Skip to content

Commit

Permalink
Merge pull request #34 from arjantijms/authorization_service
Browse files Browse the repository at this point in the history 
Update authorization service to always get policy from factory.
  • Loading branch information
@arjantijms
arjantijms committed Feb 7, 2024
2 parents 34b47b0 + 83307cf commit 08422a0
Showing 1 changed file with 43 additions and 19 deletions.
62 changes: 43 additions & 19 deletions impl/src/main/java/org/glassfish/exousia/AuthorizationService.java
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2023 Contributors to the Eclipse Foundation.
* Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation.
* Copyright (c) 2019, 2021 OmniFaces. All rights reserved.
*
* This program and the accompanying materials are made available under the
Expand Down Expand Up @@ -78,6 +78,7 @@ public class AuthorizationService {
* request.
*/
private final Policy policy;
private final PolicyFactory policyFactory;
private final PolicyConfigurationFactory factory;
private final PolicyConfiguration policyConfiguration;
private final Map<String, jakarta.security.jacc.PrincipalMapper> principalMapper = new ConcurrentHashMap<>();
Expand Down Expand Up @@ -110,19 +111,19 @@ public AuthorizationService(

public AuthorizationService(
Class<?> factoryClass, Class<? extends Policy> policyClass, String contextId,
Supplier<Subject> subjectSupplier, Supplier<PrincipalMapper> principalMapperSupplierr) {
Supplier<Subject> subjectSupplier, Supplier<PrincipalMapper> principalMapperSupplier) {

this(
installFactory(factoryClass), installPolicy(policyClass), contextId,
subjectSupplier, principalMapperSupplierr);
subjectSupplier, principalMapperSupplier);
}

public AuthorizationService(
String contextId,
Supplier<Subject> subjectSupplier, Supplier<PrincipalMapper> principalMapperSupplier) {

this(
getConfigurationFactory(), getPolicy(), contextId,
getConfigurationFactory(), null, contextId,
subjectSupplier, principalMapperSupplier);
}

Expand All @@ -134,7 +135,7 @@ public AuthorizationService(
this.policyConfiguration = factory.getPolicyConfiguration(contextId, false);
this.policy = policy;
this.contextId = contextId;

this.policyFactory = PolicyFactory.getPolicyFactory();

// Sets the context Id (aka application Id), which may be used by authorization modules to get the right
// authorization config
Expand Down Expand Up @@ -263,7 +264,7 @@ public void removeStatementsFromPolicy(Set<String> declaredRoles) {
// Refresh policy if the context was in service
if (inService) {
// TODO: is this needed? refresh seems to do no nothing
policy.refresh();
getPolicy().refresh();
}
} catch (PolicyContextException e) {
throw new IllegalStateException(e);
Expand Down Expand Up @@ -347,7 +348,7 @@ public void commitPolicy() {
logger.log(FINE, () -> "Jakarta Authorization: committed policy for context: " + contextId);
}

policy.refresh();
getPolicy().refresh();
} catch (PolicyContextException pce) {
throw new IllegalStateException(pce);
}
Expand Down Expand Up @@ -376,7 +377,7 @@ public void refresh() {
// Refresh policy if the context was in service
try {
if (factory.inService(contextId)) {
policy.refresh();
getPolicy().refresh();
}
} catch (PolicyContextException e) {
throw new IllegalStateException(e);
Expand Down Expand Up @@ -418,16 +419,24 @@ public boolean checkPublicWebResourcePermission(HttpServletRequest request) {

public boolean checkWebResourcePermission(HttpServletRequest request) {
try {
Subject subject = (Subject) PolicyContext.getContext(SUBJECT);
Subject subject = PolicyContext.getContext(SUBJECT);

return checkWebResourcePermission(
request,
subject == null? null : subject.getPrincipals());
subject);
} catch (PolicyContextException e) {
throw new IllegalStateException(e);
}
}

public boolean checkWebResourcePermission(HttpServletRequest request, Subject subject) {
return checkPermission(
new WebResourcePermission(
getConstrainedURI(request),
request.getMethod()),
subject);
}

public boolean checkWebResourcePermission(HttpServletRequest request, Set<Principal> principals) {
return checkPermission(
new WebResourcePermission(
Expand All @@ -438,17 +447,23 @@ public boolean checkWebResourcePermission(HttpServletRequest request, Set<Princi

public boolean checkWebRoleRefPermission(String servletName, String role) {
try {
Subject subject = (Subject) PolicyContext.getContext(SUBJECT);
Subject subject = PolicyContext.getContext(SUBJECT);

return checkWebRoleRefPermission(
servletName,
role,
subject == null? null : subject.getPrincipals());
subject);
} catch (PolicyContextException e) {
throw new IllegalStateException(e);
}
}

public boolean checkWebRoleRefPermission(String servletName, String role, Subject subject) {
return checkPermission(
new WebRoleRefPermission(servletName, role),
subject);
}

public boolean checkWebRoleRefPermission(String servletName, String role, Set<Principal> principals) {
return checkPermission(
new WebRoleRefPermission(servletName, role),
Expand Down Expand Up @@ -500,7 +515,7 @@ public void deletePolicy() {

// Only do refresh policy if the deleted context was in service
if (wasInService) {
policy.refresh();
getPolicy().refresh();
}

} catch (PolicyContextException pce) {
Expand Down Expand Up @@ -529,19 +544,23 @@ public static void deletePolicy(String contextId) {


boolean checkPermission(Permission permissionToBeChecked) {
return policy.implies(permissionToBeChecked);
return getPolicy().implies(permissionToBeChecked);
}

boolean checkPermission(Permission permissionToBeChecked, Subject subject) {
return getPolicy().implies(permissionToBeChecked, subject != null? subject : new Subject());
}

boolean checkPermission(Permission permissionToBeChecked, Set<Principal> principals) {
return policy.implies(permissionToBeChecked, principals != null? principals : emptySet());
return getPolicy().implies(permissionToBeChecked, principals != null? principals : emptySet());
}

boolean checkPermissionScoped(Permission permissionToBeChecked, Set<Principal> principals) {
String oldContextId = null;
try {
oldContextId = setThreadContextId(contextId);

return policy.implies(permissionToBeChecked, principals);
return getPolicy().implies(permissionToBeChecked, principals);
} catch (Throwable t) {
logger.log(SEVERE, "jacc_is_caller_in_role_exception", t);
} finally {
Expand Down Expand Up @@ -574,7 +593,7 @@ private static Policy installPolicy(Class<? extends Policy> policyClass) {
try {
PolicyFactory.getPolicyFactory().setPolicy(policyClass.getConstructor().newInstance());

return getPolicy();
return PolicyFactory.getPolicyFactory().getPolicy();
} catch (ReflectiveOperationException | IllegalArgumentException | SecurityException e) {
throw new IllegalStateException(e);
}
Expand All @@ -588,8 +607,13 @@ private static PolicyConfigurationFactory getConfigurationFactory() {
}
}

private static Policy getPolicy() {
return PolicyFactory.getPolicyFactory().getPolicy();
private Policy getPolicy() {
if (policy != null) {
return policy;
}

// (or obtain once and cache?)
return policyFactory.getPolicy(contextId);
}

private String getConstrainedURI(HttpServletRequest request) {
Expand Down

0 comments on commit 08422a0

Please sign in to comment.