Use of org.jboss.security.javaee.AbstractWebAuthorizationHelper in project wildfly by wildfly:
the canAccessResource method of class JbossAuthorizationManager.
/**
 * Decides whether the caller may access the requested resource.
 *
 * <p>The result is the conjunction of three checks, evaluated in order and
 * short-circuiting on the first denial: the delegate's own check, the JBoss
 * authorization framework's resource-permission check, and
 * {@link #hasUserDataPermission}. The framework is consulted only when the
 * delegate has granted access, and a failure to obtain an authorization helper
 * denies immediately, so the method fails closed.
 *
 * @param mappedConstraints the security constraints matched for this request
 * @param account           the authenticated account, or {@code null} when the caller is not authenticated
 * @param servletInfo       the target servlet
 * @param request           the current request
 * @param deployment        the deployment the request belongs to
 * @return {@code true} only when every check grants access
 */
@Override
public boolean canAccessResource(List<SingleConstraintMatch> mappedConstraints, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) {
    // NOTE(review): assumed non-null here; current() is read before the delegate runs - confirm
    ServletRequestContext requestContext = ServletRequestContext.current();
    boolean delegateGranted = delegate.canAccessResource(mappedConstraints, account, servletInfo, request, deployment);
    boolean frameworkGranted = false;
    if (delegateGranted) {
        // Only once the delegate has granted access is the authorization framework asked.
        SecurityContext securityContext = SecurityActions.getSecurityContext();
        Subject callerSubject = securityContext.getUtil().getSubject();
        AbstractWebAuthorizationHelper helper;
        try {
            helper = SecurityHelperFactory.getWebAuthorizationHelper(securityContext);
        } catch (Exception e) {
            // Without a helper no decision can be made: deny rather than fall through.
            UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
            return false;
        }
        Map<String, Object> policyContextMap = new HashMap<>();
        policyContextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
        // TODO: confirm what the framework expects under this key; the matched constraints are passed for now.
        policyContextMap.put("securityConstraints", mappedConstraints);
        List<String> callerRoles = new ArrayList<>();
        if (account != null) {
            callerRoles.addAll(account.getRoles());
        }
        frameworkGranted = helper.checkResourcePermission(policyContextMap, request, requestContext.getServletResponse(), callerSubject, PolicyContext.getContextID(), requestURI(requestContext.getExchange()), callerRoles);
    }
    // The user-data check runs only when both earlier checks passed (short-circuit).
    boolean granted = delegateGranted && frameworkGranted && hasUserDataPermission(request, requestContext.getOriginalResponse(), account, mappedConstraints);
    UndertowLogger.ROOT_LOGGER.tracef("hasResourcePermission:RealmBase says: %s ::Authz framework says: %s :final= %s", delegateGranted, frameworkGranted, granted);
    return granted;
}
Use of org.jboss.security.javaee.AbstractWebAuthorizationHelper in project wildfly by wildfly:
the isUserInRole method of class JbossAuthorizationManager.
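/**
 * Decides whether the caller holds the given role for the given servlet.
 *
 * <p>The delegate is asked first; only if it grants the role is the JBoss
 * authorization framework consulted, with the role name translated through
 * the servlet's security-role-refs (a ref whose linked role equals
 * {@code role} substitutes its own role name). The result is the conjunction
 * of both answers. A missing authorization helper, or a {@code null} account
 * once the delegate has granted, denies: the framework check needs the
 * account's principal and roles, so the method fails closed instead of
 * throwing a {@link NullPointerException}, mirroring the null guard in
 * {@link #canAccessResource}.
 *
 * @param role        the role name as used by the application
 * @param account     the authenticated account, or {@code null} when the caller is not authenticated
 * @param servletInfo the target servlet, whose security-role-refs are consulted
 * @param request     the current request
 * @param deployment  the deployment the request belongs to
 * @return {@code true} only when both the delegate and the framework grant the role
 */
@Override
public boolean isUserInRole(String role, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) {
    boolean baseDecision = delegate.isUserInRole(role, account, servletInfo, request, deployment);
    boolean authzDecision = true;
    // if the RealmBase check has passed, then we can go to authz framework
    if (baseDecision) {
        if (account == null) {
            // Nothing to authorize against without an account: deny rather than dereference null below.
            authzDecision = false;
        } else {
            String servletName = servletInfo.getName();
            String roleName = resolveRoleName(role, servletInfo.getSecurityRoleRefs());
            SecurityContext sc = SecurityActions.getSecurityContext();
            AbstractWebAuthorizationHelper helper;
            try {
                helper = SecurityHelperFactory.getWebAuthorizationHelper(sc);
            } catch (Exception e) {
                // Without a helper no decision can be made: deny rather than fall through.
                UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
                return false;
            }
            // NOTE(review): the subject may be null here if no caller has been established yet - confirm the helper tolerates that
            Subject callerSubject = sc.getUtil().getSubject();
            authzDecision = helper.hasRole(roleName, account.getPrincipal(), servletName, getPrincipalRoles(account), PolicyContext.getContextID(), callerSubject, new ArrayList<String>(account.getRoles()));
        }
    }
    boolean finalDecision = baseDecision && authzDecision;
    UndertowLogger.ROOT_LOGGER.tracef("hasRole:RealmBase says: %s ::Authz framework says: %s :final= %s", baseDecision, authzDecision, finalDecision);
    return finalDecision;
}

/**
 * Translates an application role name through the servlet's security-role-refs.
 *
 * @param role     the role name used by the application
 * @param roleRefs the servlet's security-role-refs, may be {@code null}
 * @return the role of the first ref whose linked role equals {@code role}, else {@code role} itself
 */
private static String resolveRoleName(String role, List<SecurityRoleRef> roleRefs) {
    if (roleRefs == null) {
        return role;
    }
    for (SecurityRoleRef ref : roleRefs) {
        if (ref.getLinkedRole().equals(role)) {
            return ref.getRole();
        }
    }
    return role;
}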
Use of org.jboss.security.javaee.AbstractWebAuthorizationHelper in project wildfly by wildfly:
the hasUserDataPermission method of class JbossAuthorizationManager.
/**
 * Asks the JBoss authorization framework for the user-data permission on the
 * given constraints and, on denial, answers the request with 403 when no other
 * status has been set yet.
 *
 * <p>A failure to obtain an authorization helper denies without touching the
 * response. When the check fails and the response status is still
 * {@link HttpServletResponse#SC_OK}, {@code sendError(SC_FORBIDDEN)} is issued;
 * an {@link IOException} from that call is rethrown as a {@link RuntimeException}.
 *
 * @param request     the current request
 * @param response    the response to which a 403 may be written on denial
 * @param account     the authenticated account, or {@code null} when the caller is not authenticated
 * @param constraints the security constraints matched for this request
 * @return {@code true} when the framework grants the user-data permission
 */
public boolean hasUserDataPermission(HttpServletRequest request, HttpServletResponse response, Account account, List<SingleConstraintMatch> constraints) {
    SecurityContext securityContext = SecurityActions.getSecurityContext();
    AbstractWebAuthorizationHelper helper;
    try {
        helper = SecurityHelperFactory.getWebAuthorizationHelper(securityContext);
    } catch (Exception e) {
        // Without a helper no decision can be made: deny rather than fall through.
        UndertowLogger.ROOT_LOGGER.noAuthorizationHelper(e);
        return false;
    }
    Map<String, Object> policyContextMap = new HashMap<>();
    policyContextMap.put("securityConstraints", constraints);
    policyContextMap.put(ResourceKeys.USERDATA_PERM_CHECK, Boolean.TRUE);
    // JBAS-6419: the caller subject has no bearing on the user data permission check,
    // so an absent subject is replaced by an empty one rather than passed as null.
    Subject callerSubject = securityContext.getUtil().getSubject();
    if (callerSubject == null) {
        callerSubject = new Subject();
    }
    List<String> callerRoles = new ArrayList<>();
    if (account != null) {
        callerRoles.addAll(account.getRoles());
    }
    boolean granted = helper.hasUserDataPermission(policyContextMap, request, response, PolicyContext.getContextID(), callerSubject, callerRoles);
    // Only write the 403 if nobody has changed the status from the default SC_OK yet.
    if (!granted && response.getStatus() == HttpServletResponse.SC_OK) {
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
    return granted;
}