Use of org.infinispan.security.PrincipalRoleMapper in project infinispan by infinispan.
The class Parser, method parseGlobalAuthorization.
/**
 * Parses the global {@code <authorization>} element and applies it to the holder's
 * {@link GlobalAuthorizationConfigurationBuilder}.
 * <p>
 * Reaching this element enables authorization unconditionally; the only accepted attribute is
 * {@code AUDIT_LOGGER}, whose value is a class name instantiated through the holder's class loader.
 * Child elements select at most one principal-to-role mapper and at most one role-permission
 * mapper (a second occurrence of either kind is rejected) and declare roles. The mappers are
 * buffered in locals and handed to the builder only when the closing {@code </authorization>}
 * tag is reached, at which point the method returns.
 *
 * @param reader the configuration reader positioned on the {@code <authorization>} element
 * @param holder the builder holder whose global security configuration is updated
 * @throws ConfigurationReader-specific exceptions from {@link ParseUtils} on an unknown attribute,
 *         an unknown child element, or a duplicate mapper element
 */
private void parseGlobalAuthorization(ConfigurationReader reader, ConfigurationBuilderHolder holder) {
   GlobalAuthorizationConfigurationBuilder builder = holder.getGlobalConfigurationBuilder().security().authorization().enable();
   for (int i = 0; i < reader.getAttributeCount(); i++) {
      String value = reader.getAttributeValue(i);
      Attribute attribute = Attribute.forName(reader.getAttributeName(i));
      switch(attribute) {
         case AUDIT_LOGGER:
         {
            // The attribute value names a class that is instantiated reflectively with the holder's
            // class loader: the configuration document is therefore inside the trust boundary and
            // must only come from a trusted source.
            builder.auditLogger(Util.getInstance(value, holder.getClassLoader()));
            break;
         }
         default:
         {
            throw ParseUtils.unexpectedAttribute(reader, i);
         }
      }
   }
   // Mappers are collected while walking the children and applied to the builder only in the
   // AUTHORIZATION (end-element) case below.
   PrincipalRoleMapper roleMapper = null;
   RolePermissionMapper permissionMapper = null;
   // NOTE(review): if the reader runs out of events before the closing </authorization> tag, this
   // loop exits normally and the collected mappers are never applied; presumably the reader rejects
   // such a document itself — confirm.
   while (reader.hasNext()) {
      reader.nextElement();
      Element element = Element.forName(reader.getLocalName());
      switch(element) {
         case AUTHORIZATION:
         {
            // Only the closing tag of <authorization> is expected here; the opening tag was
            // consumed by the caller.
            reader.require(ConfigurationReader.ElementType.END_ELEMENT);
            if (permissionMapper != null) {
               builder.rolePermissionMapper(permissionMapper);
            }
            if (roleMapper != null) {
               builder.principalRoleMapper(roleMapper);
            }
            return;
         }
         case CLUSTER_PERMISSION_MAPPER:
            // Exactly one permission mapper may be declared.
            if (permissionMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            ParseUtils.requireNoAttributes(reader);
            ParseUtils.requireNoContent(reader);
            permissionMapper = new ClusterPermissionMapper();
            break;
         case CUSTOM_PERMISSION_MAPPER:
            if (permissionMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            // Presumably instantiates a class named in the element (same trust consideration as
            // AUDIT_LOGGER) — confirm against parseCustomPermissionMapper.
            permissionMapper = parseCustomPermissionMapper(reader, holder);
            break;
         case IDENTITY_ROLE_MAPPER:
            // Exactly one principal-to-role mapper may be declared; the built-in ones take neither
            // attributes nor content.
            if (roleMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            ParseUtils.requireNoAttributes(reader);
            ParseUtils.requireNoContent(reader);
            roleMapper = new IdentityRoleMapper();
            break;
         case COMMON_NAME_ROLE_MAPPER:
            if (roleMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            ParseUtils.requireNoAttributes(reader);
            ParseUtils.requireNoContent(reader);
            roleMapper = new CommonNameRoleMapper();
            break;
         case CLUSTER_ROLE_MAPPER:
            if (roleMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            ParseUtils.requireNoAttributes(reader);
            ParseUtils.requireNoContent(reader);
            roleMapper = new ClusterRoleMapper();
            break;
         case CUSTOM_ROLE_MAPPER:
            if (roleMapper != null) {
               throw ParseUtils.unexpectedElement(reader);
            }
            // Presumably instantiates a class named in the element (same trust consideration as
            // AUDIT_LOGGER) — confirm against parseCustomRoleMapper.
            roleMapper = parseCustomRoleMapper(reader, holder);
            break;
         case ROLES:
         {
            // Map form: each item is keyed by its NAME attribute and parsed as one role.
            while (reader.inTag()) {
               Map.Entry<String, String> item = reader.getMapItem(Attribute.NAME);
               parseGlobalRole(reader, builder, item.getKey());
               reader.endMapItem();
            }
            break;
         }
         case ROLE:
         {
            // Element form: the role name is read by parseGlobalRole itself.
            parseGlobalRole(reader, builder, null);
            break;
         }
         default:
         {
            throw ParseUtils.unexpectedElement(reader);
         }
      }
   }
}
Use of org.infinispan.security.PrincipalRoleMapper in project infinispan by infinispan.
