  /**
   * Returns the permissions granted to the given code source under the current policy. Principals
   * are treated as undefined: each grant entry is matched with {@code null} principals.
   *
   * <p>Results are memoised per code source in {@code cache}, which {@link #refresh()} clears.
   * The lazy-load check on {@code initialized} is only a safe double-checked lock if that field is
   * declared {@code volatile} — confirm at the field declaration, which is outside this method.
   *
   * @param cs the code source to evaluate
   * @return a permission collection built from the matching grant entries
   */
  public PermissionCollection getPermissions(CodeSource cs) {
    if (!initialized) {
      synchronized (this) {
        if (!initialized) {
          refresh();
        }
      }
    }
    Collection<Permission> granted = cache.get(cs);
    if (granted != null) {
      return PolicyUtils.toPermissionCollection(granted);
    }
    // Build under the cache monitor so a concurrent refresh() cannot interleave its
    // grants.clear()/cache.clear() with this lookup and leave stale permissions cached.
    synchronized (cache) {
      // re-check: another thread may have filled the entry while we waited for the monitor
      granted = cache.get(cs);
      if (granted == null) {
        Collection<Permission> collected = new HashSet<Permission>();
        for (PolicyEntry entry : grants) {
          if (entry.impliesPrincipals(null) && entry.impliesCodeSource(cs)) {
            collected.addAll(entry.getPermissions());
          }
        }
        cache.put(cs, collected);
        granted = collected;
      }
    }
    return PolicyUtils.toPermissionCollection(granted);
  }
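  /**
   * Creates an {@code XmlDocument} for storage in the database.
   *
   * <p>The document name is {@code name} when given, otherwise the {@code PolicyId} that
   * {@code m_utils.getDocumentMetadata} extracted from the document. The name is also stored as the
   * {@code PolicyId} metadata item, and each "any*" scope hint present in the extracted metadata
   * is copied into the document's metadata under the same key.
   *
   * @param name the name of the document (policy); may be {@code null} or empty, in which case the
   *     {@code PolicyId} found in the document is used
   * @param document the document data as a String
   * @return the XmlDocument instance
   * @throws XmlException propagated from the XML database calls
   * @throws PolicyIndexException if no name was given and no {@code PolicyId} could be extracted
   *     from the document
   */
  private XmlDocument makeDocument(String name, String document)
      throws XmlException, PolicyIndexException {
    // NOTE(review): getBytes() encodes with the platform default charset; if the document String
    // was decoded as UTF-8, non-ASCII content may be mis-encoded on platforms with a different
    // default. Pass the charset the String was produced with once that is known.
    Map<String, String> metadata = m_utils.getDocumentMetadata(document.getBytes());
    XmlDocument doc = m_dbXmlManager.manager.createDocument();

    String docName = (name == null || name.isEmpty()) ? metadata.get("PolicyId") : name;
    if (docName == null || docName.isEmpty()) {
      throw new PolicyIndexException("Could not extract PolicyID from document.");
    }

    doc.setMetaData("metadata", "PolicyId", new XmlValue(XmlValue.STRING, docName));
    doc.setContent(document);
    doc.setName(docName);

    // FIXME:
    // this is probably redundant as the xpath queries now directly query the policy
    // for the "any" scenarios
    // Order matters only insofar as it matches the previous hand-unrolled sequence.
    String[] anyScopeKeys = {"anySubject", "anyResource", "anyAction", "anyEnvironment"};
    for (String key : anyScopeKeys) {
      String item = metadata.get(key);
      if (item != null) {
        doc.setMetaData("metadata", key, new XmlValue(XmlValue.STRING, item));
      }
    }

    return doc;
  }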
  /**
   * Reloads the policy: obtains the current list of policy locations and parses each one in turn;
   * a location whose parse throws is skipped. Only after every location has been processed are the
   * old grants and the permission cache replaced, so readers never observe a half-loaded policy.
   * <br>
   * The method is {@code synchronized} so that two reloads cannot run concurrently.
   *
   * @see PolicyUtils#getPolicyURLs(Properties, String, String)
   */
  public synchronized void refresh() {
    Set<PolicyEntry> loaded = new HashSet<PolicyEntry>();
    Properties props = new Properties(AccessController.doPrivileged(new PolicyUtils.SystemKit()));
    props.setProperty("/", File.separator); // $NON-NLS-1$
    URL[] locations = PolicyUtils.getPolicyURLs(props, JAVA_SECURITY_POLICY, POLICY_URL_PREFIX);
    for (URL location : locations) {
      try {
        // TODO debug log
        // System.err.println("Parsing policy file: " + location);
        loaded.addAll(parser.parse(location, props));
      } catch (Exception ignored) {
        // Deliberately best-effort: an unreadable or malformed policy file contributes no grants.
        // Nothing records that the file was dropped, so a policy silently loses entries here.
        // TODO log warning
        // System.err.println("Ignoring policy file: "
        //                 + location + ". Reason:\n"+ ignored);
      }
    }
    // XXX: what if new policy is empty - provide some default??

    // The swap happens under the cache monitor because getPermissions() builds cache entries
    // under the same monitor; a plain reference swap (grants = loaded; cache = new map) would let
    // a concurrent reader cache permissions computed from the old grants after refresh() returns.
    synchronized (cache) {
      grants.clear();
      grants.addAll(loaded);
      cache.clear();
    }
    initialized = true;
  }
 /**
  * Checks the device for policy compliance. The device information is sent to the server, which
  * performs the check.
  *
  * @param context the caller's {@code Context}, handed through to {@code PolicyUtils.checkPolicy}
  * @return {@code null} if the device passed; otherwise a string naming the policy that was not met
  * @throws Exception propagated from {@code PolicyUtils.checkPolicy}
  */
 public static String isDeviceComplianced(Context context) throws Exception {
   String failedPolicy = PolicyUtils.checkPolicy(context);
   return failedPolicy;
 }
  /**
   * Selects and installs the fault-side policy interceptors for an outbound fault message.
   *
   * <p>Only non-requestor messages are handled. The policy comes either from an explicit
   * {@code PolicyConstants.POLICY_OVERRIDE} contextual property or, failing that, from the engine's
   * effective server fault policy for the binding operation and fault. The chosen alternative's
   * interceptors are appended to the message's interceptor chain and its assertions are recorded in
   * an {@link AssertionInfoMap} on the message.
   *
   * @param msg the fault message being processed; skipped when it is a requestor message, lacks
   *     binding-operation or endpoint info, or no policy engine is registered on the bus
   */
  protected void handle(Message msg) {
    if (MessageUtils.isRequestor(msg)) {
      LOG.fine("Is a requestor.");
      return;
    }

    Exchange exchange = msg.getExchange();
    assert exchange != null;

    BindingOperationInfo operation = exchange.get(BindingOperationInfo.class);
    if (operation == null) {
      LOG.fine("No binding operation info.");
      return;
    }

    Endpoint endpoint = exchange.get(Endpoint.class);
    if (endpoint == null) {
      LOG.fine("No endpoint.");
      return;
    }
    EndpointInfo endpointInfo = endpoint.getEndpointInfo();

    // NOTE(review): the Bus is not null-checked before getExtension(), unlike the other exchange
    // lookups above; presumably every exchange carries one — verify against the callers.
    PolicyEngine engine = exchange.get(Bus.class).getExtension(PolicyEngine.class);
    if (engine == null) {
      return;
    }

    List<Interceptor<? extends Message>> faultInterceptors =
        new ArrayList<Interceptor<? extends Message>>();
    Collection<Assertion> chosenAssertions = new ArrayList<Assertion>();

    Policy override = (Policy) msg.getContextualProperty(PolicyConstants.POLICY_OVERRIDE);
    if (override == null) {
      // 2. Process effective server policy
      Exception fault = exchange.get(Exception.class);
      BindingFaultInfo faultInfo = getBindingFaultInfo(msg, fault, operation);

      if (faultInfo == null) {
        FaultMode mode = msg.get(FaultMode.class);
        if (mode != FaultMode.UNCHECKED_APPLICATION_FAULT
            && mode != FaultMode.CHECKED_APPLICATION_FAULT) {
          return;
        }
      }

      EffectivePolicy effective =
          engine.getEffectiveServerFaultPolicy(
              endpointInfo, operation, faultInfo, exchange.getDestination());
      if (effective != null) {
        faultInterceptors.addAll(effective.getInterceptors());
        chosenAssertions.addAll(effective.getChosenAlternative());
      }
    } else {
      // 1. Check overridden policy
      EndpointPolicyImpl endpointPolicy = new EndpointPolicyImpl(override);
      EffectivePolicyImpl effective = new EffectivePolicyImpl();
      effective.initialise(endpointPolicy, (PolicyEngineImpl) engine, false, true);
      PolicyUtils.logPolicy(LOG, Level.FINEST, "Using effective policy: ", effective.getPolicy());

      faultInterceptors.addAll(effective.getInterceptors());
      chosenAssertions.addAll(effective.getChosenAlternative());
    }

    // add interceptors into message chain
    for (Interceptor<? extends Message> interceptor : faultInterceptors) {
      msg.getInterceptorChain().add(interceptor);
      LOG.log(Level.FINE, "Added interceptor of type {0}", interceptor.getClass().getSimpleName());
    }

    // insert assertions of the chosen alternative into the message
    if (!chosenAssertions.isEmpty()) {
      msg.put(AssertionInfoMap.class, new AssertionInfoMap(chosenAssertions));
    }
  }