Author: taylor
Date: Thu Feb 22 00:17:32 2007
New Revision: 510438
URL: http://svn.apache.org/viewvc?view=rev&rev=510438
Log:
https://issues.apache.org/jira/browse/JS2-655
Entity Editor has been broken for a long time.
Also, the entity editor is unsecured.
Proposed fix: retrofit it onto an "ajax-direct" pipeline keyed off the /ajax pipeline mapping.
Also assign a security behavior to the ajax valve to give it RBAC security,
locking out all AJAX calls not authorized by a list of trusted roles
(Could have sworn there was a jira issue on this one, but i could not find it,
sorry if i have created a dupe)
Modified:
portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
portals/jetspeed-2/trunk/components/portal/maven.xml
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
Modified:
portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
---
portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
(original)
+++
portals/jetspeed-2/trunk/applications/j2-admin/src/webapp/javascript/ajax.js
Thu Feb 22 00:17:32 2007
@@ -53,7 +53,7 @@
}
}
- var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_apps.ajax?ajax_service=portletRegistry.getPortletApplications"
,this);
+ var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=portletRegistry.getPortletApplications"
,this);
requestCaller.serviceRequest();
}
@@ -78,7 +78,7 @@
this.load = function(appName)
{
this.appName = appName;
- var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_definitions.ajax?ajax_service=portletRegistry.getPortletApplication&ajax_param_0_str="+appName
,this);
+ var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=portletRegistry.getPortletApplication&ajax_param_0_str="+appName
,this);
requestCaller.serviceRequest();
}
}
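Review bot: `appName` is spliced into the query string unescaped in the new `XMLHttpRequestCaller` URL, so a name containing `&`, `#`, `%` or a space either breaks the request or could append extra `ajax_service`/`ajax_param` parameters to it; build the URL with `"&ajax_param_0_str="+encodeURIComponent(appName)` instead. The same applies to `portletName` and `entityName` in the two load() functions in the hunks below. The parameter was unescaped before this commit too; only the path changed here. The enclosing object literal starts outside the hunk.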
@@ -111,7 +111,7 @@
this.load = function(portletName)
{
- var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_entities.ajax?ajax_service=entityAccess.getPortletEntities&ajax_param_0_str="+portletName
,this);
+ var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=entityAccess.getPortletEntities&ajax_param_0_str="+portletName
,this);
requestCaller.serviceRequest();
}
}
@@ -157,7 +157,7 @@
this.load = function(entityName)
{
- var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax/portlet_entity.ajax?ajax_service=entityAccess.getPortletEntity&ajax_param_0_str="+entityName,this);
+ var requestCaller = new
XMLHttpRequestCaller(applicationRoot+"/ajax?ajax_service=entityAccess.getPortletEntity&ajax_param_0_str="+entityName,this);
requestCaller.serviceRequest();
}
Modified: portals/jetspeed-2/trunk/components/portal/maven.xml
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/maven.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/components/portal/maven.xml (original)
+++ portals/jetspeed-2/trunk/components/portal/maven.xml Thu Feb 22 00:17:32
2007
@@ -17,6 +17,6 @@
<project default="java:jar" xmlns:j="jelly:core" xmlns:define="jelly:define"
xmlns:maven="jelly:maven">
<!-- Target of maven test:single test -->
- <property name='testcase'
value='org.apache.jetspeed.aggregator.TestAggregator2' />
+ <property name='testcase'
value='org.apache.jetspeed.decoration.TestDecorations' />
</project>
Modified:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
---
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
(original)
+++
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXServiceImpl.java
Thu Feb 22 00:17:32 2007
@@ -19,12 +19,16 @@
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
+import java.io.StringWriter;
import java.lang.reflect.Method;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.context.Context;
@@ -41,8 +45,8 @@
*/
public class AJAXServiceImpl implements AJAXService, BeanFactoryAware
{
-
private Map serviceToBeans;
+ private Map serviceToTemplates;
private BeanFactory beanFactory;
private VelocityEngine engine;
@@ -52,10 +56,11 @@
this.serviceToBeans = serviceToBeans;
}
- public AJAXServiceImpl(Map serviceToBeans, VelocityEngine engine)
+ public AJAXServiceImpl(Map serviceToBeans, VelocityEngine engine, Map
serviceToTemplates)
{
this.serviceToBeans = serviceToBeans;
this.engine = engine;
+ this.serviceToTemplates = serviceToTemplates;
}
public AJAXResponse processRequest(AJAXRequest request)
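Review bot: The constructor whose tail is visible at the top of the hunk assigns only `serviceToBeans`, so an instance built that way leaves `serviceToTemplates` null and processRequest fails later with a NullPointerException at the template lookup instead of a clear configuration error. Either have that constructor delegate to this one with an empty map, or reject a missing map here: `if (serviceToTemplates == null) throw new IllegalArgumentException("serviceToTemplates must not be null");`. The template lookup itself is in a later hunk of this file.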
@@ -63,7 +68,7 @@
{
final String serviceName = request.getServiceName();
final String methodName = request.getMethodName();
- final String templateName =
request.getServletRequest().getServletPath();
+ // final String templateName =
request.getServletRequest().getServletPath();
final String mappedServiceName = (serviceName+"."+methodName).trim();
try
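Review bot: The replaced line survives as a comment, `// final String templateName = request.getServletRequest().getServletPath();`; with the template now resolved from the map it is dead code, and version control already keeps the history, so delete the line rather than commenting it out. processRequest continues on both sides of the hunk.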
@@ -92,7 +97,8 @@
Context context = new VelocityContext();
context.put("ajaxRequest", request);
context.put("result", result);
-
+
+ String templateName =
((String)serviceToTemplates.get(mappedServiceName)).trim();
final InputStream templateResource =
request.getContext().getResourceAsStream(templateName);
if(templateResource == null)
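Review bot: `serviceToTemplates.get(mappedServiceName)` is cast and `.trim()`'d with no null check, so a service that has a bean but no template entry — or, unless the bean lookup earlier in the method already rejects it, an arbitrary value of the request's `ajax_service` parameter — surfaces as a NullPointerException rather than the AJAXException the caller handles. Guard it: `String templateName = (String) serviceToTemplates.get(mappedServiceName); if (templateName == null) throw new AJAXException("No template mapped for service " + mappedServiceName);` and trim afterwards. The method continues outside the hunk in both directions.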
@@ -102,7 +108,21 @@
}
Reader template = new InputStreamReader(templateResource);
- return new AJAXResponseImpl(context, engine, template,
request.getServletResponse().getWriter());
+ StringWriter stringWriter = new StringWriter();
+
+ AJAXResponse ajaxResponse = new AJAXResponseImpl(context, engine,
template, stringWriter);
+ ajaxResponse.complete();
+
+ String buffer = stringWriter.getBuffer().toString();
+ System.out.println("debug: " + buffer);
+ //log.debug("output from AjaxService:" + buffer);
+
+ // Put the response XML on the response object
+ HttpServletResponse response = request.getServletResponse();
+ ServletOutputStream sos = response.getOutputStream();
+ sos.print(buffer);
+ sos.flush();
+ return ajaxResponse;
}
catch(AJAXException ae)
{
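Review bot: `System.out.println("debug: " + buffer)` dumps every rendered AJAX response — portlet application, definition and entity data — to the container's stdout, while the intended `log.debug` next to it is commented out; remove the println (or wire a real logger behind an `isDebugEnabled()` guard) before this ships. Writing the body via `ServletOutputStream.print(String)` is also fragile: the servlet API's `print(String)` accepts only ISO-8859-1 characters and throws CharConversionException for anything else, and it bypasses the response's character encoding, so a non-Latin-1 name in the template output fails the whole request; the removed line used `response.getWriter()`, which honours the charset and avoids this. `template` and `templateResource` are never closed either. The surrounding try and the catch clauses continue outside the hunk.
```java
// … unchanged: Velocity context setup and template lookup …
Reader template = new InputStreamReader(templateResource, "UTF-8"); // templates assumed UTF-8 — confirm
try
{
    StringWriter stringWriter = new StringWriter();
    AJAXResponse ajaxResponse = new AJAXResponseImpl(context, engine, template, stringWriter);
    ajaxResponse.complete();

    // Put the rendered XML on the response; the valve declares the content type/charset
    HttpServletResponse response = request.getServletResponse();
    java.io.PrintWriter out = response.getWriter();
    out.write(stringWriter.toString());
    out.flush();
    return ajaxResponse;
}
finally
{
    template.close();
}
```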
Modified:
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
---
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
(original)
+++
portals/jetspeed-2/trunk/components/portal/src/java/org/apache/jetspeed/ajax/AJAXValve.java
Thu Feb 22 00:17:32 2007
@@ -15,8 +15,9 @@
*/
package org.apache.jetspeed.ajax;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.jetspeed.layout.PortletActionSecurityBehavior;
import org.apache.jetspeed.pipeline.PipelineException;
import org.apache.jetspeed.pipeline.valve.AbstractValve;
import org.apache.jetspeed.pipeline.valve.ValveContext;
@@ -30,27 +31,48 @@
*/
public class AJAXValve extends AbstractValve
{
- private static final Log log = LogFactory.getLog( AJAXValve.class );
- private AjaxRequestService ajaxService;
+ private AJAXService ajaxService;
+ private PortletActionSecurityBehavior securityBehavior;
- public AJAXValve(AJAXService service)
+ public AJAXValve(AJAXService service, PortletActionSecurityBehavior
securityBehavior)
{
super();
+ this.ajaxService = service;
+ this.securityBehavior = securityBehavior;
}
public void invoke( RequestContext request, ValveContext context )
throws PipelineException
{
+ HttpServletResponse response = request.getResponse();
try
{
- ajaxService.process(request);
+ response.setContentType("text/xml");
+ if (!securityBehavior.checkAccess(request, "edit"))
+ {
+ throw new AJAXException("Access Denied.");
+ }
+ AJAXRequest ajaxRequest = new
AJAXRequestImpl(request.getRequest(), response,
request.getConfig().getServletContext());
+ ajaxService.processRequest(ajaxRequest);
+ }
+ catch (AJAXException e)
+ {
+ try
+ {
+ response.sendError(500, e.getMessage());
+ }
+ catch (Exception e2)
+ {
+ throw new PipelineException(e2.getMessage(), e2);
+ }
}
- catch (Exception e)
+ catch(Exception e)
{
- throw new PipelineException(e.toString(), e);
+ throw new PipelineException(e.getMessage(), e);
}
+
// Pass control to the next Valve in the Pipeline
- context.invokeNext( request );
+ context.invokeNext(request);
}
public String toString()
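Review bot: A denied call is answered with HTTP 500: when `checkAccess` returns false the code throws `AJAXException("Access Denied.")`, and the catch below maps every AJAXException to `response.sendError(500, e.getMessage())`, so a caller (and any monitoring) cannot tell a forbidden request from a server fault, and the raw exception text — potentially including unknown-service or reflection failure messages driven by the `ajax_service` parameter — is echoed back. In the `if` branch send `response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied."); return;` (this valve is the last entry of `ajax-direct-pipeline` in pipelines.xml, so nothing downstream is skipped), keep 500 with a fixed message for processing errors, and log `e` server-side now that the `Log` field has been removed. Note also that the role check authorizes the session, not the request: `ajax_service` and its arguments travel in a GET query string, so a logged-in editor's browser can be made to issue these calls from another site; if any mapped service changes state it still needs CSRF protection (POST plus a token). Whether such state-changing services are reachable is not visible in this diff.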
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/ajax.xml Thu Feb 22
00:17:32 2007
@@ -58,6 +58,22 @@
<property name="overrideLogging"><value>false</value></property>
</bean>
</constructor-arg>
+ <constructor-arg>
+ <map>
+ <entry key="portletRegistry.getPortletApplications">
+ <value>/ajax/portlet_apps.ajax</value>
+ </entry>
+ <entry key="portletRegistry.getPortletApplication">
+ <value>/ajax/portlet_definitions.ajax</value>
+ </entry>
+ <entry key="entityAccess.getPortletEntities">
+ <value>/ajax/portlet_entities.ajax</value>
+ </entry>
+ <entry key="entityAccess.getPortletEntity">
+ <value>/ajax/portlet_entity.ajax</value>
+ </entry>
+ </map>
+ </constructor-arg>
</bean>
</beans>
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml
(original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/pipelines.xml Thu Feb
22 00:17:32 2007
@@ -231,8 +231,11 @@
init-method="initialize"
>
<constructor-arg>
- <ref bean="AJAXService"/>
+ <ref bean="AJAXService"/>
</constructor-arg>
+ <constructor-arg>
+ <ref bean="RolesSecurityBehavior"/>
+ </constructor-arg>
</bean>
<bean id="DecorationValve"
@@ -378,12 +381,32 @@
<ref bean="localizationValve"/>
<ref bean="profilerValve"/>
<ref bean="containerValve"/>
- <!-- TODO: replace layout valve with Ajax valve -->
+ <!-- this is the standard Jetspeed API entry point -->
<ref bean="layoutValve"/>
</list>
</constructor-arg>
</bean>
+ <bean id="ajax-direct-pipeline"
+ class="org.apache.jetspeed.pipeline.JetspeedPipeline"
+ init-method="initialize"
+ >
+ <constructor-arg>
+ <value>AjaxDirectPipeline</value>
+ </constructor-arg>
+ <constructor-arg>
+ <list>
+ <ref bean="capabilityValve"/>
+ <ref bean="portalURLValve"/>
+ <ref bean="securityValve"/>
+ <ref bean="localizationValve"/>
+ <ref bean="profilerValve"/>
+ <ref bean="containerValve"/>
+ <ref bean="AJAXValve"/>
+ </list>
+ </constructor-arg>
+ </bean>
+
<bean id="fileserver-pipeline"
class="org.apache.jetspeed.pipeline.JetspeedPipeline"
init-method="initialize"
@@ -449,6 +472,9 @@
<entry key='/action'>
<value>desktop-action-pipeline</value>
</entry>
+ <entry key='/ajax'>
+ <value>ajax-direct-pipeline</value>
+ </entry>
</map>
</constructor-arg>
</bean>
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?view=diff&rev=510438&r1=510437&r2=510438
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Thu Feb 22 00:17:32 2007
@@ -30,12 +30,7 @@
<param-name>log4j.config.webApplicationRoot.key</param-name>
<param-value>applicationRoot</param-value>
</context-param>
-
- <filter>
- <filter-name>AJAXFilter</filter-name>
- <filter-class>org.apache.jetspeed.ajax.AJAXFilter</filter-class>
- </filter>
-
+
<filter>
<filter-name>staticResourceCachingFilter</filter-name>
<filter-class>org.apache.jetspeed.engine.servlet.StaticResourceCachingFilter</filter-class>
@@ -55,10 +50,6 @@
<filter-class>org.apache.jetspeed.login.filter.PortalFilter</filter-class>
</filter>
-->
- <filter-mapping>
- <filter-name>AJAXFilter</filter-name>
- <url-pattern>*.ajax</url-pattern>
- </filter-mapping>
<!--
<filter-mapping>
@@ -180,6 +171,14 @@
</servlet-name>
<url-pattern>
/ajaxapi/*
+ </url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>
+ jetspeed
+ </servlet-name>
+ <url-pattern>
+ /ajax/*
</url-pattern>
</servlet-mapping>
<servlet-mapping>