simplepermisacpolicyfinder.java
来自「一个完整的XACML工程,学习XACML技术的好例子!」· Java 代码 · 共 219 行
JAVA
219 行
/*
* Copyright (c) 2006, University of Kent
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* 1. Neither the name of the University of Kent nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 2. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.
*
* 3. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* 4. YOU AGREE THAT THE EXCLUSIONS IN PARAGRAPHS 2 AND 3 ABOVE ARE REASONABLE
* IN THE CIRCUMSTANCES. IN PARTICULAR, YOU ACKNOWLEDGE (1) THAT THIS
* SOFTWARE HAS BEEN MADE AVAILABLE TO YOU FREE OF CHARGE, (2) THAT THIS
* SOFTWARE IS NOT "PRODUCT" QUALITY, BUT HAS BEEN PRODUCED BY A RESEARCH
* GROUP WHO DESIRE TO MAKE THIS SOFTWARE FREELY AVAILABLE TO PEOPLE WHO WISH
* TO USE IT, AND (3) THAT BECAUSE THIS SOFTWARE IS NOT OF "PRODUCT" QUALITY
* IT IS INEVITABLE THAT THERE WILL BE BUGS AND ERRORS, AND POSSIBLY MORE
* SERIOUS FAULTS, IN THIS SOFTWARE.
*
* 5. This license is governed, except to the extent that local laws
* necessarily apply, by the laws of England and Wales.
*/
package issrg.pba.rbac.x509;
import issrg.pba.*;
import issrg.pba.rbac.*;
import java.security.Principal;
import issrg.SAWS.*; // added for MSoD
/**
* This is a simple Policy Finder that can be instantiated from an instance of
* an X.509 Attribute Certificate. It is useful to extend from: collect the
* Attribute Certificates, then invoke initPolicyFromACArray to initialise the
* Policy Finder.
*
* @author gansen
*/
public class SimplePERMISACPolicyFinder extends PolicyFinder{
private issrg.pba.AuthTokenParser tokenParser=CustomisePERMIS.getAuthTokenParser();
protected SimplePERMISACPolicyFinder(){
super();
}
/**
* This constructor builds a Policy Finder given an AC, the identifier of
* the policy and the identity of the policy issuer. Only if the AC holds
* the required policy construction succeeds. This constructor invokes the
* initPolicyFromACArray directly, see that method description for
* additional details.
*
* @param acBinary - the array of byte arrays, each representing a
* BER-encoded or Base64 encoding of a BER-encoded X.509 AC
* @param policyID - the identifier of the policy to use
* @param SOA - the Principal naming the issuer of the policy (must be the
* Holder and Issuer of the self-signed Attribute Certificate)
* @param SV - the SignatureVerifier to use; if null, digital signatures on
* the ACs are not checked (NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS!)
*/
public SimplePERMISACPolicyFinder(byte[] acBinary, String PolicyId, Principal SOA,
SignatureVerifier SV) throws PbaException {
this();
initPolicyFromACArray(new byte[][]{acBinary}, PolicyId, SOA, SV);
}
/**
* This method looks for the right policy among an array of X.509 Attribute
* Certificates. The policy is identified by its Policy ID (OID in PERMIS
* XML) and the name of the issuer of the policy. The signatures on the
* ACs are validated using the SignatureVerifier provided, if any.
*
* @param acBinary - the array of byte arrays, each representing a
* BER-encoded or Base64 encoding of a BER-encoded X.509 AC
* @param policyID - the identifier of the policy to use
* @param SOA - the Principal naming the issuer of the policy (must be the
* Holder and Issuer of the self-signed Attribute Certificate)
* @param SV - the SignatureVerifier to use; if null, digital signatures on
* the ACs are not checked (NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS!)
