http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
new file mode 100644
index 0000000..c4226f6
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+class GeodeAuthentication extends UsernamePasswordAuthenticationToken {
+ /**
+ * This constructor should only be used by <code>AuthenticationManager</code> or <code>AuthenticationProvider</code>
+ * implementations that are satisfied with producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
+ * authentication token.
+ * @param principal
+ * @param credentials
+ */
+ public GeodeAuthentication(final Object principal,
+ final Object credentials) {
+ super(principal, credentials, AuthorityUtils.NO_AUTHORITIES);
+ }
+
+}
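Review bot: The constructor's Javadoc leaves both `@param` tags empty and does not say that the three-argument super call marks the token authenticated while granting `AuthorityUtils.NO_AUTHORITIES`, so any `hasRole`/`hasAuthority` check on this principal will be denied and authorization has to come from elsewhere. I'd fill them in: `@param principal the principal returned by the Geode security service after a successful login` and `@param credentials the credentials the caller presented; presumably erased by the AuthenticationManager after authentication — confirm`. A one-line class comment stating that the token carries no Spring authorities by design would save the next reader from looking for a missing role mapping.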
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
new file mode 100644
index 0000000..c482047
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.shiro.subject.Subject;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Component;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.security.AuthenticationFailedException;
+
+
+@Component
+public class GeodeAuthenticationProvider implements AuthenticationProvider {
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ String username = authentication.getName();
+ String password = authentication.getCredentials().toString();
+
+ try {
+ Subject subject = IntegratedSecurityService.getSecurityService().login(username, password);
+ if (subject != null) {
+ return new GeodeAuthentication(subject.getPrincipal(), 
authentication.getCredentials());
+ }
+ } catch (AuthenticationFailedException authFailedEx) {
+ throw new BadCredentialsException("Invalid username or password");
+ }
+ return authentication;
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(UsernamePasswordAuthenticationToken.class);
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
new file mode 100644
index 0000000..fd21628
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
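Review bot: When `login()` returns a null subject, `return authentication;` hands the caller's own unauthenticated token back as this provider's result, and a ProviderManager treats any non-null result as success and stops consulting other providers; returning `null` (could not decide) or throwing `BadCredentialsException` is what the `AuthenticationProvider` contract expects here. The `catch` also discards the original exception, so `throw new BadCredentialsException("Invalid username or password", authFailedEx);` keeps the cause available to logs without changing the message the client sees. `authentication.getCredentials().toString()` throws a NullPointerException rather than an AuthenticationException when a request arrives without credentials, which surfaces as a server error instead of a 401; null-check the credentials before calling `toString()`. Whether the Geode security service can actually return null from `login` is not visible in this commit.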
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class GeodeAuthority implements GrantedAuthority {
+
+ private String authority;
+
+ GeodeAuthority(String authority) {
+ this.authority = authority;
+ }
+
+ /**
+ * If the <code>GrantedAuthority</code> can be represented as a <code>String</code> and that
+ * <code>String</code> is sufficient in precision to be relied upon for an access control decision by an {@link
+ * AccessDecisionManager} (or delegate), this method should return such a <code>String</code>.
+ * <p>
+ * If the <code>GrantedAuthority</code> cannot be expressed with sufficient precision as a <code>String</code>,
+ * <code>null</code> should be returned. Returning <code>null</code> will require an
+ * <code>AccessDecisionManager</code> (or delegate) to specifically support the <code>GrantedAuthority</code>
+ * implementation, so returning <code>null</code> should be avoided unless actually required.
+ * @return a representation of the granted authority (or <code>null</code> if the granted authority cannot be
+ * expressed as a <code>String</code> with sufficient precision).
+ */
+ @Override
+ public String getAuthority() {
+ return authority;
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
new file mode 100644
index 0000000..f3b5c4d
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
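Review bot: `authority` is never reassigned after construction, so it should be `private final String authority;`, and the constructor should reject null with `this.authority = Objects.requireNonNull(authority, "authority");` since the inherited Javadoc reserves a null return for authorities that cannot be expressed as a string. The class defines no `equals`/`hashCode`, so two instances wrapping the same string stay distinct in any `Set<GrantedAuthority>`; if that is intended it deserves a comment, otherwise implement both on `authority`. The copied Javadoc's `{@link AccessDecisionManager}` has no matching import in this file, so the link will not resolve. Nothing in the other hunks appears to instantiate this class (the token is built with `NO_AUTHORITIES`), which is worth stating in a class comment so it is not mistaken for the live authority model.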
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.internal.security.SecurityService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ComponentScan("org.apache.geode.rest.internal.web")
+public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+ private SecurityService securityService = IntegratedSecurityService.getSecurityService();
+
+ @Autowired
+ private GeodeAuthenticationProvider authProvider;
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ auth.authenticationProvider(authProvider);
+ }
+
+ @Bean
+ @Override
+ public AuthenticationManager authenticationManagerBean() throws Exception {
+ return super.authenticationManagerBean();
+ }
+
+ protected void configure(HttpSecurity http) throws Exception {
+ http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+ .and()
+ .authorizeRequests()
+ .antMatchers("/ping").permitAll()
+ .anyRequest().authenticated()
+ .and()
+ .formLogin()
+ .and()
+ .csrf().disable();
+
+ if(securityService.isIntegratedSecurity()) {
+ http.httpBasic();
+ }
+ else{
+ http
+ .authorizeRequests()
+ .anyRequest().permitAll();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
index c24e74a..c75d975 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
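Review bot: In `configure(HttpSecurity)` the non-integrated branch registers a second `anyRequest().permitAll()` after `anyRequest().authenticated()` has already been registered on the same `authorizeRequests()` registry; Spring Security evaluates URL rules in registration order and applies the first match, so as far as I can tell the `permitAll` rule is never consulted and every request other than `/ping` still demands authentication when integrated security is off, with no `httpBasic()` configured to satisfy it. Register the catch-all rule once, selected by `securityService.isIntegratedSecurity()`, as below. This `configure` override also lacks `@Override`, unlike the `AuthenticationManagerBuilder` one above it. `formLogin()` together with `SessionCreationPolicy.STATELESS` and a disabled CSRF filter looks contradictory for a REST API (a login page whose session can never be kept) and deserves either removal or a comment saying why it stays.
```java
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .formLogin()
        .and()
        .csrf().disable();

    // Register the catch-all rule exactly once: rules are matched in
    // registration order, so a second anyRequest() is never consulted.
    if (securityService.isIntegratedSecurity()) {
      http.authorizeRequests()
          .antMatchers("/ping").permitAll()
          .anyRequest().authenticated()
          .and()
          .httpBasic();
    } else {
      http.authorizeRequests().anyRequest().permitAll();
    }
  }
```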
@@ -30,20 +30,13 @@ limitations under the License.
 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
 ">
 <context:annotation-config />
- <context:component-scan base-package="org.apache.geode.rest.internal.web"/>
-
+
 <mvc:annotation-driven content-negotiation-manager="contentNegotiationManager">
 <mvc:message-converters register-defaults="false">
 <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter"/>
 <bean class="org.springframework.http.converter.ResourceHttpMessageConverter"/>
 <bean class="org.springframework.http.converter.StringHttpMessageConverter"/>
- <!-- bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/-->
 <bean class="org.apache.geode.rest.internal.web.http.converter.CustomMappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/>
- <!--bean class="org.gopivotal.app.http.converter.json.JsonToPdxInstanceHttpMessageConverter"/-->
- <!--bean class="org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter"/-->
- <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="jaxb2Marshaller" p:unmarshaller-ref="jaxb2Marshaller"/-->
- <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="xstreamMarshaller" p:unmarshaller-ref="xstreamMarshaller"/-->
- <!--bean class="org.springframework.http.converter.xml.SourceHttpMessageConverter"/-->
 </mvc:message-converters>
 </mvc:annotation-driven>
@@ -62,7 +55,6 @@ limitations under the License.
 </property>
 </bean>
- <!-- bean id="objectMapper" class="org.apache.geode.rest.internal.web.config.CustomObjectMapper" factory-method="newObjectMapper"></bean-->
 <bean id="objectMapper" class="org.springframework.http.converter.json.Jackson2ObjectMapperFactoryBean"
 p:failOnEmptyBeans="true"
 p:indentOutput="true"
@@ -82,4 +74,5 @@ limitations under the License.
 </property>
 </bean>
+ <bean class="org.apache.geode.rest.internal.web.security.RestSecurityConfiguration" />
 </beans>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/web.xml b/geode-web-api/src/main/webapp/WEB-INF/web.xml
index 956294a..f1f93c7 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/web.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/web.xml
@@ -25,27 +25,17 @@ limitations under the License.
 <description>
 Web deployment descriptor declaring the developer REST API for GemFire.
 </description>
-
- <!-- context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>/META-INF/cache-config.xml</param-value>
- </context-param -->
-
+
 <filter>
- <filter-name>httpPutFilter</filter-name>
- <filter-class>org.springframework.web.filter.HttpPutFormContentFilter</filter-class>
- <async-supported>true</async-supported>
+ <filter-name>springSecurityFilterChain</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
- <filter-name>httpPutFilter</filter-name>
+ <filter-name>springSecurityFilterChain</filter-name>
 <url-pattern>/*</url-pattern>
 </filter-mapping>
- <!-- listener>
- <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
- </listener-->
-
 <servlet>
 <description>
 The Spring DispatcherServlet (FrontController) handling all HTTP requests to the Developer REST API
@@ -61,5 +51,5 @@ limitations under the License.
 <servlet-name>geode</servlet-name>
 <url-pattern>/*</url-pattern>
 </servlet-mapping>
-
+
 </web-app>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/gradle/dependency-versions.properties
----------------------------------------------------------------------
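Review bot: `springSecurityFilterChain` is resolved by `DelegatingFilterProxy` from a WebApplicationContext, yet this web.xml declares no `ContextLoaderListener` (the commented-out one is removed here) and `RestSecurityConfiguration` is registered only in the DispatcherServlet's context through geode-servlet.xml; presumably the lookup succeeds because Spring 4.2 (`springframework.version` in the same commit) falls back to the single context published in the servlet context, which is an undocumented dependency on there being exactly one context. I'd add a comment above the filter: `<!-- Resolved from the 'geode' DispatcherServlet context (geode-servlet.xml); this webapp has no root context. -->`. The `httpPutFilter` (`HttpPutFormContentFilter`) is dropped rather than kept alongside the security filter, so form-encoded PUT bodies will no longer be bound for the REST API; if that is intentional it should be stated in the commit message, otherwise re-add the filter after the security one.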
diff --git a/gradle/dependency-versions.properties b/gradle/dependency-versions.properties
index 0abe690..65fd2ee 100644
--- a/gradle/dependency-versions.properties
+++ b/gradle/dependency-versions.properties
@@ -88,13 +88,13 @@ powermock.version = 1.6.4
 quartz.version = 2.2.1
 scala.version = 2.10.0
 selenium.version=2.53.1
-shiro.version=1.2.4
+shiro.version=1.3.0
 slf4j-api.version = 1.7.7
 snappy-java.version=0.4
 spring-hateoas.version = 0.16.0.RELEASE
 spring-shell.version = 1.1.0.RELEASE
 spring-ldap-core.version = 1.3.2.RELEASE
-spring-security.version = 3.1.7.RELEASE
+spring-security.version = 3.2.7.RELEASE
 spring-tx.version = 3.2.12.RELEASE
 springframework.version = 4.2.4.RELEASE
 stephenc-findbugs.version = 1.3.9-1
