001 //$HeadURL: svn+ssh://rbezema@svn.wald.intevation.org/deegree/base/branches/2.2_testing/src/org/deegree/security/owsrequestvalidator/RequestValidator.java $
002 /*---------------- FILE HEADER ------------------------------------------
003
004 This file is part of deegree.
005 Copyright (C) 2001-2008 by:
006 EXSE, Department of Geography, University of Bonn
007 http://www.giub.uni-bonn.de/deegree/
008 lat/lon GmbH
009 http://www.lat-lon.de
010
011 This library is free software; you can redistribute it and/or
012 modify it under the terms of the GNU Lesser General Public
013 License as published by the Free Software Foundation; either
014 version 2.1 of the License, or (at your option) any later version.
015
016 This library is distributed in the hope that it will be useful,
017 but WITHOUT ANY WARRANTY; without even the implied warranty of
018 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
019 Lesser General Public License for more details.
020
021 You should have received a copy of the GNU Lesser General Public
022 License along with this library; if not, write to the Free Software
023 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
024
025 Contact:
026
027 Andreas Poth
028 lat/lon GmbH
029 Aennchenstr. 19
030 53115 Bonn
031 Germany
032 E-Mail: poth@lat-lon.de
033
034 Prof. Dr. Klaus Greve
035 Department of Geography
036 University of Bonn
037 Meckenheimer Allee 166
038 53115 Bonn
039 Germany
040 E-Mail: greve@giub.uni-bonn.de
041
042 ---------------------------------------------------------------------------*/
043 package org.deegree.security.owsrequestvalidator;
044
045 import java.util.List;
046 import java.util.Properties;
047
048 import org.deegree.framework.log.ILogger;
049 import org.deegree.framework.log.LoggerFactory;
050 import org.deegree.framework.util.StringTools;
051 import org.deegree.model.feature.Feature;
052 import org.deegree.ogcwebservices.InvalidParameterValueException;
053 import org.deegree.ogcwebservices.OGCWebServiceRequest;
054 import org.deegree.security.GeneralSecurityException;
055 import org.deegree.security.UnauthorizedException;
056 import org.deegree.security.drm.SecurityAccess;
057 import org.deegree.security.drm.SecurityAccessManager;
058 import org.deegree.security.drm.WrongCredentialsException;
059 import org.deegree.security.drm.model.RightType;
060 import org.deegree.security.drm.model.SecuredObject;
061 import org.deegree.security.drm.model.User;
062 import org.deegree.security.owsproxy.Condition;
063 import org.deegree.security.owsproxy.DefaultDBConnection;
064 import org.deegree.security.owsproxy.OperationParameter;
065 import org.deegree.security.owsproxy.SecurityConfig;
066
067 /**
068 * basic class for validating OWS requests
069 *
070 * @author <a href="mailto:poth@lat-lon.de">Andreas Poth </a>
071 * @author last edited by: $Author: apoth $
072 *
073 * @version $Revision: 9346 $, $Date: 2007-12-27 17:39:07 +0100 (Do, 27 Dez 2007) $
074 */
075
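public abstract class RequestValidator {

    private static final ILogger LOG = LoggerFactory.getLogger( RequestValidator.class );

    /** name of the operation parameter holding the permitted request versions */
    private static final String VERSION = "version";

    /** name of the operation parameter holding the permitted exception formats */
    private static final String EXCEPTION = "exception";

    // message strings
    private static final String INVALIDEXCEPTIONS = Messages.getString( "RequestValidator.INVALIDEXCEPTIONS" );

    private static final String UNAUTORIZEDACCESS = Messages.getString( "RequestValidator.UNAUTORIZEDACCESS" );

    /** policy whose conditions this validator enforces */
    protected Policy policy = null;

    /** validator for the general (request independent) condition of the policy */
    protected GeneralPolicyValidator gpv = null;

    /**
     * set to <code>true</code> by {@link #validateVersion} / {@link #validateExceptions} when a
     * value is not contained in the static value list of the policy but the parameter is marked as
     * user coupled, i.e. the decision has to be taken against the user/rights repository
     */
    protected boolean userCoupled = false;

    /** security configuration of the policy; <code>null</code> if the policy does not define one */
    protected SecurityConfig securityConfig = null;

    /**
     * Creates a validator for the passed policy. If the policy carries a security configuration the
     * {@link SecurityAccessManager} is initialized from it (unless it has already been initialized).
     * <p>
     * A failure to initialize the security access manager is logged and not propagated; a later
     * call to {@link #handleUserCoupledRules} will then fail with an {@link UnauthorizedException}
     * because no access manager instance can be obtained.
     *
     * @param policy
     *            policy to validate requests against
     */
    public RequestValidator( Policy policy ) {
        this.policy = policy;
        Condition cond = policy.getGeneralCondition();
        gpv = new GeneralPolicyValidator( cond );
        securityConfig = policy.getSecurityConfig();
        if ( securityConfig != null ) {
            initSecurityAccessManager( securityConfig );
        }
    }

    /**
     * Initializes the {@link SecurityAccessManager} singleton from the registry class and database
     * connection of the passed security configuration, if it is not initialized yet.
     *
     * @param config
     *            security configuration holding the registry class and the database connection
     */
    private static void initSecurityAccessManager( SecurityConfig config ) {
        DefaultDBConnection db = config.getRegistryConfig().getDbConnection();
        Properties properties = new Properties();
        // getDirver() is the accessor's actual name on DefaultDBConnection
        properties.setProperty( "driver", db.getDirver() );
        properties.setProperty( "url", db.getUrl() );
        properties.setProperty( "user", db.getUser() );
        properties.setProperty( "password", db.getPassword() );
        try {
            if ( !SecurityAccessManager.isInitialized() ) {
                // presumably the configured timeout is in seconds and the manager expects
                // milliseconds — confirm against SecurityConfig/SecurityAccessManager
                SecurityAccessManager.initialize( config.getRegistryClass(), properties,
                                                  config.getReadWriteTimeout() * 1000 );
            }
        } catch ( GeneralSecurityException e ) {
            // the logger already records the stack trace; no additional printStackTrace()
            LOG.logError( e.getMessage(), e );
        }
    }

    /**
     * @return the policy this validator enforces
     */
    public Policy getPolicy() {
        return policy;
    }

    /**
     * @param policy
     *            the policy to set
     */
    public void setPolicy( Policy policy ) {
        this.policy = policy;
    }

    /**
     * validates if the passed request itself and its content is valid against the conditions
     * defined in the policies assigned to a <tt>OWSPolicyValidator</tt>
     *
     * @param request
     *            request to validate
     * @param user
     *            user on whose behalf the request is made
     * @throws InvalidParameterValueException
     *             if a parameter of the request violates the policy
     * @throws UnauthorizedException
     *             if the user is not permitted to perform the request
     */
    public abstract void validateRequest( OGCWebServiceRequest request, User user )
                            throws InvalidParameterValueException, UnauthorizedException;

    /**
     * Checks whether the passed value is permitted by the passed operation parameter. The value is
     * permitted if the parameter places no restriction at all, if it is contained in the
     * parameter's value list or if the parameter is user coupled; in the last case
     * {@link #userCoupled} is set and the final decision is left to the user/rights repository.
     *
     * @param op
     *            operation parameter to check against; must not be <code>null</code>
     * @param value
     *            request value to check
     * @return <code>true</code> if the value passes the static part of the check
     */
    private boolean isAllowed( OperationParameter op, String value ) {
        // no restrictions are made
        if ( op.isAny() ) {
            return true;
        }
        List<?> values = op.getValues();
        if ( values.contains( value ) ) {
            return true;
        }
        if ( op.isUserCoupled() ) {
            // the static list does not decide; defer to the user/rights repository
            userCoupled = true;
            return true;
        }
        return false;
    }

    /**
     * checks if the passed version is valid against the versions defined in the policy. If the
     * version parameter is user coupled and the version is not in the static list, the decision is
     * deferred by setting {@link #userCoupled}.
     *
     * @param condition
     *            condition containing the definition of the valid versions
     * @param version
     *            version string of the request
     * @throws InvalidParameterValueException
     *             if the version is not permitted and the parameter is not user coupled
     */
    protected void validateVersion( Condition condition, String version )
                            throws InvalidParameterValueException {
        OperationParameter op = condition.getOperationParameter( VERSION );
        if ( !isAllowed( op, version ) ) {
            String invalidVersion = Messages.format( "RequestValidator.INVALIDVERSION", version );
            throw new InvalidParameterValueException( invalidVersion );
        }
    }

    /**
     * checks if the passed exceptions format is valid against the exceptions formats defined in the
     * policy. If the exception parameter is user coupled and the format is not in the static list,
     * the decision is deferred by setting {@link #userCoupled}.
     *
     * @param condition
     *            condition containing the definition of the valid exceptions
     * @param exceptions
     *            exceptions format of the request
     * @throws InvalidParameterValueException
     *             if the format is not permitted and the parameter is not user coupled
     */
    protected void validateExceptions( Condition condition, String exceptions )
                            throws InvalidParameterValueException {
        OperationParameter op = condition.getOperationParameter( EXCEPTION );
        if ( !isAllowed( op, exceptions ) ) {
            throw new InvalidParameterValueException( INVALIDEXCEPTIONS + exceptions );
        }
    }

    /**
     * handles the validation of user coupled parameters of a request by asking the user/rights
     * repository whether the user holds the passed right on the named secured object.
     *
     * @param user
     *            user to check the right for
     * @param feature
     *            feature passed to the right check (may carry the request's parameter values)
     * @param secObjName
     *            name of the secured object
     * @param secObjType
     *            type of the secured object
     * @param rightType
     *            right the user must hold
     * @throws UnauthorizedException
     *             if the user does not hold the right, the credentials are wrong or the rights
     *             repository cannot be accessed
     * @throws InvalidParameterValueException
     *             if the check fails for any other reason
     */
    protected void handleUserCoupledRules( User user, Feature feature, String secObjName,
                                           String secObjType, RightType rightType )
                            throws UnauthorizedException, InvalidParameterValueException {
        boolean hasRight;
        try {
            SecurityAccessManager sam = SecurityAccessManager.getInstance();
            SecurityAccess access = sam.acquireAccess( user );
            SecuredObject secObj = access.getSecuredObjectByName( secObjName, secObjType );
            hasRight = user.hasRight( access, rightType, feature, secObj );
        } catch ( WrongCredentialsException e ) {
            throw new UnauthorizedException( e.getMessage() );
        } catch ( GeneralSecurityException e ) {
            LOG.logError( e.getMessage(), e );
            throw new UnauthorizedException( e.getMessage() );
        } catch ( Exception e ) {
            // the stack trace is kept on the server side only: the message of an
            // InvalidParameterValueException is likely reported back to the requester and
            // must not disclose internals of the rights repository
            LOG.logError( e.getMessage(), e );
            String msg = e.getMessage() != null ? e.getMessage() : e.getClass().getName();
            throw new InvalidParameterValueException( msg );
        }
        // evaluated outside the try block so the exception for a denied request is not caught
        // and re-wrapped by the catch clauses above
        if ( !hasRight ) {
            throw new UnauthorizedException( UNAUTORIZEDACCESS + secObjName + ':' + feature );
        }
    }

}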