001    /**
002     *  Licensed to the Apache Software Foundation (ASF) under one or more
003     *  contributor license agreements.  See the NOTICE file distributed with
004     *  this work for additional information regarding copyright ownership.
005     *  The ASF licenses this file to You under the Apache License, Version 2.0
006     *  (the "License"); you may not use this file except in compliance with
007     *  the License.  You may obtain a copy of the License at
008     *
009     *     http://www.apache.org/licenses/LICENSE-2.0
010     *
011     *  Unless required by applicable law or agreed to in writing, software
012     *  distributed under the License is distributed on an "AS IS" BASIS,
013     *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014     *  See the License for the specific language governing permissions and
015     *  limitations under the License.
016     */
017    package org.apache.geronimo.security.jacc;
018    
019    import java.security.Permission;
020    import java.security.PermissionCollection;
021    import java.security.Policy;
022    import java.util.Enumeration;
023    import java.util.HashMap;
024    import java.util.Map;
025    
026    import javax.security.auth.Subject;
027    import javax.security.auth.login.LoginException;
028    import javax.security.jacc.PolicyConfiguration;
029    import javax.security.jacc.PolicyConfigurationFactory;
030    import javax.security.jacc.PolicyContextException;
031    
032    import org.apache.geronimo.gbean.GBeanInfo;
033    import org.apache.geronimo.gbean.GBeanInfoBuilder;
034    import org.apache.geronimo.gbean.GBeanLifecycle;
035    import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
036    import org.apache.geronimo.security.ContextManager;
037    import org.apache.geronimo.security.IdentificationPrincipal;
038    import org.apache.geronimo.security.SubjectId;
039    import org.apache.geronimo.security.credentialstore.CredentialStore;
040    import org.apache.geronimo.security.deploy.SubjectInfo;
041    
042    /**
043     * @version $Rev: 547163 $ $Date: 2007-06-14 04:06:30 -0400 (Thu, 14 Jun 2007) $
044     */
045    public class ApplicationPolicyConfigurationManager implements GBeanLifecycle, RunAsSource {
046    
047        private final Map<String, PolicyConfiguration> contextIdToPolicyConfigurationMap = new HashMap<String, PolicyConfiguration>();
048        private final Map<String, Subject> roleDesignates = new HashMap<String, Subject>();
049        private final Subject defaultSubject;
050        private final PrincipalRoleMapper principalRoleMapper;
051    
052        public ApplicationPolicyConfigurationManager(Map<String, ComponentPermissions> contextIdToPermissionsMap, SubjectInfo defaultSubjectInfo, Map<String, SubjectInfo> roleDesignates, ClassLoader cl, CredentialStore credentialStore, PrincipalRoleMapper principalRoleMapper) throws PolicyContextException, ClassNotFoundException, LoginException {
053            if (credentialStore == null && (!roleDesignates.isEmpty() || defaultSubjectInfo != null)) {
054                throw new NullPointerException("No CredentialStore supplied to resolve default and run-as subjects");
055            }
056            this.principalRoleMapper = principalRoleMapper;
057            Thread currentThread = Thread.currentThread();
058            ClassLoader oldClassLoader = currentThread.getContextClassLoader();
059            currentThread.setContextClassLoader(cl);
060            PolicyConfigurationFactory policyConfigurationFactory;
061            try {
062                policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
063            } finally {
064                currentThread.setContextClassLoader(oldClassLoader);
065            }
066    
067            for (Map.Entry<String, ComponentPermissions> entry : contextIdToPermissionsMap.entrySet()) {
068                String contextID = entry.getKey();
069                ComponentPermissions componentPermissions = entry.getValue();
070    
071                PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextID, true);
072                contextIdToPolicyConfigurationMap.put(contextID, policyConfiguration);
073                policyConfiguration.addToExcludedPolicy(componentPermissions.getExcludedPermissions());
074                policyConfiguration.addToUncheckedPolicy(componentPermissions.getUncheckedPermissions());
075                for (Map.Entry<String, PermissionCollection> roleEntry : componentPermissions.getRolePermissions().entrySet()) {
076                    String roleName = roleEntry.getKey();
077                    PermissionCollection rolePermissions = roleEntry.getValue();
