/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
package org.glassfish.security.services.impl.authorization;
import java.net.URI;
import java.security.AccessController;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.jvnet.hk2.annotations.Service;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.security.services.api.authorization.AzAttributeResolver;
import org.glassfish.security.services.api.authorization.AzResource;
import org.glassfish.security.services.api.authorization.AzSubject;
import org.glassfish.security.services.api.authorization.RoleMappingService;
import org.glassfish.security.services.common.PrivilegedLookup;
import org.glassfish.security.services.common.Secure;
import org.glassfish.security.services.config.SecurityConfiguration;
import org.glassfish.security.services.config.SecurityProvider;
import org.glassfish.security.services.impl.ServiceFactory;
import org.glassfish.security.services.impl.ServiceLogging;
import org.glassfish.security.services.spi.authorization.RoleMappingProvider;
import com.sun.enterprise.config.serverbeans.Domain;
import com.sun.enterprise.util.LocalStringManagerImpl;
import org.glassfish.logging.annotation.LogMessageInfo;
/**
* <code>RoleMappingServiceImpl</code> implements
* <code>{@link org.glassfish.security.services.api.authorization.RoleMappingService}</code>
* by delegating role mapping decisions to configured
* <code>{@link org.glassfish.security.services.spi.RoleMappingProvider}</code>
* instances.
*/
@Service
@Singleton
@Secure(accessPermissionName="security/service/rolemapper")
public final class RoleMappingServiceImpl implements RoleMappingService, PostConstruct {
private static final Level DEBUG_LEVEL = Level.FINER;
private static final Logger logger =
Logger.getLogger(ServiceLogging.SEC_SVCS_LOGGER,ServiceLogging.SHARED_LOGMESSAGE_RESOURCE);
private static LocalStringManagerImpl localStrings =
new LocalStringManagerImpl(RoleMappingServiceImpl.class);
@Inject
private Domain domain;
@Inject
private ServiceLocator serviceLocator;
// Role Mapping Service Configuration Information
private org.glassfish.security.services.config.RoleMappingService config;
private RoleMappingProvider provider;
// Service lifecycle
enum InitializationState {
NOT_INITIALIZED,
SUCCESS_INIT,
FAILED_INIT
}
private volatile InitializationState initialized = InitializationState.NOT_INITIALIZED;
private volatile String reasonInitFailed =
localStrings.getLocalString("service.role.not_config","The Role Mapping Service was not configured properly.");
final InitializationState getInitializationState() {
return initialized;
}
final String getReasonInitializationFailed() {
return reasonInitFailed;
}
final void checkServiceAvailability() {
if (InitializationState.SUCCESS_INIT != getInitializationState()) {
throw new IllegalStateException(
localStrings.getLocalString("service.role.not_avail","The Role Mapping Service is not available.")
+ getReasonInitializationFailed());
}
}
private final List<AzAttributeResolver> attributeResolvers =
Collections.synchronizedList(new java.util.ArrayList<AzAttributeResolver>());
private boolean isDebug() {
return logger.isLoggable(DEBUG_LEVEL);
}
// Helpers
private AzSubject makeAzSubject(final Subject subject) {
AzSubject azs = new AzSubjectImpl(subject);
return azs;
}
private AzResource makeAzResource(final URI resource) {
AzResource azr = new AzResourceImpl(resource);
return azr;
}
/**
* Initialize the Role Mapping service with the configured role mapping provider.
*/
@Override
public void initialize(SecurityConfiguration securityServiceConfiguration) {
if (InitializationState.NOT_INITIALIZED != initialized) {
return;
}
try {
// Get the Role Mapping Service configuration
config = (org.glassfish.security.services.config.RoleMappingService) securityServiceConfiguration;
if (config != null) {
// Get the role mapping provider configuration
// Consider only one provider for now and take the first provider found!
