rave-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From carlu...@apache.org
Subject svn commit: r1183496 - in /incubator/rave/trunk: rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/ rave-components/rave-core/src/main/java/org/apache/rave/portal/service/ rave-components/rave-core/src/test/java/org/apache/ra...
Date Fri, 14 Oct 2011 20:54:37 GMT
Author: carlucci
Date: Fri Oct 14 20:54:37 2011
New Revision: 1183496

URL: http://svn.apache.org/viewvc?rev=1183496&view=rev
Log:
Code to support RAVE-298 (unchecked page manipulations):
- implemented DefaultPagePermissionEvaluator
- protected one PageService method: getPage
- added handleAccessDeniedException to o.a.r.p.w.a.rest.PageApi
- fixed permissionEvaluator bean definition in applicationContext-security.xml to prevent
duplicate bean creation

Added:
    incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluatorTest.java
Modified:
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
    incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
    incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rest/PageApi.java
    incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/api/rest/PageApiTest.java
    incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java?rev=1183496&r1=1183495&r2=1183496&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluator.java
Fri Oct 14 20:54:37 2011
@@ -16,41 +16,143 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-
 package org.apache.rave.portal.security.impl;
 
 import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.List;
 import org.apache.rave.portal.model.Page;
+import org.apache.rave.portal.model.User;
+import org.apache.rave.portal.repository.PageRepository;
 import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 
 /**
  * The default implementation of the ModelPermissionEvaluator for Page objects
  * 
- * NOTE: this is temporarily a stub placeholder to allow the security framework 
- * code to be checked in and not break the autowiring code
- * 
- * TODO: implement this class
- * 
  * @author carlucci
  */
 @Component
 public class DefaultPagePermissionEvaluator extends AbstractModelPermissionEvaluator<Page>
{
-
+    private Logger log = LoggerFactory.getLogger(getClass());
+    private PageRepository pageRepository;    
+    
+    @Autowired
+    public DefaultPagePermissionEvaluator(PageRepository pageRepository) {       
+        this.pageRepository = pageRepository;
+    }
+   
     @Override
     public Class<Page> getType() {
         return Page.class;
     }
     
+    /**
+     * Checks to see if the Authentication object has the supplied Permission
+     * on the supplied Page object.  This method invokes the private hasPermission
+     * function with the trustedDomainObject parameter set to false since we don't
+     * know if the model being passed in was modified in any way from the 
+     * actual entity in the database.
+     * 
+     * @param authentication the current Authentication object
+     * @param page the Page model object
+     * @param permission the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
     @Override
-    public boolean hasPermission(Authentication authentication, Page page, Permission permission)
{       
-        return true;
+    public boolean hasPermission(Authentication authentication, Page page, Permission permission)
{      
+        return hasPermission(authentication, page, permission, false);
     }    
 
+    /**
+     * Checks to see if the Authentication object has the supplied Permission 
+     * for the Entity represented by the targetId(entityId) and targetType(model class name).
+     * This method invokes the private hasPermission function with the 
+     * trustedDomainObject parameter set to true since we must pull the entity
+     * from the database and are guaranteed a trusted domain object,
+     * before performing our permission checks.
+     * 
+     * @param authentication the current Authentication object
+     * @param targetId the entityId of the model to check
+     * @param targetType the class of the model to check
+     * @param permission the Permission to check
+     * @return true if the Authentication has the proper permission, false otherwise
+     */
     @Override
     public boolean hasPermission(Authentication authentication, Serializable targetId, String
targetType, Permission permission) {
-        return true;
+        return hasPermission(authentication, pageRepository.get((Long)targetId), permission,
true);
     }
     
-}
+    private boolean hasPermission(Authentication authentication, Page page, Permission permission,
boolean trustedDomainObject) {       
+        // this is our container of trusted page objects that can be re-used 
+        // in this method so that the same trusted page object doesn't have to
+        // be looked up in the repository multiple times
+        List<Page> trustedPageContainer = new ArrayList<Page>();            
              
+        
+        // first execute the AbstractModelPermissionEvaluator's hasPermission function
+        // to see if it allows permission via it's "higher authority" logic             
  
+        if (super.hasPermission(authentication, page, permission)) {
+            return true;
+        }
+        
+        // perform the security logic depending on the Permission type
+        boolean hasPermission = false;                       
+        switch (permission) { 
+            case ADMINISTER:
+                // if you are here, you are not an administrator, so you can't administer
pages              
+                break;
+            case CREATE:                
+                // anyone can create a page
+                hasPermission = true;
+                break;                
+            case DELETE:
+                // users can delete their own page
+                hasPermission = isPageOwner(authentication, page, trustedPageContainer, trustedDomainObject);
               
+                break;
+            case READ:
+                // users can read their own page
+                hasPermission = isPageOwner(authentication, page, trustedPageContainer, trustedDomainObject);
    
+                break;
+            case UPDATE:
+                // users can update their own page
+                hasPermission = isPageOwner(authentication, page, trustedPageContainer, trustedDomainObject);
    
+                break;   
+            default:
+                log.warn("unknown permission: " + permission);
+                break;
+        }
+        
+        return hasPermission;
+    }       
+    
+    // returns a trusted Page object, either from the PageRepository, or the
+    // cached container list
+    private Page getTrustedPage(long pageId, List<Page> trustedPageContainer) {   
   
+        Page p = null;
+        if (trustedPageContainer.isEmpty()) {           
+            p = pageRepository.get(pageId);
+            trustedPageContainer.add(p);
+        } else {
+            p = trustedPageContainer.get(0);
+        }
+        return p;       
+    }     
+   
+    // checks to see if the Authentication object principal is the owner of the supplied
page object 
+    // if trustedDomainObject is false, pull the entity from the database first to ensure
+    // the model object is trusted and hasn't been modified
+    private boolean isPageOwner(Authentication authentication, Page page, List<Page>
trustedPageContainer, boolean trustedDomainObject) {        
+        Page trustedPage = null;
+        if (trustedDomainObject) {
+            trustedPage = page;
+        } else {
+            trustedPage = getTrustedPage(page.getEntityId(), trustedPageContainer);
+        }                  
+        
+        return ((User)authentication.getPrincipal()).getUsername().equals(trustedPage.getOwner().getUsername());
+    }             
+}
\ No newline at end of file

Modified: incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java?rev=1183496&r1=1183495&r2=1183496&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
(original)
+++ incubator/rave/trunk/rave-components/rave-core/src/main/java/org/apache/rave/portal/service/PageService.java
Fri Oct 14 20:54:37 2011
@@ -24,7 +24,14 @@ import org.apache.rave.portal.model.Regi
 import org.apache.rave.portal.model.User;
 
 import java.util.List;
+import org.springframework.security.access.prepost.PostAuthorize;
 
+/**
+ * TODO the rest of these interface methods need to be annotated with
+ * permission security
+ * 
+ * @author carlucci
+ */
 public interface PageService {
     /**
      * Gets a page based on the id
@@ -32,6 +39,7 @@ public interface PageService {
      * @param pageId to lookup
      * @return the Page object 
      */
+    @PostAuthorize("hasPermission(returnObject, 'read')")    
     Page getPage(long pageId);
     
