Skip to content

Commit b3228b7

Browse files
author
mikehfauzy
committed
* FileBasedAccessController delegates to DefaultAccessController which delegates to FileBasedACRs
** FileBasedACRs mimics the functionality of FileBasedAccessController in AccessControl 1.0 ** removed [is|assert]AuthorizedForData(String) it was not part of the AccessController spec and makes no sense logically. * DynaBeanACRParameter and DynaBeanACRParameterLoader now support getStringArray * Improved Logging and exception messages while loading the policy file (there is still room for improvement)
1 parent 75a70ec commit b3228b7

11 files changed

Lines changed: 754 additions & 587 deletions

File tree

src/main/java/org/owasp/esapi/reference/FileBasedAccessController.java

Lines changed: 9 additions & 487 deletions
Large diffs are not rendered by default.

src/main/java/org/owasp/esapi/reference/accesscontrol/DefaultAccessController.java

Lines changed: 10 additions & 40 deletions
Original file line numberDiff line numberDiff line change
@@ -73,18 +73,9 @@ public void assertAuthorized(Object key, Object runtimeParameter)
7373
" runtimeParameter: " + runtimeParameter);
7474
}
7575
}
76-
77-
78-
79-
8076

8177
/**** Below this line is legacy support ****/
8278

83-
84-
85-
86-
FileBasedAccessController legacySupport = new FileBasedAccessController();
87-
8879
/**
8980
* @param action
9081
* @param data
@@ -94,18 +85,7 @@ public void assertAuthorized(Object key, Object runtimeParameter)
9485
*/
9586
public void assertAuthorizedForData(String action, Object data)
9687
throws AccessControlException {
97-
legacySupport.assertAuthorizedForData(action, data);
98-
}
99-
100-
/**
101-
* @param key
102-
* @throws AccessControlException
103-
* @see org.owasp.esapi.reference.FileBasedAccessController#assertAuthorizedForData(java.lang.String)
104-
* @deprecated
105-
*/
106-
public void assertAuthorizedForData(String key)
107-
throws AccessControlException {
108-
legacySupport.assertAuthorizedForData(key);
88+
this.assertAuthorized("AC 1.0 Data", new Object[] {action, data});
10989
}
11090

11191
/**
@@ -116,7 +96,7 @@ public void assertAuthorizedForData(String key)
11696
*/
11797
public void assertAuthorizedForFile(String filepath)
11898
throws AccessControlException {
119-
legacySupport.assertAuthorizedForFile(filepath);
99+
this.assertAuthorized("AC 1.0 File", new Object[] {filepath});
120100
}
121101

122102
/**
@@ -127,7 +107,7 @@ public void assertAuthorizedForFile(String filepath)
127107
*/
128108
public void assertAuthorizedForFunction(String functionName)
129109
throws AccessControlException {
130-
legacySupport.assertAuthorizedForFunction(functionName);
110+
this.assertAuthorized("AC 1.0 Function", new Object[] {functionName});
131111
}
132112

133113
/**
@@ -138,7 +118,7 @@ public void assertAuthorizedForFunction(String functionName)
138118
*/
139119
public void assertAuthorizedForService(String serviceName)
140120
throws AccessControlException {
141-
legacySupport.assertAuthorizedForService(serviceName);
121+
this.assertAuthorized("AC 1.0 Service", new Object[] {serviceName});
142122
}
143123

144124
/**
@@ -149,7 +129,7 @@ public void assertAuthorizedForService(String serviceName)
149129
*/
150130
public void assertAuthorizedForURL(String url)
151131
throws AccessControlException {
152-
legacySupport.assertAuthorizedForURL(url);
132+
this.assertAuthorized("AC 1.0 URL(", new Object[] {url});
153133
}
154134

155135
/**
@@ -160,17 +140,7 @@ public void assertAuthorizedForURL(String url)
160140
* @deprecated
161141
*/
162142
public boolean isAuthorizedForData(String action, Object data) {
163-
return legacySupport.isAuthorizedForData(action, data);
164-
}
165-
166-
/**
167-
* @param key
168-
* @return
169-
* @see org.owasp.esapi.reference.FileBasedAccessController#isAuthorizedForData(java.lang.String)
170-
* @deprecated
171-
*/
172-
public boolean isAuthorizedForData(String key) {
173-
return legacySupport.isAuthorizedForData(key);
143+
return this.isAuthorized("AC 1.0 Data", new Object[] {action, data});
174144
}
175145

