NIHVIVO-2492 restrict Ajax controllers by UseBasicAjaxControllers
This commit is contained in:
j2blake
parent
a49554db8f
commit
4654ec7354
9 changed files with 38 additions and 55 deletions
|
|
@ -15,6 +15,7 @@ import java.util.HashSet;
|
|||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.http.HttpServlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
|
|
@ -28,7 +29,6 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
|||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
|
||||
|
||||
/**
|
||||
* A collection of static methods to help determine whether requested actions
|
||||
|
|
@ -76,8 +76,8 @@ public class PolicyHelper {
|
|||
/**
|
||||
* Does this servlet require authorization?
|
||||
*/
|
||||
public static boolean isServletRestricted(VitroHttpServlet servlet) {
|
||||
Class<? extends VitroHttpServlet> servletClass = servlet.getClass();
|
||||
public static boolean isServletRestricted(HttpServlet servlet) {
|
||||
Class<? extends HttpServlet> servletClass = servlet.getClass();
|
||||
try {
|
||||
return !ActionClauses.forServletClass(servletClass).isEmpty();
|
||||
} catch (PolicyHelperException e) {
|
||||
|
|
@ -90,7 +90,7 @@ public class PolicyHelper {
|
|||
* user by the current policies?
|
||||
*/
|
||||
public static boolean isAuthorizedForServlet(HttpServletRequest req,
|
||||
VitroHttpServlet servlet) {
|
||||
HttpServlet servlet) {
|
||||
return isAuthorizedForServlet(req, servlet.getClass());
|
||||
}
|
||||
|
||||
|
|
@ -99,7 +99,7 @@ public class PolicyHelper {
|
|||
* current user by the current policies?
|
||||
*/
|
||||
public static boolean isAuthorizedForServlet(HttpServletRequest req,
|
||||
Class<? extends VitroHttpServlet> servletClass) {
|
||||
Class<? extends HttpServlet> servletClass) {
|
||||
try {
|
||||
return isAuthorizedForActionClauses(req,
|
||||
ActionClauses.forServletClass(servletClass));
|
||||
|
|
@ -197,7 +197,7 @@ public class PolicyHelper {
|
|||
*/
|
||||
private static class ActionClauses {
|
||||
static ActionClauses forServletClass(
|
||||
Class<? extends VitroHttpServlet> servletClass)
|
||||
Class<? extends HttpServlet> servletClass)
|
||||
throws PolicyHelperException {
|
||||
return new ActionClauses(
|
||||
servletClass.getAnnotation(RequiresAuthorizationFor.class));
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
|||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.SeeRevisionInfo;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseAdvancedDataToolsPages;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseEditUserAccountsPages;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseIndividualEditorPages;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseMenuEditorPages;
|
||||
|
|
@ -83,6 +84,9 @@ public class UseRestrictedPagesByRoleLevelPolicy implements PolicyIface {
|
|||
} else if (whatToAuth instanceof SeeRevisionInfo) {
|
||||
result = isAuthorized(whatToAuth, RoleLevel.EDITOR, userRole);
|
||||
|
||||
} else if (whatToAuth instanceof UseBasicAjaxControllers) {
|
||||
result = isAuthorized(whatToAuth, RoleLevel.SELF, userRole);
|
||||
|
||||
} else {
|
||||
result = defaultDecision("Unrecognized action");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
|
||||
/** Should we allow the user to use the basic Ajax controllers? */
|
||||
public class UseBasicAjaxControllers extends RequestedAction implements
|
||||
UsePagesRequestedAction {
|
||||
// no fields
|
||||
}
|
||||
|
|
@ -9,7 +9,6 @@ import java.io.IOException;
|
|||
import java.io.OutputStream;
|
||||
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
|
|
@ -26,7 +25,8 @@ import com.hp.hpl.jena.query.ResultSetFormatter;
|
|||
import com.hp.hpl.jena.query.Syntax;
|
||||
import com.hp.hpl.jena.rdf.model.Model;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
|
||||
/**
|
||||
|
|
@ -35,6 +35,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
|||
*
|
||||
* The result is delivered in JSON format.
|
||||
*/
|
||||
@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
|
||||
public class SparqlQueryAjaxController extends VitroAjaxController {
|
||||
private static final Log log = LogFactory
|
||||
.getLog(SparqlQueryAjaxController.class);
|
||||
|
|
@ -42,14 +43,6 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
|
|||
private static final String PARAMETER_QUERY = "query";
|
||||
private static final String RESPONSE_MIME_TYPE = "application/javascript";
|
||||
|
||||
/**
|
||||
* If you are logged in, you can use this servlet.
|
||||
*/
|
||||
@Override
|
||||
protected boolean testIsAuthorized(HttpServletRequest request) {
|
||||
return LoginStatusBean.getBean(request).isLoggedIn();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doRequest(VitroRequest vreq, HttpServletResponse response)
|
||||
throws ServletException, IOException {
|
||||
|
|
|
|||
|
|
@ -15,14 +15,11 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerConfigurationLoader;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessingHelper;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.freemarker.TemplateProcessingHelper.TemplateProcessingException;
|
||||
import edu.cornell.mannlib.vitro.webapp.search.controller.AutocompleteController;
|
||||
import freemarker.template.Configuration;
|
||||
import freemarker.template.Template;
|
||||
import freemarker.template.TemplateException;
|
||||
|
||||
/**
|
||||
* A base class for servlets that handle AJAX requests.