     /**

Added: incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluatorTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluatorTest.java?rev=1183496&view=auto
==============================================================================
--- incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluatorTest.java
(added)
+++ incubator/rave/trunk/rave-components/rave-core/src/test/java/org/apache/rave/portal/security/impl/DefaultPagePermissionEvaluatorTest.java
Fri Oct 14 20:54:37 2011
@@ -0,0 +1,262 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.rave.portal.security.impl;
+
+import java.util.ArrayList;
+import java.util.List;
+import org.apache.rave.portal.model.Page;
+import org.apache.rave.portal.model.User;
+import org.apache.rave.portal.repository.PageRepository;
+import org.apache.rave.portal.security.ModelPermissionEvaluator.Permission;
+import org.apache.rave.portal.security.util.AuthenticationUtils;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import static org.easymock.EasyMock.*;
+import static org.hamcrest.CoreMatchers.*;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.GrantedAuthorityImpl;
+
+/**
+ *
+ * @author carlucci
+ */
+public class DefaultPagePermissionEvaluatorTest {
+    private DefaultPagePermissionEvaluator defaultPagePermissionEvaluator;
+    private PageRepository mockPageRepository;
+    private Authentication mockAuthentication;
+    private Page page;
+    private User user, user2;    
+    private List<GrantedAuthority> grantedAuthoritiesList;
+    
+    private final Long VALID_PAGE_ID = 3L;
+    private final String VALID_USERNAME = "john.doe";
+    private final String VALID_USERNAME2 = "jane.doe";
+    
+    @Before
+    public void setUp() {               
+        mockPageRepository = createMock(PageRepository.class);
+        mockAuthentication = createMock(Authentication.class);
+        defaultPagePermissionEvaluator = new DefaultPagePermissionEvaluator(mockPageRepository);
+        
+        user = new User();
+        user.setUsername(VALID_USERNAME);
+        user2 = new User();
+        user2.setUsername(VALID_USERNAME2);
+        page = new Page();
+        page.setEntityId(VALID_PAGE_ID);
+        page.setOwner(user);
+        grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
+    }
+ 
+   
+    @Test
+    public void testGetType() throws ClassNotFoundException {            
+        assertThat(defaultPagePermissionEvaluator.getType().getName(), is(Page.class.getName()));
+    }
+  
+    @Test
+    public void testHasPermission_3args_administer() {                             
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);              
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.ADMINISTER), is(false));        
+        verify(mockAuthentication);
+    }
+    
+    @Test
+    public void testHasPermission_3args_administer_hasAdminRole() {                     
       
+        grantedAuthoritiesList.add(new GrantedAuthorityImpl(AuthenticationUtils.ROLE_ADMIN));
+        
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);              
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.ADMINISTER), is(true));        
+        verify(mockAuthentication);
+    }    
+    
+    @Test
+    public void testHasPermission_3args_create() {                             
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);      
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.CREATE), is(true));        
+        verify(mockAuthentication);
+    }    
+    
+    @Test
+    public void testHasPermission_3args_delete_isPageOwner() {                          
  
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.DELETE), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }        
+    
+    @Test
+    public void testHasPermission_3args_delete_notPageOwner() {                         
   
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.DELETE), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }       
+    
+    @Test
+    public void testHasPermission_3args_read_isPageOwner() {                            

+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.READ), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }       
+    
+    @Test
+    public void testHasPermission_3args_read_notPageOwner() {                           
 
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.READ), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }      
+    
+    @Test
+    public void testHasPermission_3args_update_isPageOwner() {                          
  
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.UPDATE), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }   
+    
+    @Test
+    public void testHasPermission_3args_update_notPageOwner() {                         
   
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, page,
Permission.UPDATE), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }         
+    
+    @Test
+    public void testHasPermission_4args_administer() {                             
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);              
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.ADMINISTER), is(false));        
+        verify(mockAuthentication);
+    }    
+    
+    @Test
+    public void testHasPermission_4args_create() {                             
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        replay(mockAuthentication);      
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.CREATE), is(true));        
+        verify(mockAuthentication);
+    }     
+    
+    @Test
+    public void testHasPermission_4args_delete_isPageOwner() {                          
  
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.DELETE), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }        
+        
+    @Test
+    public void testHasPermission_4args_delete_notPageOwner() {                         
   
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.DELETE), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }       
+    
+    @Test
+    public void testHasPermission_4args_read_isPageOwner() {                            

+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.READ), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }       
+    
+    @Test
+    public void testHasPermission_4args_read_notPageOwner() {                           
 
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.READ), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }      
+    
+    @Test
+    public void testHasPermission_4args_update_isPageOwner() {                          
  
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.UPDATE), is(true));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }   
+    
+    @Test
+    public void testHasPermission_4args_update_notPageOwner() {                         
   
+        expect(mockAuthentication.getAuthorities()).andReturn(grantedAuthoritiesList);
+        expect(mockAuthentication.getPrincipal()).andReturn(user2);
+        expect(mockPageRepository.get(VALID_PAGE_ID)).andReturn(page);
+        replay(mockAuthentication);      
+        replay(mockPageRepository);
+        assertThat(defaultPagePermissionEvaluator.hasPermission(mockAuthentication, VALID_PAGE_ID,
Page.class.getName(), Permission.UPDATE), is(false));        
+        verify(mockAuthentication);
+        verify(mockPageRepository);
+    }         
+}
\ No newline at end of file

