NIHVIVO-1207 Make the external auth-header a configuration property. Clean up SelfEditingIdentifierFactory and VitroRequestPrep.
This commit is contained in:
jeb228
parent
831d2209e9
commit
b9230edaf2
4 changed files with 169 additions and 131 deletions
|
|
@ -27,78 +27,154 @@ import com.hp.hpl.jena.rdf.model.Model;
|
|||
import com.hp.hpl.jena.rdf.model.RDFNode;
|
||||
import com.hp.hpl.jena.rdf.model.Resource;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.ConfigurationProperties;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.Individual;
|
||||
import edu.cornell.mannlib.vitro.webapp.dao.WebappDaoFactory;
|
||||
|
||||
/**
|
||||
* Pulls a netId out of the CUWebAuth REMOTE_USER header.
|
||||
*
|
||||
* @author bdc34
|
||||
* @author bdc34, trashed by jeb228
|
||||
*/
|
||||
public class SelfEditingIdentifierFactory implements IdentifierBundleFactory {
|
||||
public final static String httpHeaderForNetId = "REMOTE_USER";
|
||||
private static final Log log = LogFactory.getLog(SelfEditingIdentifierFactory.class);
|
||||
|
||||
private static final Log log = LogFactory.getLog(SelfEditingIdentifierFactory.class.getName());
|
||||
/**
|
||||
* The configuration property that names the HTTP header that will hold the
|
||||
* username from the external authorization system.
|
||||
*/
|
||||
private static final String PROPERTY_EXTERNAL_AUTH_HEADER_NAME = "externalAuth.headerName";
|
||||
|
||||
public IdentifierBundle getIdentifierBundle(ServletRequest request, HttpSession session, ServletContext context) {
|
||||
IdentifierBundle idb = getFromCUWebAuthHeader(request,session,context);
|
||||
if( idb != null )
|
||||
return idb;
|
||||
else
|
||||
return getFromSession(session);
|
||||
}
|
||||
private final static String ATTRIBUTE_NETID = "SelfEditingIdentifierFactory.netid";
|
||||
private final static String ATTRIBUTE_SELFID = "SelfEditingIdentifierFactory.selfid";
|
||||
|
||||
private IdentifierBundle getFromCUWebAuthHeader(ServletRequest request, HttpSession session,ServletContext context){
|
||||
String cuwebauthUser = ((HttpServletRequest)request).getHeader(CUWEBAUTH_REMOTE_USER_HEADER);
|
||||
log.debug("Looking for CUWebAuth header " + CUWEBAUTH_REMOTE_USER_HEADER + " found : '" + cuwebauthUser +"'");
|
||||
private static final int MAXIMUM_USERNAME_LENGTH = 100;
|
||||
|
||||
if( cuwebauthUser == null || cuwebauthUser.length() == 0){
|
||||
log.debug("No CUWebAuthUser string found");
|
||||
public IdentifierBundle getIdentifierBundle(ServletRequest request,
|
||||
HttpSession session, ServletContext context) {
|
||||
if (session == null) {
|
||||
log.debug("session is null.");
|
||||
return null;
|
||||
}
|
||||
if( cuwebauthUser.length() > 100){
|
||||
log.info("CUWebAuthUser is longer than 100 chars, this may be a malicious request");
|
||||
if (!(request instanceof HttpServletRequest)) {
|
||||
log.debug("request is null or not an HttpServletRequest");
|
||||
return null;
|
||||
}
|
||||
if( context == null ){
|
||||
log.error("ServletContext was null");
|
||||
HttpServletRequest req = (HttpServletRequest) request;
|
||||
log.debug("request is for " + req.getRequestURI());
|
||||
|
||||
NetId netId = figureNetId(req);
|
||||
SelfEditing selfId = figureSelfEditingId(req, netId);
|
||||
putIdsInSession(req, netId, selfId);
|
||||
|
||||
return getIdsFromSession(session);
|
||||
}
|
||||
|
||||
private NetId figureNetId(HttpServletRequest req) {
|
||||
