本文章继续上一篇实现WebApp的授权
5. 实现XMLPolicyFile类。
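/**
 * Policy implementation that answers subject-based permission queries from an
 * XML policy document of the form
 * <code>/policy/grant/principal/permission</code>.
 *
 * The document is parsed once per {@link #refresh()} call from the file named
 * by <code>AUTH_SECURITY_POLICYXMLFILE</code> and kept as a DOM tree.
 */
public class XMLPolicyFile extends Policy implements JAASConstants {
    /**
     * Selects every permission element. The expression is a constant on
     * purpose: principal names and class names are compared in Java code
     * (see matchesAnyPrincipal) and are never spliced into the XPath text,
     * so a name containing quote characters cannot change which grants
     * are selected.
     */
    private static final String PERMISSION_XPATH = "/policy/grant/principal/permission";

    private Document doc = null;

    /**
     * Builds the policy by loading the XML policy file via {@link #refresh()}.
     */
    public XMLPolicyFile() {
        refresh();
    }

    /**
     * Code-source-only lookup. This policy holds no grants that are
     * independent of a Subject, so an empty collection is returned
     * (deny by default) instead of <code>null</code>, which callers of
     * <code>Policy.getPermissions</code> do not expect.
     */
    public PermissionCollection getPermissions(CodeSource arg0) {
        return new java.security.Permissions();
    }

    /**
     * Creates a DOM tree document from the XML file named by
     * <code>AUTH_SECURITY_POLICYXMLFILE</code>. The DOM tree is then used by
     * <code>getPermissions(Subject, CodeSource)</code> when searching for
     * permissions.
     *
     * @throws RuntimeException if the file cannot be read or parsed; the
     *         original exception is attached as the cause
     */
    public void refresh() {
        FileInputStream fis = null;
        try {
            // Set up a DOM tree to query
            fis = new FileInputStream(AUTH_SECURITY_POLICYXMLFILE);
            InputSource in = new InputSource(fis);
            DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();
            dfactory.setNamespaceAware(true);
            // NOTE(review): the factory keeps its default DTD / external-entity
            // behaviour. If the policy file can be written by anyone less
            // trusted than the application itself, enable
            // XMLConstants.FEATURE_SECURE_PROCESSING and reject DOCTYPE
            // declarations here; confirm first that the deployed policy file
            // does not rely on a DTD.
            doc = dfactory.newDocumentBuilder().parse(in);
        } catch (Exception e) {
            e.printStackTrace();
            // Keep the cause so a failed policy load can be diagnosed.
            throw new RuntimeException(e.getMessage(), e);
        } finally {
            if (fis != null) {
                try {
                    fis.close();
                } catch (IOException ignored) {
                    // Nothing useful can be done if closing the stream fails.
                }
            }
        }
    }

    /**
     * Collects the permissions granted to any principal of the subject.
     *
     * A permission element contributes only when its enclosing principal
     * element names the class and name of one of the subject's principals
     * and the enclosing grant declares a codebase that implies
     * <code>codeSource</code>.
     *
     * @param subject    the authenticated subject; <code>null</code> yields
     *                   an empty collection
     * @param codeSource the code source the permissions are requested for
     * @return the matching permissions, never <code>null</code>
     * @throws RuntimeException if the policy document cannot be evaluated
     */
    public PermissionCollection getPermissions(Subject subject, CodeSource codeSource) {
        ResourcePermissionCollection collection = new ResourcePermissionCollection();
        if (subject == null) {
            // No authenticated subject: grant nothing.
            return collection;
        }
        try {
            NodeIterator nodeIter = XPathAPI.selectNodeIterator(doc, PERMISSION_XPATH);
            Node node = null;
            while ((node = nodeIter.nextNode()) != null) {
                Node principalNode = node.getParentNode();
                if (!matchesAnyPrincipal(principalNode, subject)) {
                    continue;
                }
                CodeSource codebase = getCodebase(principalNode.getParentNode());
                // The original test was "codebase != null || codebase.implies(...)",
                // which accepted every grant that had a codebase and failed with a
                // NullPointerException on grants that had none. Both conditions
                // are now required, so a grant without a codebase is skipped.
                if (codebase != null && codebase.implies(codeSource)) {
                    collection.add(getPermission(node));
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
            throw new RuntimeException(e.getMessage(), e);
        }
        // The collection is never null, so the former fallback to
        // Policy.getPolicy() could not be reached and has been dropped.
        return collection;
    }

    /**
     * Tells whether the principal element's <code>classname</code> and
     * <code>name</code> attributes equal the class name and name of one of
     * the subject's principals. Comparison is exact string equality.
     */
    private static boolean matchesAnyPrincipal(Node principalNode, Subject subject) {
        NamedNodeMap attrs = principalNode.getAttributes();
        if (attrs == null) {
            return false;
        }
        Attr attrClassname = (Attr) attrs.getNamedItem("classname");
        Attr attrName = (Attr) attrs.getNamedItem("name");
        if (attrClassname == null || attrName == null) {
            return false;
        }
        Iterator principalIterator = subject.getPrincipals().iterator();
        while (principalIterator.hasNext()) {
            Principal principal = (Principal) principalIterator.next();
            if (attrClassname.getValue().equals(principal.getClass().getName())
                    && attrName.getValue().equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns a Permission instance defined by the provided
     * permission Node attributes.
     *
     * The constructor is chosen by which attributes are present:
     * none for no <code>name</code>, (String) for <code>name</code> only,
     * (String, String) for <code>name</code> and <code>actions</code>, and
     * (String, String, String) when <code>relationship</code> is given too.
     *
     * NOTE(review): ResourcePermission as listed on this page declares only a
     * (String, String, Resource, Subject) constructor, so a policy entry that
     * names it would fail in getConstructor - confirm which permission
     * classes the policy file is meant to list.
     *
     * @throws RuntimeException if the element has no <code>classname</code>
     * @throws ClassCastException if the named class is not a Permission
     */
    private Permission getPermission(Node node) throws Exception {
        NamedNodeMap map = node.getAttributes();
        Attr attrClassname = (Attr) map.getNamedItem("classname");
        Attr attrName = (Attr) map.getNamedItem("name");
        Attr attrActions = (Attr) map.getNamedItem("actions");
        Attr attrRelationship = (Attr) map.getNamedItem("relationship");
        if (attrClassname == null)
            throw new RuntimeException("permission element has no classname attribute");
        Class[] types = null;
        Object[] args = null;
        // With no name attribute, types and args stay null and the
        // default constructor is used.
        if (attrName != null) {
            String name = attrName.getValue();
            if (attrActions != null) {
                String actions = attrActions.getValue();
                if (attrRelationship == null) {
                    types = new Class[2];
                    args = new Object[2];
                } else {
                    types = new Class[3];
                    args = new Object[3];
                    types[2] = String.class;
                    args[2] = attrRelationship.getValue();
                }
                types[1] = String.class;
                args[1] = actions;
            } else {
                types = new Class[1];
                args = new Object[1];
            }
            types[0] = String.class;
            args[0] = name;
        }
        String classname = attrClassname.getValue();
        Class permissionClass = Class.forName(classname);
        // Check the type before running any constructor, so that a class
        // name in the policy file that is not a Permission is rejected
        // without being instantiated.
        if (!Permission.class.isAssignableFrom(permissionClass)) {
            throw new ClassCastException(classname + " is not a java.security.Permission");
        }
        Constructor constructor = permissionClass.getConstructor(types);
        return (Permission) constructor.newInstance(args);
    }

    /**
     * Returns a CodeSource object defined by the provided
     * grant Node attributes, or <code>null</code> when the node is not a
     * grant element or carries no <code>codebase</code> attribute. The
     * CodeSource is created without certificates.
     */
    private java.security.CodeSource getCodebase(Node node) throws Exception {
        Certificate[] certs = null;
        if (node.getNodeName().equalsIgnoreCase("grant")) {
            NamedNodeMap map = node.getAttributes();
            Attr attrCodebase = (Attr) map.getNamedItem("codebase");
            if (attrCodebase != null) {
                URL location = new URL(attrCodebase.getValue());
                return new CodeSource(location, certs);
            }
        }
        return null;
    }
}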
6. 实现Principal接口的PrincipalUser类
public class PrincipalUser implements Principal {
private String name;
/**
*
* @param name the name for this principal.
*
* @exception InvalidParameterException if the <code>name</code>
* is <code>null</code>.
*/
public PrincipalUser(String name) {
if (name == null)
throw new InvalidParameterException("name cannot be null");
//search role of this name.
this.name = name;
}
/**
* Returns the name for this <code>PrincipalUser</code>.
*
* @return the name for this <code>PrincipalUser</code>
*/
public String getName() {
return name;
}
/**
*
*/
public int hashCode() {
return name.hashCode();
}
}
7.继承Permission和PermissionCollection类
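/**
 * Permission on a named resource, qualified by a set of actions
 * (read, write, execute, create, delete, deploy, confirm) that is stored
 * as a bit mask.
 */
public class ResourcePermission extends Permission {
    static final public String OWNER_RELATIONSHIP = "OWNER";
    // One distinct bit per action. DEPLOY and CONFIRM used to be 0x16 and
    // 0x24, which overlap the WRITE, EXECUTE and DELETE bits, so parsing
    // "deploy" or "confirm" silently switched those actions on as well.
    static private final int READ = 0x01;
    static private final int WRITE = 0x02;
    static private final int EXECUTE = 0x04;
    static private final int CREATE = 0x08;
    static private final int DELETE = 0x10;
    static private final int DEPLOY = 0x20;
    static private final int CONFIRM = 0x40;
    static final public String READ_ACTION = "read";
    static final public String WRITE_ACTION = "write";
    static final public String EXECUTE_ACTION = "execute";
    static final public String CREATE_ACTION = "create";
    static final public String DELETE_ACTION = "delete";
    static final public String DEPLOY_ACTION = "deploy";
    static final public String CONFIRM_ACTION = "confirm";
    protected int mask;
    protected Resource resource;
    protected Subject subject;

    /**
     * Constructor for ResourcePermission
     *
     * @param name     the resource name this permission refers to
     * @param actions  action names separated by commas or white space;
     *                 <code>null</code> means no action
     * @param resource the resource instance being accessed
     * @param subject  the subject the permission is checked for
     * @throws IllegalArgumentException if <code>actions</code> contains an
     *         unknown action name
     */
    public ResourcePermission(String name, String actions, Resource resource, Subject subject) {
        super(name);
        this.resource = resource;
        this.subject = subject;
        parseActions(actions);
    }

    /**
     * Returns the actions in the mask as a ", "-separated list in the fixed
     * order read, write, execute, create, delete, deploy, confirm.
     *
     * @see Permission#getActions()
     */
    public String getActions() {
        StringBuffer buf = new StringBuffer();
        appendIfSet(buf, READ, READ_ACTION);
        appendIfSet(buf, WRITE, WRITE_ACTION);
        appendIfSet(buf, EXECUTE, EXECUTE_ACTION);
        appendIfSet(buf, CREATE, CREATE_ACTION);
        appendIfSet(buf, DELETE, DELETE_ACTION);
        // deploy and confirm were accepted by parseActions but never
        // reported here.
        appendIfSet(buf, DEPLOY, DEPLOY_ACTION);
        appendIfSet(buf, CONFIRM, CONFIRM_ACTION);
        return buf.toString();
    }

    /** Appends the action name, comma-separated, when its bit is in the mask. */
    private void appendIfSet(StringBuffer buf, int flag, String action) {
        if ((mask & flag) == flag) {
            if (buf.length() > 0)
                buf.append(", ");
            buf.append(action);
        }
    }

    /**
     * @see Permission#hashCode()
     */
    public int hashCode() {
        return getName().hashCode() ^ mask;
    }

    /**
     * Two permissions are equal when name and action mask are equal; the
     * resource and subject fields are not compared.
     *
     * @see Permission#equals(Object)
     */
    public boolean equals(Object object) {
        if (!(object instanceof ResourcePermission))
            return false;
        ResourcePermission p = (ResourcePermission) object;
        return p.getName().equals(getName()) && p.mask == mask;
    }

    /**
     * Returns <code>true</code> only when the other permission is a
     * ResourcePermission for the same resource name and every action it
     * asks for is contained in this permission's actions.
     *
     * The previous implementation compared the name only, so a grant of
     * "read" also satisfied a check for "write" on the same resource.
     *
     * @see Permission#implies(Permission)
     */
    public boolean implies(Permission permission) {
        if (!(permission instanceof ResourcePermission))
            return false;
        ResourcePermission requested = (ResourcePermission) permission;
        // The resource name must be the same.
        if (!requested.getName().equals(getName()))
            return false;
        // Every requested action bit must be granted.
        return (mask & requested.mask) == requested.mask;
    }

    /**
     * Parses the actions string. Actions are separated
     * by commas or white space (space or tab).
     *
     * @throws IllegalArgumentException on an unknown action name
     */
    private void parseActions(String actions) {
        mask = 0;
        if (actions != null) {
            // The listing had "/t" here (a mangled tab escape), which made
            // '/' and 't' delimiters and split names such as "write".
            StringTokenizer tokenizer = new StringTokenizer(actions, ",\t ");
            while (tokenizer.hasMoreTokens()) {
                String token = tokenizer.nextToken();
                if (token.equals(READ_ACTION))
                    mask |= READ;
                else if (token.equals(WRITE_ACTION))
                    mask |= WRITE;
                else if (token.equals(EXECUTE_ACTION))
                    mask |= EXECUTE;
                else if (token.equals(CREATE_ACTION))
                    mask |= CREATE;
                else if (token.equals(DELETE_ACTION))
                    mask |= DELETE;
                else if (token.equals(DEPLOY_ACTION))
                    mask |= DEPLOY;
                else if (token.equals(CONFIRM_ACTION))
                    mask |= CONFIRM;
                else
                    throw new IllegalArgumentException("Unknown action: " + token);
            }
        }
    }

    /**
     * Gets the resource
     * @return Returns a Resource
     */
    public Resource getResource() {
        return resource;
    }

    /**
     * Gets the subject
     * @return Returns a Subject
     */
    public Subject getSubject() {
        return subject;
    }

    /**
     * @see Permission#newPermissionCollection()
     */
    public PermissionCollection newPermissionCollection() {
        return new ResourcePermissionCollection();
    }

    /**
     * @return the name and the action list, joined by a colon
     * @see Permission#toString()
     */
    public String toString() {
        return getName() + ":" + getActions();
    }
}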
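/**
 * Collection of ResourcePermission objects, grouped by permission name.
 *
 * The outer table maps a permission name to an inner table holding every
 * distinct permission added under that name.
 */
public class ResourcePermissionCollection extends PermissionCollection {
    private Hashtable permissions;

    /** Creates an empty collection. */
    public ResourcePermissionCollection() {
        permissions = new Hashtable();
    }

    /**
     * Returns all permissions from every name group.
     *
     * @see PermissionCollection#elements()
     */
    public Enumeration elements() {
        Hashtable list = new Hashtable();
        // "enum" is a reserved word since Java 5, so the enumeration
        // variables are named differently from the original listing.
        Enumeration groups = permissions.elements();
        while (groups.hasMoreElements()) {
            Hashtable table = (Hashtable) groups.nextElement();
            list.putAll(table);
        }
        return list.elements();
    }

    /**
     * Returns <code>true</code> when at least one permission stored under
     * the same name implies the given permission.
     *
     * @throws IllegalArgumentException if the permission is not a
     *         ResourcePermission
     * @see PermissionCollection#implies(Permission)
     */
    public boolean implies(Permission permission) {
        if (!(permission instanceof ResourcePermission))
            throw new IllegalArgumentException("Wrong Permission type");
        ResourcePermission rcsPermission = (ResourcePermission) permission;
        Hashtable aggregate = (Hashtable) permissions.get(rcsPermission.getName());
        if (aggregate == null)
            return false;
        Enumeration candidates = aggregate.elements();
        while (candidates.hasMoreElements()) {
            ResourcePermission p = (ResourcePermission) candidates.nextElement();
            if (p.implies(permission))
                return true;
        }
        return false;
    }

    /**
     * Adds a permission to the group for its name.
     *
     * The original version looked the group up and then replaced it with a
     * new table holding a single "none" entry, so each add discarded the
     * permissions added earlier under the same name. The existing group is
     * now reused and entries are keyed by the permission itself, which
     * ResourcePermission compares by name and action mask.
     *
     * @throws IllegalArgumentException if the collection is read-only or
     *         the permission is not a ResourcePermission
     * @see PermissionCollection#add(Permission)
     */
    public void add(Permission permission) {
        if (isReadOnly())
            throw new IllegalArgumentException("Read only collection");
        if (!(permission instanceof ResourcePermission))
            throw new IllegalArgumentException("Wrong Permission type");
        ResourcePermission rcsPermission = (ResourcePermission) permission;
        Hashtable aggregate = (Hashtable) permissions.get(rcsPermission.getName());
        if (aggregate == null) {
            aggregate = new Hashtable();
            permissions.put(rcsPermission.getName(), aggregate);
        }
        aggregate.put(rcsPermission, rcsPermission);
    }
}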
8.实现授权Action
package com.nova.colimas.security.actions;
import java.security.PrivilegedAction;
import com.nova.colimas.data.sql.*;
import com.nova.colimas.data.sql.SQLTBI;
/**
 * Privileged action that exercises the authorization check by calling
 * SQLTURM.update() with a null bean.
 */
public class DBTURMAction implements PrivilegedAction {
    /**
     * Runs the protected operation.
     *
     * @return always <code>null</code>; the outcome of update() is not
     *         passed on
     */
    public Object run() {
        // Verify authorization: update() performs the permission check.
        final SQLTURM target = new SQLTURM();
        target.update(null);
        return null;
    }
}
9.授权验证SQLTURM
/*
* Created on 2005/07/01
*
* TODO To change the template for this generated file go to
* Window - Preferences - Java - Code Style - Code Templates
*/
package com.nova.colimas.security.auth;
/**
 * Marker interface for classes whose instances are subject to
 * authorization checks.
 *
 * It declares no members. An implementing class passes itself as the
 * resource argument when it builds a ResourcePermission for a check.
 */
public interface Resource {
}
/**
 * Resource guarded by a "write" permission check on every update.
 */
public class SQLTURM implements Resource {
    /**
     * Checks that the subject bound to the current access-control context
     * may perform "write" on this resource.
     *
     * @param bean not used by this method
     * @return <code>true</code> when the check passes; checkPermission
     *         throws otherwise
     * @see com.nova.colimas.data.sql.DAOAction#update(java.lang.Object)
     */
    public boolean update(Object bean) {
        // Check whether role 00001 is allowed to perform the write
        // operation on SQLTURM.
        Subject caller = Subject.getSubject(java.security.AccessController.getContext());
        Permission required = new ResourcePermission(
                "com.nova.colimas.data.sql.SQLTURM", "write", this, caller);
        AccessController.checkPermission(required);
        // Reached only with permission; without it an exception was thrown.
        return true;
    }
}
10. 实现com.nova.colimas.security.auth.AccessController类获得XMLPolicyFile实例。
package com.nova.colimas.security.auth;
import java.security.AccessControlException;
import java.security.*;
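/**
 * Application-level access check that evaluates a ResourcePermission
 * against the XML policy named by the <code>policy.provider</code>
 * security property.
 */
public class AccessController {
    /**
     * Throws unless the policy grants the permission to the permission's
     * subject. Every failure path denies: a permission of another type, a
     * missing or unloadable policy class and any error during evaluation
     * all end in an AccessControlException.
     *
     * @param permission the ResourcePermission to check
     * @throws AccessControlException if the permission is not granted or
     *         cannot be evaluated; the exception carries the permission
     */
    public static void checkPermission(Permission permission)
            throws AccessControlException {
        // Reject other permission types as a denial. The unconditional cast
        // in the original surfaced them as a ClassCastException instead.
        if (!(permission instanceof ResourcePermission)) {
            throw new AccessControlException("Access Deny", permission);
        }
        ResourcePermission perm = (ResourcePermission) permission;
        String policy_class = (String) java.security.AccessController.doPrivileged(
                new PrivilegedAction() {
                    public Object run() {
                        return Security.getProperty("policy.provider");
                    }
                });
        try {
            // A new policy object is created for every check.
            XMLPolicyFile policy = (XMLPolicyFile)
                    Class.forName(policy_class).newInstance();
            Class permclass = Class.forName(perm.getName());
            ResourcePermissionCollection rpc = (ResourcePermissionCollection)
                    policy.getPermissions(perm.getSubject(),
                            permclass.getProtectionDomain().getCodeSource());
            if (rpc.implies(perm)) return;
        } catch (Exception e) {
            // Deliberately fall through to the denial below; the stack
            // trace is the only record of why evaluation failed.
            e.printStackTrace();
        }
        // Attach the permission so the denial can be traced to the
        // resource and actions that were refused.
        throw new AccessControlException("Access Deny", permission);
    }
}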
11.实现com.nova.colimas.web.action.LoginAction类
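/**
 * Struts action that authenticates the submitted credentials through JAAS
 * and then runs DBTURMAction as the authenticated subject.
 */
public class LoginAction extends Action {
    // The LoginContext and LoginForm used to be instance fields. Struts 1
    // reuses one Action instance across requests, so per-request state kept
    // in fields can be seen by another request; in particular, when creating
    // a new LoginContext failed, the field still held the context of an
    // earlier login and that one was used. Both are now local variables.

    /**
     * Handles a login request.
     *
     * 1 get Login form Bean
     * 2 get the value
     * 3 call JAAS Login Module
     *
     * @return the "success" forward when login and the authorized action
     *         both succeed, otherwise the "failure" forward
     */
    public ActionForward execute(ActionMapping mapping,
            ActionForm form,
            HttpServletRequest request,
            HttpServletResponse response)
            throws Exception {
        LoginForm loginForm = (LoginForm) form;
        LoginContext loginContext;
        try {
            loginContext = new LoginContext(JAASConstants.AUTH_SECURITY_MODULENAME,
                    new LoginCallbackHandler(loginForm.getUserID(), loginForm.getPassword()));
        } catch (SecurityException e) {
            e.printStackTrace();
            // Without a login context nothing can be authenticated.
            return mapping.findForward("failure");
        } catch (LoginException e) {
            e.printStackTrace();
            return mapping.findForward("failure");
        }
        // Authenticate the user
        try {
            // The listing had "loginContext.login" without the call.
            loginContext.login();
            // Verify that the subject is allowed to run DBTURMAction.
            Subject.doAs(loginContext.getSubject(), new DBTURMAction());
            System.out.println("Successfully!\n");
        } catch (Exception e) {
            System.out.println("Unexpected Exception - unable to continue");
            e.printStackTrace();
            return mapping.findForward("failure");
        }
        return mapping.findForward("success");
    }
}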