directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject directory-fortress-commander git commit: FC-80 - Fix logout for unauthorized users
Date Thu, 12 Mar 2015 15:30:22 GMT
Repository: directory-fortress-commander
Updated Branches:
  refs/heads/master 6c3d0cba6 -> ff708e123


FC-80 - Fix logout for unauthorized users


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/commit/ff708e12
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/tree/ff708e12
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/diff/ff708e12

Branch: refs/heads/master
Commit: ff708e123e6380c2fdbe71d58a5598abcb5e14f3
Parents: 6c3d0cb
Author: Shawn McKinney <smckinney@apache.org>
Authored: Thu Mar 12 10:30:08 2015 -0500
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Thu Mar 12 10:30:08 2015 -0500

----------------------------------------------------------------------
 .../fortress/web/FortressWebBasePage.java       |   6 +-
 .../fortress/web/FtIndicatingAjaxButton.java    | 105 +++++++++++++++++++
 .../directory/fortress/web/LogoutPage.java      |  44 ++++++++
 .../apache/directory/fortress/web/SecUtils.java |  35 +++++++
 .../web/SecureIndicatingAjaxButton.java         |   2 -
 .../directory/fortress/web/LogoutPage.html      |  27 +++++
 src/main/webapp/WEB-INF/web.xml                 |  81 +++++++-------
 src/main/webapp/login/unauthorized.html         |   9 +-
 8 files changed, 264 insertions(+), 45 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java b/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
index b78d185..46593fc 100644
--- a/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
+++ b/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
@@ -133,14 +133,10 @@ public abstract class FortressWebBasePage extends WebPage
             /** Default serialVersionUID */
             private static final long serialVersionUID = 1L;
 
-
             @Override
             public void onClick()
             {
-                HttpServletRequest servletReq = ( HttpServletRequest ) getRequest().getContainerRequest();
-                servletReq.getSession().invalidate();
-                getSession().invalidate();
-                setResponsePage( LaunchPage.class );
+                setResponsePage( LogoutPage.class );
             }
         };
         add( actionLink );

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java b/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
new file mode 100644
index 0000000..eabf605
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
@@ -0,0 +1,105 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.web;
+
+import com.googlecode.wicket.jquery.ui.form.button.IndicatingAjaxButton;
+import org.apache.log4j.Logger;
+import org.apache.wicket.spring.injection.annot.SpringBean;
+import org.apache.directory.fortress.core.*;
+import org.apache.directory.fortress.core.rbac.Permission;
+
+
+/**
+ * ...
+ *
+ * @author Shawn McKinney
+ * @version $Rev$
+ */
+public class FtIndicatingAjaxButton extends IndicatingAjaxButton
+{
+    Permission perm;
+
+    @SpringBean
+    private AccessMgr accessMgr;
+
+    private static final Logger LOG = Logger.getLogger( SecureIndicatingAjaxButton.class.getName()
);
+
+    public FtIndicatingAjaxButton(String id)
+    {
+        super( id );
+        String[] parts = id.split( "\\." );
+        if(parts != null && parts.length > 1)
+        {
+            String objName = parts[0];
+            String opName = parts[1];
+            this.perm = new Permission(objName, opName);
+            if ( SecUtils.isFound( perm, this ) )
+            {
+                LOG.debug( "FtIndicatingAjaxButton id: " + id + ", status found" );
+            }
+            else
+            {
+                LOG.debug( "FtIndicatingAjaxButton id: " + id + ", status NOT found" );
+                setVisible( false );
+            }
+
+        }
+        else
+        {
+            throw new RuntimeException( "FtIndicatingAjaxButton Constructor ID: " + id +
", requires objectname.opname format" );
+        }
+    }
+
+    protected boolean checkAccess( )
+    {
+        boolean isAuthorized = false;
+        try
+        {
+            WicketSession session = ( WicketSession )getSession();
+            isAuthorized = accessMgr.checkAccess( session.getSession(), perm );
+            LOG.info( "Fortress checkAccess objName: " + this.perm.getObjName() + " opName:
" + this.perm.getOpName() + " userId: " + session.getSession().getUserId() + " result: " +
isAuthorized);
+        }
+        catch(org.apache.directory.fortress.core.SecurityException se)
+        {
+            String error = "Fortress SecurityException checkAccess objName: " + this.perm.getObjName()
+ " opName: " + this.perm.getOpName() + " error=" + se;
+            LOG.error( error );
+        }
+        return isAuthorized;
+    }
+
+
+    protected boolean checkAccess( String objectId )
+    {
+        boolean isAuthorized = false;
+        try
+        {
+            WicketSession session = ( WicketSession )getSession();
+            Permission finePerm = new Permission(perm.getObjName(), perm.getOpName(), objectId);
+            isAuthorized = accessMgr.checkAccess( session.getSession(), finePerm );
+            LOG.info( "Fortress checkAccess objName: " + this.perm.getObjName() + " opName:
" + this.perm.getOpName() + ", objId: " + finePerm.getObjId() + ", userId: " + session.getSession().getUserId()
+ " result: " + isAuthorized);
+        }
+        catch(org.apache.directory.fortress.core.SecurityException se)
+        {
+            String error = "Fortress SecurityException checkAccess objectName: " + this.perm.getObjName()
+ " opName: " + this.perm.getOpName() + ", objId: " + objectId + ", error=" + se;
+            LOG.error( error );
+        }
+        return isAuthorized;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/LogoutPage.java b/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
new file mode 100644
index 0000000..7132156
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
@@ -0,0 +1,44 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.web;
+
+
+import org.apache.log4j.Logger;
+import org.apache.wicket.markup.html.basic.Label;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class LogoutPage extends FortressWebBasePage
+{
+    private static final Logger LOG = Logger.getLogger( LogoutPage.class.getName() );
+    public LogoutPage()
+    {
+        HttpServletRequest servletReq = (HttpServletRequest)getRequest().getContainerRequest();
+        // invalidate the session and force the user to log back on:
+        servletReq.getSession().invalidate();
+        getSession().invalidate();
+        setResponsePage( LoginPage.class );
+        add(new Label("label1", "Select logout"));
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/SecUtils.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/SecUtils.java b/src/main/java/org/apache/directory/fortress/web/SecUtils.java
index dca3d8c..10b3161 100644
--- a/src/main/java/org/apache/directory/fortress/web/SecUtils.java
+++ b/src/main/java/org/apache/directory/fortress/web/SecUtils.java
@@ -34,6 +34,7 @@ import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 
 import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
 import java.util.List;
 