The class Authorizer, method computeSubjectACL.
/**
 * Computes the effective ACL of a subject for one resource.
 * <p>
 * Every principal of the subject is mapped to zero or more role names through the globally
 * configured {@link PrincipalRoleMapper}. The permission mask is then the union of the masks of
 * the global roles that apply to the resource: when the resource declares roles, only those
 * roles count; when it declares none, only inheritable global roles count; when no resource
 * configuration is given at all, every mapped global role counts regardless of inheritability.
 *
 * @param subject the authenticated subject whose principals are mapped to roles
 * @param configuration the resource's authorization configuration, or {@code null} for
 *        a global (resource-independent) check
 * @return the role names and permission mask computed for the subject
 */
private SubjectACL computeSubjectACL(Subject subject, AuthorizationConfiguration configuration) {
   GlobalAuthorizationConfiguration globalAuthz = globalConfiguration.authorization();
   PrincipalRoleMapper mapper = globalAuthz.principalRoleMapper();
   Set<Principal> subjectPrincipals = subject.getPrincipals();
   Set<String> roles = new HashSet<>(subjectPrincipals.size());
   // A principal may map to several roles; a mapper may also return null for "no roles".
   for (Principal subjectPrincipal : subjectPrincipals) {
      Set<String> mapped = mapper.principalToRoles(subjectPrincipal);
      if (mapped == null) {
         continue;
      }
      roles.addAll(mapped);
   }
   // A resource with an empty role list falls back to the inheritable global roles.
   boolean noDeclaredRoles = configuration != null && configuration.roles().isEmpty();
   int mask = 0;
   for (String roleName : roles) {
      boolean candidate = configuration == null || noDeclaredRoles || configuration.roles().contains(roleName);
      if (!candidate) {
         continue;
      }
      Role globalRole = globalAuthz.getRole(roleName);
      if (globalRole == null) {
         continue;
      }
      // In the fallback case a role only contributes if it was declared inheritable.
      if (noDeclaredRoles && !globalRole.isInheritable()) {
         continue;
      }
      mask |= globalRole.getMask();
   }
   if (log.isTraceEnabled()) {
      log.tracef("Subject '%s' has roles '%s' and permission mask %d", subject, roles, mask);
   }
   return new SubjectACL(roles, mask);
}
Use of org.infinispan.security.PrincipalRoleMapper in project infinispan by infinispan.
The class CoreConfigurationSerializer, method writeSecurity.
/**
 * Serializes the global {@code <security><authorization>} section.
 * <p>
 * Nothing is written unless the authorization attributes were modified and authorization is
 * enabled. The audit logger attribute, the principal-to-role mapper and the role declarations
 * (the latter only when they differ from the defaults) are emitted in that order.
 *
 * @param writer the configuration writer receiving the elements
 * @param configuration the global configuration to serialize
 */
private void writeSecurity(ConfigurationWriter writer, GlobalConfiguration configuration) {
   GlobalAuthorizationConfiguration authorization = configuration.security().authorization();
   AttributeSet attributes = authorization.attributes();
   if (!attributes.isModified() || !authorization.enabled()) {
      return;
   }
   writer.writeStartElement(Element.SECURITY);
   writer.writeStartElement(Element.AUTHORIZATION);
   attributes.write(writer, GlobalAuthorizationConfiguration.AUDIT_LOGGER, Attribute.AUDIT_LOGGER);
   PrincipalRoleMapper mapper = authorization.principalRoleMapper();
   if (mapper != null) {
      writeRoleMapper(writer, mapper);
   }
   if (!authorization.isDefaultRoles()) {
      writeRoles(writer, authorization);
   }
   writer.writeEndElement(); // authorization
   writer.writeEndElement(); // security
}

/**
 * Writes the element describing the configured principal-to-role mapper.
 * Built-in mappers are written as empty marker elements; any other implementation is written as
 * a custom mapper carrying only its class name — no instance state is serialized.
 */
private void writeRoleMapper(ConfigurationWriter writer, PrincipalRoleMapper mapper) {
   if (mapper instanceof IdentityRoleMapper) {
      writer.writeEmptyElement(Element.IDENTITY_ROLE_MAPPER);
      return;
   }
   if (mapper instanceof CommonNameRoleMapper) {
      writer.writeEmptyElement(Element.COMMON_NAME_ROLE_MAPPER);
      return;
   }
   if (mapper instanceof ClusterRoleMapper) {
      writer.writeEmptyElement(Element.CLUSTER_ROLE_MAPPER);
      return;
   }
   writer.writeStartElement(Element.CUSTOM_ROLE_MAPPER);
   writer.writeAttribute(Attribute.CLASS, mapper.getClass().getName());
   writer.writeEndElement();
}

/** Writes the role map: one item per role, keyed by name, with its permissions as an attribute. */
private void writeRoles(ConfigurationWriter writer, GlobalAuthorizationConfiguration authorization) {
   writer.writeStartMap(Element.ROLES);
   for (Role role : authorization.roles().values()) {
      writer.writeMapItem(Element.ROLE, Attribute.NAME, role.getName());
      writeCollectionAsAttribute(writer, Attribute.PERMISSIONS, role.getPermissions());
      writer.writeEndMapItem();
   }
   writer.writeEndMap();
}