I'll see how I can refactor this. The code for authentication & authorization in RepositoryServlet is actually in the ArchivaDavSessionProvider, not in the servlet itself.
Thanks, Deng On Fri, May 9, 2008 at 11:36 AM, Joakim Erdfelt <[EMAIL PROTECTED]> wrote: > Can we create a AbstractSecuredServlet base for those two servlets to use? > > - Joakim > > > [EMAIL PROTECTED] wrote: > >> Author: oching >> Date: Thu May 8 04:27:00 2008 >> New Revision: 654479 >> >> URL: http://svn.apache.org/viewvc?rev=654479&view=rev >> Log: >> [MRM-773] >> -use authentication scheme used in RepositoryServlet >> -temporarily commented out authentication for new versions of artifacts >> Modified: >> >> >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java >> >> >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/RssFeedServletTest.java >> >> >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/SecuritySystemStub.java >> >> Modified: >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java >> URL: >> http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java?rev=654479&r1=654478&r2=654479&view=diff >> >> ============================================================================== >> --- >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java >> (original) >> +++ >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java >> Thu May 8 04:27:00 2008 
>> @@ -40,14 +40,16 @@ >> import org.apache.maven.archiva.security.ArchivaSecurityException; >> import org.apache.maven.archiva.security.PrincipalNotFoundException; >> import org.apache.maven.archiva.security.UserRepositories; >> -import >> org.codehaus.plexus.redback.authentication.AuthenticationDataSource; >> import >> org.codehaus.plexus.redback.authentication.AuthenticationException; >> -import >> org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource; >> +import org.codehaus.plexus.redback.authentication.AuthenticationResult; >> import org.codehaus.plexus.redback.authorization.AuthorizationException; >> +import org.codehaus.plexus.redback.authorization.AuthorizationResult; >> import org.codehaus.plexus.redback.policy.AccountLockedException; >> +import org.codehaus.plexus.redback.policy.MustChangePasswordException; >> import org.codehaus.plexus.redback.system.SecuritySession; >> import org.codehaus.plexus.redback.system.SecuritySystem; >> import org.codehaus.plexus.redback.users.UserNotFoundException; >> +import >> org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator; >> import org.codehaus.plexus.spring.PlexusToSpringUtils; >> import org.slf4j.Logger; >> import org.slf4j.LoggerFactory; >> @@ -85,6 +87,8 @@ >> private UserRepositories userRepositories; >> + private HttpAuthenticator httpAuth; >> + >> public void init( javax.servlet.ServletConfig servletConfig ) >> throws ServletException >> { 
>> @@ -94,11 +98,13 @@ >> (SecuritySystem) wac.getBean( >> PlexusToSpringUtils.buildSpringId( SecuritySystem.class.getName() ) ); >> userRepositories = >> (UserRepositories) wac.getBean( >> PlexusToSpringUtils.buildSpringId( UserRepositories.class.getName() ) ); >> + httpAuth = >> + (HttpAuthenticator) wac.getBean( >> PlexusToSpringUtils.buildSpringId( HttpAuthenticator.ROLE, "basic" ) ); >> } >> public void doGet( HttpServletRequest req, HttpServletResponse res ) >> throws ServletException, IOException >> - { + { >> try >> { >> Map<String, String> map = new HashMap<String, String>(); >> @@ -107,16 +113,22 @@ >> String groupId = req.getParameter( "groupId" ); >> String artifactId = req.getParameter( "artifactId" ); >> - if ( isAuthorized( req ) ) >> + if( ( repoId == null ) && ( groupId == null && artifactId == >> null ) ) + { >> + res.sendError( HttpServletResponse.SC_BAD_REQUEST, >> "Required fields not found in request." ); >> + return; >> + } >> + >> + if ( isAllowed( req ) ) >> { >> if ( repoId != null ) >> - { + { >> // new artifacts in repo feed request >> processor = >> (RssFeedProcessor) wac.getBean( >> PlexusToSpringUtils.buildSpringId( >> >> RssFeedProcessor.class.getName(), >> >> "new-artifacts" ) ); >> - map.put( RssFeedProcessor.KEY_REPO_ID, repoId ); >> + map.put( RssFeedProcessor.KEY_REPO_ID, >> repoId ); >> } >> else if ( ( groupId != null ) && ( artifactId != null ) ) >> { 
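Review bot: The new `httpAuth` assignment in init() has no null check, so a missing or misnamed "basic" HttpAuthenticator bean only shows up as a NullPointerException inside isAuthenticated() on the first feed request, after the servlet has already reported a successful init. Failing fast is cheaper to diagnose: `if ( httpAuth == null ) { throw new ServletException( "HttpAuthenticator 'basic' is not available" ); }` right after the lookup. The body of init() begins before this hunk, so the same pattern may apply to the other two lookups as well.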
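Review bot: The new early validation only rejects a request when repoId, groupId and artifactId are all absent, so a request carrying groupId without artifactId (or the reverse) passes it, reaches isAllowed() with an empty repoIds list, and ends up with a 401 "Request is not authorized" instead of the 400 the removed `else` branch used to return. The condition should mirror the two feed shapes actually handled below: `if ( repoId == null && ( groupId == null || artifactId == null ) )`. As written the distinction between a malformed request and a denied one is lost for clients and for anyone reading the access logs.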
>> @@ -126,23 +138,18 @@ >> >> RssFeedProcessor.class.getName(), >> >> "new-versions" ) ); >> map.put( RssFeedProcessor.KEY_GROUP_ID, groupId ); >> - map.put( RssFeedProcessor.KEY_ARTIFACT_ID, artifactId >> ); - } >> - else >> - { >> - res.sendError( HttpServletResponse.SC_BAD_REQUEST, >> "Required fields not found in request." ); >> - return; >> - } >> + map.put( RssFeedProcessor.KEY_ARTIFACT_ID, artifactId >> ); >> + } } >> else >> { >> res.sendError( HttpServletResponse.SC_UNAUTHORIZED, >> "Request is not authorized." ); >> return; >> } >> - + >> feed = processor.process( map ); >> res.setContentType( MIME_TYPE ); >> - + >> if ( repoId != null ) >> { >> feed.setLink( req.getRequestURL() + "?repoId=" + repoId ); 
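Review bot: The 401 is still sent via `res.sendError( HttpServletResponse.SC_UNAUTHORIZED, ... )` with no `WWW-Authenticate` challenge, so a feed reader that does not pre-emptively attach Basic credentials gets no indication of how to retry; now that the servlet owns an HttpAuthenticator the challenge should be issued on this path, e.g. `res.setHeader( "WWW-Authenticate", "Basic realm=\"<realm>\"" );` before the sendError, unless the authenticator is confirmed to emit it elsewhere (not visible here). The same response is also used for both "no valid credentials" and "valid user without repository access", where the latter is conventionally a 403. The surrounding doGet() starts and ends outside this hunk.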
>> @@ -188,55 +195,62 @@ >> * @param req >> * @return >> */ >> - private boolean isAuthorized( HttpServletRequest req ) >> + private boolean isAllowed( HttpServletRequest req ) >> throws UserNotFoundException, AccountLockedException, >> AuthenticationException, AuthorizationException >> { >> String auth = req.getHeader( "Authorization" ); >> - - if ( auth == null ) >> - { >> - return false; >> - } >> - >> - if ( !auth.toUpperCase().startsWith( "BASIC " ) ) >> - { >> - return false; >> - } >> - >> - Decoder dec = new Base64(); - String >> usernamePassword = ""; >> - try >> - { >> - usernamePassword = new String( ( byte[] ) dec.decode( >> auth.substring( 6 ).getBytes() ) ); >> - } >> - catch ( DecoderException ie ) >> - { >> - log.error( "Error decoding username and password.", >> ie.getMessage() ); >> - } >> - - String[] userCredentials = usernamePassword.split( ":" >> ); >> - String username = userCredentials[0]; >> - String password = userCredentials[1]; >> - - AuthenticationDataSource dataSource = new >> PasswordBasedAuthenticationDataSource( username, password ); >> - SecuritySession session = null; >> + // if ( auth == null ) >> + // { >> + // return false; >> + // } >> List<String> repoIds = new ArrayList<String>(); >> if ( req.getParameter( "repoId" ) != null ) >> { >> repoIds.add( req.getParameter( "repoId" ) ); >> } >> - else >> + >> + if ( auth != null ) >> { >> - repoIds = getObservableRepos( username ); >> - } >> + if ( !auth.toUpperCase().startsWith( "BASIC " ) ) >> + { >> + return false; >> + } >> + >> + Decoder dec = new Base64(); >> + String usernamePassword = ""; >> - session = securitySystem.authenticate( dataSource ); >> + try >> + { >> + usernamePassword = new String( (byte[]) dec.decode( >> auth.substring( 6 ).getBytes() ) ); >> + } >> + catch ( DecoderException ie ) >> + { >> + log.error( "Error decoding username and password.", >> ie.getMessage() ); >> + } >> + >> + if ( usernamePassword != null && >> !usernamePassword.trim().equals( "" ) ) >> 
+ { >> + //String[] userCredentials = usernamePassword.split( ":" >> ); >> + //String username = userCredentials[0]; >> + //String password = userCredentials[1]; >> + >> + //AuthenticationDataSource dataSource = new >> PasswordBasedAuthenticationDataSource( username, password ); >> + //SecuritySession session = null; + >> + //if( req.getParameter( "groupId" ) != null && >> req.getParameter( "artifactId" ) != null ) + //{ >> + // repoIds = getObservableRepos( username ); >> + //} >> + } >> + } >> + //session = securitySystem.authenticate( dataSource ); >> for ( String repoId : repoIds ) >> - { - if ( securitySystem.isAuthorized( >> session, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS, repoId ) ) >> + { >> + //if ( securitySystem.isAuthorized( session, >> ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS, repoId ) ) >> + if ( isAuthenticated( req, repoId ) && isAuthorized( req, >> repoId ) ) >> { >> return true; >> } 
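Review bot: The Basic header is still decoded into `usernamePassword` inside `if ( auth != null )`, but every consumer of it is now commented out, so this block is dead code that still does `auth.toUpperCase()` without a Locale, `new String( byte[] )` with the platform charset, and `log.error( "Error decoding username and password.", ie.getMessage() )` whose argument is dropped because the format has no `{}`. Since isAuthenticated() now delegates header parsing to HttpAuthenticator, the whole block from `if ( auth != null )` through the commented `//session = securitySystem.authenticate( dataSource );` should be deleted rather than kept as commentary. With `getObservableRepos` commented out, a groupId/artifactId request leaves `repoIds` empty, the loop never runs, and the new-versions feed can no longer succeed at all; if that is the intent for MRM-773 it should be stated in a comment with the issue key, and the username should later be derived from the authenticated session rather than by re-parsing the header. Note that when `auth == null` the code now falls through to the loop and relies entirely on isAuthenticated() to reject the request; the method's tail (after the loop) is outside this hunk.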
>> @@ -266,4 +280,65 @@ >> return Collections.emptyList(); >> } >> + >> + private boolean isAuthenticated( HttpServletRequest request, String >> repositoryId ) >> + { >> + try >> + { >> + AuthenticationResult result = >> httpAuth.getAuthenticationResult( request, null ); >> + + if ( result != null && !result.isAuthenticated() >> ) >> + { >> + log.error( "User credentials is invalid." ); >> + return false; >> + } >> + } >> + catch ( AuthenticationException e ) >> + { >> + log.error( "User is not authenticated." ); >> + return false; >> + } >> + catch ( AccountLockedException e ) >> + { >> + log.error( "User account is locked." ); >> + return false; >> + } >> + catch ( MustChangePasswordException e ) >> + { >> + log.error( "Password must be changed." ); >> + return false; >> + } >> + >> + log.info( "before returning TRUE in isAuthenticated(..)" ); >> + return true; >> + } >> + >> + private boolean isAuthorized( HttpServletRequest request, String >> repositoryId ) >> + { >> + SecuritySession securitySession = httpAuth.getSecuritySession(); >> + >> + try >> + { >> + String permission = >> ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS; >> + >> + AuthorizationResult authzResult = securitySystem.authorize( >> securitySession, permission, repositoryId ); >> + >> + if ( !authzResult.isAuthorized() ) >> + { >> + if ( authzResult.getException() != null ) >> + { >> + log.info( "Authorization Denied [ip=" + >> request.getRemoteAddr() + ",permission=" + permission + >> + ",repo=" + repositoryId + "] : " + >> authzResult.getException().getMessage() ); >> + } >> + return false; >> + } >> + } >> + catch ( AuthorizationException e ) >> + { >> + log.error( "Error in authorization : " + e.getMessage() ); >> + return false; >> + } >> + >> + return true; >> + } >> } >> >> Modified: >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/RssFeedServletTest.java >> URL: >> 
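Review bot: isAuthenticated() fails open: `if ( result != null && !result.isAuthenticated() )` only rejects a non-null failed result, so a null return from `httpAuth.getAuthenticationResult( request, null )` falls through to `return true` and the request is treated as authenticated. The guard should be `if ( result == null || !result.isAuthenticated() )`. The `repositoryId` parameter is unused, the `log.info( "before returning TRUE in isAuthenticated(..)" )` line is debug leftover, and the three catch blocks log at error level without the exception for what are ordinary client failures. In isAuthorized(), `httpAuth.getSecuritySession()` takes no request argument, so whether it reflects the credentials just checked or state shared by a container-managed singleton bean under concurrent requests depends on the HttpAuthenticator implementation and is worth confirming before relying on it for per-request authorization.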
http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/RssFeedServletTest.java?rev=654479&r1=654478&r2=654479&view=diff >> >> ============================================================================== >> --- >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/RssFeedServletTest.java >> (original) >> +++ >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/RssFeedServletTest.java >> Thu May 8 04:27:00 2008 >> @@ -83,6 +83,7 @@ >> assertEquals( "Should have been an OK response code.", >> HttpServletResponse.SC_OK, response.getResponseCode() ); >> } >> + /* >> public void testRequestNewVersionsOfArtifact() >> throws Exception >> { >> @@ -103,6 +104,7 @@ >> assertNotNull( "Should have recieved a response", response ); >> assertEquals( "Should have been an OK response code.", >> HttpServletResponse.SC_OK, response.getResponseCode() ); } >> + */ >> public void testInvalidRequest() >> throws Exception >> >> Modified: >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/SecuritySystemStub.java >> URL: >> http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/SecuritySystemStub.java?rev=654479&r1=654478&r2=654479&view=diff >> >> ============================================================================== >> --- >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/SecuritySystemStub.java >> (original) >> +++ >> archiva/trunk/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/web/rss/SecuritySystemStub.java >> Thu May 8 04:27:00 2008 
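Review bot: Commenting out `testRequestNewVersionsOfArtifact()` removes the only coverage of the groupId/artifactId feed while the servlet change makes that feed unable to pass isAllowed(), so the regression is now silent rather than tracked by a failing or explicitly disabled test. This is JUnit 3 style with no @Ignore, so at minimum the block should carry a marker such as `// TODO MRM-773: re-enable once authentication for new-versions feeds is restored` instead of a bare `/* ... */`. Without it the commented test is likely to be dropped as dead code later.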
>> @@ -24,6 +24,7 @@ >> import java.util.List; >> import java.util.Map; >> +import org.apache.maven.archiva.security.ArchivaRoleConstants; >> import >> org.codehaus.plexus.redback.authentication.AuthenticationDataSource; >> import >> org.codehaus.plexus.redback.authentication.AuthenticationException; >> import org.codehaus.plexus.redback.authentication.AuthenticationResult; >> @@ -89,15 +90,15 @@ >> public AuthorizationResult authorize( SecuritySession arg0, Object >> arg1 ) >> throws AuthorizationException >> { >> - // TODO Auto-generated method stub >> return null; >> } >> public AuthorizationResult authorize( SecuritySession arg0, Object >> arg1, Object arg2 ) >> throws AuthorizationException >> { >> - // TODO Auto-generated method stub >> - return null; >> + AuthorizationResult result = new AuthorizationResult( true, arg1, >> null); >> + + return result; >> } >> public String getAuthenticatorId() >> >> >> >> > >
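Review bot: The three-argument `authorize` stub now returns `new AuthorizationResult( true, arg1, null )` for every permission and repository, so the servlet tests can no longer express a denied path and will not catch an authorization regression in RssFeedServlet.isAuthorized(). Returning a denial for an unknown repository, e.g. `return new AuthorizationResult( "test-repo".equals( arg2 ), arg1, null );` keyed on whatever repository the tests set up, would keep the negative case testable. The two-argument overload still returns null, which would NPE in any caller that dereferences the result; a comment stating that the stub grants unconditionally would at least make the current behaviour explicit.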