 /**
@@ -336,4 +337,38 @@ public class SecUtils
         }
         return isSuccessful;
     }
+
+    public static void enableFortress( Component component, HttpServletRequest servletReq,
J2eePolicyMgr j2eePolicyMgr, AccessMgr accessMgr )
+    {
+        // Get the principal from the container:
+        Principal principal = servletReq.getUserPrincipal();
+        // Is this a Java EE secured page && has the User successfully authenticated
already?
+        boolean isSecured = principal != null;
+        if(isSecured)
+        {
+            //linksLabel += " for " + principal.getName();
+            if( !isLoggedIn( component ) )
+            {
+                String szPrincipal = principal.toString();
+                // Pull the fortress session from the realm and assert into the Web app's
session along with user's perms:
+                SecUtils.initializeSession( component, j2eePolicyMgr, accessMgr, szPrincipal
);
+            }
+        }
+    }
+
+    /**
+     * If user has a wicket session then considered logged in.
+     *
+     * @return true if wicket session is not null
+     */
+    public static boolean isLoggedIn( Component component )
+    {
+        boolean isLoggedIn = false;
+        if ( getSession( component ) != null )
+        {
+            isLoggedIn = true;
+        }
+        return isLoggedIn;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
b/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
index 5d96066..ac548d1 100644
--- a/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
+++ b/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
@@ -79,7 +79,6 @@ public class SecureIndicatingAjaxButton extends IndicatingAjaxButton
             setVisible( false );
     }
 
-
     public SecureIndicatingAjaxButton( String id, String objName, String opName )
     {
         super( id );
@@ -87,7 +86,6 @@ public class SecureIndicatingAjaxButton extends IndicatingAjaxButton
             setVisible( false );
     }
 
-
     protected boolean checkAccess( String objectName, String opName )
     {
         boolean isAuthorized = false;

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
----------------------------------------------------------------------
diff --git a/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html b/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
new file mode 100644
index 0000000..7e2cb4f
--- /dev/null
+++ b/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
@@ -0,0 +1,27 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+<html>
+<head></head>
+<body>
+<wicket:extend>
+    <h3>Commander Logout Page</h3>
+    <strong><span wicket:id="label1"></span></strong>
+</wicket:extend>
+</body>
+</html>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index a32a1ca..c39f7e0 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -98,46 +98,53 @@
     </error-page>
 
