
Commit 8a50069

author
planetlevel
committed
Move DefaultAccessController to main reference package to hide new design a bit until it's complete.
1 parent 8e00c97 commit 8a50069

8 files changed

Lines changed: 202 additions & 33 deletions


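--- a/src/main/java/org/owasp/esapi/AccessController.java
+++ b/src/main/java/org/owasp/esapi/AccessController.java
@@ -151,7 +151,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @return
 * true, if is authorized for URL
-* @deprecated
 */
 boolean isAuthorizedForURL(String url);
 
@@ -166,7 +165,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @return
 * true, if is authorized for function
-* @deprecated
 */
 boolean isAuthorizedForFunction(String functionName);
 
@@ -186,7 +184,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @return
 * true, if is authorized for the data
-* @deprecated
 */
 boolean isAuthorizedForData(String action, Object data);
 
@@ -201,7 +198,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @return
 * true, if is authorized for the file
-* @deprecated
 */
 boolean isAuthorizedForFile(String filepath);
 
@@ -217,7 +213,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @return
 * true, if is authorized for the service
-* @deprecated
 */
 boolean isAuthorizedForService(String serviceName);
 
@@ -246,7 +241,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @throws AccessControlException
 * if access is not permitted
-* @deprecated
 */
 void assertAuthorizedForURL(String url) throws AccessControlException;
 
@@ -275,7 +269,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @throws AccessControlException
 * if access is not permitted
-* @deprecated
 */
 void assertAuthorizedForFunction(String functionName) throws AccessControlException;
 
@@ -305,7 +298,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @throws AccessControlException
 * if access is not permitted
-* @deprecated
 */
 void assertAuthorizedForData(String action, Object data) throws AccessControlException;
 
@@ -331,7 +323,6 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 * @param filepath
 * Path to the file to be checked
 * @throws AccessControlException if access is denied
-* @deprecated
 */
 void assertAuthorizedForFile(String filepath) throws AccessControlException;
 
@@ -359,9 +350,7 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 *
 * @throws AccessControlException
 * if access is not permitted
-* @deprecated
 */
 void assertAuthorizedForService(String serviceName) throws AccessControlException;
 
-
 }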

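--- a/src/main/java/org/owasp/esapi/HTTPUtilities.java
+++ b/src/main/java/org/owasp/esapi/HTTPUtilities.java
@@ -253,16 +253,22 @@ public interface HTTPUtilities {
 HttpServletResponse getCurrentResponse();
 
 /**
-* Calls getFileUploads with the *current* request.
+* Calls getFileUploads with the *current* request, default upload directory, and default allowed file extensions
 * @see {@link HTTPUtilities#setCurrentHTTP(HttpServletRequest, HttpServletResponse)}
 */
 List getFileUploads() throws ValidationException;
 
 /**
-* Parse a multipart HTTP request and extract any files therein.
+* Call getFileUploads with the specified request, default upload directory, and default allowed file extensions
 */
 List getFileUploads(HttpServletRequest request) throws ValidationException;
 
+/**
+* Call getFileUploads with the specified request, specified upload directory, and default allowed file extensions
+*/
+List getFileUploads(HttpServletRequest request, File finalDir ) throws ValidationException;
+
+
 /**
 * Extract uploaded files from a multipart HTTP requests. Implementations must check the content to ensure that it
 * is safe before making a permanent copy on the local filesystem. Checks should include length and content checks,
@@ -279,7 +285,7 @@ public interface HTTPUtilities {
 * @throws ValidationException
 * if the file fails validation
 */
-List getFileUploads(HttpServletRequest request, File destinationDir) throws ValidationException;
+List getFileUploads(HttpServletRequest request, File destinationDir, List allowedExtensions) throws ValidationException;
 
 
 /**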
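Review bot: The new `List allowedExtensions` parameter on the three-argument `getFileUploads` is a raw `List` with no contract visible in this hunk, so an implementation is free to treat `null` or an empty list as "no restriction" on uploaded file types. Most of that method's Javadoc lies outside the hunk and may already cover it; if it does not, add an `@param allowedExtensions` entry stating the element type, whether matching is case-sensitive, and that a null or empty list rejects every upload rather than allowing all of them. The new two-argument overload calls its directory `finalDir` while the three-argument one keeps `destinationDir`; using `destinationDir` in both, as in `List getFileUploads(HttpServletRequest request, File destinationDir) throws ValidationException;`, keeps the overloads parallel and drops the stray space before `)`.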

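--- a/src/main/java/org/owasp/esapi/reference/accesscontrol/DefaultAccessController.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultAccessController.java
@@ -1,4 +1,4 @@
-package org.owasp.esapi.reference.accesscontrol;
+package org.owasp.esapi.reference;
 
 import java.util.Map;
 
@@ -18,6 +18,7 @@ public class DefaultAccessController implements AccessController {
 public DefaultAccessController(Map ruleMap) {
 this.ruleMap = ruleMap;
 }
+
 public DefaultAccessController() throws AccessControlException {
 ACRPolicyFileLoader policyDescriptor = new ACRPolicyFileLoader();
 PolicyDTO policyDTO = policyDescriptor.load();
@@ -73,14 +74,11 @@ public void assertAuthorized(Object key, Object runtimeParameter)
 }
 }
 
-/**** Below this line is legacy support ****/
-
 /**
 * @param action
 * @param data
 * @throws AccessControlException
 * @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForData(java.lang.String, java.lang.Object)
-* @deprecated
 */
 public void assertAuthorizedForData(String action, Object data)
 throws AccessControlException {
@@ -102,7 +100,6 @@ public void assertAuthorizedForFile(String filepath)
 * @param functionName
 * @throws AccessControlException
 * @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForFunction(java.lang.String)
-* @deprecated
 */
 public void assertAuthorizedForFunction(String functionName)
 throws AccessControlException {
@@ -113,7 +110,6 @@ public void assertAuthorizedForFunction(String functionName)
 * @param serviceName
 * @throws AccessControlException
 * @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForService(java.lang.String)
-* @deprecated
 */
 public void assertAuthorizedForService(String serviceName)
 throws AccessControlException {
@@ -124,7 +120,6 @@ public void assertAuthorizedForService(String serviceName)
 * @param url
 * @throws AccessControlException
 * @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForURL(java.lang.String)
-* @deprecated
 */
 public void assertAuthorizedForURL(String url)
 throws AccessControlException {
@@ -136,7 +131,6 @@ public void assertAuthorizedForURL(String url)
 * @param data
 * @return
 * @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForData(java.lang.String, java.lang.Object)
-* @deprecated
 */
 public boolean isAuthorizedForData(String action, Object data) {
 return this.isAuthorized("AC 1.0 Data", new Object[] {action, data});
@@ -146,7 +140,6 @@ public boolean isAuthorizedForData(String action, Object data) {
 * @param filepath
 * @return
 * @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForFile(java.lang.String)
-* @deprecated
 */
 public boolean isAuthorizedForFile(String filepath) {
 return this.isAuthorized("AC 1.0 File", new Object[] {filepath});
@@ -156,7 +149,6 @@ public boolean isAuthorizedForFile(String filepath) {
 * @param functionName
 * @return
 * @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForFunction(java.lang.String)
-* @deprecated
 */
 public boolean isAuthorizedForFunction(String functionName) {
 return this.isAuthorized("AC 1.0 Function", new Object[] {functionName});
@@ -166,7 +158,6 @@ public boolean isAuthorizedForFunction(String functionName) {
 * @param serviceName
 * @return
 * @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForService(java.lang.String)
-* @deprecated
 */
 public boolean isAuthorizedForService(String serviceName) {
 return this.isAuthorized("AC 1.0 Service", new Object[] {serviceName});
@@ -176,7 +167,6 @@ public boolean isAuthorizedForService(String serviceName) {
 * @param url
 * @return
 * @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForURL(java.lang.String)
-* @deprecated
 */
 public boolean isAuthorizedForURL(String url) {
 return this.isAuthorized("AC 1.0 URL", new Object[] {url});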
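Review bot: With `@deprecated` removed, the Javadoc on these nine methods is reduced to bare `@param`/`@return` tags and an `@see` that still points at `org.owasp.esapi.reference.FileBasedAccessController`, although the bodies visible here delegate to rule keys such as `isAuthorized("AC 1.0 URL", ...)`. Each comment should name the rule key the method evaluates and say what happens when the loaded policy has no such rule, for example `* Evaluates the "AC 1.0 URL" rule from the loaded policy; access is denied if the rule is absent.` That wording assumes `isAuthorized` fails closed on a missing key; its body is outside these hunks, so confirm before documenting it. Most of the method bodies also start or end outside the hunks shown.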
Lines changed: 184 additions & 0 deletions
@@ -0,0 +1,184 @@
1+
package org.owasp.esapi.reference.accesscontrol;
2+
3+
import java.util.Map;
4+
5+
import org.owasp.esapi.AccessControlRule;
6+
import org.owasp.esapi.AccessController;
7+
import org.owasp.esapi.ESAPI;
8+
import org.owasp.esapi.Logger;
9+
import org.owasp.esapi.errors.AccessControlException;
10+
import org.owasp.esapi.reference.accesscontrol.policyloader.ACRPolicyFileLoader;
11+
import org.owasp.esapi.reference.accesscontrol.policyloader.PolicyDTO;
12+
13+
public class ExperimentalAccessController implements AccessController {
14+
private Map ruleMap;
15+
16+
protected final Logger logger = ESAPI.getLogger("DefaultAccessController");
17+
18+
public ExperimentalAccessController(Map ruleMap) {
19+
this.ruleMap = ruleMap;
20+
}
21+
public ExperimentalAccessController() throws AccessControlException {
22+
ACRPolicyFileLoader policyDescriptor = new ACRPolicyFileLoader();
23+
PolicyDTO policyDTO = policyDescriptor.load();
24+
ruleMap = policyDTO.getAccessControlRules();
25+
}
26+
27+
public boolean isAuthorized(Object key, Object runtimeParameter) {
28+
try {
29+
AccessControlRule rule = (AccessControlRule)ruleMap.get(key);
30+
if(rule == null) {
31+
throw new AccessControlException("Access Denied",
32+
"AccessControlRule was not found for key: " + key);
33+
}
34+
if(logger.isDebugEnabled()){ logger.debug(Logger.EVENT_SUCCESS, "Evaluating Authorization Rule \"" + key + "\" Using class: " + rule.getClass().getCanonicalName()); }
35+
return rule.isAuthorized(runtimeParameter);
36+
} catch(Exception e) {
37+
try {
38+
//Log the exception by throwing and then catching it.
39+
//TODO figure out what which string goes where.
40+
throw new AccessControlException("Access Denied",
41+
"An unhandled Exception was " +
42+
"caught, so access is denied.",
43+
e);
44+
} catch(AccessControlException ace) {
45+
//the exception was just logged. There's nothing left to do.
46+
}
47+
return false; //fail closed
48+
}
49+
}
50+
51+
public void assertAuthorized(Object key, Object runtimeParameter)
52+
throws AccessControlException {
53+
boolean isAuthorized = false;
54+
try {
55+
AccessControlRule rule = (AccessControlRule)ruleMap.get(key);
56+
if(rule == null) {
57+
throw new AccessControlException("Access Denied",
58+
"AccessControlRule was not found for key: " + key);
59+
}
60+
if(logger.isDebugEnabled()){ logger.debug(Logger.EVENT_SUCCESS, "Asserting Authorization Rule \"" + key + "\" Using class: " + rule.getClass().getCanonicalName()); }
61+
isAuthorized = rule.isAuthorized(runtimeParameter);
62+
} catch(Exception e) {
63+
//TODO figure out what which string goes where.
64+
throw new AccessControlException("Access Denied", "An unhandled Exception was " +
65+
"caught, so access is denied." +
66+
"AccessControlException.",
67+
e);
68+
}
69+
if(!isAuthorized) {
70+
throw new AccessControlException("Access Denied",
71+
"Access Denied for key: " + key +
72+
" runtimeParameter: " + runtimeParameter);
73+
}
74+
}
75+
76+
/**** Below this line is legacy support ****/
77+
78+
/**
79+
* @param action
80+
* @param data
81+
* @throws AccessControlException
82+
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForData(java.lang.String, java.lang.Object)
83+
* @deprecated
84+
*/
85+
public void assertAuthorizedForData(String action, Object data)
86+
throws AccessControlException {
87+
this.assertAuthorized("AC 1.0 Data", new Object[] {action, data});
88+
}
89+
90+
/**
91+
* @param filepath
92+
* @throws AccessControlException
93+
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForFile(java.lang.String)
94+
* @deprecated
95+
*/
96+
public void assertAuthorizedForFile(String filepath)
97+
throws AccessControlException {
98+
this.assertAuthorized("AC 1.0 File", new Object[] {filepath});
99+
}
100+
101+
/**
102+
* @param functionName
103+
* @throws AccessControlException
104+
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForFunction(java.lang.String)
105+
* @deprecated
106+
*/
107+
public void assertAuthorizedForFunction(String functionName)
108+
throws AccessControlException {
109+
this.assertAuthorized("AC 1.0 Function", new Object[] {functionName});
110+
}
111+
112+
/**
113+
* @param serviceName
114+
* @throws AccessControlException
115+
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForService(java.lang.String)
116+
* @deprecated
117+
*/
118+
public void assertAuthorizedForService(String serviceName)
119+
throws AccessControlException {
120+
this.assertAuthorized("AC 1.0 Service", new Object[] {serviceName});
121+
}
122+
123+
/**
124+
* @param url
125+
* @throws AccessControlException
126+
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForURL(java.lang.String)
127+
* @deprecated
128+
*/
129+
public void assertAuthorizedForURL(String url)
130+
throws AccessControlException {
131+
this.assertAuthorized("AC 1.0 URL", new Object[] {url});
132+
}
133+
134+
/**
135+
* @param action
136+
* @param data
137+
* @return
138+
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForData(java.lang.String, java.lang.Object)
139+
* @deprecated
140+
*/
141+
public boolean isAuthorizedForData(String action, Object data) {
142+
return this.isAuthorized("AC 1.0 Data", new Object[] {action, data});
143+
}
144+
145+
/**
146+
* @param filepath
147+
* @return
148+
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForFile(java.lang.String)
149+
* @deprecated
150+
*/
151+
public boolean isAuthorizedForFile(String filepath) {
152+
return this.isAuthorized("AC 1.0 File", new Object[] {filepath});
153+
}
154+
155+
/**
156+
* @param functionName
157+
* @return
158+
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForFunction(java.lang.String)
159+
* @deprecated
160+
*/
161+
public boolean isAuthorizedForFunction(String functionName) {
162+
return this.isAuthorized("AC 1.0 Function", new Object[] {functionName});
163+
}
164+
165+
/**
166+
* @param serviceName
167+
* @return
168+
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForService(java.lang.String)
169+
* @deprecated
170+
*/
171+
public boolean isAuthorizedForService(String serviceName) {
172+
return this.isAuthorized("AC 1.0 Service", new Object[] {serviceName});
173+
}
174+
175+
/**
176+
* @param url
177+
* @return
178+
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForURL(java.lang.String)
179+
* @deprecated
180+
*/
181+
public boolean isAuthorizedForURL(String url) {
182+
return this.isAuthorized("AC 1.0 URL", new Object[] {url});
183+
}
184+
}
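Review bot: The logger at new line 16 is created with `ESAPI.getLogger("DefaultAccessController")`, so every authorization event this class records is attributed to a different controller, which makes the audit trail misleading while both classes exist; `protected final Logger logger = ESAPI.getLogger("ExperimentalAccessController");` fixes it. In `assertAuthorized` (new lines 64-67) the message pieces concatenate to `...access is denied.AccessControlException.`, so the trailing `"AccessControlException."` fragment should be dropped. The `catch(Exception e)` in both `isAuthorized` and `assertAuthorized` also catches the `AccessControlException` thrown a few lines earlier for a missing rule, so a gap in the policy is reported as "An unhandled Exception"; handling `AccessControlException` ahead of the generic handler (rethrow in `assertAuthorized`, return false in `isAuthorized`) would keep the two cases distinguishable in the log. The denial message at new lines 70-72 appends `runtimeParameter`, which the legacy wrappers pass as an `Object[]`, so it prints as an array identity rather than the values checked.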
