Posted to commits@openwebbeans.apache.org by rm...@apache.org on 2016/11/01 17:59:22 UTC
svn commit: r1767534 - in /openwebbeans/microwave/trunk/microwave-core/src:
main/java/org/apache/microwave/ main/java/org/apache/microwave/openwebbeans/
main/resources/META-INF/openwebbeans/ test/java/org/apache/microwave/
test/java/org/superbiz/app/
Author: rmannibucau
Date: Tue Nov 1 17:59:22 2016
New Revision: 1767534
URL: http://svn.apache.org/viewvc?rev=1767534&view=rev
Log:
testing and fixing security setup
Added:
openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/openwebbeans/MicrowaveSecurityService.java
openwebbeans/microwave/trunk/microwave-core/src/test/java/org/apache/microwave/PrincipalTest.java
Modified:
openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/Microwave.java
openwebbeans/microwave/trunk/microwave-core/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
openwebbeans/microwave/trunk/microwave-core/src/test/java/org/superbiz/app/Endpoint.java
Modified: openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/Microwave.java
URL: http://svn.apache.org/viewvc/openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/Microwave.java?rev=1767534&r1=1767533&r2=1767534&view=diff
==============================================================================
--- openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/Microwave.java (original)
+++ openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/Microwave.java Tue Nov 1 17:59:22 2016
@@ -188,14 +188,13 @@ public class Microwave implements AutoCl
}
ctx.setJarScanner(jarScanner);
});
- ctx.addLifecycleListener(new Tomcat.FixContextListener());
ctx.addLifecycleListener(new MicrowaveContextConfig(configuration));
ctx.addLifecycleListener(event -> {
switch (event.getType()) {
case Lifecycle.AFTER_START_EVENT:
ctx.getResources().setCachingAllowed(configuration.webResourceCached);
break;
- case Lifecycle.BEFORE_START_EVENT:
+ case Lifecycle.BEFORE_INIT_EVENT:
if (configuration.loginConfig != null) {
ctx.setLoginConfig(configuration.loginConfig.build());
}
@@ -210,6 +209,7 @@ public class Microwave implements AutoCl
}
});
+ ctx.addLifecycleListener(new Tomcat.FixContextListener()); // after having configured the security!!!
ctx.addServletContainerInitializer((c, ctx1) -> {
ctx.getServletContext().setAttribute("microwave.configuration", configuration);
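Review bot: The comment on the re-added `ctx.addLifecycleListener(new Tomcat.FixContextListener());` line says only that it must follow the security setup, not what breaks otherwise, so a later refactor can easily reorder it again. As far as I know, `FixContextListener` falls back to a `NONE` login config with a non-login authenticator when the context has no `LoginConfig` at configure-start. A misordered registration would therefore silently leave the configured login method unused rather than fail. I would replace the comment with `// keep last: FixContextListener installs a NONE login config if none is set yet, which would override configuration.loginConfig`. A one-line comment on the `case Lifecycle.BEFORE_INIT_EVENT:` change in the first hunk should explain why the login config has to be applied that early. The listener body continues outside both hunks.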
@@ -973,6 +973,11 @@ public class Microwave implements AutoCl
return loginConfig;
}
+ public Builder loginConfig(final LoginConfigBuilder loginConfig) {
+ setLoginConfig(loginConfig);
+ return this;
+ }
+
public void setLoginConfig(final LoginConfigBuilder loginConfig) {
this.loginConfig = loginConfig;
}
@@ -981,6 +986,12 @@ public class Microwave implements AutoCl
return securityConstraints;
}
+ public Builder securityConstraints(final SecurityConstaintBuilder securityConstraint) {
+ securityConstraints = securityConstraints == null ? new ArrayList<>() : securityConstraints;
+ securityConstraints.add(securityConstraint);
+ return this;
+ }
+
public void setSecurityConstraints(final Collection<SecurityConstaintBuilder> securityConstraints) {
this.securityConstraints = securityConstraints;
}
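Review bot: The new `securityConstraints(...)` builder method calls `add` on whatever collection `setSecurityConstraints` stored earlier. A caller that passed an unmodifiable or fixed-size collection gets an `UnsupportedOperationException`, and a mutable one is changed behind the caller's back. Copying before appending avoids both: `securityConstraints = securityConstraints == null ? new ArrayList<>() : new ArrayList<>(securityConstraints);`. The method also takes a single constraint under a plural name, so a short Javadoc such as `/** Appends one constraint; call repeatedly to add several. */` would make the contract clear.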
@@ -989,6 +1000,11 @@ public class Microwave implements AutoCl
return realm;
}
+ public Builder realm(final Realm realm) {
+ setRealm(realm);
+ return this;
+ }
+
public void setRealm(final Realm realm) {
this.realm = realm;
}
Added: openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/openwebbeans/MicrowaveSecurityService.java
URL: http://svn.apache.org/viewvc/openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/openwebbeans/MicrowaveSecurityService.java?rev=1767534&view=auto
==============================================================================
--- openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/openwebbeans/MicrowaveSecurityService.java (added)
+++ openwebbeans/microwave/trunk/microwave-core/src/main/java/org/apache/microwave/openwebbeans/MicrowaveSecurityService.java Tue Nov 1 17:59:22 2016
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.microwave.openwebbeans;
+
+import org.apache.webbeans.corespi.security.ManagedSecurityService;
+import org.apache.webbeans.spi.SecurityService;
+
+import javax.enterprise.inject.spi.BeanManager;
+import javax.enterprise.inject.spi.CDI;
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.AccessibleObject;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.util.Properties;
+
+public class MicrowaveSecurityService implements SecurityService {
+ private final SecurityService securityService = new ManagedSecurityService();
+
+ @Override // reason of that class
+ public Principal getCurrentPrincipal() {
+ return new MicrowavePrincipal();
+ }
+
+ @Override
+ public <T> Constructor<T> doPrivilegedGetDeclaredConstructor(final Class<T> aClass, final Class<?>... classes) {
+ return securityService.doPrivilegedGetDeclaredConstructor(aClass, classes);
+ }
+
+ @Override
+ public <T> Constructor<T> doPrivilegedGetConstructor(final Class<T> aClass, final Class<?>... classes) {
+ return securityService.doPrivilegedGetConstructor(aClass, classes);
+ }
+
+ @Override
+ public <T> Constructor<?>[] doPrivilegedGetDeclaredConstructors(final Class<T> aClass) {
+ return securityService.doPrivilegedGetDeclaredConstructors(aClass);
+ }
+
+ @Override
+ public <T> Method doPrivilegedGetDeclaredMethod(final Class<T> aClass, final String s, final Class<?>... classes) {
+ return securityService.doPrivilegedGetDeclaredMethod(aClass, s, classes);
+ }
+
+ @Override
+ public <T> Method[] doPrivilegedGetDeclaredMethods(final Class<T> aClass) {
+ return securityService.doPrivilegedGetDeclaredMethods(aClass);
+ }
+
+ @Override
+ public <T> Field doPrivilegedGetDeclaredField(final Class<T> aClass, final String s) {
+ return securityService.doPrivilegedGetDeclaredField(aClass, s);
+ }
+
+ @Override
+ public <T> Field[] doPrivilegedGetDeclaredFields(final Class<T> aClass) {
+ return securityService.doPrivilegedGetDeclaredFields(aClass);
+ }
+
+ @Override
+ public void doPrivilegedSetAccessible(final AccessibleObject accessibleObject, final boolean b) {
+ securityService.doPrivilegedSetAccessible(accessibleObject, b);
+ }
+
+ @Override
+ public boolean doPrivilegedIsAccessible(final AccessibleObject accessibleObject) {
+ return securityService.doPrivilegedIsAccessible(accessibleObject);
+ }
+
+ @Override
+ public <T> T doPrivilegedObjectCreate(final Class<T> aClass) throws PrivilegedActionException, IllegalAccessException, InstantiationException {
+ return securityService.doPrivilegedObjectCreate(aClass);
+ }
+
+ @Override
+ public void doPrivilegedSetSystemProperty(final String s, final String s1) {
+ securityService.doPrivilegedSetSystemProperty(s, s1);
+ }
+
+ @Override
+ public String doPrivilegedGetSystemProperty(final String s, final String s1) {
+ return securityService.doPrivilegedGetSystemProperty(s, s1);
+ }
+
+ @Override
+ public Properties doPrivilegedGetSystemProperties() {
+ return securityService.doPrivilegedGetSystemProperties();
+ }
+
+ // ensure it is contextual
+ public static class MicrowavePrincipal implements Principal {
+ @Override
+ public String getName() {
+ return unwrap().getName();
+ }
+
+ public /*ensure user can cast it to get the actual instance*/ Principal unwrap() {
+ final BeanManager beanManager = CDI.current().getBeanManager();
+ return HttpServletRequest.class.cast(
+ beanManager.getReference(
+ beanManager.resolve(beanManager.getBeans(HttpServletRequest.class)), HttpServletRequest.class,
+ beanManager.createCreationalContext(null)))
+ .getUserPrincipal();
+ }
+ }
+}
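Review bot: `getCurrentPrincipal()` always returns a non-null `MicrowavePrincipal`, even for an unauthenticated request, so any caller that treats a non-null principal as "a user is logged in" is misled. `getName()` then throws a NullPointerException in that case, because `unwrap()` passes through the null from `getUserPrincipal()`. At minimum guard the delegate in `getName()`: `final Principal delegate = unwrap(); return delegate == null ? null : delegate.getName();`. The wrapper also inherits identity `equals`/`hashCode`, so comparing it with the realm's principal fails unless the caller uses `unwrap()` first. A class Javadoc should state that, along with the fact that the lookup depends on `CDI.current()` and a resolvable `HttpServletRequest` bean, in place of the terse `// ensure it is contextual`.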
Modified: openwebbeans/microwave/trunk/microwave-core/src/main/resources/META-INF/openwebbeans/openwebbeans.properties
URL: http://svn.apache.org/viewvc/openwebbeans/microwave/trunk/microwave-core/src/main/resources/META-INF/openwebbeans/openwebbeans.properties?rev=1767534&r1=1767533&r2=1767534&view=diff
==============================================================================
--- openwebbeans/microwave/trunk/microwave-core/src/main/resources/META-INF/openwebbeans/openwebbeans.properties (original)
+++ openwebbeans/microwave/trunk/microwave-core/src/main/resources/META-INF/openwebbeans/openwebbeans.properties Tue Nov 1 17:59:22 2016
@@ -17,3 +17,4 @@
configuration.ordinal=1000
org.apache.xbean.finder.filter.Filter=org.apache.microwave.openwebbeans.KnowClassesFilter
org.apache.webbeans.spi.ScannerService=org.apache.microwave.openwebbeans.OWBTomcatWebScannerService
+org.apache.webbeans.spi.SecurityService=org.apache.microwave.openwebbeans.MicrowaveSecurityService
Added: openwebbeans/microwave/trunk/microwave-core/src/test/java/org/apache/microwave/PrincipalTest.java
URL: http://svn.apache.org/viewvc/openwebbeans/microwave/trunk/microwave-core/src/test/java/org/apache/microwave/PrincipalTest.java?rev=1767534&view=auto
==============================================================================
--- openwebbeans/microwave/trunk/microwave-core/src/test/java/org/apache/microwave/PrincipalTest.java (added)
+++ openwebbeans/microwave/trunk/microwave-core/src/test/java/org/apache/microwave/PrincipalTest.java Tue Nov 1 17:59:22 2016
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.microwave;
+
+import org.apache.catalina.realm.RealmBase;
+import org.apache.microwave.io.IO;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
+import java.security.Principal;
+
+import static javax.xml.bind.DatatypeConverter.printBase64Binary;
+import static org.junit.Assert.assertEquals;
+
+public class PrincipalTest {
+ @Test
+ public void run() throws IOException {
+ try (final Microwave container = new Microwave(new Microwave.Builder()
+ .randomHttpPort()
+ .realm(new RealmBase() {
+ @Override
+ protected String getName() {
+ return "test";
+ }
+
+ @Override
+ protected String getPassword(final String username) {
+ return "foo".equals(username) ? "pwd" : null;
+ }
+
+ @Override
+ protected Principal getPrincipal(final String username) {
+ return new MyPrincipal(username);
+ }
+ }).loginConfig(new Microwave.LoginConfigBuilder()
+ .basic()
+ .realmName("basic realm"))
+ .securityConstraints(new Microwave.SecurityConstaintBuilder()
+ .authConstraint(true)
+ .addAuthRole("**")
+ .addCollection("secured", "/*")))
+ .bake()) {
+ assertEquals(
+ "org.apache.microwave.PrincipalTest$MyPrincipal_foo org.apache.webbeans.custom.security.Principal_foo",
+ slurp(new URL("http://localhost:" + container.getConfiguration().getHttpPort() + "/api/test/principal")));
+ }
+ }
+
+ private String slurp(final URL url) throws IOException {
+ final URLConnection is = HttpURLConnection.class.cast(url.openConnection());
+ is.setRequestProperty("Authorization", "Basic " + printBase64Binary("foo:pwd".getBytes(StandardCharsets.UTF_8)));
+ return IO.toString(is.getInputStream());
+ }
+
+ private static class MyPrincipal implements Principal {
+ private final String name;
+
+ private MyPrincipal(final String username) {
+ this.name = username;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+ }
+}
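Review bot: `run()` only exercises the authenticated happy path, so it would still pass if the `/*` constraint were never enforced and the endpoint were reachable anonymously. That is the very failure mode the listener reordering in `Microwave.java` is meant to prevent. I would add negative assertions inside the same `try` block, one for a request without credentials and one with a wrong password, each expecting a 401 before the existing principal check. Separately, `slurp` names its `URLConnection` variable `is` and never closes the stream it reads; renaming it and closing the stream would tidy the helper.

```java
// … unchanged: container setup with the realm, BASIC login config and the "/*" constraint …
final URL url = new URL("http://localhost:" + container.getConfiguration().getHttpPort() + "/api/test/principal");

// no credentials: the constraint must reject the request
final HttpURLConnection anonymous = HttpURLConnection.class.cast(url.openConnection());
assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, anonymous.getResponseCode());

// wrong password for a known user: the realm must reject it
final HttpURLConnection wrongPassword = HttpURLConnection.class.cast(url.openConnection());
wrongPassword.setRequestProperty("Authorization", "Basic " + printBase64Binary("foo:wrong".getBytes(StandardCharsets.UTF_8)));
assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, wrongPassword.getResponseCode());
// … unchanged: authenticated assertEquals on the principal string …
```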
Modified: openwebbeans/microwave/trunk/microwave-core/src/test/java/org/superbiz/app/Endpoint.java
URL: http://svn.apache.org/viewvc/openwebbeans/microwave/trunk/microwave-core/src/test/java/org/superbiz/app/Endpoint.java?rev=1767534&r1=1767533&r2=1767534&view=diff
==============================================================================
--- openwebbeans/microwave/trunk/microwave-core/src/test/java/org/superbiz/app/Endpoint.java (original)
+++ openwebbeans/microwave/trunk/microwave-core/src/test/java/org/superbiz/app/Endpoint.java Tue Nov 1 17:59:22 2016
@@ -20,11 +20,13 @@ package org.superbiz.app;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
+import java.security.Principal;
import static java.util.Optional.ofNullable;
@@ -34,6 +36,12 @@ public class Endpoint {
@Inject
private Injectable injectable;
+ @Inject
+ private Principal pcp;
+
+ @Inject
+ private HttpServletRequest request;
+
@GET
@Produces(MediaType.TEXT_PLAIN)
public String simple(@QueryParam("checkcustom") final String query) {
@@ -47,6 +55,15 @@ public class Endpoint {
return new Simple("test");
}
+
+ @GET
+ @Path("principal")
+ @Produces(MediaType.TEXT_PLAIN)
+ public String principal() {
+ return request.getUserPrincipal().getClass().getName() + "_" + request.getUserPrincipal().getName() + " " +
+ pcp.getClass().getName().replaceAll("\\$\\$OwbNormalScopeProxy[0-9]+", "") + "_" + pcp.getName();
+ }
+
public static class Simple {
private String name;