List of usage examples for org.apache.shiro.authz Permission implies
boolean implies(Permission p);
From source file:com.caricah.iotracah.bootstrap.security.realm.state.IOTRole.java
License:Apache License
public boolean isPermitted(Permission p) { Collection<Permission> perms = getPermissions(); if (perms != null && !perms.isEmpty()) { for (Permission perm : perms) { if (perm.implies(p)) { return true; }//from w w w . j ava 2 s .c o m } } return false; }
From source file:com.freedomotic.security.User.java
License:Open Source License
public boolean isPermitted(String perm) { for (Permission p : this.getObjectPermissions()) { if (p.implies(new WildcardPermission(perm))) { return true; }/*from www . j av a2s.co m*/ } return false; }
From source file:com.gemstone.gemfire.management.internal.security.TestCommand.java
License:Apache License
public static List<TestCommand> getPermittedCommands(Permission permission) { List<TestCommand> result = new ArrayList<>(); for (TestCommand testCommand : testCommands) { GeodePermission cPerm = testCommand.getPermission(); if (cPerm != null && permission.implies(cPerm)) { result.add(testCommand);/*from w w w . j a va 2 s .co m*/ } } return result; }
From source file:com.jaredjstewart.SampleSecurityManager.java
License:Apache License
@Override public boolean authorize(final Object principal, final ResourcePermission context) { if (principal == null) return false; User user = this.userNameToUser.get(principal.toString()); if (user == null) return false; // this user is not authorized to do anything // check if the user has this permission defined in the context for (Role role : this.userNameToUser.get(user.name).roles) { for (Permission permitted : role.permissions) { if (permitted.implies(context)) { return true; }/*from ww w. j a v a 2 s . c om*/ } } return false; }
From source file:ddf.security.pdp.realm.AuthzRealm.java
License:Open Source License
/** * Checks if the corresponding Subject/user contained within the AuthorizationInfo object implies * the given Permission./*from w ww. j ava 2 s.co m*/ * * @param permission the permission being checked. * @param authorizationInfo the application-specific subject/user identifier. * @return true if the user is permitted */ private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) { Collection<Permission> perms = getPermissions(authorizationInfo); String curUser = "<user>"; if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) { curUser = subjectPrincipal.getPrimaryPrincipal().toString(); } if (!CollectionUtils.isEmpty(perms)) { if (permission instanceof KeyValuePermission) { permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission); LOGGER.debug( "Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action."); } if (permission != null && permission instanceof KeyValueCollectionPermission) { KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission; List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList(); List<KeyValuePermission> matchOnePermissions = new ArrayList<>(); List<KeyValuePermission> matchAllPermissions = new ArrayList<>(); List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>(); for (KeyValuePermission keyValuePermission : keyValuePermissions) { String metacardKey = keyValuePermission.getKey(); // user specified this key in the match all list - remap key if (matchAllMap.containsKey(metacardKey)) { KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues()); matchAllPermissions.add(kvp); // user specified this key in the match one list - remap key } else if (matchOneMap.containsKey(metacardKey)) { KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues()); matchOnePermissions.add(kvp); // this key was not specified in either - default to match all with the // same key value } else { // creating a KeyValuePermission list to try to quick match all of these permissions // if that fails, then XACML will try to match them // this covers the case where attributes on the user match up perfectly with the // permissions being implied // this also allows the xacml permissions to run through the policy extensions matchAllPreXacmlPermissions.add(keyValuePermission); } } CollectionPermission subjectAllCollection = new CollectionPermission( CollectionPermission.UNKNOWN_ACTION, perms); KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions); KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission( kvcp.getAction(), matchAllPreXacmlPermissions); KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions); matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection, kvcp); matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection, kvcp); matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection, kvcp); MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms); boolean matchAll = subjectAllCollection.implies(matchAllCollection); boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection); boolean matchOne = subjectOneCollection.implies(matchOneCollection); if (!matchAll || !matchOne) { SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied."); } // if we weren't able to automatically imply these permissions, call out to XACML if (!matchAllXacml) { KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission( kvcp.getAction(), matchAllPreXacmlPermissions); matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions); if (!matchAllXacml) { SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML."); } } return matchAll && matchOne && matchAllXacml; } for (Permission perm : perms) { if (permission != null && perm.implies(permission)) { return true; } } } SecurityLogger.audit( PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied."); return false; }
