1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi;
\r
26 import java.security.Principal;
\r
27 import java.util.ArrayList;
\r
28 import java.util.List;
\r
30 import javax.servlet.http.HttpServletRequest;
\r
31 import javax.servlet.http.HttpServletRequestWrapper;
\r
33 import com.att.cadi.Access.Level;
\r
34 import com.att.cadi.filter.NullPermConverter;
\r
35 import com.att.cadi.filter.PermConverter;
\r
36 import com.att.cadi.lur.EpiLur;
\r
37 import com.att.cadi.taf.TafResp;
\r
42 * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
\r
43 * overload the key security mechanisms with CADI mechanisms
\r
45 * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
\r
47 * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
\r
48 * need something similar. See AppServer specific code (i.e. tomcat) for these.
\r
52 public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
\r
53 private Principal principal;
\r
55 private String user; // used to set user/pass from brain-dead protocols like WSSE
\r
56 private byte[] password;
\r
57 private PermConverter pconv;
\r
58 private Access access;
\r
61 * Standard Wrapper constructor for Delegate pattern
\r
64 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
\r
66 principal = tafResp.getPrincipal();
\r
67 access = tafResp.getAccess();
\r
69 pconv = NullPermConverter.singleton();
\r
73 * Standard Wrapper constructor for Delegate pattern, with PermConverter
\r
76 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
\r
78 principal = tafResp.getPrincipal();
\r
79 access = tafResp.getAccess();
\r
86 * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction.
\r
87 * CADI does this by reporting the name associated with the Principal obtained, if any.
\r
90 public String getRemoteUser() {
\r
91 return principal==null?null:principal.getName();
\r
95 * Part of the HTTP Security API. Return the User Principal associated with this HTTP
\r
99 public Principal getUserPrincipal() {
\r
104 * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user
\r
105 * associated with this HTTP Transaction allowed to function in this Role?
\r
107 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
\r
108 * determined by the Enterprise.
\r
110 * Note: Role check is also done in "CadiRealm" in certain cases...
\r
115 public boolean isUserInRole(String perm) {
\r
116 return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
\r
119 public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
\r
120 if(principal== null) {
\r
121 access.log(Level.AUDIT,caller, "No Principal in Transaction");
\r
124 perm = pconv.convert(perm);
\r
125 if(lur.fish(principal,lur.createPerm(perm))) {
\r
126 access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
\r
129 access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
\r
137 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
\r
138 * as implemented with lur.fishAll
\r
140 * To utilize, the Request must be a "CadiWrap" object, then call.
\r
142 public List<Permission> getPermissions(Principal p) {
\r
143 List<Permission> perms = new ArrayList<Permission>();
\r
144 lur.fishAll(p, perms);
\r
148 * Allow setting of tafResp and lur after construction
\r
150 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
\r
152 public void set(TafResp tafResp, Lur lur) {
\r
153 principal = tafResp.getPrincipal();
\r
154 access = tafResp.getAccess();
\r
158 public String getUser() {
\r
159 if(user==null && principal!=null) {
\r
160 user = principal.getName();
\r
165 public byte[] getCred() {
\r
169 public void setUser(String user) {
\r
173 public void setCred(byte[] passwd) {
\r
177 public CadiWrap setPermConverter(PermConverter pc) {
\r
183 public void invalidate(String id) {
\r
184 if(lur instanceof EpiLur) {
\r
185 ((EpiLur)lur).remove(id);
\r
186 } else if(lur instanceof CachingLur) {
\r
187 ((CachingLur<?>)lur).remove(id);
\r
191 public Lur getLur() {
\r