blob: 1fab25cc7d55cdc14e8fb5b44bf4ba9a4d49381d [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.fortress.realm.tomcat;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.realm.J2eePolicyMgr;
import org.apache.directory.fortress.realm.J2eePolicyMgrFactory;
import org.apache.directory.fortress.realm.TcPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
/**
* This class runs on a URL classloader and provides Fortress runtime security services for the Tomcat container.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
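public class TcAccessMgrImpl implements TcAccessMgr
{
    private static final String CLS_NM = TcAccessMgrImpl.class.getName();

    /** The logger for this class */
    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );

    /**
     * Number of instances constructed so far; only used to tag the constructor log line.
     * An AtomicInteger replaces the former bare {@code int} because {@code count++} is not an
     * atomic operation and the container may construct realm instances from more than one thread.
     */
    private static final AtomicInteger count = new AtomicInteger( 0 );

    /** Delegate that performs the actual Fortress session creation and role checks; built once in the constructor. */
    private final J2eePolicyMgr j2eeMgr;

    /**
     * When set through {@link #setDefaultRoles(String)}, every subsequent call to
     * {@link #authenticate(String, char[])} passes this list into createSession, which scopes
     * the roles considered for activation to exactly this set. Null until the setter is called.
     * The list stored here is unmodifiable.
     */
    private List<String> defaultRoles;

    /**
     * Constructor for the TcAccessMgrImpl object.
     *
     * Obtains the {@link J2eePolicyMgr} delegate from {@link J2eePolicyMgrFactory}.
     *
     * @throws RuntimeException wrapping the Fortress {@code SecurityException} when the delegate cannot be created,
     *                          so the container fails fast instead of running with an unusable realm.
     */
    public TcAccessMgrImpl()
    {
        J2eePolicyMgr mgr;
        try
        {
            mgr = J2eePolicyMgrFactory.createInstance();
        }
        catch ( SecurityException se )
        {
            String error = CLS_NM + " constructor caught SecurityException=" + se;
            // Pass the throwable to the logger so the stack trace reaches the configured appender;
            // the former printStackTrace() wrote it to System.err, bypassing logging entirely.
            LOG.error( error, se );
            // Fully qualified: the imported SecurityException is the Fortress one, not java.lang's.
            throw new java.lang.RuntimeException( error, se );
        }
        j2eeMgr = mgr;
        LOG.info( "{} constructor <{}>", CLS_NM, incrementCtr() );
    }

    /**
     * Bump the instance counter.
     *
     * @return the counter value before the increment (same contract as the former post-increment).
     */
    private static int incrementCtr()
    {
        return count.getAndIncrement();
    }

    /**
     * Perform user authentication and evaluate password policies.
     *
     * Delegates to {@link J2eePolicyMgr#createSession}; when default roles have been configured they are
     * passed along to scope role activation. The password is never logged.
     *
     * @param userId Contains the userid of the user signing on.
     * @param password Contains the user's password.
     * @return Principal which contains the Fortress RBAC session data, or null when authentication fails
     *         (the Fortress {@code SecurityException} is logged at WARN and not propagated).
     */
    @Override
    public Principal authenticate( String userId, char[] password )
    {
        TcPrincipal principal = null;
        // Snapshot the field so one call sees a consistent role list even if the setter runs concurrently.
        List<String> roles = defaultRoles;
        try
        {
            // If a 'default.roles' property set in config, use them
            if ( CollectionUtils.isNotEmpty( roles ) )
            {
                principal = j2eeMgr.createSession( userId, password, roles );
                LOG.debug( "{}.authenticate userId [{}], with default roles[{}], successful", CLS_NM, userId, roles );
            }
            else
            {
                principal = j2eeMgr.createSession( userId, password );
                LOG.debug( "{}.authenticate userId [{}], successful", CLS_NM, userId );
            }
        }
        catch ( SecurityException se )
        {
            // Exception is the trailing argument (no placeholder) so SLF4J records the stack trace.
            LOG.warn( "{}.authenticate userId <{}> caught SecurityException=", CLS_NM, userId, se );
        }
        return principal;
    }

    /**
     * Determine if given Role is contained within User's Tomcat Principal object. This method does not need to hit
     * the ldap server as the User's activated Roles are loaded into {@link TcPrincipal#setContext(java.util.HashMap)}
     *
     * Fails closed: a null principal (unauthenticated caller) or an empty role name yields false rather than
     * a NullPointerException or a delegate call with bogus input.
     *
     * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
     * @param roleName Maps to {@code org.apache.directory.fortress.core.model.Role#name}.
     * @return True if Role is found in TcPrincipal, false otherwise (including on any Fortress
     *         {@code SecurityException}, which is logged at WARN).
     */
    @Override
    public boolean hasRole( Principal principal, String roleName )
    {
        if ( principal == null )
        {
            LOG.debug( "{}.hasRole role[{}], null principal, failed", CLS_NM, roleName );
            return false;
        }
        String userId = principal.getName();
        if ( StringUtils.isEmpty( roleName ) )
        {
            LOG.debug( "{}.hasRole userId [{}], empty role name, failed", CLS_NM, userId );
            return false;
        }
        boolean result = false;
        try
        {
            if ( j2eeMgr.hasRole( principal, roleName ) )
            {
                LOG.debug( "{}.hasRole userId [{}], role[{}], successful", CLS_NM, userId, roleName );
                result = true;
            }
            else
            {
                LOG.debug( "{}.hasRole userId [{}], role[{}], failed", CLS_NM, userId, roleName );
            }
        }
        catch ( SecurityException se )
        {
            // Trailing throwable argument, consistent with authenticate(): full stack trace is logged.
            LOG.warn( "{}.hasRole userId <{}> role <{}> caught SecurityException=", CLS_NM, userId, roleName, se );
        }
        return result;
    }

    /**
     * When the 'defaultRoles' parameter is set on realm proxy config (e.g. in server.xml or context.xml) it will be used to pass into
     * createSession calls into Fortress. This will scope the roles to be considered for activation to this particular set.
     *
     * The value is trimmed before splitting so surrounding whitespace cannot produce a role name with a leading
     * space, and empty tokens from stray commas ("a,,b") are dropped. A blank value, or one that yields no role
     * names at all, leaves the current default roles untouched and is logged.
     *
     * @param szDefaultRoles contains a String containing comma delimited roles names.
     */
    public void setDefaultRoles( String szDefaultRoles )
    {
        if ( StringUtils.isBlank( szDefaultRoles ) )
        {
            LOG.warn( "DEFAULT ROLES: blank value ignored" );
            return;
        }
        List<String> roles = new ArrayList<String>();
        for ( String role : szDefaultRoles.trim().split( "\\s*,\\s*" ) )
        {
            if ( StringUtils.isNotEmpty( role ) )
            {
                roles.add( role );
            }
        }
        if ( roles.isEmpty() )
        {
            LOG.warn( "DEFAULT ROLES: no role names parsed from [{}]", szDefaultRoles );
            return;
        }
        // Unmodifiable so the scoping list handed to createSession cannot be altered behind the realm's back.
        defaultRoles = Collections.unmodifiableList( roles );
        LOG.info( "DEFAULT ROLES: {}", defaultRoles );
    }
}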