String externalAuthHeaderName = ConfigurationProperties.getProperty(PROPERTY_EXTERNAL_AUTH_HEADER_NAME);
|
||||
if (isEmpty(externalAuthHeaderName)) {
|
||||
log.debug(PROPERTY_EXTERNAL_AUTH_HEADER_NAME + " property is not configured.");
|
||||
return null;
|
||||
}
|
||||
|
||||
NetId netid = new NetId(cuwebauthUser);
|
||||
SelfEditing selfE = null;
|
||||
String externalUsername = req.getHeader(externalAuthHeaderName);
|
||||
if (isEmpty(externalUsername)) {
|
||||
log.debug("The external username is empty.");
|
||||
return null;
|
||||
}
|
||||
if (externalUsername.length() > MAXIMUM_USERNAME_LENGTH) {
|
||||
log.info("The external username is longer than " + MAXIMUM_USERNAME_LENGTH
|
||||
+ " chars; this may be a malicious request");
|
||||
return null;
|
||||
}
|
||||
|
||||
IdentifierBundle idb = new ArrayIdentifierBundle();
|
||||
idb.add(netid);
|
||||
log.debug("added NetId object to IdentifierBundle from CUWEBAUTH header");
|
||||
//VitroRequest vreq = new VitroRequest((HttpServletRequest)request);
|
||||
return new NetId(externalUsername);
|
||||
}
|
||||
|
||||
WebappDaoFactory wdf = (WebappDaoFactory)context.getAttribute("webappDaoFactory");
|
||||
private SelfEditing figureSelfEditingId(HttpServletRequest request,
|
||||
NetId netId) {
|
||||
if (netId == null) {
|
||||
return null;
|
||||
}
|
||||
String username = netId.getValue();
|
||||
|
||||
HttpSession session = request.getSession(false);
|
||||
if (session == null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
ServletContext context = session.getServletContext();
|
||||
WebappDaoFactory wdf = (WebappDaoFactory) context
|
||||
.getAttribute("webappDaoFactory");
|
||||
if (wdf == null) {
|
||||
log.error("Could not get a WebappDaoFactory from the ServletContext");
|
||||
return null;
|
||||
}
|
||||
|
||||
String uri = wdf.getIndividualDao().getIndividualURIFromNetId(cuwebauthUser);
|
||||
String uri = wdf.getIndividualDao().getIndividualURIFromNetId(username);
|
||||
if (uri == null) {
|
||||
log.debug("could not find an Individual with a netId of "
|
||||
+ username);
|
||||
}
|
||||
|
||||
if( uri != null){
|
||||
Individual ind = wdf.getIndividualDao().getIndividualByURI(uri);
|
||||
if( ind != null ){
|
||||
String blacklisted = checkForBlacklisted(ind, context);
|
||||
if (ind == null) {
|
||||
log.warn("found a URI for the netId " + username
|
||||
+ " but could not build Individual");
|
||||
return null;
|
||||
}
|
||||
|
||||
selfE = new SelfEditing( ind ,blacklisted , false);
|
||||
idb.add( selfE );
|
||||
log.debug("Found an Individual for netId " + cuwebauthUser + " URI: " + ind.getURI() );
|
||||
}else{
|
||||
log.warn("found a URI for the netId " + cuwebauthUser + " but could not build Individual");
|
||||
log.debug("Found an Individual for netId " + username + " URI: " + uri);
|
||||
String blacklisted = checkForBlacklisted(ind, context);
|
||||
return new SelfEditing(ind, blacklisted, false);
|
||||
}
|
||||
}else{
|
||||
log.debug("could not find an Individual with a netId of " + cuwebauthUser );
|
||||
|
||||
private void putIdsInSession(HttpServletRequest request, NetId netId,
|
||||
SelfEditing selfId) {
|
||||
// If there is no session, and nothing to store, we're done.
|
||||
HttpSession session = request.getSession(false);
|
||||
if ((session == null) && (netId == null) && (selfId == null)) {
|
||||
return;
|
||||
}
|
||||
|
||||
// If there is a session, set or clear the attributes as appropriate.
|
||||
session = request.getSession();
|
||||
session.setAttribute(ATTRIBUTE_NETID, netId);
|
||||
session.setAttribute(ATTRIBUTE_SELFID, selfId);
|
||||
}
|
||||
|
||||
private IdentifierBundle getIdsFromSession(HttpSession session) {
|
||||
NetId netId = (NetId) session.getAttribute(ATTRIBUTE_NETID);
|
||||
SelfEditing selfId = (SelfEditing) session.getAttribute(ATTRIBUTE_SELFID);
|
||||
|
||||
if (netId == null && selfId == null) {
|
||||
log.debug("no self-editing IDs in the session");
|
||||
return null;
|
||||
}
|
||||
|
||||
IdentifierBundle idb = new ArrayIdentifierBundle();
|
||||
if (netId != null) {
|
||||
idb.add(netId);
|
||||
log.debug("added NetId from session: " + netId);
|
||||
}
|
||||
if (selfId != null) {
|
||||
idb.add(selfId);
|
||||
log.debug("added SelfEditing from Session: " + selfId);
|
||||
}
|
||||
putNetIdInSession(session, selfE, netid);
|
||||
return idb;
|
||||
}
|
||||
|
||||
private boolean isEmpty(String string) {
|
||||
return (string == null || string.isEmpty());
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
// static utility methods
|
||||
// ----------------------------------------------------------------------
|
||||
|
||||
public static final String NOT_BLACKLISTED = null;
|
||||
private final static String BLACKLIST_SPARQL_DIR = "/admin/selfEditBlacklist";
|
||||
|
||||
/**
|
||||
* Runs through .sparql files in the BLACKLIST_SPARQL_DIR, the first that returns one
|
||||
* or more rows will be cause the user to be blacklisted. The first variable from
|
||||
|
|
@ -210,44 +286,27 @@ public class SelfEditingIdentifierFactory implements IdentifierBundleFactory {
|
|||
return null;
|
||||
}
|
||||
|
||||
private IdentifierBundle getFromSession( HttpSession session ){
|
||||
if (session == null) {
|
||||
public static SelfEditing getSelfEditingIdentifier( IdentifierBundle whoToAuth ){
|
||||
if( whoToAuth == null ) return null;
|
||||
for(Identifier id : whoToAuth){
|
||||
if (id instanceof SelfEditing)
|
||||
return (SelfEditing)id;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
NetId netid = (NetId)session.getAttribute(NETID_IN_SESSION);
|
||||
SelfEditing sed = (SelfEditing)session.getAttribute(URI_IN_SESSION);
|
||||
|
||||
if( netid != null || sed != null ){
|
||||
IdentifierBundle idb = new ArrayIdentifierBundle();
|
||||
if( netid != null){
|
||||
idb.add(netid);
|
||||
log.debug("added NetId from session");
|
||||
}
|
||||
if( sed != null ){
|
||||
idb.add(sed);
|
||||
log.debug("added SelfEditing from Session");
|
||||
}
|
||||
return idb;
|
||||
}else
|
||||
public static String getSelfEditingUri( IdentifierBundle whoToAuth){
|
||||
SelfEditing sid = getSelfEditingIdentifier(whoToAuth);
|
||||
if( sid != null )
|
||||
return sid.getValue();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
|
||||
// ----------------------------------------------------------------------
|
||||
// Helper classes
|
||||
// ----------------------------------------------------------------------
|
||||
|
||||
protected final static String NETID_IN_SESSION = "NetIdIdentifierFactory.netid";
|
||||
protected final static String URI_IN_SESSION = "NetIdIdentifierFactory.uri";
|
||||
|
||||
public static void putNetIdInSession( HttpSession session, SelfEditing se, NetId ni){
|
||||
session.setAttribute(NETID_IN_SESSION, ni);
|
||||
session.setAttribute(URI_IN_SESSION, se);
|
||||
}
|
||||
|
||||
public static void clearNetIdFromSession( HttpSession session ){
|
||||
session.removeAttribute(NETID_IN_SESSION);
|
||||
session.removeAttribute(URI_IN_SESSION);
|
||||
}
|
||||
|
||||
/********************** NetId inner class *************************/
|
||||
public static class NetId implements Identifier{
