Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support API M2 and fix warnings #38

Merged
merged 1 commit into from Mar 18, 2024
Merged

Support API M2 and fix warnings #38

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
16 changes: 8 additions & 8 deletions impl/pom.xml
View file
Open in desktop
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--

Copyright (c) 2021, 2023 Contributors to Eclipse Foundation.
Copyright (c) 2021, 2024 Contributors to Eclipse Foundation.
Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.

This program and the accompanying materials are made available under the
Expand Down Expand Up @@ -96,21 +96,21 @@
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
<version>6.1.0-M1</version>
<version>6.1.0-M2</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>jakarta.authorization</groupId>
<artifactId>jakarta.authorization-api</artifactId>
<version>3.0.0-M1</version>
<version>3.0.0-M2</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.29.2-GA</version>
<version>3.30.2-GA</version>
<scope>provided</scope>
<optional>true</optional>
</dependency>
Expand Down Expand Up @@ -178,7 +178,7 @@

<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.10.1</version>
<version>3.12.1</version>
<configuration>
<release>17</release>
</configuration>
Expand Down Expand Up @@ -286,7 +286,7 @@
</groups>
<bottom><![CDATA[
Comments to: <a href="mailto:exousia-dev@eclipse.org">exousia-dev@eclipse.org</a>.<br>
Copyright &#169; 2021, 2023 Eclipse Foundation. All rights reserved.<br>
Copyright &#169; 2021, 2024 Eclipse Foundation. All rights reserved.<br>
Use is subject to <a href="http://www.eclipse.org/legal/epl-2.0" target="_top">license terms</a>.]]>
</bottom>
</configuration>
Expand All @@ -298,7 +298,7 @@ Use is subject to <a href="http://www.eclipse.org/legal/epl-2.0" target="_top">l
<plugin>
<groupId>org.eclipse.dash</groupId>
<artifactId>license-tool-plugin</artifactId>
<version>1.0.2</version>
<version>1.1.0</version>
<executions>
<execution>
<id>license-check</id>
Expand All @@ -313,7 +313,7 @@ Use is subject to <a href="http://www.eclipse.org/legal/epl-2.0" target="_top">l
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>flatten-maven-plugin</artifactId>
<version>1.5.0</version>
<version>1.6.0</version>
<configuration>
<flattenMode>ossrh</flattenMode>
</configuration>
Expand Down
6 changes: 5 additions & 1 deletion impl/src/main/java/org/glassfish/exousia/mapping/DefaultPrincipalMapper.java
View file
Open in desktop
Expand Up @@ -40,6 +40,9 @@
import javax.security.auth.Subject;

/**
* TODO: much or all of this should be removed and/or refactored.
* The servers supported here via reflection don't support this version of authorization
* at all, and have no need to be longer supported here.
*
* @author Arjan Tijms
*/
Expand Down Expand Up @@ -74,7 +77,8 @@ private static void tryInitGeronimo() {
// Geronimo 3.0.1 contains a protection mechanism to ensure only a Geronimo policy provider is installed.
// This protection can be beat by creating an instance of GeronimoPolicyConfigurationFactory once. This instance
// will statically register itself with an internal Geronimo class
geronimoPolicyConfigurationFactoryInstance = Class.forName("org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicyConfigurationFactory").newInstance();
geronimoPolicyConfigurationFactoryInstance =
Class.forName("org.apache.geronimo.security.jacc.mappingprovider.GeronimoPolicyConfigurationFactory").getDeclaredConstructor().newInstance();
geronimoContextToRoleMapping = new ConcurrentHashMap<>();
} catch (Exception e) {
// ignore
Expand Down
78 changes: 43 additions & 35 deletions impl/src/main/java/org/glassfish/exousia/modules/def/DefaultPolicy.java
View file
Open in desktop
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2023 Contributors to the Eclipse Foundation.
* Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation.
* Copyright (c) 2019, 2021 OmniFaces. All rights reserved.
*
* This program and the accompanying materials are made available under the
Expand All @@ -16,18 +16,17 @@
*/
package org.glassfish.exousia.modules.def;

import static jakarta.security.jacc.PolicyContext.PRINCIPAL_MAPPER;
import static java.util.Collections.list;

import jakarta.security.jacc.Policy;
import jakarta.security.jacc.PolicyConfiguration;
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;
import jakarta.security.jacc.PrincipalMapper;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
Expand All @@ -38,46 +37,55 @@
*/
public class DefaultPolicy implements Policy {

