portals-jetspeed-dev mailing list archives

From tay...@apache.org
Subject svn commit: r510438 - in /portals/jetspeed-2/trunk: applications/j2-admin/src/webapp/javascript/ components/portal/ components/portal/src/java/org/apache/jetspeed/ajax/ src/webapp/WEB-INF/ src/webapp/WEB-INF/assembly/
Date Thu, 22 Feb 2007 08:17:35 GMT
Author: taylor
Date: Thu Feb 22 00:17:32 2007
New Revision: 510438

URL: http://svn.apache.org/viewvc?view=rev&rev=510438
Log:
https://issues.apache.org/jira/browse/JS2-655

Entity Editor has been broken for a long time.
Also, the entity editor is unsecured.
Propose fixing this bug by retrofitting onto an "ajax-direct" pipeline keyed off the /ajax pipeline
mapping
Also assign a security behavior to the ajax valve to give it RBAC security, locking out all
AJAX calls not authorized by a list of trusted roles 

(Could have sworn there was a jira issue on this one, but i could not find it, sorry if i
have created a dupe)

Modified:
    portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
    portals/jetspeed-2/trunk/components/portal/maven.xml
    portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
    portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
    portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml

Modified: portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js (original)
+++ portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js Thu Feb 22
00:17:32 2007
@@ -53,7 +53,7 @@
      }
   }
   
-  var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_apps.ajax?ajax_service=portletRegistry.getPortletApplications"
,this); 
+  var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=portletRegistry.getPortletApplications"
,this); 
   requestCaller.serviceRequest();
 }
 
@@ -78,7 +78,7 @@
   this.load = function(appName)
   {
      this.appName = appName;
-     var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_definitions.ajax?ajax_service=portletRegistry.getPortletApplication&ajax_param_0_str="+appName
,this); 
+     var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=portletRegistry.getPortletApplication&ajax_param_0_str="+appName
,this); 
      requestCaller.serviceRequest();
   }
 }
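Review bot: `appName` is concatenated into the query string unencoded (`"...&ajax_param_0_str="+appName`), so a name containing `&`, `#`, `+` or non-ASCII characters changes or truncates the parameters the server parses. Pass the value as `encodeURIComponent(appName)`. The same applies to `portletName` and `entityName` in the hunks at @@ -111 and @@ -157. Since the server now selects both the bean method and the template from `ajax_service`, caller-supplied values should not be able to add or override parameters.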
@@ -111,7 +111,7 @@
   
   this.load = function(portletName)
   {
-      var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_entities.ajax?ajax_service=entityAccess.getPortletEntities&ajax_param_0_str="+portletName
,this); 
+      var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=entityAccess.getPortletEntities&ajax_param_0_str="+portletName
,this); 
       requestCaller.serviceRequest();
   }
 }
@@ -157,7 +157,7 @@
   
   this.load = function(entityName)
   {
-      var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_entity.ajax?ajax_service=entityAccess.getPortletEntity&ajax_param_0_str="+entityName,this);

+      var requestCaller = new XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=entityAccess.getPortletEntity&ajax_param_0_str="+entityName,this);

       requestCaller.serviceRequest();
   }
 

Modified: portals/jetspeed-2/trunk/components/portal/maven.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/maven.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/maven.xml (original)
+++ portals/jetspeed-2/trunk/components/portal/maven.xml Thu Feb 22 00:17:32 2007
@@ -17,6 +17,6 @@
 <project default="java:jar" xmlns:j="jelly:core" xmlns:define="jelly:define" xmlns:maven="jelly:maven">
 
     <!-- Target of maven test:single test -->
-    <property name='testcase' value='org.apache.jetspeed.aggregator.TestAggregator2' />
+    <property name='testcase' value='org.apache.jetspeed.decoration.TestDecorations' />
 
 </project>

Modified: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
(original)
+++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
Thu Feb 22 00:17:32 2007
@@ -19,12 +19,16 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
+import java.io.StringWriter;
 import java.lang.reflect.Method;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
@@ -41,8 +45,8 @@
  */
 public class AJAXServiceImpl implements AJAXService, BeanFactoryAware
 {
-
     private Map serviceToBeans;
+    private Map serviceToTemplates;
 
     private BeanFactory beanFactory;
     private VelocityEngine engine;
@@ -52,10 +56,11 @@
         this.serviceToBeans = serviceToBeans;        
     }
 
-    public AJAXServiceImpl(Map serviceToBeans, VelocityEngine engine)
+    public AJAXServiceImpl(Map serviceToBeans, VelocityEngine engine, Map serviceToTemplates)
     {
         this.serviceToBeans = serviceToBeans; 
         this.engine = engine;
+        this.serviceToTemplates = serviceToTemplates;
     }
 
     public AJAXResponse processRequest(AJAXRequest request)
@@ -63,7 +68,7 @@
     {
         final String serviceName = request.getServiceName();
         final String methodName = request.getMethodName();
-        final String templateName = request.getServletRequest().getServletPath();
+ //       final String templateName = request.getServletRequest().getServletPath();
 
         final String mappedServiceName = (serviceName+"."+methodName).trim();
         try
@@ -92,7 +97,8 @@
             Context context = new VelocityContext();
             context.put("ajaxRequest", request);
             context.put("result", result);            
-            
+   
+            String templateName =  ((String)serviceToTemplates.get(mappedServiceName)).trim();
             final InputStream templateResource = request.getContext().getResourceAsStream(templateName);
             
             if(templateResource == null)
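Review bot: `((String)serviceToTemplates.get(mappedServiceName)).trim()` throws a NullPointerException when the requested service has no entry in the template map. It presumably does the same when the instance came from the constructor ending at the top of the @@ -52 hunk, which only assigns `serviceToBeans`. `mappedServiceName` is built from request values, so a client can reach this path; it should fail as an AJAXException like the missing-resource check just below it, e.g. `if (serviceToTemplates == null || serviceToTemplates.get(mappedServiceName) == null) throw new AJAXException("No template mapped for requested service");`. Since `result` is already in the context here, the lookup appears to run after the service method has been invoked; resolving the template first would reject unmapped services before any work is done. `processRequest` starts and ends outside this hunk.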
@@ -102,7 +108,21 @@
             }
             Reader template = new InputStreamReader(templateResource);
             
-            return new AJAXResponseImpl(context, engine, template, request.getServletResponse().getWriter());
+            StringWriter stringWriter = new StringWriter();
+
+            AJAXResponse ajaxResponse = new AJAXResponseImpl(context, engine, template, stringWriter);
           
+            ajaxResponse.complete();
+    
+            String buffer = stringWriter.getBuffer().toString();
+            System.out.println("debug: " + buffer);
+            //log.debug("output from AjaxService:" + buffer);
+
+            // Put the response XML on the response object            
+            HttpServletResponse response = request.getServletResponse();
+            ServletOutputStream sos = response.getOutputStream();
+            sos.print(buffer);
+            sos.flush();
+            return ajaxResponse;
         }
         catch(AJAXException ae)
         {
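Review bot: `System.out.println("debug: " + buffer);` writes every rendered response to the container's stdout unconditionally, which copies portlet registry and entity data into logs that are often less protected than the portal itself. Remove the line or route it through a class logger at debug level, as the commented-out `log.debug(...)` beneath it suggests. Separately, `sos.print(buffer)` on a `ServletOutputStream` can fail with a `CharConversionException` for characters outside ISO-8859-1. Writing through `response.getWriter()` with an explicit charset in the content type avoids that. The `try` block opens above this hunk and its catch clauses continue below it.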

Modified: portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
(original)
+++ portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
Thu Feb 22 00:17:32 2007
@@ -15,8 +15,9 @@
  */
 package org.apache.jetspeed.ajax;
 
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.jetspeed.layout.PortletActionSecurityBehavior;
 import org.apache.jetspeed.pipeline.PipelineException;
 import org.apache.jetspeed.pipeline.valve.AbstractValve;
 import org.apache.jetspeed.pipeline.valve.ValveContext;
@@ -30,27 +31,48 @@
  */
 public class AJAXValve extends AbstractValve
 {
-    private static final Log log = LogFactory.getLog( AJAXValve.class );
-    private AjaxRequestService ajaxService;
+    private AJAXService ajaxService;
+    private PortletActionSecurityBehavior securityBehavior;
     
-    public AJAXValve(AJAXService service)
+    public AJAXValve(AJAXService service, PortletActionSecurityBehavior securityBehavior)
     {
         super();
+        this.ajaxService = service;
+        this.securityBehavior = securityBehavior;
     }
         
     public void invoke( RequestContext request, ValveContext context )
         throws PipelineException
     {
+        HttpServletResponse response = request.getResponse(); 
         try
         {
-            ajaxService.process(request);
+            response.setContentType("text/xml");  
+            if (!securityBehavior.checkAccess(request, "edit"))
+            {
+                throw new AJAXException("Access Denied.");
+            }
+            AJAXRequest ajaxRequest = new AJAXRequestImpl(request.getRequest(), response,
request.getConfig().getServletContext());
+            ajaxService.processRequest(ajaxRequest);
+        }
+        catch (AJAXException e)
+        {
+            try
+            {
+                response.sendError(500, e.getMessage());
+            }
+            catch (Exception e2)
+            {
+                throw new PipelineException(e2.getMessage(), e2);
+            }
         }
-        catch (Exception e)
+        catch(Exception e)
         {
-            throw new PipelineException(e.toString(), e);
+            throw new PipelineException(e.getMessage(), e);
         }
+        
         // Pass control to the next Valve in the Pipeline
-        context.invokeNext( request );
+        context.invokeNext(request);
     }
 
     public String toString()
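Review bot: A request that fails `securityBehavior.checkAccess(request, "edit")` is answered with a generic 500, and `invoke` then still reaches `context.invokeNext(request)` after `sendError` has committed the response. Answer with 403 and stop in the denied branch, e.g. `response.sendError(HttpServletResponse.SC_FORBIDDEN); return;` (assuming no later valve has to run), so clients and monitoring can tell authorization failures from service faults. The remaining `catch (AJAXException e)` passes `e.getMessage()` to the client; a fixed message with the detail logged server-side discloses less. The commit also removes the `log` field, so denied calls leave no record. `toString()` continues outside the hunk.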

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml Thu Feb 22 00:17:32 2007
@@ -58,6 +58,22 @@
         <property name="overrideLogging"><value>false</value></property>
       </bean>
     </constructor-arg>
+  <constructor-arg>
+      <map>
+		<entry key="portletRegistry.getPortletApplications">
+			<value>/ajax/portlet_apps.ajax</value>
+		</entry>
+		<entry key="portletRegistry.getPortletApplication">
+			<value>/ajax/portlet_definitions.ajax</value>
+		</entry>
+		<entry key="entityAccess.getPortletEntities">
+			<value>/ajax/portlet_entities.ajax</value>
+		</entry>
+		<entry key="entityAccess.getPortletEntity">
+			<value>/ajax/portlet_entity.ajax</value>
+		</entry>
+	  </map>
+    </constructor-arg>    
   </bean>  
 	
 </beans>

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml Thu Feb 22 00:17:32
2007
@@ -231,8 +231,11 @@
         init-method="initialize"
   >
    <constructor-arg>
-       <ref bean="AJAXService"/>
+       <ref bean="AJAXService"/>     
    </constructor-arg>
+    <constructor-arg>
+        <ref bean="RolesSecurityBehavior"/>        
+    </constructor-arg>    	
   </bean> 
   
   <bean id="DecorationValve"
@@ -378,12 +381,32 @@
         <ref bean="localizationValve"/>
         <ref bean="profilerValve"/>                        
         <ref bean="containerValve"/>
-        <!-- TODO: replace layout valve with Ajax valve -->
+        <!--  this is the standard Jetspeed API entry point -->
         <ref bean="layoutValve"/>
     </list>
     </constructor-arg>
   </bean> 
 
+  <bean id="ajax-direct-pipeline"
+        class="org.apache.jetspeed.pipeline.JetspeedPipeline"
+        init-method="initialize"
+  >
+   <constructor-arg>
+       <value>AjaxDirectPipeline</value>
+   </constructor-arg>
+   <constructor-arg>
+    <list>
+        <ref bean="capabilityValve"/>
+        <ref bean="portalURLValve"/>                
+        <ref bean="securityValve"/>                
+        <ref bean="localizationValve"/>
+        <ref bean="profilerValve"/>                        
+        <ref bean="containerValve"/>
+        <ref bean="AJAXValve"/>
+    </list>
+    </constructor-arg>
+  </bean> 
+
   <bean id="fileserver-pipeline"
         class="org.apache.jetspeed.pipeline.JetspeedPipeline"
         init-method="initialize"
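Review bot: The new `ajax-direct-pipeline` bean has no comment stating that `AJAXValve` is the only access check on `/ajax`, or that it depends on `securityValve` running earlier in the list, presumably to establish the subject that `checkAccess` evaluates. Add an XML comment above the bean, e.g. `<!-- direct AJAX entry point: AJAXValve enforces role-based access and must stay after securityValve -->`, so that a later reordering or copy of this list does not silently drop the protection. The `fileserver-pipeline` bean that follows continues outside the hunk.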
@@ -449,6 +472,9 @@
             <entry key='/action'>
                 <value>desktop-action-pipeline</value>
             </entry>                                                
+            <entry key='/ajax'>
+                <value>ajax-direct-pipeline</value>
+            </entry>
         </map>        
     </constructor-arg>        
   </bean>

Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Thu Feb 22 00:17:32 2007
@@ -30,12 +30,7 @@
     <param-name>log4j.config.webApplicationRoot.key</param-name>
     <param-value>applicationRoot</param-value>
   </context-param>
-  
-  <filter>
-    <filter-name>AJAXFilter</filter-name>
-    <filter-class>org.apache.jetspeed.ajax.AJAXFilter</filter-class>   
-  </filter>
-    
+      
   <filter>
       <filter-name>staticResourceCachingFilter</filter-name>
       <filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
@@ -55,10 +50,6 @@
     <filter-class>org.apache.jetspeed.login.filter.PortalFilter</filter-class>
  
   </filter>
   -->
-  <filter-mapping>
-    <filter-name>AJAXFilter</filter-name>
-    <url-pattern>*.ajax</url-pattern>    
-  </filter-mapping>  
 <!--      
     
   <filter-mapping>
@@ -180,6 +171,14 @@
        </servlet-name>
        <url-pattern>
          /ajaxapi/*
+       </url-pattern>
+    </servlet-mapping>            
+    <servlet-mapping>
+       <servlet-name>
+          jetspeed
+       </servlet-name>
+       <url-pattern>
+         /ajax/*
        </url-pattern>
     </servlet-mapping>            
     <servlet-mapping>



---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

