📄 authorizationmanager.java
字号:
/* JSPWiki - a JSP-based WikiWiki clone. Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */package com.ecyrd.jspwiki.auth;import java.io.File;import java.net.URL;import java.security.*;import java.security.cert.Certificate;import java.util.Map;import java.util.Properties;import java.util.WeakHashMap;import org.apache.log4j.Logger;import org.freshcookies.security.policy.LocalPolicy;import org.freshcookies.security.policy.PolicyException;import com.ecyrd.jspwiki.NoRequiredPropertyException;import com.ecyrd.jspwiki.WikiEngine;import com.ecyrd.jspwiki.WikiException;import com.ecyrd.jspwiki.WikiPage;import com.ecyrd.jspwiki.WikiSession;import com.ecyrd.jspwiki.auth.acl.Acl;import com.ecyrd.jspwiki.auth.acl.AclEntry;import com.ecyrd.jspwiki.auth.acl.UnresolvedPrincipal;import com.ecyrd.jspwiki.auth.authorize.Role;import com.ecyrd.jspwiki.auth.permissions.AllPermission;import com.ecyrd.jspwiki.auth.permissions.PagePermission;import com.ecyrd.jspwiki.auth.user.UserDatabase;import com.ecyrd.jspwiki.auth.user.UserProfile;import com.ecyrd.jspwiki.event.WikiEventListener;import com.ecyrd.jspwiki.event.WikiEventManager;import com.ecyrd.jspwiki.event.WikiSecurityEvent;import com.ecyrd.jspwiki.util.ClassUtil;/** * <p>Manages all access control and authorization; determines what authenticated * users are allowed to do.</p> * <p>Privileges in JSPWiki are expressed as Java-standard {@link java.security.Permission} * classes. There are two types of permissions:</p> * <ul> * <li>{@link com.ecyrd.jspwiki.auth.permissions.WikiPermission} - privileges that apply * to an entire wiki instance: <em>e.g.,</em> editing user profiles, creating pages, creating groups</li> * <li>{@link com.ecyrd.jspwiki.auth.permissions.PagePermission} - privileges that apply * to a single wiki page or range of pages: <em>e.g.,</em> reading, editing, renaming * </ul> * <p>Calling classes determine whether they are entitled to perform a particular action * by constructing the appropriate permission first, then passing it and the current * {@link com.ecyrd.jspwiki.WikiSession} to the * {@link #checkPermission(WikiSession, Permission)} method. If the session's * Subject possesses the permission, the action is allowed.</p> * <p>For WikiPermissions, the decision criteria is relatively simple: the caller either * possesses the permission, as granted by the wiki security policy -- or not.</p> * <p>For PagePermissions, the logic is exactly the same if the page being checked * does not have an access control list. However, if the page does have an ACL, the * authorization decision is made based the <em>union</em> of the permissions * granted in the ACL and in the security policy. In other words, the user must * be named in the ACL (or belong to a group or role that is named in the ACL) * <em>and</em> be granted (at least) the same permission in the security policy. We * do this to prevent a user from gaining more permissions than they already * have, based on the security policy.</p> * <p>See the {@link #checkPermission(WikiSession, Permission)} and * {@link #hasRoleOrPrincipal(WikiSession, Principal)} methods for more information * on the authorization logic.</p> * @author Andrew Jaquith * @since 2.3 * @see AuthenticationManager */public final class AuthorizationManager{ private static final Logger log = Logger.getLogger( AuthorizationManager.class ); /** * The default external Authorizer is the {@link com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer} */ public static final String DEFAULT_AUTHORIZER = "com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer"; /** Property that supplies the security policy file name, in WEB-INF. */ protected static final String POLICY = "jspwiki.policy.file"; /** Name of the default security policy file, in WEB-INF. */ protected static final String DEFAULT_POLICY = "jspwiki.policy"; /** * The property name in jspwiki.properties for specifying the external {@link Authorizer}. */ public static final String PROP_AUTHORIZER = "jspwiki.authorizer"; private Authorizer m_authorizer = null; /** Cache for storing ProtectionDomains used to evaluate the local policy. */ private Map<Principal, ProtectionDomain> m_cachedPds = new WeakHashMap<Principal, ProtectionDomain>(); private WikiEngine m_engine = null; private