Modified: incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rest/PageApi.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rest/PageApi.java?rev=1183496&r1=1183495&r2=1183496&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rest/PageApi.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/main/java/org/apache/rave/portal/web/api/rest/PageApi.java
Fri Oct 14 20:54:37 2011
@@ -32,6 +32,7 @@ import org.springframework.web.bind.anno
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.access.AccessDeniedException;
 
 /**
  * Handler for all services exposed under the /api/rest/page path.
@@ -68,6 +69,23 @@ public class PageApi {
         return page;
     }
 
+    /**
+     * Return a 403 response code when any org.springframework.security.access.AccessDeniedException
+     * is thrown from any of the API methods due to security restrictions
+     * 
+     * TODO: this should probably be moved up to an AbstractRestApi class since
+     * it seems common enough for all RestApi controllers
+     * 
+     * @param ex the AccessDeniedException
+     * @param request the http request
+     * @param response the http response
+     */
+    @ExceptionHandler(AccessDeniedException.class) 
+    public void handleAccessDeniedException(Exception ex, HttpServletRequest request, HttpServletResponse
response) {
+        logger.info("AccessDeniedException: " + request.getUserPrincipal().getName() + "
attempted to access resource " + request.getRequestURL(), ex);
+        response.setStatus(HttpStatus.FORBIDDEN.value());    
+    }
+    
     // TODO RAVE-240 - when we implement security we can implement different exception
     //        handlers for different errors (unauthorized, resource not found, etc)
     @ExceptionHandler(Exception.class)

Modified: incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/api/rest/PageApiTest.java
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/api/rest/PageApiTest.java?rev=1183496&r1=1183495&r2=1183496&view=diff
==============================================================================
--- incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/api/rest/PageApiTest.java
(original)
+++ incubator/rave/trunk/rave-components/rave-web/src/test/java/org/apache/rave/portal/web/api/rest/PageApiTest.java
Fri Oct 14 20:54:37 2011
@@ -18,6 +18,8 @@
  */
 package org.apache.rave.portal.web.api.rest;
 
+import java.security.Principal;
+import org.springframework.security.access.AccessDeniedException;
 import org.apache.rave.portal.model.*;
 import org.springframework.util.ClassUtils;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -98,11 +100,24 @@ public class PageApiTest {    
     }
     
     @Test
-    public void tesHandleException() {
+    public void testHandleException() {
         RuntimeException re = new RuntimeException("error");        
         String value = pageApi.handleException(re, request, response);
         
         assertThat(value, is(ClassUtils.getShortName(re.getClass())));
         assertThat(response.getStatus(), is(HttpStatus.INTERNAL_SERVER_ERROR.value())); 
 
     }
+    
+    @Test
+    public void testHandleAccessDeniedException() {
+        Principal principal = createMock(Principal.class);                
+        request.setUserPrincipal(principal);
+        AccessDeniedException ade = new AccessDeniedException("error");        
+        
+        expect(principal.getName()).andReturn("theuser");
+        replay(principal);        
+        pageApi.handleAccessDeniedException(ade, request, response);        
+        assertThat(response.getStatus(), is(HttpStatus.FORBIDDEN.value()));   
+        verify(principal);
+    }    
 }

Modified: incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
URL: http://svn.apache.org/viewvc/incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml?rev=1183496&r1=1183495&r2=1183496&view=diff
==============================================================================
--- incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
(original)
+++ incubator/rave/trunk/rave-portal-resources/src/main/webapp/WEB-INF/applicationContext-security.xml
Fri Oct 14 20:54:37 2011
@@ -66,8 +66,6 @@
     
     <!-- override the default permissionEvaluator bean used by Spring Security with our
custom RavePermissionEvaluator -->
     <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
-        <property name="permissionEvaluator">
-            <bean id="permissionEvaluator" class="org.apache.rave.portal.security.impl.RavePermissionEvaluator"/>
-        </property>
+        <property name="permissionEvaluator" ref="ravePermissionEvaluator" />     
      
     </bean>
 </beans>



Mime
View raw message