svn commit: r899045 - in /ofbiz/branches/executioncontext20091231: ./ framework/api/config/ framework/context/src/org/ofbiz/context/ framework/security/entitydef/

Author: adrianc
Date: Thu Jan 14 03:23:33 2010
New Revision: 899045

URL: http://svn.apache.org/viewvc?rev=899045&view=rev
Log:
Added security audit capability.

Added:
    ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java   (with props)
Modified:
    ofbiz/branches/executioncontext20091231/BranchReadMe.txt
    ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
    ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
    ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
    ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml

Modified: ofbiz/branches/executioncontext20091231/BranchReadMe.txt
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/BranchReadMe.txt?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/BranchReadMe.txt (original)
+++ ofbiz/branches/executioncontext20091231/BranchReadMe.txt Thu Jan 14 03:23:33 2010
@@ -12,6 +12,11 @@
 The exception that is thrown exposes a flaw in the
 findparty.ftl file.
 
+I added security audit capability. This was not in the
+design document, but it was simple to implement and might be
+useful. An artifact can be flagged as audited. Any denied
+attempts to use the artifact will be logged.
+
 ---------------------------------------------------
 
 2010-01-11: The ExecutionContext implementation is fairly complete.
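Review bot: The added paragraph says an artifact "can be flagged as audited" but not how to flag it, nor that the feature ships disabled. Suggest naming the AuditedArtifact entity (artifactPath with fromDate/thruDate) and the securityAudit.enabled property in api.properties, which this commit sets to false, and stating that denied attempts are written to the SecurityAuditLog entity, so a reader of the branch notes can turn the audit on and find its output.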

Modified: ofbiz/branches/executioncontext20091231/framework/api/config/api.properties
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/api/config/api.properties?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/api/config/api.properties (original)
+++ ofbiz/branches/executioncontext20091231/framework/api/config/api.properties Thu Jan 14 03:23:33 2010
@@ -21,12 +21,15 @@
 # Apache OFBiz Framework API Settings
 ####
 
-# Class name of the ExecutionContext implementation
+# Class name of the ExecutionContext implementation.
 executionContext.class=org.ofbiz.context.ExecutionContextImpl
 
-# Class name of the AuthorizationManager implementation
+# Class name of the AuthorizationManager implementation.
 authorizationManager.class=org.ofbiz.context.AuthorizationManagerImpl
 
+# Enable security auditing.
+securityAudit.enabled=false
+
 #-- The following properties are for development only, they will be removed
 #-- when the security-aware artifact implementation is complete.
 
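Review bot: The comment above securityAudit.enabled says only "Enable security auditing." and does not describe the effect of the setting. With the shipped default of false, no denial is recorded even for artifacts that have an AuditedArtifact row, so the comment should say that true causes denied access attempts on audited artifacts to be written to SecurityAuditLog, and that the default leaves this off.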

Modified: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java (original)
+++ ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AccessControllerImpl.java Thu Jan 14 03:23:33 2010
@@ -44,6 +44,10 @@
 
     public static final String module = AccessControllerImpl.class.getName();
 
+    protected static boolean securityAuditEnabled() {
+        return "true".equals(UtilProperties.getPropertyValue("api.properties", "securityAudit.enabled"));
+    }
+
     /**
      * The root node of the current user's permission tree.
      */
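Review bot: In securityAuditEnabled(), the test "true".equals(...) is case- and whitespace-sensitive, so a value such as True, or true followed by a trailing space, in api.properties leaves auditing off with no indication. For a security control that fails silently, consider trimming the value and comparing with equalsIgnoreCase, and logging whether auditing is active. The method also calls UtilProperties.getPropertyValue on every invocation rather than reading the setting once, and it has no Javadoc.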
@@ -151,6 +155,9 @@
         if (gatheredPermissions.implies(permission) && this.hasServicePermission(gatheredPermissions)) {
             return;
         }
+        if (securityAuditEnabled()) {
+            AuthorizationManagerImpl.logIncident(permission);
+        }
         throw new AccessControlException(ThreadContext.getUserLogin().getString("userLoginId") +
                 "@" + artifactPath + "[" + permission + "]");
     }
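Review bot: The logIncident call sits ahead of the throw, and logIncident is itself declared to throw AccessControlException, so a failure while writing the audit record pre-empts the exception that carries userLoginId@artifactPath[permission]. Access is still denied, but the caller then sees a persistence error message instead of the denial details. Suggest keeping audit failures from replacing the denial: catch and log them around this call (or inside logIncident) and always reach the original throw.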

Added: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java?rev=899045&view=auto
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java (added)
+++ ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java Thu Jan 14 03:23:33 2010
@@ -0,0 +1,53 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+package org.ofbiz.context;
+
+import org.ofbiz.context.PathNode.BranchNode;
+import org.ofbiz.api.context.ArtifactPath;
+
+public class AuditedArtifactFinder extends TreeWalker {
+
+    protected boolean artifactFound = false;
+
+    public AuditedArtifactFinder(PathNode node) {
+        super(node);
+    }
+
+    public boolean find(ArtifactPath artifactPath) {
+        this.artifactFound = false;
+        super.walkTree(artifactPath);
+        return this.artifactFound;
+    }
+
+    @Override
+    public void visit(BranchNode node) {
+        if (!this.artifactPath.hasNext()) {
+            this.artifactFound = true;
+            return;
+        }
+        super.visit(node);
+    }
+
+    @Override
+    protected void visitChildNode(PathNode node, String key) {
+        if (!this.artifactFound) {
+            super.visitChildNode(node, key);
+        }
+    }
+}
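Review bot: visit(BranchNode) sets artifactFound as soon as the execution path is exhausted, without checking that the node reached is the end of an audited path rather than an intermediate node. If the tree built from an audited path such as a/b/c (a made-up path for illustration) contains a node for a/b, a denied access on a/b would be treated as audited as well; if that prefix matching is intended, it should be stated. The class has no Javadoc describing what find() counts as a match (exact path, prefix, or sub-path), which matters because it decides which denials reach the audit log.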

Propchange: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuditedArtifactFinder.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java (original)
+++ ofbiz/branches/executioncontext20091231/framework/context/src/org/ofbiz/context/AuthorizationManagerImpl.java Thu Jan 14 03:23:33 2010
@@ -18,7 +18,9 @@
  *******************************************************************************/
 package org.ofbiz.context;
 
+import java.security.AccessControlException;
 import java.security.Permission;
+import java.sql.Timestamp;
 import java.util.List;
 
 import org.ofbiz.api.authorization.AccessController;
@@ -26,12 +28,14 @@
 import org.ofbiz.api.authorization.AuthorizationManagerException;
 import org.ofbiz.api.authorization.BasicPermissions;
 import org.ofbiz.api.context.ArtifactPath;
+import org.ofbiz.base.util.Debug;
 import org.ofbiz.base.util.UtilMisc;
 import org.ofbiz.base.util.cache.UtilCache;
 import org.ofbiz.entity.Delegator;
 import org.ofbiz.entity.GenericEntityException;
 import org.ofbiz.entity.GenericValue;
 import org.ofbiz.entity.condition.EntityCondition;
+import org.ofbiz.entity.util.EntityUtil;
 import org.ofbiz.security.OFBizSecurity;
 import org.ofbiz.service.ThreadContext;
 
@@ -75,6 +79,30 @@
     return accessController;
  }
 
+    public static void logIncident(Permission permission) throws AccessControlException {
+        try {
+            ThreadContext.runUnprotected();
+            PathNode node = PathNode.getInstance(ArtifactPath.PATH_ROOT);
+            TreeBuilder builder = new TreeBuilder(node);
+            Delegator delegator = ThreadContext.getDelegator();
+            List<GenericValue> auditedArtifacts = EntityUtil.filterByDate(delegator.findList("AuditedArtifact", null, null, null, null, true));
+            for (GenericValue auditedArtifact : auditedArtifacts) {
+                builder.build(new ArtifactPath(auditedArtifact.getString("artifactPath")));
+            }
+            AuditedArtifactFinder finder = new AuditedArtifactFinder(node);
+            if (finder.find(ThreadContext.getExecutionPath())) {
+                Timestamp currentTime = new Timestamp(System.currentTimeMillis());
+                String userLoginId = ThreadContext.getUserLogin().getString("userLoginId");
+                GenericValue auditValue = delegator.makeValidValue("SecurityAuditLog", UtilMisc.toMap("userLoginId", userLoginId, "artifactPath", ThreadContext.getExecutionPathAsString(), "incidentDate", currentTime, "requestedAccess", permission.toString()));
+                auditValue.create();
+            }
+        } catch (GenericEntityException e) {
+            throw new AccessControlException(e.getMessage());
+        } finally {
+            ThreadContext.endRunUnprotected();
+        }
+    }
+
  protected static void processGroupPermissions(String groupId, PathNode node, Delegator delegator) throws AuthorizationManagerException {
         try {
             // Process this group's memberships first
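Review bot: In logIncident, every denied check calls delegator.findList for all AuditedArtifact rows and rebuilds the path tree with TreeBuilder before deciding whether to log, and on a match inserts a row, all between runUnprotected() and endRunUnprotected(). A user who can trigger denials repeatedly controls how often this work and these inserts happen; consider building the audited-artifact tree once and reusing it until the entity changes, and bounding the write rate. In the catch block, new AccessControlException(e.getMessage()) drops the cause and stack trace, and the Debug import added by this commit is not used in the lines shown, so logging the GenericEntityException there would help. ThreadContext.runUnprotected() is also called inside the try, so if it fails the finally block still calls endRunUnprotected(); moving the call before the try keeps the pair balanced. A Javadoc comment on this public static method would help too.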

Modified: ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml?rev=899045&r1=899044&r2=899045&view=diff
==============================================================================
--- ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml (original)
+++ ofbiz/branches/executioncontext20091231/framework/security/entitydef/entitymodel.xml Thu Jan 14 03:23:33 2010
@@ -358,4 +358,28 @@
       </relation>
     </entity>
 
+    <entity entity-name="AuditedArtifact"
+            package-name="org.ofbiz.security.artifactsecurity"
+            default-resource-name="SecurityEntityLabels"
+            title="Security Component - Audited Artifact Entity">
+      <field name="artifactPath" type="id-vlong-ne"/>
+      <field name="fromDate" type="date-time"></field>
+      <field name="thruDate" type="date-time"></field>
+      <!-- Maybe add a temporal expression ID field so audits can be scheduled -->
+      <prim-key field="artifactPath"/>
+    </entity>
+
+    <entity entity-name="SecurityAuditLog"
+            package-name="org.ofbiz.security.artifactsecurity"
+            default-resource-name="SecurityEntityLabels"
+            title="Security Component - Security Audit Log Entity">
+      <field name="userLoginId" type="id-vlong-ne"></field>
+      <field name="artifactPath" type="id-vlong-ne"/>
+      <field name="incidentDate" type="date-time"></field>
+      <field name="requestedAccess" type="description"/>
+      <prim-key field="userLoginId"/>
+      <prim-key field="artifactPath"/>
+      <prim-key field="incidentDate"/>
+    </entity>
+
 </entitymodel>
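Review bot: SecurityAuditLog uses userLoginId, artifactPath and incidentDate as its primary key, and logIncident fills incidentDate from System.currentTimeMillis(), so two denials for the same user and artifact with the same timestamp collide on create(). logIncident then turns the resulting GenericEntityException into an AccessControlException. Suggest a generated sequence id as the key, with the three fields kept as ordinary indexed columns. AuditedArtifact has fromDate and thruDate but only artifactPath in its key, so an artifact cannot carry a second audit period alongside the first; adding fromDate to the key would allow it. The two empty-element styles used for field (self-closing and open/close pair) could also be made consistent.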