Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 00312D305 for ; Wed, 5 Sep 2012 10:58:47 +0000 (UTC) Received: (qmail 90835 invoked by uid 500); 5 Sep 2012 10:58:46 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 90599 invoked by uid 500); 5 Sep 2012 10:58:40 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 90459 invoked by uid 99); 5 Sep 2012 10:58:39 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Sep 2012 10:58:39 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Sep 2012 10:58:36 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 2999823889D7; Wed, 5 Sep 2012 10:57:52 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1381136 - in /cxf/trunk/rt/core/src: main/java/org/apache/cxf/interceptor/security/ test/java/org/apache/cxf/interceptor/security/ Date: Wed, 05 Sep 2012 10:57:51 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120905105752.2999823889D7@eris.apache.org> Author: sergeyb Date: Wed Sep 5 10:57:51 2012 New Revision: 1381136 URL: http://svn.apache.org/viewvc?rev=1381136&view=rev Log: [CXF-4495] Update to SimpleAuthorizingInterceptor to check configured roles only, applying a patch on behalf of Andrei Shakirin Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java?rev=1381136&r1=1381135&r2=1381136&view=diff ============================================================================== --- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java (original) +++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java Wed Sep 5 10:57:51 2012 @@ -21,6 +21,7 @@ package org.apache.cxf.interceptor.secur import java.lang.reflect.Method; import java.util.Collections; import java.util.List; +import java.util.logging.Level; import java.util.logging.Logger; import org.apache.cxf.common.logging.LogUtils; 
@@ -45,14 +46,12 @@ public abstract class AbstractAuthorizin public void handleMessage(Message message) throws Fault { SecurityContext sc = message.get(SecurityContext.class); - if (sc == null) { - return; - } - - Method method = getTargetMethod(message); - - if (authorize(sc, method)) { - return; + if (sc != null && sc.getUserPrincipal() != null) { + Method method = getTargetMethod(message); + + if (authorize(sc, method)) { + return; + } } throw new AccessDeniedException("Unauthorized"); @@ -84,7 +83,7 @@ public abstract class AbstractAuthorizin if (isUserInRole(sc, expectedRoles, false)) { return true; } - if (sc.getUserPrincipal() != null) { + if (LOG.isLoggable(Level.FINE)) { LOG.fine(sc.getUserPrincipal().getName() + " is not authorized"); } return false; Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java?rev=1381136&r1=1381135&r2=1381136&view=diff ============================================================================== --- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java (original) +++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java Wed Sep 5 10:57:51 2012 @@ -33,10 +33,11 @@ public class SimpleAuthorizingIntercepto private Map> methodRolesMap = new HashMap>(); private Map> userRolesMap = Collections.emptyMap(); private List globalRoles = Collections.emptyList(); + private boolean checkConfiguredRolesOnly; @Override protected boolean isUserInRole(SecurityContext sc, List roles, boolean deny) { - if (!super.isUserInRole(sc, roles, deny)) { + if (!checkConfiguredRolesOnly && !super.isUserInRole(sc, roles, deny)) { return false; } // Additional check. 
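Review bot: Dropping the `sc.getUserPrincipal() != null` guard in authorize() at `@@ -84,7 +83,7 @@` makes the FINE log line dereference the principal unconditionally, so the method is safe only because handleMessage() now filters principal-less contexts first; authorize() starts outside this hunk, and if it is overridable or reachable from a subclass's own handleMessage() the log call can throw NullPointerException instead of returning false. Keeping the check local costs one condition: `if (LOG.isLoggable(Level.FINE) && sc.getUserPrincipal() != null) {`. The new condition in handleMessage() would also benefit from a one-line comment stating the intent, e.g. `// No context or no authenticated principal: fail closed rather than skip authorization.`, since the old code silently let such messages through and a future reader may mistake the throw for a regression.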
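Review bot: The new `checkConfiguredRolesOnly` field changes the trust model of isUserInRole() — when set, `super.isUserInRole` (the container's SecurityContext) is never consulted and the in-memory `userRolesMap` becomes the only authority — but nothing in the code says so. A comment on the field, `// When true, SecurityContext.isUserInRole is bypassed; role membership comes solely from userRolesMap.`, and a Javadoc on the setter added at `@@ -96,6 +97,10 @@` stating that an empty or missing user map then denies every caller would spare the next maintainer from reading the whole method. Note also that with the flag set the `deny` argument never reaches the superclass; whether the configured-roles check further down honours it is not visible here (the method continues past this hunk), so that is worth confirming before merge.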
@@ -52,7 +53,7 @@ public class SimpleAuthorizingIntercepto } return false; } else { - return true; + return !checkConfiguredRolesOnly; } } @@ -96,6 +97,10 @@ public class SimpleAuthorizingIntercepto globalRoles = Arrays.asList(roles.split(" ")); } + public void setCheckConfiguredRolesOnly(boolean checkConfiguredRolesOnly) { + this.checkConfiguredRolesOnly = checkConfiguredRolesOnly; + } + private static Map> parseRolesMap(Map rolesMap) { Map> map = new HashMap>(); for (Map.Entry entry : rolesMap.entrySet()) { Modified: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java?rev=1381136&r1=1381135&r2=1381136&view=diff ============================================================================== --- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java (original) +++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptorTest.java Wed Sep 5 10:57:51 2012 @@ -22,10 +22,10 @@ import java.lang.annotation.ElementType; import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; - import java.lang.reflect.Method; import java.security.Principal; +import org.apache.cxf.common.security.SimplePrincipal; import org.apache.cxf.message.Exchange; import org.apache.cxf.message.ExchangeImpl; import org.apache.cxf.message.Message; 
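Review bot: The else branch now returns `!checkConfiguredRolesOnly` without explanation, which reads as a boolean puzzle rather than an authorization decision; a comment such as `// No user->role configuration: with checkConfiguredRolesOnly set there is nothing to grant from, so deny; otherwise the superclass check has already passed.` states the fail-closed intent. The enclosing isUserInRole() starts outside this hunk, and the "superclass check has already passed" part rests on the guard at the top of the method in the earlier hunk rather than on lines shown here.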
@@ -109,7 +109,7 @@ public class SecureAnnotationsIntercepto private static class TestSecurityContext implements SecurityContext { public Principal getUserPrincipal() { - return null; + return new SimplePrincipal("user"); } public boolean isUserInRole(String role) { Modified: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java?rev=1381136&r1=1381135&r2=1381136&view=diff ============================================================================== --- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java (original) +++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java Wed Sep 5 10:57:51 2012 @@ -62,6 +62,18 @@ public class SimpleAuthorizingIntercepto EasyMock.replay(service, md); } + @Test(expected = AccessDeniedException.class) + public void testNoSecurityContext() { + message.put(SecurityContext.class, null); + new SimpleAuthorizingInterceptor().handleMessage(message); + } + + @Test(expected = AccessDeniedException.class) + public void testIncompleteSecurityContext() { + message.put(SecurityContext.class, new IncompleteSecurityContext()); + new SimpleAuthorizingInterceptor().handleMessage(message); + } + @Test public void testPermitWithNoRoles() { new SimpleAuthorizingInterceptor().handleMessage(message); 
@@ -75,6 +87,32 @@ public class SimpleAuthorizingIntercepto } @Test + public void testPermitWithMethodRolesConfigurationOnly() { + SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor(); + in.setCheckConfiguredRolesOnly(true); + in.setUserRolesMap(Collections.singletonMap("testUser", "role1")); + in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2")); + in.handleMessage(message); + } + + @Test(expected = AccessDeniedException.class) + public void testDenyWithMethodRolesConfigurationOnly() { + SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor(); + in.setCheckConfiguredRolesOnly(true); + in.setUserRolesMap(Collections.singletonMap("testUser", "role1")); + in.setMethodRolesMap(Collections.singletonMap("echo", "role2 role3")); + in.handleMessage(message); + } + + @Test(expected = AccessDeniedException.class) + public void testEmptyRolesConfigurationOnly() { + SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor(); + in.setCheckConfiguredRolesOnly(true); + in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2")); + in.handleMessage(message); + } + + @Test public void testPermitAll() { SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor(); in.setMethodRolesMap(Collections.singletonMap("echo", "*")); @@ -145,13 +183,29 @@ public class SimpleAuthorizingIntercepto } } - private static class TestSecurityContext implements SecurityContext { + private static class IncompleteSecurityContext implements SecurityContext { public Principal getUserPrincipal() { return null; } public boolean isUserInRole(String role) { + return false; + } + + } + + private static class TestSecurityContext implements SecurityContext { + + public Principal getUserPrincipal() { + return new Principal() { + public String getName() { + return "testUser"; + } + }; + } + + public boolean isUserInRole(String role) { return "testRole".equals(role); }
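Review bot: The new configuration-only tests show that the configured map can grant access the container would not, but not the security-relevant direction: that a role the SecurityContext does grant is ignored when the flag is set. TestSecurityContext answers true for "testRole", yet no test with the flag on requires "testRole", so a regression that falls back to the container check would pass this suite; a second gap is a non-empty user map with no entry for "testUser". Both fit the existing fixture (the user name "otherUser" below is an arbitrary constructed value) and should be denied if the inferred map lookup holds.
```java
@Test(expected = AccessDeniedException.class)
public void testContainerRolesIgnoredConfigurationOnly() {
    SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
    in.setCheckConfiguredRolesOnly(true);
    in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
    // TestSecurityContext.isUserInRole("testRole") is true, but the configured map must decide
    in.setMethodRolesMap(Collections.singletonMap("echo", "testRole"));
    in.handleMessage(message);
}

@Test(expected = AccessDeniedException.class)
public void testDenyUnknownUserConfigurationOnly() {
    SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
    in.setCheckConfiguredRolesOnly(true);
    in.setUserRolesMap(Collections.singletonMap("otherUser", "role1"));
    in.setMethodRolesMap(Collections.singletonMap("echo", "role1"));
    in.handleMessage(message);
}
```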