078                    for (Enumeration permissions = rolePermissions.elements(); permissions.hasMoreElements();) {
079                        Permission permission = (Permission) permissions.nextElement();
080                        policyConfiguration.addToRole(roleName, permission);
081    
082                    }
083                }
084            }
085    
086            if (principalRoleMapper != null) {
087                principalRoleMapper.install(contextIdToPermissionsMap.keySet());
088            }
089    
090            //link everything together
091            for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
092                for (PolicyConfiguration policyConfiguration2 : contextIdToPolicyConfigurationMap.values()) {
093                    if (policyConfiguration != policyConfiguration2) {
094                        policyConfiguration.linkConfiguration(policyConfiguration2);
095                    }
096                }
097            }
098    
099            //commit
100            for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
101                policyConfiguration.commit();
102            }
103    
104            //refresh policy
105            Policy policy = Policy.getPolicy();
106            policy.refresh();
107    
108            if (defaultSubjectInfo == null) {
109                defaultSubject = ContextManager.EMPTY;
110            } else {
111                defaultSubject = credentialStore.getSubject(defaultSubjectInfo.getRealm(), defaultSubjectInfo.getId());
112                registerSubject(defaultSubject);
113            }
114    
115            for (Map.Entry<String, SubjectInfo> entry : roleDesignates.entrySet()) {
116                String role = entry.getKey();
117                SubjectInfo subjectInfo = entry.getValue();
118                if (subjectInfo == null || credentialStore == null) {
119                    throw new NullPointerException("No subjectInfo for role " + role);
120                }
121                Subject roleDesignate = credentialStore.getSubject(subjectInfo.getRealm(), subjectInfo.getId());
122                registerSubject(roleDesignate);
123                this.roleDesignates.put(role, roleDesignate);
124            }
125        }
126    
127        private void registerSubject(Subject subject) {
128            ContextManager.registerSubject(subject);
129            SubjectId id = ContextManager.getSubjectId(subject);
130            subject.getPrincipals().add(new IdentificationPrincipal(id));
131        }
132    
133        public Subject getDefaultSubject() {
134            return defaultSubject;
135        }
136    
137        public Subject getSubjectForRole(String role) {
138            return roleDesignates.get(role);
139        }
140    
141        public void doStart() throws Exception {
142    
143        }
144    
145        public void doStop() throws Exception {
146            for (Map.Entry<String, Subject> entry : roleDesignates.entrySet()) {
147                Subject roleDesignate = entry.getValue();
148                ContextManager.unregisterSubject(roleDesignate);
149            }
150            if (defaultSubject != ContextManager.EMPTY) {
151                ContextManager.unregisterSubject(defaultSubject);
152            }
153    
154            if (principalRoleMapper != null) {
155                principalRoleMapper.uninstall();
156            }
157    
158            for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
159                policyConfiguration.delete();
160            }
161        }
162    
163        public void doFail() {
164    
165        }
166    
167        public static final GBeanInfo GBEAN_INFO;
168    
169        static {
170            GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(ApplicationPolicyConfigurationManager.class, NameFactory.JACC_MANAGER);
171            infoBuilder.addAttribute("contextIdToPermissionsMap", Map.class, true);
172            infoBuilder.addAttribute("defaultSubjectInfo", SubjectInfo.class, true);
173            infoBuilder.addAttribute("roleDesignates", Map.class, true);
174            infoBuilder.addAttribute("classLoader", ClassLoader.class, false);
175            infoBuilder.addReference("CredentialStore", CredentialStore.class, NameFactory.GERONIMO_SERVICE);
176            infoBuilder.addReference("PrincipalRoleMapper", PrincipalRoleMapper.class, NameFactory.JACC_MANAGER);
177            infoBuilder.setConstructor(new String[] {"contextIdToPermissionsMap", "defaultSubjectInfo", "roleDesignates", "classLoader", "CredentialStore", "PrincipalRoleMapper"});
178            GBEAN_INFO = infoBuilder.getBeanInfo();
179        }
180    
181        public static GBeanInfo getGBeanInfo() {
182            return GBEAN_INFO;
183        }
184    }