*/
protected void initPolicyFromACArray(byte[][] acBinary, String policyID, Principal SOA,
SignatureVerifier SV) throws PbaException{
this.policyOID=policyID.intern();
this.sv=SV;
issrg.utils.repository.TokenLocator soaTokenLocator=new issrg.pba.repository.UserEntry(SOA);
try{
issrg.pba.PolicyParser pp = null;
Throwable lastError = null; // this variable keeps the errors encountered during parsing the attributes
String message = "No ACs have been provided";
boolean selfSignedExists = false;
boolean signatureVerified = false;
boolean policyAttrExists = false;
boolean correctPolicyOID = false;
byte[] byteAC=null;
issrg.ac.AttributeCertificate ac=null;
if (acBinary!=null && acBinary.length>0){
policy_found:
for (int i=0; i<acBinary.length; i++){
try{
byteAC=acBinary[i];
ac = issrg.ac.AttributeCertificate.guessEncoding(byteAC);
if (!(SOA.equals(new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getHolder().getEntityName())))
&& SOA.equals(new LDAPDNPrincipal(issrg.ac.Util.generalNamesToString(ac.getACInfo().getIssuer().getV1Form()==null?ac.getACInfo().getIssuer().getV2Form().getIssuerName():ac.getACInfo().getIssuer().getV1Form()))))){
// not self-issued and is not issued by the SOA
continue; // pick next AC
}
}catch(Exception e){
//error occurs, we just ignore and search for the next one
lastError=lastError==null ? e : new issrg.utils.ExceptionPairException(lastError, e);
continue;
}
selfSignedExists = true;
signatureVerified = false;
if (SV!=null) {
try{
if (!SV.checkSignature(ac.getToBeSignedByteArray(byteAC),
(byte[])ac.getSignatureValue().getValue(),
ac.getSignatureAlgorithm().getAlgorithm().getID(),
soaTokenLocator)) continue;
}catch(PbaException pe){
lastError=lastError==null ? (Exception)pe : (Exception)new issrg.utils.ExceptionPairException(lastError, pe);
continue;
}
}
signatureVerified = true;
policyAttrExists = false;
java.util.Vector attributes = ac.getACInfo().getAttributes();
for (int j=attributes.size(); j-->0; ){
issrg.ac.Attribute a = (issrg.ac.Attribute)attributes.get(j);
if (a.getType().intern() == issrg.ac.attributes.PMIXMLPolicy.PMI_XML_POLICY_ATTRIBUTE_OID){ // a-ha! :-)
policyAttrExists = true;
correctPolicyOID = false;
java.util.Vector values = a.getValues();
for (int k=values.size(); k-->0; ){ // looking for the needed Policy there
try{
issrg.ac.attributes.PMIXMLPolicy pmiPolicy = new issrg.ac.attributes.PMIXMLPolicy((issrg.ac.AttributeValue)values.get(k));
pp = new issrg.pba.rbac.xmlpolicy.XMLPolicyParser(removeSystemTag(pmiPolicy.getPolicy()));
if (pp.getPolicyID().intern()==policyOID){
correctPolicyOID = true;
break policy_found;
}
}catch (Throwable th){
lastError=lastError==null ? th : new issrg.utils.ExceptionPairException(lastError, th);
}
}
}
pp=null;
}
}
if (!correctPolicyOID) message = "No valid AC with a pmiXMLPolicy attribute has a policy with OID "+policyOID;
if (!policyAttrExists) message = "Found no valid AC with a pmiXMLPolicy attribute";
if (!signatureVerified) message = "Signature verification failed on all self-signed ACs";
if (!selfSignedExists) message = "Found no self-signed AC (issuer=holder=SOA)";
}
if (pp==null){ // then there was some error during processing the bunch of ACs
throw new PbaException(message, lastError);
}
this.parsedPolicy=pp;
// added for MSoD
if (pp.getMSoDSet() != null) {
RetainedADI retainedADI = new RetainedADI(); // to be initialised further by logs
sawsServer = new SAWSServer(1);
msodPolicySet = new issrg.pba.rbac.policies.MSoDPolicySet(pp.getMSoDSet(), retainedADI, sawsServer, pp);
}
allocationPolicy=new issrg.pba.rbac.policies.AllocationPolicy(pp.getAssignmentRules());
//The following was changed for MSoD ***************************
if (msodPolicySet == null)
accessPolicy = new issrg.pba.rbac.policies.AccessPolicy(pp.getAccessRules());
else
accessPolicy = new issrg.pba.rbac.policies.AccessPolicy(pp.getAccessRules(), msodPolicySet);
}catch (Throwable th){
throw new PbaException("Could not initialise", th);
}
}
}
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?