Author: scottbw
Date: Sun Nov 6 21:41:58 2011
New Revision: 1198571
URL: http://svn.apache.org/viewvc?rev=1198571&view=rev
Log:
Moved authorization code from inside servlets into an AuthorizationFilter
configured in web.xml. This gives us more configuration options, e.g. the
ability to more easily extend our authz options (e.g. adding two-legged oAuth),
separates concerns more cleanly, and reduces code duplication.
Added:
incubator/wookie/trunk/src/org/apache/wookie/server/security/
incubator/wookie/trunk/src/org/apache/wookie/server/security/AuthorizationFilter.java
Modified:
incubator/wookie/trunk/WebContent/WEB-INF/web.xml
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/ParticipantsControllerTest.java
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/PropertiesControllerTest.java
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/WidgetInstancesControllerTest.java
incubator/wookie/trunk/src/org/apache/wookie/WidgetServiceServlet.java
incubator/wookie/trunk/src/org/apache/wookie/controller/ParticipantsController.java
incubator/wookie/trunk/src/org/apache/wookie/controller/PropertiesController.java
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
incubator/wookie/trunk/src/org/apache/wookie/flatpack/FlatpackController.java
incubator/wookie/trunk/src/org/apache/wookie/helpers/WidgetKeyManager.java
Modified: incubator/wookie/trunk/WebContent/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/WebContent/WEB-INF/web.xml?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
--- incubator/wookie/trunk/WebContent/WEB-INF/web.xml (original)
+++ incubator/wookie/trunk/WebContent/WEB-INF/web.xml Sun Nov 6 21:41:58 2011
@@ -322,9 +322,34 @@
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
- <!--****************** SECURITY SECTION ************************
- uncomment to enable password protection on admin pages
- -->
+ <!--****************** SECURITY SECTION ************************-->
+
+ <!-- Use Authorization Filter for REST API -->
+ <filter>
+ <filter-name>AuthorizationFilter</filter-name>
+
<filter-class>org.apache.wookie.server.security.AuthorizationFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>WidgetInstancesServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>PropertiesServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>ParticipantServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>WidgetServiceServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>Flatpack</servlet-name>
+ </filter-mapping>
+
<security-constraint>
<web-resource-collection>
<web-resource-name>Widget Admin
Section</web-resource-name>
Modified:
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/ParticipantsControllerTest.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/ParticipantsControllerTest.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/ParticipantsControllerTest.java
(original)
+++
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/ParticipantsControllerTest.java
Sun Nov 6 21:41:58 2011
@@ -148,7 +148,7 @@ public class ParticipantsControllerTest
+ WIDGET_ID_VALID + "&userid=test&shareddatakey=participantstest");
client.executeMethod(post);
int code = post.getStatusCode();
- assertEquals(401, code);
+ assertEquals(403, code);
post.releaseConnection();
}
@@ -249,7 +249,7 @@ public class ParticipantsControllerTest
+ WIDGET_ID_VALID + "&userid=test&shareddatakey=participantstest");
client.executeMethod(post);
int code = post.getStatusCode();
- assertEquals(401, code);
+ assertEquals(403, code);
post.releaseConnection();
}
Modified:
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/PropertiesControllerTest.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/PropertiesControllerTest.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/PropertiesControllerTest.java
(original)
+++
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/PropertiesControllerTest.java
Sun Nov 6 21:41:58 2011
@@ -336,7 +336,7 @@ public class PropertiesControllerTest ex
+ "&userid=test&shareddatakey=propstest&propertyname=cat");
client.executeMethod(get);
int code = get.getStatusCode();
- assertEquals(401, code);
+ assertEquals(403, code);
get.releaseConnection();
}
Modified:
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/WidgetInstancesControllerTest.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/WidgetInstancesControllerTest.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/WidgetInstancesControllerTest.java
(original)
+++
incubator/wookie/trunk/src-tests/org/apache/wookie/tests/functional/WidgetInstancesControllerTest.java
Sun Nov 6 21:41:58 2011
@@ -243,7 +243,7 @@ public class WidgetInstancesControllerTe
+ WIDGET_ID_VALID + "&userid=test&shareddatakey=test");
client.executeMethod(post);
int code = post.getStatusCode();
- assertEquals(401, code);
+ assertEquals(403, code);
