Completion of the security solution in Airavata - adding some missing files from the previous commit and fixing issues found while testing.
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/f080ac26 Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/f080ac26 Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/f080ac26 Branch: refs/heads/master Commit: f080ac263c6cd1c1df98dcfbd5f3366f0734fb44 Parents: 2777476 Author: hasinitg <[email protected]> Authored: Sun Aug 16 23:44:51 2015 -0400 Committer: hasinitg <[email protected]> Committed: Sun Aug 16 23:44:51 2015 -0400 ---------------------------------------------------------------------- .../DefaultAiravataSecurityManager.java | 2 +- .../server/security/authzcache/AuthzCache.java | 4 +- .../security/authzcache/AuthzCacheEntry.java | 63 +++++++++ .../security/authzcache/AuthzCacheIndex.java | 78 +++++++++++ .../security/authzcache/AuthzCacheManager.java | 80 ++++++++++++ .../authzcache/AuthzCacheManagerFactory.java | 60 +++++++++ .../authzcache/DefaultAuthzCacheManager.java | 108 ++++++++++++++++ .../server/security/xacml/DefaultXACMLPEP.java | 129 +++++++++++++++++++ .../main/resources/airavata-server.properties | 2 +- 9 files changed, 523 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java index f42d98d..7078659 100644 --- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java 
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/DefaultAiravataSecurityManager.java @@ -148,7 +148,7 @@ public class DefaultAiravataSecurityManager implements AiravataSecurityManager { //cache the authorization decision authzCacheManager.addToAuthzCache(new AuthzCacheIndex(subject, accessToken, action), - new AuthzCacheEntry(decision, expiryTimestamp)); + new AuthzCacheEntry(decision, expiryTimestamp, System.currentTimeMillis())); return decision; } else { http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java index a563caa..8b14556 100644 --- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCache.java @@ -55,7 +55,9 @@ public class AuthzCache extends LinkedHashMap<AuthzCacheIndex, AuthzCacheEntry> @Override protected boolean removeEldestEntry(Map.Entry<AuthzCacheIndex, AuthzCacheEntry> eldest) { //TODO: following info log is for demonstration purposes. Remove it. - logger.info("Authz cache max size exceeded. Removing the old entries."); + if (size() > MAX_SIZE) { + logger.info("Authz cache max size exceeded. Removing the old entries."); + } return size() > MAX_SIZE; } } http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java ---------------------------------------------------------------------- 
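Review bot: The second constructor argument is the local `expiryTimestamp`, but AuthzCacheEntry (added in this commit) documents that slot as a time-to-live in seconds, and DefaultAuthzCacheManager.getAuthzCachedStatus compares it against the seconds elapsed since `entryTimestamp`. If the value is really an absolute expiry instant rather than a remaining lifetime, the comparison treats it as an enormous TTL and the cached decision never expires; where it is computed is outside the hunk, so this needs confirming against the caller. Naming the local for its unit, e.g. `long tokenTtlSeconds`, would make any mismatch visible at the call site. The enclosing method starts and ends outside the hunk.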
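Review bot: `size() > MAX_SIZE` is evaluated twice in removeEldestEntry, once to gate the log line and again for the return value; computing it once keeps the logged condition and the eviction decision identical, `boolean evict = size() > MAX_SIZE;` followed by `if (evict) { logger.info("Authz cache max size exceeded. Removing the old entries."); }` and `return evict;`. The TODO above says the info log is for demonstration only, so if it is kept, `debug` is the more suitable level for an event that fires on every insertion past the bound.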
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java new file mode 100644 index 0000000..03ca229 --- /dev/null +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheEntry.java 
@@ -0,0 +1,63 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+/**
+ * Cache entry in the default authorization cache.
+ */
+public class AuthzCacheEntry {
+ //authorization decision for the authorization request associated with this cache entry.
+ private boolean decision;
+ //time to live value for the access token in seconds.
+ private long expiryTime;
+ //time stamp in milli seconds at the time this entry is put into the cache
+ private long entryTimestamp;
+
+ public AuthzCacheEntry(boolean decision, long expiryTime, long entryTimestamp) {
+ this.decision = decision;
+ this.expiryTime = expiryTime;
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getEntryTimestamp() {
+ return entryTimestamp;
+ }
+
+ public void setEntryTimestamp(long entryTimestamp) {
+ this.entryTimestamp = entryTimestamp;
+ }
+
+ public long getExpiryTime() {
+ return expiryTime;
+ }
+
+ public void setExpiryTime(long timestamp) {
+ this.expiryTime = timestamp;
+ }
+
+ public boolean getDecision() {
+ return decision;
+ }
+
+ public void setDecision(boolean decision) {
+ this.decision = decision;
+ }
+}
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
new file mode 100644
index 0000000..59667d8
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheIndex.java
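Review bot: The field comment says `expiryTime` is a time-to-live in seconds, yet `setExpiryTime(long timestamp)` names its parameter as if it were an absolute instant, and the unit of `entryTimestamp` appears only in a field comment; rename the parameter to `expiryTime` and put the units into Javadoc on the constructor and both accessors (`@param expiryTime remaining lifetime of the access token, in seconds` and `@param entryTimestamp epoch milliseconds at which the decision was cached`). The three setters make a cached entry mutable after insertion; nothing in this commit calls them, so making the fields `final` and dropping the setters would keep a stored authorization decision from being altered in place. The class Javadoc could also state what `decision == true` records, which as far as this commit shows is the PEP's Permit result and is otherwise only recoverable by reading DefaultAuthzCacheManager.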
@@ -0,0 +1,78 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.airavata.api.server.security.authzcache; + +/** + * Cache index of the default authorization cache. + */ +public class AuthzCacheIndex { + + private String subject; + private String oauthAccessToken; + private String action; + + public AuthzCacheIndex(String userName, String accessToken, String actionString) { + this.subject = userName; + this.oauthAccessToken = accessToken; + this.action = actionString; + } + + public String getSubject() { + return subject; + } + + public void setSubject(String subject) { + this.subject = subject; + } + + public String getAction() { + return action; + } + + public void setAction(String action) { + this.action = action; + } + + public String getOauthAccessToken() { + return oauthAccessToken; + } + + public void setOauthAccessToken(String oauthAccessToken) { + this.oauthAccessToken = oauthAccessToken; + } + + /*Equals and hash code methods are overriden since this is being used as an index of a map and that containsKey method + * should return true if the values of two index objects are equal.*/ + @Override + public boolean equals(Object other) { + if (other == null || 
other.getClass() != getClass()) { + return false; + } + return ((this.getSubject().equals(((AuthzCacheIndex) other).getSubject())) + && (this.getOauthAccessToken().equals(((AuthzCacheIndex) other).getOauthAccessToken())) + && (this.getAction().equals(((AuthzCacheIndex) other).getAction()))); + } + + @Override + public int hashCode() { + return this.getSubject().hashCode() + this.getOauthAccessToken().hashCode() + this.getAction().hashCode(); + } +} http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java new file mode 100644 index 0000000..48cfb03 --- /dev/null +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManager.java 
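Review bot: equals() dereferences `getSubject()`, `getOauthAccessToken()` and `getAction()` unconditionally, so an index built with a null subject or action (for example a missing claim) makes `containsKey`/`get` throw NullPointerException out of an authorization check instead of simply not matching; `Objects.equals`/`Objects.hash` handle nulls, and `Objects.hash` also replaces the plain sum in hashCode(), which collides whenever two of the three strings are swapped. The setters allow a key to be mutated after it has been inserted into the LinkedHashMap, after which the entry can no longer be found or removed by key; for a map key the fields should be `final` with no setters. Note also that the key keeps the raw bearer token in memory; if exposure through heap dumps or diagnostics is a concern, keying on a SHA-256 digest of the token preserves the equality semantics. Rewritten equals/hashCode below (needs `import java.util.Objects;`).
```java
    @Override
    public boolean equals(Object other) {
        if (this == other) {
            return true;
        }
        if (other == null || other.getClass() != getClass()) {
            return false;
        }
        AuthzCacheIndex that = (AuthzCacheIndex) other;
        // null-safe: a missing subject/token/action compares as unequal instead of throwing
        return Objects.equals(subject, that.subject)
                && Objects.equals(oauthAccessToken, that.oauthAccessToken)
                && Objects.equals(action, that.action);
    }

    @Override
    public int hashCode() {
        // order-sensitive combination, unlike the previous sum of the three hash codes
        return Objects.hash(subject, oauthAccessToken, action);
    }
```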
@@ -0,0 +1,80 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.security.AiravataSecurityException;
+
+/**
+ * This is the interface through which security manager accesses the underlying caching implementation
+ * See the DefaultAuthzCacheManager.java for an example implementation of this interface.
+ */
+public interface AuthzCacheManager {
+ /**
+ * Returns the status of the cache w.r.t the given authorization request which is encapsulated in
+ * the AuthzCacheIndex.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Add to cache the authorization decision pertaining to a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @param authzCacheEntry
+ * @throws AiravataSecurityException
+ */
+ public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException;
+
+ /**
+ * Check if a valid decision is cached for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ */
+ public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Returns the AuthzCacheEntry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @return
+ * @throws AiravataSecurityException
+ */
+ public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Removes the authorization cache entry for a given authorization request.
+ *
+ * @param authzCacheIndex
+ * @throws AiravataSecurityException
+ */
+ public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException;
+
+ /**
+ * Clear the authorization cache.
+ *
+ * @return
+ */
+ public void clearCache() throws AiravataSecurityException;
+
+}
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
new file mode 100644
index 0000000..b555122
--- /dev/null
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/AuthzCacheManagerFactory.java
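Review bot: The Javadoc on every method leaves `@param authzCacheIndex` and `@return` without text, `clearCache()` carries a `@return` tag on a void method, and `getAuthzCachedStatus`/`isAuthzDecisionCached` declare `throws AiravataSecurityException` without a `@throws` tag; fill these in (e.g. `@return AUTHORIZED, NOT_AUTHORIZED, or NOT_CACHED for the given request` and `@throws AiravataSecurityException if the underlying cache cannot be accessed`) so implementers know the contract. `getAuthzCacheEntry` should state what is returned when nothing is cached; the default implementation returns the map's null, and callers need that to be part of the interface rather than of one implementation. The `public` modifier on interface methods is redundant and can be dropped. The interface also does not say whether implementations must tolerate concurrent callers; if the API server invokes it from several request threads, that expectation belongs here.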
@@ -0,0 +1,60 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.airavata.api.server.security.authzcache;
+
+import org.apache.airavata.api.server.security.AiravataSecurityManager;
+import org.apache.airavata.common.exception.ApplicationSettingsException;
+import org.apache.airavata.common.utils.ServerSettings;
+import org.apache.airavata.security.AiravataSecurityException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+/**
+ * This initializes the AuthzCacheManager implementation to be used as defined by the configuration.
+ */
+public class AuthzCacheManagerFactory {
+ private final static Logger logger = LoggerFactory.getLogger(AuthzCacheManagerFactory.class);
+
+ public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException {
+ try {
+ Class authzCacheManagerImpl = Class.forName(ServerSettings.getAuthzCacheManagerClassName());
+ AuthzCacheManager authzCacheManager = (AuthzCacheManager) authzCacheManagerImpl.newInstance();
+ return authzCacheManager;
+ } catch (ClassNotFoundException e) {
+ String error = "Authorization Cache Manager class could not be found.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (ApplicationSettingsException e) {
+ String error = "Error in reading the configuration related to Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (InstantiationException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+ } catch (IllegalAccessException e) {
+ String error = "Error in instantiating the Authorization Cache Manager class.";
+ logger.error(e.getMessage(), e);
+ throw new AiravataSecurityException(error);
+
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java
new file mode 100644
index 0000000..232908d
--- /dev/null
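Review bot: The class named by `authz.cache.manager.class` is loaded through a raw `Class` and an unchecked cast, so a misconfigured value naming a real class that is not an AuthzCacheManager fails with an uncaught ClassCastException rather than the AiravataSecurityException this method declares; `Class.forName(...).asSubclass(AuthzCacheManager.class)` turns that into a reportable failure at load time and removes the raw type. `Class.newInstance()` also propagates any exception thrown by the constructor unchecked, whereas `getDeclaredConstructor().newInstance()` wraps it in InvocationTargetException, which the catch below covers. All four catch blocks rethrow with a message only and drop the cause; if AiravataSecurityException has a `(String, Throwable)` constructor, pass `e` through. The rewrite uses multi-catch and ReflectiveOperationException, which assume a Java 7+ target; the unused `AiravataSecurityManager` import can go as well.
```java
    public static AuthzCacheManager getAuthzCacheManager() throws AiravataSecurityException {
        try {
            // asSubclass rejects a configured class that does not implement AuthzCacheManager
            Class<? extends AuthzCacheManager> impl = Class.forName(ServerSettings.getAuthzCacheManagerClassName())
                    .asSubclass(AuthzCacheManager.class);
            return impl.getDeclaredConstructor().newInstance();
        } catch (ClassNotFoundException | ClassCastException e) {
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Authorization Cache Manager class could not be found or does not implement AuthzCacheManager.");
        } catch (ApplicationSettingsException e) {
            // … unchanged: configuration read failure …
        } catch (ReflectiveOperationException e) {
            // InstantiationException, IllegalAccessException, NoSuchMethodException and InvocationTargetException
            logger.error(e.getMessage(), e);
            throw new AiravataSecurityException("Error in instantiating the Authorization Cache Manager class.");
        }
    }
```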
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/authzcache/DefaultAuthzCacheManager.java 
@@ -0,0 +1,108 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.airavata.api.server.security.authzcache; + +import org.apache.airavata.common.exception.ApplicationSettingsException; +import org.apache.airavata.security.AiravataSecurityException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.Date; + +public class DefaultAuthzCacheManager implements AuthzCacheManager { + + private final static Logger logger = LoggerFactory.getLogger(DefaultAuthzCacheManager.class); + + @Override + public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException { + if (isAuthzDecisionCached(authzCacheIndex)) { + AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex); + long expiryTime = cacheEntry.getExpiryTime(); + long currentTime = System.currentTimeMillis(); + long timePassed = (currentTime - cacheEntry.getEntryTimestamp()) / 1000; + if (expiryTime > timePassed) { + //access token is still valid. Hence, return the cached decision + if (cacheEntry.getDecision()) { + return AuthzCachedStatus.AUTHORIZED; + } else { + return AuthzCachedStatus.NOT_AUTHORIZED; + } + } else { + //access token has been expired. 
Hence, remove the entry and return. + removeAuthzCacheEntry(authzCacheIndex); + return AuthzCachedStatus.NOT_CACHED; + } + } else { + return AuthzCachedStatus.NOT_CACHED; + } + } + + @Override + public void addToAuthzCache(AuthzCacheIndex authzCacheIndex, AuthzCacheEntry authzCacheEntry) throws AiravataSecurityException { + try { + AuthzCache.getInstance().put(authzCacheIndex, authzCacheEntry); + } catch (ApplicationSettingsException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in obtaining the authorization cache instance."); + } + } + + @Override + public boolean isAuthzDecisionCached(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException { + try { + return AuthzCache.getInstance().containsKey(authzCacheIndex); + } catch (ApplicationSettingsException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in obtaining the authorization cache instance."); + } + } + + @Override + public AuthzCacheEntry getAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException { + try { + return AuthzCache.getInstance().get(authzCacheIndex); + } catch (ApplicationSettingsException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in obtaining the authorization cache instance."); + } + } + + @Override + public void removeAuthzCacheEntry(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException { + try { + AuthzCache.getInstance().remove(authzCacheIndex); + } catch (ApplicationSettingsException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in obtaining the authorization cache instance."); + } + } + + @Override + public void clearCache() throws AiravataSecurityException { + try { + AuthzCache.getInstance().clear(); + } catch (ApplicationSettingsException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in obtaining the authorization cache instance."); + + } + } +} 
\ No newline at end of file http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java ---------------------------------------------------------------------- diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java new file mode 100644 index 0000000..42328d1 --- /dev/null +++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/security/xacml/DefaultXACMLPEP.java 
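Review bot: getAuthzCachedStatus performs a `containsKey` through isAuthzDecisionCached and then a separate `get` through getAuthzCacheEntry; AuthzCache is a size-bounded LinkedHashMap (see the removeEldestEntry hunk above), so an eviction or removeAuthzCacheEntry on another thread between the two calls leaves `cacheEntry` null and `cacheEntry.getExpiryTime()` throws NullPointerException out of an authorization check. Whether `AuthzCache.getInstance()` hands back a synchronized map is not visible here; either way a single lookup with a null check closes the window. The `java.util.Date` import is unused. Rewritten method below; the remaining methods are unchanged.
```java
    @Override
    public AuthzCachedStatus getAuthzCachedStatus(AuthzCacheIndex authzCacheIndex) throws AiravataSecurityException {
        // single lookup: containsKey() followed by get() can observe an eviction in between and yield null
        AuthzCacheEntry cacheEntry = getAuthzCacheEntry(authzCacheIndex);
        if (cacheEntry == null) {
            return AuthzCachedStatus.NOT_CACHED;
        }
        long timePassed = (System.currentTimeMillis() - cacheEntry.getEntryTimestamp()) / 1000;
        if (cacheEntry.getExpiryTime() > timePassed) {
            // access token is still valid, so the cached decision applies
            return cacheEntry.getDecision() ? AuthzCachedStatus.AUTHORIZED : AuthzCachedStatus.NOT_AUTHORIZED;
        }
        // access token has expired: drop the stale decision so the next call re-authorizes
        removeAuthzCacheEntry(authzCacheIndex);
        return AuthzCachedStatus.NOT_CACHED;
    }

    // … unchanged: addToAuthzCache, isAuthzDecisionCached, getAuthzCacheEntry, removeAuthzCacheEntry, clearCache …
```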
@@ -0,0 +1,129 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.airavata.api.server.security.xacml; + +import org.apache.airavata.common.utils.Constants; +import org.apache.airavata.model.security.AuthzToken; +import org.apache.airavata.security.AiravataSecurityException; +import org.apache.axis2.AxisFault; +import org.apache.axis2.context.ConfigurationContext; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3c.dom.Document; +import org.w3c.dom.Node; +import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceStub; +import org.wso2.carbon.identity.entitlement.stub.EntitlementServiceException; +import org.wso2.carbon.utils.CarbonUtils; +import org.xml.sax.SAXException; + +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.UnsupportedEncodingException; +import java.rmi.RemoteException; +import java.util.Map; + +/** + * This enforces XACML based fine grained authorization on the API calls, by authorizing the API calls + * through default PDP which is WSO2 Identity Server. 
+ */ +public class DefaultXACMLPEP { + + private final static Logger logger = LoggerFactory.getLogger(DefaultXACMLPEP.class); + private EntitlementServiceStub entitlementServiceStub; + + public DefaultXACMLPEP(String auhorizationServerURL, String username, String password, + ConfigurationContext configCtx) throws AiravataSecurityException { + try { + + String PDPURL = auhorizationServerURL + "EntitlementService"; + entitlementServiceStub = new EntitlementServiceStub(configCtx, PDPURL); + CarbonUtils.setBasicAccessSecurityHeaders(username, password, true, entitlementServiceStub._getServiceClient()); + } catch (AxisFault e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error initializing XACML PEP client."); + } + + } + + /** + * Send the XACML authorization request to XAML PDP and return the authorization decision. + * + * @param authzToken + * @param metaData + * @return + */ + public boolean getAuthorizationDecision(AuthzToken authzToken, Map<String, String> metaData) throws AiravataSecurityException { + String decision; + try { + String subject = authzToken.getClaimsMap().get(Constants.USER_NAME); + String action = "/airavata/" + metaData.get(Constants.API_METHOD_NAME); + String decisionString = entitlementServiceStub.getDecisionByAttributes(subject, null, action, null); + //parse the XML decision string and obtain the decision + decision = parseDecisionString(decisionString); + if (Constants.PERMIT.equals(decision)) { + return true; + } else { + logger.error("Authorization decision is: " + decision); + return false; + } + } catch (RemoteException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in authorizing the user."); + } catch (EntitlementServiceException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in authorizing the user."); + } + } + + /** + * This parses the XML based authorization response by the PDP and returns the decision string. 
+ * + * @param decisionString + * @return + * @throws AiravataSecurityException + */ + private String parseDecisionString(String decisionString) throws AiravataSecurityException { + try { + DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); + InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes("UTF-8")); + Document doc = docBuilderFactory.newDocumentBuilder().parse(inputStream); + Node resultNode = doc.getDocumentElement().getFirstChild(); + Node decisionNode = resultNode.getFirstChild(); + String decision = decisionNode.getTextContent(); + return decision; + } catch (ParserConfigurationException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in parsing XACML authorization response."); + } catch (UnsupportedEncodingException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in parsing XACML authorization response."); + } catch (SAXException e) { + logger.error(e.getMessage(), e); + throw new AiravataSecurityException("Error in parsing XACML authorization response."); + } catch (IOException e) { + logger.error("Error in parsing XACML authorization response."); + throw new AiravataSecurityException("Error in parsing XACML authorization response."); + } + } +} http://git-wip-us.apache.org/repos/asf/airavata/blob/f080ac26/modules/configuration/server/src/main/resources/airavata-server.properties ---------------------------------------------------------------------- diff --git a/modules/configuration/server/src/main/resources/airavata-server.properties b/modules/configuration/server/src/main/resources/airavata-server.properties index fb57382..d45e3d9 100644 --- a/modules/configuration/server/src/main/resources/airavata-server.properties +++ b/modules/configuration/server/src/main/resources/airavata-server.properties 
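Review bot: parseDecisionString parses the PDP response with a default `DocumentBuilderFactory`, which accepts DOCTYPE declarations and resolves external entities; the document arrives over the network from the configured authorization server and its content gates every API call, so DTDs and external entity resolution should be disabled before parsing. The walk `getDocumentElement().getFirstChild().getFirstChild()` also assumes no whitespace text nodes and a fixed element layout, and a NullPointerException there escapes unchecked instead of as the declared AiravataSecurityException; a null check on `decisionNode`, or locating the element by name, keeps the failure inside the contract. `decisionString.getBytes("UTF-8")` can use `StandardCharsets.UTF_8`, which removes the UnsupportedEncodingException branch, and the IOException branch is the only one that logs without the exception. Hardened parser setup below; the constructor's `auhorizationServerURL` parameter is also misspelled.
```java
    private String parseDecisionString(String decisionString) throws AiravataSecurityException {
        try {
            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
            // the PDP reply is untrusted XML from the network: no DOCTYPE, no external entities, no XInclude
            docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            docBuilderFactory.setXIncludeAware(false);
            docBuilderFactory.setExpandEntityReferences(false);
            InputStream inputStream = new ByteArrayInputStream(decisionString.getBytes(StandardCharsets.UTF_8));
            // … unchanged: parse the document and walk to the decision node …
```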
@@ -245,7 +245,7 @@ remote.oauth.authorization.server=https://localhost:9443/services/
 authorization.policy=airavata-default-xacml-policy
 #### authorization cache related configuration ####
 authz.cache.enabled=true
-authz.cache.manager.class=org.apache.airavata.api.server.security.cache.DefaultAuthzCacheManager
+authz.cache.manager.class=org.apache.airavata.api.server.security.authzcache.DefaultAuthzCacheManager
 in.memory.cache.size=1000
 #### admin user credentials of authorization server ####
 admin.user.name=admin