|
||||
|
|
@ -30,12 +27,6 @@ import freemarker.template.TemplateException;
|
|||
public abstract class VitroAjaxController extends HttpServlet {
|
||||
|
||||
private static final Log log = LogFactory.getLog(VitroAjaxController.class);
|
||||
|
||||
/**
|
||||
* Sub-classes must implement this method to verify that the user is
|
||||
* authorized to execute this request.
|
||||
*/
|
||||
protected abstract boolean testIsAuthorized(HttpServletRequest request);
|
||||
|
||||
/**
|
||||
* Sub-classes must implement this method to handle both GET and POST
|
||||
|
|
@ -51,7 +42,7 @@ public abstract class VitroAjaxController extends HttpServlet {
|
|||
protected final void doGet(HttpServletRequest req, HttpServletResponse resp)
|
||||
throws ServletException, IOException {
|
||||
VitroRequest vreq = new VitroRequest(req);
|
||||
if (testIsAuthorized(vreq)) {
|
||||
if (PolicyHelper.isAuthorizedForServlet(vreq, this)) {
|
||||
doRequest(vreq, resp);
|
||||
} else {
|
||||
resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized");
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.controller.edit;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.httpclient.HttpStatus;
|
||||
|
|
@ -10,23 +9,20 @@ import org.apache.commons.lang.StringUtils;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
|
||||
|
||||
|
||||
@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
|
||||
public class PrimitiveDelete extends VitroAjaxController {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
private static final Log log = LogFactory.getLog(PrimitiveDelete.class);
|
||||
|
||||
@Override
|
||||
protected boolean testIsAuthorized(HttpServletRequest request) {
|
||||
return LoginStatusBean.getBean(request).isLoggedIn();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
|
||||
|
||||
|
|
|
|||
|
|
@ -21,21 +21,19 @@ import com.hp.hpl.jena.rdf.model.Model;
|
|||
import com.hp.hpl.jena.shared.Lock;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.jena.DependentResourceDeleteJena;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.jena.event.EditEvent;
|
||||
import edu.cornell.mannlib.vitro.webapp.edit.n3editing.EditN3Utils;
|
||||
|
||||
@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
|
||||
public class PrimitiveRdfEdit extends VitroAjaxController {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
@Override
|
||||
protected boolean testIsAuthorized(HttpServletRequest request) {
|
||||
return LoginStatusBean.getBean(request).isLoggedIn();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doRequest(VitroRequest vreq,
|
||||
HttpServletResponse response) throws ServletException, IOException {
|
||||
|
|
|
|||
|
|
@ -2,14 +2,14 @@
|
|||
|
||||
package edu.cornell.mannlib.vitro.webapp.controller.edit;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.httpclient.HttpStatus;
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
|
||||
|
|
@ -24,6 +24,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
|
|||
* @author rjy7
|
||||
*
|
||||
*/
|
||||
@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
|
||||
public class ReorderController extends VitroAjaxController {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
|
@ -32,12 +33,6 @@ public class ReorderController extends VitroAjaxController {
|
|||
private static String RANK_PREDICATE_PARAMETER_NAME = "predicate";
|
||||
private static String INDIVIDUAL_PREDICATE_PARAMETER_NAME = "individuals";
|
||||
|
||||
|
||||
@Override
|
||||
protected boolean testIsAuthorized(HttpServletRequest request) {
|
||||
return LoginStatusBean.getBean(request).isLoggedIn();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
|
||||
|
||||
|
|
|
|||
|
|
@ -33,7 +33,8 @@ import org.json.JSONArray;
|
|||
|
||||
import com.hp.hpl.jena.sparql.lib.org.json.JSONObject;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
|
||||
import edu.cornell.mannlib.vitro.webapp.flags.PortalFlag;
|
||||
|
|
@ -46,7 +47,7 @@ import edu.cornell.mannlib.vitro.webapp.search.lucene.LuceneSetup;
|
|||
* AutocompleteController generates autocomplete content
|
||||
* through a Lucene search.
|
||||
*/
|
||||
|
||||
@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
|
||||
public class AutocompleteController extends VitroAjaxController {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
|
@ -59,12 +60,6 @@ public class AutocompleteController extends VitroAjaxController {
|
|||
String NORESULT_MSG = "";
|
||||
private int defaultMaxSearchSize= 1000;
|
||||
|
||||
|
||||
@Override
|
||||
protected boolean testIsAuthorized(HttpServletRequest request) {
|
||||
return LoginStatusBean.getBean(request).isLoggedIn();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void doRequest(VitroRequest vreq, HttpServletResponse response)
|
||||
throws IOException, ServletException {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue