2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi;
24 import java.security.Principal;
25 import java.util.ArrayList;
26 import java.util.List;
28 import javax.servlet.http.HttpServletRequest;
29 import javax.servlet.http.HttpServletRequestWrapper;
31 import org.onap.aaf.cadi.Access.Level;
32 import org.onap.aaf.cadi.filter.NullPermConverter;
33 import org.onap.aaf.cadi.filter.PermConverter;
34 import org.onap.aaf.cadi.lur.EpiLur;
35 import org.onap.aaf.cadi.principal.TaggedPrincipal;
36 import org.onap.aaf.cadi.taf.TafResp;
37 import org.onap.aaf.cadi.util.Timing;
42 * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
43 * overload the key security mechanisms with CADI mechanisms
45 * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
47 * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
48 * need something similar. See AppServer specific code (i.e. tomcat) for these.
53 public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
54 private TaggedPrincipal principal;
56 private String user; // used to set user/pass from brain-dead protocols like WSSE
57 private byte[] password;
58 private PermConverter pconv;
59 private Access access;
62 * Standard Wrapper constructor for Delegate pattern
65 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
67 principal = tafResp.getPrincipal();
68 access = tafResp.getAccess();
70 pconv = NullPermConverter.singleton();
74 * Standard Wrapper constructor for Delegate pattern, with PermConverter
77 public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
79 principal = tafResp.getPrincipal();
80 access = tafResp.getAccess();
87 * Part of the HTTP Security API. Declare the User associated with this HTTP Transaction.
88 * CADI does this by reporting the name associated with the Principal obtained, if any.
91 public String getRemoteUser() {
92 return principal==null?null:principal.getName();
96 * Part of the HTTP Security API. Return the User Principal associated with this HTTP
100 public Principal getUserPrincipal() {
105 * This is the key API call for AUTHZ in J2EE. Given a Role (String passed in), is the user
106 * associated with this HTTP Transaction allowed to function in this Role?
108 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
109 * determined by the Enterprise.
111 * Note: Role check is also done in "CadiRealm" in certain cases...
116 public boolean isUserInRole(String perm) {
117 return perm==null?false:checkPerm(access,"isUserInRole",principal,pconv,lur,perm);
120 public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
121 if(principal== null) {
122 access.log(Level.AUDIT,caller, "No Principal in Transaction");
125 final long start = System.nanoTime();
126 perm = pconv.convert(perm);
127 if(lur.fish(principal,lur.createPerm(perm))) {
128 access.printf(Level.DEBUG,"%s: %s has %s, %f ms", caller, principal.getName(), perm, Timing.millis(start));
131 access.printf(Level.DEBUG,"%s: %s does not have %s, %f ms", caller, principal.getName(), perm, Timing.millis(start));
139 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
140 * as implemented with lur.fishAll
142 * To utilize, the Request must be a "CadiWrap" object, then call.
144 public List<Permission> getPermissions(Principal p) {
145 List<Permission> perms = new ArrayList<>();
146 lur.fishAll(p, perms);
150 * Allow setting of tafResp and lur after construction
152 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
154 public void set(TafResp tafResp, Lur lur) {
155 principal = tafResp.getPrincipal();
156 access = tafResp.getAccess();
160 public String getUser() {
161 if(user==null && principal!=null) {
162 user = principal.getName();
167 public byte[] getCred() {
171 public void setUser(String user) {
175 public void setCred(byte[] passwd) {
179 public CadiWrap setPermConverter(PermConverter pc) {
185 public void invalidate(String id) {
186 if(lur instanceof EpiLur) {
187 ((EpiLur)lur).remove(id);
188 } else if(lur instanceof CachingLur) {
189 ((CachingLur<?>)lur).remove(id);
193 public Lur getLur() {
197 public Access access() {
Code Review / aaf / authz.git / blob