Package org.jboss.security

Examples of org.jboss.security.AuthorizationManager


    @return The Set<Principal> for the application domain roles that the
    principal has been assigned.
   */
   public Set<Principal> getUserRoles(Principal principal)
   {
      // Delegate to the AuthorizationManager registered for this instance's securityDomain
      // under the JAAS context root.
      // NOTE(review): the lookup result is used without a null check; whether
      // SecurityUtil.getAuthorizationManager can return null is not visible here - confirm.
      return SecurityUtil
            .getAuthorizationManager(securityDomain, SecurityConstants.JAAS_CONTEXT_ROOT)
            .getUserRoles(principal);
   }


      // Thread count and per-thread iteration count are read from system properties and
      // default to 10 threads and 5000 iterations when the properties are not set.
      int count = Integer.getInteger("jbosstest.threadcount", 10).intValue();
      int iterations = Integer.getInteger("jbosstest.iterationcount", 5000).intValue();
      log.info("Creating "+count+" threads doing "+iterations+" iterations");
      // Register the Subject handler under SUBJECT_CONTEXT_KEY. The trailing `false` is the
      // replace flag: assuming this is javax.security.jacc.PolicyContext, an already registered
      // handler for the key is kept rather than overwritten - confirm.
      PolicyContext.registerHandler(SecurityConstants.SUBJECT_CONTEXT_KEY,
          new SubjectPolicyContextHandler(), false);
      // Authorization and authentication managers are both created for the "testIdentity" domain.
      AuthorizationManager am = new JBossAuthorizationManager("testIdentity");
      JaasSecurityManager secMgr = new JaasSecurityManager("testIdentity", new SecurityAssociationHandler());
      // Create and start the timed cache, then install it on the security manager.
      // NOTE(review): the arguments are presumably (default lifetime, thread-safe flag,
      // resolution) - confirm against TimedCachePolicy; `false` here would mean the cache itself
      // does no locking even though the test runs several threads.
      TimedCachePolicy cache = new TimedCachePolicy(3, false, 100);
      cache.create();
      cache.start();
      secMgr.setCachePolicy(cache);

      }

      // A null user produces a null principal instead of a SimplePrincipal.
      // NOTE(review): that null is passed to doesUserHaveRole below; how the manager treats a
      // null principal (deny, or fall back to the current caller) is not visible here - confirm.
      final Principal principal = user == null ? null : new SimplePrincipal(user);
      // Fail closed: without a SecurityManagement, or without an AuthorizationManager for the
      // domain, the check throws instead of producing an authorization decision.
      if (securityManagement == null)
         throw new SecurityException("SecurityManagement has not been set");
      final AuthorizationManager authorizationManager = securityManagement.getAuthorizationManager(securityDomain);
      if (authorizationManager == null)
         throw new SecurityException("AuthorizationManager is null for domain=" + securityDomain);
      // The role check runs inside doPrivileged, i.e. with this class's own permissions rather
      // than the intersection with callers further up the stack.
      boolean hasRole = AccessController.doPrivileged(new PrivilegedAction<Boolean>()
      {
         public Boolean run()
         {
             return authorizationManager.doesUserHaveRole(principal, rolePrincipals);
         }});

      if (trace)
      {
         // NOTE(review): `user` is concatenated into the log line unchanged; if it is
         // caller-supplied (its origin is outside this excerpt) strip CR/LF before logging.
         log.trace("user " + user + (hasRole ? " is " : " is NOT ") + "authorized");

   {
      // Looks up the ACL-domain authorization manager, builds a two-level test resource tree and
      // reports the entitlements of the identity named in the request.
      try
      {
         // first retrieve the authorization manager for the acl-domain.
         InitialContext ctx = new InitialContext();
         AuthorizationManager manager = (AuthorizationManager) ctx.lookup("java:jaas/acl-domain/authorizationMgr");

         // create a resource 1 that has resource 2 as a child.
         TestResource resource1 = new TestResource(1);
         TestResource resource2 = new TestResource(2);
         Collection<Resource> childResources = new ArrayList<Resource>();
         childResources.add(resource2);
         resource1.getMap().put(ResourceKeys.CHILD_RESOURCES, childResources);
         resource2.getMap().put(ResourceKeys.PARENT_RESOURCE, resource1);

         // retrieve the identity name from the request.
         // NOTE(review): the identity comes straight from a request parameter, so the entitlements
         // reported are those of whatever name the client sends, not of the authenticated caller.
         // That is acceptable for a test servlet only; production code would take the identity
         // from the authenticated principal. Presumably `name` is null when the parameter is
         // absent (servlet getParameter contract) - confirm SimpleIdentity tolerates that.
         String name = request.getParameter("identity");
         Identity identity = new SimpleIdentity(name);

         // now call the getEntitlements method using created resource and identity objects.
         EntitlementHolder<EntitlementEntry> holder = manager.getEntitlements(EntitlementEntry.class, resource1,
               identity);

         // write the results in the response (resource id : permissions)
         // NOTE(review): the content type is text/html; the write calls are outside this excerpt,
         // but anything written that derives from `name` needs HTML escaping.
         response.setContentType("text/html");
         PrintWriter writer = response.getWriter();

      // Looks up the ACL-domain authorization manager, builds a two-level test resource tree and
      // collects the entitlements of `identity` over it.
      try
      {
         // first retrieve the authorization manager for the acl-domain.
         InitialContext ctx = new InitialContext();
         AuthorizationManager manager = (AuthorizationManager) ctx.lookup("java:jaas/acl-domain/authorizationMgr");

         // create a resource 10 that has resource 11 as a child.
         TestResource resource10 = new TestResource(10);
         TestResource resource11 = new TestResource(11);
         Collection<Resource> childResources = new ArrayList<Resource>();
         childResources.add(resource11);
         resource10.getMap().put(ResourceKeys.CHILD_RESOURCES, childResources);
         resource11.getMap().put(ResourceKeys.PARENT_RESOURCE, resource10);

         // now call the getEntitlements method using created resource and identity objects.
         // NOTE(review): `identity` is declared outside this excerpt; if it is supplied by the
         // caller rather than taken from the authenticated principal, any caller can query the
         // entitlements of any identity - confirm where it comes from.
         EntitlementHolder<EntitlementEntry> holder = manager.getEntitlements(EntitlementEntry.class, resource10,
               IdentityFactory.createIdentity(identity));

         // for each entitlement entry, put the resource id and associated permission in the map to be returned.
         for (EntitlementEntry entry : holder.getEntitled())
         {

        return new AccountImpl(id);
    }

    private Account verifyCredential(final AccountImpl account, final Object credential) {
        // Validates `credential` for the account's original principal and, on success, returns a
        // new AccountImpl carrying the authenticated principal and its role names. The failure
        // path and the catch clause are outside this excerpt.
        final AuthenticationManager authenticationManager = securityDomainContext.getAuthenticationManager();
        final AuthorizationManager authorizationManager = securityDomainContext.getAuthorizationManager();
        final SecurityContext sc = SecurityActions.getSecurityContext();
        Principal incomingPrincipal = account.getOriginalPrincipal();
        // Fresh Subject handed to isValid; it is read back below, so the authentication manager
        // is presumably expected to populate it - confirm.
        Subject subject = new Subject();
        try {
            boolean isValid = authenticationManager.isValid(incomingPrincipal, credential, subject);
            if (isValid) {
                // Only the principal is traced here, never the credential.
                UndertowLogger.ROOT_LOGGER.tracef("User: %s is authenticated", incomingPrincipal);
                // The security context is required only after a successful authentication.
                if (sc == null) {
                    throw UndertowLogger.ROOT_LOGGER.noSecurityContext();
                }
                Principal userPrincipal = getPrincipal(subject);
                // NOTE(review): the raw credential is stored in the subject info here and again in
                // the returned AccountImpl; confirm both copies are needed and are cleared on logout.
                sc.getUtil().createSubjectInfo(incomingPrincipal, credential, subject);
                SecurityContextCallbackHandler scb = new SecurityContextCallbackHandler(sc);
                // NOTE(review): the RoleGroup is dereferenced without a null check - confirm
                // getSubjectRoles cannot return null for a subject with no roles.
                RoleGroup roles = authorizationManager.getSubjectRoles(subject, scb);
                // Flatten the role group to plain role names for the account.
                Set<String> roleSet = new HashSet<>();
                for (Role role : roles.getRoles()) {
                    roleSet.add(role.getRoleName());
                }
                return new AccountImpl(userPrincipal, roleSet, credential, account.getOriginalPrincipal());

        return am;
    }

    /** {@inheritDoc} */
    public AuthorizationManager getAuthorizationManager(String securityDomain) {
        // Returns the AuthorizationManager for securityDomain: the authzMgrMap cache is consulted
        // first and a JNDI lookup is done on a miss. The rest of the method is outside this excerpt.
        AuthorizationManager am = null;
        try {
            am = authzMgrMap.get(securityDomain);
            if (am == null) {
                // NOTE(review): securityDomain is concatenated into the JNDI name unchanged; how
                // lookUpJNDI constrains the name is not visible here, so callers should pass only
                // configured domain names, never request-derived strings - confirm.
                am = (AuthorizationManager) lookUpJNDI(securityDomain + "/authorizationMgr");
                // NOTE(review): get-then-put is not atomic and the lookup result is stored without
                // a null check; whether that matters depends on the type of authzMgrMap - confirm.
                authzMgrMap.put(securityDomain, am);

        // Role source selection: an incoming run-as identity takes precedence, and in that case
        // the authenticated subject's own roles are not consulted at all.
        RunAs runAs = securityContext.getIncomingRunAs();
        // The explicit null test is redundant: instanceof is already false for null.
        if (runAs != null && runAs instanceof RunAsIdentity) {
            RunAsIdentity runAsIdentity = (RunAsIdentity) runAs;
            roleGroup = runAsIdentity.getRunAsRolesAsRoleGroup();
        } else {
            // No run-as identity: ask the authorization manager for the authenticated subject's roles.
            AuthorizationManager am = securityContext.getAuthorizationManager();
            SecurityContextCallbackHandler scb = new SecurityContextCallbackHandler(securityContext);

            // NOTE(review): getSubjectInfo() and the authenticated subject are dereferenced
            // without null checks - confirm an unauthenticated context cannot reach this branch.
            roleGroup = am.getSubjectRoles(securityContext.getSubjectInfo().getAuthenticatedSubject(), scb);
        }

        // NOTE(review): roleGroup is dereferenced unchecked on both paths - confirm neither
        // source can yield null.
        List<Role> roles = roleGroup.getRoles();

        // TODO - Review most performant way.

    @see java.security.acl.Group;
    @see Subject#getPrincipals()
    */
   public boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
   {
      // Delegate the role-membership check to the AuthorizationManager registered for this
      // instance's securityDomain under the JAAS context root.
      // NOTE(review): the lookup result is used without a null check; whether
      // SecurityUtil.getAuthorizationManager can return null is not visible here - confirm.
      return SecurityUtil
            .getAuthorizationManager(securityDomain, SecurityConstants.JAAS_CONTEXT_ROOT)
            .doesUserHaveRole(principal, rolePrincipals);
   }

    @return The Set<Principal> for the application domain roles that the
    principal has been assigned.
   */
   public Set<Principal> getUserRoles(Principal principal)
   {
      // Delegate to the AuthorizationManager registered for this instance's securityDomain
      // under the JAAS context root.
      // NOTE(review): the lookup result is used without a null check; whether
      // SecurityUtil.getAuthorizationManager can return null is not visible here - confirm.
      return SecurityUtil
            .getAuthorizationManager(securityDomain, SecurityConstants.JAAS_CONTEXT_ROOT)
            .getUserRoles(principal);
   }
