Bug 334649 added in directories of policy file support

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2666 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
Jesse McConnell 2011-01-19 19:35:14 +00:00
parent 6d203a72b2
commit ff32125106
2 changed files with 92 additions and 9 deletions

View File

@ -17,7 +17,9 @@ package org.eclipse.jetty.policy;
//========================================================================
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.security.AccessControlException;
@ -45,18 +47,17 @@ import org.eclipse.jetty.util.log.Log;
/**
* Policy implementation that will load a set of policy files and manage the mapping of permissions and protection domains
*
* The reason I created this class and added this mechanism are:
* Features of JettyPolicy are:
*
* 1) I wanted a way to be able to follow the startup mechanic that jetty uses with jetty-start using OPTIONS=policy,default to be able to startup a security manager and policy implementation without have to rely on the existing JVM cli options
* 2) establish a starting point to add on further functionality to permissions based security with jetty like jmx enabled permission tweaking or runtime creation and specification of policies for specific webapps
* 3) I wanted to have support for specifying multiple policy files to source permissions from
* - we are able to follow the startup mechanic that jetty uses with jetty-start using OPTIONS=policy,default to be able to startup a security manager and policy implementation without have to rely on the existing JVM cli options
* - support for specifying multiple policy files to source permissions from
* - support for merging protection domains across multiple policy files for the same codesource
* - support for directories of policy files, just specify directory and all *.policy files will be loaded.
*
* Possible additions are:
* - directories of policy file support
* - jmx enabled a la #2 above
* - jmx reporting
* - proxying of system security policy where we can proxy access to the system policy should the jvm have been started with one, I had support for this but ripped it
* out to add in again later
* - merging of protection domains if process multiple policy files that declare permissions for the same codebase
* - an xml policy file parser, had originally added this using modello but tore it out since it would have been a
* nightmare to get its dependencies through IP validation, could do this with jvm xml parser instead sometime
* - check performance of the synch'd map I am using for the protection domain mapping
@ -91,8 +92,8 @@ public class JettyPolicy extends Policy
__RELOAD = false;
__DEBUG = false;
}
_policies = policies;
_policies = resolvePolicyFiles(policies);
_context.setProperties(properties);
}
@ -388,6 +389,66 @@ public class JettyPolicy extends Policy
return out;
}
/**
* returns the known policy files that are being tracked by this instance of JettyPolicy
* @return
*/
public Set<String> getKnownPolicyFiles()
{
return _policies;
}
/**
* resolves the initial set of policy files into the actual set of policies,
* scanning directories for .policy files as well.
* @param policyInputs
* @return
*/
private Set<String> resolvePolicyFiles( Set<String> policyInputs )
{
Set<String> policyFiles = new HashSet<String>();
try
{
for ( String policyInput : policyInputs )
{
File check = new File(policyInput);
if ( check.isDirectory() )
{
File[] foundFiles = check.listFiles(new FileFilter()
{
public boolean accept(File pathname)
{
if ( pathname.getName().toLowerCase().endsWith("policy") )
{
return true;
}
else
{
return false;
}
}
});
for( File policyFile : foundFiles )
{
policyFiles.add(policyFile.getCanonicalPath());
}
}
else
{
policyFiles.add(check.getCanonicalPath());
}
}
}
catch ( IOException ioe )
{
throw new IllegalArgumentException( "JettyPolicy: unable to resolve policy files.", ioe );
}
return policyFiles;
}
/**
* Try and log to normal logging channels and should that not be allowed
* debug to system.out

View File

@ -30,6 +30,8 @@ import java.util.HashSet;
import java.util.PropertyPermission;
import java.util.Set;
import junit.framework.Assert;
import org.junit.Before;
import org.junit.Test;
@ -297,4 +299,24 @@ public class JettyPolicyTest
}
/**
* test the resolution of the loading of the policy files
*
* @throws Exception
*/
@Test
public void testPolicyDirectories() throws Exception
{
Set<String> files = new HashSet<String>();
files.add( MavenTestingUtils.getBasedir().getAbsolutePath() + "/src/test/resources/single-codebase-file-permission.policy" );
files.add( MavenTestingUtils.getBasedir().getAbsolutePath() + "/src/test/resources/context" );
JettyPolicy ap = new JettyPolicy( files, evaluator );
Assert.assertEquals(3, ap.getKnownPolicyFiles().size());
}
}