git-svn-id: http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/Common/authorization-common-library@115226 82a268e6-3cf1-43bd-a215-b396298e98cf
parent
9afd5b3834
commit
809fe7e592
|
@ -1,11 +1,14 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
|
||||
import org.gcube.common.authorization.library.provider.Service;
|
||||
|
||||
@XmlRootElement
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
public class AuthorizationEntry {
|
||||
|
@ -13,6 +16,7 @@ public class AuthorizationEntry {
|
|||
private String userName;
|
||||
private List<String> roles;
|
||||
private String scope;
|
||||
private List<Service> bannedServices = new ArrayList<Service>();
|
||||
|
||||
protected AuthorizationEntry(){}
|
||||
|
||||
|
@ -22,6 +26,11 @@ public class AuthorizationEntry {
|
|||
this.roles = roles;
|
||||
this.scope = scope;
|
||||
}
|
||||
|
||||
public AuthorizationEntry(String userName, List<String> roles, String scope, List<Service> bannedServices) {
|
||||
this(userName, roles, scope);
|
||||
this.bannedServices = bannedServices;
|
||||
}
|
||||
|
||||
public String getUserName() {
|
||||
return userName;
|
||||
|
@ -34,6 +43,14 @@ public class AuthorizationEntry {
|
|||
public String getScope() {
|
||||
return scope;
|
||||
}
|
||||
|
||||
public List<Service> getBannedServices() {
|
||||
return bannedServices;
|
||||
}
|
||||
|
||||
public void setBannedServices(List<Service> bannedServices) {
|
||||
this.bannedServices = bannedServices;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
|
|
|
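Review bot: `getBannedServices()` in the `@ -34,6 +43,14` hunk returns the live internal list, and both the new four-argument constructor and `setBannedServices` store the caller's reference as-is, so any holder of an `AuthorizationEntry` can un-ban a service with `getBannedServices().remove(...)`, and a null argument turns the getter into a null return that later `contains` calls will trip over. Since this object carries authorization state, copy on the way in and expose a read-only view: `this.bannedServices = bannedServices == null ? new ArrayList<Service>() : new ArrayList<Service>(bannedServices);` in the constructor and setter, and `return Collections.unmodifiableList(bannedServices);` in the getter (which needs `import java.util.Collections;` added to the import block in the first hunk). A one-line Javadoc on the getter, `/** Services this principal is barred from calling; read-only view, never null. */`, would make the contract explicit for the invocation handler that consumes it. The `toString()` whose signature closes the hunk continues outside it.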
@ -33,22 +33,8 @@ public class AuthorizationInvocationHandler<T, I extends T> implements Invocatio
|
|||
Object[] args) throws Throwable {
|
||||
log.trace("calling proxed method "+method.getName()+" on "+handledClass);
|
||||
UserInfo info = AuthorizationProvider.instance.get();
|
||||
if(method.isAnnotationPresent(IsAllowedFor.class)){
|
||||
IsAllowedFor allowed = method.getAnnotation(IsAllowedFor.class);
|
||||
if (allowed.roles().length>0 && isOneElementContainedinRoles(info.getRoles(), allowed.roles())){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": only roles "+Arrays.toString(allowed.roles()) +" can access";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
}
|
||||
if(method.isAnnotationPresent(SubjectToQuota.class)){
|
||||
Service service = new Service(resourceAuthorizationProxy.getServiceClass(), resourceAuthorizationProxy.getServiceName());
|
||||
if (info.getBannedServices().contains(service)){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": overquota reached";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
}
|
||||
checkSubjectToQuota(info, method);
|
||||
checkIsAllowedFor(info, method);
|
||||
return method.invoke(obj, args);
|
||||
}
|
||||
|
||||
|
@ -59,4 +45,27 @@ public class AuthorizationInvocationHandler<T, I extends T> implements Invocatio
|
|||
return false;
|
||||
}
|
||||
|
||||
private void checkSubjectToQuota(UserInfo info, Method method){
|
||||
if(method.isAnnotationPresent(SubjectToQuota.class)){
|
||||
Service service = new Service(resourceAuthorizationProxy.getServiceClass(), resourceAuthorizationProxy.getServiceName());
|
||||
log.debug("subjectToQuota annotation present, checking for service {} in bannedServices {}",service, info.getBannedServices());
|
||||
if (info.getBannedServices().contains(service)){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": overquota reached";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
} else log.debug("is subjectToQuota not present in "+method.getName());
|
||||
}
|
||||
|
||||
private void checkIsAllowedFor(UserInfo info, Method method){
|
||||
if(method.isAnnotationPresent(IsAllowedFor.class)){
|
||||
IsAllowedFor allowed = method.getAnnotation(IsAllowedFor.class);
|
||||
if (allowed.roles().length>0 && !isOneElementContainedinRoles(info.getRoles(), allowed.roles())){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": only roles "+Arrays.toString(allowed.roles()) +" can access";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
} else log.debug("is allowedFor not present in "+method.getName());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
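Review bot: In `checkIsAllowedFor`, an `@IsAllowedFor` whose `roles()` array is empty is skipped entirely by the `allowed.roles().length>0 &&` guard, so such an annotation silently grants the method to every caller rather than denying it; if that is intended it deserves a comment on the annotation (`// empty roles list means no role restriction`), otherwise drop the length guard so an empty list fails closed. Both helpers also dereference `info` (and `info.getRoles()` / `info.getBannedServices()`) without a null check, so if `AuthorizationProvider.instance.get()` can yield no identity the proxy would fail with a NullPointerException from inside the authorization path instead of an explicit refusal. A guard at the top of each helper, `if (info == null) throw new SecurityException("no caller identity available for " + method.getName());`, keeps the fail-closed behaviour deliberate and readable. Whether `getRoles()` can itself return null cannot be judged here, and `isOneElementContainedinRoles`, which closes the first lines of this hunk, starts outside it.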
@ -0,0 +1,36 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
import java.util.Calendar;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
|
||||
import org.gcube.common.authorization.library.provider.Service;
|
||||
|
||||
@XmlRootElement
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
public class BannedService {
|
||||
|
||||
private Service service;
|
||||
private Calendar banTime;
|
||||
|
||||
protected BannedService() {
|
||||
super();
|
||||
}
|
||||
|
||||
public BannedService(Service service, Calendar banTime) {
|
||||
super();
|
||||
this.service = service;
|
||||
this.banTime = banTime;
|
||||
}
|
||||
public Service getService() {
|
||||
return service;
|
||||
}
|
||||
public Calendar getCreationTime() {
|
||||
return banTime;
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
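Review bot: `getCreationTime()` returns the field `banTime` under a name that does not match it, and because `Calendar` is mutable the caller receives the stored instance itself and can shift the ban timestamp in place. Since the class is new, prefer `public Calendar getBanTime() { return banTime == null ? null : (Calendar) banTime.clone(); }` and have `getCreationTime()` delegate to it (or drop it) rather than keeping two names for one value. Nothing in this commit reads the ban time, so a class-level Javadoc stating what it means would help the next reader, e.g. `/** A service the token holder is barred from, and the time at which the ban was recorded. */`. If the time is meant to drive expiry of the ban, say so, because the handler in this commit only checks list membership.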
@ -0,0 +1,30 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
|
||||
@XmlRootElement
|
||||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
public class BannedServices {
|
||||
|
||||
private List<BannedService> services;
|
||||
|
||||
protected BannedServices(){}
|
||||
|
||||
public BannedServices(List<BannedService> services) {
|
||||
super();
|
||||
this.services = services;
|
||||
}
|
||||
|
||||
|
||||
|
||||
public List<BannedService> get() {
|
||||
return services;
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
|
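Review bot: `get()` hands out the internal list and can return null, since an instance built through the protected no-arg constructor (the unmarshalling path, given the JAXB annotations) never initialises `services`. Returning a safe view avoids both problems: `return services == null ? Collections.<BannedService>emptyList() : Collections.unmodifiableList(services);` with `import java.util.Collections;` added to the imports. The bare name `get()` also says nothing about what comes back; `getServices()` would read better, with `get()` kept as a delegating alias if the name is already on the wire. A short Javadoc, `/** Services banned for this token; read-only, empty when none. */`, would document the contract.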
@ -3,7 +3,6 @@ package org.gcube.common.authorization.library;
|
|||
import java.lang.reflect.Proxy;
|
||||
|
||||
public class GenericProxyFactory {
|
||||
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public static <T, I extends T> T getProxy(Class<T> intf,
|
||||
|
|
|
@ -11,6 +11,8 @@ public class Service {
|
|||
private String serviceClass;
|
||||
private String serviceName;
|
||||
|
||||
protected Service(){}
|
||||
|
||||
public Service(String serviceClass, String serviceName) {
|
||||
super();
|
||||
this.serviceClass = serviceClass;
|
||||
|
@ -56,6 +58,13 @@ public class Service {
|
|||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "Service [serviceClass=" + serviceClass + ", serviceName="
|
||||
+ serviceName + "]";
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
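Review bot: The new protected no-arg constructor in the `@ -11,6 +11,8` hunk carries no comment explaining why it exists; it is presumably there for JAXB unmarshalling, given the `@XmlRootElement` types added elsewhere in this commit, and it means a `Service` can now exist with null `serviceClass` and `serviceName`. A one-liner such as `/** No-arg constructor for JAXB unmarshalling only; fields are populated by the binder. */` would prevent it being picked up as a general-purpose constructor. Because `Service` is compared with `equals` in the banned-service check, it is worth confirming that `equals` and `hashCode`, whose start lies outside the second hunk, handle those null fields consistently; the added `toString()` itself looks fine.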
@ -35,6 +35,10 @@ public class UserInfo {
|
|||
return bannedServices;
|
||||
}
|
||||
|
||||
public boolean isTokenBannedForService(Service service){
|
||||
return (bannedServices.contains(service));
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
|
@ -44,7 +48,7 @@ public class UserInfo {
|
|||
+ ((userName == null) ? 0 : userName.hashCode());
|
||||
return result;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public boolean equals(Object obj) {
|
||||
if (this == obj)
|
||||
|
|
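Review bot: `isTokenBannedForService` is the natural single entry point for the ban decision, yet `checkSubjectToQuota` in this same commit still performs `info.getBannedServices().contains(service)` itself, leaving two code paths for one deny decision that can drift apart. Have the handler call this method, and make the method itself null-safe, since the field's initialisation is not visible here: `return bannedServices != null && bannedServices.contains(service);`. A Javadoc line, `/** True when the current token is barred from calling the given service. */`, would also state what "token" refers to, which the method name introduces without explanation. The `equals` override that closes the second hunk continues outside it.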