[原创]JAAS 实现in Struts Web App，使用XMLPolicy文件，不改变VM安全文件(2)授权

本文章继续上一篇实现WebApp的授权

5. 实现XMLPolicyFile类。

public class XMLPolicyFile extends Policy implements JAASConstants {

private Document doc = null;

//private CodeSource noCertCodeSource=null;

/*

* constructor

* refresh()

*/

public XMLPolicyFile(){

refresh();

}

public PermissionCollection getPermissions(CodeSource arg0) {

// TODO Auto-generated method stub

return null;

}

/*

* Creates a DOM tree document from the default XML file or

* from the file specified by the system property,

* <code>com.ibm.resource.security.auth.policy</code>. This

* DOM tree document is then used by the

* <code>getPermissions()</code> in searching for permissions.

*

* @see javax.security.auth.Policy#refresh()

*/

public void refresh() {

FileInputStream fis = null;

try {

// Set up a DOM tree to query

fis = new FileInputStream(AUTH_SECURITY_POLICYXMLFILE);

InputSource in = new InputSource(fis);

DocumentBuilderFactory dfactory = DocumentBuilderFactory.newInstance();

dfactory.setNamespaceAware(true);

doc = dfactory.newDocumentBuilder().parse(in);

} catch (Exception e) {

e.printStackTrace();

throw new RuntimeException(e.getMessage());

} finally {

if(fis != null) {

try { fis.close(); } catch (IOException e) {}

}

}

}

public PermissionCollection getPermissions(Subject subject,CodeSource codeSource) {

ResourcePermissionCollection collection = new ResourcePermissionCollection();

try {

// Iterate through all of the subjects principals

Iterator principalIterator = subject.getPrincipals().iterator();

while(principalIterator.hasNext()){

Principal principal = (Principal)principalIterator.next();

// Set up the xpath string to retrieve all the relevant permissions

// Sample xpath string: "/policy/grant[@codebase=\"sample_actions.jar\"]/principal[@classname=\"com.fonseca.security.SamplePrincipal\"][@name=\"testUser\"]/permission"

StringBuffer xpath = new StringBuffer();

xpath.append("/policy/grant/principal[@classname=\"");

xpath.append(principal.getClass().getName());

xpath.append("\"][@name=\"");

xpath.append(principal.getName());

xpath.append("\"]/permission");

//System.out.println(xpath.toString());

NodeIterator nodeIter = XPathAPI.selectNodeIterator(doc, xpath.toString());

Node node = null;

while( (node = nodeIter.nextNode()) != null ) {

//here

CodeSource codebase=getCodebase(node.getParentNode().getParentNode());

if (codebase!=null || codebase.implies(codeSource)){

Permission permission = getPermission(node);

collection.add(permission);

}

}

}

} catch (Exception e) {

e.printStackTrace();

throw new RuntimeException(e.getMessage());

}

if(collection != null)

return collection;

else {

// If the permission is not found here then delegate it

// to the standard java Policy class instance.

Policy policy = Policy.getPolicy();

return policy.getPermissions(codeSource);

}

}

/**

* Returns a Permission instance defined by the provided

* permission Node attributes.

*/

private Permission getPermission(Node node) throws Exception {

NamedNodeMap map = node.getAttributes();

Attr attrClassname = (Attr) map.getNamedItem("classname");

Attr attrName = (Attr) map.getNamedItem("name");

Attr attrActions = (Attr) map.getNamedItem("actions");

Attr attrRelationship = (Attr) map.getNamedItem("relationship");

if(attrClassname == null)

throw new RuntimeException();

Class[] types = null;

Object[] args = null;

// Check if the name is specified

// if no name is specified then because

// the types and the args variables above

// are null the default constructor is used.

if(attrName != null) {

String name = attrName.getValue();

// Check if actions are specified

// then setup the array sizes accordingly

if(attrActions != null) {

String actions = attrActions.getValue();

// Check if a relationship is specified

// then setup the array sizes accordingly

if(attrRelationship == null) {

types = new Class[2];

args = new Object[2];

} else {

types = new Class[3];

args = new Object[3];

String relationship = attrRelationship.getValue();

types[2] = relationship.getClass();

args[2] = relationship;

}

types[1] = actions.getClass();

args[1] = actions;

} else {

types = new Class[1];

args = new Object[1];

}

types[0] = name.getClass();

args[0] = name;

}

String classname = attrClassname.getValue();

Class permissionClass = Class.forName(classname);

Constructor constructor = permissionClass.getConstructor(types);

return (Permission) constructor.newInstance(args);

}

/**

* Returns a CodeSource object defined by the provided

* grant Node attributes.

*/

private java.security.CodeSource getCodebase(Node node) throws Exception {

Certificate[] certs = null;

URL location;

if(node.getNodeName().equalsIgnoreCase("grant")) {

NamedNodeMap map = node.getAttributes();

Attr attrCodebase = (Attr) map.getNamedItem("codebase");

if(attrCodebase != null) {

String codebaseValue = attrCodebase.getValue();

location = new URL(codebaseValue);

return new CodeSource(location,certs);

}

}

return null;

}

}

6.继承Principal类PrincipalUser

public class PrincipalUser implements Principal {

private String name;

/**

*

* @param name the name for this principal.

*

* @exception InvalidParameterException if the <code>name</code>

* is <code>null</code>.

*/

public PrincipalUser(String name) {

if (name == null)

throw new InvalidParameterException("name cannot be null");

//search role of this name.

this.name = name;

}

/**

* Returns the name for this <code>PrincipalUser</code>.

*

* @return the name for this <code>PrincipalUser</code>

*/

public String getName() {

return name;

}

/**

*

*/

public int hashCode() {

return name.hashCode();

}

}

7．继承Permission和PermissionCollection类

public class ResourcePermission extends Permission {

static final public String OWNER_RELATIONSHIP = "OWNER";

static private int READ = 0x01;

static private int WRITE = 0x02;

static private int EXECUTE = 0x04;

static private int CREATE = 0x08;

static private int DELETE = 0x10;

static private int DEPLOY = 0x16;

static private int CONFIRM = 0x24;

static final public String READ_ACTION = "read";

static final public String WRITE_ACTION = "write";

static final public String EXECUTE_ACTION = "execute";

static final public String CREATE_ACTION = "create";

static final public String DELETE_ACTION = "delete";

static final public String DEPLOY_ACTION = "deploy";

static final public String CONFIRM_ACTION = "confirm";

protected int mask;

protected Resource resource;

protected Subject subject;

/**

* Constructor for ResourcePermission

*/

public ResourcePermission(String name, String actions, Resource resource, Subject subject) {

super(name);

this.resource = resource;

this.subject = subject;

parseActions(actions);

}

/**

* @see Permission#getActions()

*/

public String getActions() {

StringBuffer buf = new StringBuffer();

if( (mask & READ) == READ )

buf.append(READ_ACTION);

if( (mask & WRITE) == WRITE ) {

if(buf.length() > 0)

buf.append(", ");

buf.append(WRITE_ACTION);

}

if( (mask & EXECUTE) == EXECUTE ) {

if(buf.length() > 0)

buf.append(", ");

buf.append(EXECUTE_ACTION);

}

if( (mask & CREATE) == CREATE ) {

if(buf.length() > 0)

buf.append(", ");

buf.append(CREATE_ACTION);

}

if( (mask & DELETE) == DELETE ) {

if(buf.length() > 0)

buf.append(", ");

buf.append(DELETE_ACTION);

}

return buf.toString();

}

/**

* @see Permission#hashCode()

*/

public int hashCode() {

StringBuffer value = new StringBuffer(getName());

return value.toString().hashCode() ^ mask;

}

/**

* @see Permission#equals(Object)

*/

public boolean equals(Object object) {

if( !(object instanceof ResourcePermission) )

return false;

ResourcePermission p = (ResourcePermission) object;

return ( (p.getName().equals(getName())) && (p.mask == mask) );

}

/**

* @see Permission#implies(Permission)

*/

public boolean implies(Permission permission) {

// The permission must be an instance

// of the DefaultResourceActionPermission.

if( !(permission instanceof ResourcePermission) )

return false;

// The resource name must be the same.

if( !(permission.getName().equals(getName())) )

return false;

return true;

}

/**

* Parses the actions string. Actions are separated

* by commas or white space.

*/

private void parseActions(String actions) {

mask = 0;

if(actions != null) {

StringTokenizer tokenizer = new StringTokenizer(actions, ",\t ");

while(tokenizer.hasMoreTokens()) {

String token = tokenizer.nextToken();

if(token.equals(READ_ACTION))

mask |= READ;

else if(token.equals(WRITE_ACTION))

mask |= WRITE;

<