176146
/**
@@ -180,7 +150,7 @@ public boolean isAuthorizedForData(String key) {
180150
* @deprecated
181151
*/
182152
public boolean isAuthorizedForFile(String filepath) {
183-
return legacySupport.isAuthorizedForFile(filepath);
153+
return this.isAuthorized("AC 1.0 File", new Object[] {filepath});
184154
}
185155

186156
/**
@@ -190,7 +160,7 @@ public boolean isAuthorizedForFile(String filepath) {
190160
* @deprecated
191161
*/
192162
public boolean isAuthorizedForFunction(String functionName) {
193-
return legacySupport.isAuthorizedForFunction(functionName);
163+
return this.isAuthorized("AC 1.0 Function", new Object[] {functionName});
194164
}
195165

196166
/**
@@ -200,7 +170,7 @@ public boolean isAuthorizedForFunction(String functionName) {
200170
* @deprecated
201171
*/
202172
public boolean isAuthorizedForService(String serviceName) {
203-
return legacySupport.isAuthorizedForService(serviceName);
173+
return this.isAuthorized("AC 1.0 Service", new Object[] {serviceName});
204174
}
205175

206176
/**
@@ -210,6 +180,6 @@ public boolean isAuthorizedForService(String serviceName) {
210180
* @deprecated
211181
*/
212182
public boolean isAuthorizedForURL(String url) {
213-
return legacySupport.isAuthorizedForURL(url);
183+
return this.isAuthorized("AC 1.0 URL", new Object[] {url});
214184
}
215185
}

src/main/java/org/owasp/esapi/reference/accesscontrol/DelegatingACR.java

Lines changed: 41 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -2,75 +2,82 @@
22

33
import java.lang.reflect.Method;
44
import java.lang.reflect.Modifier;
5-
import java.util.StringTokenizer;
5+
import java.util.Iterator;
66
import java.util.Vector;
77

8-
import org.owasp.esapi.AccessControlRule;
9-
import org.owasp.esapi.Validator;
10-
11-
8+
import org.apache.commons.collections.iterators.ArrayListIterator;
129

1310
public class DelegatingACR extends BaseACR<DynaBeanACRParameter, Object[]> {
1411
protected Method delegateMethod;
1512
protected Object delegateInstance;
1613

1714
@Override
1815
public void setPolicyParameters(DynaBeanACRParameter policyParameter) {
19-
String delegateClassName = policyParameter.getString("delegateClass");
20-
String methodName = policyParameter.getString("delegateMethod");
21-
String parameterClassNames = policyParameter.getString("parameterClasses");
22-
16+
String delegateClassName = policyParameter.getString("delegateClass", "").trim();
17+
String methodName = policyParameter.getString("delegateMethod", "").trim();
18+
String[] parameterClassNames = policyParameter.getStringArray("parameterClasses");
19+
2320
//Convert the classNames into Classes and get the delegate method.
2421
Class delegateClass = getClass(delegateClassName, "delegate");
2522
Class parameterClasses[] = getParameters(parameterClassNames);
2623
try {
2724
this.delegateMethod = delegateClass.getMethod(methodName, parameterClasses);
2825
} catch (SecurityException e) {
29-
throw new IllegalArgumentException(e.getMessage() + " " +
30-
delegateClassName + "." + methodName + "(" + parameterClassNames +
31-
") must be public.", e);
26+
throw new IllegalArgumentException(e.getMessage() +
27+
" delegateClass.delegateMethod(parameterClasses): \"" +
28+
delegateClassName + "." + methodName + "(" + parameterClassNames +
29+
")\" must be public.", e);
3230
} catch (NoSuchMethodException e) {
33-
throw new IllegalArgumentException(e.getMessage() + " " +
31+
throw new IllegalArgumentException(e.getMessage() +
32+
" delegateClass.delegateMethod(parameterClasses): \"" +
3433
delegateClassName + "." + methodName + "(" + parameterClassNames +
35-
") does not exist.", e);
34+
")\" does not exist.", e);
3635
}
3736

