Index: topia-service/src/java/org/codelutin/topia/taas/TaasService.java
diff -u topia-service/src/java/org/codelutin/topia/taas/TaasService.java:1.5 topia-service/src/java/org/codelutin/topia/taas/TaasService.java:1.6
--- topia-service/src/java/org/codelutin/topia/taas/TaasService.java:1.5 Fri Dec 7 16:24:37 2007
+++ topia-service/src/java/org/codelutin/topia/taas/TaasService.java Thu Dec 13 16:48:17 2007
@@ -24,48 +24,67 @@
 * Created: 10 févr. 2006
 *
 * @author Arnaud Thimel
-* @version $Revision: 1.5 $
+* @version $Revision: 1.6 $
 *
-* Mise a jour: $Date: 2007-12-07 16:24:37 $
+* Mise a jour: $Date: 2007-12-13 16:48:17 $
 * par : $Author: ruchaud $
 */
+
 package org.codelutin.topia.taas;
+import java.security.AccessController;
+import java.security.Permission;
 import java.util.List;
+import javax.security.auth.Subject;
 import javax.security.auth.login.Configuration;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.codelutin.topia.TopiaContext;
 import org.codelutin.topia.TopiaException;
-import org.codelutin.topia.event.TopiaTransactionEvent;
-import org.codelutin.topia.event.TopiaTransactionVetoable;
+import org.codelutin.topia.TopiaNotFoundException;
 import org.codelutin.topia.framework.TopiaContextImplementor;
 import org.codelutin.topia.framework.TopiaService;
+import org.codelutin.topia.persistence.TopiaDAO;
+import org.codelutin.topia.persistence.TopiaEntity;
+import org.codelutin.topia.persistence.TopiaId;
 import org.codelutin.topia.taas.entities.TaasAuthorizationImpl;
 import org.codelutin.topia.taas.entities.TaasPrincipalImpl;
 import org.codelutin.topia.taas.entities.TaasUserImpl;
-import org.codelutin.topia.taas.event.TaasEntityVetoable;
-import org.codelutin.topia.taas.event.TaasEntityVetoableNoLoad;
+import org.codelutin.topia.taas.interceptor.TaasAccessInterceptor;
 import org.codelutin.topia.taas.jaas.TaasConfiguration;
 import org.codelutin.topia.taas.jaas.TaasLoginModule;
+import org.codelutin.topia.taas.jaas.TaasPermission;
 import org.codelutin.topia.taas.jaas.TaasPolicy;
-
-public class TaasService implements TopiaService, TopiaTransactionVetoable {
+/**
+ * Service pour la sécurité
+ *
+ * @author julien
+ *
+ */
+public class TaasService implements TopiaService {
 static private Log log = LogFactory.getLog(TaasService.class);
 public static final String CONF_KEY = "taas";
 public static final String CONF_LOGIN_MODULE = TaasLoginModule.class.getName();
-
- private TaasEntityVetoable entityVetoable = new TaasEntityVetoable(this);
- private TaasEntityVetoableNoLoad entityVetoableNoLoad = new TaasEntityVetoableNoLoad(this);
+ public static final String CONF_INTERCEPTOR = "topia.service.taas.interceptor";
 private TaasPolicy policy = new TaasPolicy(this);
 private TopiaContextImplementor rootContext;
+ private TopiaContextImplementor transaction;
+ /**
+ * Contructeur par défaut
+ */
+ public TaasService() {
+ }
+
+ /*
+ * (non-Javadoc)
+ * @see org.codelutin.topia.framework.TopiaService#getPersistenceClasses()
+ */
 public Class[] getPersistenceClasses() {
 return new Class [] {
 TaasUserImpl.class,
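Review bot: The new `transaction` and `CONF_INTERCEPTOR` members are added without a comment, although both carry a contract that later code in this commit depends on: `transaction` is opened in preInit and read by getRequestPermission, and nothing in this diff closes or commits it, while the interceptor key only disables the interceptor for the exact string "false". I would document that in place, e.g. `/** Config key; any value other than the string "false" makes preInit install TaasAccessInterceptor. */` above `CONF_INTERCEPTOR` and `/** Transaction opened in preInit and reused by getRequestPermission; lifetime is the service's, not the caller's. */` above `transaction`. The constructor Javadoc also misspells "Contructeur" (should read "Constructeur").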
@@ -74,47 +93,106 @@
 };
 }
- public TaasService() {
- }
-
+ /*
+ * (non-Javadoc)
+ * @see org.codelutin.topia.framework.TopiaService#getServiceName()
+ */
 public String getServiceName() {
 return CONF_KEY;
 }
- public boolean postInit(TopiaContextImplementor context) {
+ /*
+ * (non-Javadoc)
+ * @see org.codelutin.topia.framework.TopiaService#preInit(org.codelutin.topia.framework.TopiaContextImplementor)
+ */
+ public boolean preInit(TopiaContextImplementor context) {
 rootContext = context;
-
- initSecurity(rootContext);
+ try {
+ org.hibernate.cfg.Configuration configuration = rootContext.getHibernateConfiguration();
+ String interceptor = configuration.getProperty(CONF_INTERCEPTOR);
+ if(!"false".equals(interceptor)) {
+ configuration.setInterceptor(new TaasAccessInterceptor(this));
+ }
+ transaction = (TopiaContextImplementor) rootContext.beginTransaction();
+ } catch (TopiaException e) {
+ throw new SecurityException("Init security error", e);
+ }
+ return true;
+ }
+
+ /*
+ * (non-Javadoc)
+ * @see org.codelutin.topia.framework.TopiaService#postInit(org.codelutin.topia.framework.TopiaContextImplementor)
+ */
+ public boolean postInit(TopiaContextImplementor context) {
 policy.installPolicy();
 Configuration.setConfiguration(new TaasConfiguration(CONF_KEY, this));
-
 return true;
 }
- public void beginTransaction(TopiaTransactionEvent event) {
- TopiaContext context = event.getTopiaContext();
- initSecurity(context);
+ /**
+ * Permet d'obtenir le context root
+ * @return context root
+ */
+ public TopiaContextImplementor getRootContext() {
+ return rootContext;
 }
- private void initSecurity(TopiaContext context) {
- List entitiesClasses = rootContext.getPersistenceClasses();
- for (Class clazz : entitiesClasses) {
- context.addTopiaEntityVetoable(clazz, entityVetoable);
+ /**
+ * Permet de vérifier les authorizations
+ * @param entity entité
+ * @param actions actions
+ * @throws SecurityException en cas d'erreur de sécurité
+ */
+ public void check(TopiaEntity entity, int actions) throws SecurityException {
+ List permissions = getRequestPermission(entity, actions);
+
+ Subject subject = Subject.getSubject(AccessController.getContext());
+ if (subject != null) {
+ if(permissions == null) {
+ try {
+ AccessController.checkPermission(new TaasPermission(entity.getTopiaId(), actions));
+ } catch (SecurityException se) {
+ throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + subject + "\"");
+ }
+ } else {
+ for (Permission permission : permissions) {
+ try {
+ AccessController.checkPermission(permission);
+ break;
+ } catch (SecurityException se) {
+ throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + subject + "\"");
+ }
+ }
+ }
+ } else {
+ throw new SecurityException("Use doAs() and login first");
 }
-
- Class[] noLoadClasses = getPersistenceClasses();
- for (Class clazz : noLoadClasses) {
- context.addTopiaEntityVetoable(clazz, entityVetoableNoLoad);
- }
-
- context.addTopiaTransactionVetoable(this);
 }
- public boolean preInit(TopiaContextImplementor context) {
- return true;
- }
-
- public TopiaContext getRootContext() throws TopiaException {
- return rootContext;
+ /**
+ * Récupération des requests permissions dans les DAOs
+ * @param entity entité
+ * @param actions actions
+ * @return permissions à vérifier
+ */
+ public List getRequestPermission(TopiaEntity entity, int actions) {
+ String topiaId = entity.getTopiaId();
+ Class klass = null;
+
+ try {
+ klass = TopiaId.getClassName(topiaId);
+ } catch (TopiaNotFoundException e) {
+ throw new SecurityException("Invalid topiaId", e);
+ }
+
+ List permissions = null;
+ try {
+ TopiaDAO dao = transaction.getDAO(klass);
+ permissions = dao.getRequestPermission(topiaId, actions);
+ } catch (TopiaException e) {
+ throw new SecurityException("Error in getRequestPermission for " + klass.getName(), e);
+ }
+ return permissions;
 }
 }
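Review bot: In check(), the `else` branch that iterates `permissions` does not behave the way its loop shape suggests: the `break` right after a successful checkPermission together with the `throw` inside the catch means only the first element is ever tested, and an empty (non-null) list makes the loop body never run, so check() returns normally and grants access without any permission having been checked. If the intent is that any one of the DAO-supplied permissions suffices, the catch should record the denial and continue, throwing only after the loop when none passed; if all of them must hold, the `break` should be removed instead — and in either reading an empty list should be decided explicitly rather than falling through as granted. The wrapped SecurityException also drops `se`; passing it as the cause (as preInit already does with `e`) keeps the original denial reason for diagnostics. The fence below shows the any-of reading, failing closed on an empty list.
```java
} else {
    if (permissions.isEmpty()) {
        // fail closed: an empty list is not a grant
        throw new SecurityException("No permission to check for object \"" + entity.getTopiaId() + "\"");
    }
    SecurityException denied = null;
    for (Permission permission : permissions) {
        try {
            AccessController.checkPermission(permission);
            denied = null;
            break;
        } catch (SecurityException se) {
            denied = se;
        }
    }
    if (denied != null) {
        throw new SecurityException("Access denied to object \"" + entity.getTopiaId() + "\" for \"" + subject + "\"", denied);
    }
}
// … unchanged: subject == null branch …
```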