Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-08 22:45:45 +01:00
Code Issues Packages Projects Releases Activity

fix bug with enabled anonymous access

Browse Source
This commit is contained in:
Sebastian Sdorra
2010-12-31 14:58:11 +01:00
parent b5acab0782
commit c1a3d4268a
6 changed files with 176 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
scm-core/src/main/java/sonia/scm/SCMContext.java
View File

@@ -47,6 +47,9 @@ public class SCMContext
/** Field description */ /** Field description */
public static final String DEFAULT_PACKAGE = "sonia.scm"; public static final String DEFAULT_PACKAGE = "sonia.scm";
/** Field description */
public static final String USER_ANONYMOUS = "anonymous";
/** Field description */ /** Field description */
private static volatile SCMContextProvider provider; private static volatile SCMContextProvider provider;

74
scm-core/src/main/java/sonia/scm/util/HttpUtil.java Normal file
View File

@@ -0,0 +1,74 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.util;
//~--- JDK imports ------------------------------------------------------------
import javax.servlet.http.HttpServletResponse;
/**
*
* @author Sebastian Sdorra
*/
public class HttpUtil
{
/** Field description */
public static final String AUTHENTICATION_REALM = "SONIA :: SCM Manager";
/** Field description */
public static final String HEADERVALUE_CONNECTION_CLOSE = "close";
/** Field description */
public static final String HEADER_CONNECTION = "connection";
/** Field description */
public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param response
*/
public static void sendUnauthorized(HttpServletResponse response)
{
response.setHeader(HEADER_WWW_AUTHENTICATE,
"Basic realm=\"" + AUTHENTICATION_REALM + "\"");
response.setHeader(HEADER_CONNECTION, HEADERVALUE_CONNECTION_CLOSE);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
}

88
scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
View File

@@ -29,6 +29,8 @@
* *
*/ */
package sonia.scm.web.filter; package sonia.scm.web.filter;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
@@ -38,6 +40,8 @@ import com.google.inject.Provider;
import com.google.inject.Singleton; import com.google.inject.Singleton;
import sonia.scm.user.User; import sonia.scm.user.User;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util; import sonia.scm.util.Util;
import sonia.scm.web.security.WebSecurityContext; import sonia.scm.web.security.WebSecurityContext;
@@ -60,27 +64,15 @@ import javax.servlet.http.HttpServletResponse;
public class BasicAuthenticationFilter extends HttpFilter public class BasicAuthenticationFilter extends HttpFilter
{ {
/** Field description */
public static final String AUTHENTICATION_REALM = "SONIA :: SCM Manager";
/** Field description */ /** Field description */
public static final String AUTHORIZATION_BASIC_PREFIX = "BASIC"; public static final String AUTHORIZATION_BASIC_PREFIX = "BASIC";
/** Field description */ /** Field description */
public static final String CREDENTIAL_SEPARATOR = ":"; public static final String CREDENTIAL_SEPARATOR = ":";
/** Field description */
public static final String HEADERVALUE_CONNECTION_CLOSE = "close";
/** Field description */ /** Field description */
public static final String HEADER_AUTHORIZATION = "Authorization"; public static final String HEADER_AUTHORIZATION = "Authorization";
/** Field description */
public static final String HEADER_CONNECTION = "connection";
/** Field description */
public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
//~--- constructors --------------------------------------------------------- //~--- constructors ---------------------------------------------------------
/** /**
@@ -115,50 +107,34 @@ public class BasicAuthenticationFilter extends HttpFilter
throws IOException, ServletException throws IOException, ServletException
{ {
WebSecurityContext securityContext = securityContextProvider.get(); WebSecurityContext securityContext = securityContextProvider.get();
AssertUtil.assertIsNotNull(securityContext);
User user = null; User user = null;
String authentication = request.getHeader(HEADER_AUTHORIZATION);
if (securityContext != null) if (Util.isNotEmpty(authentication))
{ {
if (!securityContext.isAuthenticated()) if (!authentication.toUpperCase().startsWith(AUTHORIZATION_BASIC_PREFIX))
{ {
String authentication = request.getHeader(HEADER_AUTHORIZATION); throw new ServletException("wrong basic header");
if (Util.isEmpty(authentication))
{
sendUnauthorized(response);
}
else
{
if (!authentication.toUpperCase().startsWith(
AUTHORIZATION_BASIC_PREFIX))
{
throw new ServletException("wrong basic header");
}
String token = authentication.substring(6);
token = new String(Base64.decode(token.getBytes()));
String[] credentials = token.split(CREDENTIAL_SEPARATOR);
user = securityContext.authenticate(request, response,
credentials[0], credentials[1]);
}
}
else
{
user = securityContext.getUser();
} }
user = authenticate(request, response, securityContext, authentication);
}
else if (securityContext.isAuthenticated())
{
user = securityContext.getUser();
} }
if (user != null) if (user == null)
{ {
chain.doFilter(new SecurityHttpServletRequestWrapper(request, user), HttpUtil.sendUnauthorized(response);
response);
} }
else else
{ {
sendUnauthorized(response); chain.doFilter(new SecurityHttpServletRequestWrapper(request, user),
response);
} }
} }
@@ -166,14 +142,26 @@ public class BasicAuthenticationFilter extends HttpFilter
* Method description * Method description
* *
* *
* @param request
* @param response * @param response
* @param securityContext
* @param authentication
*
* @return
*/ */
private void sendUnauthorized(HttpServletResponse response) private User authenticate(HttpServletRequest request,
HttpServletResponse response,
WebSecurityContext securityContext,
String authentication)
{ {
response.setHeader(HEADER_WWW_AUTHENTICATE, String token = authentication.substring(6);
"Basic realm=\"" + AUTHENTICATION_REALM + "\"");
response.setHeader(HEADER_CONNECTION, HEADERVALUE_CONNECTION_CLOSE); token = new String(Base64.decode(token.getBytes()));
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
String[] credentials = token.split(CREDENTIAL_SEPARATOR);
return securityContext.authenticate(request, response, credentials[0],
credentials[1]);
} }
//~--- fields --------------------------------------------------------------- //~--- fields ---------------------------------------------------------------

