List of usage examples for javax.xml.registry RegistryException getCause
public Throwable getCause()
JAXRException if there is one. From source file:it.cnr.icar.eric.server.security.authorization.AuthorizationServiceImpl.java
/** * Check if user is authorized to perform specified request using V3 * specification./*from w w w .j a v a 2 s . com*/ * <p> * Check if the specified User (requestor) is authorized to make this * request or not. The initial subject lists contains the object in the * request is a resource. The primary action is determined by the type of * request. In addition * * <ul> * <li> * <b><i>AdhocQueryRequest: </i></b> Process query as normal and then filter * out objects that should not be visible to the client.</li> * <li> * <b><i>ApproveObjectRequest: </i></b> Check if subject is authorized for * the approve action.</li> * <li> * <b><i>Deprecate/UndeprecateRequest: </i></b> Check if subject is * authorized for the deprecate/undeprecate action.</li> * <li> * <b><i>RemoveObjectRequest: </i></b> Check if subject is authorized for * the delete action.</li> * <li> * <b><i>SubmitObjectsRequest/UpdateObjectsRequest: </i></b> Check if * subject authorized for the create action. Check any referenced objects * and see if their policies allows reference action.</li> * </ul> * * @todo Do we need any new Attribute types by Extending AttributeValue * (have string URI etc.)?? * @todo Do we need any new functions?? * * @throws RegistryException */ @SuppressWarnings({ "static-access", "deprecation" }) public AuthorizationResult checkAuthorization(ServerRequestContext context) throws RegistryException { try { RegistryRequestType registryRequest = context.getCurrentRegistryRequest(); if (null == context.getUser()) { // Set context user as RegistryGuest built in context.setUser(ac.registryGuest); } String userId = context.getUser().getId(); AuthorizationResult authRes = new AuthorizationResult(userId); boolean isAdmin = context.isRegistryAdministrator(); if (isAdmin) { // Allow RegistryAdmin role all privileges return authRes; } Set<Subject> subjects = new HashSet<Subject>(); Set<Attribute> actions = new HashSet<Attribute>(); Set<Attribute> environment = new HashSet<Attribute>(); Attribute actionAttr = null; boolean readOnly = false; String action = bu.getActionFromRequest(registryRequest); actionAttr = new Attribute(new URI(ACTION_ATTRIBUTE_ID), new URI(StringAttribute.identifier), null, null, new StringAttribute(action)); // Determine the action attributes. if (registryRequest instanceof AdhocQueryRequest) { readOnly = true; } actions.add(actionAttr); // Init subject attributes HashSet<Attribute> userSubjectAttributes = new HashSet<Attribute>(); Attribute idSubjectAttr = new Attribute(new URI(SUBJECT_ATTRIBUTE_ID), new URI(AnyURIAttribute.identifier), null, null, new AnyURIAttribute(new URI(userId))); userSubjectAttributes.add(idSubjectAttr); Attribute userSubjectAttr = new Attribute(new URI(SUBJECT_ATTRIBUTE_USER), new URI(ObjectAttribute.identifier), null, null, new ObjectAttribute(context.getUser())); userSubjectAttributes.add(userSubjectAttr); Subject userSubject = new Subject(new URI(AttributeDesignator.SUBJECT_CATEGORY_DEFAULT), userSubjectAttributes); subjects.add(userSubject); // Pass RequestContext as an environment attribute Attribute requestEnvAttr = new Attribute(new URI(ENVIRONMENT_ATTRIBUTE_REQUEST_CONTEXT), new URI(ObjectAttribute.identifier), null, null, new ObjectAttribute(context)); environment.add(requestEnvAttr); // Iterate over each resource and see if action is authorized on the // resource by the subject ArrayList<String> ids = new ArrayList<String>(); if (registryRequest instanceof AdhocQueryRequest) { // For AdhocQueryRequest query is already done and result is in // queryResults. Now do access control check on queryResults. Iterator<?> iter = context.getQueryResults().iterator(); while (iter.hasNext()) { IdentifiableType ro = (IdentifiableType) iter.next(); ids.add(ro.getId()); } } else { ids.addAll(bu.getIdsFromRequest(registryRequest)); } // Optimization: Get ownersMap in a single query and cache it @SuppressWarnings("unused") HashMap<String, String> ownersMap = getOwnersMap(context, ids); Iterator<String> idsIter = ids.iterator(); while (idsIter.hasNext()) { String id = idsIter.next(); if (id != null) { if ((!readOnly) && (id.equals(idForDefaultACP))) { // Auth check for defaultACP is special and requires // that // it is submitted by RegistryAdministrator role. // Note this will be generalized when we have better // Role Based Access Control (RBAC) support if (!isAdmin) { String msg = getExceptionMessage( "message.error.authorization.allowedOnlyToAdmin.defineDefaultACP", id, context.getUser(), getActionString(actions)); throw new UnauthorizedRequestException(id, context.getUser().getId(), getActionString(actions), msg); } } else { try { checkAuthorizationForResource(context, id, subjects, actions, environment); authRes.addPermittedResource(id); } catch (UnauthorizedRequestException ure) { authRes.addDeniedResourceException(ure); } catch (RegistryException re) { if (re.getCause() instanceof UnauthorizedRequestException) { authRes.addDeniedResourceException((UnauthorizedRequestException) re.getCause()); } else { throw re; } } } } else { @SuppressWarnings("unused") int i = 0; } } log.debug("userId=" + userId + " is " + (authRes.getResult() == AuthorizationResult.PERMIT_NONE ? "not " : "") + "allowed to perform the requested operation."); return authRes; } catch (URISyntaxException e) { throw new RegistryException(e); } catch (AuthorizationException e) { throw e; } catch (JAXRException e) { throw new RegistryException(e); } }