Posted to commits@tomee.apache.org by ra...@apache.org on 2019/01/17 13:10:21 UTC

[tomee] 07/17: TOMEE-2365 - Implemented SecurityContext isCallerInRole.

This is an automated email from the ASF dual-hosted git repository.

radcortez pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 348ee7dbec48cfce8e08eeb791c978b3518dd3b4
Author: Roberto Cortez <ra...@yahoo.com>
AuthorDate: Tue Jan 15 23:33:10 2019 +0000

    TOMEE-2365 - Implemented SecurityContext isCallerInRole.
---
 .../tomee/security/TomEESecurityContext.java       | 10 ++++--
 .../security/http/TomEEHttpMessageContext.java     |  7 +----
 .../security/context/SecurityContextTest.java      | 36 +++++++++++++++++++++-
 3 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java
index 57df3f6..1ca2d89 100644
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java
@@ -18,6 +18,7 @@ package org.apache.tomee.security;
 
 import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
 import org.apache.catalina.connector.Request;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.openejb.loader.SystemInstance;
 import org.apache.openejb.spi.SecurityService;
 import org.apache.tomee.catalina.OpenEJBSecurityListener;
@@ -39,6 +40,7 @@ import javax.security.enterprise.authentication.mechanism.http.AuthenticationPar
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.security.Principal;
+import java.util.ArrayList;
 import java.util.Set;
 
 import static javax.security.auth.message.AuthStatus.SEND_CONTINUE;
@@ -68,7 +70,7 @@ public class TomEESecurityContext implements SecurityContext {
 
     @Override
     public boolean isCallerInRole(final String role) {
-        return false;
+        return securityService.isCallerInRole(role);
     }
 
     @Override
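Review bot: The new body delegates entirely to `securityService.isCallerInRole(role)`, so the answer depends on the roles carried by the GenericPrincipal that registerContainerAboutLogin (last hunk of this file) hands to enterWebApp, and that coupling is stated nowhere. A short comment would help the next maintainer: `// Answered by the container SecurityService against the GenericPrincipal registered in registerContainerAboutLogin; the groups reported at login are used as roles unchanged.` Whether the SecurityService tolerates a null role, and what it reports before authenticate() has been called on this request, is not visible in this hunk and presumably follows the OpenEJB implementation; the field initialisation is outside the hunk as well.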
@@ -120,13 +122,15 @@ public class TomEESecurityContext implements SecurityContext {
         return serverAuthConfig.getAuthContext(null, null, null);
     }
 
-    public static void registerContainerAboutLogin(final Principal principal) {
+    public static void registerContainerAboutLogin(final Principal principal, final Set<String> groups) {
         final SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
         if (TomcatSecurityService.class.isInstance(securityService)) {
             final TomcatSecurityService tomcatSecurityService = (TomcatSecurityService) securityService;
             final Request request = OpenEJBSecurityListener.requests.get();
+            final GenericPrincipal genericPrincipal =
+                    new GenericPrincipal(principal.getName(), null, new ArrayList<>(groups), principal);
             tomcatSecurityService.enterWebApp(request.getWrapper().getRealm(),
-                                              principal,
+                                              genericPrincipal,
                                               request.getWrapper().getRunAs());
         }
     }
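Review bot: `new ArrayList<>(groups)` on the added line throws NullPointerException when `groups` is null, and `principal.getName()` does the same for a null principal; the only caller visible here (notifyContainerAboutLogin in the TomEEHttpMessageContext hunk) stores `groups` unchecked, so a mechanism that reports a caller without groups would fail at login rather than simply hold no roles. Guarding with `final ArrayList<String> roles = groups == null ? new ArrayList<>() : new ArrayList<>(groups);` and passing `roles` to the GenericPrincipal keeps the normal case unchanged. When `securityService` is not a TomcatSecurityService the groups are silently dropped and isCallerInRole will presumably answer false for every role; a comment on the `if` saying so would make that limitation visible. The same null concern applies to the call site in the TomEEHttpMessageContext hunk.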
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/TomEEHttpMessageContext.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/TomEEHttpMessageContext.java
index 16f3c29..ae77887 100644
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/TomEEHttpMessageContext.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/http/TomEEHttpMessageContext.java
@@ -17,11 +17,6 @@
 package org.apache.tomee.security.http;
 
 import org.apache.catalina.authenticator.jaspic.MessageInfoImpl;
-import org.apache.catalina.connector.Request;
-import org.apache.openejb.loader.SystemInstance;
-import org.apache.openejb.spi.SecurityService;
-import org.apache.tomee.catalina.OpenEJBSecurityListener;
-import org.apache.tomee.catalina.TomcatSecurityService;
 import org.apache.tomee.security.TomEESecurityContext;
 import org.apache.tomee.security.message.TomEEMessageInfo;
 
@@ -209,7 +204,7 @@ public final class TomEEHttpMessageContext implements HttpMessageContext {
         this.principal = principal;
         this.groups = groups;
 
-        TomEESecurityContext.registerContainerAboutLogin(principal);
+        TomEESecurityContext.registerContainerAboutLogin(principal, groups);
 
         return SUCCESS;
     }
diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java
index fe491fb..4e626bd 100644
--- a/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java
+++ b/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java
@@ -17,7 +17,6 @@
 package org.apache.tomee.security.context;
 
 import org.apache.tomee.security.AbstractTomEESecurityTest;
-import org.junit.Ignore;
 import org.junit.Test;
 
 import javax.inject.Inject;
@@ -73,6 +72,21 @@ public class SecurityContextTest extends AbstractTomEESecurityTest {
     }
 
     @Test
+    public void callerInRole() throws Exception {
+        final String servlet = getAppUrl() + "/securityContextRole";
+        final Response response = ClientBuilder.newBuilder()
+                                               .build()
+                                               .target(servlet)
+                                               .queryParam("username", "tomcat")
+                                               .queryParam("password", "tomcat")
+                                               .queryParam("role", "tomcat")
+                                               .request()
+                                               .get();
+        assertEquals(200, response.getStatus());
+        assertEquals("ok", response.readEntity(String.class));
+    }
+
+    @Test
     public void wrongPassword() throws Exception {
         final String servlet = getAppUrl() + "/securityContext";
         assertEquals(401, ClientBuilder.newBuilder().build()
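Review bot: callerInRole exercises only the positive branch of isCallerInRole, so a regression that made the method return true unconditionally (the inverse of the `return false` it replaces) would still pass. A sibling test identical except for `.queryParam("role", "<placeholder: a role the tomcat user does not hold>")` and `assertEquals("nok", response.readEntity(String.class));` would pin the negative branch. The Response obtained on the `.get()` line is never closed; a `response.close();` after the assertions, or try-with-resources if the JAX-RS version in use makes Response AutoCloseable, avoids holding the connection open in the test JVM. The wrongPassword method that follows continues outside the hunk.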
@@ -127,6 +141,26 @@ public class SecurityContextTest extends AbstractTomEESecurityTest {
         }
     }
 
+    @WebServlet(urlPatterns = "/securityContextRole")
+    public static class RoleServlet extends HttpServlet {
+        @Inject
+        private SecurityContext securityContext;
+
+        @Override
+        protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
+                throws ServletException, IOException {
+
+            final AuthenticationParameters parameters =
+                    AuthenticationParameters.withParams()
+                                            .credential(new UsernamePasswordCredential(req.getParameter("username"),
+                                                                                       req.getParameter("password")))
+                                            .newAuthentication(true);
+
+            securityContext.authenticate(req, resp, parameters);
+
+            resp.getWriter().write(securityContext.isCallerInRole(req.getParameter("role")) ? "ok" : "nok");
+        }
+    }
 
     public static class SecurityContextHttpAuthenticationMechanism implements HttpAuthenticationMechanism {
         @Inject