Author: ghjboss
Date: 2013-02-25 20:51:57 -0500 (Mon, 25 Feb 2013)
New Revision: 9181
Added:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/java/org/gatein/management/gadget/mop/exportimport/server/IdentityFilter.java
Modified:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/component/common/src/main/java/org/gatein/common/xml/stax/navigator/StaxNavUtils.java
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/pom.xml
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/webapp/WEB-INF/web.xml
Log:
commit the fix for BZ913125 and BZ913584
Modified:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/component/common/src/main/java/org/gatein/common/xml/stax/navigator/StaxNavUtils.java
===================================================================
---
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/component/common/src/main/java/org/gatein/common/xml/stax/navigator/StaxNavUtils.java 2013-02-25
15:07:23 UTC (rev 9180)
+++
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/component/common/src/main/java/org/gatein/common/xml/stax/navigator/StaxNavUtils.java 2013-02-26
01:51:57 UTC (rev 9181)
@@ -31,6 +31,8 @@
import org.staxnav.ValueType;
import javax.xml.namespace.QName;
+import javax.xml.stream.XMLInputFactory;
+
import java.io.InputStream;
import java.io.Reader;
import java.util.Arrays;
@@ -190,7 +192,9 @@
private static StaxNavBuilder buildDefaultNavigator()
{
- return new StaxNavBuilderImpl();
+ return new StaxNavBuilderImpl()
+ // Do not support external entities in XML documents.
+ .withProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
}
private StaxNavUtils() {}
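Review bot: Turning off IS_SUPPORTING_EXTERNAL_ENTITIES on L35 still leaves DTD processing enabled, so internal entity expansion (the recursive-entity denial-of-service class) and, depending on the parser, DTD-driven resolution remain reachable; if the navigator never needs DTDs, add `.withProperty(XMLInputFactory.SUPPORT_DTD, false)` next to the existing property. Whether StaxNavBuilderImpl forwards these properties to the underlying XMLInputFactory cannot be confirmed from this hunk, so a unit test that parses a document declaring an external entity and asserts it is not resolved would pin the fix. The comment on L34 could also state the reason in one line, e.g. `// Hardening: external entities and DTDs are not needed by any navigator client and must not be resolved.`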
Modified:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/pom.xml
===================================================================
---
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/pom.xml 2013-02-25
15:07:23 UTC (rev 9180)
+++
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/pom.xml 2013-02-26
01:51:57 UTC (rev 9181)
@@ -56,6 +56,11 @@
<artifactId>exo.kernel.container</artifactId>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>org.exoplatform.core</groupId>
+ <artifactId>exo.core.component.security.core</artifactId>
+ <scope>provided</scope>
+ </dependency>
<!-- GWT Dependencies -->
<dependency>
<groupId>com.google.gwt</groupId>
Added:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/java/org/gatein/management/gadget/mop/exportimport/server/IdentityFilter.java
===================================================================
---
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/java/org/gatein/management/gadget/mop/exportimport/server/IdentityFilter.java
(rev 0)
+++
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/java/org/gatein/management/gadget/mop/exportimport/server/IdentityFilter.java 2013-02-26
01:51:57 UTC (rev 9181)
@@ -0,0 +1,165 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+
+package org.gatein.management.gadget.mop.exportimport.server;
+
+import org.exoplatform.container.ExoContainer;
+import org.exoplatform.container.web.AbstractFilter;
+import org.exoplatform.services.security.ConversationRegistry;
+import org.exoplatform.services.security.ConversationState;
+import org.exoplatform.services.security.Identity;
+import org.exoplatform.services.security.StateKey;
+import org.exoplatform.services.security.web.HttpSessionStateKey;
+import org.gatein.common.logging.Logger;
+import org.gatein.common.logging.LoggerFactory;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.io.Writer;
+
+/**
+ * Identity filter which checks to see if an identity from the portal can be found before
processing request.
+ *
+ * @author <a href="mailto:nscavell@redhat.com">Nick Scavelli</a>
+ */
+public class IdentityFilter extends AbstractFilter implements Filter
+{
+
+ private static final Logger log = LoggerFactory.getLogger(IdentityFilter.class);
+
+ private String role;
+ private String group;
+ private String user;
+
+ @Override
+ protected void afterInit(FilterConfig config) throws ServletException
+ {
+ role = config.getInitParameter("role");
+ group = config.getInitParameter("group");
+ user = config.getInitParameter("user");
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain
chain) throws IOException, ServletException
+ {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+ HttpSession httpSession = httpRequest.getSession();
+ StateKey stateKey = new HttpSessionStateKey(httpSession);
+
+ ExoContainer container = getContainer();
+
+ ConversationRegistry conversationRegistry =
+ (ConversationRegistry)
container.getComponentInstanceOfType(ConversationRegistry.class);
+
+ ConversationState state = conversationRegistry.getState(stateKey);
+ if (state == null)
+ {
+ log.error("Conversation state not found. This typically means the GWT
Gadget application is either being access anonymously or from outside the portal.");
+ handleError(httpRequest, httpResponse, 401);
+ return;
+ }
+ Identity identity = state.getIdentity();
+ if (identity == null)
+ {
+ log.error("Identity not found from conversation state. This should not
happen. GWT Gadget will not process");
+ handleError(httpRequest, httpResponse, 401);
+ return;
+ }
+ ConversationState.setCurrent(state);
+
+ // Do not process if nothing was configured
+ if (role == null && group == null && user == null)
+ {
+ log.error("Neither role, group, or user was configured as part of
init-param of IdentityFilter for GWT Gadget application.");
+ handleError(httpRequest, httpResponse, 500);
+ return;
+ }
+
+ // Check roles
+ if (role != null)
+ {
+ for (String identityRole : identity.getRoles())
+ {
+ if (role.equals(identityRole))
+ {
+ chain.doFilter(request, response);
+ return;
+ }
+ }
+ }
+
+ // Check memberships
+ if (group != null)
+ {
+ if (identity.isMemberOf(group))
+ {
+ chain.doFilter(request, response);
+ return;
+ }
+ }
+
+ // Check user
+ if (user != null)
+ {
+ if (user.equals(identity.getUserId()))
+ {
+ chain.doFilter(request, response);
+ return;
+ }
+ }
+
+ log.error("GWT Gadget not authorized for user " + identity.getUserId() +
". Check the filter configuration for IdentityFilter in web.xml.");
+ handleError(httpRequest, httpResponse, 401);
+ }
+
+ @Override
+ public void destroy()
+ {
+ }
+
+ private void handleError(HttpServletRequest request, HttpServletResponse response, int
code) throws IOException
+ {
+ if (request.getServletPath().equals("/exportimport/upload"))
+ {
+ // Stupid GWT Upload can't properly handle a response.sendError...
+ response.setContentType("text/plain");
+ Writer writer = response.getWriter();
+ writer.write("<response><error>Resource not
available</error></response>");
+ writer.flush();
+ writer.close();
+ }
+ else
+ {
+ response.sendError(code);
+ }
+ }
+}
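Review bot: ConversationState.setCurrent(state) at L171 in doFilter is never cleared, so on a pooled container thread the state, presumably thread-local as elsewhere in exo.core, outlives the request and other code on that thread that consults ConversationState.getCurrent() may observe a stale identity. The three separate chain.doFilter calls also scatter the authorization decision; folding it into one `authorized` flag and running the chain inside a try/finally that resets the current state addresses both, assuming `setCurrent(null)` is the accepted way to clear it in this codebase. Separately, handleError's upload branch writes the error body without setting a status, so the client receives a 200 with an error payload — if the GWT upload client can cope with `response.setStatus(code)` before writing, set it. The error branches could also log the request path alongside the user id so that refused requests are traceable.
```java
      ConversationState.setCurrent(state);
      try
      {
         // … unchanged: "nothing configured" check returning 500 …

         boolean authorized = false;
         if (role != null)
         {
            for (String identityRole : identity.getRoles())
            {
               if (role.equals(identityRole))
               {
                  authorized = true;
                  break;
               }
            }
         }
         if (!authorized && group != null && identity.isMemberOf(group))
         {
            authorized = true;
         }
         if (!authorized && user != null && user.equals(identity.getUserId()))
         {
            authorized = true;
         }

         if (authorized)
         {
            chain.doFilter(request, response);
         }
         else
         {
            log.error("GWT Gadget not authorized for user " + identity.getUserId() + ". Check the filter configuration for IdentityFilter in web.xml.");
            handleError(httpRequest, httpResponse, 401);
         }
      }
      finally
      {
         // Clear the per-thread state so a pooled thread does not carry this identity into the next request.
         ConversationState.setCurrent(null);
      }
```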
Modified:
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/webapp/WEB-INF/web.xml
===================================================================
---
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/webapp/WEB-INF/web.xml 2013-02-25
15:07:23 UTC (rev 9180)
+++
epp/portal/branches/embargo/EPP_5_2_2_GA_BZ913125_BZ913584/gadgets/gwtGadgets/src/main/webapp/WEB-INF/web.xml 2013-02-26
01:51:57 UTC (rev 9181)
@@ -45,6 +45,32 @@
<param-value>50</param-value>
</context-param>
+ <!-- Important to ensure secure access to the gadget -->
+ <filter>
+ <filter-name>IdentityFilter</filter-name>
+
<filter-class>org.gatein.management.gadget.mop.exportimport.server.IdentityFilter</filter-class>
+ <!-- Allows users with the specific role to access the gadget -->
+ <init-param>
+ <param-name>role</param-name>
+ <param-value>administrators</param-value>
+ </init-param>
+ <!-- Uncomment to allow members of the following group access to gadget. -->
+ <!--<init-param>
+ <param-name>group</param-name>
+ <param-value>/platform/administrators</param-value>
+ </init-param>-->
+ <!-- Uncomment to allow a specific user access to gadget. -->
+ <!--<init-param>
+ <param-name>user</param-name>
+ <param-value>root</param-value>
+ </init-param>-->
+ </filter>
+
+ <filter-mapping>
+ <filter-name>IdentityFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
<!-- GateIn service servlet -->
<servlet>
<servlet-name>gtnService</servlet-name>
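Review bot: The filter-mapping at L278–L281 declares no `<dispatcher>` elements, so under the servlet default it applies to REQUEST dispatches only, and any FORWARD or INCLUDE to gadget resources inside this webapp would bypass IdentityFilter. Whether the gadget forwards internally cannot be seen from this hunk; if it can, add `<dispatcher>REQUEST</dispatcher>` and `<dispatcher>FORWARD</dispatcher>` (and INCLUDE) to the mapping. The comments at L261–L271 also leave implicit that role, group and user are alternatives — a match on any one grants access — so a comment such as `<!-- Access is granted if ANY of the configured role, group or user matches the caller. -->` above the init-params would stop a reader from treating them as cumulative restrictions.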