ontomde-demo-acegi 1.0.6

data/demo/domain/src/main/java/xmda/security/ProviderImpl.java

@@ -0,0 +1,367 @@
+package xmda.security;
+
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.Vector;
+
+import org.acegisecurity.ConfigAttributeDefinition;
+import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.GrantedAuthorityImpl;
+import org.acegisecurity.SecurityConfig;
+import org.acegisecurity.context.SecurityContextHolder;
+import org.acegisecurity.userdetails.User;
+import org.acegisecurity.userdetails.UserDetails;
+
+import xmda.security.authorization.DBAuthorizationDefinitionSource;
+import administration.ApplicationUser;
+import administration.BusinessGroup;
+import administration.SecureField;
+import administration.SecureMethod;
+import administration.SecureWebFilter;
+import administration.SecurityRole;
+
+public class ProviderImpl implements Provider {
+
+    public static final boolean GRANT_ACCESS=true;
+    public static final boolean DENY_ACCESS=false;
+	
+	private static final boolean securityIsDisabled = System
+			.getProperty("webapp.security.mode") != null
+			&& System.getProperty("webapp.security.mode").equalsIgnoreCase(
+					"disable");
+
+	public static boolean getSecurityIsDisabled() {
+		return securityIsDisabled;
+	}
+
+	private Object principalObject;
+
+	public UserDetails loadUser(String userName) {
+
+		List<administration.ApplicationUser> users = administration.ApplicationUser
+				.findAll((ApplicationUser) null);
+
+		UserDetails userToIdentify = null;
+
+		for (administration.ApplicationUser user : users) {
+
+			if (userName != null && userName.equalsIgnoreCase(user.getLogin())) {
+
+				userToIdentify = new User(user.getLogin(), user.getPassword(),
+						true, true, true, true, retrieveAuthorities(user));
+
+				break;
+
+			}
+
+		}
+
+		principalObject = userToIdentify;
+		return userToIdentify;
+	}
+
+	private static GrantedAuthority[] retrieveAuthorities(ApplicationUser user) {
+
+		GrantedAuthority[] authorities = null;
+
+		List<SecurityRole> userRoles = new ArrayList<SecurityRole>();
+
+		if (user != null && user.getUserGroup() != null) {
+
+			Set<BusinessGroup> groups = user.getUserGroup();
+
+			for (BusinessGroup group : groups) {
+
+				userRoles.addAll(group.getGroupRole());
+
+			}
+
+			authorities = new GrantedAuthority[userRoles.size()];
+
+			for (int i = 0; i < userRoles.size(); i++) {
+
+				authorities[i] = new GrantedAuthorityImpl(userRoles.get(i)
+						.getRoleName());
+
+			}
+
+		}
+
+		for (GrantedAuthority auth : authorities) {
+
+		}
+
+		return authorities;
+
+	}
+
+	public boolean hasViewRights(String fieldName) {
+
+		boolean isViewable = true;
+
+		if (!securityIsDisabled) {
+
+			principalObject = SecurityContextHolder.getContext()
+					.getAuthentication().getPrincipal();
+
+			if (principalObject instanceof UserDetails) {
+
+				UserDetails principal = (UserDetails) principalObject;
+
+				SecureField toSecure = null;
+
+				GrantedAuthority[] grantedRoles = principal.getAuthorities();
+
+				List<SecureField> fieldList = SecureField
+						.findAll((SecureField) null);
+
+				for (SecureField field : fieldList) {
+					if (field.getDefinition() == null) {
+						System.out
+								.println("Secured field skipped. missing getDefinition()");
+						continue;
+					}
+
+					String enumField = field.getDefinition().ownerClass
+							.getCanonicalName()
+							+ "." + field.getDefinition().propertyName;
+
+					if (fieldName.equalsIgnoreCase(enumField)) {
+						toSecure = field;
+						break;
+					}
+				}
+
+				if (toSecure != null) {
+
+					if (toSecure.getDefinition().isSecured) {
+						isViewable = false;
+						Set<SecurityRole> securityRoles = toSecure
+								.getSecureFieldRoles();
+						for (SecurityRole sRole : securityRoles) {
+							for (GrantedAuthority authority : grantedRoles) {
+								if (authority.getAuthority().equalsIgnoreCase(
+										sRole.getRoleName())) {
+									isViewable = true;
+								}
+							}
+
+						}
+					}
+				} else {
+
+					// Erreur, le nom du champ a �t� modifi� sur la JSP
+
+				}
+			}
+		}
+
+		return isViewable;
+
+	}
+
+    
+	/*
+	 * Method called by pointcut @Before on method annotated @Secure
+	 * Must return true for access to be granted.
