attributes)

Example 3 with AzResult

Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.

From the class CommandSecurityChecker, method checkAccessRequired.

// Evaluates every AccessCheck gathered for an admin command and returns whether the command may proceed.
private boolean checkAccessRequired(Subject subject, final Map<String, Object> env, final AdminCommand command, final List<AccessCheckWork> accessChecks) throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException, URISyntaxException, UnsupportedEncodingException {
    final boolean isTaggable = ADMSEC_AUTHZ_LOGGER.isLoggable(PROGRESS_LEVEL);
    boolean result = true;
    final StringBuilder sb = (isTaggable ? (new StringBuilder(LINE_SEP)).append("AccessCheck processing on ").append(command.getClass().getName()).append(LINE_SEP) : null);
    for (final AccessCheckWork a : accessChecks) {
        // Convert the access check into the subject/resource/action attribute collections the service expects
        final URI resourceURI = resourceURIFromAccessCheck(a.accessCheck);
        final AzSubject azSubject = authService.makeAzSubject(subject);
        final AzResource azResource = authService.makeAzResource(resourceURI);
        final AzAction azAction = authService.makeAzAction(a.accessCheck.action());
        final Map<String, String> subjectAttrs = new HashMap<String, String>();
        final Map<String, String> resourceAttrs = new HashMap<String, String>();
        final Map<String, String> actionAttrs = new HashMap<String, String>();
        // Let each registered preprocessor contribute extra attributes before the decision is made
        for (AuthorizationPreprocessor ap : authPreprocessors) {
            ap.describeAuthorization(subject, a.accessCheck.resourceName(), a.accessCheck.action(), command, env, subjectAttrs, resourceAttrs, actionAttrs);
        }
        mapToAzAttrs(subjectAttrs, azSubject);
        mapToAzAttrs(resourceAttrs, azResource);
        mapToAzAttrs(actionAttrs, azAction);
        final AzResult azResult = authService.getAuthorizationDecision(azSubject, azResource, azAction);
        // A check succeeds only on an explicit PERMIT decision; any other decision leaves it unsuccessful
        a.accessCheck.setSuccessful(azResult.getDecision() == AzResult.Decision.PERMIT);
        if (isTaggable) {
            sb.append(a.tag).append(LINE_SEP).append("    ").append(formattedAccessCheck(resourceURI, a.accessCheck)).append(LINE_SEP);
        }
        // A failed check vetoes the overall result only when it is marked failure-final
        result &= ((!a.accessCheck.isFailureFinal()) || a.accessCheck.isSuccessful());
    }
    if (isTaggable) {
        sb.append(LINE_SEP).append("...final result: ").append(result).append(LINE_SEP);
        ADMSEC_AUTHZ_LOGGER.log(PROGRESS_LEVEL, sb.toString());
    }
    return result;
}
Also used: AzSubject (org.glassfish.security.services.api.authorization.AzSubject), AzResult (org.glassfish.security.services.api.authorization.AzResult), AzAction (org.glassfish.security.services.api.authorization.AzAction), URI (java.net.URI), AzResource (org.glassfish.security.services.api.authorization.AzResource)
