Posted to commits@directory.apache.org by sm...@apache.org on 2015/03/12 16:30:22 UTC
directory-fortress-commander git commit: FC-80 - Fix logout for
unauthorized users
Repository: directory-fortress-commander
Updated Branches:
refs/heads/master 6c3d0cba6 -> ff708e123
FC-80 - Fix logout for unauthorized users
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/commit/ff708e12
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/tree/ff708e12
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/diff/ff708e12
Branch: refs/heads/master
Commit: ff708e123e6380c2fdbe71d58a5598abcb5e14f3
Parents: 6c3d0cb
Author: Shawn McKinney <sm...@apache.org>
Authored: Thu Mar 12 10:30:08 2015 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Thu Mar 12 10:30:08 2015 -0500
----------------------------------------------------------------------
.../fortress/web/FortressWebBasePage.java | 6 +-
.../fortress/web/FtIndicatingAjaxButton.java | 105 +++++++++++++++++++
.../directory/fortress/web/LogoutPage.java | 44 ++++++++
.../apache/directory/fortress/web/SecUtils.java | 35 +++++++
.../web/SecureIndicatingAjaxButton.java | 2 -
.../directory/fortress/web/LogoutPage.html | 27 +++++
src/main/webapp/WEB-INF/web.xml | 81 +++++++-------
src/main/webapp/login/unauthorized.html | 9 +-
8 files changed, 264 insertions(+), 45 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java b/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
index b78d185..46593fc 100644
--- a/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
+++ b/src/main/java/org/apache/directory/fortress/web/FortressWebBasePage.java
@@ -133,14 +133,10 @@ public abstract class FortressWebBasePage extends WebPage
/** Default serialVersionUID */
private static final long serialVersionUID = 1L;
-
@Override
public void onClick()
{
- HttpServletRequest servletReq = ( HttpServletRequest ) getRequest().getContainerRequest();
- servletReq.getSession().invalidate();
- getSession().invalidate();
- setResponsePage( LaunchPage.class );
+ setResponsePage( LogoutPage.class );
}
};
add( actionLink );
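Review bot: The session teardown that used to sit in `onClick` now happens as a side effect of constructing `LogoutPage`, and nothing in this anonymous class says so, which will puzzle the next reader who wonders why the logout link no longer invalidates anything. A one-line comment above `setResponsePage( LogoutPage.class );` would carry the reason: `// Session invalidation lives in LogoutPage, which web.xml leaves outside the auth-constraint so users lacking a role can still log out (FC-80).` The anonymous class that contains `onClick` begins before this hunk.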
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java b/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
new file mode 100644
index 0000000..eabf605
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/web/FtIndicatingAjaxButton.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.web;
+
+import com.googlecode.wicket.jquery.ui.form.button.IndicatingAjaxButton;
+import org.apache.log4j.Logger;
+import org.apache.wicket.spring.injection.annot.SpringBean;
+import org.apache.directory.fortress.core.*;
+import org.apache.directory.fortress.core.rbac.Permission;
+
+
+/**
+ * ...
+ *
+ * @author Shawn McKinney
+ * @version $Rev$
+ */
+public class FtIndicatingAjaxButton extends IndicatingAjaxButton
+{
+ Permission perm;
+
+ @SpringBean
+ private AccessMgr accessMgr;
+
+ private static final Logger LOG = Logger.getLogger( SecureIndicatingAjaxButton.class.getName() );
+
+ public FtIndicatingAjaxButton(String id)
+ {
+ super( id );
+ String[] parts = id.split( "\\." );
+ if(parts != null && parts.length > 1)
+ {
+ String objName = parts[0];
+ String opName = parts[1];
+ this.perm = new Permission(objName, opName);
+ if ( SecUtils.isFound( perm, this ) )
+ {
+ LOG.debug( "FtIndicatingAjaxButton id: " + id + ", status found" );
+ }
+ else
+ {
+ LOG.debug( "FtIndicatingAjaxButton id: " + id + ", status NOT found" );
+ setVisible( false );
+ }
+
+ }
+ else
+ {
+ throw new RuntimeException( "FtIndicatingAjaxButton Constructor ID: " + id + ", requires objectname.opname format" );
+ }
+ }
+
+ protected boolean checkAccess( )
+ {
+ boolean isAuthorized = false;
+ try
+ {
+ WicketSession session = ( WicketSession )getSession();
+ isAuthorized = accessMgr.checkAccess( session.getSession(), perm );
+ LOG.info( "Fortress checkAccess objName: " + this.perm.getObjName() + " opName: " + this.perm.getOpName() + " userId: " + session.getSession().getUserId() + " result: " + isAuthorized);
+ }
+ catch(org.apache.directory.fortress.core.SecurityException se)
+ {
+ String error = "Fortress SecurityException checkAccess objName: " + this.perm.getObjName() + " opName: " + this.perm.getOpName() + " error=" + se;
+ LOG.error( error );
+ }
+ return isAuthorized;
+ }
+
+
+ protected boolean checkAccess( String objectId )
+ {
+ boolean isAuthorized = false;
+ try
+ {
+ WicketSession session = ( WicketSession )getSession();
+ Permission finePerm = new Permission(perm.getObjName(), perm.getOpName(), objectId);
+ isAuthorized = accessMgr.checkAccess( session.getSession(), finePerm );
+ LOG.info( "Fortress checkAccess objName: " + this.perm.getObjName() + " opName: " + this.perm.getOpName() + ", objId: " + finePerm.getObjId() + ", userId: " + session.getSession().getUserId() + " result: " + isAuthorized);
+ }
+ catch(org.apache.directory.fortress.core.SecurityException se)
+ {
+ String error = "Fortress SecurityException checkAccess objectName: " + this.perm.getObjName() + " opName: " + this.perm.getOpName() + ", objId: " + objectId + ", error=" + se;
+ LOG.error( error );
+ }
+ return isAuthorized;
+ }
+}
\ No newline at end of file
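Review bot: The logger on line 101 is obtained with `SecureIndicatingAjaxButton.class.getName()`, so every message this new class emits is attributed to the wrong class; it should read `private static final Logger LOG = Logger.getLogger( FtIndicatingAjaxButton.class.getName() );`. The `parts != null` test on line 107 is dead because `String.split` never returns null, and `perm` on line 96 is package-private and mutable where `private final` would do since it is only assigned in the constructor. Both catch blocks (lines 138 and 157) fold `se` into the message string and so lose the stack trace; `LOG.error( error, se );` keeps it while still returning false, which is the right fail-closed result. The class Javadoc on lines 88-93 is still the `...` placeholder — a one-sentence summary is needed, something like: an AJAX button whose id is `objName.opName`; it hides itself when that Fortress permission is not found on the session, and `checkAccess` re-checks the permission (optionally with an object id) against `AccessMgr` before the action runs.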
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/LogoutPage.java b/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
new file mode 100644
index 0000000..7132156
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/web/LogoutPage.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.web;
+
+
+import org.apache.log4j.Logger;
+import org.apache.wicket.markup.html.basic.Label;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class LogoutPage extends FortressWebBasePage
+{
+ private static final Logger LOG = Logger.getLogger( LogoutPage.class.getName() );
+ public LogoutPage()
+ {
+ HttpServletRequest servletReq = (HttpServletRequest)getRequest().getContainerRequest();
+ // invalidate the session and force the user to log back on:
+ servletReq.getSession().invalidate();
+ getSession().invalidate();
+ setResponsePage( LoginPage.class );
+ add(new Label("label1", "Select logout"));
+ }
+}
\ No newline at end of file
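Review bot: The constructor calls `setResponsePage( LoginPage.class )` on line 214 and then, on line 215, adds a Label that is never rendered because the response has already been redirected away; either drop the Label together with its markup, or let the page render. `LOG` on line 207 is declared and never used. Invalidating both sessions on page construction means any GET of the bookmarkable URL logs the user out; that is the intent given the web.xml exemption in this commit, but it belongs in a class Javadoc, e.g. `Logs the current user out by invalidating the container session and the Wicket session, then sends the browser to LoginPage. Deliberately reachable without an auth-constraint (see web.xml) so that users who fail authorization can still log out.` Wicket's `Session.invalidate()` defers the invalidation to the end of the request while the servlet session on line 212 is invalidated immediately, so a short comment confirming that this ordering is deliberate would help.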
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/SecUtils.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/SecUtils.java b/src/main/java/org/apache/directory/fortress/web/SecUtils.java
index dca3d8c..10b3161 100644
--- a/src/main/java/org/apache/directory/fortress/web/SecUtils.java
+++ b/src/main/java/org/apache/directory/fortress/web/SecUtils.java
@@ -34,6 +34,7 @@ import org.apache.directory.fortress.core.util.attr.VUtil;
import org.apache.wicket.ajax.AjaxRequestTarget;
import javax.servlet.http.HttpServletRequest;
+import java.security.Principal;
import java.util.List;
/**
@@ -336,4 +337,38 @@ public class SecUtils
}
return isSuccessful;
}
+
+ public static void enableFortress( Component component, HttpServletRequest servletReq, J2eePolicyMgr j2eePolicyMgr, AccessMgr accessMgr )
+ {
+ // Get the principal from the container:
+ Principal principal = servletReq.getUserPrincipal();
+ // Is this a Java EE secured page && has the User successfully authenticated already?
+ boolean isSecured = principal != null;
+ if(isSecured)
+ {
+ //linksLabel += " for " + principal.getName();
+ if( !isLoggedIn( component ) )
+ {
+ String szPrincipal = principal.toString();
+ // Pull the fortress session from the realm and assert into the Web app's session along with user's perms:
+ SecUtils.initializeSession( component, j2eePolicyMgr, accessMgr, szPrincipal );
+ }
+ }
+ }
+
+ /**
+ * If user has a wicket session then considered logged in.
+ *
+ * @return true if wicket session is not null
+ */
+ public static boolean isLoggedIn( Component component )
+ {
+ boolean isLoggedIn = false;
+ if ( getSession( component ) != null )
+ {
+ isLoggedIn = true;
+ }
+ return isLoggedIn;
+ }
+
}
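Review bot: `enableFortress` (line 236) has no Javadoc and carries a commented-out statement on line 244 that should be deleted. Its contract is not obvious from the code: it initializes the Fortress session only when the container has already authenticated a principal and no Fortress session exists yet, and line 247 passes `principal.toString()` rather than `principal.getName()` to `initializeSession`, which presumably relies on the realm's Principal serializing the Fortress session into its string form — that dependency deserves a comment such as `// NOTE(review): initializeSession appears to expect the realm Principal's toString() form, not getName() — verify against the realm.` `isLoggedIn` can collapse to `return getSession( component ) != null;`, its Javadoc should gain `@param component the component used to reach the Wicket session`, and the summary should say what is actually tested: if `getSession( component )` (defined outside this hunk) returns the Fortress session held on the Wicket session, "logged in" means that session is present, not merely that a Wicket session exists.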
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java b/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
index 5d96066..ac548d1 100644
--- a/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
+++ b/src/main/java/org/apache/directory/fortress/web/SecureIndicatingAjaxButton.java
@@ -79,7 +79,6 @@ public class SecureIndicatingAjaxButton extends IndicatingAjaxButton
setVisible( false );
}
-
public SecureIndicatingAjaxButton( String id, String objName, String opName )
{
super( id );
@@ -87,7 +86,6 @@ public class SecureIndicatingAjaxButton extends IndicatingAjaxButton
setVisible( false );
}
-
protected boolean checkAccess( String objectName, String opName )
{
boolean isAuthorized = false;
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
----------------------------------------------------------------------
diff --git a/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html b/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
new file mode 100644
index 0000000..7e2cb4f
--- /dev/null
+++ b/src/main/resources/org/apache/directory/fortress/web/LogoutPage.html
@@ -0,0 +1,27 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<html>
+<head></head>
+<body>
+<wicket:extend>
+ <h3>Commander Logout Page</h3>
+ <strong><span wicket:id="label1"></span></strong>
+</wicket:extend>
+</body>
+</html>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/src/main/webapp/WEB-INF/web.xml b/src/main/webapp/WEB-INF/web.xml
index a32a1ca..c39f7e0 100644
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@@ -98,46 +98,53 @@
</error-page>
<!-- Begin JAVA EE Security configs: -->
- <!-- Begin JAVA EE Security configs: -->
- <security-constraint>
- <display-name>Commander Security Constraint</display-name>
- <web-resource-collection>
- <web-resource-name>Protected Area</web-resource-name>
- <!-- Define the context-relative URL(s) to be protected -->
- <url-pattern>/wicket/*</url-pattern>
- <!-- If you list http methods, only those methods are protected -->
- <!--http-method>GET</http-method-->
- </web-resource-collection>
- <auth-constraint>
- <!-- Anyone with one of the listed roles may access this area -->
- <role-name>ROLE_ADMIN</role-name>
- <role-name>ROLE_USERS</role-name>
- <role-name>ROLE_ROLES</role-name>
- <role-name>ROLE_PERMS</role-name>
- <role-name>ROLE_SSDS</role-name>
- <role-name>ROLE_DSDS</role-name>
- <role-name>ROLE_POLICIES</role-name>
- <role-name>ROLE_PERMOBJS</role-name>
- <role-name>ROLE_USEROUS</role-name>
- <role-name>ROLE_PERMOUS</role-name>
- <role-name>ROLE_ADMINROLES</role-name>
- <role-name>ROLE_ADMINOBJS</role-name>
- <role-name>ROLE_ADMINPERMS</role-name>
- <role-name>ROLE_AUDIT_AUTHZS</role-name>
- <role-name>ROLE_AUDIT_MODS</role-name>
- <role-name>ROLE_AUDIT_BINDS</role-name>
- </auth-constraint>
- </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>app</web-resource-name>
+ <url-pattern>/wicket/bookmarkable/org.apache.directory.fortress.web.LogoutPage</url-pattern>
+ </web-resource-collection>
+ <!-- OMIT auth-constraint -->
+ </security-constraint>
+
+ <security-constraint>
+ <display-name>Commander Security Constraint</display-name>
+ <web-resource-collection>
+ <web-resource-name>Protected Area</web-resource-name>
+ <!-- Define the context-relative URL(s) to be protected -->
+ <url-pattern>/wicket/*</url-pattern>
+ <!-- If you list http methods, only those methods are protected -->
+ <!--http-method>GET</http-method-->
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- Anyone with one of the listed roles may access this area -->
+ <role-name>ROLE_ADMIN</role-name>
+ <role-name>ROLE_USERS</role-name>
+ <role-name>ROLE_ROLES</role-name>
+ <role-name>ROLE_PERMS</role-name>
+ <role-name>ROLE_SSDS</role-name>
+ <role-name>ROLE_DSDS</role-name>
+ <role-name>ROLE_POLICIES</role-name>
+ <role-name>ROLE_PERMOBJS</role-name>
+ <role-name>ROLE_USEROUS</role-name>
+ <role-name>ROLE_PERMOUS</role-name>
+ <role-name>ROLE_ADMINROLES</role-name>
+ <role-name>ROLE_ADMINOBJS</role-name>
+ <role-name>ROLE_ADMINPERMS</role-name>
+ <role-name>ROLE_AUDIT_AUTHZS</role-name>
+ <role-name>ROLE_AUDIT_MODS</role-name>
+ <role-name>ROLE_AUDIT_BINDS</role-name>
+ </auth-constraint>
+ </security-constraint>
<!-- Default login configuration uses form-based authentication -->
-<!--
- <login-config>
- <auth-method>BASIC</auth-method>
- <realm-name>SentrySecurityRealm</realm-name>
- </login-config>
--->
+ <!--
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>SentrySecurityRealm</realm-name>
+ </login-config>
+ -->
<login-config>
- <auth-method>FORM</auth-method>
+ <auth-method>FORM</auth-method>
<realm-name>SentrySecurityRealm</realm-name>
<form-login-config>
basedir
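Review bot: The new constraint on lines 365-371 relies on omitting `<auth-constraint>`, which per the servlet specification makes the resource accessible without authentication, and the comment `<!-- OMIT auth-constraint -->` records what was done but not why. Suggest replacing it with `<!-- No auth-constraint on purpose: the logout page must stay reachable by users whose principal holds none of the roles below (FC-80). An exact url-pattern takes precedence over /wicket/*, so this overrides the following constraint regardless of ordering. -->`. The exact pattern covers only the bookmarkable URL; if LogoutPage is ever mounted elsewhere or reached through a non-bookmarkable Wicket URL, that path stays under the role constraint. Neither constraint declares a `<user-data-constraint>`, which predates this commit but is worth a follow-up.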
http://git-wip-us.apache.org/repos/asf/directory-fortress-commander/blob/ff708e12/src/main/webapp/login/unauthorized.html
----------------------------------------------------------------------
diff --git a/src/main/webapp/login/unauthorized.html b/src/main/webapp/login/unauthorized.html
index 3fcd181..e567f1b 100644
--- a/src/main/webapp/login/unauthorized.html
+++ b/src/main/webapp/login/unauthorized.html
@@ -26,10 +26,17 @@
<body>
<h3>Unauthorized access attempt detected</h3>
-<FORM METHOD=POST ACTION="/fortress-web/wicket/bookmarkable/org.apache.directory.fortress.web.LaunchPage">
+<FORM METHOD=POST ACTION="org.apache.directory.fortress.web.LaunchPage">
<p>
<font size="2">Click the button to return to home page.</font>
<BR><BR>
+ <input type="submit" name="restart" value="return">
+ </p>
+</form>
+<FORM METHOD=POST ACTION="org.apache.directory.fortress.web.LogoutPage">
+ <p>
+ <font size="2">Click the button to relogin.</font>
+ <BR><BR>
<input type="submit" name="relogin" value="return">
</p>
</form>
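Review bot: The form actions on lines 431 and 438 changed from an absolute path to bare relative names (`org.apache.directory.fortress.web.LaunchPage`, `...LogoutPage`), which the browser resolves against the address of the page that triggered the error. That works when the 403 was raised on a `/wicket/bookmarkable/...` URL, since the container forwards to the error page without changing the address, but a denial on a non-bookmarkable Wicket URL would resolve the action to a path that does not exist. Presumably the absolute form was dropped to avoid hard-coding the context root; if so, a comment saying so would help: `<!-- Actions are relative on purpose: they resolve against the denied /wicket/bookmarkable/ URL, avoiding a hard-coded context path. -->`. Both submit buttons carry `value="return"`; the second is a relogin and its label should say so, e.g. `value="relogin"`.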