cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1050097 - in /cxf/branches/2.3.x-fixes: ./ rt/core/src/main/java/org/apache/cxf/interceptor/security/ rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/ systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/ systes...
Date Thu, 16 Dec 2010 19:00:34 GMT
Author: sergeyb
Date: Thu Dec 16 19:00:34 2010
New Revision: 1050097

URL: http://svn.apache.org/viewvc?rev=1050097&view=rev
Log:
Merged revisions 1050095 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1050095 | sergeyb | 2010-12-16 18:57:02 +0000 (Thu, 16 Dec 2010) | 1 line
  
  [CXF-3195,CXF-3172] Updatig SecureAnnotationsInterceptor to check interfaces and JAASAuthenticationFilter
to redirect to context-based addresses by default
........

Modified:
    cxf/branches/2.3.x-fixes/   (props changed)
    cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
    cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
    cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml

Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Dec 16 19:00:34 2010
@@ -1 +1 @@
-/cxf/trunk:1041183,1041790,1041993,1042346,1042571,1042724,1042805,1042821,1043225,1043229,1043902,1043907,1043954,1044085,1044238-1044305,1045024,1048915,1048919,1048930,1049078,1049937,1050005,1050021
+/cxf/trunk:1041183,1041790,1041993,1042346,1042571,1042724,1042805,1042821,1043225,1043229,1043902,1043907,1043954,1044085,1044238-1044305,1045024,1048915,1048919,1048930,1049078,1049937,1050005,1050021,1050095

Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
Thu Dec 16 19:00:34 2010
@@ -27,6 +27,7 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.util.ClassHelper;
 
 
 public class SecureAnnotationsInterceptor extends SimpleAuthorizingInterceptor {
@@ -54,10 +55,17 @@ public class SecureAnnotationsIntercepto
     }
     
     public void setSecuredObject(Object object) {
-        Class<?> cls = object.getClass();
-        String classRolesAllowed = getRoles(cls.getAnnotations(), annotationClassName);
-        
+        Class<?> cls = ClassHelper.getRealClass(object);
         Map<String, String> rolesMap = new HashMap<String, String>();
+        findRoles(cls, rolesMap);
+        super.setMethodRolesMap(rolesMap);
+    }
+
+    protected void findRoles(Class<?> cls, Map<String, String> rolesMap) {
+        if (cls == null || cls == Object.class) {
+            return;
+        }
+        String classRolesAllowed = getRoles(cls.getAnnotations(), annotationClassName);
         for (Method m : cls.getMethods()) {
             if (SKIP_METHODS.contains(m.getName())) {
                 continue;
@@ -68,10 +76,21 @@ public class SecureAnnotationsIntercepto
                 rolesMap.put(m.getName(), theRoles);
             }
         }
-        super.setMethodRolesMap(rolesMap);
+        if (!rolesMap.isEmpty()) {
+            return;
+        }
+        
+        findRoles(cls.getSuperclass(), rolesMap);
+        
+        if (!rolesMap.isEmpty()) {
+            return;
+        }
         
+        for (Class<?> interfaceCls : cls.getInterfaces()) {
+            findRoles(interfaceCls, rolesMap);
+        }
     }
-
+    
     private String getRoles(Annotation[] anns, String annName) {
         for (Annotation ann : anns) {
             if (ann.annotationType().getName().equals(annName)) {

Modified: cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
(original)
+++ cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
Thu Dec 16 19:00:34 2010
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.jaxrs.security;
 
+import java.net.URI;
 import java.util.Arrays;
 import java.util.List;
 
@@ -26,6 +27,7 @@ import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.interceptor.security.AuthenticationException;
 import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
@@ -33,6 +35,7 @@ import org.apache.cxf.interceptor.securi
 import org.apache.cxf.jaxrs.ext.RequestHandler;
 import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 
@@ -42,8 +45,9 @@ public class JAASAuthenticationFilter im
     private static final List<MediaType> HTML_MEDIA_TYPES = 
         Arrays.asList(MediaType.APPLICATION_XHTML_XML_TYPE, MediaType.TEXT_HTML_TYPE);
     
-    private String redirectURI;
+    private URI redirectURI;
     private String realmName;
+    private boolean ignoreBasePath = true;
     
     private JAASLoginInterceptor interceptor = new JAASLoginInterceptor() {
         protected CallbackHandler getCallbackHandler(String name, String password) {
@@ -51,6 +55,10 @@ public class JAASAuthenticationFilter im
         }    
     };
     
+    public void setIgnoreBasePath(boolean ignore) {
+        this.ignoreBasePath = ignore;
+    }
+    
     public void setContextName(String name) {
         interceptor.setContextName(name);
     }
@@ -60,7 +68,7 @@ public class JAASAuthenticationFilter im
     }
     
     public void setRedirectURI(String uri) {
-        this.redirectURI = uri;
+        this.redirectURI = URI.create(uri);
     }
     
     public void setRealmName(String name) {
@@ -76,14 +84,32 @@ public class JAASAuthenticationFilter im
             interceptor.handleMessage(m);
             return null;
         } catch (AuthenticationException ex) {
-            return handleSecurityException(ex, new HttpHeadersImpl(m));
+            return handleAuthenticationException(ex, m);
         }
     }
 
-    protected Response handleSecurityException(SecurityException ex, HttpHeaders headers)
{
+    protected Response handleAuthenticationException(AuthenticationException ex, Message
m) {
+        HttpHeaders headers = new HttpHeadersImpl(m);
         if (redirectURI != null && isRedirectPossible(headers)) {
+            
+            URI finalRedirectURI = null;
+     
+            if (!redirectURI.isAbsolute()) {
+                String endpointAddress = HttpUtils.getEndpointAddress(m);
+                Object basePathProperty = m.get(Message.BASE_PATH);
+                if (ignoreBasePath && basePathProperty != null && !"/".equals(basePathProperty))
{
+                    int index = endpointAddress.lastIndexOf(basePathProperty.toString());
+                    if (index != -1) {
+                        endpointAddress = endpointAddress.substring(0, index);
+                    }
+                }
+                finalRedirectURI = UriBuilder.fromUri(endpointAddress).path(redirectURI.toString()).build();
+            } else {
+                finalRedirectURI = redirectURI;
+            }
+            
             return Response.status(getRedirectStatus()).
-                    header(HttpHeaders.LOCATION, redirectURI).build();
+                    header(HttpHeaders.LOCATION, finalRedirectURI).build();
         } else {
             ResponseBuilder builder = Response.status(Response.Status.UNAUTHORIZED);
             

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
Thu Dec 16 19:00:34 2010
@@ -47,14 +47,14 @@ public class JAXRSJaasSecurityTest exten
     @Test
     public void testJaasInterceptorAuthenticationFailure() throws Exception {
         String endpointAddress =
-            "http://localhost:" + PORT + "/jaas/bookstorestorage/thosebooks/123"; 
+            "http://localhost:" + PORT + "/service/jaas/bookstorestorage/thosebooks/123";

         getBook(endpointAddress, "foo", "bar1", 401);
     }
     
     @Test
     public void testGetBookUserAdminJaasInterceptor() throws Exception {
         String endpointAddress =
-            "http://localhost:" + PORT + "/jaas/bookstorestorage/thosebooks/123"; 
+            "http://localhost:" + PORT + "/service/jaas/bookstorestorage/thosebooks/123";

         getBook(endpointAddress, "foo", "bar", 403);
         getBook(endpointAddress, "bob", "bobspassword", 200);
     }
@@ -62,7 +62,7 @@ public class JAXRSJaasSecurityTest exten
     @Test
     public void testJaasFilterAuthenticationFailure() throws Exception {
         String endpointAddress =
-            "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; 
+            "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123";

         WebClient wc = WebClient.create(endpointAddress);
         wc.accept("text/xml");
         wc.header(HttpHeaders.AUTHORIZATION, 
@@ -77,7 +77,7 @@ public class JAXRSJaasSecurityTest exten
     @Test
     public void testJaasFilterAuthenticationFailureWithRedirection() throws Exception {
         String endpointAddress =
-            "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; 
+            "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123";