@Override
public boolean implies(Permission permissionToBeChecked, Subject subject) {
PolicyConfiguration policyConfiguration = getPolicyConfigurationFactory().getPolicyConfiguration();
PrincipalMapper roleMapper = getRoleMapper();
private PolicyConfigurationFactory policyConfigurationFactory;
private PrincipalMapper principalMapper;

if (isExcluded(policyConfiguration.getExcludedPermissions(), permissionToBeChecked)) {
// Excluded permissions cannot be accessed by anyone
return false;
}
@Override
public boolean isExcluded(Permission permissionToBeChecked) {
return isExcluded(
getPolicyConfigurationFactory().getPolicyConfiguration().getExcludedPermissions(),
permissionToBeChecked);
}

if (isUnchecked(policyConfiguration.getUncheckedPermissions(), permissionToBeChecked)) {
// Unchecked permissions are free to be accessed by everyone
return true;
}
@Override
public boolean isUnchecked(Permission permissionToBeChecked) {
return isUnchecked(
getPolicyConfigurationFactory().getPolicyConfiguration().getUncheckedPermissions(),
permissionToBeChecked);
}

@Override
public boolean impliesByRole(Permission permissionToBeChecked, Subject subject) {
if (subject == null) {
// Without a subject we can't check for roles, so we can shortcut the outcome.
return false;
}

Set<Principal> currentUserPrincipals = subject.getPrincipals();
// Get the configuration and mapper instances.
// Note that these are obtained for the current (application) context ID, and this policy could potentially
// be used for multiple context IDs. Therefore these objects should not be cached as instance data of this policy.
PolicyConfiguration policyConfiguration = getPolicyConfigurationFactory().getPolicyConfiguration();
PrincipalMapper roleMapper = getRoleMapper();

if (!roleMapper.isAnyAuthenticatedUserRoleMapped() && !currentUserPrincipals.isEmpty()) {
if (!roleMapper.isAnyAuthenticatedUserRoleMapped() && !subject.getPrincipals().isEmpty()) {
// The "any authenticated user" role is not mapped, so available to anyone and the current
// user is assumed to be authenticated (we assume that an unauthenticated user doesn't have any
// caller is assumed to be authenticated (we assume that an unauthenticated caller doesn't have any
// principals whatever they are)
if (hasAccessViaRole(policyConfiguration.getPerRolePermissions(), "**", permissionToBeChecked)) {
// Access is granted purely based/ on the user being authenticated
// (the actual roles, if any, the user has it not important)
// (the actual roles, if any, the caller has are not important)
return true;
}
}

if (hasAccessViaRoles(policyConfiguration.getPerRolePermissions(), roleMapper.getMappedRoles(subject),
permissionToBeChecked)) {
// Access is granted via role. Note that if this returns false/ it doesn't mean the permission is not granted.
// A role can only grant, not take away permissions.
return true;
}

return false;
// Check to see if access is granted via role.
// Note that if this returns false it doesn't necessarily mean the permission is not granted.
// A role can only grant, not take away permissions. Other checks (perhaps another custom policy that embeds us)
// may still grant the permission.
return hasAccessViaRoles(
policyConfiguration.getPerRolePermissions(),
roleMapper.getMappedRoles(subject),
permissionToBeChecked);
}

@Override
Expand Down Expand Up @@ -110,19 +118,19 @@ public PermissionCollection getPermissionCollection(Subject subject) {
// ### Private methods

private PolicyConfigurationFactory getPolicyConfigurationFactory() {
try {
return PolicyConfigurationFactory.getPolicyConfigurationFactory();
} catch (ClassNotFoundException | PolicyContextException e) {
throw new IllegalStateException(e);
if (policyConfigurationFactory == null) {
policyConfigurationFactory = PolicyConfigurationFactory.get();
}

return policyConfigurationFactory;
}

private PrincipalMapper getRoleMapper() {
try {
return PolicyContext.getContext(PolicyContext.PRINCIPAL_MAPPER);
} catch (PolicyContextException e) {
throw new IllegalStateException(e);
if (principalMapper == null) {
principalMapper = PolicyContext.get(PRINCIPAL_MAPPER);
}

return principalMapper;
}

private boolean isExcluded(PermissionCollection excludedPermissions, Permission permission) {
Expand Down