Author: sergeyb Date: Thu Dec 16 19:00:34 2010 New Revision: 1050097 URL: http://svn.apache.org/viewvc?rev=1050097&view=rev Log: Merged revisions 1050095 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk
........ r1050095 | sergeyb | 2010-12-16 18:57:02 +0000 (Thu, 16 Dec 2010) | 1 line [CXF-3195,CXF-3172] Updatig SecureAnnotationsInterceptor to check interfaces and JAASAuthenticationFilter to redirect to context-based addresses by default ........ Modified: cxf/branches/2.3.x-fixes/ (props changed) cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml Propchange: cxf/branches/2.3.x-fixes/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Thu Dec 16 19:00:34 2010 
@@ -1 +1 @@ -/cxf/trunk:1041183,1041790,1041993,1042346,1042571,1042724,1042805,1042821,1043225,1043229,1043902,1043907,1043954,1044085,1044238-1044305,1045024,1048915,1048919,1048930,1049078,1049937,1050005,1050021 +/cxf/trunk:1041183,1041790,1041993,1042346,1042571,1042724,1042805,1042821,1043225,1043229,1043902,1043907,1043954,1044085,1044238-1044305,1045024,1048915,1048919,1048930,1049078,1049937,1050005,1050021,1050095 Propchange: cxf/branches/2.3.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. Modified: cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java (original) +++ cxf/branches/2.3.x-fixes/rt/core/src/main/java/org/apache/cxf/interceptor/security/SecureAnnotationsInterceptor.java Thu Dec 16 19:00:34 2010 @@ -27,6 +27,7 @@ import java.util.Map; import java.util.Set; import org.apache.cxf.common.classloader.ClassLoaderUtils; +import org.apache.cxf.common.util.ClassHelper; public class SecureAnnotationsInterceptor extends SimpleAuthorizingInterceptor { 
@@ -54,10 +55,17 @@ public class SecureAnnotationsIntercepto } public void setSecuredObject(Object object) { - Class<?> cls = object.getClass(); - String classRolesAllowed = getRoles(cls.getAnnotations(), annotationClassName); - + Class<?> cls = ClassHelper.getRealClass(object); Map<String, String> rolesMap = new HashMap<String, String>(); + findRoles(cls, rolesMap); + super.setMethodRolesMap(rolesMap); + } + + protected void findRoles(Class<?> cls, Map<String, String> rolesMap) { + if (cls == null || cls == Object.class) { + return; + } + String classRolesAllowed = getRoles(cls.getAnnotations(), annotationClassName); for (Method m : cls.getMethods()) { if (SKIP_METHODS.contains(m.getName())) { continue; @@ -68,10 +76,21 @@ public class SecureAnnotationsIntercepto rolesMap.put(m.getName(), theRoles); } } - super.setMethodRolesMap(rolesMap); + if (!rolesMap.isEmpty()) { + return; + } + + findRoles(cls.getSuperclass(), rolesMap); + + if (!rolesMap.isEmpty()) { + return; + } + for (Class<?> interfaceCls : cls.getInterfaces()) { + findRoles(interfaceCls, rolesMap); + } } - + private String getRoles(Annotation[] anns, String annName) { for (Annotation ann : anns) { if (ann.annotationType().getName().equals(annName)) { Modified: cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java (original) +++ cxf/branches/2.3.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/JAASAuthenticationFilter.java Thu Dec 16 19:00:34 2010 
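Review bot: The new protected method `findRoles(Class<?> cls, Map<String, String> rolesMap)` introduced in this hunk is an extension point for subclasses but has no Javadoc, so the lookup order it implements can only be learned by reading the body across both hunks. Suggested Javadoc: `/** Collects method-name-to-roles entries for {@code cls} into {@code rolesMap}, stopping at the first level (the class itself, then its superclass, then its directly implemented interfaces) that yields at least one entry; {@code null} and {@code Object.class} end the search. */`. The replacement of `object.getClass()` with `ClassHelper.getRealClass(object)` in `setSecuredObject` also deserves a one-line why-comment, e.g. `// resolve the target class so annotations are not hidden behind a proxy — confirm against ClassHelper`, since the helper's behaviour is not visible in this diff. The method loop started here continues past the end of the hunk.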
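Review bot: The `if (!rolesMap.isEmpty()) return;` guard placed after the method loop (and repeated before the interface scan) makes the lookup first-level-wins rather than a merge: a concrete class that annotates even a single method stops the search, so roles declared on its interface or superclass for the remaining methods are never collected and those methods end up with no entry in `rolesMap`. Whether such an unmapped method is then denied or allowed is decided by `SimpleAuthorizingInterceptor`, which is outside this diff, so the intended outcome should at least be stated in a comment next to the first guard. If merging across levels is what CXF-3195 wants, drop both guards and make the put in the loop conditional, `if (!rolesMap.containsKey(m.getName())) { rolesMap.put(m.getName(), theRoles); }`, so the most-derived declaration still wins per method while inherited declarations fill the gaps. The `rolesMap.put` line itself sits in the lines between the two hunks, which are not shown.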
@@ -18,6 +18,7 @@ */ package org.apache.cxf.jaxrs.security; +import java.net.URI; import java.util.Arrays; import java.util.List; @@ -26,6 +27,7 @@ import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.ResponseBuilder; +import javax.ws.rs.core.UriBuilder; import org.apache.cxf.interceptor.security.AuthenticationException; import org.apache.cxf.interceptor.security.JAASLoginInterceptor; @@ -33,6 +35,7 @@ import org.apache.cxf.interceptor.securi import org.apache.cxf.jaxrs.ext.RequestHandler; import org.apache.cxf.jaxrs.impl.HttpHeadersImpl; import org.apache.cxf.jaxrs.model.ClassResourceInfo; +import org.apache.cxf.jaxrs.utils.HttpUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; @@ -42,8 +45,9 @@ public class JAASAuthenticationFilter im private static final List<MediaType> HTML_MEDIA_TYPES = Arrays.asList(MediaType.APPLICATION_XHTML_XML_TYPE, MediaType.TEXT_HTML_TYPE); - private String redirectURI; + private URI redirectURI; private String realmName; + private boolean ignoreBasePath = true; private JAASLoginInterceptor interceptor = new JAASLoginInterceptor() { protected CallbackHandler getCallbackHandler(String name, String password) { @@ -51,6 +55,10 @@ public class JAASAuthenticationFilter im } }; + public void setIgnoreBasePath(boolean ignore) { + this.ignoreBasePath = ignore; + } + public void setContextName(String name) { interceptor.setContextName(name); } @@ -60,7 +68,7 @@ public class JAASAuthenticationFilter im } public void setRedirectURI(String uri) { - this.redirectURI = uri; + this.redirectURI = URI.create(uri); } public void setRealmName(String name) { 
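Review bot: The new `setIgnoreBasePath(boolean ignore)` setter in the `@@ -51,6 +55,10 @@` hunk has no Javadoc, and since it defaults to `true` it silently changes where a relative `redirectURI` resolves for every existing deployment on this fixes branch. Suggested Javadoc: `/** When true (the default), a relative redirectURI is resolved against the endpoint address with the Message.BASE_PATH portion stripped, i.e. relative to the servlet context rather than the JAX-RS endpoint. */`. The same applies to `setRedirectURI(String uri)` in the `@@ -60,7 +68,7 @@` hunk: it now calls `URI.create(uri)`, which throws `IllegalArgumentException` for a malformed value and `NullPointerException` for `null` at configuration time, so add `@throws IllegalArgumentException if {@code uri} is not a valid URI` to its Javadoc.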
@@ -76,14 +84,32 @@ public class JAASAuthenticationFilter im interceptor.handleMessage(m); return null; } catch (AuthenticationException ex) { - return handleSecurityException(ex, new HttpHeadersImpl(m)); + return handleAuthenticationException(ex, m); } } - protected Response handleSecurityException(SecurityException ex, HttpHeaders headers) { + protected Response handleAuthenticationException(AuthenticationException ex, Message m) { + HttpHeaders headers = new HttpHeadersImpl(m); if (redirectURI != null && isRedirectPossible(headers)) { + + URI finalRedirectURI = null; + + if (!redirectURI.isAbsolute()) { + String endpointAddress = HttpUtils.getEndpointAddress(m); + Object basePathProperty = m.get(Message.BASE_PATH); + if (ignoreBasePath && basePathProperty != null && !"/".equals(basePathProperty)) { + int index = endpointAddress.lastIndexOf(basePathProperty.toString()); + if (index != -1) { + endpointAddress = endpointAddress.substring(0, index); + } + } + finalRedirectURI = UriBuilder.fromUri(endpointAddress).path(redirectURI.toString()).build(); + } else { + finalRedirectURI = redirectURI; + } + return Response.status(getRedirectStatus()). 
- header(HttpHeaders.LOCATION, redirectURI).build(); + header(HttpHeaders.LOCATION, finalRedirectURI).build(); } else { ResponseBuilder builder = Response.status(Response.Status.UNAUTHORIZED); Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSJaasSecurityTest.java Thu Dec 16 19:00:34 2010 @@ -47,14 +47,14 @@ public class JAXRSJaasSecurityTest exten @Test public void testJaasInterceptorAuthenticationFailure() throws Exception { String endpointAddress = - "http://localhost:" + PORT + "/jaas/bookstorestorage/thosebooks/123"; + "http://localhost:" + PORT + "/service/jaas/bookstorestorage/thosebooks/123"; getBook(endpointAddress, "foo", "bar1", 401); } @Test public void testGetBookUserAdminJaasInterceptor() throws Exception { String endpointAddress = - "http://localhost:" + PORT + "/jaas/bookstorestorage/thosebooks/123"; + "http://localhost:" + PORT + "/service/jaas/bookstorestorage/thosebooks/123"; getBook(endpointAddress, "foo", "bar", 403); getBook(endpointAddress, "bob", "bobspassword", 200); } 
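Review bot: Renaming the protected hook `handleSecurityException(SecurityException ex, HttpHeaders headers)` to `handleAuthenticationException(AuthenticationException ex, Message m)` on the 2.3.x-fixes branch silently disables any subclass override of the old method: the override still compiles as an unrelated method but is no longer invoked from `handleRequest`, so a customised 401 or redirect response would be replaced by the default one with no compile-time signal. Either keep the old method as a `@Deprecated` hook that the new one still calls for the non-redirect branch, or call out the removed hook explicitly in the commit message. The relative-URI branch builds the `Location` value from `HttpUtils.getEndpointAddress(m)`; if that helper derives the address from the incoming request rather than from configuration, the redirect target becomes request-influenced, which is worth confirming and documenting on the method. The base-path stripping via `endpointAddress.lastIndexOf(basePathProperty.toString())` and `substring(0, index)` only does what the test expects while the base path is the trailing segment of the endpoint address, so a comment such as `// assumes BASE_PATH is the trailing segment of the endpoint address` would help the next reader; the method's `else` branch continues outside the hunk.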
@@ -62,7 +62,7 @@ public class JAXRSJaasSecurityTest exten @Test public void testJaasFilterAuthenticationFailure() throws Exception { String endpointAddress = - "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; + "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123"; WebClient wc = WebClient.create(endpointAddress); wc.accept("text/xml"); wc.header(HttpHeaders.AUTHORIZATION, @@ -77,7 +77,7 @@ public class JAXRSJaasSecurityTest exten @Test public void testJaasFilterAuthenticationFailureWithRedirection() throws Exception { String endpointAddress = - "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; + "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123"; WebClient wc = WebClient.create(endpointAddress); wc.accept("text/xml,text/html"); wc.header(HttpHeaders.AUTHORIZATION, 
@@ -86,14 +86,14 @@ public class JAXRSJaasSecurityTest exten assertEquals(307, r.getStatus()); Object locationHeader = r.getMetadata().getFirst(HttpHeaders.LOCATION); assertNotNull(locationHeader); - assertEquals("http://localhost:" + PORT + "/jaas2/login.jsp", + assertEquals("http://localhost:" + PORT + "/service/login.jsp", locationHeader.toString()); } @Test public void testGetBookUserAdminJaasFilter() throws Exception { String endpointAddress = - "http://localhost:" + PORT + "/jaas2/bookstorestorage/thosebooks/123"; + "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123"; getBook(endpointAddress, "foo", "bar", 403); getBook(endpointAddress, "bob", "bobspassword", 200); } Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java Thu Dec 16 19:00:34 2010 
@@ -56,6 +56,14 @@ public class JAXRSSimpleSecurityTest ext } @Test + public void testGetBookUserAdminWithAnnotationsInterface() throws Exception { + String endpointAddress = + "http://localhost:" + PORT + "/security5/bookstorestorage/thosebooks"; + getBook(endpointAddress, "foo", "bar", 403); + getBook(endpointAddress, "bob", "bobspassword", 200); + } + + @Test public void testGetBookUserAdminWithAnnotationsFilter() throws Exception { String endpointAddress = "http://localhost:" + PORT + "/security4/bookstorestorage/thebook/123"; Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookInterface.java Thu Dec 16 19:00:34 2010 
@@ -46,7 +46,7 @@ public interface SecureBookInterface { @GET @Path("/thosebooks") @Produces("application/xml") - @Secured("ROLE_ADMIN") + @Secured({"ROLE_ADMIN", "ROLE_BOOK_OWNER" }) Book getThatBook() throws BookNotFoundFault; @Path("/subresource") Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecureBookStore.java Thu Dec 16 19:00:34 2010 @@ -66,7 +66,8 @@ public class SecureBookStore implements } public Book getThatBook() throws BookNotFoundFault { - if (securityContext.isUserInRole("ROLE_ADMIN") + if ((securityContext.isUserInRole("ROLE_ADMIN") + || securityContext.isUserInRole("ROLE_BOOK_OWNER")) && !securityContext.isUserInRole("ROLE_BAZ")) { return books.get(123L); } Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_jaas_security/WEB-INF/web.xml Thu Dec 16 19:00:34 2010 
@@ -44,7 +44,7 @@ <servlet-mapping> <servlet-name>CXFServlet</servlet-name> - <url-pattern>/*</url-pattern> + <url-pattern>/service/*</url-pattern> </servlet-mapping> </web-app> <!-- END SNIPPET: webxml --> Modified: cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml?rev=1050097&r1=1050096&r2=1050097&view=diff ============================================================================== --- cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml (original) +++ cxf/branches/2.3.x-fixes/systests/jaxrs/src/test/resources/jaxrs_simple_security/WEB-INF/beans.xml Thu Dec 16 19:00:34 2010 @@ -80,6 +80,20 @@ http://cxf.apache.org/schemas/jaxrs.xsd" </jaxrs:providers> </jaxrs:server> + + <jaxrs:server id="bookservice5" + address="/security5"> + <jaxrs:serviceBeans> + <ref bean="securedObjectWithInterface"/> + </jaxrs:serviceBeans> + <jaxrs:inInterceptors> + <ref bean="annotationsInterceptor2"/> + </jaxrs:inInterceptors> + <jaxrs:outFaultInterceptors> + <bean class="org.apache.cxf.systest.jaxrs.security.SecurityOutFaultInterceptor"/> + </jaxrs:outFaultInterceptors> + </jaxrs:server> + <bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"> <property name="methodRolesMap" ref="rolesMap"/> </bean> 
@@ -88,7 +102,15 @@ http://cxf.apache.org/schemas/jaxrs.xsd" <property name="securedObject" ref="securedObject"/> </bean> + <bean id="annotationsInterceptor2" + class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor"> + <property name="annotationClassName" + value="org.springframework.security.annotation.Secured"/> + <property name="securedObject" ref="securedObjectWithInterface"/> + </bean> + <bean id="securedObject" class="org.apache.cxf.systest.jaxrs.security.SecureBookStoreNoInterface"/> + <bean id="securedObjectWithInterface" class="org.apache.cxf.systest.jaxrs.security.SecureBookStore"/> <bean id="authorizationFilter" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter"> <property name="methodRolesMap" ref="rolesMap"/>