From: <bsc...@us...> - 2008-01-28 15:19:48
Revision: 2237
http://unicore.svn.sourceforge.net/unicore/?rev=2237&view=rev
Author: bschuller
Date: 2008-01-28 07:19:45 -0800 (Mon, 28 Jan 2008)
Log Message:
-----------
allow XACML policies refer to the consignor of the current request
Modified Paths:
--------------
unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/ETDTrustDelegationInHandler.java
unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java
unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java
unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/util/RequestBuilder.java
Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/ETDTrustDelegationInHandler.java
===================================================================
--- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/ETDTrustDelegationInHandler.java 2008-01-28 14:38:37 UTC (rev 2236)
+++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/ETDTrustDelegationInHandler.java 2008-01-28 15:19:45 UTC (rev 2237)
@@ -170,6 +170,7 @@
 //ok now check if TD is valid and store a flag for later policy check
 boolean validTD = checkDelegation(securityTokens, tdTokens);
 securityTokens.setValidTrustDelegation(validTD);
+ logger.finer("Trust delegation valid: "+validTD);
 }
Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java
===================================================================
--- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java 2008-01-28 14:38:37 UTC (rev 2236)
+++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityManager.java 2008-01-28 15:19:45 UTC (rev 2237)
@@ -250,6 +250,13 @@
 //no security info at all -> can't authorise
 throw new AuthorisationException("Can't authorise: no user cert available, no trust delegation found, no consignor cert.");
 }
+
+ //store consignor in client
+ if(tokens.getConsignorCertificate()!=null){
+ String consignor=tokens.getConsignorCertificate().getSubjectX500Principal().getName();
+ client.getAttributes().put(SecurityTokens.ATTRIBUTE_CONSIGNOR,consignor);
+ }
+
 if(!isServer(client)){
 Map<String,String> map=authorise(tokens);
 client.setAttributes(map);
Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java
===================================================================
--- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java 2008-01-28 14:38:37 UTC (rev 2236)
+++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/SecurityTokens.java 2008-01-28 15:19:45 UTC (rev 2237)
@@ -106,6 +106,11 @@
 public static final String ATTRIBUTE_PROJECT="project";
 /**
+ * "consignor" attribute
+ */
+ public static final String ATTRIBUTE_CONSIGNOR="consignor";
+
+ /**
 * SOAP action being invoked
 */
 public static final String SOAP_ACTION="REQUEST.soapAction";
Modified: unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/util/RequestBuilder.java
===================================================================
--- unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/util/RequestBuilder.java 2008-01-28 14:38:37 UTC (rev 2236)
+++ unicorex/uas-core/trunk/src/main/java/de/fzj/unicore/uas/security/util/RequestBuilder.java 2008-01-28 15:19:45 UTC (rev 2237)
@@ -47,6 +47,7 @@
 import com.sun.xacml.ctx.RequestCtx;
 import com.sun.xacml.ctx.Subject;
+import de.fzj.unicore.uas.security.SecurityTokens;
 import de.fzj.unicore.xnjs.aaa.Client;
 /**
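Review bot: The consignor value put into `client.getAttributes()` by the added block is replaced a few lines later, where the non-server branch calls `client.setAttributes(map)` with the map returned by `authorise(tokens)`, unless setAttributes merges rather than replaces, which the hunk does not show; in the common non-server case the attribute the commit wants policies to see would then be gone. Either move the three added lines below the `if(!isServer(client))` block, or put the consignor into `map` before `client.setAttributes(map)`. Also note that `X500Principal.getName()` returns the RFC 2253 string form of the DN, so policy literals compared against this attribute must use that exact canonical form; a comment such as `//DN in RFC 2253 form - policies must match this representation` at the put would save the next reader a surprise. The enclosing method starts and ends outside the hunk.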
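Review bot: The Javadoc on the new `ATTRIBUTE_CONSIGNOR` constant only repeats its value and does not say what the attribute holds or when it is absent, although the SecurityManager change in this commit fills it from the consignor certificate's subject DN and skips it when no consignor certificate is present. Replace the comment with something like `* Subject DN (RFC 2253 form) of the consignor certificate of the current request; not set when no consignor certificate is available` so policy authors know the value's shape and optionality. The class itself lies outside the hunk.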
@@ -99,6 +100,14 @@
 null, null,
 new StringAttribute(c.getRole().getName())));
+ //... and the consignor DN
+ String consignor=c.getAttributes().get(SecurityTokens.ATTRIBUTE_CONSIGNOR);
+ if(consignor!=null){
+ attributes.add(new Attribute(new URI("consignor"),
+ null, null,
+ new StringAttribute(consignor)));
+ }
+
 // bundle the attributes in a Subject with the default category
 subjects.add(new Subject(attributes));
@@ -146,10 +155,7 @@
 null, null,
 new X500NameAttribute(new X500Principal(res.owner))));
 }
- else{
- }
-
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
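Review bot: The consignor DN is placed into the XACML request as a `StringAttribute`, so a policy can only match it by exact string comparison, whereas the resource owner in the `@@ -146` hunk of the same file is passed as `X500NameAttribute(new X500Principal(...))`, which lets policies compare DNs as names rather than as strings. For consistency and to avoid brittle string matching of DNs, build it the same way: `new X500NameAttribute(new X500Principal(consignor))`. The attribute id `new URI("consignor")` also duplicates the literal the commit introduces as `SecurityTokens.ATTRIBUTE_CONSIGNOR`; if the id is meant to be that same string, referencing the constant keeps the two from drifting apart. The enclosing method begins before the hunk, and it is not visible here whether `new URI(...)` is covered by a declared or caught URISyntaxException.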