diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
index e625d3e7c..8f33dd614 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
@@ -102,29 +102,6 @@ public class PolicyHelper {
 Or[] or() default @Or();
 }

- /**
- * Are the actions that this servlet requires authorized for the current
- * user by the current policies?
- */
- public static boolean isAuthorizedForServlet(HttpServletRequest req,
- HttpServlet servlet) {
- return isAuthorizedForServlet(req, servlet.getClass());
- }
-
- /**
- * Are the actions that this servlet class requires authorized for the
- * current user by the current policies?
- */
- public static boolean isAuthorizedForServlet(HttpServletRequest req,
- Class servletClass) {
- try {
- return isAuthorizedForActionClauses(req,
- ActionClauses.forServletClass(servletClass));
- } catch (PolicyHelperException e) {
- return false;
- }
- }
-
 /**
 * Is this action class authorized for the current user by the current
 * policies?
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/Actions.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/Actions.java
index d0ea67eaf..b8bedc6b2 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/Actions.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/requestedAction/Actions.java
@@ -7,6 +7,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Set;

@@ -114,12 +115,34 @@ public class Actions {
 private static boolean isAuthorizedForAction(PolicyIface policy,
 IdentifierBundle ids, RequestedAction action) {
 PolicyDecision decision = policy.isAuthorized(ids, action);
- log.debug("decision for '" + action.getClass().getName() + "' was: "
+ log.debug("decision for '" + action.getClass().getSimpleName() + "' was: "
 + decision);
 return (decision != null)
 && (decision.getAuthorized() == Authorization.AUTHORIZED);
 }

+ @Override
+ public String toString() {
+ StringBuffer sb = new StringBuffer("Actions[");
+ for (Iterator> cit = clauseList.iterator(); cit.hasNext();) {
+ Set clause = cit.next();
+ sb.append("(");
+ for (Iterator it = clause.iterator(); it.hasNext();) {
+ RequestedAction action = it.next();
+ sb.append(action.getClass().getSimpleName());
+ if (it.hasNext()) {
+ sb.append(", ");
+ }
+ }
+ sb.append(")");
+ if (cit.hasNext()) {
+ sb.append(" or ");
+ }
+ }
+ sb.append("]");
+ return sb.toString();
+ }
+
 /**
 * Nobody knows about this action class, so only the root user should be
 * authorized for it.
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
index 3b14672dc..4b2c5286a 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/SparqlQueryAjaxController.java
@@ -25,7 +25,7 @@ import com.hp.hpl.jena.query.ResultSetFormatter;
 import com.hp.hpl.jena.query.Syntax;
 import com.hp.hpl.jena.rdf.model.Model;

-import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;

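Review bot: The new `toString` in the Actions hunk builds its output in a `StringBuffer`, whose per-call synchronization buys nothing for a method-local buffer that never escapes; `StringBuilder sb = new StringBuilder("Actions[");` is the conventional choice and the rest of the method is unchanged. As rendered here the iterator and set declarations have lost their type arguments, which looks like extraction damage rather than raw types in the commit, so I have not treated it as a defect. Separately, the debug line switched from `getName()` to `getSimpleName()`: that makes the log shorter, but if two `RequestedAction` classes in different packages share a simple name, the authorization trace no longer says which one was decided, which matters when this log is the only record of why a request was allowed. Consider keeping the fully qualified name in the decision log even if `toString` stays short.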
@@ -35,7 +35,6 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 *
 * The result is delivered in JSON format.
 */
-@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class SparqlQueryAjaxController extends VitroAjaxController {
 private static final Log log = LogFactory
 .getLog(SparqlQueryAjaxController.class);
@@ -43,6 +42,11 @@ public class SparqlQueryAjaxController extends VitroAjaxController {
 private static final String PARAMETER_QUERY = "query";
 private static final String RESPONSE_MIME_TYPE = "application/javascript";

+ @Override
+ protected Actions requiredActions(VitroRequest vreq) {
+ return new Actions(new UseBasicAjaxControllers());
+ }
+
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws ServletException, IOException {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
index 552dfcf68..2975b6bc3 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/ajax/VitroAjaxController.java
@@ -16,6 +16,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerConfigurationLoader;
 import freemarker.template.Configuration;
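Review bot: The `requiredActions` override added in the second SparqlQueryAjaxController hunk is repeated verbatim in PrimitiveDelete, PrimitiveRdfEdit, ReorderController and AutocompleteController, and each of them constructs a fresh `Actions` and `UseBasicAjaxControllers` on every request. If `Actions` is not mutated after construction (this diff shows a `clauseList` field but not whether anything appends to it, so confirm before sharing an instance), a single `private static final Actions REQUIRED_ACTIONS = new Actions(new UseBasicAjaxControllers());` per class, or one shared constant in the base class, would remove the duplication and leave the required permission greppable in one place. The method is also undocumented in each subclass; a one-line comment such as `// Only users allowed to use the basic AJAX controllers may call this endpoint.` would record the intent the removed annotation used to carry.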
@@ -42,7 +43,7 @@ public abstract class VitroAjaxController extends HttpServlet {
 protected final void doGet(HttpServletRequest req, HttpServletResponse resp)
 throws ServletException, IOException {
 VitroRequest vreq = new VitroRequest(req);
- if (PolicyHelper.isAuthorizedForServlet(vreq, this)) {
+ if (PolicyHelper.isAuthorizedForActions(vreq, requiredActions(vreq))) {
 doRequest(vreq, resp);
 } else {
 resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized");
@@ -58,6 +59,17 @@ public abstract class VitroAjaxController extends HttpServlet {
 doGet(req, resp);
 }

+ /**
+ * By default, a controller requires authorization for no actions.
+ * Subclasses that require authorization to process their page will override
+ * to return the actions that require authorization.
+ * In some cases, the choice of actions will depend on the contents of the request.
+ */
+ @SuppressWarnings("unused")
+ protected Actions requiredActions(VitroRequest vreq) {
+ return Actions.EMPTY;
+ }
+
 /**
 * Returns the current Freemarker Configuration so the controller can process
 * its data through a template.
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java
index 3467d527f..3072ea026 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveDelete.java

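Review bot: The default `requiredActions` added in the second VitroAjaxController hunk returns `Actions.EMPTY`, so any subclass that omits the override is served by `doGet` (and by the method above it that delegates through `doGet(req, resp)`) with no authorization check at all; the base class fails open, and nothing at compile time flags the omission the way the removed `@RequiresAuthorizationFor` at least made the requirement visible on the class declaration. Every subclass touched by this commit overrides the method, so consider declaring it `protected abstract Actions requiredActions(VitroRequest vreq);` on this already-abstract class to force each controller to state its requirement. If an open-by-default base is genuinely intended, the Javadoc should say so in plain terms, e.g. `* Returning {@link Actions#EMPTY} means the request is served with no authorization check at all.` The removed `isAuthorizedForServlet` returned false on `PolicyHelperException`; whether `isAuthorizedForActions` fails closed the same way is not visible in this hunk and is worth confirming.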
@@ -9,7 +9,7 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

-import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
@@ -17,12 +17,16 @@ import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao;
 import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
-@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class PrimitiveDelete extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
 private static final Log log = LogFactory.getLog(PrimitiveDelete.class);
+ @Override
+ protected Actions requiredActions(VitroRequest vreq) {
+ return new Actions(new UseBasicAjaxControllers());
+ }
+
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java
index bf22191bf..75e4d63a7 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PrimitiveRdfEdit.java

@@ -21,7 +21,7 @@ import com.hp.hpl.jena.rdf.model.Model;
 import com.hp.hpl.jena.shared.Lock;

 import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
@@ -29,11 +29,15 @@ import edu.cornell.mannlib.vitro.webapp.dao.jena.DependentResourceDeleteJena;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.event.EditEvent;
 import edu.cornell.mannlib.vitro.webapp.edit.n3editing.EditN3Utils;
-@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class PrimitiveRdfEdit extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
+ @Override
+ protected Actions requiredActions(VitroRequest vreq) {
+ return new Actions(new UseBasicAjaxControllers());
+ }
+
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws ServletException, IOException {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java
index 08ba5d06e..5995deaa3 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/ReorderController.java

@@ -8,7 +8,7 @@ import org.apache.commons.httpclient.HttpStatus;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

-import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.beans.DataPropertyStatementImpl;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@@ -24,7 +24,6 @@ import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
 * @author rjy7
 *
 */
-@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class ReorderController extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
@@ -34,6 +33,11 @@ public class ReorderController extends VitroAjaxController {
 private static String INDIVIDUAL_PREDICATE_PARAMETER_NAME = "individuals";
 @Override
+ protected Actions requiredActions(VitroRequest vreq) {
+ return new Actions(new UseBasicAjaxControllers());
+ }
+
+ @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response) {
 String errorMsg = null;
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java
index a0b1f2aef..cd319bb4c 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/AutocompleteController.java

@@ -33,7 +33,7 @@ import org.json.JSONArray;
 import com.hp.hpl.jena.sparql.lib.org.json.JSONObject;
-import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper.RequiresAuthorizationFor;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.usepages.UseBasicAjaxControllers;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.controller.ajax.VitroAjaxController;
@@ -47,7 +47,6 @@ import edu.cornell.mannlib.vitro.webapp.search.lucene.LuceneSetup;
 * AutocompleteController generates autocomplete content
 * through a Lucene search.
 */
-@RequiresAuthorizationFor(UseBasicAjaxControllers.class)
 public class AutocompleteController extends VitroAjaxController {
 private static final long serialVersionUID = 1L;
@@ -60,6 +59,11 @@ public class AutocompleteController extends VitroAjaxController {
 String NORESULT_MSG = "";
 private int defaultMaxSearchSize= 1000;

+ @Override
+ protected Actions requiredActions(VitroRequest vreq) {
+ return new Actions(new UseBasicAjaxControllers());
+ }
+
 @Override
 protected void doRequest(VitroRequest vreq, HttpServletResponse response)
 throws IOException, ServletException {