fix bug with enabled anonymous access

2025-11-08 22:45:45 +01:00 · 2010-12-31 14:58:11 +01:00
parent b5acab0782
commit c1a3d4268a
6 changed files with 176 additions and 71 deletions
--- a/scm-core/src/main/java/sonia/scm/SCMContext.java
+++ b/scm-core/src/main/java/sonia/scm/SCMContext.java
@@ -47,6 +47,9 @@ public class SCMContext
  /** Field description */
  public static final String DEFAULT_PACKAGE = "sonia.scm";

+  /** Field description */
+  public static final String USER_ANONYMOUS = "anonymous";
+
  /** Field description */
  private static volatile SCMContextProvider provider;

--- a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
@@ -0,0 +1,74 @@
+/**
+ * Copyright (c) 2010, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.util;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+public class HttpUtil
+{
+
+  /** Field description */
+  public static final String AUTHENTICATION_REALM = "SONIA :: SCM Manager";
+
+  /** Field description */
+  public static final String HEADERVALUE_CONNECTION_CLOSE = "close";
+
+  /** Field description */
+  public static final String HEADER_CONNECTION = "connection";
+
+  /** Field description */
+  public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
+
+  //~--- methods --------------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param response
+   */
+  public static void sendUnauthorized(HttpServletResponse response)
+  {
+    response.setHeader(HEADER_WWW_AUTHENTICATE,
+                       "Basic realm=\"" + AUTHENTICATION_REALM + "\"");
+    response.setHeader(HEADER_CONNECTION, HEADERVALUE_CONNECTION_CLOSE);
+    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+  }
+}
--- a/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
@@ -29,6 +29,8 @@
 *
 */

+
+
 package sonia.scm.web.filter;

 //~--- non-JDK imports --------------------------------------------------------
@@ -38,6 +40,8 @@ import com.google.inject.Provider;
 import com.google.inject.Singleton;

 import sonia.scm.user.User;
+import sonia.scm.util.AssertUtil;
+import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.security.WebSecurityContext;

@@ -60,27 +64,15 @@ import javax.servlet.http.HttpServletResponse;
 public class BasicAuthenticationFilter extends HttpFilter
 {

-  /** Field description */
-  public static final String AUTHENTICATION_REALM = "SONIA :: SCM Manager";
-
  /** Field description */
  public static final String AUTHORIZATION_BASIC_PREFIX = "BASIC";

  /** Field description */
  public static final String CREDENTIAL_SEPARATOR = ":";

-  /** Field description */
-  public static final String HEADERVALUE_CONNECTION_CLOSE = "close";
-
  /** Field description */
  public static final String HEADER_AUTHORIZATION = "Authorization";

-  /** Field description */
-  public static final String HEADER_CONNECTION = "connection";
-
-  /** Field description */
-  public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
-
  //~--- constructors ---------------------------------------------------------

  /**
@@ -115,50 +107,34 @@ public class BasicAuthenticationFilter extends HttpFilter
          throws IOException, ServletException
  {
    WebSecurityContext securityContext = securityContextProvider.get();
-    User user = null;

-    if (securityContext != null)
-    {
-      if (!securityContext.isAuthenticated())
-      {
+    AssertUtil.assertIsNotNull(securityContext);
+
+    User user = null;
    String authentication = request.getHeader(HEADER_AUTHORIZATION);

-        if (Util.isEmpty(authentication))
+    if (Util.isNotEmpty(authentication))
    {
-          sendUnauthorized(response);
-        }
-        else
-        {
-          if (!authentication.toUpperCase().startsWith(
-                  AUTHORIZATION_BASIC_PREFIX))
+      if (!authentication.toUpperCase().startsWith(AUTHORIZATION_BASIC_PREFIX))
      {
        throw new ServletException("wrong basic header");
      }

-          String token = authentication.substring(6);
-
-          token = new String(Base64.decode(token.getBytes()));
-
-          String[] credentials = token.split(CREDENTIAL_SEPARATOR);
-
-          user = securityContext.authenticate(request, response,
-                  credentials[0], credentials[1]);
+      user = authenticate(request, response, securityContext, authentication);
    }
-      }
-      else
+    else if (securityContext.isAuthenticated())
    {
      user = securityContext.getUser();
    }
-    }

-    if (user != null)
+    if (user == null)
    {
-      chain.doFilter(new SecurityHttpServletRequestWrapper(request, user),
-                     response);
+      HttpUtil.sendUnauthorized(response);
    }
    else
    {
-      sendUnauthorized(response);
+      chain.doFilter(new SecurityHttpServletRequestWrapper(request, user),
+                     response);
    }
  }