LocalPolicy m_localPolicy = null; private boolean m_useJAAS = true; /** * Constructs a new AuthorizationManager instance. */ public AuthorizationManager() { } /** * Returns <code>true</code> or <code>false</code>, depending on * whether a Permission is allowed for the Subject associated with * a supplied WikiSession. The access control algorithm works this way: * <ol> * <li>The {@link com.ecyrd.jspwiki.auth.acl.Acl} for the page is obtained</li> * <li>The Subject associated with the current * {@link com.ecyrd.jspwiki.WikiSession} is obtained</li> * <li>If the Subject's Principal set includes the Role Principal that is * the administrator group, always allow the Permission</li> * <li>For all permissions, check to see if the Permission is allowed according * to the default security policy. If it isn't, deny the permission and halt * further processing.</li> * <li>If there is an Acl, get the list of Principals assigned this * Permission in the Acl: these will be role, group or user Principals, or * {@link com.ecyrd.jspwiki.auth.acl.UnresolvedPrincipal}s (see below). * Then iterate through the Subject's Principal set and determine whether * the user (Subject) posesses any one of these specified Roles or * Principals. The matching process delegates to * {@link #hasRoleOrPrincipal(WikiSession, Principal)}. * </ol> * <p> * Note that when iterating through the Acl's list of authorized Principals, * it is possible that one or more of the Acl's Principal entries are of * type <code>UnresolvedPrincipal</code>. This means that the last time * the ACL was read, the Principal (user, built-in Role, authorizer Role, or * wiki Group) could not be resolved: the Role was not valid, the user * wasn't found in the UserDatabase, or the Group wasn't known to (e.g., * cached) in the GroupManager. If an <code>UnresolvedPrincipal</code> is * encountered, this method will attempt to resolve it first <em>before</em> * checking to see if the Subject possesses this principal, by calling * {@link #resolvePrincipal(String)}. If the (re-)resolution does not * succeed, the access check for the principal will fail by definition (the * Subject should never contain UnresolvedPrincipals). * </p> * <p> * If security not set to JAAS, will return true. * </p> * @param session the current wiki session * @param permission the Permission being checked * @see #hasRoleOrPrincipal(WikiSession, Principal) * @return the result of the Permission check */ public final boolean checkPermission( WikiSession session, Permission permission ) { if( !m_useJAAS ) { // // Nobody can login, if JAAS is turned off. // if( permission == null || "login".equals( permission.getActions() ) ) return false; return true; } // // A slight sanity check. // if ( session == null || permission == null ) { fireEvent( WikiSecurityEvent.ACCESS_DENIED, null, permission ); return false; } Principal user = session.getLoginPrincipal(); // Always allow the action if user has AllPermission Permission allPermission = new AllPermission( m_engine.getApplicationName() ); boolean hasAllPermission = checkStaticPermission( session, allPermission ); if ( hasAllPermission ) { fireEvent( WikiSecurityEvent.ACCESS_ALLOWED, user, permission ); return true; } // If the user doesn't have *at least* the permission // granted by policy, return false. boolean hasPolicyPermission = checkStaticPermission( session, permission ); if ( !hasPolicyPermission ) { fireEvent( WikiSecurityEvent.ACCESS_DENIED, user, permission ); return false; } // If this isn't a PagePermission, it's allowed if ( ! ( permission instanceof PagePermission ) ) { fireEvent( WikiSecurityEvent.ACCESS_ALLOWED, user, permission ); return true; } // // If the page or ACL is null, it's allowed. // String pageName = ((PagePermission)permission).getPage(); WikiPage page = m_engine.getPage( pageName ); Acl acl = ( page == null) ? null : m_engine.getAclManager().getPermissions( page ); if ( page == null || acl == null || acl.isEmpty() ) { fireEvent( WikiSecurityEvent.ACCESS_ALLOWED, user, permission ); return true; } // // Next, iterate through the Principal objects assigned // this permission. If the context's subject possesses // any of these, the action is allowed. Principal[] aclPrincipals = acl.findPrincipals( permission ); log.debug( "Checking ACL entries..." ); log.debug( "Acl for this page is: " + acl ); log.debug( "Checking for principal: " + String.valueOf( aclPrincipals ) ); log.debug( "Permission: " + permission ); for( Principal aclPrincipal : aclPrincipals ) { // If the ACL principal we're looking at is unresolved, // try to resolve it here & correct the Acl if ( aclPrincipal instanceof UnresolvedPrincipal ) { AclEntry aclEntry = acl.getEntry( aclPrincipal ); aclPrincipal = resolvePrincipal( aclPrincipal.getName() ); if ( aclEntry != null && !