Use of org.glassfish.security.services.api.authorization.AzSubject in project Payara by payara.
Class AuthorizationServiceImpl, method isAuthorized.
/**
 * Decides whether {@code subject} may perform {@code action} on the resource
 * identified by {@code resource}.
 *
 * @param subject the Subject being tested; must not be null
 * @param resource URI of the resource being tested; must not be null
 * @param action the action on the resource for which authorization is desired;
 *        null or "*" stands for all actions
 * @return true only when the returned decision has status OK and decision PERMIT;
 *         any other combination (including an error status) yields false
 * @throws IllegalArgumentException if subject or resource is null
 * @throws IllegalStateException if the service has not been initialized
 * @see AuthorizationService#isAuthorized(javax.security.auth.Subject, java.net.URI, String)
 */
@Override
public boolean isAuthorized(final Subject subject, final URI resource, final String action) {
    checkServiceAvailability();

    // Reject missing inputs before any conversion; subject is checked first.
    if (subject == null) {
        throw new IllegalArgumentException(
                localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
    }
    if (resource == null) {
        throw new IllegalArgumentException(
                localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
    }
    // A null action is accepted: it means "all actions", i.e. no action condition.

    // Arguments are evaluated left to right: subject, resource, then action.
    final AzResult decision = getAuthorizationDecision(
            makeAzSubject(subject), makeAzResource(resource), makeAzAction(action));

    // Fail closed: the status must be OK and the decision PERMIT; the decision
    // is not even consulted when the status is not OK.
    return AzResult.Status.OK.equals(decision.getStatus())
            && AzResult.Decision.PERMIT.equals(decision.getDecision());
}
Use of org.glassfish.security.services.api.authorization.AzSubject in project Payara by payara.
Class CommandSecurityChecker, method checkAccessRequired.
/**
 * Runs every pending access check for a command against the authorization
 * service and records the outcome on each check.
 *
 * @param subject the caller's Subject
 * @param env command environment handed to the authorization preprocessors
 * @param command the command whose access checks are evaluated
 * @param accessChecks the checks to evaluate; each one is marked successful or not
 * @return false if any check that is marked failure-final was denied; true otherwise
 *         (a denied check that is not failure-final does not affect the result)
 */
private boolean checkAccessRequired(Subject subject, final Map<String, Object> env, final AdminCommand command, final List<AccessCheckWork> accessChecks) throws NoSuchFieldException, IllegalArgumentException, IllegalAccessException, URISyntaxException, UnsupportedEncodingException {
    final boolean isTaggable = ADMSEC_AUTHZ_LOGGER.isLoggable(PROGRESS_LEVEL);

    // The trace is only assembled when the progress level is enabled.
    StringBuilder trace = null;
    if (isTaggable) {
        trace = new StringBuilder(LINE_SEP);
        trace.append("AccessCheck processing on ").append(command.getClass().getName()).append(LINE_SEP);
    }

    boolean allowed = true;
    for (final AccessCheckWork work : accessChecks) {
        final URI resourceURI = resourceURIFromAccessCheck(work.accessCheck);

        // Fresh Az* objects per check, since the preprocessors attach attributes to them.
        final AzSubject azSubject = authService.makeAzSubject(subject);
        final AzResource azResource = authService.makeAzResource(resourceURI);
        final AzAction azAction = authService.makeAzAction(work.accessCheck.action());

        final Map<String, String> subjectAttrs = new HashMap<>();
        final Map<String, String> resourceAttrs = new HashMap<>();
        final Map<String, String> actionAttrs = new HashMap<>();
        for (final AuthorizationPreprocessor preprocessor : authPreprocessors) {
            preprocessor.describeAuthorization(subject, work.accessCheck.resourceName(), work.accessCheck.action(), command, env, subjectAttrs, resourceAttrs, actionAttrs);
        }
        mapToAzAttrs(subjectAttrs, azSubject);
        mapToAzAttrs(resourceAttrs, azResource);
        mapToAzAttrs(actionAttrs, azAction);

        final AzResult azResult = authService.getAuthorizationDecision(azSubject, azResource, azAction);
        // NOTE(review): only the decision is inspected here; azResult.getStatus() is not,
        // unlike AuthorizationServiceImpl.isAuthorized, which also requires Status.OK.
        // Confirm that a non-OK status can never be paired with Decision.PERMIT.
        final boolean permitted = azResult.getDecision() == AzResult.Decision.PERMIT;
        work.accessCheck.setSuccessful(permitted);

        if (trace != null) {
            trace.append(work.tag).append(LINE_SEP).append(" ").append(formattedAccessCheck(resourceURI, work.accessCheck)).append(LINE_SEP);
        }

        // A denied check only denies the command when it is marked failure-final;
        // evaluation continues so every check is recorded and traced.
        if (work.accessCheck.isFailureFinal() && !work.accessCheck.isSuccessful()) {
            allowed = false;
        }
    }

    if (trace != null) {
        trace.append(LINE_SEP).append("...final result: ").append(allowed).append(LINE_SEP);
        ADMSEC_AUTHZ_LOGGER.log(PROGRESS_LEVEL, trace.toString());
    }
    return allowed;
}