Author: sergeyb
Date: Thu Dec 16 18:57:02 2010
New Revision: 1050095
URL: http://svn.apache.org/viewvc?rev=1050095&view=rev
Log:
[CXF-3195,CXF-3172] Updating SecureAnnotationsInterceptor to check interfaces
and JAASAuthenticationFilter to redirect to context-based addresses by default
Modified:
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
Modified:
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
(original)
+++
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java
Thu Dec 16 18:57:02 2010
@@ -27,6 +27,7 @@ import java.util.Map;
import java.util.Set;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.util.ClassHelper;
public class SecureAnnotationsInterceptor extends SimpleAuthorizingInterceptor
{
@@ -54,10 +55,17 @@ public class SecureAnnotationsIntercepto
}
public void setSecuredObject(Object object) {
- Class<?> cls = object.getClass();
- String classRolesAllowed = getRoles(cls.getAnnotations(),
annotationClassName);
-
+ Class<?> cls = ClassHelper.getRealClass(object);
Map<String, String> rolesMap = new HashMap<String, String>();
+ findRoles(cls, rolesMap);
+ super.setMethodRolesMap(rolesMap);
+ }
+
+ protected void findRoles(Class<?> cls, Map<String, String> rolesMap) {
+ if (cls == null || cls == Object.class) {
+ return;
+ }
+ String classRolesAllowed = getRoles(cls.getAnnotations(),
annotationClassName);
for (Method m : cls.getMethods()) {
if (SKIP_METHODS.contains(m.getName())) {
continue;
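Review bot: `findRoles` is a new protected extension point with no Javadoc, and its traversal order (the class itself, then its superclass, then its interfaces, stopping at the first level that produces any entry — that stop is in the continuation of this method below) is exactly what a subclass author needs to know before overriding it. Suggest a Javadoc along the lines of `/** Collects method-name to allowed-roles entries for {@code cls} into {@code rolesMap}; a method-level annotation wins over the class-level one, and superclass and interfaces are consulted only when {@code cls} yields no entries. */`. It is also worth stating that `cls.getMethods()` returns inherited public methods too, so a class-level annotation is applied to inherited method names as well. `ClassHelper.getRealClass(object)` presumably unwraps a proxy to the user class — confirm, since the old `object.getClass()` would have seen the proxy type. The body of `findRoles` continues past the end of this hunk.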
@@ -68,10 +76,21 @@ public class SecureAnnotationsIntercepto
rolesMap.put(m.getName(), theRoles);
}
}
- super.setMethodRolesMap(rolesMap);
+ if (!rolesMap.isEmpty()) {
+ return;
+ }
+
+ findRoles(cls.getSuperclass(), rolesMap);
+
+ if (!rolesMap.isEmpty()) {
+ return;
+ }
+ for (Class<?> interfaceCls : cls.getInterfaces()) {
+ findRoles(interfaceCls, rolesMap);
+ }
}
-
+
private String getRoles(Annotation[] anns, String annName) {
for (Annotation ann : anns) {
if (ann.annotationType().getName().equals(annName)) {
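Review bot: The two early returns `if (!rolesMap.isEmpty()) { return; }` make the lookup first-level-wins rather than merged: once any method of the implementation class carries the annotation, the superclass and interfaces are never consulted, so a method secured only on the interface (as `SecureBookInterface.getThatBook` is in this commit) gets no map entry whenever the implementing class annotates even one other method, and its effective protection then depends on how `SimpleAuthorizingInterceptor` treats methods absent from the map, which is not visible here. If first-level-wins is intended, say so in a comment next to the first return; if not, drop both returns and guard the put in the context line above with `if (!rolesMap.containsKey(m.getName())) { rolesMap.put(m.getName(), theRoles); }` so lower levels only fill in what higher levels left unset. Note also that with the current code a superclass that yields entries hides the interfaces entirely. `getRoles` continues past the end of this hunk.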
Modified:
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
(original)
+++
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java
Thu Dec 16 18:57:02 2010
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.jaxrs.security;
+import java.net.URI;
import java.util.Arrays;
import java.util.List;
@@ -26,6 +27,7 @@ import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
@@ -33,6 +35,7 @@ import org.apache.cxf.interceptor.securi
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
@@ -42,8 +45,9 @@ public class JAASAuthenticationFilter im
private static final List<MediaType> HTML_MEDIA_TYPES =
Arrays.asList(MediaType.APPLICATION_XHTML_XML_TYPE,
MediaType.TEXT_HTML_TYPE);
- private String redirectURI;
+ private URI redirectURI;
private String realmName;
+ private boolean ignoreBasePath = true;
private JAASLoginInterceptor interceptor = new JAASLoginInterceptor() {
protected CallbackHandler getCallbackHandler(String name, String
password) {
@@ -51,6 +55,10 @@ public class JAASAuthenticationFilter im
}
};
+ public void setIgnoreBasePath(boolean ignore) {
+ this.ignoreBasePath = ignore;
+ }
+
public void setContextName(String name) {
interceptor.setContextName(name);
}
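Review bot: `setIgnoreBasePath` is a public configuration switch, defaulted to `true` in the field declaration above, with no Javadoc describing what it changes. Based on the redirect code later in this file, a Javadoc such as `/** When true (the default), a relative redirect URI is resolved against the endpoint address with the {@code Message.BASE_PATH} segment removed; when false it is resolved against the full endpoint address. Absolute redirect URIs are used as-is. */` would tell an administrator which Location header to expect.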
@@ -60,7 +68,7 @@ public class JAASAuthenticationFilter im
}
public void setRedirectURI(String uri) {
- this.redirectURI = uri;
+ this.redirectURI = URI.create(uri);
}
public void setRealmName(String name) {
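Review bot: `this.redirectURI = URI.create(uri);` changes the failure mode of `setRedirectURI`: a malformed value now throws `IllegalArgumentException` at configuration time (and a null value throws `NullPointerException`) instead of being emitted verbatim in the Location header at request time. That is the safer behaviour, but it should be documented on the setter, e.g. `@throws IllegalArgumentException if {@code uri} is not a syntactically valid URI`, so that bean-initialisation failures are understood as misconfiguration rather than a framework bug.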
@@ -76,14 +84,32 @@ public class JAASAuthenticationFilter im
interceptor.handleMessage(m);
return null;
} catch (AuthenticationException ex) {
- return handleSecurityException(ex, new HttpHeadersImpl(m));
+ return handleAuthenticationException(ex, m);
}
}
- protected Response handleSecurityException(SecurityException ex,
HttpHeaders headers) {
+ protected Response handleAuthenticationException(AuthenticationException
ex, Message m) {
+ HttpHeaders headers = new HttpHeadersImpl(m);
if (redirectURI != null && isRedirectPossible(headers)) {
+
+ URI finalRedirectURI = null;
+
+ if (!redirectURI.isAbsolute()) {
+ String endpointAddress = HttpUtils.getEndpointAddress(m);
+ Object basePathProperty = m.get(Message.BASE_PATH);
+ if (ignoreBasePath && basePathProperty != null &&
!"/".equals(basePathProperty)) {
+ int index =
endpointAddress.lastIndexOf(basePathProperty.toString());
+ if (index != -1) {
+ endpointAddress = endpointAddress.substring(0, index);
+ }
+ }
+ finalRedirectURI =
UriBuilder.fromUri(endpointAddress).path(redirectURI.toString()).build();
+ } else {
+ finalRedirectURI = redirectURI;
+ }
+
return Response.status(getRedirectStatus()).
- header(HttpHeaders.LOCATION, redirectURI).build();
+ header(HttpHeaders.LOCATION, finalRedirectURI).build();
} else {
ResponseBuilder builder =
Response.status(Response.Status.UNAUTHORIZED);
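Review bot: The base-path stripping `int index = endpointAddress.lastIndexOf(basePathProperty.toString());` matches any substring of the address rather than the trailing context segment, so an address whose last segment merely begins with the base path (constructed example: address `.../service/service2`, base path `/service`) is cut at the wrong place and the redirect points into the wrong context. If `Message.BASE_PATH` is always the trailing part of the endpoint address — which the updated test expecting `/service/login.jsp` suggests — the precise check is `if (endpointAddress.endsWith(basePath)) { endpointAddress = endpointAddress.substring(0, endpointAddress.length() - basePath.length()); }` with `basePath = basePathProperty.toString()`. Separately, if `HttpUtils.getEndpointAddress(m)` derives scheme and host from the request's Host header rather than the configured endpoint address, the Location header would be built from client-controlled input — worth confirming and noting in a comment. Renaming the protected `handleSecurityException(SecurityException, HttpHeaders)` to `handleAuthenticationException(AuthenticationException, Message)` also silently disconnects any subclass override of the old method. The method body continues past the end of this hunk.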
Modified:
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
(original)
+++
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java
Thu Dec 16 18:57:02 2010
@@ -47,14 +47,14 @@ public class JAXRSJaasSecurityTest exten
@Test
public void testJaasInterceptorAuthenticationFailure() throws Exception {
String endpointAddress =
- "http://localhost:" + PORT +
"/jaas/bookstorestorage/thosebooks/123";
+ "http://localhost:" + PORT +
"/service/jaas/bookstorestorage/thosebooks/123";
getBook(endpointAddress, "foo", "bar1", 401);
}
@Test
public void testGetBookUserAdminJaasInterceptor() throws Exception {
String endpointAddress =
- "http://localhost:" + PORT +
"/jaas/bookstorestorage/thosebooks/123";
+ "http://localhost:" + PORT +
"/service/jaas/bookstorestorage/thosebooks/123";
getBook(endpointAddress, "foo", "bar", 403);
getBook(endpointAddress, "bob", "bobspassword", 200);
}
@@ -62,7 +62,7 @@ public class JAXRSJaasSecurityTest exten
@Test
public void testJaasFilterAuthenticationFailure() throws Exception {
String endpointAddress =
- "http://localhost:" + PORT +
"/jaas2/bookstorestorage/thosebooks/123";
+ "http://localhost:" + PORT +
"/service/jaas2/bookstorestorage/thosebooks/123";
WebClient wc = WebClient.create(endpointAddress);
wc.accept("text/xml");
wc.header(HttpHeaders.AUTHORIZATION,
@@ -77,7 +77,7 @@ public class JAXRSJaasSecurityTest exten
@Test
public void testJaasFilterAuthenticationFailureWithRedirection() throws
Exception {
String endpointAddress =
- "http://localhost:" + PORT +
"/jaas2/bookstorestorage/thosebooks/123";
+ "http://localhost:" + PORT +
"/service/jaas2/bookstorestorage/thosebooks/123";
WebClient wc = WebClient.create(endpointAddress);
wc.accept("text/xml,text/html");
wc.header(HttpHeaders.AUTHORIZATION,
@@ -86,14 +86,14 @@ public class JAXRSJaasSecurityTest exten
assertEquals(307, r.getStatus());
Object locationHeader = r.getMetadata().getFirst(HttpHeaders.LOCATION);
assertNotNull(locationHeader);
- assertEquals("http://localhost:" + PORT + "/jaas2/login.jsp",
+ assertEquals("http://localhost:" + PORT + "/service/login.jsp",
locationHeader.toString());
}
@Test
public void testGetBookUserAdminJaasFilter() throws Exception {
String endpointAddress =
- "http://localhost:" + PORT +
"/jaas2/bookstorestorage/thosebooks/123";
+ "http://localhost:" + PORT +
"/service/jaas2/bookstorestorage/thosebooks/123";
getBook(endpointAddress, "foo", "bar", 403);
getBook(endpointAddress, "bob", "bobspassword", 200);
}
Modified:
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
(original)
+++
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java
Thu Dec 16 18:57:02 2010
@@ -56,6 +56,14 @@ public class JAXRSSimpleSecurityTest ext
}
@Test
+ public void testGetBookUserAdminWithAnnotationsInterface() throws
Exception {
+ String endpointAddress =
+ "http://localhost:" + PORT +
"/security5/bookstorestorage/thosebooks";
+ getBook(endpointAddress, "foo", "bar", 403);
+ getBook(endpointAddress, "bob", "bobspassword", 200);
+ }
+
+ @Test
public void testGetBookUserAdminWithAnnotationsFilter() throws Exception {
String endpointAddress =
"http://localhost:" + PORT +
"/security4/bookstorestorage/thebook/123";
Modified:
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
(original)
+++
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java
Thu Dec 16 18:57:02 2010
@@ -46,7 +46,7 @@ public interface SecureBookInterface {
@GET
@Path("/thosebooks")
@Produces("application/xml")
- @Secured("ROLE_ADMIN")
+ @Secured({"ROLE_ADMIN", "ROLE_BOOK_OWNER" })
Book getThatBook() throws BookNotFoundFault;
@Path("/subresource")
Modified:
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
(original)
+++
cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java
Thu Dec 16 18:57:02 2010
@@ -66,7 +66,8 @@ public class SecureBookStore implements
}
public Book getThatBook() throws BookNotFoundFault {
- if (securityContext.isUserInRole("ROLE_ADMIN")
+ if ((securityContext.isUserInRole("ROLE_ADMIN")
+ || securityContext.isUserInRole("ROLE_BOOK_OWNER"))
&& !securityContext.isUserInRole("ROLE_BAZ")) {
return books.get(123L);
}
Modified:
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
(original)
+++
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml
Thu Dec 16 18:57:02 2010
@@ -44,7 +44,7 @@
<servlet-mapping>
<servlet-name>CXFServlet</servlet-name>
- <url-pattern>/*</url-pattern>
+ <url-pattern>/service/*</url-pattern>
</servlet-mapping>
</web-app>
<!-- END SNIPPET: webxml -->
Modified:
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml?rev=1050095&r1=1050094&r2=1050095&view=diff
==============================================================================
---
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
(original)
+++
cxf/trunk/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml
Thu Dec 16 18:57:02 2010
@@ -80,6 +80,20 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
</jaxrs:providers>
</jaxrs:server>
+
+ <jaxrs:server id="bookservice5"
+ address="/security5">
+ <jaxrs:serviceBeans>
+ <ref bean="securedObjectWithInterface"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="annotationsInterceptor2"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outFaultInterceptors>
+ <bean
class="org.apache.cxf.systest.jaxrs.security.SecurityOutFaultInterceptor"/>
+ </jaxrs:outFaultInterceptors>
+ </jaxrs:server>
+
<bean id="authorizationInterceptor"
class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="methodRolesMap" ref="rolesMap"/>
</bean>
@@ -88,7 +102,15 @@ http://cxf.apache.org/schemas/jaxrs.xsd"
<property name="securedObject" ref="securedObject"/>
</bean>
+ <bean id="annotationsInterceptor2"
+
class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
+ <property name="annotationClassName"
+ value="org.springframework.security.annotation.Secured"/>
+ <property name="securedObject" ref="securedObjectWithInterface"/>
+ </bean>
+
<bean id="securedObject"
class="org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoInterface"/>
+ <bean id="securedObjectWithInterface"
class="org.apache.cxf.systest.jaxrs.security.SecureBookStore"/>
<bean id="authorizationFilter"
class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
<property name="methodRolesMap" ref="rolesMap"/>