You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@usergrid.apache.org by sn...@apache.org on 2016/10/24 13:06:41 UTC
[56/83] [abbrv] usergrid git commit: Enhance superuser basic auth
filter to login to shiro with a token just like the sysadmin tokens.
Enhance superuser basic auth filter to login to shiro with a token just like the sysadmin tokens.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/e6600b84
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/e6600b84
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/e6600b84
Branch: refs/heads/asf-site
Commit: e6600b84ef81ebc4eda64fa9cd2dfddb42e8ab1b
Parents: 016b7fa
Author: Michael Russo <mr...@apigee.com>
Authored: Fri Sep 9 23:43:59 2016 -0700
Committer: Michael Russo <mr...@apigee.com>
Committed: Fri Sep 9 23:43:59 2016 -0700
----------------------------------------------------------------------
.../actorsystem/ActorSystemManagerImpl.java | 2 +-
.../actorsystem/ClusterListener.java | 1 +
.../security/SecuredResourceFilterFactory.java | 35 ++++-----
.../shiro/filters/BasicAuthSecurityFilter.java | 76 +++++++++-----------
.../AbstractPasswordCredentials.java | 3 +-
.../shiro/credentials/AdminUserPassword.java | 2 +
6 files changed, 52 insertions(+), 67 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java
----------------------------------------------------------------------
diff --git a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java
index 5a36656..ed9344c 100644
--- a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java
+++ b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ActorSystemManagerImpl.java
@@ -194,7 +194,7 @@ public class ActorSystemManagerImpl implements ActorSystemManager {
clusterSystem = createClusterSystem( config );
// register our cluster listener
- clusterSystem.actorOf(Props.create(ClusterListener.class),
+ clusterSystem.actorOf(Props.create(ClusterListener.class, getSeedsByRegion(), getCurrentRegion()),
"clusterListener");
createClientActors( clusterSystem );
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java
----------------------------------------------------------------------
diff --git a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java
index 44473a7..a568295 100644
--- a/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java
+++ b/stack/corepersistence/actorsystem/src/main/java/org/apache/usergrid/persistence/actorsystem/ClusterListener.java
@@ -38,6 +38,7 @@ public class ClusterListener extends UntypedActor {
public ClusterListener( ListMultimap<String, String> seedsByRegion, String currentRegion ){
+ // providing these to the lister as they may be used in near future to handle custom logic on member events
this.seedsByRegion = seedsByRegion;
this.currentRegion = currentRegion;
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index f1f6c17..80d9074 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -254,7 +254,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
logger.trace("SysadminLocalhostFilter.authorize");
}
- if ( !isServiceAdmin() && !isBasicAuthServiceAdmin(request)) {
+ if ( !isServiceAdmin() ) {
// not a sysadmin request
return;
}
@@ -303,7 +303,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
logger.trace("OrganizationFilter.authorize");
}
- if ( !isPermittedAccessToOrganization( getOrganizationIdentifier() ) && !isBasicAuthServiceAdmin(request) ) {
+ if ( !isPermittedAccessToOrganization( getOrganizationIdentifier() ) ) {
if (logger.isTraceEnabled()) {
logger.trace("No organization access authorized");
}
@@ -375,7 +375,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
throw mappableSecurityException( "unauthorized", "No application guest access authorized" );
}
}
- if ( !isPermittedAccessToApplication( getApplicationIdentifier() ) && !isBasicAuthServiceAdmin(request) ) {
+ if ( !isPermittedAccessToApplication( getApplicationIdentifier() ) ) {
throw mappableSecurityException( "unauthorized", "No application access authorized" );
}
}
@@ -397,7 +397,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
logger.trace("SystemFilter.authorize");
}
try {
- if (!isBasicAuthServiceAdmin(request) && !isServiceAdmin()) {
+ if (!isServiceAdmin()) {
if (logger.isTraceEnabled()) {
logger.trace("You are not the system admin.");
}
@@ -405,14 +405,11 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
SecurityException.REALM );
}
} catch (IllegalStateException e) {
- if (logger.isDebugEnabled()) {
- logger.debug("This is an invalid state", e);
- }
- if ((request.getSecurityContext().getUserPrincipal() == null) ||
- !ROLE_SERVICE_ADMIN.equals( request.getSecurityContext().getUserPrincipal().getName() )) {
- throw mappableSecurityException( "unauthorized", "No system access authorized",
- SecurityException.REALM );
- }
+
+ logger.error("This is an invalid state", e);
+ throw mappableSecurityException( "unauthorized", "No system access authorized",
+ SecurityException.REALM );
+
}
}
@@ -429,7 +426,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
if (logger.isTraceEnabled()) {
logger.trace("AdminUserFilter.authorize");
}
- if (!isUser( getUserIdentifier() ) && !isServiceAdmin() && !isBasicAuthServiceAdmin(request) ) {
+ if (!isUser( getUserIdentifier() ) && !isServiceAdmin() ) {
throw mappableSecurityException( "unauthorized", "No admin user access authorized" );
}
}
@@ -471,7 +468,10 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
logger.debug( "PathPermissionsFilter.authorize" );
}
- if ( isServiceAdmin() || isBasicAuthServiceAdmin(request)){
+ if ( isServiceAdmin() ){
+ if(logger.isTraceEnabled()){
+ logger.trace("User is sysadmin. Allowing access.");
+ }
// superuser can do anything, short circuit here and allow the request
return;
}
@@ -545,11 +545,4 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
}
}
- private static boolean isBasicAuthServiceAdmin(ContainerRequestContext request){
-
- return request.getSecurityContext().isUserInRole( ROLE_SERVICE_ADMIN );
-
- }
-
-
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
index d4d2e60..b4c4f19 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
@@ -19,6 +19,8 @@ package org.apache.usergrid.rest.security.shiro.filters;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.subject.Subject;
+import org.apache.usergrid.management.UserInfo;
+import org.apache.usergrid.rest.exceptions.SecurityException;
import org.apache.usergrid.security.shiro.PrincipalCredentialsToken;
import org.apache.usergrid.security.shiro.utils.SubjectUtils;
import org.slf4j.Logger;
@@ -73,64 +75,50 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
String sysadmin_login_password = properties.getProperty( "usergrid.sysadmin.login.password" );
boolean sysadmin_login_allowed =
Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.login.allowed" ) );
- if ( name.equalsIgnoreCase( sysadmin_login_name ) && password.equals( sysadmin_login_password )
- && sysadmin_login_allowed ) {
- request.setSecurityContext( new SysAdminRoleAuthenticator() );
- if (logger.isTraceEnabled()) {
- logger.trace("System administrator access allowed");
+ if ( name.equalsIgnoreCase( sysadmin_login_name ) && sysadmin_login_allowed ) {
+
+ // short cut with a password check against the configured property
+ if( !password.equals( sysadmin_login_password ) ){
+
+ throw mappableSecurityException( "unauthorized", "No system access authorized",
+ SecurityException.REALM );
+
}
- }else{
try {
- PrincipalCredentialsToken token =
- management.getPrincipalCredentialsTokenForClientCredentials( name, password );
+ UserInfo userInfo = management.verifyAdminUserPasswordCredentials(name.toLowerCase(), password);
+ PrincipalCredentialsToken token = PrincipalCredentialsToken
+ .getFromAdminUserInfoAndPassword(userInfo, password, emf.getManagementAppId());
Subject subject = SubjectUtils.getSubject();
subject.login( token );
- }
- catch ( Exception e ) {
- throw mappableSecurityException( INVALID_CLIENT_CREDENTIALS_ERROR );
- }
-
-
- }
- }
-
- private static class SysAdminRoleAuthenticator implements SecurityContext {
-
- private final Principal principal;
-
- SysAdminRoleAuthenticator() {
- principal = new Principal() {
- @Override
- public String getName() {
- return ROLE_SERVICE_ADMIN;
+ if (logger.isTraceEnabled()) {
+ logger.trace("System administrator access allowed");
}
- };
- }
-
- @Override
- public Principal getUserPrincipal() {
- return principal;
- }
+ } catch (Exception e) {
+ logger.error("Unable to validate admin credentials");
+ throw mappableSecurityException( "unauthorized", "No system access authorized",
+ SecurityException.REALM );
+ }
- @Override
- public boolean isUserInRole( String role ) {
- return role.equals( ROLE_SERVICE_ADMIN );
}
+ // only allow client credentials with http basic auth other than the sysadmin
+ else{
-
- @Override
- public boolean isSecure() {
- return false;
- }
+ try {
+ PrincipalCredentialsToken token =
+ management.getPrincipalCredentialsTokenForClientCredentials( name, password );
+ Subject subject = SubjectUtils.getSubject();
+ subject.login( token );
+ }
+ catch ( Exception e ) {
+ throw mappableSecurityException( INVALID_CLIENT_CREDENTIALS_ERROR );
+ }
- @Override
- public String getAuthenticationScheme() {
- return SecurityContext.BASIC_AUTH;
}
}
+
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java
index a69ed5e..e7e8e82 100644
--- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java
+++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AbstractPasswordCredentials.java
@@ -19,8 +19,9 @@ package org.apache.usergrid.security.shiro.credentials;
public class AbstractPasswordCredentials implements PasswordCredentials {
- private final String password;
+ private String password;
+ public AbstractPasswordCredentials(){} // do not remove, needed for jackson
public AbstractPasswordCredentials( String password ) {
this.password = password;
http://git-wip-us.apache.org/repos/asf/usergrid/blob/e6600b84/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java
index 41c869a..69aa440 100644
--- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java
+++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/credentials/AdminUserPassword.java
@@ -19,6 +19,8 @@ package org.apache.usergrid.security.shiro.credentials;
public class AdminUserPassword extends AbstractPasswordCredentials implements AdminUserCredentials {
+ public AdminUserPassword(){} //do not remove, needed for Jackson
+
public AdminUserPassword( String password ) {
super( password );
}