001 //$HeadURL: https://svn.wald.intevation.org/svn/deegree/base/branches/2.3_testing/src/org/deegree/security/owsrequestvalidator/RequestValidator.java $
002 /*----------------------------------------------------------------------------
003 This file is part of deegree, http://deegree.org/
004 Copyright (C) 2001-2009 by:
005 Department of Geography, University of Bonn
006 and
007 lat/lon GmbH
008
009 This library is free software; you can redistribute it and/or modify it under
010 the terms of the GNU Lesser General Public License as published by the Free
011 Software Foundation; either version 2.1 of the License, or (at your option)
012 any later version.
013 This library is distributed in the hope that it will be useful, but WITHOUT
014 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015 FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016 details.
017 You should have received a copy of the GNU Lesser General Public License
018 along with this library; if not, write to the Free Software Foundation, Inc.,
019 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020
021 Contact information:
022
023 lat/lon GmbH
024 Aennchenstr. 19, 53177 Bonn
025 Germany
026 http://lat-lon.de/
027
028 Department of Geography, University of Bonn
029 Prof. Dr. Klaus Greve
030 Postfach 1147, 53001 Bonn
031 Germany
032 http://www.geographie.uni-bonn.de/deegree/
033
034 e-mail: info@deegree.org
035 ----------------------------------------------------------------------------*/
036 package org.deegree.security.owsrequestvalidator;
037
038 import java.util.List;
039 import java.util.Properties;
040
041 import org.deegree.framework.log.ILogger;
042 import org.deegree.framework.log.LoggerFactory;
043 import org.deegree.framework.util.StringTools;
044 import org.deegree.model.feature.Feature;
045 import org.deegree.model.feature.FeatureProperty;
046 import org.deegree.ogcwebservices.InvalidParameterValueException;
047 import org.deegree.ogcwebservices.OGCWebServiceRequest;
048 import org.deegree.security.GeneralSecurityException;
049 import org.deegree.security.UnauthorizedException;
050 import org.deegree.security.drm.SecurityAccess;
051 import org.deegree.security.drm.SecurityAccessManager;
052 import org.deegree.security.drm.WrongCredentialsException;
053 import org.deegree.security.drm.model.RightType;
054 import org.deegree.security.drm.model.SecuredObject;
055 import org.deegree.security.drm.model.User;
056 import org.deegree.security.owsproxy.Condition;
057 import org.deegree.security.owsproxy.DefaultDBConnection;
058 import org.deegree.security.owsproxy.OperationParameter;
059 import org.deegree.security.owsproxy.SecurityConfig;
060
061 /**
062 * basic class for validating OWS requests
063 *
064 * @author <a href="mailto:poth@lat-lon.de">Andreas Poth </a>
065 * @author last edited by: $Author: mschneider $
066 *
067 * @version $Revision: 18195 $, $Date: 2009-06-18 17:55:39 +0200 (Do, 18. Jun 2009) $
068 */
069
070 public abstract class RequestValidator {
071
072 private static ILogger LOG = LoggerFactory.getLogger( RequestValidator.class );
073
074 private static final String VERSION = "version";
075
076 private static final String EXCEPTION = "exception";
077
078 // message strings
079 private static final String INVALIDEXCEPTIONS = Messages.getString( "RequestValidator.INVALIDEXCEPTIONS" );
080
081 private static final String UNAUTORIZEDACCESS = Messages.getString( "RequestValidator.UNAUTORIZEDACCESS" );
082
083 protected Policy policy = null;
084
085 protected GeneralPolicyValidator gpv = null;
086
087 protected boolean userCoupled = false;
088
089 protected SecurityConfig securityConfig = null;
090
091 /**
092 * @param policy
093 */
094 public RequestValidator( Policy policy ) {
095 this.policy = policy;
096 Condition cond = policy.getGeneralCondition();
097 gpv = new GeneralPolicyValidator( cond );
098 securityConfig = policy.getSecurityConfig();
099 if ( securityConfig != null ) {
100 DefaultDBConnection db = securityConfig.getRegistryConfig().getDbConnection();
101 Properties properties = new Properties();
102 properties.setProperty( "driver", db.getDirver() );
103 properties.setProperty( "url", db.getUrl() );
104 properties.setProperty( "user", db.getUser() );
105 properties.setProperty( "password", db.getPassword() );
106 try {
107 if ( !SecurityAccessManager.isInitialized() ) {
108 SecurityAccessManager.initialize( securityConfig.getRegistryClass(), properties,
109 securityConfig.getReadWriteTimeout() * 1000 );
110 }
111 } catch ( GeneralSecurityException e1 ) {
112 LOG.logError( e1.getMessage(), e1 );
113 e1.printStackTrace();
114 }
115 }
116 }
117
118 /**
119 * @return Returns the policy.
