2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi;
24 import java.security.Principal;
25 import java.util.ArrayList;
26 import java.util.List;
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletRequestWrapper;
31 import org.onap.aaf.cadi.Access.Level;
32 import org.onap.aaf.cadi.filter.NullPermConverter;
33 import org.onap.aaf.cadi.filter.PermConverter;
34 import org.onap.aaf.cadi.lur.EpiLur;
35 import org.onap.aaf.cadi.principal.TaggedPrincipal;
36 import org.onap.aaf.cadi.taf.TafResp;
41 * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
42 * overload the key security mechanisms with CADI mechanisms
44 * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
46 * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
47 * need something similar. See AppServer specific code (i.e. tomcat) for these.
52 public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
53 private TaggedPrincipal principal;
55 private String user; // used to set user/pass from brain-dead protocols like WSSE
56 private byte[] password;
57 private PermConverter pconv;
58 private Access access;
61 * Standard Wrapper constructor for Delegate pattern
64 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
66 principal = tafResp.getPrincipal();
67 access = tafResp.getAccess();
69 pconv = NullPermConverter.singleton();
73 * Standard Wrapper constructor for Delegate pattern, with PermConverter
76 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
78 principal = tafResp.getPrincipal();
79 access = tafResp.getAccess();
86 * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction.
87 * CADI does this by reporting the name associated with the Principal obtained, if any.
90 public String getRemoteUser() {
91 return principal==null?null:principal.getName();
95 * Part of the HTTP Security API. Return the User Principal associated with this HTTP
99 public Principal getUserPrincipal() {
104 * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user
105 * associated with this HTTP Transaction allowed to function in this Role?
107 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
108 * determined by the Enterprise.
110 * Note: Role check is also done in "CadiRealm" in certain cases...
115 public boolean isUserInRole(String perm) {
116 return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
119 public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
120 if(principal== null) {
121 access.log(Level.AUDIT,caller, "No Principal in Transaction");
124 perm = pconv.convert(perm);
125 if(lur.fish(principal,lur.createPerm(perm))) {
126 access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
129 access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
137 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
138 * as implemented with lur.fishAll
140 * To utilize, the Request must be a "CadiWrap" object, then call.
142 public List<Permission> getPermissions(Principal p) {
143 List<Permission> perms = new ArrayList<Permission>();
144 lur.fishAll(p, perms);
148 * Allow setting of tafResp and lur after construction
150 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
152 public void set(TafResp tafResp, Lur lur) {
153 principal = tafResp.getPrincipal();
154 access = tafResp.getAccess();
158 public String getUser() {
159 if(user==null && principal!=null) {
160 user = principal.getName();
165 public byte[] getCred() {
169 public void setUser(String user) {
173 public void setCred(byte[] passwd) {
177 public CadiWrap setPermConverter(PermConverter pc) {
183 public void invalidate(String id) {
184 if(lur instanceof EpiLur) {
185 ((EpiLur)lur).remove(id);
186 } else if(lur instanceof CachingLur) {
187 ((CachingLur<?>)lur).remove(id);
191 public Lur getLur() {
195 public Access access() {