+	 * @see xmda.security.Provider#hasMethodAccess(java.lang.String, java.lang.Object)
+	 * 
+	 * @param signature name of the method called
+	 * @param target object being accessed
+	 * @return true if access granted, false if access denied.
+	 */
+	public boolean hasMethodAccess(final String signature, final Object target) {
+		System.out.println("hasMethodAccess ??");
+		if (securityIsDisabled) {
+			// Server is in securityIsDisabled debug mode.
+			// Allow access
+			System.out.println("granted: WARNING SERVER IN NO SECURITY MODE");
+			return GRANT_ACCESS;
+		}
+
+		// user principal
+		principalObject = SecurityContextHolder.getContext()
+				.getAuthentication().getPrincipal();
+		if (!(principalObject instanceof UserDetails)) {
+			System.out
+					.println("denied: Access denied because of Internal error. Bad principalObject returned by principalObject");
+			return DENY_ACCESS;
+		}
+		UserDetails principal = (UserDetails) principalObject;
+
+		boolean hasAcces = false;
+
+		// Example: com.xyz.Aclass.doThat
+
+		// STEP 1: look for role granting this method.
+		boolean foundSecureMethod = false;
+		Set<SecurityRole> okRole = getGrantingRoles(target, signature);
+		if (okRole.isEmpty()) {
+			System.out
+					.println("denied: access denied because no possible role/SecureMethod grant found (foundSecureMethod="
+							+ foundSecureMethod + ")");
+			return DENY_ACCESS;
+		}
+		// STEP 2: check if SecureMethods found match user authorization.
+		filterOutNotGrantedRole(principal, okRole);
+		if (okRole.isEmpty()) {
+			System.out
+					.println("denied: access denied because user has no eligible role");
+			return DENY_ACCESS;
+		}
+		if (containsRoleNotRequiringComputedAccessControlCriteria(okRole)) {
+			System.out.println("Access granted trough role with computed criteria");
+			return GRANT_ACCESS;
+		}
+		
+		Set<GlobalComputedAccessControlCriteria> requiredGrants=getRequiredGrants(okRole);
+		
+		Set<xmda.security.GlobalComputedAccessControlCriteria> grants=getGrantedCriteria(target,principal);
+		if (grants.isEmpty()) {
+			System.out
+					.println("denied: access denied because computed grants is empty");
+			return DENY_ACCESS;
+		}		
+		grants.retainAll(requiredGrants);
+		if (grants.isEmpty()) {
+			System.out
+			.println("denied: access denied because computed grants is empty do not match required grants");
+			return DENY_ACCESS;
+		}
+		System.out.println("granted: access granted");
+		return GRANT_ACCESS;
+	}
+
+	private Set<SecurityRole> getGrantingRoles(final Object target,
+			final String signature) {
+		String completeSignature = target.getClass().getCanonicalName() + "."
+				+ signature;
+		Set<SecurityRole> okRole = new java.util.HashSet<SecurityRole>();
+		List<SecureMethod> methods = SecureMethod.findAll((SecureMethod) null);
+		for (SecureMethod method : methods) {
+			String enumMethod = method.getSignature().ownerClass
+					.getCanonicalName()
+					+ "." + method.getSignature().operationName;
+			if (completeSignature.equals(enumMethod)) {
+				okRole.addAll(method.getSecureMethodRoles());
+				break;
+			}
+		}
+		return okRole;
+	}
+
+	private void filterOutNotGrantedRole(UserDetails principal,
+			Set<SecurityRole> okRole) {
+		GrantedAuthority[] authorities = principal.getAuthorities();
+		role_loop: for (SecurityRole role : okRole) {
+			for (GrantedAuthority authority : authorities) {
+				if (authority.getAuthority().equals(role.getRoleName())) {
+					// we keep this role
+					continue role_loop;
+				}
+			}
+			// We have reach the end of the authority loop and role was not
+			// granted.
