Posted to commits@cxf.apache.org by se...@apache.org on 2014/07/09 15:24:37 UTC
git commit: [CXF-5864] Optional support for anonymous users
Repository: cxf
Updated Branches:
refs/heads/master badfac577 -> 38a9b6614
[CXF-5864] Optional support for anonymous users
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/38a9b661
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/38a9b661
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/38a9b661
Branch: refs/heads/master
Commit: 38a9b6614c4c28014710eb47c40d77c8adf54071
Parents: badfac5
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Wed Jul 9 14:24:18 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Wed Jul 9 14:24:18 2014 +0100
----------------------------------------------------------------------
.../AbstractAuthorizingInInterceptor.java | 18 ++++++++++++++--
.../OperationInfoAuthorizingInterceptor.java | 15 ++++++++++---
.../SimpleAuthorizingInterceptorTest.java | 22 ++++++++++++++++++--
3 files changed, 48 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/38a9b661/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java b/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
index 11f6b31..d4f22f1 100644
--- a/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
+++ b/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
@@ -38,21 +38,24 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthorizingInInterceptor.class);
private static final String ALL_ROLES = "*";
-
+ private boolean allowAnonymousUsers = true;
public AbstractAuthorizingInInterceptor() {
super(Phase.PRE_INVOKE);
}
public void handleMessage(Message message) throws Fault {
+ Method method = getTargetMethod(message);
SecurityContext sc = message.get(SecurityContext.class);
if (sc != null && sc.getUserPrincipal() != null) {
- Method method = getTargetMethod(message);
if (authorize(sc, method)) {
return;
}
+ } else if (!isMethodProtected(method) && isAllowAnonymousUsers()) {
+ return;
}
+
throw new AccessDeniedException("Unauthorized");
}
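Review bot: The new `allowAnonymousUsers` field defaults to `true`, so after this hunk any method without configured expected or deny roles becomes invocable with no SecurityContext at all, whereas the old handleMessage denied every request lacking a user principal regardless of role configuration; deployments that relied on this interceptor as a blanket authentication gate lose that guarantee silently on upgrade. Consider opting in rather than out, `private boolean allowAnonymousUsers;`, or at minimum state the default and its effect in the class Javadoc and release notes. Moving `getTargetMethod(message)` ahead of the principal check also means unauthenticated requests now reach method resolution that previously ran only for authenticated callers; if that lookup can fail with something other than AccessDeniedException, the failure mode for anonymous requests changes, which is worth confirming. The same default governs the new `else if` at L92 in OperationInfoAuthorizingInterceptor.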
@@ -87,6 +90,9 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
}
return false;
}
+ protected boolean isMethodProtected(Method method) {
+ return !getExpectedRoles(method).isEmpty() || !getDenyRoles(method).isEmpty();
+ }
protected boolean isUserInRole(SecurityContext sc, List<String> roles, boolean deny) {
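Review bot: `isMethodProtected` now decides whether an unauthenticated caller is let through, yet it has no Javadoc and its notion of "protected" is only that one of the two role lists is non-empty. That presumably mirrors how `authorize` treats an empty role list for authenticated users, but it should be stated so subclasses overriding `getExpectedRoles`/`getDenyRoles` know that returning an empty list opens the method to anonymous callers when `isAllowAnonymousUsers()` is true. Suggest `/** Returns true when expected or deny roles are configured for the method; unprotected methods may be invoked anonymously when {@link #isAllowAnonymousUsers()} is true. */`. The String overload at L111 in OperationInfoAuthorizingInterceptor needs the same comment.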
@@ -118,5 +124,13 @@ public abstract class AbstractAuthorizingInInterceptor extends AbstractPhaseInte
protected List<String> getDenyRoles(Method method) {
return Collections.emptyList();
}
+
+ public boolean isAllowAnonymousUsers() {
+ return allowAnonymousUsers;
+ }
+
+ public void setAllowAnonymousUsers(boolean allowAnonymousUsers) {
+ this.allowAnonymousUsers = allowAnonymousUsers;
+ }
}
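Review bot: `setAllowAnonymousUsers` is a new public configuration property with a security-relevant default and no Javadoc, so a Spring or Blueprint user has no way to learn what it controls without reading handleMessage. Suggest `/** Whether requests without an authenticated principal may invoke methods that have no expected or deny roles configured. Defaults to {@code true}; set to {@code false} to require authentication for every method. */` on the setter, with a one-line `@return` on the getter pointing to it.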
http://git-wip-us.apache.org/repos/asf/cxf/blob/38a9b661/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java b/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
index b7e496c..f0dbaa0 100755
--- a/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
+++ b/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
@@ -39,13 +39,15 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
@Override
public void handleMessage(Message message) throws Fault {
+ OperationInfo opinfo = getTargetOperationInfo(message);
SecurityContext sc = message.get(SecurityContext.class);
if (sc != null && sc.getUserPrincipal() != null) {
- OperationInfo opinfo = getTargetOperationInfo(message);
- if (opinfo != null && opinfo.getName() != null
+ if (opinfo.getName() != null
&& authorize(sc, opinfo.getName().getLocalPart())) {
return;
}
+ } else if (!isMethodProtected(opinfo.getName().getLocalPart()) && isAllowAnonymousUsers()) {
+ return;
}
throw new AccessDeniedException("Unauthorized");
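Review bot: The anonymous branch at L92 dereferences `opinfo.getName()` without the null check that the authenticated branch at L88 keeps, so an operation whose name is null and that arrives without a principal now fails with a NullPointerException out of the interceptor instead of an AccessDeniedException. Guard it the same way so the method still fails closed: `} else if (opinfo.getName() != null && !isMethodProtected(opinfo.getName().getLocalPart()) && isAllowAnonymousUsers()) {`. The closing brace of handleMessage lies outside the hunk.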
@@ -70,7 +72,10 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
protected OperationInfo getTargetOperationInfo(Message message) {
BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
- return bop != null ? bop.getOperationInfo() : null;
+ if (bop != null) {
+ return bop.getOperationInfo();
+ }
+ throw new AccessDeniedException("OperationInfo is not available : Unauthorized");
}
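Review bot: `getTargetOperationInfo` used to return null when no BindingOperationInfo was on the exchange and now throws AccessDeniedException, which is the right fail-closed choice given handleMessage dereferences the result, but it is an unannounced contract change for subclasses that override or call it expecting null. Add `@throws AccessDeniedException if no {@code BindingOperationInfo} is available on the exchange` to its Javadoc and call the change out in the release notes.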
protected List<String> getExpectedRoles(String key) {
@@ -84,4 +89,8 @@ public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterc
protected List<String> getDenyRoles(String key) {
return Collections.emptyList();
}
+
+ protected boolean isMethodProtected(String key) {
+ return !getExpectedRoles(key).isEmpty() || !getDenyRoles(key).isEmpty();
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38a9b661/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java b/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
index c54c71f..ad9b5c0 100644
--- a/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
+++ b/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
@@ -84,13 +84,31 @@ public class SimpleAuthorizingInterceptorTest extends Assert {
@Test(expected = AccessDeniedException.class)
public void testNoSecurityContext() {
message.put(SecurityContext.class, null);
- createSimpleAuthorizingInterceptor().handleMessage(message);
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+ in.setAllowAnonymousUsers(false);
+ in.handleMessage(message);
+ }
+
+ @Test(expected = AccessDeniedException.class)
+ public void testNoSecurityContextAnonymousUserRoles() {
+ message.put(SecurityContext.class, null);
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+ in.setMethodRolesMap(Collections.singletonMap("echo", "role1 testRole"));
+ in.handleMessage(message);
+ }
+ @Test
+ public void testNoSecurityContextAnonymousUserUnprotectedMethod() {
+ message.put(SecurityContext.class, null);
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+ in.handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testIncompleteSecurityContext() {
message.put(SecurityContext.class, new IncompleteSecurityContext());
- createSimpleAuthorizingInterceptor().handleMessage(message);
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
+ in.setAllowAnonymousUsers(false);
+ in.handleMessage(message);
}
@Test
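Review bot: `testNoSecurityContextAnonymousUserRoles` and the following `@Test` at L137-L138 run together without the blank line every other method in this file has. Coverage-wise, the IncompleteSecurityContext case at L145 only exercises the `allowAnonymousUsers=false` path, so a companion test with the default settings and an unprotected method would pin that a present-but-principal-less context takes the anonymous branch too, which is the `sc != null && sc.getUserPrincipal() != null` condition this commit relies on.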