Posted to commits@geode.apache.org by ud...@apache.org on 2016/10/11 03:07:43 UTC

[15/20] incubator-geode git commit: GEODE-1570 - developer REST API should be secured

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
new file mode 100644
index 0000000..c4226f6
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+class GeodeAuthentication extends UsernamePasswordAuthenticationToken {
+  /**
+   * This constructor should only be used by <code>AuthenticationManager</code> or <code>AuthenticationProvider</code>
+   * implementations that are satisfied with producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
+   * authentication token.
+   * @param principal
+   * @param credentials
+   */
+  public GeodeAuthentication(final Object principal,
+                             final Object credentials) {
+    super(principal, credentials, AuthorityUtils.NO_AUTHORITIES);
+  }
+
+}
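Review bot: The `@param principal` and `@param credentials` tags on the constructor are empty, and the prose above them is Spring's generic constructor wording, so a reader cannot tell what this token actually carries. Propose `@param principal the principal of the Shiro {@code Subject} returned by the Geode security service login` and `@param credentials the credentials the caller submitted, passed through unchanged`. A one-sentence class-level Javadoc saying that the three-argument super constructor marks the token as authenticated and that the token deliberately carries no granted authorities (`AuthorityUtils.NO_AUTHORITIES`) would also help, since any role-based check on this token will see an empty authority list.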

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
new file mode 100644
index 0000000..c482047
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.shiro.subject.Subject;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Component;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.security.AuthenticationFailedException;
+
+
+@Component
+public class GeodeAuthenticationProvider implements AuthenticationProvider {
+
+  @Override
+  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+    String username = authentication.getName();
+    String password = authentication.getCredentials().toString();
+
+    try {
+      Subject subject = IntegratedSecurityService.getSecurityService().login(username, password);
+      if (subject != null) {
+        return new GeodeAuthentication(subject.getPrincipal(), authentication.getCredentials());
+      }
+    } catch (AuthenticationFailedException authFailedEx) {
+      throw new BadCredentialsException("Invalid username or password");
+    }
+    return authentication;
+  }
+
+  @Override
+  public boolean supports(Class<?> authentication) {
+    return authentication.equals(UsernamePasswordAuthenticationToken.class);
+  }
+}
\ No newline at end of file
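Review bot: `authentication.getCredentials().toString()` in `authenticate` throws NullPointerException when the request carries no credentials, which surfaces as a server error rather than the 401 a failed login should produce; and when `login()` returns null (the branch the `subject != null` check anticipates) the method hands the caller's unauthenticated token straight back instead of rejecting it, which an `AuthenticationProvider` should not do — either that branch cannot happen and the check can go, or it should fail explicitly. The catch also drops `authFailedEx`; keep it as the cause so the Geode-side reason stays in the server log while the client still sees only the generic message: `throw new BadCredentialsException("Invalid username or password", authFailedEx);`. A rewrite of `authenticate` covering these points follows; `supports` is unchanged.
```java
  @Override
  public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getName();
    Object rawCredentials = authentication.getCredentials();
    if (rawCredentials == null) {
      // no password supplied: reject as a bad login, not as an NPE/500
      throw new BadCredentialsException("Invalid username or password");
    }
    String password = rawCredentials.toString();

    try {
      Subject subject = IntegratedSecurityService.getSecurityService().login(username, password);
      if (subject == null) {
        // login() gave no subject: reject rather than return the unauthenticated request token
        throw new BadCredentialsException("Invalid username or password");
      }
      return new GeodeAuthentication(subject.getPrincipal(), rawCredentials);
    } catch (AuthenticationFailedException authFailedEx) {
      // keep the Geode cause for server-side diagnostics; the client sees only the generic message
      throw new BadCredentialsException("Invalid username or password", authFailedEx);
    }
  }

  // … unchanged: supports(Class<?>) …
```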

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
new file mode 100644
index 0000000..fd21628
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class GeodeAuthority implements GrantedAuthority {
+
+  private String authority;
+
+  GeodeAuthority(String authority) {
+    this.authority = authority;
+  }
+
+  /**
+   * If the <code>GrantedAuthority</code> can be represented as a <code>String</code> and that
+   * <code>String</code> is sufficient in precision to be relied upon for an access control decision by an {@link
+   * AccessDecisionManager} (or delegate), this method should return such a <code>String</code>.
+   * <p>
+   * If the <code>GrantedAuthority</code> cannot be expressed with sufficient precision as a <code>String</code>,
+   * <code>null</code> should be returned. Returning <code>null</code> will require an
+   * <code>AccessDecisionManager</code> (or delegate) to specifically support the <code>GrantedAuthority</code>
+   * implementation, so returning <code>null</code> should be avoided unless actually required.
+   * @return a representation of the granted authority (or <code>null</code> if the granted authority cannot be
+   * expressed as a <code>String</code> with sufficient precision).
+   */
+  @Override
+  public String getAuthority() {
+    return authority;
+  }
+}
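Review bot: `authority` is assigned once in the constructor but is not `final`, and the constructor accepts null, so an authority with no name can be created; propose `private final String authority;` and `this.authority = Objects.requireNonNull(authority, "authority");` (importing `java.util.Objects`). The method Javadoc is copied from `GrantedAuthority` and its `{@link AccessDecisionManager}` has no matching import, so the link will not resolve; a short class comment stating what a Geode authority represents would serve readers better than the inherited text. If instances are ever compared or placed in a `Set`, `equals`/`hashCode` over the string are also needed, as `SimpleGrantedAuthority` provides; the class is not referenced by the other files in this commit, so its intended use is unclear from here.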

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
new file mode 100644
index 0000000..f3b5c4d
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.internal.security.SecurityService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ComponentScan("org.apache.geode.rest.internal.web")
+public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+  private SecurityService securityService = IntegratedSecurityService.getSecurityService();
+
+  @Autowired
+  private GeodeAuthenticationProvider authProvider;
+
+  @Override
+  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+    auth.authenticationProvider(authProvider);
+  }
+
+  @Bean
+  @Override
+  public AuthenticationManager authenticationManagerBean() throws Exception {
+    return super.authenticationManagerBean();
+  }
+
+  protected void configure(HttpSecurity http) throws Exception {
+    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+        .and()
+        .authorizeRequests()
+        .antMatchers("/ping").permitAll()
+        .anyRequest().authenticated()
+        .and()
+        .formLogin()
+        .and()
+        .csrf().disable();
+
+    if(securityService.isIntegratedSecurity()) {
+      http.httpBasic();
+    }
+    else{
+      http
+        .authorizeRequests()
+        .anyRequest().permitAll();
+    }
+  }
+}
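Review bot: `configure(HttpSecurity)` lacks `@Override` although the sibling `configure(AuthenticationManagerBuilder)` has it; add `@Override` so a signature slip cannot silently leave the adapter's default HTTP configuration in place. In the non-integrated branch, `anyRequest().permitAll()` is added to the same `authorizeRequests()` registry after `anyRequest().authenticated()` has already been registered; those rules are evaluated in registration order with the first match winning (and newer Spring Security versions reject a second `anyRequest()` outright), so I would expect that branch to have no effect or fail at startup — verify against 3.2.7 and build the rule set once per branch, as below. Both `formLogin()` and `httpBasic()` are registered for what is declared a STATELESS API; which entry point answers an unauthenticated request (a 401 versus a redirect to a login page) is worth confirming, since REST clients cannot follow the latter.
```java
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable();

    if (securityService.isIntegratedSecurity()) {
      // single rule set: /ping open, everything else must authenticate
      http.authorizeRequests()
          .antMatchers("/ping").permitAll()
          .anyRequest().authenticated()
          .and()
          .formLogin()
          .and()
          .httpBasic();
    } else {
      http.authorizeRequests().anyRequest().permitAll();
    }
  }

  // … unchanged: fields, configure(AuthenticationManagerBuilder), authenticationManagerBean() …
```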

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
index c24e74a..c75d975 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
@@ -30,20 +30,13 @@ limitations under the License.
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
   ">
   <context:annotation-config />
-  <context:component-scan base-package="org.apache.geode.rest.internal.web"/>
-  
+
   <mvc:annotation-driven content-negotiation-manager="contentNegotiationManager">
     <mvc:message-converters register-defaults="false">
       <bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter"/>
       <bean class="org.springframework.http.converter.ResourceHttpMessageConverter"/>
       <bean class="org.springframework.http.converter.StringHttpMessageConverter"/>
-      <!-- bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/-->
       <bean class="org.apache.geode.rest.internal.web.http.converter.CustomMappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/>
-      <!--bean class="org.gopivotal.app.http.converter.json.JsonToPdxInstanceHttpMessageConverter"/-->
-      <!--bean class="org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter"/-->
-      <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="jaxb2Marshaller" p:unmarshaller-ref="jaxb2Marshaller"/-->
-      <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="xstreamMarshaller" p:unmarshaller-ref="xstreamMarshaller"/-->
-      <!--bean class="org.springframework.http.converter.xml.SourceHttpMessageConverter"/-->
     </mvc:message-converters>
   </mvc:annotation-driven>
 
@@ -62,7 +55,6 @@ limitations under the License.
     </property>
   </bean>
   
-  <!-- bean id="objectMapper" class="org.apache.geode.rest.internal.web.config.CustomObjectMapper" factory-method="newObjectMapper"></bean-->
   <bean id="objectMapper" class="org.springframework.http.converter.json.Jackson2ObjectMapperFactoryBean"
         p:failOnEmptyBeans="true"
         p:indentOutput="true"
@@ -82,4 +74,5 @@ limitations under the License.
     </property>
   </bean>
 
+  <bean class="org.apache.geode.rest.internal.web.security.RestSecurityConfiguration" />
 </beans>

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/web.xml b/geode-web-api/src/main/webapp/WEB-INF/web.xml
index 956294a..f1f93c7 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/web.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/web.xml
@@ -25,27 +25,17 @@ limitations under the License.
   <description>
     Web deployment descriptor declaring the developer REST API for GemFire.
   </description>
-  
-  <!-- context-param>
-    <param-name>contextConfigLocation</param-name>
-    <param-value>/META-INF/cache-config.xml</param-value>
-  </context-param -->
-  
+
   <filter>
-    <filter-name>httpPutFilter</filter-name>
-    <filter-class>org.springframework.web.filter.HttpPutFormContentFilter</filter-class>
-    <async-supported>true</async-supported>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
 
   <filter-mapping>
-    <filter-name>httpPutFilter</filter-name>
+    <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
 
-  <!-- listener>
-    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
-  </listener-->
-
   <servlet>
     <description>
       The Spring DispatcherServlet (FrontController) handling all HTTP requests to the Developer REST API
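Review bot: The `springSecurityFilterChain` filter is a `DelegatingFilterProxy`, which by default looks up its delegate bean in the root `WebApplicationContext`, while `RestSecurityConfiguration` is registered in `geode-servlet.xml`, i.e. in the context of the `geode` DispatcherServlet, and this descriptor declares no `ContextLoaderListener` (the commented-out one is being removed); unless something outside this diff publishes a root context, the proxy will not find the bean and the first request will fail. If the servlet context is the intended home, point the proxy at it with an init-param on the filter: `<init-param><param-name>contextAttribute</param-name><param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.geode</param-value></init-param>`. Separately, `HttpPutFormContentFilter` is dropped rather than kept alongside the new filter; if any endpoint relied on form-encoded PUT bodies, that is a behaviour change worth a line in the commit message.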
@@ -61,5 +51,5 @@ limitations under the License.
     <servlet-name>geode</servlet-name>
     <url-pattern>/*</url-pattern>
   </servlet-mapping>
-  
+
 </web-app>

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/gradle/dependency-versions.properties
----------------------------------------------------------------------
diff --git a/gradle/dependency-versions.properties b/gradle/dependency-versions.properties
index 0abe690..65fd2ee 100644
--- a/gradle/dependency-versions.properties
+++ b/gradle/dependency-versions.properties
@@ -88,13 +88,13 @@ powermock.version = 1.6.4
 quartz.version = 2.2.1
 scala.version = 2.10.0
 selenium.version=2.53.1
-shiro.version=1.2.4
+shiro.version=1.3.0
 slf4j-api.version = 1.7.7
 snappy-java.version=0.4
 spring-hateoas.version = 0.16.0.RELEASE
 spring-shell.version = 1.1.0.RELEASE
 spring-ldap-core.version = 1.3.2.RELEASE
-spring-security.version = 3.1.7.RELEASE
+spring-security.version = 3.2.7.RELEASE
 spring-tx.version = 3.2.12.RELEASE
 springframework.version = 4.2.4.RELEASE
 stephenc-findbugs.version = 1.3.9-1