+			// Let's remove it from our ok list
+			okRole.remove(role);
+		}
+	}
+
+	private boolean containsRoleNotRequiringComputedAccessControlCriteria(
+			Set<SecurityRole> okRole) {
+		for (SecurityRole role : okRole) {
+			if (role.getRequiredComputedAccessRight() == null) {
+				// we found one role does not require computation.
+				return true;
+			}
+		}
+		return false;
+	}
+
+	public static final String COMPUTE_ACCESS_CONTROL_GRANT_METHOD_NAME = "getComputedAccessControlGrant";
+
+	private boolean containsGrantedComputedAccessControlCriteria(
+			Set<SecurityRole> okRole, Object target, UserDetails principal) {
+		return true;
+
+	}
+	private Set<xmda.security.GlobalComputedAccessControlCriteria> getRequiredGrants(Set<SecurityRole> okRole) {
+		Set<xmda.security.GlobalComputedAccessControlCriteria> grants=new java.util.HashSet<xmda.security.GlobalComputedAccessControlCriteria>();
+		for (SecurityRole role : okRole) {
+			grants.add(role.getRequiredComputedAccessRight());
+		}
+		return grants; 
+	}
+	private Set<xmda.security.GlobalComputedAccessControlCriteria> getGrantedCriteria(
+			Object target,UserDetails principal) {
+		String longClassName = target.getClass().getName();
+
+		try {
+			Class<?> targetClass = Class.forName(longClassName);
+			Method method = targetClass
+					.getMethod(COMPUTE_ACCESS_CONTROL_GRANT_METHOD_NAME,
+							UserDetails.class);
+			if (method == null) {
+				System.out.println("Missing method "
+						+ COMPUTE_ACCESS_CONTROL_GRANT_METHOD_NAME
+						+ " in class " + longClassName);
+			}
+			return (Set<xmda.security.GlobalComputedAccessControlCriteria>) method
+					.invoke(target, principal);
+		} catch (Exception e) {
+			System.out.println("ERROR" + e);
+			e.printStackTrace();
+		}
+		//deny access
+		return new java.util.HashSet<xmda.security.GlobalComputedAccessControlCriteria>();
+	}
+
+	public List getWebFiltersDefinition() {
+
+		List requestMap = new Vector();
+
+		DBAuthorizationDefinitionSource dbauth = new DBAuthorizationDefinitionSource();
+
+		int count = 0;
+
+		Set<SecureWebFilter> securedObjects = new TreeSet<SecureWebFilter>(
+				new Comparator<SecureWebFilter>() {
+
+					public int compare(SecureWebFilter o1, SecureWebFilter o2) {
+
+						return Integer.valueOf(o1.getSortOrder()).compareTo(
+								Integer.valueOf(o2.getSortOrder()));
+					}
+				});
+
+		List<SecureWebFilter> securedUrls = SecureWebFilter
+				.findAll((SecureWebFilter) null);
+
+		securedObjects.addAll(securedUrls);
+
+		ConfigAttributeDefinition def = new ConfigAttributeDefinition();
+
+		for (SecureWebFilter filterInvocation : securedObjects) {
+
+			def = new ConfigAttributeDefinition();
+			for (administration.SecurityRole role : filterInvocation
+					.getSecureURLRoles()) {
+				def.addConfigAttribute(new SecurityConfig(role.getRoleName()));
+
+				requestMap.add(count, dbauth.new EntryHolder(filterInvocation
+						.getUrl(), def));
+				count++;
+			}
+		}
+
+		return requestMap;
+
+	}
+
+}

data/demo/ear/pom.xml

@@ -0,0 +1,160 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>ontomde.sample</groupId>
+		<artifactId>projectbase</artifactId>
+		<version>1.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>sample-ear</artifactId>
+	<packaging>ear</packaging>
+	<name>sample-ear</name>
+	<url>http://maven.apache.org</url>
+	<dependencies>
+
+		<dependency>
+			<groupId>ontomde</groupId>
+			<artifactId>ontomde-bpm-client</artifactId>
+			<version>${ontomde.lib.version}</version>
+			<type>ejb</type>