3837
//static methods do not need a delegateInstance. Non-static methods do.
3938
if(!Modifier.isStatic(this.delegateMethod.getModifiers())) {
4039
try {
4140
this.delegateInstance = delegateClass.newInstance();
4241
} catch (InstantiationException ex) {
43-
throw new IllegalArgumentException(ex.getMessage() +
44-
" Delegate class " + delegateClassName +
45-
" must be concrete, because method " +
42+
throw new IllegalArgumentException(
43+
" Delegate class \"" + delegateClassName +
44+
"\" must be concrete, because method " +
4645
delegateClassName + "." + methodName + "(" + parameterClassNames +
4746
") is not static.", ex);
4847
} catch (IllegalAccessException ex) {
49-
new IllegalArgumentException(ex.getMessage() +
50-
" Delegate class " + delegateClassName +
51-
" must must have a zero-argument constructor, because method " +
48+
new IllegalArgumentException(
49+
" Delegate class \"" + delegateClassName +
50+
"\" must must have a zero-argument constructor, because " +
51+
"method delegateClass.delegateMethod(parameterClasses): \"" +
5252
delegateClassName + "." + methodName + "(" + parameterClassNames +
53-
") is not static.", ex);
53+
")\" is not static.", ex);
5454
}
5555
} else {
5656
this.delegateInstance = null;
5757
}
5858
}
59-
60-
protected final Class[] getParameters(String parameterClassNames) {
61-
if(parameterClassNames == null || "".equals(parameterClassNames.trim())) {
59+
/**
60+
* Convert an array of fully qualified class names into an array of Class objects
61+
* @param parameterClassNames
62+
* @return
63+
*/
64+
protected final Class[] getParameters(String[] parameterClassNames) {
65+
if(parameterClassNames == null) {
6266
return new Class[0];
6367
}
64-
65-
StringTokenizer stok = new StringTokenizer(parameterClassNames, ",", false);
66-
int numberOfCommas = stok.countTokens();
67-
Vector<Class> classes = new Vector<Class>(numberOfCommas+1);
68-
while(stok.hasMoreTokens()) {
69-
classes.add(getClass(stok.nextToken(), "parameter"));
68+
Vector<Class> classes = new Vector<Class>();
69+
Iterator<String> classNames = new ArrayListIterator(parameterClassNames);
70+
while(classNames.hasNext()) {
71+
classes.add(getClass(classNames.next(), "parameter"));
7072
}
7173
return classes.toArray(new Class[classes.size()]);
7274
}
73-
75+
/**
76+
* Convert a single fully qualified class name into a Class object
77+
* @param className
78+
* @param purpose
79+
* @return
80+
*/
7481
protected final Class getClass(String className, String purpose) {
7582
try {
7683
Class theClass = Class.forName(className);
@@ -81,11 +88,12 @@ protected final Class getClass(String className, String purpose) {
8188
" must be in the classpath", ex);
8289
}
8390
}
84-
91+
/**
92+
* Delegates to the method specified in setPolicyParameters
93+
*/
8594
public boolean isAuthorized(Object[] runtimeParameters) throws Exception {
8695
return ((Boolean)delegateMethod.invoke(delegateInstance, runtimeParameters)).booleanValue();
8796
}
88-
8997
}
9098

9199

src/main/java/org/owasp/esapi/reference/accesscontrol/DynaBeanACRParameter.java

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
import java.math.BigDecimal;
44
import java.math.BigInteger;
55
import java.util.Date;
6+
import java.util.Iterator;
67

78
import org.apache.commons.beanutils.*;
89
import org.owasp.esapi.reference.accesscontrol.policyloader.PolicyParameters;
@@ -125,6 +126,15 @@ public Date getTime(String key) {
125126
public String getString(String key) {
126127
return (String)get(key);
127128
}
129+
130+
public String getString(String key, String defaultValue) {
131+
return (String)get(key) == null ? defaultValue : (String)get(key);
132+
}
133+
134+
public String[] getStringArray(String key) {
135+
return (String[])get(key);
136+
}
137+
128138
/**
129139
* Convenience method to avoid common casts.
130140
* @param key
@@ -158,4 +168,19 @@ public void lock() {
158168
policyProperties.setRestricted(true);
159169
}
160170

171+
public String toString() {
172+
StringBuffer stringBuffer = new StringBuffer();
173+
Iterator keys = policyProperties.getMap().keySet().iterator();
174+
String currentKey;
175+
while(keys.hasNext()) {
176+
currentKey = (String)keys.next();
177+
stringBuffer.append(currentKey);
178+
stringBuffer.append("=");
179+
stringBuffer.append(policyProperties.get(currentKey));
180+
if(keys.hasNext()) {
181+
stringBuffer.append(",");
182+
}
183+
}
184+
return stringBuffer.toString();
185+
}
161186
}

0 commit comments

Comments
 (0)