post.releaseConnection();
}
Modified: incubator/wookie/trunk/src/org/apache/wookie/WidgetServiceServlet.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/WidgetServiceServlet.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
--- incubator/wookie/trunk/src/org/apache/wookie/WidgetServiceServlet.java
(original)
+++ incubator/wookie/trunk/src/org/apache/wookie/WidgetServiceServlet.java Sun
Nov 6 21:41:58 2011
@@ -53,9 +53,6 @@ public class WidgetServiceServlet extend
* @see javax.servlet.http.HttpServlet#doGet(HttpServletRequest
request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse
response){
- if (!WidgetKeyManager.isValidRequest(request)){
-
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- } else {
try {
String requestId =
request.getParameter("requestid"); //$NON-NLS-1$
if(requestId.equals("getwidget")){ //$NON-NLS-1$
@@ -108,7 +105,6 @@ public class WidgetServiceServlet extend
catch (Exception ex) {
_logger.error("Error in doGet():", ex);
//$NON-NLS-1$
}
- }
}
/* (non-Javadoc)
Modified:
incubator/wookie/trunk/src/org/apache/wookie/controller/ParticipantsController.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/controller/ParticipantsController.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src/org/apache/wookie/controller/ParticipantsController.java
(original)
+++
incubator/wookie/trunk/src/org/apache/wookie/controller/ParticipantsController.java
Sun Nov 6 21:41:58 2011
@@ -31,7 +31,6 @@ import org.apache.wookie.exceptions.Reso
import org.apache.wookie.exceptions.UnauthorizedAccessException;
import org.apache.wookie.helpers.Notifier;
import org.apache.wookie.helpers.ParticipantHelper;
-import org.apache.wookie.helpers.WidgetKeyManager;
/**
* Implementation of the REST API for working with Participants. For a
description of the methods implemented by this controller see
@@ -70,7 +69,6 @@ public class ParticipantsController exte
@Override
public void show(String resourceId,HttpServletRequest request,
HttpServletResponse response) throws
UnauthorizedAccessException,ResourceNotFoundException, IOException{
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
if (instance == null) throw new ResourceNotFoundException();
IParticipant[] participants = new
SharedContext(instance).getParticipants();
@@ -96,7 +94,6 @@ public class ParticipantsController exte
public static boolean create(HttpServletRequest request)
throws ResourceDuplicationException,
InvalidParametersException,
UnauthorizedAccessException {
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
if (instance == null) throw new InvalidParametersException();
@@ -131,7 +128,6 @@ public class ParticipantsController exte
public static boolean remove(HttpServletRequest request)
throws ResourceNotFoundException,
UnauthorizedAccessException,
InvalidParametersException {
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
if (instance == null) throw new InvalidParametersException();
HttpSession session = request.getSession(true);
Modified:
incubator/wookie/trunk/src/org/apache/wookie/controller/PropertiesController.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/controller/PropertiesController.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src/org/apache/wookie/controller/PropertiesController.java
(original)
+++
incubator/wookie/trunk/src/org/apache/wookie/controller/PropertiesController.java
Sun Nov 6 21:41:58 2011
@@ -33,7 +33,6 @@ import org.apache.wookie.exceptions.Reso
import org.apache.wookie.exceptions.ResourceNotFoundException;
import org.apache.wookie.exceptions.UnauthorizedAccessException;
import org.apache.wookie.helpers.Notifier;
-import org.apache.wookie.helpers.WidgetKeyManager;
/**
* REST implementation for widgetInstance
@@ -81,7 +80,6 @@ public class PropertiesController extend
protected void show(String resourceId, HttpServletRequest request,
HttpServletResponse response) throws
ResourceNotFoundException,
UnauthorizedAccessException, IOException {
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
if (instance == null) throw new ResourceNotFoundException();
String name = request.getParameter("propertyname");
//$NON-NLS-1$
@@ -101,7 +99,6 @@ public class PropertiesController extend
@Override
protected boolean remove(String resourceId, HttpServletRequest request)
throws
ResourceNotFoundException,UnauthorizedAccessException,InvalidParametersException
{
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
if (request.getParameter("value") != null) throw new
InvalidParametersException();//$NON-NLS-1$
String name = request.getParameter("propertyname");
//$NON-NLS-1$
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
@@ -142,7 +139,6 @@ public class PropertiesController extend
*/
public static void createOrUpdate(HttpServletRequest request)
throws InvalidParametersException,UnauthorizedAccessException {
