DefaultSecurityContext.java
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.interceptor.security;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.GroupPrincipal;
import org.apache.cxf.common.util.ReflectionUtil;
import org.apache.cxf.security.LoginSecurityContext;
/**
* SecurityContext which implements isUserInRole using the
* following approach : skip the first Subject principal, and then checks
* Groups the principal is a member of
*/
public class DefaultSecurityContext implements LoginSecurityContext {
private static final Logger LOG = LogUtils.getL7dLogger(DefaultSecurityContext.class);
private static Class<?> javaGroup;
private static Class<?> karafGroup;
private Principal p;
private Subject subject;
static {
try {
javaGroup = Class.forName("java.security.acl.Group");
} catch (Exception e) {
javaGroup = null;
}
try {
karafGroup = Class.forName("org.apache.karaf.jaas.boot.principal.Group");
} catch (Exception e) {
karafGroup = null;
}
}
public DefaultSecurityContext(Subject subject) {
this.p = findPrincipal(null, subject);
this.subject = subject;
}
public DefaultSecurityContext(String principalName, Subject subject) {
this.p = findPrincipal(principalName, subject);
this.subject = subject;
}
public DefaultSecurityContext(Principal p, Subject subject) {
this.p = p;
this.subject = subject;
if (p == null) {
this.p = findPrincipal(null, subject);
}
}
private static Principal findPrincipal(String principalName, Subject subject) {
if (subject == null) {
return null;
}
for (Principal principal : subject.getPrincipals()) {
if (!isGroupPrincipal(principal)
&& (principalName == null || principal.getName().equals(principalName))) {
return principal;
}
}
// No match for the principalName. Just return first non-Group Principal
if (principalName != null) {
for (Principal principal : subject.getPrincipals()) {
if (!isGroupPrincipal(principal)) {
return principal;
}
}
}
return null;
}
public Principal getUserPrincipal() {
return p;
}
public boolean isUserInRole(String role) {
if (subject != null) {
for (Principal principal : subject.getPrincipals()) {
if (isGroupPrincipal(principal)
&& checkGroup(principal, role)) {
return true;
} else if (p != principal
&& role.equals(principal.getName())) {
return true;
}
}
}
return false;
}
protected boolean checkGroup(Principal principal, String role) {
if (principal.getName().equals(role)) {
return true;
}
Enumeration<? extends Principal> members;
try {
Method m = ReflectionUtil.getMethod(principal.getClass(), "members");
m.setAccessible(true);
@SuppressWarnings("unchecked")
Enumeration<? extends Principal> ms = (Enumeration<? extends Principal>)m.invoke(principal);
members = ms;
} catch (Exception e) {
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Unable to invoke memebers in " + principal.getName() + ":" + e.getMessage());
}
return false;
}
while (members.hasMoreElements()) {
// this might be a plain role but could represent a group consisting of other groups/roles
Principal member = members.nextElement();
if (member.getName().equals(role)
|| isGroupPrincipal(member)
&& checkGroup((GroupPrincipal)member, role)) {
return true;
}
}
return false;
}
public Subject getSubject() {
return subject;
}
public Set<Principal> getUserRoles() {
Set<Principal> roles = new HashSet<>();
if (subject != null) {
for (Principal principal : subject.getPrincipals()) {
if (principal != p) {
roles.add(principal);
}
}
}
return roles;
}
private static boolean instanceOfGroup(Object obj) {
try {
return (javaGroup != null && javaGroup.isInstance(obj))
|| (karafGroup != null && karafGroup.isInstance(obj));
} catch (Exception ex) {
return false;
}
}
public static boolean isGroupPrincipal(Principal principal) {
return principal instanceof GroupPrincipal
|| instanceOfGroup(principal);
}
}