📄 securityverifier.java
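private final String printPermissionTest( Permission permission, Principal principal, int cols )
{
    // Renders one cell of the static-permission test table. The cell's title
    // attribute spells out the permission and principal that were tested; the
    // background (BG_GREEN / BG_RED) reports the verdict of
    // verifyStaticPermission(). A null permission yields a neutral "N/A" cell
    // spanning the same number of columns.
    StringBuilder s = new StringBuilder();
    if ( permission == null )
    {
        s.append( " <td colspan=\"" + cols + "\" align=\"center\" title=\"N/A\">" );
        s.append( " </td>\n" );
        return s.toString();
    }

    boolean allowed = verifyStaticPermission( principal, permission );
    s.append( " <td colspan=\"" + cols + "\" align=\"center\" title=\"" );
    s.append( allowed ? "ALLOW: " : "DENY: " );
    s.append( permission.getClass().getName() );
    // Quotes inside the title attribute are written as the &quot; entity: a
    // raw '"' would terminate the attribute early and spill the rest of the
    // description into the tag.
    s.append( " &quot;" );
    s.append( permission.getName() );
    s.append( "&quot;" );
    if ( permission.getName() != null )
    {
        // NOTE(review): the guard tests getName() but prints getActions();
        // presumably getActions() != null was intended -- confirm before
        // changing, as it alters the text rendered for unnamed permissions.
        s.append( ",&quot;" );
        s.append( permission.getActions() );
        s.append( "&quot;" );
    }
    s.append( " " );
    s.append( principal.getClass().getName() );
    s.append( " &quot;" );
    s.append( principal.getName() );
    s.append( "&quot;" );
    // NOTE(review): the permission and principal names are not HTML-escaped;
    // this is only acceptable while they originate from the wiki's own
    // security policy rather than from request input -- confirm at callers.
    s.append( "\"" );
    s.append( allowed ? BG_GREEN + ">" : BG_RED + ">" );
    s.append( " </td>\n" );
    return s.toString();
}

/**
 * Formats and returns an HTML table containing the roles the web container
 * is aware of, and whether each role maps to particular JSPs.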
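This method throws an {@link IllegalStateException} if the authorizer is not of type
 * {@link com.ecyrd.jspwiki.auth.authorize.WebContainerAuthorizer}.
 * <p>
 * A page is reported as open to anonymous users when the container places no
 * constraint on it for {@code Role.ALL}; for every other role the page is
 * reported as allowed when anonymous access is open or the container
 * constrains it to that role (as answered by
 * {@code WebContainerAuthorizer#isConstrained(String, Role)}).
 * @return the formatted HTML table containing the result of the tests
 * @throws WikiException if tests fail for unexpected reasons
 */
public final String containerRoleTable() throws WikiException
{
    AuthorizationManager authorizationManager = m_engine.getAuthorizationManager();
    Authorizer authorizer = authorizationManager.getAuthorizer();

    // The constraint queries used below exist only on WebContainerAuthorizer
    if ( !( authorizer instanceof WebContainerAuthorizer ) )
    {
        throw new IllegalStateException( "Authorizer should be WebContainerAuthorizer" );
    }
    WebContainerAuthorizer wca = (WebContainerAuthorizer) authorizer;
    Principal[] roles = authorizer.getRoles();

    // Header: one "Anonymous" column plus one column per container role
    StringBuilder s = new StringBuilder();
    s.append( "<table class=\"wikitable\" border=\"1\">\n" );
    s.append( "<thead>\n" );
    s.append( " <tr>\n" );
    s.append( " <th rowspan=\"2\">Action</th>\n" );
    s.append( " <th rowspan=\"2\">Page</th>\n" );
    // The parentheses are essential: "..." + roles.length + 1 is evaluated
    // left to right as string concatenation and yields e.g. colspan="31" for
    // three roles instead of "4".
    s.append( " <th colspan=\"" + ( roles.length + 1 ) + "\">Roles</th>\n" );
    s.append( " </tr>\n" );
    s.append( " <tr>\n" );
    s.append( " <th>Anonymous</th>\n" );
    for( Principal role : roles )
    {
        // NOTE(review): role names are written unescaped; they come from the
        // container's web.xml, not from request input -- confirm.
        s.append( " <th>" + role.getName() + "</th>\n" );
    }
    s.append( "</tr>\n" );
    s.append( "</thead>\n" );
    s.append( "<tbody>\n" );

    // Body: one row per (action, JSP) pair. CONTAINER_ACTIONS and
    // CONTAINER_JSPS are indexed together, so they are assumed to be parallel
    // arrays of equal length.
    try
    {
        for( int i = 0; i < CONTAINER_ACTIONS.length; i++ )
        {
            String action = CONTAINER_ACTIONS[i];
            String jsp = CONTAINER_JSPS[i];
            boolean allowsAnonymous = !wca.isConstrained( jsp, Role.ALL );
            s.append( " <tr>\n" );
            s.append( " <td>" + action + "</td>\n" );
            s.append( " <td>" + jsp + "</td>\n" );
            s.append( " <td title=\"" );
            s.append( allowsAnonymous ? "ALLOW: " : "DENY: " );
            s.append( jsp );
            s.append( " Anonymous" );
            s.append( "\"" );
            s.append( allowsAnonymous ? BG_GREEN + ">" : BG_RED + ">" );
            s.append( " </td>\n" );
            for( Principal role : roles )
            {
                boolean allowed = allowsAnonymous || wca.isConstrained( jsp, (Role) role );
                s.append( " <td title=\"" );
                s.append( allowed ? "ALLOW: " : "DENY: " );
                s.append( jsp );
                s.append( " " );
                s.append( role.getClass().getName() );
                // &quot; rather than a raw quote, which would end the attribute
                s.append( " &quot;" );
                s.append( role.getName() );
                s.append( "&quot;" );
                s.append( "\"" );
                s.append( allowed ? BG_GREEN + ">" : BG_RED + ">" );
                s.append( " </td>\n" );
            }
            s.append( " </tr>\n" );
        }
    }
    catch( JDOMException e )
    {
        // The constraints could not be evaluated: web.xml is unreadable or
        // malformed. The full trace goes to the log; the rethrown exception
        // carries only the message, so the log is where to look.
        LOG.error( "Malformed XML in web.xml", e );
        throw new InternalWikiException( e.getClass().getName() + ": " + e.getMessage() );
    }
    s.append( "</tbody>\n" );
    s.append( "</table>\n" );
    return s.toString();
}

/**
 * Returns <code>true</code> if the Java security policy is configured
 * correctly, and it verifies as valid.
 * @return the result of the configuration check
 */
public final boolean isSecurityPolicyConfigured()
{
    return m_isSecurityPolicyConfigured;
}

/**
 * If the active Authorizer is the WebContainerAuthorizer, returns the roles
 * it knows about; otherwise, a zero-length array.
 * @return the roles parsed from <code>web.xml</code>, or a zero-length array
 * @throws WikiException if the web authorizer cannot obtain the list of roles
 */
public final Principal[] webContainerRoles() throws WikiException
{
    Authorizer authorizer = m_engine.getAuthorizationManager().getAuthorizer();
    if ( authorizer instanceof WebContainerAuthorizer )
    {
        return ( (WebContainerAuthorizer) authorizer ).getRoles();
    }
    // Any other authorizer: report no container roles rather than null
    return new Principal[0];
}

/**
 * Verifies that the roles given in the security policy are reflected by the
 * container <code>web.xml</code> file.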
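* @throws WikiException if the web authorizer cannot verify the roles
 */
protected final void verifyPolicyAndContainerRoles() throws WikiException
{
    Authorizer authorizer = m_engine.getAuthorizationManager().getAuthorizer();
    Principal[] containerRoles = authorizer.getRoles();
    boolean missing = false;
    // Built-in roles need no web.xml entry; every other Role named in the
    // policy must also be declared by the container, otherwise it can never
    // be granted and the policy is silently ineffective for it.
    for( Principal principal : m_policyPrincipals )
    {
        if ( !( principal instanceof Role ) )
        {
            continue;
        }
        Role role = (Role) principal;
        boolean isContainerRole = ArrayUtils.contains( containerRoles, role );
        if ( !Role.isBuiltInRole( role ) && !isContainerRole )
        {
            m_session.addMessage( ERROR_ROLES, "Role '" + role.getName()
                + "' is defined in security policy but not in web.xml." );
            missing = true;
        }
    }
    if ( !missing )
    {
        m_session.addMessage( INFO_ROLES,
            "Every non-standard role defined in the security policy was also found in web.xml." );
    }
}

/**
 * Verifies that the group database was initialized properly, and that
 * user add and delete operations work as they should.
 * <p>
 * This check is not read-only: it saves a throw-away group named
 * {@code TestGroup<timestamp>} to the live group database and deletes it
 * again. If the delete step fails, that group is left behind and an error
 * message is recorded.
 */
protected final void verifyGroupDatabase()
{
    GroupManager mgr = m_engine.getGroupManager();
    GroupDatabase db = null;
    // Ask the manager we already hold for its database. Dereferencing
    // m_engine.getGroupManager() a second time would throw NPE when the
    // manager is null, before the "is null" diagnostics below could run.
    if ( mgr != null )
    {
        try
        {
            db = mgr.getGroupDatabase();
        }
        catch ( WikiSecurityException e )
        {
            m_session.addMessage( ERROR_GROUPS, "Could not retrieve GroupManager: " + e.getMessage() );
        }
    }

    // Check for obvious error conditions
    if ( mgr == null || db == null )
    {
        if ( mgr == null )
        {
            m_session.addMessage( ERROR_GROUPS, "GroupManager is null; JSPWiki could not "
                + "initialize it. Check the error logs." );
        }
        if ( db == null )
        {
            m_session.addMessage( ERROR_GROUPS, "GroupDatabase is null; JSPWiki could not "
                + "initialize it. Check the error logs." );
        }
        return;
    }

    // Everything initialized OK; tell the user what class of database this is
    m_session.addMessage( INFO_GROUPS, "GroupDatabase is of type '" + db.getClass().getName()
        + "'. It appears to be initialized properly." );

    // Baseline group count, used to detect whether save/delete took effect
    int oldGroupCount = 0;
    try
    {
        Group[] groups = db.groups();
        oldGroupCount = groups.length;
        m_session.addMessage( INFO_GROUPS, "The group database contains " + oldGroupCount + " groups." );
    }
    catch ( WikiSecurityException e )
    {
        m_session.addMessage( ERROR_GROUPS, "Could not obtain a list of current groups: " + e.getMessage() );
        return;
    }

    // Try adding a bogus group; the timestamp keeps the name from colliding
    // with a real group.
    String name = "TestGroup" + System.currentTimeMillis();
    Group group = null;
    try
    {
        group = mgr.parseGroup( name, "", true );
        Principal user = new WikiPrincipal( "TestUser" );
        group.add( user );
        db.save( group, new WikiPrincipal("SecurityVerifier") );
        // Make sure the group saved successfully
        if ( db.groups().length == oldGroupCount )
        {
            m_session.addMessage( ERROR_GROUPS, "Could not add a test group to the database." );
            return;
        }
        m_session.addMessage( INFO_GROUPS, "The group database allows new groups to be created, as it should." );
    }
    catch ( WikiSecurityException e )
    {
        m_session.addMessage( ERROR_GROUPS, "Could not add a group to the database: " + e.getMessage() );
        return;
    }

    // Now delete the group; the count should be back to the baseline
    try
    {
        db.delete( group );
        if ( db.groups().length != oldGroupCount )
        {
            m_session.addMessage( ERROR_GROUPS, "Could not delete a test group from the database." );
            return;
        }
        m_session.addMessage( INFO_GROUPS, "The group database allows groups to be deleted, as it should." );
    }
    catch ( WikiSecurityException e )
    {
        // The test group may still exist at this point; an administrator
        // will need to remove it by hand.
        m_session.addMessage( ERROR_GROUPS, "Could not delete a test group from the database: " + e.getMessage() );
        return;
    }
    m_session.addMessage( INFO_GROUPS, "The group database configuration looks fine." );
}

/**
 * Verifies the JAAS configuration. The configuration is valid if the value of the
 * <code>jspwiki.properties</code> property
 * {@value com.ecyrd.jspwiki.auth.AuthenticationManager#PROP_LOGIN_MODULE}
 * resolves to a valid class on the classpath.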
*/ protected final void verifyJaas() { // See if JAAS is on AuthorizationManager authMgr = m_engine.getAuthorizationManager(); if ( !authMgr.isJAASAuthorized() ) { m_session.addMessage( ERROR_JAAS, "JSPWiki's JAAS-based authentication " + "and authorization system is turned off (your jspwiki.properties file " + "contains the setting 'jspwiki.security = container'. This " + "setting disables authorization checks and is meant for testing " + "and troubleshooting only. The test results on this page will not " + "be reliable as a result. You should set this to 'jaas' " + "so that security works properly." ); } // Verify that the specified JAAS moduie corresponds to a class we can load successfully. String jaasClass = m_engine.getWikiProperties().getProperty( AuthenticationManager.PROP_LOGIN_MODULE );