Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.
The class AuthorizationServiceImpl, method isAuthorized.
/**
 * Determine whether the given Subject is authorized to access the given resource,
 * specified by a URI.
 *
 * <p>The answer is fail-closed: access is reported as authorized only when the
 * {@link AzResult} returned by {@code getAuthorizationDecision} carries both
 * status {@code OK} and decision {@code PERMIT}; every other combination yields
 * {@code false}.
 *
 * @param subject The Subject being tested.
 * @param resource URI of the resource being tested.
 * @param action The action, with respect to the resource parameter,
 * for which authorization is desired. To check authorization for all actions,
 * action is represented by null or "*".
 * @return True or false, depending on whether the access is authorized.
 * @throws IllegalArgumentException Given null or illegal subject or resource
 * @throws IllegalStateException Service was not initialized.
 * @see AuthorizationService#isAuthorized(javax.security.auth.Subject, java.net.URI, String)
 */
@Override
public boolean isAuthorized(final Subject subject, final URI resource, final String action) {
    checkServiceAvailability();
    if (subject == null) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (resource == null) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // A null action is deliberately accepted here: it means "all actions" (no action condition).
    final AzResult decision = getAuthorizationDecision(
            makeAzSubject(subject), makeAzResource(resource), makeAzAction(action));
    // Both conditions must hold; a non-OK status never counts as a permit.
    final boolean statusOk = AzResult.Status.OK.equals(decision.getStatus());
    return statusOk && AzResult.Decision.PERMIT.equals(decision.getDecision());
}
Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.
The class AuthorizationServiceImpl, method getAuthorizationDecision.
/**
 * The primary authorization method. The isAuthorized() methods call this method
 * after converting their arguments into the appropriate attribute collection type.
 * It returns a full AzResult, including authorization status, decision, and
 * obligations.
 *
 * Before delegating to the configured AuthorizationProvider this method builds the
 * AzEnvironment for the request by copying the current environment attributes
 * obtained from the Security Context service.
 *
 * NOTE(review): no call to a role-mapping service is visible in this method body;
 * role attributes on the AzSubject are presumably populated before this method is
 * reached (e.g. while the AzSubject is built) — confirm against the callers.
 *
 * The debug-level trace below echoes {@code subject.toString()} and the full
 * result; keep that in mind if AzSubject attributes may carry sensitive values.
 *
 * @param subject The attributes collection representing the Subject for which an authorization
 * decision is requested.
 * @param resource The attributes collection representing the resource for which access is
 * being requested.
 * @param action The attributes collection representing the action, with respect to the resource,
 * for which access is being requested. A null action is interpreted as all
 * actions, however all actions may also be represented by the AzAction instance.
 * See <code>{@link org.glassfish.security.services.api.authorization.AzAction}</code>.
 * @return The AzResult indicating the result of the access decision.
 * @throws IllegalArgumentException Given null or illegal subject or resource
 * @throws IllegalStateException Service was not initialized.
 * @see AuthorizationService#getAuthorizationDecision
 */
@Override
public AzResult getAuthorizationDecision(final AzSubject subject, final AzResource resource, final AzAction action) {
    checkServiceAvailability();
    if (subject == null) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (resource == null) {
        throw new IllegalArgumentException(localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // TODO: setup current AzEnvironment instance. Should a null or empty instance to represent current environment?
    // Snapshot the caller's current context attributes into a fresh environment for this request.
    final AzEnvironment environment = new AzEnvironmentImpl();
    final Attributes contextAttrs = securityContextService.getEnvironmentAttributes();
    for (final String name : contextAttrs.getAttributeNames()) {
        environment.addAttribute(name, contextAttrs.getAttributeValue(name), true);
    }
    final AzResult decision = provider.getAuthorizationDecision(subject, resource, action, environment, attributeResolvers);
    if (isDebug()) {
        final String[] traceArgs = { subject.toString(), decision.toString() };
        logger.log(DEBUG_LEVEL, "Authorization Service result for {0} was {1}.", traceArgs);
    }
    return decision;
}
Use of org.glassfish.security.services.api.authorization.AzResult in project Payara by payara.
The class CommandSecurityChecker, method checkAccessRequired.
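/**
 * Evaluates every queued access check for a command against the authorization
 * service and reports whether the command may proceed.
 *
 * <p>Each {@code AccessCheckWork} is turned into an AzSubject/AzResource/AzAction
 * triple, enriched by the registered {@code AuthorizationPreprocessor}s, and
 * submitted to {@code authService.getAuthorizationDecision}. A check is marked
 * successful only when the returned {@link AzResult} has status {@code OK}
 * <em>and</em> decision {@code PERMIT} — the same fail-closed rule that
 * {@code AuthorizationServiceImpl.isAuthorized} applies — so a result whose status
 * is not OK can never count as a permit here. All checks are evaluated even after
 * a failure so that the progress trace lists each of them.
 *
 * @param subject the caller being checked
 * @param env the command environment handed to the preprocessors
 * @param command the command whose access checks are being evaluated
 * @param accessChecks the checks to evaluate; each one's {@code setSuccessful} is updated
 * @return {@code true} unless some check that is marked failure-final was denied
 * @throws NoSuchFieldException declared for the helper calls in the body; not thrown directly here
 * @throws IllegalArgumentException declared for the helper calls in the body; not thrown directly here
 * @throws IllegalAccessException declared for the helper calls in the body; not thrown directly here
 * @throws URISyntaxException declared for the helper calls in the body; not thrown directly here
 * @throws UnsupportedEncodingException declared for the helper calls in the body; not thrown directly here
 */
private boolean checkAccessRequired(Subject subject, final Map<String, Object> env, final AdminCommand command, final List<AccessCheckWork> accessChecks) throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException, URISyntaxException, UnsupportedEncodingException {
    final boolean isTaggable = ADMSEC_AUTHZ_LOGGER.isLoggable(PROGRESS_LEVEL);
    // The trace is only assembled when it will actually be logged.
    final StringBuilder trace = isTaggable
            ? new StringBuilder(LINE_SEP).append("AccessCheck processing on ").append(command.getClass().getName()).append(LINE_SEP)
            : null;
    boolean result = true;
    for (final AccessCheckWork work : accessChecks) {
        final URI resourceURI = resourceURIFromAccessCheck(work.accessCheck);
        final AzSubject azSubject = authService.makeAzSubject(subject);
        final AzResource azResource = authService.makeAzResource(resourceURI);
        final AzAction azAction = authService.makeAzAction(work.accessCheck.action());
        // Let each preprocessor contribute extra attributes before the decision is requested.
        final Map<String, String> subjectAttrs = new HashMap<String, String>();
        final Map<String, String> resourceAttrs = new HashMap<String, String>();
        final Map<String, String> actionAttrs = new HashMap<String, String>();
        for (final AuthorizationPreprocessor ap : authPreprocessors) {
            ap.describeAuthorization(subject, work.accessCheck.resourceName(), work.accessCheck.action(), command, env, subjectAttrs, resourceAttrs, actionAttrs);
        }
        mapToAzAttrs(subjectAttrs, azSubject);
        mapToAzAttrs(resourceAttrs, azResource);
        mapToAzAttrs(actionAttrs, azAction);
        final AzResult azResult = authService.getAuthorizationDecision(azSubject, azResource, azAction);
        // Fail closed: require both an OK status and a PERMIT decision, consistent with
        // AuthorizationServiceImpl.isAuthorized, rather than trusting the decision alone.
        final boolean permitted = AzResult.Status.OK.equals(azResult.getStatus())
                && AzResult.Decision.PERMIT.equals(azResult.getDecision());
        work.accessCheck.setSuccessful(permitted);
        if (isTaggable) {
            trace.append(work.tag).append(LINE_SEP).append(" ").append(formattedAccessCheck(resourceURI, work.accessCheck)).append(LINE_SEP);
        }
        // A denied check only fails the command when it is marked failure-final.
        result &= (!work.accessCheck.isFailureFinal()) || work.accessCheck.isSuccessful();
    }
    if (isTaggable) {
        trace.append(LINE_SEP).append("...final result: ").append(result).append(LINE_SEP);
        ADMSEC_AUTHZ_LOGGER.log(PROGRESS_LEVEL, trace.toString());
    }
    return result;
}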