     <!-- Begin JAVA EE Security configs: -->
-    <!-- Begin JAVA EE Security configs: -->
-        <security-constraint>
-            <display-name>Commander Security Constraint</display-name>
-            <web-resource-collection>
-                <web-resource-name>Protected Area</web-resource-name>
-                <!-- Define the context-relative URL(s) to be protected -->
-                <url-pattern>/wicket/*</url-pattern>
-                <!-- If you list http methods, only those methods are protected -->
-                <!--http-method>GET</http-method-->
-            </web-resource-collection>
-            <auth-constraint>
-                <!-- Anyone with one of the listed roles may access this area -->
-                <role-name>ROLE_ADMIN</role-name>
-                <role-name>ROLE_USERS</role-name>
-                <role-name>ROLE_ROLES</role-name>
-                <role-name>ROLE_PERMS</role-name>
-                <role-name>ROLE_SSDS</role-name>
-                <role-name>ROLE_DSDS</role-name>
-                <role-name>ROLE_POLICIES</role-name>
-                <role-name>ROLE_PERMOBJS</role-name>
-                <role-name>ROLE_USEROUS</role-name>
-                <role-name>ROLE_PERMOUS</role-name>
-                <role-name>ROLE_ADMINROLES</role-name>
-                <role-name>ROLE_ADMINOBJS</role-name>
-                <role-name>ROLE_ADMINPERMS</role-name>
-                <role-name>ROLE_AUDIT_AUTHZS</role-name>
-                <role-name>ROLE_AUDIT_MODS</role-name>
-                <role-name>ROLE_AUDIT_BINDS</role-name>
-            </auth-constraint>
-        </security-constraint>
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>app</web-resource-name>
+            <url-pattern>/wicket/bookmarkable/org.apache.directory.fortress.web.LogoutPage</url-pattern>
+        </web-resource-collection>
+        <!-- OMIT auth-constraint -->
+    </security-constraint>
+
+    <security-constraint>
+        <display-name>Commander Security Constraint</display-name>
+        <web-resource-collection>
+            <web-resource-name>Protected Area</web-resource-name>
+            <!-- Define the context-relative URL(s) to be protected -->
+            <url-pattern>/wicket/*</url-pattern>
+            <!-- If you list http methods, only those methods are protected -->
+            <!--http-method>GET</http-method-->
+        </web-resource-collection>
+        <auth-constraint>
+            <!-- Anyone with one of the listed roles may access this area -->
+            <role-name>ROLE_ADMIN</role-name>
+            <role-name>ROLE_USERS</role-name>
+            <role-name>ROLE_ROLES</role-name>
+            <role-name>ROLE_PERMS</role-name>
+            <role-name>ROLE_SSDS</role-name>
+            <role-name>ROLE_DSDS</role-name>
+            <role-name>ROLE_POLICIES</role-name>
+            <role-name>ROLE_PERMOBJS</role-name>
+            <role-name>ROLE_USEROUS</role-name>
+            <role-name>ROLE_PERMOUS</role-name>
+            <role-name>ROLE_ADMINROLES</role-name>
+            <role-name>ROLE_ADMINOBJS</role-name>
+            <role-name>ROLE_ADMINPERMS</role-name>
+            <role-name>ROLE_AUDIT_AUTHZS</role-name>
+            <role-name>ROLE_AUDIT_MODS</role-name>
+            <role-name>ROLE_AUDIT_BINDS</role-name>
+        </auth-constraint>
+    </security-constraint>
 
     <!-- Default login configuration uses form-based authentication -->
-<!--
-        <login-config>
-            <auth-method>BASIC</auth-method>
-            <realm-name>SentrySecurityRealm</realm-name>
-        </login-config>
--->
+    <!--
+            <login-config>
+                <auth-method>BASIC</auth-method>
+                <realm-name>SentrySecurityRealm</realm-name>
+            </login-config>
+    -->
     <login-config>
-		<auth-method>FORM</auth-method>
+        <auth-method>FORM</auth-method>
         <realm-name>SentrySecurityRealm</realm-name>
         <form-login-config>
             basedir

http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/webapp/login/unauthorized.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/login/unauthorized.html b/src/main/webapp/login/unauthorized.html
index 3fcd181..e567f1b 100644
--- a/src/main/webapp/login/unauthorized.html
+++ b/src/main/webapp/login/unauthorized.html
@@ -26,10 +26,17 @@
 <body>
 <h3>Unauthorized access attempt detected</h3>
 
-<FORM METHOD=POST ACTION="/fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.LaunchPage">
+<FORM METHOD=POST ACTION="org.apache.directory.fortress.web.LaunchPage">
     <p>
         <font size="2">Click the button to return to home page.</font>
         <BR><BR>
+        <input type="submit" name="restart" value="return">
+    </p>
+</form>
+<FORM METHOD=POST ACTION="org.apache.directory.fortress.web.LogoutPage">
+    <p>
+        <font size="2">Click the button to relogin.</font>
+        <BR><BR>
         <input type="submit" name="relogin" value="return">
     </p>
 </form>


Mime
View raw message