+++ /dev/null
-/*******************************************************************************\r
- * ============LICENSE_START====================================================\r
- * * org.onap.aaf\r
- * * ===========================================================================\r
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
- * * ===========================================================================\r
- * * Licensed under the Apache License, Version 2.0 (the "License");\r
- * * you may not use this file except in compliance with the License.\r
- * * You may obtain a copy of the License at\r
- * * \r
- * * http://www.apache.org/licenses/LICENSE-2.0\r
- * * \r
- * * Unless required by applicable law or agreed to in writing, software\r
- * * distributed under the License is distributed on an "AS IS" BASIS,\r
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
- * * See the License for the specific language governing permissions and\r
- * * limitations under the License.\r
- * * ============LICENSE_END====================================================\r
- * *\r
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
- * *\r
- ******************************************************************************/\r
-package org.onap.aaf.cadi;\r
-\r
-import java.security.Principal;\r
-import java.util.ArrayList;\r
-import java.util.List;\r
-\r
-import javax.servlet.http.HttpServletRequest;\r
-import javax.servlet.http.HttpServletRequestWrapper;\r
-\r
-import org.onap.aaf.cadi.Access.Level;\r
-import org.onap.aaf.cadi.filter.NullPermConverter;\r
-import org.onap.aaf.cadi.filter.PermConverter;\r
-import org.onap.aaf.cadi.lur.EpiLur;\r
-import org.onap.aaf.cadi.taf.TafResp;\r
-\r
-\r
-\r
-/**\r
- * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but\r
- * overload the key security mechanisms with CADI mechanisms\r
- * \r
- * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)\r
- * \r
- * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may\r
- * need something similar. See AppServer specific code (i.e. tomcat) for these.\r
- * \r
- *\r
- */\r
-public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {\r
- private Principal principal;\r
- private Lur lur;\r
- private String user; // used to set user/pass from brain-dead protocols like WSSE \r
- private byte[] password;\r
- private PermConverter pconv;\r
- private Access access; \r
- \r
- /**\r
- * Standard Wrapper constructor for Delegate pattern\r
- * @param request\r
- */\r
- public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {\r
- super(request);\r
- principal = tafResp.getPrincipal();\r
- access = tafResp.getAccess();\r
- this.lur = lur;\r
- pconv = NullPermConverter.singleton();\r
- }\r
-\r
- /**\r
- * Standard Wrapper constructor for Delegate pattern, with PermConverter\r
- * @param request\r
- */\r
- public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {\r
- super(request);\r
- principal = tafResp.getPrincipal();\r
- access = tafResp.getAccess();\r
- this.lur = lur;\r
- pconv = pc;\r
- }\r
-\r
-\r
- /**\r
- * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction.\r
- * CADI does this by reporting the name associated with the Principal obtained, if any.\r
- */\r
-// @Override\r
- public String getRemoteUser() {\r
- return principal==null?null:principal.getName();\r
- }\r
-\r
- /**\r
- * Part of the HTTP Security API. Return the User Principal associated with this HTTP \r
- * Transaction.\r
- */\r
-// @Override\r
- public Principal getUserPrincipal() {\r
- return principal;\r
- }\r
- \r
- /**\r
- * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user\r
- * associated with this HTTP Transaction allowed to function in this Role?\r
- * \r
- * For CADI, we pass the responsibility for determining this to the "LUR", which may be\r
- * determined by the Enterprise.\r
- * \r
- * Note: Role check is also done in "CadiRealm" in certain cases...\r
- * \r
- *\r
- */\r
-// @Override\r
- public boolean isUserInRole(String perm) {\r
- return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);\r
- }\r
- \r
- public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {\r
- if(principal== null) {\r
- access.log(Level.AUDIT,caller, "No Principal in Transaction");\r
- return false;\r
- } else { \r
- perm = pconv.convert(perm);\r
- if(lur.fish(principal,lur.createPerm(perm))) {\r
- access.log(Level.DEBUG,caller, principal.getName(), "has", perm);\r
- return true;\r
- } else {\r
- access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);\r
- return false;\r
- }\r
- }\r
-\r
- }\r
-\r
- /** \r
- * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc\r
- * as implemented with lur.fishAll\r
- * \r
- * To utilize, the Request must be a "CadiWrap" object, then call.\r
- */\r
- public List<Permission> getPermissions(Principal p) {\r
- List<Permission> perms = new ArrayList<Permission>();\r
- lur.fishAll(p, perms);\r
- return perms;\r
- }\r
- /**\r
- * Allow setting of tafResp and lur after construction\r
- * \r
- * This can happen if the CadiWrap is constructed in a Valve other than CadiValve\r
- */\r
- public void set(TafResp tafResp, Lur lur) {\r
- principal = tafResp.getPrincipal();\r
- access = tafResp.getAccess();\r
- this.lur = lur;\r
- }\r
-\r
- public String getUser() {\r
- if(user==null && principal!=null) {\r
- user = principal.getName();\r
- }\r
- return user;\r
- }\r
-\r
- public byte[] getCred() {\r
- return password;\r
- }\r
-\r
- public void setUser(String user) {\r
- this.user = user;\r
- }\r
-\r
- public void setCred(byte[] passwd) {\r
- password = passwd;\r
- }\r
- \r
- public CadiWrap setPermConverter(PermConverter pc) {\r
- pconv = pc;\r
- return this;\r
- }\r
- \r
- // Add a feature\r
- public void invalidate(String id) {\r
- if(lur instanceof EpiLur) {\r
- ((EpiLur)lur).remove(id);\r
- } else if(lur instanceof CachingLur) {\r
- ((CachingLur<?>)lur).remove(id);\r
- }\r
- }\r
- \r
- public Lur getLur() {\r
- return lur;\r
- }\r
-}\r
Code Review / aaf / cadi.git / blobdiff