diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
index 4041b7a1a..e069e046c 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
@@ -15,6 +15,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
@@ -28,7 +29,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
-import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 /**
 * A collection of static methods to help determine whether requested actions
@@ -76,8 +76,8 @@ public class PolicyHelper {
 /**
 * Does this servlet require authorization?
 */
- public static boolean isServletRestricted(VitroHttpServlet servlet) {
- Class servletClass = servlet.getClass();
+ public static boolean isServletRestricted(HttpServlet servlet) {
+ Class servletClass = servlet.getClass();
 try {
 return !ActionClauses.forServletClass(servletClass).isEmpty();
 } catch (PolicyHelperException e) {
@@ -90,7 +90,7 @@ public class PolicyHelper {
 * user by the current policies?
 */
 public static boolean isAuthorizedForServlet(HttpServletRequest req,
- VitroHttpServlet servlet) {
+ HttpServlet servlet) {
 return isAuthorizedForServlet(req, servlet.getClass());
 }
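Review bot: The widening of `isServletRestricted` and `isAuthorizedForServlet` to `HttpServlet` in the `@@ -76` and `@@ -90` hunks makes these helpers the single gate for every `VitroAjaxController`, yet the Javadoc never says what an unannotated servlet yields. `isServletRestricted` returns `!ActionClauses.forServletClass(servletClass).isEmpty()`, so a class with no `@RequiresAuthorizationFor` is reported as unrestricted, and that convention should be stated where callers will read it, e.g. `* Does this servlet require authorization? A servlet with no {@code @RequiresAuthorizationFor} annotation is treated as unrestricted, so every guarded controller must carry the annotation.` The `catch (PolicyHelperException e)` body that decides the failure mode lies outside the hunk; it is worth confirming it answers "restricted" (fail closed) rather than "unrestricted" when the annotation cannot be evaluated.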
@@ -99,7 +99,7 @@ public class PolicyHelper {
 * current user by the current policies?
 */
 public static boolean isAuthorizedForServlet(HttpServletRequest req,
- Class servletClass) {
+ Class servletClass) {
 try {
 return isAuthorizedForActionClauses(req,
 ActionClauses.forServletClass(servletClass));
@@ -197,7 +197,7 @@ public class PolicyHelper {
 */
 private static class ActionClauses {
 static ActionClauses forServletClass(
- Class servletClass)
+ Class servletClass)
 throws PolicyHelperException {
 return new ActionClauses(
 servletClass.getAnnotation(RequiresAuthorizationFor.class));
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
index 759e83e51..63085234e 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/UseRestrictedPagesByRoleLevelPolicy.java
@@ -14,6 +14,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.SeeRevisionInfo;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvancedDataToolsPages;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseIndividualEditorPages;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMenuEditorPages;
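Review bot: `forServletClass` in the `@@ -197` hunk reads `servletClass.getAnnotation(RequiresAuthorizationFor.class)`, which only sees annotations declared on that exact class unless `RequiresAuthorizationFor` is itself marked `@Inherited` (its declaration is not in this diff). Because the new `VitroAjaxController.doGet` passes `this.getClass()`, any subclass of an annotated controller — an anonymous subclass, a test double, or a container-generated proxy — would present an empty clause set and be treated as unrestricted. Either confirm the annotation is `@Inherited`, or walk the superclass chain here before concluding there are no clauses. A one-line comment recording the decision, `// getAnnotation() does not see superclass annotations unless RequiresAuthorizationFor is @Inherited`, would stop the next reader from assuming otherwise.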
@@ -83,6 +84,9 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
 } else if (whatToAuth instanceof SeeRevisionInfo) {
 result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
+ } else if (whatToAuth instanceof UseBasicAjaxControllers) {
+ result = isAuthorized(whatToAuth, RoleLevel.SELF, userRole);
+
 } else {
 result = defaultDecision("Unrecognized action");
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseBasicAjaxControllers.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseBasicAjaxControllers.java
new file mode 100644
index 000000000..9e1070146
--- /dev/null
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/usepages/UseBasicAjaxControllers.java
@@ -0,0 +1,11 @@
+/* $This file is distributed under the terms of the license in /doc/license.txt$ */
+
+package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
+
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
+
+/** Should we allow the user to use the basic Ajax controllers? */
+public class UseBasicAjaxControllers extends RequestedAction implements
+ UsePagesRequestedAction {
+ // no fields
+}
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
index 2bc87de12..3b14672dc 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
@@ -9,7 +9,6 @@ import java.io.IOException;
 import java.io.OutputStream;
 import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
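Review bot: Mapping `UseBasicAjaxControllers` to `RoleLevel.SELF` puts one coarse action over five controllers whose impact differs sharply: `AutocompleteController` and `SparqlQueryAjaxController` read, while `PrimitiveRdfEdit`, `PrimitiveDelete` and `ReorderController` write to the model. The policy therefore cannot grant a self-editor autocomplete without also granting raw RDF edit and delete, and it has no way to express an object-level restriction for the write endpoints. This mirrors the previous `isLoggedIn()` rule, so it is not a regression, but if the `doRequest` bodies (not in this diff) do not re-check permission per statement, a SELF-level user can modify or delete resources they do not own through these endpoints. Consider a separate action for the write primitives, or at least a comment on this branch, `// SELF covers read and write AJAX controllers alike; per-resource checks must live in the controllers`, so the coupling is visible where the level is chosen.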
@@ -26,7 +25,8 @@ import com.hp.hpl.jena.query.ResultSetFormatter;
 import com.hp.hpl.jena.query.Syntax;
 import com.hp.hpl.jena.rdf.model.Model;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 /**
@@ -35,6 +35,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 *
 * The result is delivered in JSON format.
 */
+@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class SparqlQueryAjaxController extends VitroAjaxController {
 private static final Log log = LogFactory
 .getLog(SparqlQueryAjaxController.class);
@@ -42,14 +43,6 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
 private static final String PARAMETER_QUERY = "query";
 private static final String RESPONSE_MIME_TYPE = "application/javascript";
- /**
- * If you are logged in, you can use this servlet.
- */
- @Override
- protected boolean testIsAuthorized(HttpServletRequest request) {
- return LoginStatusBean.getBean(request).isLoggedIn();
- }
-
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws ServletException, IOException {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
index 49a993ca3..552dfcf68 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
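Review bot: With `testIsAuthorized` and its Javadoc `If you are logged in, you can use this servlet.` removed in the `@@ -42` hunk, nothing left in the class states who may call it or what the check governs. The annotation restricts who may submit the `query` parameter, but not what the query may read; a SPARQL query evaluated with Jena against the model returns whatever is in the store, so display-level restrictions that apply to ordinary pages are presumably not applied here (the `doRequest` body is outside the hunk — confirm). I would add to the class Javadoc: `* Callers need the {@link UseBasicAjaxControllers} action, which {@code UseRestrictedPagesByRoleLevelPolicy} grants at {@code RoleLevel.SELF}; the query itself is not filtered by display policies.`, dropping the last clause if the controller turns out to filter results.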
@@ -15,14 +15,11 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerConfigurationLoader;
-import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessingHelper;
-import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessingHelper.TemplateProcessingException;
-import edu.cornell.mannlib.vitro.webapp.search.controller.AutocompleteController;
 import freemarker.template.Configuration;
 import freemarker.template.Template;
-import freemarker.template.TemplateException;
 /**
 * A base class for servlets that handle AJAX requests.
@@ -30,12 +27,6 @@ import freemarker.template.TemplateException;
 public abstract class VitroAjaxController extends HttpServlet {
 private static final Log log = LogFactory.getLog(VitroAjaxController.class);
-
- /**
- * Sub-classes must implement this method to verify that the user is
- * authorized to execute this request.
- */
- protected abstract boolean testIsAuthorized(HttpServletRequest request);
 /**
 * Sub-classes must implement this method to handle both GET and POST
@@ -51,7 +42,7 @@ public abstract class VitroAjaxController extends HttpServlet {
 protected final void doGet(HttpServletRequest req, HttpServletResponse resp)
 throws ServletException, IOException {
 VitroRequest vreq = new VitroRequest(req);
- if (testIsAuthorized(vreq)) {
+ if (PolicyHelper.isAuthorizedForServlet(vreq, this)) {
 doRequest(vreq, resp);
 } else {
 resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized");
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java
index 06435026f..3467d527f 100644
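Review bot: Replacing the abstract `testIsAuthorized` with `PolicyHelper.isAuthorizedForServlet(vreq, this)` in `doGet` removes the compile-time requirement that every AJAX controller state an access rule, and the replacement appears to fail open: `PolicyHelper.isServletRestricted` treats an empty clause set as "not restricted", so if `isAuthorizedForActionClauses` authorizes an empty set (its body is not in this diff), a subclass that merely forgets `@RequiresAuthorizationFor` becomes reachable by anonymous users. The five controllers in this commit are all annotated, but the base class should not depend on that discipline holding for every future subclass. I would refuse to serve an unannotated controller and log it, so the omission surfaces in testing rather than in production; if some AJAX controller is genuinely meant to be public, give it an explicit public marker rather than relying on the absence of an annotation. `doGet`'s closing brace and any `doPost` delegation are outside the hunk.

```java
        VitroRequest vreq = new VitroRequest(req);
        // Fail closed: a controller with no @RequiresAuthorizationFor is a
        // configuration error, not a public endpoint.
        if (!PolicyHelper.isServletRestricted(this)) {
            log.error("AJAX controller " + getClass().getName()
                    + " carries no @RequiresAuthorizationFor annotation; refusing request.");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized");
            return;
        }
        // … unchanged: isAuthorizedForServlet check, doRequest, sendError …
```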
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java
@@ -2,7 +2,6 @@
 package edu.cornell.mannlib.vitro.webapp.controller.edit;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.httpclient.HttpStatus;
@@ -10,23 +9,20 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
 import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
+@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class PrimitiveDelete extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
 private static final Log log = LogFactory.getLog(PrimitiveDelete.class);
- @Override
- protected boolean testIsAuthorized(HttpServletRequest request) {
- return LoginStatusBean.getBean(request).isLoggedIn();
- }
-
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java
index f6a87db5a..bf22191bf 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java
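Review bot: `PrimitiveDelete` now relies on `@RequiresAuthorizationFor(UseBasicAjaxControllers.class)`, which under `UseRestrictedPagesByRoleLevelPolicy` answers only whether the caller holds `RoleLevel.SELF`; it says nothing about which individual may be deleted. The `IndividualDao` and `WebappDaoFactory` imports suggest this controller deletes an individual named by the request, so unless `doRequest` (outside the hunk) verifies that the caller may delete that particular resource, a self-editor can remove individuals they do not own. The class has no Javadoc; I would add one that states the contract and leaves the open question visible, e.g. `/** Deletes the individual named in the request. Access requires the {@link UseBasicAjaxControllers} action (RoleLevel.SELF); whether per-resource permission is checked in doRequest should be confirmed. */`.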
@@ -21,21 +21,19 @@ import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.shared.Lock;
 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.DependentResourceDeleteJena;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.event.EditEvent;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.EditN3Utils;
+@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class PrimitiveRdfEdit extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
- @Override
- protected boolean testIsAuthorized(HttpServletRequest request) {
- return LoginStatusBean.getBean(request).isLoggedIn();
- }
-
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws ServletException, IOException {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java
index ae18ca137..08ba5d06e 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java
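Review bot: `import edu.cornell.mannlib.vedit.beans.LoginStatusBean;` survives as a context line although its only visible use, `testIsAuthorized`, is removed; presumably `doRequest` (outside the hunk) still reads it for the editor's identity, otherwise the import is now dead. More importantly the class has no Javadoc, and with the login check gone the file no longer states anywhere what this endpoint — judging by the `EditN3Utils`, `DependentResourceDeleteJena` and `EditEvent` imports, a raw RDF add/retract — requires of its caller. I would add above the annotation: `/** Applies client-supplied RDF additions and retractions to the model. Requires the {@link UseBasicAjaxControllers} action (RoleLevel.SELF); the policy does not inspect the individual statements. */`, adjusting the last clause if `doRequest` does its own per-statement filtering.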
@@ -2,14 +2,14 @@
 package edu.cornell.mannlib.vitro.webapp.controller.edit;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.httpclient.HttpStatus;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
@@ -24,6 +24,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 * @author rjy7
 *
 */
+@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class ReorderController extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
@@ -32,12 +33,6 @@ public class ReorderController extends VitroAjaxController {
 private static String RANK_PREDICATE_PARAMETER_NAME = "predicate";
 private static String INDIVIDUAL_PREDICATE_PARAMETER_NAME = "individuals";
-
- @Override
- protected boolean testIsAuthorized(HttpServletRequest request) {
- return LoginStatusBean.getBean(request).isLoggedIn();
- }
-
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java
index 8953f6519..a0b1f2aef 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java
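Review bot: In the `@@ -24` hunk the annotation lands beneath a Javadoc whose only content is `@author rjy7`, so the class doc still says nothing about what the controller does or who may call it. A purpose line and the access rule belong there, e.g. `* Re-ranks the individuals named by the "individuals" parameter under the "predicate" rank property (so the parameter constants suggest). Requires the {@link UseBasicAjaxControllers} action.` Since the policy grants that action at `RoleLevel.SELF`, the annotation alone lets a self-editor re-rank any individuals it can name; if ownership is meant to matter, `doRequest` (outside the hunk) has to enforce it.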
@@ -33,7 +33,8 @@ import org.json.JSONArray;
 import com.hp.hpl.jena.sparql.lib.org.json.JSONObject;
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
+import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
 import edu.cornell.mannlib.vitro.webapp.flags.PortalFlag;
@@ -46,7 +47,7 @@ import edu.cornell.mannlib.vitro.webapp.search.lucene.LuceneSetup;
 * AutocompleteController generates autocomplete content
 * through a Lucene search.
 */
-
+@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class AutocompleteController extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
@@ -59,12 +60,6 @@ public class AutocompleteController extends VitroAjaxController {
 String NORESULT_MSG = "";
 private int defaultMaxSearchSize= 1000;
-
- @Override
- protected boolean testIsAuthorized(HttpServletRequest request) {
- return LoginStatusBean.getBean(request).isLoggedIn();
- }
-
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws IOException, ServletException {
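Review bot: `AutocompleteController` is, per its own Javadoc, a read-only Lucene search, yet the `@@ -46` hunk gates it with the same `UseBasicAjaxControllers` action as `PrimitiveRdfEdit` and `PrimitiveDelete`, so any future decision to open autocomplete to a wider role would necessarily open the write primitives too. A distinct action for search/lookup controllers would keep that knob separate; at minimum a comment beside the annotation, `// shares the SELF-level AJAX action with the edit primitives; see UseRestrictedPagesByRoleLevelPolicy`, records the coupling for whoever next adjusts the level. The access rule that the removed `testIsAuthorized` expressed in code should also be restated in the class Javadoc, since the annotation on its own says nothing about which role level the policy attaches to it.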