( aclPrincipal instanceof UnresolvedPrincipal ) ) { aclEntry.setPrincipal( aclPrincipal ); } } if ( hasRoleOrPrincipal( session, aclPrincipal ) ) { fireEvent( WikiSecurityEvent.ACCESS_ALLOWED, user, permission ); return true; } } fireEvent( WikiSecurityEvent.ACCESS_DENIED, user, permission ); return false; } /** * <p>Determines if the Subject associated with a * supplied WikiSession contains a desired Role or GroupPrincipal. * The algorithm simply checks to see if the Subject possesses * the Role or GroupPrincipal it in its Principal set. Note that * any user (anyonymous, asserted, authenticated) can possess * a built-in role. But a user <em>must</em> be authenticated to * possess a role other than one of the built-in ones. * We do this to prevent privilege escalation.</p> * <p>For all other cases, this method returns <code>false</code>.</p> * <p>Note that this method does <em>not</em> consult the external * Authorizer or GroupManager; it relies on the Principals that * have been injected into the user's Subject at login time, or * after group creation/modification/deletion.</p> * @param session the current wiki session, which must be non-null. If null, * the result of this method always returns <code>false</code> * @param principal the Principal (role or group principal) to look * for, which must be non-<cor>null</code>. If <code>null</code>, * the result of this method always returns <code>false</code> * @return <code>true</code> if the Subject supplied with the WikiContext * posesses the Role or GroupPrincipal, <code>false</code> otherwise */ public final boolean isUserInRole( WikiSession session, Principal principal ) { if ( session == null || principal == null || AuthenticationManager.isUserPrincipal( principal ) ) { return false; } // Any type of user can possess a built-in role if ( principal instanceof Role && Role.isBuiltInRole( (Role)principal ) ) { return session.hasPrincipal( principal ); } // Only authenticated users can posssess groups or custom roles if ( session.isAuthenticated() && AuthenticationManager.isRolePrincipal( principal ) ) { return session.hasPrincipal( principal ); } return false; } /** * Returns the current external {@link Authorizer} in use. This method * is guaranteed to return a properly-initialized Authorizer, unless * it could not be initialized. In that case, this method throws * a {@link com.ecyrd.jspwiki.auth.WikiSecurityException}. * @throws com.ecyrd.jspwiki.auth.WikiSecurityException if the Authorizer could * not be initialized * @return the current Authorizer */ public final Authorizer getAuthorizer() throws WikiSecurityException { if ( m_authorizer != null ) { return m_authorizer; } throw new WikiSecurityException( "Authorizer did not initialize properly. Check the logs." ); } /** * <p>Determines if the Subject associated with a supplied WikiSession contains * a desired user Principal or built-in Role principal, OR is a member a * Group or external Role. The rules are as follows:</p> * <ol> * <li>First, if desired Principal is a Role or GroupPrincipal, delegate to * {@link #isUserInRole(WikiSession, Principal)} and * return the result.</li> * <li>Otherwise, we're looking for a user Principal, * so iterate through the Principal set and see if * any share the same name as the one we are looking for.</li> * </ol> * <p><em>Note: if the Principal parameter is a user principal, the session * must be authenticated in order for the user to "possess it". Anonymous * or asserted sessions will never posseess a named user principal.</em></p> * @param session the current wiki session, which must be non-null. If null, * the result of this method always returns <code>false</code> * @param principal the Principal (role, group, or user principal) to look⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -