Posted to commits@cxf.apache.org by ay...@apache.org on 2013/02/14 14:59:47 UTC
svn commit: r1446180 - in /cxf/trunk/rt/core/src:
main/java/org/apache/cxf/interceptor/security/
test/java/org/apache/cxf/interceptor/security/
Author: ay
Date: Thu Feb 14 13:59:47 2013
New Revision: 1446180
URL: http://svn.apache.org/r1446180
Log:
[CXF-4829] Add OperationInfo based authorizing interceptor
Added:
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java (with props)
cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java (with props)
Modified:
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java?rev=1446180&r1=1446179&r2=1446180&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java Thu Feb 14 13:59:47 2013
@@ -48,7 +48,6 @@ public abstract class AbstractAuthorizin
SecurityContext sc = message.get(SecurityContext.class);
if (sc != null && sc.getUserPrincipal() != null) {
Method method = getTargetMethod(message);
-
if (authorize(sc, method)) {
return;
}
Added: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java?rev=1446180&view=auto
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java (added)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java Thu Feb 14 13:59:47 2013
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.interceptor.security;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.service.model.BindingOperationInfo;
+import org.apache.cxf.service.model.OperationInfo;
+
+/**
+ *
+ */
+public class OperationInfoAuthorizingInterceptor extends SimpleAuthorizingInterceptor {
+ private static final Logger LOG = LogUtils.getL7dLogger(OperationInfoAuthorizingInterceptor.class);
+
+ @Override
+ public void handleMessage(Message message) throws Fault {
+ SecurityContext sc = message.get(SecurityContext.class);
+ if (sc != null && sc.getUserPrincipal() != null) {
+ OperationInfo opinfo = getTargetOperationInfo(message);
+ if (opinfo != null && opinfo.getName() != null
+ && authorize(sc, opinfo.getName().getLocalPart())) {
+ return;
+ }
+ }
+
+ throw new AccessDeniedException("Unauthorized");
+
+ }
+
+ protected boolean authorize(SecurityContext sc, String key) {
+ List<String> expectedRoles = getExpectedRoles(key);
+ if (expectedRoles.isEmpty()) {
+ List<String> denyRoles = getDenyRoles(key);
+ return denyRoles.isEmpty() ? true : isUserInRole(sc, denyRoles, true);
+ }
+
+ if (isUserInRole(sc, expectedRoles, false)) {
+ return true;
+ }
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.fine(sc.getUserPrincipal().getName() + " is not authorized");
+ }
+ return false;
+ }
+
+ protected OperationInfo getTargetOperationInfo(Message message) {
+ BindingOperationInfo bop = message.getExchange().get(BindingOperationInfo.class);
+ return bop != null ? bop.getOperationInfo() : null;
+ }
+
+ protected List<String> getExpectedRoles(String key) {
+ List<String> roles = methodRolesMap.get(key);
+ if (roles != null) {
+ return roles;
+ }
+ return globalRoles;
+ }
+
+ protected List<String> getDenyRoles(String key) {
+ return Collections.emptyList();
+ }
+}
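Review bot: In `authorize(SecurityContext, String)` an operation with no entry in `methodRolesMap` falls back to `globalRoles`, and when that list and `getDenyRoles` are both empty the method returns true, so any authenticated principal is admitted to an operation whose name is missing or misspelled in the configuration. The lookup key is `opinfo.getName().getLocalPart()`, so the namespace is dropped and two operations with the same local name in different namespaces would share one role list if a single interceptor instance sees both. The class Javadoc is empty and should state both facts, for example `Authorizes by the local part of the operation QName; operations without configured roles use globalRoles and are permitted when none are set.` Denying unmapped operations by default would need an explicit option, since the inherited `testPermitWithNoRoles` relies on the current behaviour.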
Propchange: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptor.java
------------------------------------------------------------------------------
svn:executable = *
Modified: cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java?rev=1446180&r1=1446179&r2=1446180&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java Thu Feb 14 13:59:47 2013
@@ -31,9 +31,9 @@ import org.apache.cxf.security.SecurityC
public class SimpleAuthorizingInterceptor extends AbstractAuthorizingInInterceptor {
- private Map<String, List<String>> methodRolesMap = new HashMap<String, List<String>>();
- private Map<String, List<String>> userRolesMap = Collections.emptyMap();
- private List<String> globalRoles = Collections.emptyList();
+ protected Map<String, List<String>> methodRolesMap = new HashMap<String, List<String>>();
+ protected Map<String, List<String>> userRolesMap = Collections.emptyMap();
+ protected List<String> globalRoles = Collections.emptyList();
private boolean checkConfiguredRolesOnly;
@Override
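Review bot: Making `methodRolesMap`, `userRolesMap` and `globalRoles` protected lets any subclass replace or mutate the role configuration directly instead of going through the setters, and `methodRolesMap` is a mutable `HashMap`. The subclass added in this commit only reads `methodRolesMap` and `globalRoles`, so on the evidence of this page `userRolesMap` does not need widening at all. Keeping the fields private and adding one protected read accessor (a suggested name would be `getConfiguredRoles(String key)`) would give the subclass what it needs without exposing the maps. The class body continues outside the hunk.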
Added: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java?rev=1446180&view=auto
==============================================================================
--- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java (added)
+++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java Thu Feb 14 13:59:47 2013
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.interceptor.security;
+
+import java.util.Collections;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.message.Exchange;
+import org.apache.cxf.service.Service;
+import org.apache.cxf.service.invoker.MethodDispatcher;
+import org.apache.cxf.service.model.BindingOperationInfo;
+import org.apache.cxf.service.model.OperationInfo;
+import org.easymock.EasyMock;
+
+import org.junit.Before;
+
+public class OperationInfoAuthorizingInterceptorTest extends SimpleAuthorizingInterceptorTest {
+
+ @Before
+ @Override
+ public void setUp() throws Exception {
+ Exchange ex = setUpExchange();
+ Service service = EasyMock.createMock(Service.class);
+ ex.put(Service.class, service);
+ MethodDispatcher md = EasyMock.createMock(MethodDispatcher.class);
+ EasyMock.expect(service.get(MethodDispatcher.class.getName())).andReturn(md).anyTimes();
+
+ BindingOperationInfo boi = EasyMock.createMock(BindingOperationInfo.class);
+ ex.put(BindingOperationInfo.class, boi);
+ EasyMock.expect(md.getMethod(boi)).andReturn(null);
+ OperationInfo opinfo = EasyMock.createMock(OperationInfo.class);
+ EasyMock.expect(opinfo.getName()).andReturn(new QName("urn:test", "echo")).anyTimes();
+ EasyMock.expect(boi.getOperationInfo()).andReturn(opinfo).anyTimes();
+ EasyMock.replay(service, md, boi, opinfo);
+ }
+
+ @Override
+ protected SimpleAuthorizingInterceptor createSimpleAuthorizingInterceptor() {
+ return new OperationInfoAuthorizingInterceptor();
+ }
+
+ @Override
+ protected SimpleAuthorizingInterceptor createSimpleAuthorizingInterceptorWithDenyRoles(final String role) {
+ SimpleAuthorizingInterceptor in = new OperationInfoAuthorizingInterceptor() {
+ @Override
+ public List<String> getDenyRoles(String key) {
+ return Collections.singletonList(role);
+ }
+ };
+ return in;
+ }
+}
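Review bot: The inherited suite never exercises the two deny branches that are new in `OperationInfoAuthorizingInterceptor.handleMessage`, namely an exchange with no `BindingOperationInfo` and an `OperationInfo` whose `getName()` is null, because `setUp` always installs a mock returning `new QName("urn:test", "echo")`. A test that clears the `BindingOperationInfo` and expects `AccessDeniedException` would pin the fail-closed behaviour; it needs `org.junit.Test` imported in this file. Separately, `EasyMock.expect(md.getMethod(boi)).andReturn(null)` looks unused, since the new interceptor does not call `getTargetMethod` in the visible code, and could be dropped.

```java
// … unchanged: setUp() and the two factory overrides …

@Test(expected = AccessDeniedException.class)
public void testDenyWithoutBindingOperationInfo() {
    // constructed example: remove the operation installed by setUp()
    message.getExchange().put(BindingOperationInfo.class, null);
    createSimpleAuthorizingInterceptor().handleMessage(message);
}
```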
Propchange: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/OperationInfoAuthorizingInterceptorTest.java
------------------------------------------------------------------------------
svn:executable = *
Modified: cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java?rev=1446180&r1=1446179&r2=1446180&view=diff
==============================================================================
--- cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java (original)
+++ cxf/trunk/rt/core/src/test/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptorTest.java Thu Feb 14 13:59:47 2013
@@ -39,16 +39,14 @@ import org.junit.Test;
public class SimpleAuthorizingInterceptorTest extends Assert {
+ protected Message message = new MessageImpl();
private Method method;
- private Message message = new MessageImpl();
+
@Before
public void setUp() throws Exception {
method = TestService.class.getMethod("echo", new Class[]{});
- message.put(SecurityContext.class, new TestSecurityContext());
- Exchange ex = new ExchangeImpl();
- message.setExchange(ex);
-
+ Exchange ex = setUpExchange();
Service service = EasyMock.createMock(Service.class);
ex.put(Service.class, service);
MethodDispatcher md = EasyMock.createMock(MethodDispatcher.class);
@@ -62,33 +60,54 @@ public class SimpleAuthorizingIntercepto
EasyMock.replay(service, md);
}
+ protected Exchange setUpExchange() {
+ message.put(SecurityContext.class, new TestSecurityContext());
+ Exchange ex = new ExchangeImpl();
+ message.setExchange(ex);
+ return ex;
+ }
+
+ protected SimpleAuthorizingInterceptor createSimpleAuthorizingInterceptor() {
+ return new SimpleAuthorizingInterceptor();
+ }
+
+ protected SimpleAuthorizingInterceptor createSimpleAuthorizingInterceptorWithDenyRoles(final String role) {
+ SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor() {
+ @Override
+ public List<String> getDenyRoles(Method m) {
+ return Collections.singletonList(role);
+ }
+ };
+ return in;
+ }
+
@Test(expected = AccessDeniedException.class)
public void testNoSecurityContext() {
message.put(SecurityContext.class, null);
- new SimpleAuthorizingInterceptor().handleMessage(message);
+ createSimpleAuthorizingInterceptor().handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testIncompleteSecurityContext() {
message.put(SecurityContext.class, new IncompleteSecurityContext());
- new SimpleAuthorizingInterceptor().handleMessage(message);
+ createSimpleAuthorizingInterceptor().handleMessage(message);
}
@Test
public void testPermitWithNoRoles() {
- new SimpleAuthorizingInterceptor().handleMessage(message);
+ createSimpleAuthorizingInterceptor().handleMessage(message);
}
@Test
public void testPermitWithMethodRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setMethodRolesMap(Collections.singletonMap("echo", "role1 testRole"));
in.handleMessage(message);
}
@Test
public void testPermitWithMethodRolesConfigurationOnly() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setCheckConfiguredRolesOnly(true);
in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2"));
@@ -97,7 +116,7 @@ public class SimpleAuthorizingIntercepto
@Test(expected = AccessDeniedException.class)
public void testDenyWithMethodRolesConfigurationOnly() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setCheckConfiguredRolesOnly(true);
in.setUserRolesMap(Collections.singletonMap("testUser", "role1"));
in.setMethodRolesMap(Collections.singletonMap("echo", "role2 role3"));
@@ -106,7 +125,7 @@ public class SimpleAuthorizingIntercepto
@Test(expected = AccessDeniedException.class)
public void testEmptyRolesConfigurationOnly() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setCheckConfiguredRolesOnly(true);
in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2"));
in.handleMessage(message);
@@ -114,65 +133,47 @@ public class SimpleAuthorizingIntercepto
@Test
public void testPermitAll() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setMethodRolesMap(Collections.singletonMap("echo", "*"));
in.handleMessage(message);
}
@Test
public void testPermitWithClassRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setGlobalRoles("role1 testRole");
in.handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testDenyWithMethodRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setMethodRolesMap(Collections.singletonMap("echo", "role1 role2"));
in.handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testDenyWithClassRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor();
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptor();
in.setGlobalRoles("role1 role2");
in.handleMessage(message);
}
@Test
public void testPermitWithDenyRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor() {
- @Override
- public List<String> getDenyRoles(Method m) {
- return Collections.singletonList("frogs");
- }
-
- };
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptorWithDenyRoles("frogs");
in.handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testDenyWithDenyRoles() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor() {
- @Override
- public List<String> getDenyRoles(Method m) {
- return Collections.singletonList("testRole");
- }
-
- };
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptorWithDenyRoles("testRole");
in.handleMessage(message);
}
@Test(expected = AccessDeniedException.class)
public void testDenyAll() {
- SimpleAuthorizingInterceptor in = new SimpleAuthorizingInterceptor() {
- @Override
- public List<String> getDenyRoles(Method m) {
- return Collections.singletonList("*");
- }
-
- };
+ SimpleAuthorizingInterceptor in = createSimpleAuthorizingInterceptorWithDenyRoles("*");
in.handleMessage(message);
}