Repository: usergrid Updated Branches: refs/heads/hotfix-20160819 12c88bd77 -> cc6bc2aba
Database and Superuser setup can't use shiro because that relies on the database. Use traditional security context. Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/cc6bc2ab Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/cc6bc2ab Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/cc6bc2ab Branch: refs/heads/hotfix-20160819 Commit: cc6bc2aba711eae9fc079ac3ab23b10967330f21 Parents: 12c88bd Author: Michael Russo <[email protected]> Authored: Sat Sep 10 12:43:43 2016 -0700 Committer: Michael Russo <[email protected]> Committed: Sat Sep 10 12:43:43 2016 -0700
----------------------------------------------------------------------
.../security/SecuredResourceFilterFactory.java | 10 +++-
.../shiro/filters/BasicAuthSecurityFilter.java | 53 ++++++++++++++++++--
.../rest/applications/ApplicationDeleteIT.java | 2 -
.../usergrid/rest/applications/SecurityIT.java | 2 -
.../activities/ActivityResourceIT.java | 6 ---
5 files changed, 58 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/cc6bc2ab/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index 0d94677..7b62514 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -397,7 +397,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
 logger.trace("SystemFilter.authorize");
 }
 try {
- if (!isServiceAdmin()) {
+ if (!isServiceAdmin() && !isBasicAuthServiceAdmin(request)) {
 if (logger.isTraceEnabled()) {
 logger.trace("You are not the system admin.");
 }
@@ -543,6 +543,14 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
 }
 }
+
+
+
 }
+
+ private static boolean isBasicAuthServiceAdmin(ContainerRequestContext request){
+
+ return request.getSecurityContext().isUserInRole( ROLE_SERVICE_ADMIN );
+ }
 }
http://git-wip-us.apache.org/repos/asf/usergrid/blob/cc6bc2ab/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
index c3efec1..1b53dd6 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
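Review bot: `isBasicAuthServiceAdmin` in the second hunk accepts any `SecurityContext` whose `isUserInRole(ROLE_SERVICE_ADMIN)` answers true, and the first hunk makes that an alternative to the Shiro `isServiceAdmin()` check for every resource SystemFilter guards, not only the setup/bootstrap paths for which BasicAuthSecurityFilter installs its own context. If the servlet container or another filter ever populates a SecurityContext carrying a role of that name, the Shiro check is bypassed with no credential verification in this class; whether that can happen depends on filter ordering outside this diff. At minimum the helper should document the trust it places in the upstream filter, e.g. `/** True only when BasicAuthSecurityFilter installed its sysadmin SecurityContext for the setup/bootstrap paths; assumes nothing else grants ROLE_SERVICE_ADMIN on the request. */`. The blank lines added before the closing brace in the second hunk are noise and can be dropped. SystemFilter's authorize method starts and ends outside the first hunk.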
@@ -86,16 +86,22 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
 }
 try {
+
+ UserInfo userInfo = null;
 String rawPath = request.getUriInfo().getAbsolutePath().getRawPath();
 // make sure the sysadmin can be provisioned, we've already done a user/pass check
 if(rawPath.contains("superuser/setup") || rawPath.contains("database/setup") || rawPath.contains("database/bootstrap")){
- management.provisionSuperuser();
- }
+ // this is used as a hook just to allow the system filter since the database may not be set up
+ request.setSecurityContext( new SysAdminRoleAuthenticator() );
+ return;
+
+ }else {
- // now do a proper shiro login so permissions can be leveraged appropriately later on
- UserInfo userInfo = management.verifyAdminUserPasswordCredentials(name.toLowerCase(), password);
+ // do a proper shiro login so permissions can be leveraged appropriately later on
+ userInfo = management.verifyAdminUserPasswordCredentials(name.toLowerCase(), password);
+ }
 PrincipalCredentialsToken token = PrincipalCredentialsToken
 .getFromAdminUserInfoAndPassword(userInfo, password, emf.getManagementAppId());
 Subject subject = SubjectUtils.getSubject();
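Review bot: The sysadmin SecurityContext is installed on a substring match (`rawPath.contains("superuser/setup")` and the two `database/...` variants), so any request whose raw path merely contains one of those fragments anywhere gets the ROLE_SERVICE_ADMIN context and skips the Shiro login through the added `return`, whereas before the code fell through to `verifyAdminUserPasswordCredentials`. Whether such a request can then reach a system resource depends on routing outside this hunk, but the grant should be tied to the exact setup endpoints rather than a fragment, e.g. by comparing `request.getUriInfo().getPath()` against the full endpoint paths with `equals`, or at least anchoring the match with `startsWith`. The comment refers to a user/pass check performed above the hunk; that check is now the only authentication behind the role grant, so the comment should say which credentials it validated, e.g. `// the superuser credential check above is the only authentication for these paths; no Shiro subject is logged in`. The enclosing `try` and method continue outside the hunk, so the early `return` also bypasses whatever the rest of the try block does for other paths.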
@@ -130,4 +136,43 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
 }
 }
+ private static class SysAdminRoleAuthenticator implements SecurityContext {
+
+ private final Principal principal;
+
+
+ SysAdminRoleAuthenticator() {
+ principal = new Principal() {
+ @Override
+ public String getName() {
+ return ROLE_SERVICE_ADMIN;
+ }
+ };
+ }
+
+
+ @Override
+ public Principal getUserPrincipal() {
+ return principal;
+ }
+
+
+ @Override
+ public boolean isUserInRole( String role ) {
+ return role.equals( ROLE_SERVICE_ADMIN );
+ }
+
+
+ @Override
+ public boolean isSecure() {
+ return false;
+ }
+
+
+ @Override
+ public String getAuthenticationScheme() {
+ return SecurityContext.BASIC_AUTH;
+ }
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/usergrid/blob/cc6bc2ab/stack/rest/src/test/java/org/apache/usergrid/rest/applications/ApplicationDeleteIT.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/ApplicationDeleteIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/ApplicationDeleteIT.java
index b85637d..6416cff 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/ApplicationDeleteIT.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/ApplicationDeleteIT.java
@@ -19,7 +19,6 @@ package org.apache.usergrid.rest.applications;
 import com.fasterxml.jackson.databind.JsonNode;
-import net.jcip.annotations.NotThreadSafe;
 import org.apache.usergrid.rest.test.resource.AbstractRestIT;
 import org.apache.usergrid.rest.test.resource.endpoints.mgmt.ManagementResponse;
 import org.apache.usergrid.rest.test.resource.model.ApiResponse;
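Review bot: `SysAdminRoleAuthenticator.isSecure()` returns false unconditionally and `getUserPrincipal().getName()` returns the role constant rather than the name that passed the credential check, so anything downstream that consults this SecurityContext sees a non-TLS request with no real identity, which loses the audit trail for the superuser and database setup calls. `isUserInRole(null)` also throws NullPointerException because of `role.equals(...)`. Suggest carrying the authenticated name and the transport flag taken from the context the container installed before this filter ran (`request.getSecurityContext().isSecure()`, assuming it is non-null at that point, which the hunk does not show), and comparing with the constant on the left. The call site in the earlier hunk would then read `request.setSecurityContext( new SysAdminRoleAuthenticator( name, request.getSecurityContext().isSecure() ) );`.
```java
private static class SysAdminRoleAuthenticator implements SecurityContext {

    private final Principal principal;
    private final boolean secure;

    // name: the identity that passed the credential check in the enclosing filter method
    // secure: whether the request arrived over TLS, copied from the container's SecurityContext
    SysAdminRoleAuthenticator( final String name, final boolean secure ) {
        principal = new Principal() {
            @Override
            public String getName() {
                return name;
            }
        };
        this.secure = secure;
    }

    // … unchanged: getUserPrincipal(), getAuthenticationScheme() …

    @Override
    public boolean isUserInRole( String role ) {
        return ROLE_SERVICE_ADMIN.equals( role );   // null-safe
    }

    @Override
    public boolean isSecure() {
        return secure;
    }
}
```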
@@ -44,7 +43,6 @@ import static org.junit.Assert.fail;
 import static org.apache.usergrid.rest.management.organizations.applications
 .ApplicationResource.CONFIRM_APPLICATION_IDENTIFIER;
-@NotThreadSafe
 public class ApplicationDeleteIT extends AbstractRestIT {
 private static final Logger logger = LoggerFactory.getLogger(ApplicationDeleteIT.class);
http://git-wip-us.apache.org/repos/asf/usergrid/blob/cc6bc2ab/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
index 48fbf12..510e245 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/SecurityIT.java
@@ -17,7 +17,6 @@ package org.apache.usergrid.rest.applications;
-import net.jcip.annotations.NotThreadSafe;
 import org.apache.usergrid.rest.test.resource.AbstractRestIT;
 import org.apache.usergrid.rest.test.resource.model.ApiResponse;
 import org.apache.usergrid.rest.test.resource.model.Entity;
@@ -35,7 +34,6 @@ import static org.junit.Assert.fail;
 * These tests will execute requests against certain paths (with or without credentials) to ensure access is being
 * allowed according to the REST and Services permissions defined for the resource.
 */
-@NotThreadSafe
 public class SecurityIT extends AbstractRestIT {
 public SecurityIT() throws Exception {}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/cc6bc2ab/stack/rest/src/test/java/org/apache/usergrid/rest/applications/collection/activities/ActivityResourceIT.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/collection/activities/ActivityResourceIT.java b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/collection/activities/ActivityResourceIT.java
index 88b593c..c7f39b2 100644
--- a/stack/rest/src/test/java/org/apache/usergrid/rest/applications/collection/activities/ActivityResourceIT.java
+++ b/stack/rest/src/test/java/org/apache/usergrid/rest/applications/collection/activities/ActivityResourceIT.java
@@ -17,8 +17,6 @@ package org.apache.usergrid.rest.applications.collection.activities;
-import net.jcip.annotations.NotThreadSafe;
-import org.apache.usergrid.persistence.index.utils.MapUtils;
 import org.apache.usergrid.rest.test.resource.AbstractRestIT;
 import org.apache.usergrid.rest.test.resource.endpoints.CollectionEndpoint;
 import org.apache.usergrid.rest.test.resource.model.*;
@@ -27,8 +25,6 @@ import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.apache.usergrid.utils.UUIDUtils;
-
 import javax.ws.rs.ClientErrorException;
 import static org.junit.Assert.assertEquals;
@@ -36,7 +32,6 @@ import static org.junit.Assert.assertTrue;
 /** @author tnine */
-@NotThreadSafe
 public class ActivityResourceIT extends AbstractRestIT {
 private static final Logger log = LoggerFactory.getLogger( ActivityResourceIT.class );
@@ -44,7 +39,6 @@ public class ActivityResourceIT extends AbstractRestIT {
 private static final String USER = "edanuff";
- private static boolean groupCreated = false;
 private CollectionEndpoint groupsResource;
 private CollectionEndpoint groupActivityResource;
 private CollectionEndpoint usersResource;
