trunk/src/modules-core/ac/java/src/org/apache/lenya/ac/impl/DefaultAccessController.java - lenya - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  *  contributor license agreements.  See the NOTICE file distributed with
  *  this work for additional information regarding copyright ownership.
  *  The ASF licenses this file to You under the Apache License, Version 2.0
  *  (the "License"); you may not use this file except in compliance with
  *  the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  * License for the specific language governing permissions and limitations under
  * the License.
  *
  */

 package org.apache.lenya.ac.impl;

 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.*;

 import org.apache.avalon.framework.activity.Disposable;
 import org.apache.avalon.framework.component.Component;
 import org.apache.avalon.framework.configuration.Configurable;
 import org.apache.avalon.framework.configuration.Configuration;
 import org.apache.avalon.framework.configuration.ConfigurationException;
 import org.apache.avalon.framework.logger.AbstractLogEnabled;
 import org.apache.avalon.framework.parameters.ParameterException;
 import org.apache.avalon.framework.parameters.Parameterizable;
 import org.apache.avalon.framework.parameters.Parameters;
 import org.apache.avalon.framework.service.ServiceException;
 import org.apache.avalon.framework.service.ServiceManager;
 import org.apache.avalon.framework.service.ServiceSelector;
 import org.apache.avalon.framework.service.Serviceable;
 import org.apache.cocoon.environment.Request;
 import org.apache.cocoon.environment.Session;
 import org.apache.lenya.ac.AccessControlException;
 import org.apache.lenya.ac.AccessController;
 import org.apache.lenya.ac.Accreditable;
 import org.apache.lenya.ac.AccreditableManager;
 import org.apache.lenya.ac.AccreditableManagerFactory;
 import org.apache.lenya.ac.Authenticator;
 import org.apache.lenya.ac.Authorizer;
 import org.apache.lenya.ac.IPRange;
 import org.apache.lenya.ac.Identity;
 import org.apache.lenya.ac.Item;
 import org.apache.lenya.ac.ItemManagerListener;
 import org.apache.lenya.ac.Machine;
 import org.apache.lenya.ac.PolicyManager;
 import org.apache.lenya.ac.Role;
 import org.apache.lenya.util.ServletHelper;

 /**
  * Default access controller implementation.
  * @version $Id: DefaultAccessController.java 563459 2007-08-07 12:00:20Z
  *          nettings $
  */
 public class DefaultAccessController extends AbstractLogEnabled implements AccessController,
         Configurable, Serviceable, Disposable, ItemManagerListener {

     protected static final String AUTHORIZER_ELEMENT = "authorizer";
     protected static final String TYPE_ATTRIBUTE = "type";
     protected static final String ACCREDITABLE_MANAGER_ELEMENT = "accreditable-manager";
     protected static final String POLICY_MANAGER_ELEMENT = "policy-manager";

     private static final String VALID_IP = "([0-9]{1,3}\\.){3}[0-9]{1,3}";
     private ServiceManager manager;
     private ServiceSelector authorizerSelector;
     private ServiceSelector policyManagerSelector;
     private AccreditableManager accreditableManager;
     private PolicyManager policyManager;
     private Map authorizers = new HashMap();
     private List authorizerKeys = new ArrayList();
     private Authenticator authenticator;

     /**
      * @see org.apache.lenya.ac.AccessController#authenticate(org.apache.cocoon.environment.Request)
      */
     public boolean authenticate(Request request) throws AccessControlException {

         assert request != null;
         boolean authenticated = getAuthenticator().authenticate(getAccreditableManager(), request);

         return authenticated;
     }

     /**
      * @see org.apache.lenya.ac.AccessController#authorize(org.apache.cocoon.environment.Request)
      */
     public boolean authorize(Request request) throws AccessControlException {
         assert request != null;

         boolean authorized = false;

         getLogger().debug("=========================================================");
         getLogger().debug("Beginning authorization.");

         resolveRoles(request);

         if (hasAuthorizers()) {
             Authorizer[] _authorizers = getAuthorizers();
             int i = 0;
             authorized = true;

             while ((i < _authorizers.length) && authorized) {

                 if (getLogger().isDebugEnabled()) {
                     getLogger().debug("---------------------------------------------------------");
                     getLogger().debug("Invoking authorizer [" + _authorizers[i] + "]");
                 }

                 authorized = authorized && _authorizers[i].authorize(request);

                 if (getLogger().isDebugEnabled()) {
                     getLogger().debug(
                             "Authorizer [" + _authorizers[i] + "] returned [" + authorized + "]");
                 }

                 i++;
             }
         }

         if (getLogger().isDebugEnabled()) {
             getLogger().debug("=========================================================");
             getLogger().debug("Authorization complete, result: [" + authorized + "]");
             getLogger().debug("=========================================================");
         }

         return authorized;
     }

     protected void resolveRoles(Request request) throws AccessControlException {
         String webappUrl = ServletHelper.getWebappURI(request);
         Session session = request.getSession(true);
         Identity identity = (Identity) session.getAttribute(Identity.class.getName());

         Role[] roles;
         if (identity.belongsTo(this.accreditableManager)) {
             roles = this.policyManager.getGrantedRoles(this.accreditableManager, identity, webappUrl);
         } else {
             roles = new Role[0];
             getLogger().debug(
                     "No roles resolved for identity [" + identity
                             + "] - belongs to wrong accreditable manager.");
         }
         saveRoles(request, roles);
     }

     /**
      * Saves the roles of the current identity to the request.
      * @param request The request.
      * @param roles The roles.
      */
     protected void saveRoles(Request request, Role[] roles) {
          if(getLogger().isDebugEnabled()) {
             StringBuffer rolesBuffer = new StringBuffer();
             for (int i = 0; i < roles.length; i++) {
                rolesBuffer.append(" ").append(roles[i]);
             }
             getLogger().debug("Adding roles [" + rolesBuffer + " ] to request [" + request + "]");
         }
         request.setAttribute(Role.class.getName(), Arrays.asList(roles));
     }

     /**
      * Configures or parameterizes a component, depending on the implementation
      * as Configurable or Parameterizable.
      * @param component The component.
      * @param configuration The configuration to use.
      * @throws ConfigurationException when an error occurs during configuration.
      * @throws ParameterException when an error occurs during parameterization.
      */
     public static void configureOrParameterize(Component component, Configuration configuration)
             throws ConfigurationException, ParameterException {
         if (component instanceof Configurable) {
             ((Configurable) component).configure(configuration);
         }
         if (component instanceof Parameterizable) {
             Parameters parameters = Parameters.fromConfiguration(configuration);
             ((Parameterizable) component).parameterize(parameters);
         }
     }

     /**
      * @see org.apache.avalon.framework.configuration.Configurable#configure(org.apache.avalon.framework.configuration.Configuration)
      */
     public void configure(Configuration conf) throws ConfigurationException {

         try {
             setupAccreditableManager(conf);
             setupAuthorizers(conf);
             setupPolicyManager(conf);
             setupAuthenticator();
         } catch (ConfigurationException e) {
             throw e;
         } catch (Exception e) {
             throw new ConfigurationException("Configuration failed: ", e);
         }
     }

     /**
      * Creates the accreditable manager.
      *
      * @param configuration The access controller configuration.
      * @throws ConfigurationException when the configuration failed.
      * @throws ServiceException when something went wrong.
      * @throws ParameterException when something went wrong.
      */
     protected void setupAccreditableManager(Configuration configuration)
             throws ConfigurationException, ServiceException, ParameterException {
         Configuration config = configuration.getChild(ACCREDITABLE_MANAGER_ELEMENT, false);
         if (config != null) {
             AccreditableManagerFactory factory = null;
             try {
                 factory = (AccreditableManagerFactory) this.manager
                         .lookup(AccreditableManagerFactory.ROLE);
                 this.accreditableManager = factory.getAccreditableManager(config);
                 this.accreditableManager.addItemManagerListener(this);
             } finally {
                 if (factory != null) {
                     this.manager.release(factory);
                 }
             }
         }
     }

     /**
      * Creates the authorizers.
      *
      * @param configuration The access controller configuration.
      * @throws ConfigurationException when the configuration failed.
      * @throws ServiceException when something went wrong.
      * @throws ParameterException when something went wrong.
      */
     protected void setupAuthorizers(Configuration configuration) throws ServiceException,
             ConfigurationException, ParameterException {
         Configuration[] authorizerConfigurations = configuration.getChildren(AUTHORIZER_ELEMENT);
         if (authorizerConfigurations.length > 0) {
             this.authorizerSelector = (ServiceSelector) this.manager.lookup(Authorizer.ROLE
                     + "Selector");

             for (int i = 0; i < authorizerConfigurations.length; i++) {
                 String type = authorizerConfigurations[i].getAttribute(TYPE_ATTRIBUTE);
                 if (getLogger().isDebugEnabled()) {
                     getLogger().debug("Adding authorizer [" + type + "]");
                 }

                 Authorizer authorizer = (Authorizer) this.authorizerSelector.select(type);
                 this.authorizerKeys.add(type);
                 this.authorizers.put(type, authorizer);
                 configureOrParameterize(authorizer, authorizerConfigurations[i]);
             }
         }
     }

     /**
      * Creates the policy manager.
      *
      * @param configuration The access controller configuration.
      * @throws ConfigurationException when the configuration failed.
      * @throws ServiceException when something went wrong.
      * @throws ParameterException when something went wrong.
      */
     protected void setupPolicyManager(Configuration configuration) throws ServiceException,
             ConfigurationException, ParameterException {
         Configuration policyManagerConfiguration = configuration.getChild(POLICY_MANAGER_ELEMENT,
                 false);
         if (policyManagerConfiguration != null) {
             String policyManagerType = policyManagerConfiguration.getAttribute(TYPE_ATTRIBUTE);
             if (getLogger().isDebugEnabled()) {
                 getLogger().debug("Adding policy manager type: [" + policyManagerType + "]");
             }
             this.policyManagerSelector = (ServiceSelector) this.manager.lookup(PolicyManager.ROLE
                     + "Selector");
             this.policyManager = (PolicyManager) this.policyManagerSelector
                     .select(policyManagerType);
             configureOrParameterize(this.policyManager, policyManagerConfiguration);
         }
     }

     /**
      * Sets up the authenticator.
      * @throws ServiceException when something went wrong.
      */
     protected void setupAuthenticator() throws ServiceException {
         this.authenticator = (Authenticator) this.manager.lookup(Authenticator.ROLE);
     }

     /**
      * Set the global component manager.
      *
      * @param _manager The global component manager
      * @throws ServiceException when something went wrong.
      */
     public void service(ServiceManager _manager) throws ServiceException {
         this.manager = _manager;
     }

     /**
      * Returns the service manager.
      * @return A service manager.
      */
     protected ServiceManager getManager() {
         return this.manager;
     }

     /**
      * Returns the authorizers of this action.
      * @return An array of authorizers.
      */
     public Authorizer[] getAuthorizers() {

         Authorizer[] authorizerArray = new Authorizer[this.authorizers.size()];
         for (int i = 0; i < this.authorizers.size(); i++) {
             String key = (String) this.authorizerKeys.get(i);
             authorizerArray[i] = (Authorizer) this.authorizers.get(key);
         }
         return authorizerArray;
     }

     /**
      * Returns if this action has authorizers.
      * @return A boolean value.
      */
     protected boolean hasAuthorizers() {
         return !this.authorizers.isEmpty();
     }

     /**
      * @see org.apache.avalon.framework.activity.Disposable#dispose()
      */
     public void dispose() {

        if (this.accreditableManager != null) {
             this.accreditableManager.removeItemManagerListener(this);
         }

         if (this.policyManagerSelector != null) {
             if (this.policyManager != null) {
                 this.policyManagerSelector.release(this.policyManager);
             }
             getManager().release(this.policyManagerSelector);
         }

         if (this.authorizerSelector != null) {
             Authorizer[] _authorizers = getAuthorizers();
             for (int i = 0; i < _authorizers.length; i++) {
                 this.authorizerSelector.release(_authorizers[i]);
             }
             getManager().release(this.authorizerSelector);
         }

         if (this.authenticator != null) {
             getManager().release(this.authenticator);
         }

         if (getLogger().isDebugEnabled()) {
             getLogger().debug("Disposing [" + this + "]");
         }
     }

     /**
      * Returns the accreditable manager.
      * @return An accreditable manager.
      */
     public AccreditableManager getAccreditableManager() {
         return this.accreditableManager;
     }

     /**
      * Returns the policy manager.
      * @return A policy manager.
      */
     public PolicyManager getPolicyManager() {
         return this.policyManager;
     }

     /**
      * Returns the authenticator.
      * @return The authenticator.
      */
     public Authenticator getAuthenticator() {
         return this.authenticator;
     }

     /**
      * Checks if this identity was initialized by this access controller.
      *
      * @param identity An identity.
      * @return A boolean value.
      * @throws AccessControlException when something went wrong.
      */
     public boolean ownsIdenity(Identity identity) throws AccessControlException {
         return identity.belongsTo(getAccreditableManager());
     }

     /**
      * @see org.apache.lenya.ac.AccessController#setupIdentity(org.apache.cocoon.environment.Request)
      */
     public void setupIdentity(Request request) throws AccessControlException {
         Session session = request.getSession(true);
         if (!hasValidIdentity(session)) {
             Identity identity = new Identity(getLogger());
             identity.initialize();
             String remoteAddress = request.getRemoteAddr();
             String clientAddress = request.getHeader("x-forwarded-for");

             if (clientAddress != null) {
                 Pattern p = Pattern.compile(VALID_IP);
                 Matcher m = p.matcher(clientAddress);

                 if (m.find()) {
                     remoteAddress = m.group();
                 }
             }

             getLogger().info("Remote Address to use: [" + remoteAddress + "]");

             Machine machine = new Machine(remoteAddress);
             IPRange[] ranges = this.accreditableManager.getIPRangeManager().getIPRanges();
             for (int i = 0; i < ranges.length; i++) {
                 if (ranges[i].contains(machine)) {
                     machine.addIPRange(ranges[i]);
                 }
             }

             identity.addIdentifiable(machine);
             session.setAttribute(Identity.class.getName(), identity);
         }
     }

     /**
      * Checks if the session contains an identity that is not null and belongs
      * to the used access controller.
      *
      * @param session The current session.
      * @return A boolean value.
      * @throws AccessControlException when something went wrong.
      */
     protected boolean hasValidIdentity(Session session) throws AccessControlException {
         boolean valid = true;
         Identity identity = (Identity) session.getAttribute(Identity.class.getName());
         if (identity == null || !ownsIdenity(identity)) {
             valid = false;
         }
         return valid;
     }

     /**
      * @see org.apache.lenya.ac.ItemManagerListener#itemAdded(org.apache.lenya.ac.Item)
      */
     public void itemAdded(Item item) throws AccessControlException {
         if (getLogger().isDebugEnabled()) {
             getLogger().debug("Item was added: [" + item + "]");
             getLogger().debug("Notifying policy manager");
         }
         if (item instanceof Accreditable) {
             getPolicyManager().accreditableAdded(getAccreditableManager(), (Accreditable) item);
         }
     }

     /**
      * @see org.apache.lenya.ac.ItemManagerListener#itemRemoved(org.apache.lenya.ac.Item)
      */
     public void itemRemoved(Item item) throws AccessControlException {
         if (getLogger().isDebugEnabled()) {
             getLogger().debug("Item was removed: [" + item + "]");
             getLogger().debug("Notifying policy manager");
         }

         if (!(item instanceof Role)) {
             getPolicyManager().accreditableRemoved(getAccreditableManager(), (Accreditable) item);
         }
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
	* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
	* License for the specific language governing permissions and limitations under
	* the License.
	*
	*/

	package org.apache.lenya.ac.impl;

	import java.util.ArrayList;
	import java.util.Arrays;
	import java.util.HashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.regex.*;

	import org.apache.avalon.framework.activity.Disposable;
	import org.apache.avalon.framework.component.Component;
	import org.apache.avalon.framework.configuration.Configurable;
	import org.apache.avalon.framework.configuration.Configuration;
	import org.apache.avalon.framework.configuration.ConfigurationException;
	import org.apache.avalon.framework.logger.AbstractLogEnabled;
	import org.apache.avalon.framework.parameters.ParameterException;
	import org.apache.avalon.framework.parameters.Parameterizable;
	import org.apache.avalon.framework.parameters.Parameters;
	import org.apache.avalon.framework.service.ServiceException;
	import org.apache.avalon.framework.service.ServiceManager;
	import org.apache.avalon.framework.service.ServiceSelector;
	import org.apache.avalon.framework.service.Serviceable;
	import org.apache.cocoon.environment.Request;
	import org.apache.cocoon.environment.Session;
	import org.apache.lenya.ac.AccessControlException;
	import org.apache.lenya.ac.AccessController;
	import org.apache.lenya.ac.Accreditable;
	import org.apache.lenya.ac.AccreditableManager;
	import org.apache.lenya.ac.AccreditableManagerFactory;
	import org.apache.lenya.ac.Authenticator;
	import org.apache.lenya.ac.Authorizer;
	import org.apache.lenya.ac.IPRange;
	import org.apache.lenya.ac.Identity;
	import org.apache.lenya.ac.Item;
	import org.apache.lenya.ac.ItemManagerListener;
	import org.apache.lenya.ac.Machine;
	import org.apache.lenya.ac.PolicyManager;
	import org.apache.lenya.ac.Role;
	import org.apache.lenya.util.ServletHelper;

	/**
	* Default access controller implementation.
	* @version $Id: DefaultAccessController.java 563459 2007-08-07 12:00:20Z
	* nettings $
	*/
	public class DefaultAccessController extends AbstractLogEnabled implements AccessController,
	Configurable, Serviceable, Disposable, ItemManagerListener {

	protected static final String AUTHORIZER_ELEMENT = "authorizer";
	protected static final String TYPE_ATTRIBUTE = "type";
	protected static final String ACCREDITABLE_MANAGER_ELEMENT = "accreditable-manager";
	protected static final String POLICY_MANAGER_ELEMENT = "policy-manager";

	private static final String VALID_IP = "([0-9]{1,3}\\.){3}[0-9]{1,3}";
	private ServiceManager manager;
	private ServiceSelector authorizerSelector;
	private ServiceSelector policyManagerSelector;
	private AccreditableManager accreditableManager;
	private PolicyManager policyManager;
	private Map authorizers = new HashMap();
	private List authorizerKeys = new ArrayList();
	private Authenticator authenticator;

	/**
	* @see org.apache.lenya.ac.AccessController#authenticate(org.apache.cocoon.environment.Request)
	*/
	public boolean authenticate(Request request) throws AccessControlException {

	assert request != null;
	boolean authenticated = getAuthenticator().authenticate(getAccreditableManager(), request);

	return authenticated;
	}

	/**
	* @see org.apache.lenya.ac.AccessController#authorize(org.apache.cocoon.environment.Request)
	*/
	public boolean authorize(Request request) throws AccessControlException {
	assert request != null;

	boolean authorized = false;

	getLogger().debug("=========================================================");
	getLogger().debug("Beginning authorization.");

	resolveRoles(request);

	if (hasAuthorizers()) {
	Authorizer[] _authorizers = getAuthorizers();
	int i = 0;
	authorized = true;

	while ((i < _authorizers.length) && authorized) {

	if (getLogger().isDebugEnabled()) {
	getLogger().debug("---------------------------------------------------------");
	getLogger().debug("Invoking authorizer [" + _authorizers[i] + "]");
	}

	authorized = authorized && _authorizers[i].authorize(request);

	if (getLogger().isDebugEnabled()) {
	getLogger().debug(
	"Authorizer [" + _authorizers[i] + "] returned [" + authorized + "]");
	}

	i++;
	}
	}

	if (getLogger().isDebugEnabled()) {
	getLogger().debug("=========================================================");
	getLogger().debug("Authorization complete, result: [" + authorized + "]");
	getLogger().debug("=========================================================");
	}

	return authorized;
	}

	protected void resolveRoles(Request request) throws AccessControlException {
	String webappUrl = ServletHelper.getWebappURI(request);
	Session session = request.getSession(true);
	Identity identity = (Identity) session.getAttribute(Identity.class.getName());

	Role[] roles;
	if (identity.belongsTo(this.accreditableManager)) {
	roles = this.policyManager.getGrantedRoles(this.accreditableManager, identity, webappUrl);
	} else {
	roles = new Role[0];
	getLogger().debug(
	"No roles resolved for identity [" + identity
	+ "] - belongs to wrong accreditable manager.");
	}
	saveRoles(request, roles);
	}

	/**
	* Saves the roles of the current identity to the request.
	* @param request The request.
	* @param roles The roles.
	*/
	protected void saveRoles(Request request, Role[] roles) {
	if(getLogger().isDebugEnabled()) {
	StringBuffer rolesBuffer = new StringBuffer();
	for (int i = 0; i < roles.length; i++) {
	rolesBuffer.append(" ").append(roles[i]);
	}
	getLogger().debug("Adding roles [" + rolesBuffer + " ] to request [" + request + "]");
	}
	request.setAttribute(Role.class.getName(), Arrays.asList(roles));
	}

	/**
	* Configures or parameterizes a component, depending on the implementation
	* as Configurable or Parameterizable.
	* @param component The component.
	* @param configuration The configuration to use.
	* @throws ConfigurationException when an error occurs during configuration.
	* @throws ParameterException when an error occurs during parameterization.
	*/
	public static void configureOrParameterize(Component component, Configuration configuration)
	throws ConfigurationException, ParameterException {
	if (component instanceof Configurable) {
	((Configurable) component).configure(configuration);
	}
	if (component instanceof Parameterizable) {
	Parameters parameters = Parameters.fromConfiguration(configuration);
	((Parameterizable) component).parameterize(parameters);
	}
	}

	/**
	* @see org.apache.avalon.framework.configuration.Configurable#configure(org.apache.avalon.framework.configuration.Configuration)
	*/
	public void configure(Configuration conf) throws ConfigurationException {

	try {
	setupAccreditableManager(conf);
	setupAuthorizers(conf);
	setupPolicyManager(conf);
	setupAuthenticator();
	} catch (ConfigurationException e) {
	throw e;
	} catch (Exception e) {
	throw new ConfigurationException("Configuration failed: ", e);
	}
	}

	/**
	* Creates the accreditable manager.
	*
	* @param configuration The access controller configuration.
	* @throws ConfigurationException when the configuration failed.
	* @throws ServiceException when something went wrong.
	* @throws ParameterException when something went wrong.
	*/
	protected void setupAccreditableManager(Configuration configuration)
	throws ConfigurationException, ServiceException, ParameterException {
	Configuration config = configuration.getChild(ACCREDITABLE_MANAGER_ELEMENT, false);
	if (config != null) {
	AccreditableManagerFactory factory = null;
	try {
	factory = (AccreditableManagerFactory) this.manager
	.lookup(AccreditableManagerFactory.ROLE);
	this.accreditableManager = factory.getAccreditableManager(config);
	this.accreditableManager.addItemManagerListener(this);
	} finally {
	if (factory != null) {
	this.manager.release(factory);
	}
	}
	}
	}

	/**
	* Creates the authorizers.
	*
	* @param configuration The access controller configuration.
	* @throws ConfigurationException when the configuration failed.
	* @throws ServiceException when something went wrong.
	* @throws ParameterException when something went wrong.
	*/
	protected void setupAuthorizers(Configuration configuration) throws ServiceException,
	ConfigurationException, ParameterException {
	Configuration[] authorizerConfigurations = configuration.getChildren(AUTHORIZER_ELEMENT);
	if (authorizerConfigurations.length > 0) {
	this.authorizerSelector = (ServiceSelector) this.manager.lookup(Authorizer.ROLE
	+ "Selector");

	for (int i = 0; i < authorizerConfigurations.length; i++) {
	String type = authorizerConfigurations[i].getAttribute(TYPE_ATTRIBUTE);
	if (getLogger().isDebugEnabled()) {
	getLogger().debug("Adding authorizer [" + type + "]");
	}

	Authorizer authorizer = (Authorizer) this.authorizerSelector.select(type);
	this.authorizerKeys.add(type);
	this.authorizers.put(type, authorizer);
	configureOrParameterize(authorizer, authorizerConfigurations[i]);
	}
	}
	}

	/**
	* Creates the policy manager.
	*
	* @param configuration The access controller configuration.
	* @throws ConfigurationException when the configuration failed.
	* @throws ServiceException when something went wrong.
	* @throws ParameterException when something went wrong.
	*/
	protected void setupPolicyManager(Configuration configuration) throws ServiceException,
	ConfigurationException, ParameterException {
	Configuration policyManagerConfiguration = configuration.getChild(POLICY_MANAGER_ELEMENT,
	false);
	if (policyManagerConfiguration != null) {
	String policyManagerType = policyManagerConfiguration.getAttribute(TYPE_ATTRIBUTE);
	if (getLogger().isDebugEnabled()) {
	getLogger().debug("Adding policy manager type: [" + policyManagerType + "]");
	}
	this.policyManagerSelector = (ServiceSelector) this.manager.lookup(PolicyManager.ROLE
	+ "Selector");
	this.policyManager = (PolicyManager) this.policyManagerSelector
	.select(policyManagerType);
	configureOrParameterize(this.policyManager, policyManagerConfiguration);
	}
	}

	/**
	* Sets up the authenticator.
	* @throws ServiceException when something went wrong.
	*/
	protected void setupAuthenticator() throws ServiceException {
	this.authenticator = (Authenticator) this.manager.lookup(Authenticator.ROLE);
	}

	/**
	* Set the global component manager.
	*
	* @param _manager The global component manager
	* @throws ServiceException when something went wrong.
	*/
	public void service(ServiceManager _manager) throws ServiceException {
	this.manager = _manager;
	}

	/**
	* Returns the service manager.
	* @return A service manager.
	*/
	protected ServiceManager getManager() {
	return this.manager;
	}

	/**
	* Returns the authorizers of this action.
	* @return An array of authorizers.
	*/
	public Authorizer[] getAuthorizers() {

	Authorizer[] authorizerArray = new Authorizer[this.authorizers.size()];
	for (int i = 0; i < this.authorizers.size(); i++) {
	String key = (String) this.authorizerKeys.get(i);
	authorizerArray[i] = (Authorizer) this.authorizers.get(key);
	}
	return authorizerArray;
	}

	/**
	* Returns if this action has authorizers.
	* @return A boolean value.
	*/
	protected boolean hasAuthorizers() {
	return !this.authorizers.isEmpty();
	}

