[JBoss-user] [Security & JAAS/JBoss] - Re: Need to programatically check access to a URL.

Wed, 04 Jan 2006 08:30:08 -0800 

Right. After wading through the source code of JaccAuthorizationRealm, I have 
the following test working:


  | import java.util.Set;
  | import java.security.Policy;
  | import java.security.Principal;
  | import java.security.AccessController;
  | import java.security.CodeSource;
  | import java.security.ProtectionDomain;
  | import javax.security.auth.Subject;
  | import javax.security.jacc.PolicyContext;
  | import javax.security.jacc.WebResourcePermission;
  | import org.jboss.web.tomcat.security.JaccContextValve;
  | 

...


  |     private static final String SUBJECT_CONTEXT_KEY = 
"javax.security.auth.Subject.container";
  | 


...


  |     Subject caller = null;
  |     try
  |     {
  |             caller = (Subject)PolicyContext.getContext(SUBJECT_CONTEXT_KEY);
  |     }
  |     catch  (Exception e)
  |     {
  |             System.out.println("Failed to get subject from PolicyContext\n" 
+ e);
  |     }
  |     if (caller == null)
  |     {
  |             System.out.println("Access to /restricted/test.jsp is denied");
  |     }
  |     else
  |     {
  |             WebResourcePermission perm = new 
WebResourcePermission("/restricted/test.jsp", "");
  |             Policy policy = Policy.getPolicy();
  | 
  |             Set principalsSet = caller.getPrincipals();
  |             Principal[] principals = new Principal[principalsSet.size()];
  |             principalsSet.toArray(principals);
  | 
  |             CodeSource webCS = (CodeSource)JaccContextValve.activeCS.get();
  |             ProtectionDomain pd = new ProtectionDomain(webCS, null, null, 
principals);
  |             boolean allowed = policy.implies(pd, perm);
  |             if (allowed)
  |                     System.out.println("Access to /restricted/test.jsp is 
permitted");
  |             else
  |                     System.out.println("Access to /restricted/test.jsp is 
NOT permitted");
  |     }
  | 

There should be a standard way of doing this.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3915559#3915559

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3915559


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
JBoss-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to