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
String name = request.getParameter("propertyname");
//$NON-NLS-1$
String value = request.getParameter("propertyvalue");
//$NON-NLS-1$
IWidgetInstance instance =
WidgetInstancesController.findWidgetInstance(request);
Modified:
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
(original)
+++
incubator/wookie/trunk/src/org/apache/wookie/controller/WidgetInstancesController.java
Sun Nov 6 21:41:58 2011
@@ -44,7 +44,6 @@ import org.apache.wookie.helpers.Notifie
import org.apache.wookie.helpers.SharedDataHelper;
import org.apache.wookie.helpers.WidgetInstanceFactory;
import org.apache.wookie.helpers.WidgetInstanceHelper;
-import org.apache.wookie.helpers.WidgetKeyManager;
import org.apache.wookie.server.LocaleHandler;
import org.apache.wookie.w3c.util.LocalizationUtils;
@@ -73,11 +72,7 @@ public class WidgetInstancesController e
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse
response)
throws ServletException, IOException {
- if (!WidgetKeyManager.isValidRequest(request)){
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- } else {
doGetOrCreateWidget(request, response);
- }
}
/* (non-Javadoc)
@@ -89,9 +84,6 @@ public class WidgetInstancesController e
*/
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException{
- if (!WidgetKeyManager.isValidRequest(request)){
- response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- } else {
try {
String resourceId = getResourceId(request);
String requestId = request.getParameter("requestid");
//$NON-NLS-1$
@@ -117,7 +109,6 @@ public class WidgetInstancesController e
} catch (Exception ex) {
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
- }
}
/// Implementation
@@ -152,8 +143,6 @@ public class WidgetInstancesController e
protected void update(String resourceId, HttpServletRequest request)
throws ResourceNotFoundException, InvalidParametersException,
UnauthorizedAccessException {
- if (!WidgetKeyManager.isValidRequest(request))
- throw new UnauthorizedAccessException();
String requestId = request.getParameter("requestid"); //$NON-NLS-1$
if (requestId == null || requestId.equals(""))
throw new InvalidParametersException();
Modified:
incubator/wookie/trunk/src/org/apache/wookie/flatpack/FlatpackController.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/flatpack/FlatpackController.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
---
incubator/wookie/trunk/src/org/apache/wookie/flatpack/FlatpackController.java
(original)
+++
incubator/wookie/trunk/src/org/apache/wookie/flatpack/FlatpackController.java
Sun Nov 6 21:41:58 2011
@@ -31,7 +31,6 @@ import org.apache.wookie.controller.Widg
import org.apache.wookie.exceptions.InvalidParametersException;
import org.apache.wookie.exceptions.ResourceNotFoundException;
import org.apache.wookie.exceptions.UnauthorizedAccessException;
-import org.apache.wookie.helpers.WidgetKeyManager;
/**
* Controller for the Flatpack/exports API
@@ -198,7 +197,6 @@ public class FlatpackController extends
* @throws InvalidParametersException if there is no valid widget
instance
*/
private String createFlatpack(HttpServletRequest request) throws
UnauthorizedAccessException, InvalidParametersException{
- if (!WidgetKeyManager.isValidRequest(request)) throw new
UnauthorizedAccessException();
String path;
try {
//
Modified:
incubator/wookie/trunk/src/org/apache/wookie/helpers/WidgetKeyManager.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/helpers/WidgetKeyManager.java?rev=1198571&r1=1198570&r2=1198571&view=diff
==============================================================================
--- incubator/wookie/trunk/src/org/apache/wookie/helpers/WidgetKeyManager.java
(original)
+++ incubator/wookie/trunk/src/org/apache/wookie/helpers/WidgetKeyManager.java
Sun Nov 6 21:41:58 2011
@@ -104,38 +104,6 @@ public class WidgetKeyManager{
}
/**
- * Check if the given key is valid
- * @param key the api key supplied with the request
- * @return true if valid, otherwise false
- */
- public static boolean isValid(String key) {
- // No key/n
- if (key == null) {
- _logger.info("No API key supplied");
- return false;
- }
-
- // Empty key/empty origin
- if (key.trim().equals("")) return false; //$NON-NLS-1$
- IPersistenceManager persistenceManager =
PersistenceManagerFactory.getPersistenceManager();
- IApiKey[] apiKey =
persistenceManager.findByValue(IApiKey.class, "value", key);
- if (apiKey == null || apiKey.length !=1) {
- _logger.info("Invalid API key supplied: " + key);
- return false;
- }
- return true;
- }
-
- /**
- * Checks if the given request is accompanied by a valid API key
- * @param request
- * @return true if valid, otherwise false
- */
- public static boolean isValidRequest(HttpServletRequest request) {
- return isValid(request.getParameter("api_key")); //$NON-NLS-1$
- }
-
- /**
* Send email.
