Author: adrianc
Date: Thu Jan 14 03:23:33 2010
New Revision: 899045
URL: http://svn.apache.org/viewvc?rev=899045&view=rev
Log:
Added security audit capability.
Added:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
(with props)
Modified:
ofbiz/branches/executioncontext20091231/BranchReadMe.txt
ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml
Modified: ofbiz/branches/executioncontext20091231/BranchReadMe.txt
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/BranchReadMe.txt?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/BranchReadMe.txt (original)
+++ ofbiz/branches/executioncontext20091231/BranchReadMe.txt Thu Jan 14
03:23:33 2010
@@ -12,6 +12,11 @@
The exception that is thrown exposes a flaw in the
findparty.ftl file.
+I added security audit capability. This was not in the
+design document, but it was simple to implement and might be
+useful. An artifact can be flagged as audited. Any denied
+attempts to use the artifact will be logged.
+
---------------------------------------------------
2010-01-11: The ExecutionContext implementation is fairly complete.
Modified:
ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/api/config/api.properties?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
(original)
+++ ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
Thu Jan 14 03:23:33 2010
@@ -21,12 +21,15 @@
# Apache OFBiz Framework API Settings
####
-# Class name of the ExecutionContext implementation
+# Class name of the ExecutionContext implementation.
executionContext.class=org.ofbiz.context.ExecutionContextImpl
-# Class name of the AuthorizationManager implementation
+# Class name of the AuthorizationManager implementation.
authorizationManager.class=org.ofbiz.context.AuthorizationManagerImpl
+# Enable security auditing.
+securityAudit.enabled=false
+
#-- The following properties are for development only, they will be removed
#-- when the security-aware artifact implementation is complete.
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
Thu Jan 14 03:23:33 2010
@@ -44,6 +44,10 @@
public static final String module = AccessControllerImpl.class.getName();
+ protected static boolean securityAuditEnabled() {
+ return "true".equals(UtilProperties.getPropertyValue("api.properties",
"securityAudit.enabled"));
+ }
+
/**
* The root node of the current user's permission tree.
*/
@@ -151,6 +155,9 @@
if (gatheredPermissions.implies(permission) &&
this.hasServicePermission(gatheredPermissions)) {
return;
}
+ if (securityAuditEnabled()) {
+ AuthorizationManagerImpl.logIncident(permission);
+ }
throw new
AccessControlException(ThreadContext.getUserLogin().getString("userLoginId") +
"@" + artifactPath + "[" + permission + "]");
}
Added:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java?rev=899045&view=auto
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
(added)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
Thu Jan 14 03:23:33 2010
@@ -0,0 +1,53 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+
*******************************************************************************/
+package org.ofbiz.context;
+
+import org.ofbiz.context.PathNode.BranchNode;
+import org.ofbiz.api.context.ArtifactPath;
+
+public class AuditedArtifactFinder extends TreeWalker {
+
+ protected boolean artifactFound = false;
+
+ public AuditedArtifactFinder(PathNode node) {
+ super(node);
+ }
+
+ public boolean find(ArtifactPath artifactPath) {
+ this.artifactFound = false;
+ super.walkTree(artifactPath);
+ return this.artifactFound;
+ }
+
+ @Override
+ public void visit(BranchNode node) {
+ if (!this.artifactPath.hasNext()) {
+ this.artifactFound = true;
+ return;
+ }
+ super.visit(node);
+ }
+
+ @Override
+ protected void visitChildNode(PathNode node, String key) {
+ if (!this.artifactFound) {
+ super.visitChildNode(node, key);
+ }
+ }
+}
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified:
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
(original)
+++
ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
Thu Jan 14 03:23:33 2010
@@ -18,7 +18,9 @@
*******************************************************************************/
package org.ofbiz.context;
+import java.security.AccessControlException;
import java.security.Permission;
+import java.sql.Timestamp;
import java.util.List;
import org.ofbiz.api.authorization.AccessController;
@@ -26,12 +28,14 @@
import org.ofbiz.api.authorization.AuthorizationManagerException;
import org.ofbiz.api.authorization.BasicPermissions;
import org.ofbiz.api.context.ArtifactPath;
+import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.base.util.cache.UtilCache;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.condition.EntityCondition;
+import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.security.OFBizSecurity;
import org.ofbiz.service.ThreadContext;
@@ -75,6 +79,30 @@
return accessController;
}
+ public static void logIncident(Permission permission) throws
AccessControlException {
+ try {
+ ThreadContext.runUnprotected();
+ PathNode node = PathNode.getInstance(ArtifactPath.PATH_ROOT);
+ TreeBuilder builder = new TreeBuilder(node);
+ Delegator delegator = ThreadContext.getDelegator();
+ List<GenericValue> auditedArtifacts =
EntityUtil.filterByDate(delegator.findList("AuditedArtifact", null, null, null,
null, true));
+ for (GenericValue auditedArtifact : auditedArtifacts) {
+ builder.build(new
ArtifactPath(auditedArtifact.getString("artifactPath")));
+ }
+ AuditedArtifactFinder finder = new AuditedArtifactFinder(node);
+ if (finder.find(ThreadContext.getExecutionPath())) {
+ Timestamp currentTime = new
Timestamp(System.currentTimeMillis());
+ String userLoginId =
ThreadContext.getUserLogin().getString("userLoginId");
+ GenericValue auditValue =
delegator.makeValidValue("SecurityAuditLog", UtilMisc.toMap("userLoginId",
userLoginId, "artifactPath", ThreadContext.getExecutionPathAsString(),
"incidentDate", currentTime, "requestedAccess", permission.toString()));
+ auditValue.create();
+ }
+ } catch (GenericEntityException e) {
+ throw new AccessControlException(e.getMessage());
+ } finally {
+ ThreadContext.endRunUnprotected();
+ }
+ }
+
protected static void processGroupPermissions(String groupId, PathNode
node, Delegator delegator) throws AuthorizationManagerException {
try {
// Process this group's memberships first
Modified:
ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
---
ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml
(original)
+++
ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml
Thu Jan 14 03:23:33 2010
@@ -358,4 +358,28 @@
</relation>
</entity>
+ <entity entity-name="AuditedArtifact"
+ package-name="org.ofbiz.security.artifactsecurity"
+ default-resource-name="SecurityEntityLabels"
+ title="Security Component - Audited Artifact Entity">
+ <field name="artifactPath" type="id-vlong-ne"/>
+ <field name="fromDate" type="date-time"></field>
+ <field name="thruDate" type="date-time"></field>
+ <!-- Maybe add a temporal expression ID field so audits can be scheduled
-->
+ <prim-key field="artifactPath"/>
+ </entity>
+
+ <entity entity-name="SecurityAuditLog"
+ package-name="org.ofbiz.security.artifactsecurity"
+ default-resource-name="SecurityEntityLabels"
+ title="Security Component - Security Audit Log Entity">
+ <field name="userLoginId" type="id-vlong-ne"></field>
+ <field name="artifactPath" type="id-vlong-ne"/>
+ <field name="incidentDate" type="date-time"></field>
+ <field name="requestedAccess" type="description"/>
+ <prim-key field="userLoginId"/>
+ <prim-key field="artifactPath"/>
+ <prim-key field="incidentDate"/>
+ </entity>
+
</entitymodel>