|
||||
public final String value;
|
||||
public NetId(String value){
|
||||
|
|
@ -288,30 +347,11 @@ public class SelfEditingIdentifierFactory implements IdentifierBundleFactory {
|
|||
}
|
||||
public String toString(){
|
||||
return "SelfEditing as " + getValue() +
|
||||
(getBlacklisted()!=null? " blacklisted by via " + getBlacklisted():"");
|
||||
(getBlacklisted()!=null? " blacklisted via " + getBlacklisted():"");
|
||||
}
|
||||
public boolean isFake() {
|
||||
return faked;
|
||||
}
|
||||
}
|
||||
|
||||
public static SelfEditing getSelfEditingIdentifier( IdentifierBundle whoToAuth ){
|
||||
if( whoToAuth == null ) return null;
|
||||
for(Identifier id : whoToAuth){
|
||||
if (id instanceof SelfEditing)
|
||||
return (SelfEditing)id;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public static String getSelfEditingUri( IdentifierBundle whoToAuth){
|
||||
SelfEditing sid = getSelfEditingIdentifier(whoToAuth);
|
||||
if( sid != null )
|
||||
return sid.getValue();
|
||||
else
|
||||
return null;
|
||||
}
|
||||
public static final String NOT_BLACKLISTED = null;
|
||||
private final static String BLACKLIST_SPARQL_DIR = "/admin/selfEditBlacklist";
|
||||
private final static String CUWEBAUTH_REMOTE_USER_HEADER = "REMOTE_USER";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,8 +20,8 @@ import javax.servlet.http.HttpSession;
|
|||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ServletIdentifierBundleFactory;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
|
||||
|
|
@ -412,20 +412,21 @@ public class VitroRequestPrep implements Filter {
|
|||
if (session == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
ServletContext sc = session.getServletContext();
|
||||
|
||||
IdentifierBundle idBundle = ServletIdentifierBundleFactory
|
||||
.getIdBundleForRequest(request, session, sc);
|
||||
|
||||
for (Identifier id : idBundle) {
|
||||
if (id instanceof SelfEditing) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
IdentifierBundle idBundle = ServletIdentifierBundleFactory.getIdBundleForRequest(request, session, sc);
|
||||
if (idBundle == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
SelfEditing selfId = SelfEditingIdentifierFactory.getSelfEditingIdentifier(idBundle);
|
||||
if (selfId == null) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public void destroy() {
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,6 @@
|
|||
|
||||
<%
|
||||
if( request.getParameter("force") != null ){
|
||||
VitroRequestPrep.forceToSelfEditing(request);
|
||||
String netid = request.getParameter("netid");
|
||||
// note that this affects the current user's session, not the whole servlet context
|
||||
FakeSelfEditingIdentifierFactory.clearFakeIdInSession( session );
|
||||
|
|
@ -28,7 +27,6 @@
|
|||
<% }
|
||||
String loggedOutNetId = (String)session.getAttribute(FakeSelfEditingIdentifierFactory.FAKE_SELF_EDIT_NETID);
|
||||
if( request.getParameter("stopfaking") != null){
|
||||
VitroRequestPrep.forceOutOfSelfEditing(request);
|
||||
FakeSelfEditingIdentifierFactory.clearFakeIdInSession( session );
|
||||
// don't want to do this because would affect the whole session
|
||||
// if (!LoginStatusBean.getBean(request).isLoggedInAtLeast(LoginStatusBean.CURATOR)) {
|
||||
|
|
|
|||
|
|
@ -74,7 +74,6 @@ private void checkNetId( String inNetId, JspWriter out, HttpServletRequest reque
|
|||
}else{
|
||||
out.println("could not find a Individual with the neditd of " + inNetId );
|
||||
}
|
||||
//putNetIdInSession(session, selfE, netid);
|
||||
|
||||
}else{
|
||||
out.println("no remote user value found or value was longer than 100 chars.");
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue