Index: api/impl/UDDIInquiryImpl.java =================================================================== --- api/impl/UDDIInquiryImpl.java (revision 1502981) +++ api/impl/UDDIInquiryImpl.java (working copy) @@ -35,12 +35,17 @@ import org.apache.juddi.config.Property; import org.apache.juddi.mapping.MappingModelToApi; import org.apache.juddi.model.TempKey; +import org.apache.juddi.model.UddiEntityPublisher; import org.apache.juddi.query.util.FindQualifiers; +import org.apache.juddi.security.AccessControlFactory; +import org.apache.juddi.security.AccessLevel; import org.apache.juddi.v3.error.ErrorMessage; import org.apache.juddi.v3.error.InvalidKeyPassedException; import org.apache.juddi.validation.ValidateInquiry; import org.uddi.api_v3.BindingDetail; +import org.uddi.api_v3.BindingTemplate; import org.uddi.api_v3.BusinessDetail; +import org.uddi.api_v3.BusinessInfo; import org.uddi.api_v3.BusinessList; import org.uddi.api_v3.FindBinding; import org.uddi.api_v3.FindBusiness; @@ -94,9 +99,11 @@ EntityTransaction tx = em.getTransaction(); try { tx.begin(); - + UddiEntityPublisher entityPublisher=null; if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + } org.apache.juddi.query.util.FindQualifiers findQualifiers = new org.apache.juddi.query.util.FindQualifiers(); findQualifiers.mapApiFindQualifiers(body.getFindQualifiers()); @@ -121,7 +128,12 @@ tx.rollback(); long procTime = System.currentTimeMillis() - startTime; serviceCounter.update(InquiryQuery.FIND_BINDING, QueryStatus.SUCCESS, procTime); - + if (isAuthenticated() && entityPublisher!=null) + { + List FilterBindingTemplates = AccessControlFactory.getAccessControlInstance().FilterBindingTemplates(entityPublisher.getAuthorizedName(), result.getBindingTemplate()); + result.getBindingTemplate().clear(); + result.getBindingTemplate().addAll(FilterBindingTemplates); + } return result; } finally { if (tx.isActive()) { @@ -148,9 +160,12 @@ try { tx.begin(); + UddiEntityPublisher entityPublisher=null; if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); - + { + entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + } + org.apache.juddi.query.util.FindQualifiers findQualifiers = new org.apache.juddi.query.util.FindQualifiers(); findQualifiers.mapApiFindQualifiers(body.getFindQualifiers()); @@ -161,6 +176,13 @@ tx.rollback(); long procTime = System.currentTimeMillis() - startTime; serviceCounter.update(InquiryQuery.FIND_BUSINESS, QueryStatus.SUCCESS, procTime); + if (isAuthenticated() && entityPublisher!=null && result.getBusinessInfos()!=null) + { + List filtered = AccessControlFactory.getAccessControlInstance().FilterBusinessInfo(entityPublisher.getAuthorizedName(), result.getBusinessInfos().getBusinessInfo()); + result.getBusinessInfos().getBusinessInfo().clear(); + result.getBusinessInfos().getBusinessInfo().addAll(filtered); + //need to either update the list description or filter this data elsewhere Update(result.getListDescription()); + } return result; } finally { @@ -324,7 +346,10 @@ tx.begin(); if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + UddiEntityPublisher entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + AccessControlFactory.getAccessControlInstance().AssertAccess(AccessLevel.READ, entityPublisher.getAuthorizedName(), body.getBindingKey()); + } BindingDetail result = new BindingDetail(); @@ -375,7 +400,10 @@ tx.begin(); if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + UddiEntityPublisher entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + AccessControlFactory.getAccessControlInstance().AssertAccess(AccessLevel.READ, entityPublisher.getAuthorizedName(), body.getBusinessKey()); + } BusinessDetail result = new BusinessDetail(); @@ -426,7 +454,10 @@ tx.begin(); if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + UddiEntityPublisher entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + AccessControlFactory.getAccessControlInstance().AssertAccess(AccessLevel.READ, entityPublisher.getAuthorizedName(), body.getEntityKey()); + } OperationalInfos result = new OperationalInfos(); @@ -477,7 +508,10 @@ tx.begin(); if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + UddiEntityPublisher entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + AccessControlFactory.getAccessControlInstance().AssertAccess(AccessLevel.READ, entityPublisher.getAuthorizedName(), body.getServiceKey()); + } ServiceDetail result = new ServiceDetail(); @@ -529,7 +563,10 @@ tx.begin(); if (isAuthenticated()) - this.getEntityPublisher(em, body.getAuthInfo()); + { + UddiEntityPublisher entityPublisher = this.getEntityPublisher(em, body.getAuthInfo()); + AccessControlFactory.getAccessControlInstance().AssertAccess(AccessLevel.READ, entityPublisher.getAuthorizedName(), body.getTModelKey()); + } TModelDetail result = new TModelDetail(); Index: security/AccessControlException.java =================================================================== --- security/AccessControlException.java (revision 0) +++ security/AccessControlException.java (working copy) @@ -0,0 +1,33 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.juddi.security; + +import org.apache.juddi.v3.error.ErrorMessage; +import org.apache.juddi.v3.error.RegistryException; +import org.apache.juddi.v3.error.UDDIErrorHelper; + +/** + * + * @author Alex O'Ree + */ +public class AccessControlException extends RegistryException { + + private static final long serialVersionUID = -3459892224164959205L; + + public AccessControlException(ErrorMessage message) { + super(message, UDDIErrorHelper.buildDispositionReport(UDDIErrorHelper.E_REQUEST_DENIED)); + } +} Index: security/AccessControlFactory.java =================================================================== --- security/AccessControlFactory.java (revision 0) +++ security/AccessControlFactory.java (working copy) @@ -0,0 +1,73 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.juddi.security; + +import java.util.logging.Level; +import java.util.logging.Logger; +import org.apache.commons.configuration.ConfigurationException; +import org.apache.juddi.config.AppConfig; +import org.apache.juddi.config.Property; + +/** + * Provides an accessor to the access control mechanism + * + * @author Alex O'Ree + */ +public class AccessControlFactory { + + static final Logger log = Logger.getLogger(AccessControlFactory.class.getName()); + private static IAccessControl instance = null; + + /** + * Gets an instance of IAccessControl using the following procedure, in order
+ *
    + *
  1. Using the judiv3.properties configuration file setting Property.JUDDI_FINE_GRAIN_ACCESS_CONTROL_PROVIDER
    2. + *
  2. If the previous fails to load or is not defined, DefaultCorseAccessControlImpl
    3. + *
+ * @return should never return null or throw exceptions + * @see DefaultCorseAccessControlImpl + * @see Property + */ + public static IAccessControl getAccessControlInstance() { + if (instance != null) { + return instance; + } + String clazz = null; + try { + clazz = AppConfig.getConfiguration().getString(Property.JUDDI_ACCESS_CONTROL_PROVIDER, DefaultCorseAccessControlImpl.class.getCanonicalName()); + Class c = Class.forName(clazz); + IAccessControl ret = (IAccessControl) c.newInstance(); + log.log(Level.INFO, "Successfully loaded FineGrainedAccessControl provider {0}", clazz); + instance = ret; + return ret; + } catch (IllegalAccessException x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (InstantiationException x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (ExceptionInInitializerError x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (SecurityException x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (ClassNotFoundException x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (ConfigurationException x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } catch (Exception x) { + log.log(Level.WARNING, "error loading control provider " + clazz, x); + } + return new DefaultCorseAccessControlImpl(); + } +} Index: security/AccessLevel.java =================================================================== --- security/AccessLevel.java (revision 0) +++ security/AccessLevel.java (working copy) @@ -0,0 +1,46 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.juddi.security; + +/** + * + * @author Alex O'Ree + */ +public enum AccessLevel { + /** + * No access at all + */ + NONE, + /** + * Read only access, cannot make changes + */ + READ, + /** + * Can view, read, make changes, and delete a specific entity + */ + WRITE, + /** + * Can view, read, make changes, delete a specific entity, can initiate a custody transfer, and delegate permissions + * to another user + */ + OWN, + /** + * can create new entities + */ + CREATE + +} Index: security/AllowAllAccessControlImpl.java =================================================================== --- security/AllowAllAccessControlImpl.java (revision 0) +++ security/AllowAllAccessControlImpl.java (working copy) @@ -0,0 +1,65 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.juddi.security; + +import java.util.List; +import org.uddi.api_v3.BindingTemplate; +import org.uddi.api_v3.BusinessEntity; +import org.uddi.api_v3.BusinessInfo; +import org.uddi.api_v3.BusinessService; +import org.uddi.api_v3.TModel; + +/** + * + * @author Alex O'Ree + */ +public class AllowAllAccessControlImpl implements IAccessControl{ + + public List FilterServices(String username, List services) { + return services; + } + + public List FilterBusinesses(String username, List business) { + return business; + } + + public List FilterTModels(String username, List tmodels) { + return tmodels; + } + + public List FilterBindingTemplates(String username, List bindings) { + return bindings; + } + + public boolean HasAccess(AccessLevel level, String username, List keys) { + return true; + } + + public void AssertAccess(AccessLevel level, String username, List keys) { + } + + + public boolean IsAdmin(String username) throws IllegalArgumentException { + return true; + } + + + public List FilterBusinessInfo(String username, List business) { + return business; + } + +} Index: security/DefaultCorseAccessControlImpl.java =================================================================== --- security/DefaultCorseAccessControlImpl.java (revision 0) +++ security/DefaultCorseAccessControlImpl.java (working copy) @@ -0,0 +1,71 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.juddi.security; + +import java.util.List; +import org.uddi.api_v3.BindingTemplate; +import org.uddi.api_v3.BusinessEntity; +import org.uddi.api_v3.BusinessInfo; +import org.uddi.api_v3.BusinessService; +import org.uddi.api_v3.TModel; + +/** + * + * @author Alex O'Ree + */ +public class DefaultCorseAccessControlImpl implements IAccessControl{ + + public List FilterServices(String username, List services) { + return services; + } + + public List FilterBusinesses(String username, List business) { + return business; + } + + public List FilterTModels(String username, List tmodels) { + return tmodels; + } + + public boolean HasAccess(AccessLevel level, String username, String key) { + return true; + } + + public boolean IsAdmin(String username) throws IllegalArgumentException { + return true; + } + + public List FilterBindingTemplates(String username, List bindings) { + return bindings; + } + + @Override + public boolean HasAccess(AccessLevel level, String username, List keys) { + return true; + } + + @Override + public List FilterBusinessInfo(String username, List business) { + return business; + } + + @Override + public void AssertAccess(AccessLevel level, String username, List keys) { + + } + +} Index: security/IAccessControl.java =================================================================== --- security/IAccessControl.java (revision 0) +++ security/IAccessControl.java (working copy) @@ -0,0 +1,55 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.juddi.security; + +import java.util.List; +import org.uddi.api_v3.BindingTemplate; +import org.uddi.api_v3.BusinessEntity; +import org.uddi.api_v3.BusinessInfo; +import org.uddi.api_v3.BusinessService; +import org.uddi.api_v3.TModel; + +/** + * Provides an interface for a pluggable Fine Grained Access Control mechanism for jUDDI + * @author Alex O'Ree + * @since 3.2 + * @see AccessLevel + */ +public interface IAccessControl { + + public List FilterServices(String username, List services); + + public List FilterBusinesses(String username, List business); + + public List FilterBusinessInfo(String username, List business); + + + public List FilterTModels(String username, List tmodels); + + public List FilterBindingTemplates(String username, List bindings); + + public boolean HasAccess(AccessLevel level, String username, List keys); + + public void AssertAccess(AccessLevel level, String username, List keys); + /** + * return true if and only if the specified username has administrative rights for this instance of jUDDI + * @param username + * @return + * @throws IllegalArgumentException + */ + public boolean IsAdmin(String username) throws IllegalArgumentException; +} Index: security/RoleBasedAccessControlImpl.java =================================================================== --- security/RoleBasedAccessControlImpl.java (revision 0) +++ security/RoleBasedAccessControlImpl.java (working copy) @@ -0,0 +1,79 @@ +/* + * Copyright 2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.juddi.security; + +import java.util.List; +import org.uddi.api_v3.BindingTemplate; +import org.uddi.api_v3.BusinessEntity; +import org.uddi.api_v3.BusinessInfo; +import org.uddi.api_v3.BusinessService; +import org.uddi.api_v3.TModel; + +/** + * RBAC functionality, to be pulled from J2EE container, such as Tomcat or Jboss + * Need to map roles to permissions via tables + * @author Alex O'Ree + */ +public class RoleBasedAccessControlImpl implements IAccessControl{ + + + public List FilterServices(String username, List services) { + throw new UnsupportedOperationException("Not supported yet."); + } + + + public List FilterBusinesses(String username, List business) { + throw new UnsupportedOperationException("Not supported yet."); + } + + + public List FilterTModels(String username, List tmodels) { + throw new UnsupportedOperationException("Not supported yet."); + } + + + + public boolean HasAccess(AccessLevel level, String username, String key) { + throw new UnsupportedOperationException("Not supported yet."); + } + + + public boolean IsAdmin(String username) throws IllegalArgumentException { + throw new UnsupportedOperationException("Not supported yet."); + } + + + public List FilterBindingTemplates(String username, List bindings) { + throw new UnsupportedOperationException("Not supported yet."); + } + + @Override + public boolean HasAccess(AccessLevel level, String username, List keys) { + throw new UnsupportedOperationException("Not supported yet."); + } + + @Override + public List FilterBusinessInfo(String username, List business) { + throw new UnsupportedOperationException("Not supported yet."); + } + + @Override + public void AssertAccess(AccessLevel level, String username, List keys) { + throw new UnsupportedOperationException("Not supported yet."); + } + +}