Posted to commits@geode.apache.org by ud...@apache.org on 2016/10/11 03:07:43 UTC
[15/20] incubator-geode git commit: GEODE-1570 - developer REST API
should be secured
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
new file mode 100644
index 0000000..c4226f6
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthentication.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+class GeodeAuthentication extends UsernamePasswordAuthenticationToken {
+ /**
+ * This constructor should only be used by <code>AuthenticationManager</code> or <code>AuthenticationProvider</code>
+ * implementations that are satisfied with producing a trusted (i.e. {@link #isAuthenticated()} = <code>true</code>)
+ * authentication token.
+ * @param principal
+ * @param credentials
+ */
+ public GeodeAuthentication(final Object principal,
+ final Object credentials) {
+ super(principal, credentials, AuthorityUtils.NO_AUTHORITIES);
+ }
+
+}
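Review bot: The constructor Javadoc leaves `@param principal` and `@param credentials` empty and does not say why the token is built with `AuthorityUtils.NO_AUTHORITIES`, which is the one decision a reader of this class needs explained. Suggested text: `@param principal the principal returned by the Geode security service login` and `@param credentials the credentials the caller presented; kept on the token as-is`, plus a sentence on the class such as "Authorization is delegated to Geode's integrated security, so the token carries no Spring authorities; any hasRole/hasAuthority expression would have nothing to match." Since the three-argument super constructor marks the token authenticated (as the existing Javadoc notes), it is also worth documenting that only GeodeAuthenticationProvider should construct it — the class is package-private while the constructor is public, so making the constructor package-private too would state that in code.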
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
new file mode 100644
index 0000000..c482047
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthenticationProvider.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.shiro.subject.Subject;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Component;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.security.AuthenticationFailedException;
+
+
+@Component
+public class GeodeAuthenticationProvider implements AuthenticationProvider {
+
+ @Override
+ public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+ String username = authentication.getName();
+ String password = authentication.getCredentials().toString();
+
+ try {
+ Subject subject = IntegratedSecurityService.getSecurityService().login(username, password);
+ if (subject != null) {
+ return new GeodeAuthentication(subject.getPrincipal(), authentication.getCredentials());
+ }
+ } catch (AuthenticationFailedException authFailedEx) {
+ throw new BadCredentialsException("Invalid username or password");
+ }
+ return authentication;
+ }
+
+ @Override
+ public boolean supports(Class<?> authentication) {
+ return authentication.equals(UsernamePasswordAuthenticationToken.class);
+ }
+}
\ No newline at end of file
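Review bot: When `login` returns null the method falls through to `return authentication;`, handing the caller's original unauthenticated token back as the result; if I read ProviderManager correctly it treats any non-null return as a successful authentication, so a null subject would not be rejected here. Either return `null` so the manager can consult another provider, or fail explicitly: `if (subject == null) { throw new BadCredentialsException("Invalid username or password"); }`. Two smaller points in the same method: `authentication.getCredentials().toString()` throws NullPointerException for a token whose credentials are null, which should surface as a BadCredentialsException rather than a 500, and the catch block drops `authFailedEx`, so the Geode-side failure reason never reaches server logs — `throw new BadCredentialsException("Invalid username or password", authFailedEx);` keeps the generic client-facing message while preserving the cause.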
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
new file mode 100644
index 0000000..fd21628
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/GeodeAuthority.java
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.geode.rest.internal.web.security;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class GeodeAuthority implements GrantedAuthority {
+
+ private String authority;
+
+ GeodeAuthority(String authority) {
+ this.authority = authority;
+ }
+
+ /**
+ * If the <code>GrantedAuthority</code> can be represented as a <code>String</code> and that
+ * <code>String</code> is sufficient in precision to be relied upon for an access control decision by an {@link
+ * AccessDecisionManager} (or delegate), this method should return such a <code>String</code>.
+ * <p>
+ * If the <code>GrantedAuthority</code> cannot be expressed with sufficient precision as a <code>String</code>,
+ * <code>null</code> should be returned. Returning <code>null</code> will require an
+ * <code>AccessDecisionManager</code> (or delegate) to specifically support the <code>GrantedAuthority</code>
+ * implementation, so returning <code>null</code> should be avoided unless actually required.
+ * @return a representation of the granted authority (or <code>null</code> if the granted authority cannot be
+ * expressed as a <code>String</code> with sufficient precision).
+ */
+ @Override
+ public String getAuthority() {
+ return authority;
+ }
+}
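Review bot: `authority` is a mutable, unvalidated field on a value object that Spring Security compares and hashes, and the class defines neither `equals` nor `hashCode`, so two authorities with the same name are not equal — the GrantedAuthority contract expects value semantics. Make the field `private final`, reject null in the constructor via `java.util.Objects.requireNonNull`, and add `equals`/`hashCode`/`toString` as sketched below. The Javadoc on `getAuthority()` references `{@link AccessDecisionManager}` but the file does not import `org.springframework.security.access.AccessDecisionManager`, so that link will not resolve when Javadoc runs. None of the other files in this part of the commit reference GeodeAuthority (GeodeAuthentication uses `AuthorityUtils.NO_AUTHORITIES`), so it may be unused at this point; if so, say so in the class Javadoc or drop it.
```java
public final class GeodeAuthority implements GrantedAuthority {

  private final String authority;

  GeodeAuthority(String authority) {
    this.authority = Objects.requireNonNull(authority, "authority");
  }

  // … unchanged: getAuthority() and its Javadoc …

  @Override
  public boolean equals(Object other) {
    if (this == other) {
      return true;
    }
    return other instanceof GeodeAuthority
        && authority.equals(((GeodeAuthority) other).authority);
  }

  @Override
  public int hashCode() {
    return authority.hashCode();
  }

  @Override
  public String toString() {
    return authority;
  }
}
```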
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
new file mode 100644
index 0000000..f3b5c4d
--- /dev/null
+++ b/geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.geode.rest.internal.web.security;
+
+import org.apache.geode.internal.security.IntegratedSecurityService;
+import org.apache.geode.internal.security.SecurityService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@ComponentScan("org.apache.geode.rest.internal.web")
+public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+ private SecurityService securityService = IntegratedSecurityService.getSecurityService();
+
+ @Autowired
+ private GeodeAuthenticationProvider authProvider;
+
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+ auth.authenticationProvider(authProvider);
+ }
+
+ @Bean
+ @Override
+ public AuthenticationManager authenticationManagerBean() throws Exception {
+ return super.authenticationManagerBean();
+ }
+
+ protected void configure(HttpSecurity http) throws Exception {
+ http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+ .and()
+ .authorizeRequests()
+ .antMatchers("/ping").permitAll()
+ .anyRequest().authenticated()
+ .and()
+ .formLogin()
+ .and()
+ .csrf().disable();
+
+ if(securityService.isIntegratedSecurity()) {
+ http.httpBasic();
+ }
+ else{
+ http
+ .authorizeRequests()
+ .anyRequest().permitAll();
+ }
+ }
+}
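Review bot: The `else` branch of `configure(HttpSecurity)` registers a second `authorizeRequests().anyRequest().permitAll()` after the chain above has already registered `anyRequest().authenticated()`; request matchers are, as far as I know, consulted in registration order, so the `authenticated()` rule matches first and the `permitAll()` rule is never reached — which would leave every endpoint except `/ping` locked, with no `httpBasic()` to satisfy it, precisely when integrated security is off. Decide the rule once from `securityService.isIntegratedSecurity()` and register a single `anyRequest()` per branch, as below. Two smaller points: this `configure` lacks `@Override` while the sibling `configure(AuthenticationManagerBuilder)` has it, and `formLogin()` on a `STATELESS` API that authenticates with `httpBasic()` adds a login-page entry point and a session-based flow a REST client cannot use, so it likely belongs out.
```java
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .csrf().disable();

    if (securityService.isIntegratedSecurity()) {
      // Exactly one anyRequest() rule per branch: a later one would be shadowed by the first.
      http.authorizeRequests()
          .antMatchers("/ping").permitAll()
          .anyRequest().authenticated()
          .and()
          .httpBasic();
    } else {
      http.authorizeRequests().anyRequest().permitAll();
    }
  }
```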
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
index c24e74a..c75d975 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/geode-servlet.xml
@@ -30,20 +30,13 @@ limitations under the License.
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
">
<context:annotation-config />
- <context:component-scan base-package="org.apache.geode.rest.internal.web"/>
-
+
<mvc:annotation-driven content-negotiation-manager="contentNegotiationManager">
<mvc:message-converters register-defaults="false">
<bean class="org.springframework.http.converter.ByteArrayHttpMessageConverter"/>
<bean class="org.springframework.http.converter.ResourceHttpMessageConverter"/>
<bean class="org.springframework.http.converter.StringHttpMessageConverter"/>
- <!-- bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/-->
<bean class="org.apache.geode.rest.internal.web.http.converter.CustomMappingJackson2HttpMessageConverter" p:objectMapper-ref="objectMapper"/>
- <!--bean class="org.gopivotal.app.http.converter.json.JsonToPdxInstanceHttpMessageConverter"/-->
- <!--bean class="org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter"/-->
- <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="jaxb2Marshaller" p:unmarshaller-ref="jaxb2Marshaller"/-->
- <!--bean class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter" p:marshaller-ref="xstreamMarshaller" p:unmarshaller-ref="xstreamMarshaller"/-->
- <!--bean class="org.springframework.http.converter.xml.SourceHttpMessageConverter"/-->
</mvc:message-converters>
</mvc:annotation-driven>
@@ -62,7 +55,6 @@ limitations under the License.
</property>
</bean>
- <!-- bean id="objectMapper" class="org.apache.geode.rest.internal.web.config.CustomObjectMapper" factory-method="newObjectMapper"></bean-->
<bean id="objectMapper" class="org.springframework.http.converter.json.Jackson2ObjectMapperFactoryBean"
p:failOnEmptyBeans="true"
p:indentOutput="true"
@@ -82,4 +74,5 @@ limitations under the License.
</property>
</bean>
+ <bean class="org.apache.geode.rest.internal.web.security.RestSecurityConfiguration" />
</beans>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/geode-web-api/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/geode-web-api/src/main/webapp/WEB-INF/web.xml b/geode-web-api/src/main/webapp/WEB-INF/web.xml
index 956294a..f1f93c7 100644
--- a/geode-web-api/src/main/webapp/WEB-INF/web.xml
+++ b/geode-web-api/src/main/webapp/WEB-INF/web.xml
@@ -25,27 +25,17 @@ limitations under the License.
<description>
Web deployment descriptor declaring the developer REST API for GemFire.
</description>
-
- <!-- context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>/META-INF/cache-config.xml</param-value>
- </context-param -->
-
+
<filter>
- <filter-name>httpPutFilter</filter-name>
- <filter-class>org.springframework.web.filter.HttpPutFormContentFilter</filter-class>
- <async-supported>true</async-supported>
+ <filter-name>springSecurityFilterChain</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
- <filter-name>httpPutFilter</filter-name>
+ <filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- <!-- listener>
- <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
- </listener-->
-
<servlet>
<description>
The Spring DispatcherServlet (FrontController) handling all HTTP requests to the Developer REST API
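Review bot: `DelegatingFilterProxy` looks up the `springSecurityFilterChain` bean in the root WebApplicationContext by default, but this descriptor registers no `ContextLoaderListener` (the commented-out one is removed in this hunk) and `RestSecurityConfiguration` is declared in the DispatcherServlet's own `geode-servlet.xml`; if that is the whole picture, the filter will fail at startup because no root context exists or because the bean is not in it. Point the proxy at the servlet's context by adding `<init-param><param-name>contextAttribute</param-name><param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.geode</param-value></init-param>` inside the `<filter>` element, `geode` being the servlet name shown in the last hunk. Separately, this hunk drops the `HttpPutFormContentFilter` mapping, so form-encoded PUT bodies will no longer be exposed as request parameters — worth confirming no controller relied on that.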
@@ -61,5 +51,5 @@ limitations under the License.
<servlet-name>geode</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
-
+
</web-app>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/90ecca2d/gradle/dependency-versions.properties
----------------------------------------------------------------------
diff --git a/gradle/dependency-versions.properties b/gradle/dependency-versions.properties
index 0abe690..65fd2ee 100644
--- a/gradle/dependency-versions.properties
+++ b/gradle/dependency-versions.properties
@@ -88,13 +88,13 @@ powermock.version = 1.6.4
quartz.version = 2.2.1
scala.version = 2.10.0
selenium.version=2.53.1
-shiro.version=1.2.4
+shiro.version=1.3.0
slf4j-api.version = 1.7.7
snappy-java.version=0.4
spring-hateoas.version = 0.16.0.RELEASE
spring-shell.version = 1.1.0.RELEASE
spring-ldap-core.version = 1.3.2.RELEASE
-spring-security.version = 3.1.7.RELEASE
+spring-security.version = 3.2.7.RELEASE
spring-tx.version = 3.2.12.RELEASE
springframework.version = 4.2.4.RELEASE
stephenc-findbugs.version = 1.3.9-1