78
scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java
View File

@@ -40,11 +40,14 @@ import com.google.inject.Provider;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import sonia.scm.SCMContext;
import sonia.scm.repository.PermissionType; import sonia.scm.repository.PermissionType;
import sonia.scm.repository.PermissionUtil; import sonia.scm.repository.PermissionUtil;
import sonia.scm.repository.Repository; import sonia.scm.repository.Repository;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.user.User; import sonia.scm.user.User;
import sonia.scm.util.AssertUtil; import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.web.security.WebSecurityContext; import sonia.scm.web.security.WebSecurityContext;
//~--- JDK imports ------------------------------------------------------------ //~--- JDK imports ------------------------------------------------------------
@@ -128,41 +131,54 @@ public abstract class PermissionFilter extends HttpFilter
if (user != null) if (user != null)
{ {
Repository repository = getRepository(request); try
if (repository != null)
{ {
boolean writeRequest = isWriteRequest(request); Repository repository = getRepository(request);
if (PermissionUtil.hasPermission(repository, securityContext.getUser(), if (repository != null)
writeRequest
? PermissionType.WRITE
: PermissionType.READ))
{ {
chain.doFilter(request, response); boolean writeRequest = isWriteRequest(request);
if (PermissionUtil.hasPermission(repository,
securityContext.getUser(),
writeRequest
? PermissionType.WRITE
: PermissionType.READ))
{
chain.doFilter(request, response);
}
else
{
if (logger.isInfoEnabled())
{
logger.info("{} access to repostitory {} for user {} denied",
new Object[] { writeRequest
? "write"
: "read", repository.getName(),
user.getName() });
}
sendAccessDenied(response, user);
}
} }
else else
{ {
if (logger.isInfoEnabled()) if (logger.isDebugEnabled())
{ {
logger.info("{} access to repostitory {} for user {} denied", logger.debug("repository not found");
new Object[] { writeRequest
? "write"
: "read", repository.getName(),
user.getName() });
} }
response.sendError(HttpServletResponse.SC_FORBIDDEN); response.sendError(HttpServletResponse.SC_NOT_FOUND);
} }
} }
else catch (ScmSecurityException ex)
{ {
if (logger.isDebugEnabled()) if (logger.isWarnEnabled())
{ {
logger.debug("repository not found"); logger.warn("user {} has not enough permissions", user.getName());
} }
response.sendError(HttpServletResponse.SC_NOT_FOUND); sendAccessDenied(response, user);
} }
} }
else else
@@ -176,6 +192,28 @@ public abstract class PermissionFilter extends HttpFilter
} }
} }
/**
* Method description
*
*
* @param response
* @param user
*
* @throws IOException
*/
private void sendAccessDenied(HttpServletResponse response, User user)
throws IOException
{
if (SCMContext.USER_ANONYMOUS.equals(user.getName()))
{
HttpUtil.sendUnauthorized(response);
}
else
{
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
}
//~--- fields --------------------------------------------------------------- //~--- fields ---------------------------------------------------------------
/** Field description */ /** Field description */

3
scm-webapp/src/main/java/sonia/scm/repository/xml/XmlRepositoryManager.java
View File

@@ -55,6 +55,7 @@ import sonia.scm.repository.RepositoryAllreadyExistExeption;
import sonia.scm.repository.RepositoryException; import sonia.scm.repository.RepositoryException;
import sonia.scm.repository.RepositoryHandler; import sonia.scm.repository.RepositoryHandler;
import sonia.scm.repository.RepositoryHandlerNotFoundException; import sonia.scm.repository.RepositoryHandlerNotFoundException;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.security.SecurityContext; import sonia.scm.security.SecurityContext;
import sonia.scm.store.Store; import sonia.scm.store.Store;
import sonia.scm.store.StoreFactory; import sonia.scm.store.StoreFactory;
@@ -358,7 +359,7 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
} }
else else
{ {
repository = null; throw new ScmSecurityException("not enaugh permissions");
} }
} }

1
scm-webapp/src/main/java/sonia/scm/user/xml/XmlUserManager.java
View File

@@ -370,6 +370,7 @@ public class XmlUserManager extends AbstractUserManager
{ {
User user = (User) unmarshaller.unmarshal(input); User user = (User) unmarshaller.unmarshal(input);
user.setCreationDate(System.currentTimeMillis());
userDB.add(user); userDB.add(user);
storeDB(); storeDB();
} }