@@ -166,14 +142,26 @@ public class BasicAuthenticationFilter extends HttpFilter
   * Method description
   *
   *
+   * @param request
   * @param response
+   * @param securityContext
+   * @param authentication
+   *
+   * @return
   */
-  private void sendUnauthorized(HttpServletResponse response)
+  private User authenticate(HttpServletRequest request,
+                            HttpServletResponse response,
+                            WebSecurityContext securityContext,
+                            String authentication)
  {
-    response.setHeader(HEADER_WWW_AUTHENTICATE,
-                       "Basic realm=\"" + AUTHENTICATION_REALM + "\"");
-    response.setHeader(HEADER_CONNECTION, HEADERVALUE_CONNECTION_CLOSE);
-    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+    String token = authentication.substring(6);
+
+    token = new String(Base64.decode(token.getBytes()));
+
+    String[] credentials = token.split(CREDENTIAL_SEPARATOR);
+
+    return securityContext.authenticate(request, response, credentials[0],
+            credentials[1]);
  }

  //~--- fields ---------------------------------------------------------------
--- a/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java
@@ -40,11 +40,14 @@ import com.google.inject.Provider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import sonia.scm.SCMContext;
 import sonia.scm.repository.PermissionType;
 import sonia.scm.repository.PermissionUtil;
 import sonia.scm.repository.Repository;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.user.User;
 import sonia.scm.util.AssertUtil;
+import sonia.scm.util.HttpUtil;
 import sonia.scm.web.security.WebSecurityContext;

 //~--- JDK imports ------------------------------------------------------------
@@ -127,6 +130,8 @@ public abstract class PermissionFilter extends HttpFilter
    User user = securityContext.getUser();

    if (user != null)
+    {
+      try
      {
        Repository repository = getRepository(request);

@@ -134,7 +139,8 @@ public abstract class PermissionFilter extends HttpFilter
        {
          boolean writeRequest = isWriteRequest(request);

-        if (PermissionUtil.hasPermission(repository, securityContext.getUser(),
+          if (PermissionUtil.hasPermission(repository,
+                                           securityContext.getUser(),
                                           writeRequest
                                           ? PermissionType.WRITE
                                           : PermissionType.READ))
@@ -152,7 +158,7 @@ public abstract class PermissionFilter extends HttpFilter
                                         user.getName() });
            }

-          response.sendError(HttpServletResponse.SC_FORBIDDEN);
+            sendAccessDenied(response, user);
          }
        }
        else
@@ -165,6 +171,16 @@ public abstract class PermissionFilter extends HttpFilter
          response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
      }
+      catch (ScmSecurityException ex)
+      {
+        if (logger.isWarnEnabled())
+        {
+          logger.warn("user {} has not enough permissions", user.getName());
+        }
+
+        sendAccessDenied(response, user);
+      }
+    }
    else
    {
      if (logger.isDebugEnabled())
@@ -176,6 +192,28 @@ public abstract class PermissionFilter extends HttpFilter
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param response
+   * @param user
+   *
+   * @throws IOException
+   */
+  private void sendAccessDenied(HttpServletResponse response, User user)
+          throws IOException
+  {
+    if (SCMContext.USER_ANONYMOUS.equals(user.getName()))
+    {
+      HttpUtil.sendUnauthorized(response);
+    }
+    else
+    {
+      response.sendError(HttpServletResponse.SC_FORBIDDEN);
+    }
+  }
+
  //~--- fields ---------------------------------------------------------------

  /** Field description */
--- a/scm-webapp/src/main/java/sonia/scm/repository/xml/XmlRepositoryManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/repository/xml/XmlRepositoryManager.java
@@ -55,6 +55,7 @@ import sonia.scm.repository.RepositoryAllreadyExistExeption;
 import sonia.scm.repository.RepositoryException;
 import sonia.scm.repository.RepositoryHandler;
 import sonia.scm.repository.RepositoryHandlerNotFoundException;
+import sonia.scm.security.ScmSecurityException;
 import sonia.scm.security.SecurityContext;
 import sonia.scm.store.Store;
 import sonia.scm.store.StoreFactory;
@@ -358,7 +359,7 @@ public class XmlRepositoryManager extends AbstractRepositoryManager
      }
      else
      {
-        repository = null;
+        throw new ScmSecurityException("not enaugh permissions");
      }
    }

--- a/scm-webapp/src/main/java/sonia/scm/user/xml/XmlUserManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/user/xml/XmlUserManager.java
@@ -370,6 +370,7 @@ public class XmlUserManager extends AbstractUserManager
    {
      User user = (User) unmarshaller.unmarshal(input);

+      user.setCreationDate(System.currentTimeMillis());
      userDB.add(user);
      storeDB();
    }