JAAS 实现in Struts Web App

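// 5. Implement the XMLPolicyFile class.

/**
 * A {@link Policy} that reads grant entries from an XML policy file and resolves the
 * permissions granted to the principals of a {@link Subject}.
 * <p>
 * The file path is the unqualified constant {@code AUTH_SECURITY_POLICYXMLFILE}, presumably
 * inherited from {@link JAASConstants}. The document is parsed once in the constructor (and
 * again on every {@link #refresh()}); {@link #getPermissions(Subject, CodeSource)} then runs
 * an XPath query per principal. Access to {@code doc} is not synchronized.
 */
public class XMLPolicyFile extends Policy implements JAASConstants {

    /** DOM of the policy file; replaced by {@link #refresh()}. */
    private Document doc = null;

    /** Loads the policy file immediately. */
    public XMLPolicyFile() {
        refresh();
    }

    /**
     * Code-source-only lookup is not supported by this policy.
     *
     * @return always {@code null} (unchanged from the original stub); use the
     *         subject-aware overload instead
     */
    public PermissionCollection getPermissions(CodeSource arg0) {
        // TODO Auto-generated method stub
        return null;
    }

    /**
     * Creates a DOM tree document from the XML file named by
     * {@code AUTH_SECURITY_POLICYXMLFILE}. This DOM tree document is then used by
     * {@code getPermissions()} when searching for permissions.
     *
     * @throws RuntimeException if the file cannot be read or parsed; the underlying
     *         exception is kept as the cause
     * @see javax.security.auth.Policy#refresh()
     */
    public void refresh() {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(AUTH_SECURITY_POLICYXMLFILE);
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            factory.setNamespaceAware(true);
            // The policy file is local configuration, but it never needs a DTD, and a
            // DTD is the only way for it to reference external entities. Refuse it.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setExpandEntityReferences(false);
            doc = factory.newDocumentBuilder().parse(new InputSource(fis));
        } catch (Exception e) {
            // Preserve the cause instead of flattening it to its message.
            throw new RuntimeException(
                    "Unable to load policy file " + AUTH_SECURITY_POLICYXMLFILE, e);
        } finally {
            if (fis != null) {
                try {
                    fis.close();
                } catch (IOException ignored) {
                    // Nothing useful can be done about a failed close here.
                }
            }
        }
    }

    /**
     * Collects the permissions granted to each principal of {@code subject}.
     * <p>
     * For every principal the elements matched by
     * {@code /policy/grant/principal[@classname='...'][@name='...']/permission} are turned into
     * {@link Permission} instances; a grant with a {@code codebase} attribute applies only when
     * that code source implies {@code codeSource}, a grant without one applies always.
     * <p>
     * An empty collection is returned when nothing matched. The original fallback to
     * {@code Policy.getPolicy()} was unreachable (the collection was never {@code null}) and
     * reviving it would widen what is granted, so it is left out.
     *
     * @param subject    the authenticated subject; {@code null} yields an empty collection
     * @param codeSource the code source being checked; may be {@code null}
     * @return the matched permissions, never {@code null}
     * @throws RuntimeException if the XPath query or permission construction fails
     */
    public PermissionCollection getPermissions(Subject subject, CodeSource codeSource) {
        ResourcePermissionCollection collection = new ResourcePermissionCollection();
        if (subject == null) {
            return collection;
        }
        try {
            for (Principal principal : subject.getPrincipals()) {
                String principalName = principal.getName();
                // The name is spliced into an XPath attribute predicate; a quote in it
                // would change the meaning of the query, so such principals get no
                // grants from this file (the original appended the raw name).
                if (principalName == null || principalName.indexOf('\'') >= 0) {
                    continue;
                }
                // Sample: /policy/grant/principal[@classname='com.fonseca.security.SamplePrincipal'][@name='testUser']/permission
                String xpath = "/policy/grant/principal[@classname='"
                        + principal.getClass().getName() + "'][@name='"
                        + principalName + "']/permission";
                NodeIterator nodes = XPathAPI.selectNodeIterator(doc, xpath);
                Node node;
                while ((node = nodes.nextNode()) != null) {
                    // permission -> principal -> grant
                    CodeSource codebase = getCodebase(node.getParentNode().getParentNode());
                    // No codebase on the grant means it applies everywhere. (The original
                    // tested `codebase != null || codebase.implies(codeSource)`, which
                    // skipped implies() whenever a codebase was present and dereferenced
                    // null when it was absent.)
                    if (codebase == null || codebase.implies(codeSource)) {
                        collection.add(getPermission(node));
                    }
                }
            }
        } catch (Exception e) {
            throw new RuntimeException("Unable to evaluate policy for subject", e);
        }
        return collection;
    }

    /**
     * Returns a Permission instance defined by the provided permission Node attributes.
     * <p>
     * The constructor arguments are the {@code String} attributes present, in the order
     * {@code (name, actions, relationship)}; the list stops at the first absent one, and with
     * no {@code name} the no-arg constructor is used. The permission class therefore needs a
     * matching {@code String}-only constructor.
     *
     * @param node a {@code permission} element
     * @return the instantiated permission
     * @throws IllegalArgumentException if the element has no {@code classname} attribute or
     *         names a class that is not a {@link Permission}
     * @throws Exception on reflection failures (unknown class, no matching constructor)
     */
    private Permission getPermission(Node node) throws Exception {
        NamedNodeMap map = node.getAttributes();
        Attr attrClassname = (Attr) map.getNamedItem("classname");
        Attr attrName = (Attr) map.getNamedItem("name");
        Attr attrActions = (Attr) map.getNamedItem("actions");
        Attr attrRelationship = (Attr) map.getNamedItem("relationship");
        if (attrClassname == null) {
            throw new IllegalArgumentException("permission element has no classname attribute");
        }
        int count = 0;
        if (attrName != null) {
            count = 1;
            if (attrActions != null) {
                count = (attrRelationship != null) ? 3 : 2;
            }
        }
        Class<?>[] types = new Class<?>[count];
        Object[] args = new Object[count];
        for (int i = 0; i < count; i++) {
            types[i] = String.class;
        }
        if (count > 0) {
            args[0] = attrName.getValue();
        }
        if (count > 1) {
            args[1] = attrActions.getValue();
        }
        if (count > 2) {
            args[2] = attrRelationship.getValue();
        }
        String classname = attrClassname.getValue();
        Class<?> permissionClass = Class.forName(classname);
        // Only Permission subclasses may be instantiated from the policy file; the cast
        // below would catch this too, but only after an arbitrary constructor has run.
        if (!Permission.class.isAssignableFrom(permissionClass)) {
            throw new IllegalArgumentException("Not a Permission class: " + classname);
        }
        Constructor<?> constructor = permissionClass.getConstructor(types);
        return (Permission) constructor.newInstance(args);
    }

    /**
     * Returns a CodeSource object defined by the provided grant Node attributes.
     *
     * @param node expected to be a {@code grant} element
     * @return a code source for the {@code codebase} attribute, or {@code null} when the
     *         node is not a grant or has no codebase (meaning "applies everywhere")
     * @throws Exception if the codebase is not a valid URL
     */
    private java.security.CodeSource getCodebase(Node node) throws Exception {
        if (node == null || !"grant".equalsIgnoreCase(node.getNodeName())) {
            return null;
        }
        Attr attrCodebase = (Attr) node.getAttributes().getNamedItem("codebase");
        if (attrCodebase == null) {
            return null;
        }
        URL location = new URL(attrCodebase.getValue());
        // No signer certificates are recorded for a grant, so only the location is matched.
        return new CodeSource(location, (Certificate[]) null);
    }
}

// 6. PrincipalUser implements the Principal interface.

/**
 * A named principal. Instances are compared by name so that they behave correctly in the
 * principal {@code Set} of a {@link Subject} (the original defined {@code hashCode} without
 * {@code equals}).
 */
public class PrincipalUser implements Principal {

    private final String name;

    /**
     * @param name the name for this principal
     * @throws InvalidParameterException if the name is null
     */
    public PrincipalUser(String name) {
        if (name == null) {
            throw new InvalidParameterException("name cannot be null");
        }
        // search role of this name.
        this.name = name;
    }

    /**
     * Returns the name for this PrincipalUser.
     *
     * @return the name for this PrincipalUser
     */
    public String getName() {
        return name;
    }

    @Override
    public int hashCode() {
        return name.hashCode();
    }

    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (!(other instanceof PrincipalUser)) {
            return false;
        }
        return name.equals(((PrincipalUser) other).name);
    }

    @Override
    public String toString() {
        return name;
    }
}

// 7. Extend Permission and PermissionCollection.

/**
 * A permission on a named resource carrying a set of actions.
 * <p>
 * The action bits are distinct powers of two; the original used {@code 0x16} and {@code 0x24}
 * for deploy/confirm, which overlapped write/execute/delete and create/delete, so granting
 * "deploy" silently granted those as well.
 */
public class ResourcePermission extends Permission {

    public static final String OWNER_RELATIONSHIP = "OWNER";

    private static final int READ = 0x01;
    private static final int WRITE = 0x02;
    private static final int EXECUTE = 0x04;
    private static final int CREATE = 0x08;
    private static final int DELETE = 0x10;
    private static final int DEPLOY = 0x20;
    private static final int CONFIRM = 0x40;

    public static final String READ_ACTION = "read";
    public static final String WRITE_ACTION = "write";
    public static final String EXECUTE_ACTION = "execute";
    public static final String CREATE_ACTION = "create";
    public static final String DELETE_ACTION = "delete";
    public static final String DEPLOY_ACTION = "deploy";
    public static final String CONFIRM_ACTION = "confirm";

    /** Parallel tables of action bits and names, in the order getActions() prints them. */
    private static final int[] ACTION_BITS = {
        READ, WRITE, EXECUTE, CREATE, DELETE, DEPLOY, CONFIRM
    };
    private static final String[] ACTION_NAMES = {
        READ_ACTION, WRITE_ACTION, EXECUTE_ACTION, CREATE_ACTION,
        DELETE_ACTION, DEPLOY_ACTION, CONFIRM_ACTION
    };

    /** Bitwise OR of the granted action bits. */
    protected int mask;
    protected Resource resource;
    protected Subject subject;

    /**
     * Constructor for ResourcePermission.
     *
     * @param name     the resource name
     * @param actions  comma/whitespace separated action names; {@code null} means none
     * @param resource the protected resource (stored, not interpreted here)
     * @param subject  the subject the permission is checked for (stored, not interpreted here)
     * @throws IllegalArgumentException on an unknown action name
     */
    public ResourcePermission(String name, String actions, Resource resource, Subject subject) {
        super(name);
        this.resource = resource;
        this.subject = subject;
        parseActions(actions);
    }

    /**
     * @see Permission#getActions()
     * @return the granted action names joined by {@code ", "}; deploy and confirm are now
     *         included (the original omitted them)
     */
    @Override
    public String getActions() {
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < ACTION_BITS.length; i++) {
            if ((mask & ACTION_BITS[i]) == ACTION_BITS[i]) {
                if (buf.length() > 0) {
                    buf.append(", ");
                }
                buf.append(ACTION_NAMES[i]);
            }
        }
        return buf.toString();
    }

    /** @see Permission#hashCode() */
    @Override
    public int hashCode() {
        return getName().hashCode() ^ mask;
    }

    /** @see Permission#equals(Object) */
    @Override
    public boolean equals(Object object) {
        if (!(object instanceof ResourcePermission)) {
            return false;
        }
        ResourcePermission p = (ResourcePermission) object;
        return p.getName().equals(getName()) && p.mask == mask;
    }

    /**
     * @see Permission#implies(Permission)
     * @return {@code true} when {@code permission} is a ResourcePermission on the same
     *         resource name and every action it asks for is held by this one. The original
     *         returned {@code true} on the name alone, so any granted action (e.g. "read")
     *         implied every other action on that resource.
     */
    @Override
    public boolean implies(Permission permission) {
        if (!(permission instanceof ResourcePermission)) {
            return false;
        }
        ResourcePermission other = (ResourcePermission) permission;
        if (!other.getName().equals(getName())) {
            return false;
        }
        return (mask & other.mask) == other.mask;
    }

    /**
     * Parses the actions string. Actions are separated by commas or white space.
     *
     * @throws IllegalArgumentException on an unknown action name
     */
    private void parseActions(String actions) {
        mask = 0;
        if (actions == null) {
            return;
        }
        StringTokenizer tokenizer = new StringTokenizer(actions, ",\t ");
        while (tokenizer.hasMoreTokens()) {
            String token = tokenizer.nextToken();
            int bit = 0;
            for (int i = 0; i < ACTION_NAMES.length && bit == 0; i++) {
                if (ACTION_NAMES[i].equals(token)) {
                    bit = ACTION_BITS[i];
                }
            }
            if (bit == 0) {
                throw new IllegalArgumentException("Unknown action: " + token);
            }
            mask |= bit;
        }
    }

    /**
     * Gets the resource.
     * @return Returns a Resource
     */
    public Resource getResource() {
        return resource;
    }

    /**
     * Gets the subject.
     * @return Returns a Subject
     */
    public Subject getSubject() {
        return subject;
    }

    /** @see Permission#newPermissionCollection() */
    @Override
    public PermissionCollection newPermissionCollection() {
        return new ResourcePermissionCollection();
    }

    /** @see Permission#toString() */
    @Override
    public String toString() {
        return getName() + ":" + getActions();
    }
}

/**
 * A collection of {@link ResourcePermission}s grouped by resource name.
 * <p>
 * Within a name, entries are keyed by their action string, so several grants for the same
 * resource accumulate (the original replaced the whole group on every {@code add}, keeping only
 * the last permission, and {@code elements()} collapsed all groups onto the single key
 * {@code "none"}).
 */
public class ResourcePermissionCollection extends PermissionCollection {

    /** resource name -> (action string -> permission). Hashtable is synchronized per call only. */
    private final Hashtable<String, Hashtable<String, ResourcePermission>> permissions;

    public ResourcePermissionCollection() {
        permissions = new Hashtable<String, Hashtable<String, ResourcePermission>>();
    }

    /**
     * @see PermissionCollection#elements()
     * @return every permission stored, across all resource names
     */
    @Override
    public Enumeration<Permission> elements() {
        Hashtable<String, Permission> all = new Hashtable<String, Permission>();
        for (Hashtable<String, ResourcePermission> group : permissions.values()) {
            for (ResourcePermission p : group.values()) {
                // toString() is name:actions, unique per stored entry.
                all.put(p.toString(), p);
            }
        }
        return all.elements();
    }

    /**
     * @see PermissionCollection#implies(Permission)
     * @throws IllegalArgumentException if {@code permission} is not a ResourcePermission
     */
    @Override
    public boolean implies(Permission permission) {
        if (!(permission instanceof ResourcePermission)) {
            throw new IllegalArgumentException("Wrong Permission type");
        }
        ResourcePermission rcsPermission = (ResourcePermission) permission;
        Hashtable<String, ResourcePermission> group = permissions.get(rcsPermission.getName());
        if (group == null) {
            return false;
        }
        for (ResourcePermission granted : group.values()) {
            if (granted.implies(permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @see PermissionCollection#add(Permission)
     * @throws IllegalArgumentException if the collection is read-only or
     *         {@code permission} is not a ResourcePermission
     */
    @Override
    public void add(Permission permission) {
        if (isReadOnly()) {
            throw new IllegalArgumentException("Read only collection");
        }
        if (!(permission instanceof ResourcePermission)) {
            throw new IllegalArgumentException("Wrong Permission type");
        }
        ResourcePermission rcsPermission = (ResourcePermission) permission;
        Hashtable<String, ResourcePermission> group = permissions.get(rcsPermission.getName());
        if (group == null) {
            group = new Hashtable<String, ResourcePermission>();
            permissions.put(rcsPermission.getName(), group);
        }
        // Same permission names may carry different action sets; keep each of them.
        // An identical grant simply overwrites itself.
        group.put(rcsPermission.getActions(), rcsPermission);
    }
}

// 8. Implement the authorized Action.

package com.nova.colimas.security.actions;

import java.security.PrivilegedAction;
import com.nova.colimas.data.sql.*;
import com.nova.colimas.data.sql.SQLTBI;

/** Runs an SQLTURM update under the caller's Subject so that its permission check applies. */
public class DBTURMAction implements PrivilegedAction<Object> {

    /** @return always {@code null}; the interesting effect is the access check in update() */
    public Object run() {
        // Exercise the authorization check.
        SQLTURM sqltbi = new SQLTURM();
        sqltbi.update(null);
        return null;
    }
}

// 9. Authorization check: SQLTURM.

/*
 * Created on 2005/07/01
 *
 * TODO To change the template for this generated file go to
 * Window - Preferences - Java - Code Style - Code Templates
 */
package com.nova.colimas.security.auth;

/**
 * This interface is used by implementing classes that
 * want to provide class instance authorization.
 */
public interface Resource {
}

public class SQLTURM implements Resource {

    /*
     * (non-Javadoc)
     * @see com.nova.colimas.data.sql.DAOAction#update(java.lang.Object)
     */
    /**
     * @param bean unused here (the original passes {@code null})
     * @return {@code true} once the access check has passed
     * @throws java.security.AccessControlException if the current subject does not hold
     *         "write" on this resource
     */
    public boolean update(Object bean) {
        // Check whether the current subject (role 00001 in the example) may perform
        // "write" on SQLTURM. NOTE(review): the permission name is the class name
        // AccessController resolves with Class.forName; confirm it matches this
        // class's actual package.
        Permission permission = new ResourcePermission(
                "com.nova.colimas.data.sql.SQLTURM", "write", this,
                Subject.getSubject(java.security.AccessController.getContext()));
        AccessController.checkPermission(permission);
        // With permission the statements below run; without it the check threw.
        return true;
    }
}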
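// 10. Implement com.nova.colimas.security.auth.AccessController, which obtains the
//     XMLPolicyFile instance.

package com.nova.colimas.security.auth;

import java.security.AccessControlException;
import java.security.*;

/**
 * Application-level access check backed by {@link XMLPolicyFile}.
 * <p>
 * The policy class is read from the {@code policy.provider} security property and a fresh
 * instance (which re-parses the XML file) is created on every call; any failure along the
 * way — unknown class, unparsable policy, missing subject — denies access.
 */
public class AccessController {

    /**
     * Throws unless the subject attached to {@code permission} holds it according to the
     * XML policy.
     *
     * @param permission a {@link ResourcePermission}; anything else is denied
     * @throws AccessControlException when the permission is not granted or cannot be checked
     */
    public static void checkPermission(Permission permission) throws AccessControlException {
        // The original cast unconditionally, so a foreign Permission escaped as a
        // ClassCastException; a wrong type is simply a denial.
        if (!(permission instanceof ResourcePermission)) {
            throw new AccessControlException("Access Deny");
        }
        final ResourcePermission perm = (ResourcePermission) permission;
        String policyClass = java.security.AccessController.doPrivileged(
                new PrivilegedAction<String>() {
                    public String run() {
                        return Security.getProperty("policy.provider");
                    }
                });
        try {
            XMLPolicyFile policy = (XMLPolicyFile) Class.forName(policyClass).newInstance();
            // The permission name doubles as the protected class's name; its code source
            // is what the policy's codebase grants are matched against.
            Class<?> permClass = Class.forName(perm.getName());
            CodeSource source = permClass.getProtectionDomain().getCodeSource();
            ResourcePermissionCollection rpc = (ResourcePermissionCollection)
                    policy.getPermissions(perm.getSubject(), source);
            if (rpc.implies(perm)) {
                return;
            }
        } catch (Exception e) {
            // Fail closed: every error on the way to a decision is a denial.
            e.printStackTrace();
        }
        throw new AccessControlException("Access Deny");
    }
}

// 11. Implement com.nova.colimas.web.action.LoginAction.

/**
 * Struts action that authenticates the submitted user through JAAS and then runs
 * {@link DBTURMAction} as that subject.
 * <p>
 * Struts shares one Action instance across requests, so the login context and form are
 * kept as locals; the original held them in instance fields, where concurrent logins could
 * observe each other's subject.
 */
public class LoginAction extends Action {

    /**
     * @return the {@code success} forward when login and the authorized action complete,
     *         {@code failure} otherwise
     */
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // 1. get the login form bean
        // 2. read its values
        // 3. hand them to the JAAS login module
        LoginForm loginForm = (LoginForm) form;
        LoginContext loginContext;
        try {
            loginContext = new LoginContext(JAASConstants.AUTH_SECURITY_MODULENAME,
                    new LoginCallbackHandler(loginForm.getUserID(), loginForm.getPassword()));
        } catch (SecurityException e) {
            // The original went on to call login() on a null context; fail here instead.
            e.printStackTrace();
            return mapping.findForward("failure");
        } catch (LoginException e) {
            e.printStackTrace();
            return mapping.findForward("failure");
        }

        // Authenticate the user
        try {
            // Runs ColimasLoginModule.initialize(Subject, CallbackHandler, Map, Map) first,
            // then ColimasLoginModule.login().
            loginContext.login();
            System.out.println("\nCreating a new UserProfile...");
            // Check that the authenticated subject may run DBTURMAction.
            Subject.doAs(loginContext.getSubject(), new DBTURMAction());
            System.out.println("Successfully!\n");
        } catch (Exception e) {
            System.out.println("Unexpected Exception - unable to continue");
            e.printStackTrace();
            return mapping.findForward("failure");
        }
        return mapping.findForward("success");
    }
}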