+		</dependency>
+
+		<dependency>
+			<groupId>${pom.groupId}</groupId>
+			<artifactId>domain</artifactId>
+			<version>${pom.version}</version>
+			<type>ejb</type>
+		</dependency>
+
+		<dependency>
+			<groupId>${pom.groupId}</groupId>
+			<artifactId>webapp</artifactId>
+			<version>${pom.version}</version>
+			<type>war</type>
+		</dependency>
+
+	</dependencies>
+
+	<!-- 4. Specify the content of generated artifact. -->
+	<build>
+
+		<!-- 4.1. Specify the final name of the artifact. -->
+		<finalName>${artifactId}</finalName>
+
+		<defaultGoal>package</defaultGoal>
+
+		<!-- 4.2. We don't want to filter for this module: "filters" section is empty. -->
+
+		<plugins>
+
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-ear-plugin</artifactId>
+				<configuration>
+					<encoding>UTF-8</encoding>
+					<version>5</version>
+					<!-- 4.5. Specify modules to include. -->
+					<modules>
+						<webModule>
+							<groupId>${pom.groupId}</groupId>
+							<artifactId>webapp</artifactId>
+							<contextRoot>/webapp</contextRoot>
+							<!-- 4.5.3.1. Only if you want different file name inside "ear" file. 
+								<bundleFileName>myBundleWebApplicationModule1FileName</bundleFileName>
+							-->
+							<!-- 4.5.3.2. Specify the context root if you need different name. -->
+							<!-- Default is: "/${pom.artifactId} -->
+						</webModule>
+						<!-- 4.5.2. Include EJB Module. -->
+						<ejbModule>
+							<groupId>ontomde</groupId>
+							<artifactId>ontomde-bpm-client</artifactId>
+						</ejbModule>
+						<ejbModule>
+							<groupId>${pom.groupId}</groupId>
+							<artifactId>domain</artifactId>
+						</ejbModule>
+					</modules>
+					<archive>
+						<addMavenDescriptor>false</addMavenDescriptor>
+					</archive>
+				</configuration>
+			</plugin>
+
+		</plugins>
+	</build>
+
+	<profiles>
+		<profile>
+			<id>JBOSS</id>
+			<activation>
+				<property>
+					<!-- a BUG avoid using ${env.JEE_SERVER} instead using mvn task -DJEE_SERVER  -->
+					<name>JEE_SERVER</name>
+					<value>JBOSS</value>
+				</property>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.codehaus.mojo</groupId>
+						<artifactId>jboss-maven-plugin</artifactId>
+						<executions>
+							<execution>
+								<phase>install</phase>
+								<goals>
+									<goal>deploy</goal>
+								</goals>
+							</execution>
+						</executions>
+						<configuration>
+							<jbossHome>
+								C:\applis\AppServers\jboss-5.0.0.Beta2
+							</jbossHome>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+		<profile>
+		
+			<id>GLASSFISH</id>
+			<activation>
+				<property>
+					<!-- a BUG avoid using ${env.JEE_SERVER} instead using mvn task -DJEE_SERVER  -->
+					<name>JEE_SERVER</name>
+					<value>GLASSFISH</value>
+				</property>
+			</activation>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>pl.sliwa.maven.plugin</groupId>
+						<artifactId>glassfish-maven-plugin</artifactId>
+						<version>1.0-SNAPSHOT</version>
+						<executions>
+							<execution>
+								<phase>install</phase>
+								<goals>
+									<goal>deploy</goal>
+								</goals>
+							</execution>
+						</executions>
+						<configuration>
+							<glassfishHome>
+								c:\applis\AppServers\glassfish-v2-b58
+							</glassfishHome>
+							<domain>runtime</domain>
+							<domaindir>
+								c:\MesProjets\agis\ejb3
+							</domaindir>
+							<port>8048</port>
+						</configuration>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+
+</project>