Classes in this File | Line Coverage | Branch Coverage | Complexity | ||||
AuthorizedHelloWorldService |
|
| 5.5;5.5 |
1 | /* | |
2 | * Copyright (c) 2009, Swiss Federal Department of Defence Civil Protection and Sport | |
3 | * (http://www.vbs.admin.ch) | |
4 | * Copyright (c) 2009, Ergon Informatik AG (http://www.ergon.ch) | |
5 | * All rights reserved. | |
6 | * | |
7 | * Licensed under the Open Permis License which accompanies this distribution, | |
8 | * and is available at http://www.openpermis.org/BSDlicenceKent.txt | |
9 | */ | |
10 | package org.openpermis.examples.ldap; | |
11 | ||
12 | import java.net.URI; | |
13 | import java.net.URISyntaxException; | |
14 | import java.util.ArrayList; | |
15 | import java.util.List; | |
16 | ||
17 | import org.openpermis.AuthorizationService; | |
18 | import org.openpermis.AuthorizationServiceException; | |
19 | import org.openpermis.Subject; | |
20 | import org.openpermis.policy.AccessDecision; | |
21 | ||
22 | ||
23 | /** | |
24 | * An implementation of the HelloWorld service that controls access with the help of | |
25 | * a policy decision point (PDP). It serves as a policy enforcement point for the | |
26 | * HelloWorld application. | |
27 | * @since 0.1.0 | |
28 | */ | |
29 | public class AuthorizedHelloWorldService | |
30 | implements HelloWorldService | |
31 | { | |
32 | ||
33 | //---- Static | |
34 | ||
35 | /** | |
36 | * @since 0.1.0 | |
37 | */ | |
38 | 1 | protected static final URI TARGET_RESOURCE_URI = URI.create("cn=letterbox,o=post,c=ch"); |
39 | ||
40 | /** | |
41 | * @since 0.1.0 | |
42 | */ | |
43 | protected static final String ACTION_NAME = "collectLetters"; | |
44 | ||
45 | //---- State | |
46 | ||
47 | /** | |
48 | * The injected authorization service. | |
49 | * @since 0.3.0 | |
50 | */ | |
51 | private final AuthorizationService authorizationService; | |
52 | ||
53 | /** | |
54 | * The actual service implementation to which we forward authorized requests. | |
55 | * @since 0.1.0 | |
56 | */ | |
57 | private final HelloWorldService delegate; | |
58 | ||
59 | //---- Constructors | |
60 | ||
61 | /** | |
62 | * Creates an authorized HelloWorld service that uses the specified policy decision | |
63 | * context for retrieving roles and making access decisions. | |
64 | * @param authorizationService a {@link AuthorizationService}. | |
65 | * @param delegate the real service implementation to which authorized requests are forwarded. | |
66 | * @since 0.1.0 | |
67 | */ | |
68 | public AuthorizedHelloWorldService ( | |
69 | AuthorizationService authorizationService, | |
70 | HelloWorldService delegate | |
71 | 2 | ) { |
72 | 2 | this.authorizationService = authorizationService; |
73 | 2 | this.delegate = delegate; |
74 | 2 | } |
75 | ||
76 | //---- HelloWorldService | |
77 | ||
78 | /** | |
79 | * @since 0.1.0 | |
80 | */ | |
81 | // TODO Any Example should be named according to the postman example. | |
82 | public String getHelloMessage (String name) | |
83 | throws HelloWorldException | |
84 | { | |
85 | // Find out who wants to access the service and which roles he has. | |
86 | // In an authenticated application you would get a java.net.Principal from an | |
87 | // authentication service and determine an identity from its name. | |
88 | // In a stateful application you would cache the retrieved subject in the current | |
89 | // session context to avoid repeated role lookups. | |
90 | final URI identity; | |
91 | try { | |
92 | 2 | identity = new URI(name); |
93 | 0 | } catch (URISyntaxException e) { |
94 | 0 | throw new HelloWorldException("Invalid name " + name, e); |
95 | 2 | } |
96 | ||
97 | final Subject subject; | |
98 | try { | |
99 | 2 | subject = this.authorizationService.retrieveSubject(identity); |
100 | 0 | } catch (AuthorizationServiceException e) { |
101 | 0 | throw new HelloWorldException("Cannot retrieve subject for " + name, e); |
102 | 2 | } |
103 | ||
104 | // Identify the resource to protect. This could be a service URL. | |
105 | 2 | final URI resource = TARGET_RESOURCE_URI; |
106 | ||
107 | // Identify the action to perform on the protected resource. | |
108 | 2 | final String actionName = ACTION_NAME; |
109 | 2 | final List<Object> arguments = new ArrayList<Object>(); |
110 | ||
111 | ||
112 | try { | |
113 | // Ask the authorization service for an access decision. | |
114 | 2 | final AccessDecision decision = this.authorizationService.getAccessDecision( |
115 | subject, resource, actionName, arguments | |
116 | ); | |
117 | ||
118 | 2 | if (decision.isAccessGranted()) { |
119 | // We are authorized to proceed, but still have to check obligations in the future. | |
120 | 1 | return this.delegate.getHelloMessage(name); |
121 | } | |
122 | ||
123 | // The decision is negative. We must inform the caller that he is not authorized. | |
124 | 1 | throw new HelloWorldException("Access denied for " + name); |
125 | ||
126 | 0 | } catch (AuthorizationServiceException e) { |
127 | 0 | throw new HelloWorldException("Cannot get access decision for " + name, e); |
128 | } | |
129 | } | |
130 | ||
131 | } |