*
* @param mailserver - the SMTP mail server address
Added:
incubator/wookie/trunk/src/org/apache/wookie/server/security/AuthorizationFilter.java
URL:
http://svn.apache.org/viewvc/incubator/wookie/trunk/src/org/apache/wookie/server/security/AuthorizationFilter.java?rev=1198571&view=auto
==============================================================================
---
incubator/wookie/trunk/src/org/apache/wookie/server/security/AuthorizationFilter.java
(added)
+++
incubator/wookie/trunk/src/org/apache/wookie/server/security/AuthorizationFilter.java
Sun Nov 6 21:41:58 2011
@@ -0,0 +1,158 @@
+/*
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.wookie.server.security;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.log4j.Logger;
+import org.apache.wookie.beans.IApiKey;
+import org.apache.wookie.beans.util.IPersistenceManager;
+import org.apache.wookie.beans.util.PersistenceManagerFactory;
+
+/**
+ * Authorization Filter for API Requests
+ */
+public class AuthorizationFilter implements Filter {
+
+ static Logger _logger =
Logger.getLogger(AuthorizationFilter.class.getName());
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+ */
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
+ * javax.servlet.ServletResponse, javax.servlet.FilterChain)
+ */
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+
+ //
+ // Check for exceptions
+ //
+ if (isException((HttpServletRequest) request)) {
+ chain.doFilter(request, response);
+ return;
+ }
+
+ //
+ // Choose the authorization method required
+ //
+ boolean isAuthorized =
this.isAuthorizedUsingPlainMessaging((HttpServletRequest) request);
+
+ //
+ // return 403 if not authorised, otherwise continue
+ //
+ if (!isAuthorized) {
+ ((HttpServletResponse) response)
+ .sendError(HttpServletResponse.SC_FORBIDDEN);
+ } else {
+ chain.doFilter(request, response);
+ }
+ }
+
+ /*
+ * (non-Javadoc)
+ *
+ * @see javax.servlet.Filter#destroy()
+ */
+ public void destroy() {
+ }
+
+ /**
+ * Returns true if the request is an exception - i.e. an open request type
+ * against one of the mapped servlets
+ *
+ * @param request
+ * @return true if the request should be allowed as an exception, false if it
+ * should be processed normally
+ */
+ private boolean isException(HttpServletRequest request) {
+ if (request.getServletPath().equalsIgnoreCase("flatpack")
+ && request.getMethod().equals("GET"))
+ return true;
+ return false;
+ }
+
+ /**
+ * Checks if the given request is accompanied by a valid API key
+ *
+ * @param request
+ * @return true if valid, otherwise false
+ */
+ private boolean isAuthorizedUsingPlainMessaging(HttpServletRequest request) {
+
+ //
+ // Verify the API key exists
+ //
+ String key = request.getParameter("api_key");
+
+ //
+ // No key
+ //
+ if (key == null || key.trim().equals("")) {
+ _logger.info("No API key supplied");
+ return false;
+ }
+
+ //
+ // Look up the key
+ //
+ return isRegistered(key);
+ }
+
+ /**
+ * Looks up an API key
+ * @param apiKey
+ * @return true if the API key is registered, false otherwise
+ */
+ private boolean isRegistered(String apiKey){
+
+ //
+ // Key not found
+ //
+ IPersistenceManager persistenceManager =
PersistenceManagerFactory.getPersistenceManager();
+ IApiKey[] apiKeyBean = persistenceManager.findByValue(IApiKey.class,
"value", apiKey);
+ if (apiKeyBean == null || apiKeyBean.length != 1) {
+ _logger.info("Invalid API key supplied: " + apiKey);
+ return false;
+ }
+
+ //
+ // Key valid
+ //
+ return true;
+
+ }
+
+}
