The Audit Utility
The audit utility (hereafter called the auditor) begins its work by creating a Python list of the files referenced in the Permissions section of the JAAS policy file. As I mentioned, this is a structured file, so it is possible to process it; however, it isn't as straightforward a task as parsing an XML document. I've hard-coded the path to the policy file in the sample code that accompanies the article, but you could just as easily read this value from a properties file or pass it as a command-line parameter.
The method reads the JAAS file and then uses a regular expression to cull out the lines that specify a JAAS permission (see the sample permission file bundled with the downloadable source). Python provides the re regular expression library as part of its core API, so it isn't difficult to compile a regular expression pattern so that only the "Permission" lines are processed.
q = re.compile("URLPermission")
As the method reads each line of the file, it splits each line containing a JAAS permission. Each token in the line becomes an element of the plist variable (line 3 in the code below), which is a Python list. Line 6 compiles another regular expression that finds lines ending with a .shtml extension, which is an arbitrary, pre-defined extension used in my environment to indicate a page served via the Struts framework. If you use a different extension you'll obviously have to modify this line of code.
Editor's Note: In the code snippets in this article, some of the Python indentations have been altered to suit the formatting of this article's Web page. Double-check the source code download to verify the indentations if you cut and paste these code snippets into your own project.
1. for line in inputfile:
2.     if q.search(line):
3.         plist = q.split(line)
5.         if page.search(plist):
6.             pageName = plist[string.rfind(plist, \
Executing the split() method at line 3 on the line below from the sample JAAS policy file seems like it ought to result in a three-element list, but Python parses it into only two. The reasons for this are outside the scope of this discussion; suffice it to say that buyFromGrainger.shtml becomes the subscript element of the plist variable (see line 3 above).
What you really need, though, is just the page name without the extension, so line 6 takes a slice of the plist variable, culling out the text between the slash and the period. Line 7 adds the page name to the policyPages list that will be returned by the method. The next portion of the code deals with parsing and extracting the paths from the Struts configuration file(s) and checking them against this list.