
From serg...@apache.org
Subject svn commit: r1381136 - in /cxf/trunk/rt/core/src: main/java/org/apache/cxf/interceptor/security/ test/java/org/apache/cxf/interceptor/security/
Date Wed, 05 Sep 2012 10:57:51 GMT
Author: sergeyb
Date: Wed Sep  5 10:57:51 2012
New Revision: 1381136

URL: http://svn.apache.org/viewvc?rev=1381136&view=rev
Log:
[CXF-4495] Update SimpleAuthorizingInterceptor with an option to check configured roles only, applying
a patch on behalf of Andrei Shakirin

Modified:
    cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
    cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
    cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java
    cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java

Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java?rev=1381136&r1=1381135&r2=1381136&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
(original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
Wed Sep  5 10:57:51 2012
@@ -21,6 +21,7 @@ package org.apache.cxf.interceptor.secur
 import java.lang.reflect.Method;
 import java.util.Collections;
 import java.util.List;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import org.apache.cxf.common.logging.LogUtils;
@@ -45,14 +46,12 @@ public abstract class AbstractAuthorizin
     
     public void handleMessage(Message message) throws Fault {
         SecurityContext sc = message.get(SecurityContext.class);
-        if (sc == null) {
-            return;
-        }
-        
-        Method method = getTargetMethod(message);
-        
-        if (authorize(sc, method)) {
-            return;
+        if (sc != null && sc.getUserPrincipal() != null) {
+            Method method = getTargetMethod(message);
+            
+            if (authorize(sc, method)) {
+                return;
+            }
         }
         
         throw new AccessDeniedException("Unauthorized");
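Review bot: The new guard at L51 silently changes the outcome for a request that carries no SecurityContext: the removed `if (sc == null) { return; }` let such a request pass the interceptor, whereas it now falls through to `AccessDeniedException`, and the same now applies to a context whose `getUserPrincipal()` is null. That is the right fail-closed default, but nothing in the code or the log message records it as deliberate, so a future reader may restore the pass-through to "fix" a broken deployment. Add a comment above the condition: `// Fail closed: no SecurityContext or no authenticated principal means deny, not skip.` The closing brace of handleMessage is outside the hunk.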
@@ -84,7 +83,7 @@ public abstract class AbstractAuthorizin
         if (isUserInRole(sc, expectedRoles, false)) {
             return true;
         }
-        if (sc.getUserPrincipal() != null) {
+        if (LOG.isLoggable(Level.FINE)) {
             LOG.fine(sc.getUserPrincipal().getName() + " is not authorized");
         }
         return false;
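Review bot: The condition replaced at L65 was the only null check on `sc.getUserPrincipal()` before the `.getName()` call on the following line; the new `LOG.isLoggable(Level.FINE)` guard does not protect it. The method (presumably `authorize`, whose signature is outside the hunk) is now safe only because handleMessage checks the principal first; any other caller passing an anonymous context would turn a plain denial into a NullPointerException the moment FINE logging is enabled. Keep both guards: `if (LOG.isLoggable(Level.FINE) && sc.getUserPrincipal() != null) {`.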

Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java?rev=1381136&r1=1381135&r2=1381136&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
(original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
Wed Sep  5 10:57:51 2012
@@ -33,10 +33,11 @@ public class SimpleAuthorizingIntercepto
     private Map<String, List<String>> methodRolesMap = new HashMap<String,
List<String>>();
     private Map<String, List<String>> userRolesMap = Collections.emptyMap();
     private List<String> globalRoles = Collections.emptyList();
+    private boolean checkConfiguredRolesOnly;
     
     @Override 
     protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean
deny) {
-        if (!super.isUserInRole(sc, roles, deny)) {
+        if (!checkConfiguredRolesOnly && !super.isUserInRole(sc, roles, deny)) {
             return false;
         }
         // Additional check.
@@ -52,7 +53,7 @@ public class SimpleAuthorizingIntercepto
             }
             return false;
         } else {
-            return true;
+            return !checkConfiguredRolesOnly;
         }
     }
     
@@ -96,6 +97,10 @@ public class SimpleAuthorizingIntercepto
         globalRoles = Arrays.asList(roles.split(" "));
     }
     
+    public void setCheckConfiguredRolesOnly(boolean checkConfiguredRolesOnly) {
+        this.checkConfiguredRolesOnly = checkConfiguredRolesOnly;
+    }
+    
     private static Map<String, List<String>> parseRolesMap(Map<String, String>
rolesMap) {
         Map<String, List<String>> map = new HashMap<String, List<String>>();
         for (Map.Entry<String, String> entry : rolesMap.entrySet()) {
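Review bot: `setCheckConfiguredRolesOnly` at L105 has no Javadoc although the flag changes the authorization model rather than tuning it: the earlier hunks in this file show that when it is true the SecurityContext's own role check is skipped (L88) and a user with no entry in the configured map is denied (L97), so with the default `Collections.emptyMap()` for userRolesMap every request is rejected. Add Javadoc such as `/** When true, roles reported by the SecurityContext are ignored and only the configured userRolesMap decides; users not listed there are denied. Default false. */`. The same explanation belongs on the field added at L82.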

Modified: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java?rev=1381136&r1=1381135&r2=1381136&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java
(original)
+++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java
Wed Sep  5 10:57:51 2012
@@ -22,10 +22,10 @@ import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-
 import java.lang.reflect.Method;
 import java.security.Principal;
 
+import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.message.Exchange;
 import org.apache.cxf.message.ExchangeImpl;
 import org.apache.cxf.message.Message;
@@ -109,7 +109,7 @@ public class SecureAnnotationsIntercepto
     private static class TestSecurityContext implements SecurityContext {
 
         public Principal getUserPrincipal() {
-            return null;
+            return new SimplePrincipal("user");
         }
 
         public boolean isUserInRole(String role) {

Modified: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java?rev=1381136&r1=1381135&r2=1381136&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
(original)
+++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
Wed Sep  5 10:57:51 2012
@@ -62,6 +62,18 @@ public class SimpleAuthorizingIntercepto
         EasyMock.replay(service, md);
     }
     
+    @Test(expected = AccessDeniedException.class)
+    public void testNoSecurityContext() {
+        message.put(SecurityContext.class, null);
+        new SimpleAuthorizingInterceptor().handleMessage(message);
+    }
+    
+    @Test(expected = AccessDeniedException.class)
+    public void testIncompleteSecurityContext() {
+        message.put(SecurityContext.class, new IncompleteSecurityContext());
+        new SimpleAuthorizingInterceptor().handleMessage(message);    
+    }
+    
     @Test
     public void testPermitWithNoRoles() {
         new SimpleAuthorizingInterceptor().handleMessage(message);    
@@ -75,6 +87,32 @@ public class SimpleAuthorizingIntercepto
     }
     
     @Test
+    public void testPermitWithMethodRolesConfigurationOnly() {
+        SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+        in.setCheckConfiguredRolesOnly(true);
+        in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
+        in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2"));
+        in.handleMessage(message);    
+    }
+    
+    @Test(expected = AccessDeniedException.class)
+    public void testDenyWithMethodRolesConfigurationOnly() {
+        SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+        in.setCheckConfiguredRolesOnly(true);
+        in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
+        in.setMethodRolesMap(Collections.singletonMap("echo", "role2 role3"));
+        in.handleMessage(message);    
+    }
+    
+    @Test(expected = AccessDeniedException.class)
+    public void testEmptyRolesConfigurationOnly() {
+        SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+        in.setCheckConfiguredRolesOnly(true);
+        in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2"));
+        in.handleMessage(message);    
+    }
+    
+    @Test
     public void testPermitAll() {
         SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
         in.setMethodRolesMap(Collections.singletonMap("echo", "*"));
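Review bot: None of the three new tests at L173-L196 pins the property that the flag is for — that a role granted by the SecurityContext itself is ignored when `checkConfiguredRolesOnly` is true. `TestSecurityContext.isUserInRole` only grants `"testRole"`, and no configured-only test requires that role, so a regression that re-enabled the `super.isUserInRole` path would still pass this suite. Add a case where the method requires `testRole`, the user is configured with a different role, and the flag is set; given how the other new tests behave, it should end in `AccessDeniedException`.
```java
    @Test(expected = AccessDeniedException.class)
    public void testDenyContextRoleWithConfiguredRolesOnly() {
        SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
        in.setCheckConfiguredRolesOnly(true);
        in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
        in.setMethodRolesMap(Collections.singletonMap("echo", "testRole"));
        in.handleMessage(message);
    }
```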
@@ -145,13 +183,29 @@ public class SimpleAuthorizingIntercepto
         }
     }
     
-    private static class TestSecurityContext implements SecurityContext {
+    private static class IncompleteSecurityContext implements SecurityContext {
 
         public Principal getUserPrincipal() {
             return null;
         }
 
         public boolean isUserInRole(String role) {
+            return false;
+        }
+        
+    }
+    
+    private static class TestSecurityContext implements SecurityContext {
+
+        public Principal getUserPrincipal() {
+            return new Principal() {
+                public String getName() {
+                    return "testUser";
+                }
+            };
+        }
+
+        public boolean isUserInRole(String role) {
             return "testRole".equals(role);
         }
         


