From serg...@apache.org
Subject git commit: [CXF-5864] Optional support for anonymous users
Date Wed, 09 Jul 2014 13:35:21 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 18f7085cb -> beb6b97ae


[CXF-5864] Optional support for anonymous users


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/beb6b97a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/beb6b97a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/beb6b97a

Branch: refs/heads/2.7.x-fixes
Commit: beb6b97aecc306b60225256f6c053fa2c5181c3d
Parents: 18f7085
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Jul 9 14:24:18 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Jul 9 14:34:17 2014 +0100

----------------------------------------------------------------------
 .../AbstractAuthorizingInInterceptor.java       | 18 ++++++++++++++--
 .../OperationInfoAuthorizingInterceptor.java    | 15 ++++++++++---
 .../SimpleAuthorizingInterceptorTest.java       | 22 ++++++++++++++++++--
 3 files changed, 48 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/beb6b97a/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
b/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
index 11f6b31..d4f22f1 100644
--- a/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
+++ b/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
@@ -38,21 +38,24 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
 
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthorizingInInterceptor.class);
     private static final String ALL_ROLES = "*";
-    
+    private boolean allowAnonymousUsers = true;
     
     public AbstractAuthorizingInInterceptor() {
         super(Phase.PRE_INVOKE);
     }
     
     public void handleMessage(Message message) throws Fault {
+        Method method = getTargetMethod(message);
         SecurityContext sc = message.get(SecurityContext.class);
         if (sc != null && sc.getUserPrincipal() != null) {
-            Method method = getTargetMethod(message);
             if (authorize(sc, method)) {
                 return;
             }
+        } else if (!isMethodProtected(method) && isAllowAnonymousUsers()) {
+            return;
         }
         
+        
         throw new AccessDeniedException("Unauthorized");
     }
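Review bot: The new field default `allowAnonymousUsers = true` on line 50 flips this interceptor from deny-by-default to allow-by-default for requests that carry no authenticated principal: any method whose expected-role and deny-role lists are both empty, including one left unmapped by a configuration typo, becomes reachable anonymously, whereas before this commit every unauthenticated request ended in AccessDeniedException. On a fixes branch that is a behaviour change existing deployments pick up silently, so consider `private boolean allowAnonymousUsers;` (default false) so that anonymous access is opt-in, or at least state the new default and its effect in the class Javadoc. Separately, moving `getTargetMethod(message)` ahead of the SecurityContext check (line 57) means it now runs for unauthenticated requests too; if that helper can return null rather than throw, `isMethodProtected(null)` on line 64 would fail with a NullPointerException instead of the intended AccessDeniedException — the helper is outside this hunk so I cannot confirm. The enclosing class continues outside the hunk.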
     
@@ -87,6 +90,9 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
         }
         return false;
     }
+    protected boolean isMethodProtected(Method method) {
+        return !getExpectedRoles(method).isEmpty() || !getDenyRoles(method).isEmpty();
+    }
     
     protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean
deny) {
         
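Review bot: `isMethodProtected` on line 76 is the new decision point that lets an unauthenticated caller through, yet it carries no Javadoc; a subclass overriding `getExpectedRoles` or `getDenyRoles` needs to know that returning empty lists from both marks the method as open to anonymous invocation when `allowAnonymousUsers` is set. Suggested comment above the method: `/** Returns true when the method has at least one expected or deny role; methods with neither may be invoked anonymously if allowAnonymousUsers is enabled. */`. A blank line before line 76 would also match the spacing of the surrounding methods. The enclosing class continues outside the hunk.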
@@ -118,5 +124,13 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
     protected List<String> getDenyRoles(Method method) {
         return Collections.emptyList();
     }
+
+    public boolean isAllowAnonymousUsers() {
+        return allowAnonymousUsers;
+    }
+
+    public void setAllowAnonymousUsers(boolean allowAnonymousUsers) {
+        this.allowAnonymousUsers = allowAnonymousUsers;
+    }
     
 }
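Review bot: `setAllowAnonymousUsers` on line 92 is a security-relevant switch that will typically be set from bean configuration, but neither accessor documents what it permits or what the default is, so a deployer reading the bean properties cannot tell that leaving it unset opens role-less methods to unauthenticated callers. Suggested Javadoc on the setter: `/** Controls whether a request without an authenticated principal may invoke a method that has no expected or deny roles; defaults to true. Set to false to require authentication for every method. */`.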

http://git-wip-us.apache.org/repos/asf/cxf/blob/beb6b97a/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
b/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
index b7e496c..f0dbaa0 100755
--- a/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
+++ b/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
@@ -39,13 +39,15 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
 
     @Override
     public void handleMessage(Message message) throws Fault {
+        OperationInfo opinfo = getTargetOperationInfo(message);
         SecurityContext sc = message.get(SecurityContext.class);
         if (sc != null && sc.getUserPrincipal() != null) {
-            OperationInfo opinfo = getTargetOperationInfo(message);
-            if (opinfo != null && opinfo.getName() != null
+            if (opinfo.getName() != null
                 && authorize(sc, opinfo.getName().getLocalPart())) {
                 return;
             }
+        } else if (!isMethodProtected(opinfo.getName().getLocalPart()) && isAllowAnonymousUsers())
{
+            return;
         }
         
         throw new AccessDeniedException("Unauthorized");
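Review bot: The anonymous branch on line 118 dereferences `opinfo.getName()` without the null guard that the authenticated branch keeps on line 114, so an operation with no name yields a NullPointerException from this interceptor instead of the AccessDeniedException it is meant to raise. Mirror the guard: `} else if (opinfo.getName() != null && !isMethodProtected(opinfo.getName().getLocalPart()) && isAllowAnonymousUsers()) {`. The same default-open consideration noted for AbstractAuthorizingInInterceptor applies here, since the String-keyed `isMethodProtected` added later in this file treats an unmapped operation name as unprotected. The enclosing class continues outside the hunk.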
@@ -70,7 +72,10 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
 
     protected OperationInfo getTargetOperationInfo(Message message) {
         BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
-        return bop != null ? bop.getOperationInfo() : null;
+        if (bop != null) {
+            return bop.getOperationInfo();
+        }
+        throw new AccessDeniedException("OperationInfo is not available : Unauthorized");
     }
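Review bot: `getTargetOperationInfo` on line 126 now throws AccessDeniedException where it previously returned null, which is the safer fail-closed choice, but it is a protected method that subclasses may override or call expecting the old null return (the null check removed on line 113 was the only caller visible here). Document the new contract on the method: `@throws AccessDeniedException if no BindingOperationInfo is present on the exchange`. The enclosing class continues outside the hunk.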
 
     protected List<String> getExpectedRoles(String key) {
@@ -84,4 +89,8 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
     protected List<String> getDenyRoles(String key) {
         return Collections.emptyList();    
     }
+    
+    protected boolean isMethodProtected(String key) {
+        return !getExpectedRoles(key).isEmpty() || !getDenyRoles(key).isEmpty();
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/beb6b97a/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
b/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
index c54c71f..ad9b5c0 100644
--- a/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
+++ b/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
@@ -84,13 +84,31 @@ public class SimpleAuthorizingInterceptorTest extends Assert {
     @Test(expected = AccessDeniedException.class)
     public void testNoSecurityContext() {
         message.put(SecurityContext.class, null);
-        createSimpleAuthorizingInterceptor().handleMessage(message);
+        SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+        in.setAllowAnonymousUsers(false);
+        in.handleMessage(message);
+    }
+    
+    @Test(expected = AccessDeniedException.class)
+    public void testNoSecurityContextAnonymousUserRoles() {
+        message.put(SecurityContext.class, null);
+        SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+        in.setMethodRolesMap(Collections.singletonMap("echo", "role1 testRole"));
+        in.handleMessage(message);
+    }
+    @Test
+    public void testNoSecurityContextAnonymousUserUnprotectedMethod() {
+        message.put(SecurityContext.class, null);
+        SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+        in.handleMessage(message);
     }
     
     @Test(expected = AccessDeniedException.class)
     public void testIncompleteSecurityContext() {
         message.put(SecurityContext.class, new IncompleteSecurityContext());
-        createSimpleAuthorizingInterceptor().handleMessage(message);    
+        SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+        in.setAllowAnonymousUsers(false);
+        in.handleMessage(message);
     }
     
     @Test
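Review bot: The new tests cover an unauthenticated caller against an unprotected method and against a method with expected roles (lines 164-174), but not against a deny-role mapping, which `isMethodProtected` counts as protection too; if SimpleAuthorizingInterceptor exposes deny-role configuration, a case shaped like `testNoSecurityContextAnonymousUserRoles` that sets deny roles and expects AccessDeniedException would pin that path. Nothing here exercises the new anonymous branch in `OperationInfoAuthorizingInterceptor`, whose null handling differs from the Method-based interceptor. Minor layout point: line 170 lacks the blank line that separates the other test methods. The test class continues outside the hunk.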

