/*
* JBoss, Home of Professional Open Source.
* Copyright 2013, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.controller.access.rbac;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import org.jboss.as.controller.access.AuthorizerConfiguration;
import org.jboss.as.controller.access.Caller;
import org.jboss.as.controller.access.Environment;
import org.jboss.as.controller.access.permission.CombinationPolicy;
import org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer;
/**
* Standard {@link org.jboss.as.controller.access.Authorizer} implementation that uses a provided
* {@link RoleMapper} to construct a {@link DefaultPermissionFactory}, with that permission factory
* used for the permissions used by the {@link ManagementPermissionAuthorizer superclass implementation}.
* <p>Also supports the allowed roles being specified via a {@code roles} operation-header in the top level operation
* whose value is the name of a role or a DMR list of strings each of which is the name of a role.</p>
* <p>This operation-header based approach is only secure to the extent the clients using it are secure. To use this
* approach the client must authenticate; the header is then applied by a {@link RunAsRoleMapper} layered over the
* configured {@link RoleMapper} (see {@link #create}), which is what makes the header a restriction rather than
* a grant: by adding the {@code roles} operation-header to the request the client can only reduce its privileges,
* not increase them.
* </p>
*
*
* @author Brian Stansberry (c) 2013 Red Hat Inc.
*/
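public final class StandardRBACAuthorizer extends ManagementPermissionAuthorizer {

    /**
     * Names of all {@link StandardRole}s, in declaration order.
     * <p>
     * This set is published to callers through {@link #AUTHORIZER_DESCRIPTION}, so it is wrapped read-only:
     * previously a mutable {@code LinkedHashSet} was returned, letting any code with a reference to the public
     * description add, remove or clear the advertised standard roles.
     */
    private static final Set<String> STANDARD_ROLES;

    static {
        final Set<String> stdRoles = new LinkedHashSet<String>();
        for (StandardRole stdRole : StandardRole.values()) {
            stdRoles.add(stdRole.toString());
        }
        STANDARD_ROLES = Collections.unmodifiableSet(stdRoles);
    }

    /** Describes this authorizer as role based and advertises the standard role names. */
    public static final AuthorizerDescription AUTHORIZER_DESCRIPTION = new AuthorizerDescription() {
        @Override
        public boolean isRoleBased() {
            return true;
        }

        /**
         * @return a read-only view of the standard role names; mutation attempts throw
         *         {@link UnsupportedOperationException}
         */
        @Override
        public Set<String> getStandardRoles() {
            return STANDARD_ROLES;
        }
    };

    /**
     * Creates an authorizer whose role mapping is {@code roleMapper} wrapped in a {@link RunAsRoleMapper}
     * (presumably where the {@code roles} operation-header described on the class is applied — confirm in
     * {@code RunAsRoleMapper}) and whose permissions come from a {@link DefaultPermissionFactory} built on
     * that wrapped mapper.
     *
     * @param configuration the authorizer configuration; the permission factory is registered with it as a
     *                      scoped-role listener until {@link #shutdown()} is called
     * @param roleMapper    maps an authenticated caller to its roles
     * @return the new authorizer
     * @throws NullPointerException if either argument is {@code null}; checked up front so a misconfigured
     *                              authorizer fails at construction rather than on the first authorization call
     */
    public static StandardRBACAuthorizer create(AuthorizerConfiguration configuration, final RoleMapper roleMapper) {
        Objects.requireNonNull(configuration, "configuration");
        Objects.requireNonNull(roleMapper, "roleMapper");
        final RunAsRoleMapper runAsRoleMapper = new RunAsRoleMapper(roleMapper);
        // NOTE(review): PERMISSIVE governs how permissions from several roles are combined; the name suggests
        // "allowed if any role allows" — confirm against CombinationPolicy before relying on that reading.
        final DefaultPermissionFactory permissionFactory = new DefaultPermissionFactory(CombinationPolicy.PERMISSIVE,
                runAsRoleMapper, configuration);
        return new StandardRBACAuthorizer(configuration, permissionFactory, runAsRoleMapper);
    }

    private final AuthorizerConfiguration configuration;
    private final DefaultPermissionFactory permissionFactory;
    private final RoleMapper roleMapper;

    /**
     * @param configuration     configuration the permission factory is registered with (and later unregistered
     *                          from, see {@link #shutdown()})
     * @param permissionFactory permission source handed to the superclass
     * @param roleMapper        mapper consulted by {@link #getCallerRoles}
     */
    private StandardRBACAuthorizer(final AuthorizerConfiguration configuration,
                                   final DefaultPermissionFactory permissionFactory, final RoleMapper roleMapper) {
        // The factory is passed for both superclass collaborators; see ManagementPermissionAuthorizer for
        // what each position means.
        super(permissionFactory, permissionFactory);
        this.configuration = configuration;
        this.permissionFactory = permissionFactory;
        // Let the factory track scoped-role changes. Paired with the unregister call in shutdown().
        configuration.registerScopedRoleListener(permissionFactory);
        this.roleMapper = roleMapper;
    }

    /**
     * Delegates to the configured {@link RoleMapper}.
     *
     * @param caller          the authenticated caller
     * @param callEnvironment environment of the current call
     * @param runAsroles      roles the caller asked to run as (may be restricted by the mapper)
     * @return the roles the mapper assigns to the caller
     */
    @Override
    public Set<String> getCallerRoles(Caller caller, Environment callEnvironment, Set<String> runAsroles) {
        return roleMapper.mapRoles(caller, callEnvironment, runAsroles);
    }

    /** @return the shared {@link #AUTHORIZER_DESCRIPTION} */
    @Override
    public AuthorizerDescription getDescription() {
        return AUTHORIZER_DESCRIPTION;
    }

    /**
     * Unregisters the permission factory from the configuration it was registered with in the constructor.
     * Call when this authorizer is discarded so the configuration no longer references it.
     */
    public void shutdown() {
        configuration.unregisterScopedRoleListener(permissionFactory);
    }
}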