String ldapURL = (String)config.getProperty(name, SamlADF.LDAP_URL_STRING);
String ldapAC_attribute = (String)config.getProperty(name, SamlADF.LDAP_AC_ATTRIBUTE_STRING);
String uRL = (String)config.getProperty(name, SamlADF.URL_STRING);
String rootCA = (String)config.getProperty(name, SamlADF.ROOT_CA_STRING); // .pkc filename
//GridShibPERMIS
String ldapPKC_attribute = (String)config.getProperty(name, SamlADF.LDAP_PKC_ATTRIBUTE_STRING);
this.adf = getADF(soa, oid, ldapURL, uRL, ldapAC_attribute, ldapPKC_attribute, rootCA);
shibParser.setAuthTokenParsingRules(((PermisRBAC)adf).getPolicyFinder().getParsedPolicy().getAuthTokenParsingRules());
try {
Class GSPPDP = Class.forName("issrg.gt4.GridShibPermisPDP");
Class[] parameterTypes = new Class[] {javax.security.auth.Subject.class,
javax.xml.rpc.handler.MessageContext.class,
javax.xml.namespace.QName.class,
issrg.shibboleth.ShibbolethAuthTokenParser.class,
String.class,
String.class};
getCredsMethod = GSPPDP.getMethod("getCreds", parameterTypes);
} catch (ClassNotFoundException e) {
throw new InitializeException("Failed to initialize PermisPDP: "+e.getMessage(), e);
} catch (NoSuchMethodException e) {
throw new InitializeException("Failed to initialize PermisPDP: "+e.getMessage(), e);
}
}
}
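/**
 * Evaluates one authorization request against the configured PERMIS policy
 * and records an XACML-style Response element that {@link #getResponse()}
 * returns afterwards.
 *
 * <p>Subject and Resource are taken from the XACML request context stored in
 * the "request.context" property of {@code context} when that context carries
 * an Attribute for them; otherwise the subject is derived from the first
 * Principal of {@code peerSubject} ("" = anonymous when none) and the target
 * from the URL of the invoked service. Action and Environment are always
 * parsed from the request context.
 *
 * <p>Every error path fails closed: it returns false and stores an
 * Indeterminate/NotApplicable Response describing the reason.
 *
 * @param peerSubject authenticated caller; may be null (treated as anonymous)
 * @param context     message context; its "request.context" property may hold an XACML request Element
 * @param operation   invoked operation (only logged here; also handed to GridShib when that mode is on)
 * @return true only when the PDP returned Permit
 * @throws AuthorizationException when no policy is loaded, or when GridShib mode
 *         is configured but its credential lookup is unavailable or fails
 */
public boolean isPermitted(Subject peerSubject, MessageContext context, QName operation) throws AuthorizationException {
    if (this.adf == null) {
        throw new AuthorizationException("Cannot authorize: no policy is set");
    }
    logger.info("Permis PDP is called");
    // The XACML request context is optional; Subject/Resource fall back to what
    // the transport layer knows (peer Principal, service URL) when it lacks them.
    Element requestCtx = (Element) context.getProperty("request.context");
    boolean subjectFlag = checkAttribute(requestCtx, "Subject");
    boolean resourceFlag = checkAttribute(requestCtx, "Resource");

    Element response = this.doc.createElement("Response");
    response.setAttribute("xmlns", "urn:oasis:names:tc:xacml:2.0:context:schema:os");
    Element result = this.doc.createElement("Result");
    result.setAttribute("ResourceId", this.permis.getId(requestCtx, "Resource"));
    Element status = this.doc.createElement("Status");
    Element statuscode = this.doc.createElement("StatusCode");
    Element decision = this.doc.createElement("Decision");
    try {
        issrg.pba.Subject subject;
        if (subjectFlag) {
            subject = this.permis.createSubject(requestCtx, this.permis.getPDP().getPolicyFinder().getPolicyOID());
        } else {
            // NOTE(review): per-request writes to instance fields (adf here, response below)
            // make a shared PermisPDP instance unsafe for concurrent isPermitted calls.
            this.adf = this.permis.getPDP();
            Object[] creds = null;
            // GridShib authorization. A null flag is treated as "off" instead of throwing NPE.
            if ("true".equals(GSP_useGridShib)) {
                if (getCredsMethod == null) {
                    throw new AuthorizationException("Error calling GridShibPermisPDP Method: GridShibPermisPDP class is required to make a decision in this mode, but is missing");
                }
                // GridShibPermisPDP.getCreds is resolved reflectively at initialization.
                Object[] arguments = new Object[] {peerSubject, context, operation, shibParser, IdPproviderId, GSP_ldapAC_attribute};
                try {
                    java.util.Vector normalisedCreds = (java.util.Vector) getCredsMethod.invoke(null, arguments);
                    if (normalisedCreds != null) {
                        creds = normalisedCreds.toArray();
                    }
                } catch (IllegalAccessException e) {
                    throw new AuthorizationException("PermisRBAC error:" + e);
                } catch (InvocationTargetException e) {
                    throw new AuthorizationException("PermisRBAC error:" + e);
                }
            }
            // PERMIS authorization: "" is the "world" DN, i.e. an anonymous caller.
            String userDN = "";
            if (peerSubject != null) {
                Set peerPrincipals = peerSubject.getPrincipals();
                if (peerPrincipals != null && !peerPrincipals.isEmpty()) {
                    // NOTE(review): uses whichever Principal the Set yields first; if a Subject can
                    // carry several, confirm that this is the identity the policy is meant to see.
                    userDN = ((Principal) peerPrincipals.iterator().next()).getName();
                }
            }
            logger.debug("Operation " + operation.toString() + " called by subject: " + userDN);
            try {
                subject = adf.getCreds(new LDAPDNPrincipal(userDN), creds, null);
            } catch (Exception re) {
                throw new SubjectException(re.toString());
            }
        }
        if (subject != null) {
            // NOTE(review): dumps the caller's full credential set at DEBUG; keep DEBUG off in
            // production (or drop this line) if those attributes are sensitive.
            logger.debug("the credentails are " + subject.exportCreds().toString());
            logger.info("Permis subject is created");
        }

        issrg.pba.rbac.PermisTarget target;
        if (resourceFlag) {
            target = this.permis.createTarget(requestCtx);
        } else {
            // No Resource in the request context: the target is the URL of the invoked service.
            String resource1;
            try {
                resource1 = ResourceContext.getResourceContext().getServiceURL().toString();
            } catch (Exception re) {
                throw new TargetException(re.toString());
            }
            target = new PermisTarget(resource1);
        }
        if (target != null) {
            logger.debug("the target is " + target.getName());
            logger.info("Permis target is created");
        }
        // NOTE(review): unlike Subject/Resource there is no fallback for Action and Environment;
        // both are always parsed from requestCtx, which is null when the property is absent.
        issrg.pba.Action act = this.permis.createAction(requestCtx);
        if (act != null) {
            logger.info("Permis action is created");
        }
        Hashtable env = this.permis.createEnvironment(requestCtx);
        if (env != null) {
            logger.info("Permis environment is created");
        }
        if (target != null) {
            result.setAttribute("ResourceId", target.getName());
        }

        issrg.pba.Response res = this.permis.getPDP().response(subject, act, target, env);
        logger.info("Permis authorisation decision is made");
        boolean permitted = res.isAuthorised();
        appendDecision(result, decision, status, statuscode,
                permitted ? "Permit" : "Deny", "urn:oasis:names:tc:xacml:1.0:status:ok");
        if (permitted) {
            // NOTE(review): obligations are only serialized into the Response text; the boolean
            // return value does not convey them, so a caller that checks only the return value
            // cannot enforce them. Whether the PDP itself refuses to Permit when an obligation
            // must be enforced (see the PbaException branch below) is not visible from here.
            issrg.pba.Obligations obls = res.getObligations();
            if (obls != null) {
                result.appendChild(this.doc.createTextNode(obls.toString()));
            }
        }
        response.appendChild(result);

        // Round-trip through the serializer/parser to obtain the Element handed out by getResponse().
        String responseText = new EncodeXML().encode(response, 0);
        XMLParser parser = new XMLParser(responseText);
        try {
            this.response = parser.getXmlElement();
        } catch (PermisWebServiceException pe) {
            logger.debug("invalid response context");
            // Fail closed, and do not leave a previous call's Response visible through getResponse().
            this.response = response;
            return false;
        }
        return permitted;
    } catch (PbaException pe) {
        // NOTE(review): the PDP reports its reason only through message text, so the XACML
        // status must be derived by string matching; anything unrecognised (including a
        // null message) maps to Indeterminate/processing-error.
        String msg = pe.getMessage();
        logger.debug(msg);
        String textCode;
        String statusCode;
        if ("Target is out of target domain".equals(msg)) {
            textCode = "NotApplicable";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:ok";
        } else if ("Subject, Action and Target should not be null".equals(msg)) {
            textCode = "Indeterminate";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute";
        } else if ("Cannot use the subject: created by a different object".equals(msg)) {
            textCode = "Indeterminate";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:processing-error";
        } else if ("Unacceptable Action for this policy".equals(msg)) {
            textCode = "NotApplicable";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:ok";
        } else if (msg != null && msg.startsWith("Unacceptable Action for this Policy:")) {
            // Was misspelled "NotAppicable", which is not a valid XACML decision value.
            textCode = "NotApplicable";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:ok";
        } else if ("Cannot make a decision: some obligation must be enforced".equals(msg)) {
            textCode = "Indeterminate";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:processing-error";
        } else {
            textCode = "Indeterminate";
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:processing-error";
        }
        appendDecision(result, decision, status, statuscode, textCode, statusCode);
        response.appendChild(result);
        this.response = response;
        return false;
    } catch (SubjectException se) {
        logger.debug(se.getMessage());
        appendDecision(result, decision, status, statuscode,
                "Indeterminate", "urn:oasis:names:tc:xacml:1.0:status:processing-error");
        response.appendChild(result);
        this.response = response;
        return false;
    } catch (TargetException te) {
        String msg = te.getMessage();
        logger.debug(msg);
        String statusCode;
        if ("bad URL".equals(msg) || "syntax error".equals(msg)) {
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:syntax-error";
        } else {
            statusCode = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute";
        }
        appendDecision(result, decision, status, statuscode, "Indeterminate", statusCode);
        response.appendChild(result);
        this.response = response;
        return false;
    } catch (ActionException ae) {
        logger.debug(ae.getMessage());
        appendDecision(result, decision, status, statuscode,
                "Indeterminate", "urn:oasis:names:tc:xacml:1.0:status:syntax-error");
        response.appendChild(result);
        this.response = response;
        return false;
    } catch (EnvironmentException ee) {
        logger.debug(ee.getMessage());
        appendDecision(result, decision, status, statuscode,
                "Indeterminate", "urn:oasis:names:tc:xacml:1.0:status:syntax-error");
        response.appendChild(result);
        this.response = response;
        return false;
    }
}

/**
 * Fills in a Result element: a Decision child holding {@code textCode}, then a
 * Status child whose StatusCode carries {@code statusCode} in its Value attribute.
 * The Decision is appended before the Status so the element order matches what
 * the original branches produced.
 */
private void appendDecision(Element result, Element decision, Element status, Element statuscode,
                            String textCode, String statusCode) {
    decision.appendChild(this.doc.createTextNode(textCode));
    result.appendChild(decision);
    statuscode.setAttribute("Value", statusCode);
    status.appendChild(statuscode);
    result.appendChild(status);
}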
/**
 * Returns the XACML Response element stored by the most recent
 * {@link #isPermitted} call on this instance (every decision path, including
 * the failure paths, records one).
 *
 * @return the stored Response element
 */
public Element getResponse() {
    return response;
}
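/**
 * Returns the environmental attributes of the wrapped PERMIS PDP.
 *
 * @return the attributes element supplied by the wrapped PDP
 * @throws InitializeException if the wrapped PDP cannot supply them; the
 *         underlying PermisWebServiceException is kept as the cause
 */
public Element getAttributes() throws InitializeException {
    try {
        return this.permis.getAttributes();
    } catch (PermisWebServiceException pe) {
        // Chain the cause so the real failure is not lost from the stack trace.
        throw new InitializeException("the actual Permis PDP fails to return environmental attributes", pe);
    }
}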
/**
 * Reports whether the request context holds a {@code type} element (Subject,
 * Resource, Action or Environment) that has at least one direct child element
 * named "Attribute".
 *
 * <p>Candidates are found with getElementsByTagName, so a matching element at
 * any depth counts. The child is compared by node name, which is the qualified
 * name: a namespace-prefixed Attribute element would not match — confirm the
 * request context is always unprefixed.
 *
 * @param reqCtx XACML request element, or null when no context was supplied
 * @param type   tag name to look for
 * @return true when such an Attribute child exists, false otherwise (always false for a null context)
 */
private boolean checkAttribute(Element reqCtx, String type) {
    if (reqCtx == null) {
        return false;
    }
    NodeList candidates = reqCtx.getElementsByTagName(type);
    for (int idx = 0; idx < candidates.getLength(); idx++) {
        NodeList children = candidates.item(idx).getChildNodes();
        for (int k = 0; k < children.getLength(); k++) {
            Node child = children.item(k);
            if (child instanceof Text) {
                continue; // text/whitespace nodes can never be an Attribute element
            }
            if ("Attribute".equals(child.getNodeName())) {
                return true;
            }
        }
    }
    return false;
}
}