001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements. See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License. You may obtain a copy of the License at
008 *
009 * http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017 package org.apache.servicemix.jbi.security;
018
019 import java.security.Principal;
020 import java.util.Set;
021
022 import javax.jbi.JBIException;
023 import javax.jbi.messaging.MessageExchange;
024 import javax.jbi.messaging.MessageExchange.Role;
025 import javax.jbi.servicedesc.ServiceEndpoint;
026 import javax.security.auth.Subject;
027
028 import org.apache.commons.logging.Log;
029 import org.apache.commons.logging.LogFactory;
030 import org.apache.servicemix.jbi.messaging.MessageExchangeImpl;
031 import org.apache.servicemix.jbi.nmr.DefaultBroker;
032 import org.apache.servicemix.jbi.security.acl.AuthorizationMap;
033
/**
 * Broker that, before dispatching an exchange to a provider, checks the target endpoint's
 * ACLs from the configured {@link AuthorizationMap} against the security subject carried
 * by the exchange's "in" message.
 *
 * @author gnodet
 * @org.apache.xbean.XBean
 */
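public class SecuredBroker extends DefaultBroker {

    private static final Log LOG = LogFactory.getLog(SecuredBroker.class);

    // ACL source consulted on the provider side; set by constructor or setter (XBean config).
    private AuthorizationMap authorizationMap;

    /**
     * Creates a broker without an authorization map; {@link #setAuthorizationMap(AuthorizationMap)}
     * must be called before any exchange is sent, otherwise dispatch fails closed.
     */
    public SecuredBroker() {
    }

    /**
     * Creates a broker that authorizes exchanges against the given map.
     *
     * @param authorizationMap the ACL source to consult for each provider-bound exchange
     */
    public SecuredBroker(AuthorizationMap authorizationMap) {
        this.authorizationMap = authorizationMap;
    }

    /**
     * @return the authorizationMap
     */
    public AuthorizationMap getAuthorizationMap() {
        return authorizationMap;
    }

    /**
     * @param authorizationMap the authorizationMap to set
     */
    public void setAuthorizationMap(AuthorizationMap authorizationMap) {
        this.authorizationMap = authorizationMap;
    }

    /**
     * Dispatches an exchange through the broker, enforcing the target endpoint's ACL the first
     * time the exchange heads to a provider (provider role and no destination resolved yet).
     * Exchanges in any other state are passed straight to {@code DefaultBroker}.
     *
     * @param me the exchange to dispatch
     * @throws SecurityException if the "in" message carries no security subject, or none of the
     *         subject's principals is listed in the endpoint's ACL for the requested operation
     * @throws IllegalStateException if no {@link AuthorizationMap} has been configured
     * @throws JBIException propagated from the underlying broker
     */
    public void sendExchangePacket(MessageExchange me) throws JBIException {
        LOG.debug("send exchange with secure broker");
        MessageExchangeImpl exchange = (MessageExchangeImpl) me;
        if (exchange.getRole() == Role.PROVIDER && exchange.getDestinationId() == null) {
            resolveAddress(exchange);
            ServiceEndpoint se = exchange.getEndpoint();
            if (se != null) {
                checkAuthorization(exchange, se);
            }
        }
        super.sendExchangePacket(me);
    }

    /**
     * Verifies that the security subject of the exchange's "in" message is allowed to invoke
     * the given endpoint/operation, throwing if it is not.
     *
     * @param exchange the exchange being dispatched (provider side)
     * @param se the resolved target endpoint
     * @throws SecurityException if the caller is unauthenticated or not authorized
     * @throws IllegalStateException if no authorization map is configured
     */
    private void checkAuthorization(MessageExchangeImpl exchange, ServiceEndpoint se) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("service name :" + se.getServiceName());
            LOG.debug("operation name :" + exchange.getOperation());
        }
        if (authorizationMap == null) {
            // Fail closed with a clear message instead of a NullPointerException.
            throw new IllegalStateException("No AuthorizationMap configured on SecuredBroker");
        }
        Set<Principal> acls = authorizationMap.getAcls(se, exchange.getOperation());
        if (acls == null) {
            // No ACL entry at all: treat as "nobody is granted" rather than crashing on null.
            throw new SecurityException("Endpoint is not authorized for this user");
        }
        if (acls.contains(GroupPrincipal.ANY)) {
            return;
        }
        // NOTE(review): assumes the "in" message is present on a provider-bound exchange — confirm.
        Subject subject = exchange.getMessage("in").getSecuritySubject();
        if (subject == null) {
            throw new SecurityException("User not authenticated");
        }
        if (LOG.isDebugEnabled()) {
            // Log only the principals: Subject.toString() may also render the subject's credentials.
            LOG.debug("authorization for " + subject.getPrincipals());
        }
        if (!hasCommonPrincipal(acls, subject.getPrincipals())) {
            throw new SecurityException("Endpoint is not authorized for this user");
        }
    }

    /**
     * Returns whether at least one ACL principal is also held by the subject.
     * Same test as {@code acls.retainAll(principals); !acls.isEmpty()} but without mutating
     * {@code acls}, which may be the AuthorizationMap's own (possibly shared) set.
     *
     * @param acls principals granted access to the endpoint/operation
     * @param principals principals held by the authenticated subject
     * @return {@code true} if the two sets intersect
     */
    private static boolean hasCommonPrincipal(Set<Principal> acls, Set<Principal> principals) {
        // Iterate acls and ask principals.contains(...) so the equals() direction matches retainAll.
        for (Principal acl : acls) {
            if (principals.contains(acl)) {
                return true;
            }
        }
        return false;
    }

}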