Update Jakarta Authorization 3.0 implementation #29832

Merged
merged 1 commit into from
Oct 16, 2024
Expand Up @@ -147,7 +147,7 @@ public Boolean run() throws javax.security.jacc.PolicyContextException {
PolicyContext.setHandlerData(handlerObjects);
if (tc.isDebugEnabled())
Tr.debug(tc, "Calling JACC implies. subject : " + subject);
return policyProxy.implies(subject, permission);
return policyProxy.implies(contextId, subject, permission);
}
});
return result.booleanValue();
Expand Up @@ -74,7 +74,7 @@ public Boolean run() throws javax.security.jacc.PolicyContextException {
PolicyContext.setHandlerData(handlerObjects);
if (tc.isDebugEnabled())
Tr.debug(tc, "Calling JACC implies");
return Boolean.valueOf(policyProxy.implies(null, wudp));
return Boolean.valueOf(policyProxy.implies(contextId, null, wudp));
}
});

Expand Down Expand Up @@ -145,7 +145,7 @@ public Boolean run() throws javax.security.jacc.PolicyContextException {
PolicyContext.setHandlerData(handlerObjects);
if (tc.isDebugEnabled())
Tr.debug(tc, "Calling JACC implies. Subject : " + subject);
return policyProxy.implies(subject, permission);
return policyProxy.implies(contextId, subject, permission);
}
});
return result.booleanValue();
Expand Up @@ -22,5 +22,5 @@ public interface PolicyProxy {

public void setPolicy();

public boolean implies(Subject subject, Permission permission);
public boolean implies(String contextId, Subject subject, Permission permission);
}
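Review bot: The new `implies(String contextId, Subject subject, Permission permission)` signature at L72 carries no Javadoc, so implementors and callers have no stated contract for contextId — whether null is accepted and what the result is when no policy is registered for that context. The two implementations in this PR appear to differ: the Jakarta factory proxy returns false when the factory or the policy for contextId is missing, while the other implementation does not visibly use the parameter. Suggested Javadoc on L72: `/** Evaluates {@code permission} for {@code subject} against the policy bound to {@code contextId}. Returns false (deny) when no policy is available for that context. */`, adjusted to whichever behaviour the interface actually requires.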
Expand Up @@ -46,7 +46,7 @@ public void setPolicy() {
}

@Override
public boolean implies(Subject subject, Permission permission) {
public boolean implies(String contextId, Subject subject, Permission permission) {
ProtectionDomain pd = null;
if (subject != null && subject.getPrincipals().size() > 0) {
Principal[] principalArray = subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()]);
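Review bot: The contextId parameter added at L80 is not referenced anywhere in the visible part of this implies body, which still builds a ProtectionDomain from the subject's principals; the method continues past the hunk, so it may be consulted further down. If it is not, add a comment on the signature such as `// contextId is accepted for PolicyProxy compatibility but not used; this implementation resolves the context itself` so callers do not assume the argument selects the policy being consulted. Without that, a caller passing an explicit contextId gets a decision for whatever context this implementation resolves, with no indication of the mismatch.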
Expand Up @@ -10,18 +10,18 @@

package com.ibm.wsspi.security.authorization.jacc;

import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyFactory;

public interface ProviderService {

/**
* Returns the instance representing the provider-specific implementation
* of the jakarta.security.jacc.Policy abstract class.
* of the jakarta.security.jacc.PolicyFactory abstract class.
*
* @return An instance which implements Policy class.
* @return An instance which implements the PolicyFactory class.
*/
public Policy getPolicy();
public PolicyFactory getPolicyFactory();

/**
* Returns the instance representing the provider-specific implementation
Expand Up @@ -10,34 +10,38 @@
package io.openliberty.security.authorization.jacc.internal.proxy;

import java.security.Permission;
import java.security.PermissionCollection;

import javax.security.auth.Subject;

import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;

import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyFactory;

public class JakartaPolicyProxyImpl implements PolicyProxy {
public class JakartaPolicyFactoryProxyImpl implements PolicyProxy {

private final Policy policy;

JakartaPolicyProxyImpl(Policy p) {
policy = p;
JakartaPolicyFactoryProxyImpl(PolicyFactory policyFactory) {
PolicyFactory.setPolicyFactory(policyFactory);
}

@Override
public void refresh() {
policy.refresh();
}

@Override
public void setPolicy() {
}

@Override
public boolean implies(Subject subject, Permission permission) {
PermissionCollection permCollection = policy.getPermissionCollection(subject);
return permCollection.implies(permission);
public boolean implies(String contextId, Subject subject, Permission permission) {
PolicyFactory policyFactory = PolicyFactory.getPolicyFactory();
if (policyFactory == null) {
return false;
}
Policy policy = policyFactory.getPolicy(contextId);
if (policy == null) {
return false;
}
return policy.implies(permission, subject);
}
}
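Review bot: The constructor at L131-L132 installs its argument as the process-wide factory via `PolicyFactory.setPolicyFactory(policyFactory)` and keeps no reference of its own, so every `implies` call (L149) reads the global back. Since getPolicyProxy() in ProviderServiceProxyImpl constructs a new instance on each call (`new JakartaPolicyFactoryProxyImpl(policyFactory)` at L189), each call re-sets the JVM-wide factory; that is harmless while the same provider is bound, but the side effect belongs in the constructor's documentation, e.g. `/** Installs {@code policyFactory} as the process-wide {@link PolicyFactory}; not cached here because {@link #implies} reads it back via {@link PolicyFactory#getPolicyFactory()}. */`. The null checks at L150-L156 fail closed, which is the right default and is worth a one-line comment saying so. The hunk counts (34 old, 38 new) imply ten removed lines but only seven are obviously removals, so the `private final Policy policy` field at L127 may be among them — if so, `policy.refresh()` at L137 would not compile; worth confirming against the actual diff.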
Expand Up @@ -23,19 +23,15 @@
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.security.authorization.jacc.ProviderService;

import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyFactory;

@Component(service = ProviderServiceProxy.class, immediate = true, name = "io.openliberty.security.authorization.jacc.provider.proxy",
configurationPolicy = ConfigurationPolicy.IGNORE, property = { "service.vendor=IBM" })
public class ProviderServiceProxyImpl implements ProviderServiceProxy {

private static final TraceComponent tc = Tr.register(ProviderServiceProxyImpl.class);

private static final String JACC_FACTORY = "javax.security.jacc.PolicyConfigurationFactory.provider";
private static final String JACC_FACTORY_EE9 = "jakarta.security.jacc.PolicyConfigurationFactory.provider";
private static final String JACC_POLICY_PROVIDER = "javax.security.jacc.policy.provider";
private static final String JACC_POLICY_PROVIDER_EE9 = "jakarta.security.jacc.policy.provider";
static final String KEY_JACC_PROVIDER_SERVICE = "jaccProviderService";
private final AtomicServiceReference<ProviderService> jaccProviderService = new AtomicServiceReference<ProviderService>(KEY_JACC_PROVIDER_SERVICE);

Expand All @@ -62,8 +58,8 @@ public PolicyProxy getPolicyProxy() {
if (providerService == null) {
return null;
}
Policy policy = providerService.getPolicy();
return policy == null ? null : new JakartaPolicyProxyImpl(policy);
PolicyFactory policyFactory = providerService.getPolicyFactory();
return policyFactory == null ? null : new JakartaPolicyFactoryProxyImpl(policyFactory);
}

@Override
Expand Down Expand Up @@ -97,50 +93,31 @@ protected void deactivate(ComponentContext cc) {
}

private void initializeSystemProperties(ServiceReference<ProviderService> reference) {
Object obj = reference.getProperty(JACC_POLICY_PROVIDER);
Object obj = reference.getProperty(PolicyFactory.FACTORY_NAME);
if (obj != null && obj instanceof String) {
policyName = (String) obj;
}
if (policyName == null) {
obj = reference.getProperty(JACC_POLICY_PROVIDER_EE9);
if (obj != null && obj instanceof String) {
policyName = (String) obj;
}
}

obj = reference.getProperty(JACC_FACTORY);
obj = reference.getProperty(PolicyConfigurationFactory.FACTORY_NAME);
if (obj != null && obj instanceof String) {
factoryName = (String) obj;
}
if (factoryName == null) {
obj = reference.getProperty(JACC_FACTORY_EE9);
if (obj != null && obj instanceof String) {
factoryName = (String) obj;
}
}
if (tc.isDebugEnabled())
Tr.debug(tc, "Meta data : policyName : " + policyName + " factoryName : " + factoryName);

originalSystemPolicyName = null;
originalSystemFactoryName = null;

String systemPolicyName = System.getProperty(JACC_POLICY_PROVIDER);
if (systemPolicyName == null) {
systemPolicyName = System.getProperty(JACC_POLICY_PROVIDER_EE9);
}
String systemPolicyName = System.getProperty(PolicyFactory.FACTORY_NAME);

String systemFactoryName = System.getProperty(JACC_FACTORY);
if (systemFactoryName == null) {
systemFactoryName = System.getProperty(JACC_FACTORY_EE9);
}
String systemFactoryName = System.getProperty(PolicyConfigurationFactory.FACTORY_NAME);

if (tc.isDebugEnabled()) {
Tr.debug(tc, "System properties : policyName : " + systemPolicyName + " factoryName : " + systemFactoryName);
}
if (systemPolicyName == null) {
if (policyName != null) {
System.setProperty(JACC_POLICY_PROVIDER, policyName);
System.setProperty(JACC_POLICY_PROVIDER_EE9, policyName);
System.setProperty(PolicyFactory.FACTORY_NAME, policyName);
} else if (policyName == null) {
Tr.error(tc, "JACC_POLICY_IS_NOT_SET");
return;
Expand All @@ -150,15 +127,13 @@ private void initializeSystemProperties(ServiceReference<ProviderService> refere
policyName = systemPolicyName;
} else if (!systemPolicyName.equals(policyName)) {
Tr.warning(tc, "JACC_INCONSISTENT_POLICY_CLASS", new Object[] { systemPolicyName, policyName });
System.setProperty(JACC_POLICY_PROVIDER, policyName);
System.setProperty(JACC_POLICY_PROVIDER_EE9, policyName);
System.setProperty(PolicyFactory.FACTORY_NAME, policyName);
originalSystemPolicyName = systemPolicyName;
}
}
if (systemFactoryName == null) {
if (factoryName != null) {
System.setProperty(JACC_FACTORY, factoryName);
System.setProperty(JACC_FACTORY_EE9, factoryName);
System.setProperty(PolicyConfigurationFactory.FACTORY_NAME, factoryName);
} else if (factoryName == null) {
Tr.error(tc, "JACC_FACTORY_IS_NOT_SET");
return;
Expand All @@ -168,24 +143,21 @@ private void initializeSystemProperties(ServiceReference<ProviderService> refere
factoryName = systemFactoryName;
} else if (!systemFactoryName.equals(factoryName)) {
Tr.warning(tc, "JACC_INCONSISTENT_FACTORY_CLASS", new Object[] { systemFactoryName, factoryName });
System.setProperty(JACC_FACTORY, factoryName);
System.setProperty(JACC_FACTORY_EE9, factoryName);
System.setProperty(PolicyConfigurationFactory.FACTORY_NAME, factoryName);
originalSystemFactoryName = systemFactoryName;
}
}
}

private void restoreSystemProperties() {
if (originalSystemPolicyName != null) {
System.setProperty(JACC_POLICY_PROVIDER, originalSystemPolicyName);
System.setProperty(JACC_POLICY_PROVIDER_EE9, originalSystemPolicyName);
System.setProperty(PolicyFactory.FACTORY_NAME, originalSystemPolicyName);
if (tc.isDebugEnabled()) {
Tr.debug(tc, "PolicyName system property is restored by : " + originalSystemPolicyName);
}
}
if (originalSystemFactoryName != null) {
System.setProperty(JACC_FACTORY, originalSystemFactoryName);
System.setProperty(JACC_FACTORY_EE9, originalSystemFactoryName);
System.setProperty(PolicyConfigurationFactory.FACTORY_NAME, originalSystemFactoryName);
if (tc.isDebugEnabled()) {
Tr.debug(tc, "PolicyName system property is restored by : " + originalSystemFactoryName);
}
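Review bot: The property reads at L198-L201 and L210-L213 keep the redundant `obj != null && obj instanceof String` guard followed by a cast; `instanceof` is already false for null, and if this module compiles at Java 16 or later a pattern match is clearer: `if (reference.getProperty(PolicyFactory.FACTORY_NAME) instanceof String s) { policyName = s; }`. Separately, the fallback to the former property names (the JACC_POLICY_PROVIDER_EE9 and JACC_FACTORY_EE9 constants removed at L176 and L178) is gone, so a provider or server configuration that still supplies the older property is no longer recognised and surfaces only as the JACC_POLICY_IS_NOT_SET / JACC_FACTORY_IS_NOT_SET errors at L247 and L265. Since these properties decide which class is loaded as the authorization provider, a one-time warning naming the expected PolicyFactory.FACTORY_NAME and PolicyConfigurationFactory.FACTORY_NAME keys when the legacy ones are present would make the migration diagnosable.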
Expand Up @@ -6,9 +6,6 @@
* http://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* IBM Corporation - initial API and implementation
*******************************************************************************/

package com.ibm.ws.security.authorization.jacc.provider;
Expand All @@ -28,7 +25,6 @@
import jakarta.security.jacc.EJBMethodPermission;
import jakarta.security.jacc.EJBRoleRefPermission;
import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;
import jakarta.security.jacc.WebResourcePermission;
import jakarta.security.jacc.WebRoleRefPermission;
Expand All @@ -37,6 +33,7 @@
public class JaccPolicyProxy implements Policy {
private JaccProvider jaccProvider = null;
private static final TraceComponent tc = Tr.register(JaccPolicyProxy.class);
private final String contextID;

static {
/**
Expand Down Expand Up @@ -64,8 +61,63 @@ public class JaccPolicyProxy implements Policy {
c.getName(); // Use c to prevent compile warnings
}

// This is called during startup - only one thread is active
public JaccPolicyProxy() {
public JaccPolicyProxy(String contextId) {
this.contextID = contextId;
}

@Override
public boolean impliesByRole(Permission p, Subject subject) {
if (p instanceof WebResourcePermission) {
Set<Principal> principals = subject == null ? null : subject.getPrincipals();
if (principals != null && principals.size() > 0) {
WSPolicyConfigurationImpl pc = getPolicyConfiguration();
if (pc != null) {
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the role list");
return jaccProvider.checkRolePerm(pc, p, contextID);
}
}
} else if (p instanceof WebRoleRefPermission || p instanceof EJBRoleRefPermission || p instanceof EJBMethodPermission) {
WSPolicyConfigurationImpl pc = getPolicyConfiguration();
if (pc != null) {
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the role list");
return jaccProvider.checkRolePerm(pc, p, contextID);
}
}
return false;
}

@Override
public boolean isExcluded(Permission p) {
if (p instanceof WebResourcePermission || p instanceof WebUserDataPermission || p instanceof EJBMethodPermission) {
WSPolicyConfigurationImpl pc = getPolicyConfiguration();
if (pc != null) {
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the excluded list");

return jaccProvider.checkExcludedPerm(pc, p);
}
}
return false;
}

@Override
public boolean isUnchecked(Permission p) {
if (p instanceof WebResourcePermission || p instanceof WebUserDataPermission || p instanceof EJBMethodPermission) {
WSPolicyConfigurationImpl pc = getPolicyConfiguration();
if (pc != null) {
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the unchecked list");
if (jaccProvider.checkUncheckedPerm(pc, p)) {
return true;
}
if (p instanceof WebResourcePermission) {
return jaccProvider.isEveryoneGranted(pc, p, contextID);
}
}
}
return false;
}

@Override
Expand All @@ -74,7 +126,6 @@ public void refresh() {

private WSPolicyConfigurationImpl getPolicyConfiguration() {
//get contextID;
String contextID = PolicyContext.getContextID();
WSPolicyConfigurationImpl pc = null;
pc = AllPolicyConfigs.getInstance().getPolicyConfig(contextID);

Expand Down Expand Up @@ -143,7 +194,7 @@ public boolean implies(Permission p) {
if (jaccProvider.checkUncheckedPerm(pc, p)) {
return true;
} else {
return jaccProvider.isEveryoneGranted(pc, p, PolicyContext.getContextID());
return jaccProvider.isEveryoneGranted(pc, p, contextID);
}
} else {
if (tc.isDebugEnabled())
Expand All @@ -153,7 +204,7 @@ public boolean implies(Permission p) {
} else {
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the role list");
return jaccProvider.checkRolePerm(pc, p, PolicyContext.getContextID());
return jaccProvider.checkRolePerm(pc, p, contextID);
}
}
} else if (p instanceof WebUserDataPermission) {
Expand All @@ -177,7 +228,7 @@ public boolean implies(Permission p) {
}
if (tc.isDebugEnabled())
Tr.debug(tc, "Checking the role list");
return jaccProvider.checkRolePerm(pc, p, PolicyContext.getContextID());
return jaccProvider.checkRolePerm(pc, p, contextID);
} else if (p instanceof EJBMethodPermission) {
WSPolicyConfigurationImpl pc = getPolicyConfiguration();
if (pc == null) {
Expand All @@ -193,7 +244,7 @@ public boolean implies(Permission p) {
if (jaccProvider.checkUncheckedPerm(pc, p)) {
return true;
} else {
return jaccProvider.checkRolePerm(pc, p, PolicyContext.getContextID());
return jaccProvider.checkRolePerm(pc, p, contextID);
}
}
}
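Review bot: The two branches of the new `impliesByRole` at L338-L343 and L346-L351 are the same five lines (fetch the policy configuration, trace, delegate to checkRolePerm); a private helper removes the duplication and gives one place to state that a missing configuration denies. None of the three new overrides (impliesByRole, isExcluded, isUnchecked) carries a comment saying that `return false` on a null `WSPolicyConfigurationImpl` is the intended fail-closed result for a context with no registered policy, which is the property a reviewer will look for here. The comment `// This is called during startup - only one thread is active` at L327 sits above the constructor that now takes a contextId; if it survives the change, confirm it is still accurate, since a per-context constructor is presumably invoked whenever a policy is created for a module rather than once at startup. `jaccProvider` is null-initialised at L317 and the new methods dereference it right after getPolicyConfiguration(); I assume that method assigns it (its body continues outside the hunk) — worth confirming.
```java
@Override
public boolean impliesByRole(Permission p, Subject subject) {
    if (p instanceof WebResourcePermission) {
        Set<Principal> principals = subject == null ? null : subject.getPrincipals();
        return principals != null && principals.size() > 0 && checkRole(p);
    }
    if (p instanceof WebRoleRefPermission || p instanceof EJBRoleRefPermission || p instanceof EJBMethodPermission) {
        return checkRole(p);
    }
    return false;
}

// Denies (returns false) when no PolicyConfiguration is bound to contextID.
private boolean checkRole(Permission p) {
    WSPolicyConfigurationImpl pc = getPolicyConfiguration();
    if (pc == null) {
        return false;
    }
    if (tc.isDebugEnabled())
        Tr.debug(tc, "Checking the role list");
    return jaccProvider.checkRolePerm(pc, p, contextID);
}
// … unchanged: isExcluded, isUnchecked, refresh, getPolicyConfiguration, implies …
```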