Merge authors: Morten Olav Hansen (mortenoh) ------------------------------------------------------------ revno: 5367 [merge] committer: Morten Olav Hansen <morte...@gmail.com> branch nick: dhis2 timestamp: Mon 2011-12-12 12:20:20 +0100 message: dxf2merge: tightened security for /api, now requires ALL or F_WEBAPI_READ (also added F_WEBAPI_CREATE, F_WEBAPI_UPDATE, F_WEBAPI_DELETE ... not currently in use) added: dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java modified: dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
=== added directory 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action'
=== added file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java 2011-12-12 11:18:21 +0000
@@ -0,0 +1,43 @@
+package org.hisp.dhis.api.action;
+
+/*
+ * Copyright (c) 2004-2009, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import com.opensymphony.xwork2.Action;
+
+/**
+ * @author Morten Olav Hansen <morte...@gmail.com>
+ */
+public class NoAction
+ implements Action
+{
+ public String execute()
+ throws Exception
+ {
+ return SUCCESS;
+ }
+}
\ No newline at end of file
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java 2011-12-09 20:53:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java 2011-12-12 11:18:21 +0000
@@ -39,6 +39,7 @@
 import org.jfree.chart.ChartUtilities;
 import org.jfree.chart.JFreeChart;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java 2011-12-08 14:31:31 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java 2011-12-12 11:18:21 +0000
@@ -27,6 +27,7 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml 2011-12-07 13:44:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml 2011-12-12 11:18:21 +0000
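Review bot: `NoAction` has only an `@author` Javadoc, so a reader cannot tell why an action whose whole body is `return SUCCESS;` exists; its only visible use is the `index` action in struts.xml, where it appears to serve as a carrier for the `requiredAuthorities` list rather than as something users are meant to call. Add a class Javadoc that states this, e.g. `/** No-op XWork action; mapped in struts.xml so the F_WEBAPI_* authorities can be declared via requiredAuthorities. */`, since without it the class looks like dead code to the next maintainer. As a point of style, the `throws Exception` clause is inherited from `Action.execute()` and can be dropped here because the body cannot throw.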
@@ -3,10 +3,14 @@ xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" + xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> + <sec:global-method-security pre-post-annotations="enabled" /> + <mvc:annotation-driven /> <context:component-scan base-package="org.hisp.dhis.api" /> === modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml' --- dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml 2011-11-02 11:14:35 +0000 +++ dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml 2011-12-12 11:18:21 +0000 
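Review bot: `<sec:global-method-security pre-post-annotations="enabled" />` works by proxying the annotated beans, and in Spring 3.0 a JDK interface proxy of a class-based `@Controller` loses its `@RequestMapping` metadata for the annotation handler mapping; since this context component-scans `org.hisp.dhis.api` and the commit adds `PreAuthorize` imports to `ChartController` and `IndexController`, if those controllers do not implement an interface the element should read `<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true" />` (CGLIB on the classpath). Placing the element in the DispatcherServlet context is the right choice for securing controller beans, but that is easy to misread next to the matching element removed from security.xml in this same commit, so add a one-line comment such as `<!-- Method security for the @Controller beans scanned in this servlet context; URL-level rules for /api live in security.xml -->`. Whether the annotations are actually applied to the controllers is not visible in these hunks.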
@@ -1,11 +1,16 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE struts PUBLIC -"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" -"http://struts.apache.org/dtds/struts-2.0.dtd"> + "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" + "http://struts.apache.org/dtds/struts-2.0.dtd"> <struts> <include file="dhis-web-commons.xml" /> <package name="dhis-web-api" extends="dhis-web-commons" namespace="/dhis-web-api"> + + <action name="index" class="org.hisp.dhis.api.action.NoAction"> + <param name="requiredAuthorities">F_WEBAPI_CREATE, F_WEBAPI_READ, F_WEBAPI_UPDATE, F_WEBAPI_DELETE</param> + </action> + </package> </struts> === modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml' --- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2011-10-24 09:55:12 +0000 +++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2011-12-12 11:18:21 +0000 @@ -1,13 +1,10 @@ <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation=" - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation=" + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> - <sec:global-method-security jsr250-annotations="disabled" pre-post-annotations="disabled" - secured-annotations="disabled" /> - <bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy"> <property name="redirectMap"> <map> 
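Review bot: The new `index` action lists all four `F_WEBAPI_*` authorities in `requiredAuthorities` on a no-op action, and nothing in the hunk says whether a request to `/dhis-web-api/index.action` needs all of them or any one — that depends on the `accessDecisionManager` wired into `XWorkSecurityInterceptor`, which this diff does not show. Given the commit message says the three write authorities are "not currently in use", the declaration looks like a way to get the authorities registered (presumably picked up by the `DetectingSystemAuthoritiesProvider` bean in security.xml) rather than a real access rule, so say so in place: `<!-- No-op action; declares the F_WEBAPI_* authorities so they are detected and assignable to user roles. Access to /api is enforced by intercept-url rules in security.xml. -->`. If the action is instead meant to be reachable by API clients, restricting it to `F_WEBAPI_READ` alone would match the `/api` rules added in this commit.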
@@ -28,15 +25,18 @@ <sec:http access-decision-manager-ref="accessDecisionManager" use-expressions="true" realm="DHIS2"> <sec:form-login default-target-url="/" always-use-default-target="false" - login-processing-url="/dhis-web-commons-security/login.action" authentication-failure-url="/dhis-web-commons/security/login.action?failed=true" - login-page="/dhis-web-commons/security/login.action" authentication-success-handler-ref="defaultAuthenticationSuccessHandler" /> + login-processing-url="/dhis-web-commons-security/login.action" + authentication-failure-url="/dhis-web-commons/security/login.action?failed=true" + login-page="/dhis-web-commons/security/login.action" + authentication-success-handler-ref="defaultAuthenticationSuccessHandler" /> <sec:http-basic /> <sec:logout logout-url="/dhis-web-commons-security/logout.action" /> - <sec:intercept-url pattern="/dhis-web-commons/security/**" access="permitAll" /> <sec:intercept-url pattern="/dhis-web-commons/javascripts/**" filters="none" /> <sec:intercept-url pattern="/dhis-web-commons/css/**" filters="none" /> <sec:intercept-url pattern="/favicon.ico" filters="none" /> + <sec:intercept-url pattern="/api*" access="hasRole('F_WEBAPI_READ')" /> + <sec:intercept-url pattern="/api/**" access="hasRole('F_WEBAPI_READ')" /> <sec:intercept-url pattern="/**" access="isAuthenticated()" /> <sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" /> @@ -44,7 +44,7 @@ <!-- Security : Action --> <bean id="restrictOrganisationUnitsAction" class="org.hisp.dhis.security.action.RestrictOrganisationUnitsAction" - scope="prototype"> + scope="prototype"> <property name="currentUserService" ref="org.hisp.dhis.user.CurrentUserService" /> <property name="selectionManager" ref="org.hisp.dhis.ouwt.manager.OrganisationUnitSelectionManager" /> <property name="selectionTreeManager" ref="org.hisp.dhis.oust.manager.SelectionTreeManager" /> 
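Review bot: The `permitAll` rule for `/dhis-web-commons/security/**` is removed in this hunk without being mentioned in the commit message, and with the catch-all `/**` now requiring `isAuthenticated()` the configured `login-page` at `/dhis-web-commons/security/login.action` would itself need an authenticated user. Unless something outside this file permits that path, an anonymous visitor is redirected to a login page they are not allowed to see, which looks accidental; restore `<sec:intercept-url pattern="/dhis-web-commons/security/**" access="permitAll" />` ahead of the new `/api*` rules. Separately, the commit message says `/api` is open to `ALL` or `F_WEBAPI_READ`, but the added rules only check `hasRole('F_WEBAPI_READ')`; unless the referenced `accessDecisionManager` treats `ALL` as a superset (not visible here), users holding only `ALL` are locked out of the API, so write the intent explicitly as `access="hasAnyRole('ALL','F_WEBAPI_READ')"` on both `/api*` and `/api/**`. The two new rules are correctly placed before `/**`, since intercept-url patterns are matched in declaration order.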
@@ -143,7 +143,8 @@ </property> </bean> - <bean id="org.hisp.dhis.security.ActionAccessResolver" class="org.hisp.dhis.security.SpringSecurityActionAccessResolver"> + <bean id="org.hisp.dhis.security.ActionAccessResolver" + class="org.hisp.dhis.security.SpringSecurityActionAccessResolver"> <property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" /> <property name="accessDecisionManager" ref="accessDecisionManager" /> </bean> @@ -158,7 +159,8 @@ </property> </bean> - <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor" class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor"> + <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor" + class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor"> <property name="accessDecisionManager" ref="accessDecisionManager" /> <property name="authenticationManager" ref="authenticationManager" /> <property name="validateConfigAttributes" value="false" /> @@ -168,7 +170,8 @@ <!-- Security : AuthorityProvider --> - <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider"> + <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" + class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider"> <property name="requiredAuthoritiesKey" value="requiredAuthorities" /> <property name="globalAttributes"> <set> 
@@ -177,11 +180,13 @@ </property> </bean> - <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider"> + <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider" + class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider"> <property name="source" ref="compositeSystemAuthoritiesProvider" /> </bean> - <bean id="compositeSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider"> + <bean id="compositeSystemAuthoritiesProvider" + class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider"> <property name="sources"> <set> <ref bean="detectingSystemAuthoritiesProvider" /> @@ -191,7 +196,8 @@ </property> </bean> - <bean id="detectingSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider"> + <bean id="detectingSystemAuthoritiesProvider" + class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider"> <property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" /> </bean>