List<SecurityProvider> providersConfig = config.getSecurityProviders();
SecurityProvider roleProviderConfig = null;
if (providersConfig != null) roleProviderConfig = providersConfig.get(0);
if (roleProviderConfig != null) {
// Get the provider
String providerName = roleProviderConfig.getName();
if (isDebug()) {
logger.log(DEBUG_LEVEL, "Attempting to get Role Mapping Provider \"{0}\".", providerName );
}
provider = AccessController.doPrivileged(
new PrivilegedLookup<RoleMappingProvider>(serviceLocator, RoleMappingProvider.class, providerName) );
if (provider == null) {
throw new IllegalStateException(localStrings.getLocalString("service.role.not_provider",
"Role Mapping Provider {0} not found.", providerName));
}
// Initialize the provider
provider.initialize(roleProviderConfig);
// Service setup complete
initialized = InitializationState.SUCCESS_INIT;
reasonInitFailed = null;
// Log initialized
logger.log(Level.INFO, ROLEMAPSVC_INITIALIZED);
}
}
} catch (Exception e) {
String eMsg = e.getMessage();
String eClass = e.getClass().getName();
reasonInitFailed = localStrings.getLocalString("service.role.init_failed",
"Role Mapping Service initialization failed, exception {0}, message {1}", eClass, eMsg);
logger.log(Level.WARNING, ROLEMAPSVC_INIT_FAILED, new Object[] {eClass, eMsg});
throw new RuntimeException(reasonInitFailed, e);
} finally {
if (InitializationState.SUCCESS_INIT != initialized) {
initialized = InitializationState.FAILED_INIT;
}
}
}
/**
* Determine the user's role by converting arguments into security authorization data types.
*
* @see <code>{@link org.glassfish.security.services.api.authorization.RoleMappingService}</code>
*/
@Override
public boolean isUserInRole(String appContext, Subject subject, URI resource, String role) {
// Validate inputs
if (subject == null) throw new IllegalArgumentException(
localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
if (resource == null) throw new IllegalArgumentException(
localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
// Convert arguments
return isUserInRole(appContext, makeAzSubject(subject), makeAzResource(resource), role);
}
/**
* Determine if the user's is in the specified role.
*
* @see <code>{@link org.glassfish.security.services.api.authorization.RoleMappingService}</code>
*/
@Override
public boolean isUserInRole(String appContext, AzSubject subject, AzResource resource, String role) {
boolean result = false;
// Validate inputs
if (subject == null) throw new IllegalArgumentException(
localStrings.getLocalString("service.subject_null", "The supplied Subject is null."));
if (resource == null) throw new IllegalArgumentException(
localStrings.getLocalString("service.resource_null", "The supplied Resource is null."));
// Make sure provider and config have been setup...
checkServiceAvailability();
// Call provider - AzEnvironment and AzAttributeResolver are placeholders
result = provider.isUserInRole(appContext, subject, resource, role, new AzEnvironmentImpl(), attributeResolvers);
// Display and return results
if (isDebug()) {
logger.log(DEBUG_LEVEL, "Role Mapping Service result {0}"
+ " for role {1} with resource {2} using subject {3} in context {4}.",
new String[]{ Boolean.toString(result), role,
resource.toString(), subject.toString(), appContext});
}
return result;
}
/**
* Find an existing <code>RoleDeploymentContext</code>, or create a new one if one does not
* already exist for the specified application context.
*
* @see <code>{@link org.glassfish.security.services.api.authorization.RoleMappingService}</code>
*/
@Override
public RoleMappingService.RoleDeploymentContext findOrCreateDeploymentContext(String appContext) {
checkServiceAvailability();
return provider.findOrCreateDeploymentContext(appContext);
}
/**
* Handle lookup of role mapping service configuration and initialization.
* If no service or provider is configured the service run-time will throw exceptions.
*
* Addresses alternate configuration handling until adopt @Proxiable support.
*/
@Override
public void postConstruct() {
org.glassfish.security.services.config.RoleMappingService roleConfiguration =
ServiceFactory.getSecurityServiceConfiguration(
domain, org.glassfish.security.services.config.RoleMappingService.class);
initialize(roleConfiguration);
}
//
// Log Messages
//
@LogMessageInfo(
message = "Role Mapping Service has successfully initialized.",
level = "INFO")
private static final String ROLEMAPSVC_INITIALIZED = "SEC-SVCS-00150";
@LogMessageInfo(
message = "Role Mapping Service initialization failed, exception {0}, message {1}",
level = "WARNING")
private static final String ROLEMAPSVC_INIT_FAILED = "SEC-SVCS-00151";
}