         WebClient wc = WebClient.create(endpointAddress);
         wc.accept("text/xml,text/html");
         wc.header(HttpHeaders.AUTHORIZATION, 
@@ -86,14 +86,14 @@ public class JAXRSJaasSecurityTest exten
         assertEquals(307, r.getStatus());
         Object locationHeader = r.getMetadata().getFirst(HttpHeaders.LOCATION);
         assertNotNull(locationHeader);
-        assertEquals("http://localhost:" + PORT + "/jaas2/login.jsp",
+        assertEquals("http://localhost:" + PORT + "/service/login.jsp",
                      locationHeader.toString());
     }
     
     @Test
     public void testGetBookUserAdminJaasFilter() throws Exception {
         String endpointAddress =
-            "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; 
+            "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123";

         getBook(endpointAddress, "foo", "bar", 403);
         getBook(endpointAddress, "bob", "bobspassword", 200);
     }

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
Thu Dec 16 19:00:34 2010
@@ -56,6 +56,14 @@ public class JAXRSSimpleSecurityTest ext
     }
     
     @Test
+    public void testGetBookUserAdminWithAnnotationsInterface() throws Exception {
+        String endpointAddress =
+            "http://localhost:" + PORT + "/security5/bookstorestorage/thosebooks"; 
+        getBook(endpointAddress, "foo", "bar", 403);
+        getBook(endpointAddress, "bob", "bobspassword", 200);
+    }
+    
+    @Test
     public void testGetBookUserAdminWithAnnotationsFilter() throws Exception {
         String endpointAddress =
             "http://localhost:" + PORT + "/security4/bookstorestorage/thebook/123"; 

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
Thu Dec 16 19:00:34 2010
@@ -46,7 +46,7 @@ public interface SecureBookInterface {
     @GET
     @Path("/thosebooks")
     @Produces("application/xml")
-    @Secured("ROLE_ADMIN")
+    @Secured({"ROLE_ADMIN", "ROLE_BOOK_OWNER" })
     Book getThatBook() throws BookNotFoundFault;
     
     @Path("/subresource")

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
Thu Dec 16 19:00:34 2010
@@ -66,7 +66,8 @@ public class SecureBookStore implements 
     }
     
     public Book getThatBook() throws BookNotFoundFault {
-        if (securityContext.isUserInRole("ROLE_ADMIN")
+        if ((securityContext.isUserInRole("ROLE_ADMIN")
+            || securityContext.isUserInRole("ROLE_BOOK_OWNER"))
             && !securityContext.isUserInRole("ROLE_BAZ")) {
             return books.get(123L);
         }

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
Thu Dec 16 19:00:34 2010
@@ -44,7 +44,7 @@
 
 	<servlet-mapping>
 		<servlet-name>CXFServlet</servlet-name>
-		<url-pattern>/*</url-pattern>
+		<url-pattern>/service/*</url-pattern>
 	</servlet-mapping>
 </web-app>
 <!-- END SNIPPET: webxml -->

Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml?rev=1050097&r1=1050096&r2=1050097&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
(original)
+++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
Thu Dec 16 19:00:34 2010
@@ -80,6 +80,20 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
     </jaxrs:providers>
   </jaxrs:server>
   
+  
+  <jaxrs:server id="bookservice5"
+		        address="/security5">
+    <jaxrs:serviceBeans>
+       <ref bean="securedObjectWithInterface"/>
+    </jaxrs:serviceBeans>		   
+    <jaxrs:inInterceptors>
+        <ref bean="annotationsInterceptor2"/>
+    </jaxrs:inInterceptors>
+    <jaxrs:outFaultInterceptors>
+        <bean class="org.apache.cxf.systest.jaxrs.security.SecurityOutFaultInterceptor"/>
+    </jaxrs:outFaultInterceptors>
+  </jaxrs:server>
+  
   <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
         <property name="methodRolesMap" ref="rolesMap"/>
   </bean>
@@ -88,7 +102,15 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
        <property name="securedObject" ref="securedObject"/>
   </bean>
   
+  <bean id="annotationsInterceptor2" 
+        class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+        <property name="annotationClassName" 
+                  value="org.springframework.security.annotation.Secured"/>
+        <property name="securedObject" ref="securedObjectWithInterface"/>
+  </bean>
+  
   <bean id="securedObject" class="org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoInterface"/>
+  <bean id="securedObjectWithInterface" class="org.apache.cxf.systest.jaxrs.security.SecureBookStore"/>
   
   <bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
         <property name="methodRolesMap" ref="rolesMap"/>



Mime
View raw message