From source file:ddf.security.pdp.realm.SimpleAuthzRealm.java
License:Open Source License
/** * Checks if the corresponding Subject/user contained within the AuthorizationInfo object * implies the given Permission.// w ww . j a v a 2 s . c o m * * @param permission * the permission being checked. * @param info * the application-specific subject/user identifier. * @return true if the user is permitted */ private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo info) { Collection<Permission> perms = getPermissions(info); String curUser = "<user>"; if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) { curUser = subjectPrincipal.getPrimaryPrincipal().toString(); } if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug("Starting permissions check for user [" + curUser + "]"); } if (perms != null && !perms.isEmpty()) { if (permission instanceof KeyValuePermission) { permission = new KeyValueCollectionPermission((KeyValuePermission) permission); } if (permission != null && permission instanceof KeyValueCollectionPermission) { List<KeyValuePermission> metacardPermissions = ((KeyValueCollectionPermission) permission) .getKeyValuePermissionList(); List<KeyValuePermission> matchOnePermissions = new ArrayList<KeyValuePermission>(); List<KeyValuePermission> matchAllPermissions = new ArrayList<KeyValuePermission>(); for (KeyValuePermission metacardPermission : metacardPermissions) { String metacardKey = metacardPermission.getKey(); // user specificied this metacard key in the match all list - remap key if (matchAllMap.containsKey(metacardKey)) { if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug( "Mapping metacard key " + metacardKey + " to " + matchAllMap.get(metacardKey)); } KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), metacardPermission.getValues()); matchAllPermissions.add(kvp); } // user specified this metacard key in the match one list - remap key else if (matchOneMap.containsKey(metacardKey)) { if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug( "Mapping metacard key " + metacardKey + " to " + matchOneMap.get(metacardKey)); } KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), metacardPermission.getValues()); matchOnePermissions.add(kvp); } // this metacard key was not specified in either - default to match all with the // same key value else { matchAllPermissions.add(metacardPermission); } } KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission( matchAllPermissions); KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission( matchOnePermissions); CollectionPermission subjectAllCollection = new CollectionPermission(perms); MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms); boolean matchAll = subjectAllCollection.implies(matchAllCollection); boolean matchOne = subjectOneCollection.implies(matchOneCollection); if (SecurityLogger.isDebugEnabled()) { if (matchAll && matchOne) { SecurityLogger.logDebug(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is implied."); } else { SecurityLogger.logDebug(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied."); } } return (matchAll && matchOne); } for (Permission perm : perms) { if (permission instanceof ActionPermission && isPermitted((ActionPermission) permission, info)) { if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is implied."); } return true; } else if (permission != null && perm.implies(permission)) { if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is implied."); } return true; } } } else if (permission instanceof ActionPermission && isPermitted((ActionPermission) permission, info)) { if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug( PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is implied."); } return true; } if (SecurityLogger.isDebugEnabled()) { SecurityLogger.logDebug( PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied."); } return false; }
From source file:ddf.security.permission.CollectionPermission.java
License:Open Source License
/** * Returns {@code true} if this current instance <em>implies</em> all the functionality and/or * resource access described by the specified {@code Permission} argument, {@code false} * otherwise./*from w ww .ja va 2s. c o m*/ * * <p> * * <p>That is, this current instance must be exactly equal to or a <em>superset</em> of the * functionalty and/or resource access described by the given {@code Permission} argument. Yet * another way of saying this would be: * * <p> * * <p>If "permission1 implies permission2", i.e. <code>permission1.implies(permission2) * </code> , then any Subject granted {@code permission1} would have ability greater than or equal * to that defined by {@code permission2}. * * @param p the permission to check for behavior/functionality comparison. * @return {@code true} if this current instance <em>implies</em> all the functionality and/or * resource access described by the specified {@code Permission} argument, {@code false} * otherwise. */ @Override public boolean implies(Permission p) { if (permissionList.isEmpty()) { return false; } if (p instanceof CollectionPermission) { for (Permission perm : ((CollectionPermission) p).getPermissionList()) { boolean result = false; for (Permission ourPerm : permissionList) { if (ourPerm.implies(perm)) { result = true; break; } } if (!result) { return false; } } return true; } for (Permission permission : permissionList) { if (permission.implies(p)) { return true; } } return false; }
From source file:ddf.security.permission.MatchOneCollectionPermission.java
License:Open Source License
/** * Overrides the implies method to handle checking for the existence of one attribute - the "match * one" scenario rather than the "match all" behavior of the overridden classes. Specifically, * this permission will imply another permission if that permission matches at least one of our * permission attributes./*from w w w . j a v a 2s . co m*/ * * @param p the permission to check for behavior/functionality comparison. * @return {@code true} if this current instance <em>implies</em> the specified {@code Permission} * argument, {@code false} otherwise. */ @Override public boolean implies(Permission p) { if (permissionList.isEmpty()) { return false; } if (p instanceof CollectionPermission) { for (Permission perm : ((CollectionPermission) p).getPermissionList()) { boolean result = false; for (Permission ourPerm : permissionList) { // we only care about the key value permission here, because that one can have // multiple values // mapped to a single key. In the case of "match one" we only need one of those // values to satisfy // the permission. if (ourPerm instanceof KeyValuePermission) { for (String value : ((KeyValuePermission) ourPerm).getValues()) { // Since this is "match one" we know that only one of these values needs // to match in order // for the entire permission at that key to be implied // So here we loop through all of the values assigned to that key and // create new // single valued key value permissions KeyValuePermission kvp = new KeyValuePermission( ((KeyValuePermission) ourPerm).getKey()); kvp.addValue(value); if (perm.implies(kvp)) { result = true; break; } } // Currently we use key value permissions for everything. However, we still need // to be able to handle // permissions other than KV, so this else block will serve as the catch all for // everything else. } else { // Shiro permissions are always a "match all" condition so we need to flip // the implies to make it match one if (perm.implies(ourPerm)) { result = true; break; } } } if (!result) { return false; } } return true; } // default catch all permission check for (Permission permission : permissionList) { // Shiro permissions are always a "match all" condition so we need to flip the implies // to make it match one if (p.implies(permission)) { return true; } } return false; }
From source file:net.swigg.security.authorization.AuthorizingRealm.java
License:Open Source License
@Override public boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission) { Collection<PrincipalIdentity> identities = subjectPrincipal.byType(PrincipalIdentity.class); for (Permission p : permissionFetcher().fetchPermissions(identities, permission)) { if (p.implies(permission)) { return true; }/*from www. j a va2 s. c o m*/ } return false; }
From source file:net.swigg.security.authorization.PermissionSpeedTest.java
License:Open Source License
@Test public void testShiroWildcardPermission() throws Exception { DateTime startDate = DateTime.now(); for (int x = 0; x < 100000; x++) { Permission p1 = new org.apache.shiro.authz.permission.WildcardPermission("*:*:*"); Permission p2 = new org.apache.shiro.authz.permission.WildcardPermission("domain:*:*"); Permission p3 = new org.apache.shiro.authz.permission.WildcardPermission("domain:action1:*"); Permission p4 = new org.apache.shiro.authz.permission.WildcardPermission("domain:action1:instance1"); Permission p5 = new org.apache.shiro.authz.permission.WildcardPermission("domain:action1,action2:*"); Permission p6 = new org.apache.shiro.authz.permission.WildcardPermission( "domain:action1:instance1,instance2"); List<Permission> permissions = Lists.newArrayList(p1, p2, p3, p4, p5, p6); for (Permission perm1 : permissions) { for (Permission perm2 : permissions) { perm1.implies(perm2); perm2.implies(perm1);/*from ww w. ja v a 2 s . c o m*/ } } } DateTime endDate = DateTime.now(); System.out.println( String.format("ShiroWildcardPermission took %s", new Interval(startDate, endDate).toPeriod())); }