	/**
	* @see org.apache.avalon.framework.activity.Disposable#dispose()
	*/
	public void dispose() {

	if (this.accreditableManager != null) {
	this.accreditableManager.removeItemManagerListener(this);
	}

	if (this.policyManagerSelector != null) {
	if (this.policyManager != null) {
	this.policyManagerSelector.release(this.policyManager);
	}
	getManager().release(this.policyManagerSelector);
	}

	if (this.authorizerSelector != null) {
	Authorizer[] _authorizers = getAuthorizers();
	for (int i = 0; i < _authorizers.length; i++) {
	this.authorizerSelector.release(_authorizers[i]);
	}
	getManager().release(this.authorizerSelector);
	}

	if (this.authenticator != null) {
	getManager().release(this.authenticator);
	}

	if (getLogger().isDebugEnabled()) {
	getLogger().debug("Disposing [" + this + "]");
	}
	}

	/**
	* Returns the accreditable manager.
	* @return An accreditable manager.
	*/
	public AccreditableManager getAccreditableManager() {
	return this.accreditableManager;
	}

	/**
	* Returns the policy manager.
	* @return A policy manager.
	*/
	public PolicyManager getPolicyManager() {
	return this.policyManager;
	}

	/**
	* Returns the authenticator.
	* @return The authenticator.
	*/
	public Authenticator getAuthenticator() {
	return this.authenticator;
	}

	/**
	* Checks if this identity was initialized by this access controller.
	*
	* @param identity An identity.
	* @return A boolean value.
	* @throws AccessControlException when something went wrong.
	*/
	public boolean ownsIdenity(Identity identity) throws AccessControlException {
	return identity.belongsTo(getAccreditableManager());
	}

	/**
	* @see org.apache.lenya.ac.AccessController#setupIdentity(org.apache.cocoon.environment.Request)
	*/
	public void setupIdentity(Request request) throws AccessControlException {
	Session session = request.getSession(true);
	if (!hasValidIdentity(session)) {
	Identity identity = new Identity(getLogger());
	identity.initialize();
	String remoteAddress = request.getRemoteAddr();
	String clientAddress = request.getHeader("x-forwarded-for");

	if (clientAddress != null) {
	Pattern p = Pattern.compile(VALID_IP);
	Matcher m = p.matcher(clientAddress);

	if (m.find()) {
	remoteAddress = m.group();
	}
	}

	getLogger().info("Remote Address to use: [" + remoteAddress + "]");

	Machine machine = new Machine(remoteAddress);
	IPRange[] ranges = this.accreditableManager.getIPRangeManager().getIPRanges();
	for (int i = 0; i < ranges.length; i++) {
	if (ranges[i].contains(machine)) {
	machine.addIPRange(ranges[i]);
	}
	}

	identity.addIdentifiable(machine);
	session.setAttribute(Identity.class.getName(), identity);
	}
	}

	/**
	* Checks if the session contains an identity that is not null and belongs
	* to the used access controller.
	*
	* @param session The current session.
	* @return A boolean value.
	* @throws AccessControlException when something went wrong.
	*/
	protected boolean hasValidIdentity(Session session) throws AccessControlException {
	boolean valid = true;
	Identity identity = (Identity) session.getAttribute(Identity.class.getName());
	if (identity == null \|\| !ownsIdenity(identity)) {
	valid = false;
	}
	return valid;
	}

	/**
	* @see org.apache.lenya.ac.ItemManagerListener#itemAdded(org.apache.lenya.ac.Item)
	*/
	public void itemAdded(Item item) throws AccessControlException {
	if (getLogger().isDebugEnabled()) {
	getLogger().debug("Item was added: [" + item + "]");
	getLogger().debug("Notifying policy manager");
	}
	if (item instanceof Accreditable) {
	getPolicyManager().accreditableAdded(getAccreditableManager(), (Accreditable) item);
	}
	}

	/**
	* @see org.apache.lenya.ac.ItemManagerListener#itemRemoved(org.apache.lenya.ac.Item)
	*/
	public void itemRemoved(Item item) throws AccessControlException {
	if (getLogger().isDebugEnabled()) {
	getLogger().debug("Item was removed: [" + item + "]");
	getLogger().debug("Notifying policy manager");
	}

	if (!(item instanceof Role)) {
	getPolicyManager().accreditableRemoved(getAccreditableManager(), (Accreditable) item);
	}
	}

	}