120 */
121 public Policy getPolicy() {
122 return policy;
123 }
124
125 /**
126 * @param policy
127 * The policy to set.
128 */
129 public void setPolicy( Policy policy ) {
130 this.policy = policy;
131 }
132
133 /**
134 * validates if the passed request itself and its content is valid against the conditions defined in the policies
135 * assigned to a <tt>OWSPolicyValidator</tt>
136 *
137 * @param request
138 * @param user
139 * @throws InvalidParameterValueException
140 * @throws UnauthorizedException
141 */
142 public abstract void validateRequest( OGCWebServiceRequest request, User user )
143 throws InvalidParameterValueException, UnauthorizedException;
144
145 /**
146 *
147 * @param condition
148 * @param version
149 * @throws InvalidParameterValueException
150 */
151 protected void validateVersion( Condition condition, String version )
152 throws InvalidParameterValueException {
153 OperationParameter op = condition.getOperationParameter( VERSION );
154
155 // version is valid because no restrictions are made
156 if ( op.isAny() ) {
157 return;
158 }
159 List list = op.getValues();
160 if ( !list.contains( version ) ) {
161 if ( !op.isUserCoupled() ) {
162 String INVALIDVERSION = Messages.format( "RequestValidator.INVALIDVERSION", version );
163 throw new InvalidParameterValueException( INVALIDVERSION );
164 }
165 userCoupled = true;
166 }
167
168 }
169
170 /**
171 * checks if the passed exceptions format is valid against the exceptions formats defined in the policy. If
172 * <tt>user</ff> != <tt>null</tt> the valid exceptions formats will be read from the user/rights repository
173 *
174 * @param condition
175 * condition containing the definition of the valid exceptions
176 * @param exceptions
177 * @throws InvalidParameterValueException
178 */
179 protected void validateExceptions( Condition condition, String exceptions )
180 throws InvalidParameterValueException {
181
182 OperationParameter op = condition.getOperationParameter( EXCEPTION );
183
184 // version is valid because no restrictions are made
185 if ( op.isAny() )
186 return;
187
188 List list = op.getValues();
189 if ( !list.contains( exceptions ) ) {
190 if ( !op.isUserCoupled() ) {
191 throw new InvalidParameterValueException( INVALIDEXCEPTIONS + exceptions );
192 }
193 userCoupled = true;
194 }
195
196 }
197
198 /**
199 * handles the validation of user coupled parameters of a request
200 *
201 * @param user
202 * @param feature
203 * @param secObjName
204 * @param secObjType
205 * @param rightType
206 * @throws UnauthorizedException
207 * @throws InvalidParameterValueException
208 */
209 protected void handleUserCoupledRules( User user, Feature feature, String secObjName, String secObjType,
210 RightType rightType )
211 throws UnauthorizedException, InvalidParameterValueException {
212 try {
213 SecurityAccessManager sam = SecurityAccessManager.getInstance();
214 SecurityAccess access = sam.acquireAccess( user );
215 SecuredObject secObj = access.getSecuredObjectByName( secObjName, secObjType );
216
217 if ( LOG.isDebug() ) {
218 LOG.logDebug( "Checking rule for", secObjName + " -> " + secObjType );
219 LOG.logDebug( "Right type is", rightType.getName() );
220 for ( FeatureProperty p : feature.getProperties() ) {
221 LOG.logDebug( "Feature property name: " + p.getName().getPrefixedName() );
222 LOG.logDebug( "Feature property value: ", p.getValue() );
223 }
224 LOG.logDebug( "For user", user );
225 }
226
227 if ( !user.hasRight( access, rightType, feature, secObj ) ) {
228 if ( securityConfig.getProxiedUrl() != null ) {
229 String name = secObjName.substring( secObjName.indexOf( "]" ) + 1 );
230 throw new UnauthorizedException( UNAUTORIZEDACCESS + name + ':' + feature );
231 }
232 throw new UnauthorizedException( UNAUTORIZEDACCESS + secObjName + ':' + feature );
233 }
234 } catch ( WrongCredentialsException e ) {
235 throw new UnauthorizedException( e.getMessage() );
236 } catch ( GeneralSecurityException e ) {
237 e.printStackTrace();
238 throw new UnauthorizedException( e.getMessage() );
239 } catch ( Exception e ) {
240 throw new InvalidParameterValueException( StringTools.stackTraceToString( e ) );
241 }
242 }
243
244 }