// Ch 6 Access Denied @RequestMapping(method = RequestMethod.GET, value = "/accessDenied.do") public void accessDenied(ModelMap model, HttpServletRequest request) { AccessDeniedException ex = (AccessDeniedException) request.getAttribute( AccessDeniedHandlerImpl.SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY); StringWriter sw = new StringWriter(); model.addAttribute("errorDetails", ex.getMessage()); ex.printStackTrace(new PrintWriter(sw)); model.addAttribute("errorTrace", sw.toString()); }
@Override public void decide( Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException { FilterInvocation fi = (FilterInvocation) object; authentication = fresh(authentication, fi.getRequest()); try { super.decide(authentication, object, configAttributes); } catch (AccessDeniedException ade) { throw new MyAccessDeniedException(ade.getMessage(), authentication, object, configAttributes); } }
@Test public void testEditWithoutPermission() throws Exception { log.debug("testing edit..."); request = newGet("/userform.html"); request.addParameter("id", "-1"); // regular user try { c.showForm(request, new MockHttpServletResponse()); fail("AccessDeniedException not thrown..."); } catch (AccessDeniedException ade) { assertNotNull(ade.getMessage()); } }
// Test fix to http://issues.appfuse.org/browse/APF-96 @Test public void testChangeToAdminRoleFromUserRole() throws Exception { UserManager userManager = makeInterceptedTarget(); User user = new User("user"); user.setId(1L); user.getRoles().add(new Role(Constants.ADMIN_ROLE)); try { userManager.saveUser(user); fail("AccessDeniedException not thrown"); } catch (AccessDeniedException expected) { assertNotNull(expected); assertEquals(expected.getMessage(), UserSecurityAdvice.ACCESS_DENIED); } }
@Test public void testAddUserWithoutAdminRole() throws Exception { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); assertTrue(auth.isAuthenticated()); UserManager userManager = makeInterceptedTarget(); User user = new User("admin"); user.setId(2L); try { userManager.saveUser(user); fail("AccessDeniedException not thrown"); } catch (AccessDeniedException expected) { assertNotNull(expected); Assert.assertEquals(expected.getMessage(), UserSecurityAdvice.ACCESS_DENIED); } }
public String save() throws Exception { user.setEnabled(true); // Set the default user role on this new user user.addRole(roleManager.getRole(Constants.USER_ROLE)); try { user = userManager.saveUser(user); } catch (AccessDeniedException ade) { // thrown by UserSecurityAdvice configured in aop:advisor userManagerSecurity log.warn(ade.getMessage()); getResponse().sendError(HttpServletResponse.SC_FORBIDDEN); return null; } catch (UserExistsException e) { addMessage("errors.existing.user", new Object[] {user.getUsername(), user.getEmail()}); // redisplay the unencrypted passwords user.setPassword(user.getConfirmPassword()); return null; } addMessage("user.registered"); getSession().setAttribute(Constants.REGISTERED, Boolean.TRUE); // log user in automatically UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken( user.getUsername(), user.getConfirmPassword(), user.getAuthorities()); auth.setDetails(user); SecurityContextHolder.getContext().setAuthentication(auth); // Send an account information e-mail message.setSubject(getText("signup.email.subject")); try { sendUserMessage(user, getText("signup.email.message"), RequestUtil.getAppURL(getRequest())); } catch (MailException me) { addError(me.getMostSpecificCause().getMessage()); return null; } return "mainMenu"; }
/** * If marshall unmarshall fails then return bad request. * * @param ex Caused exception. * @return Error message. */ @ExceptionHandler @ResponseStatus(HttpStatus.FORBIDDEN) @ResponseBody public ErrorElementType handleException(final AccessDeniedException ex) { LOGGER.info("Access denied. " + ex.getMessage()); ErrorElementType element = new ErrorElementType(); element.setErrorcode(BigInteger.valueOf(HttpStatus.FORBIDDEN.value())); element.setMessage( "User does not have access to the resource. Contact [email protected] for more information."); return element; }
@Override public Response toResponse(AccessDeniedException ex) { log.info("Access denied", ex); SystemMessage message = new SystemMessage(); message.setDescription("Sorry, access denied: " + ex.getLocalizedMessage()); message.setType(MessageType.error); return Response.status(Status.UNAUTHORIZED) .entity(message) .type(MediaType.APPLICATION_JSON) .build(); }
@ExceptionHandler(AccessDeniedException.class) @ResponseStatus(HttpStatus.FORBIDDEN) @ResponseBody public ErrorDTO processAccessDeniedExcpetion(AccessDeniedException e) { return new ErrorDTO(ErrorConstants.ERR_ACCESS_DENIED, e.getMessage()); }
@RequestMapping(method = RequestMethod.POST) public String onSubmit( final User user, final BindingResult errors, final HttpServletRequest request, final HttpServletResponse response) throws Exception { if (request.getParameter("cancel") != null) { return getCancelView(); } if (validator != null) { // validator is null during testing validator.validate(user, errors); if (StringUtils.isBlank(user.getPassword())) { errors.rejectValue( "password", "errors.required", new Object[] {getText("user.password", request.getLocale())}, "Password is a required field."); } if (errors.hasErrors()) { return "signup"; } } final Locale locale = request.getLocale(); user.setEnabled(true); // Set the default user role on this new user user.addRole(roleManager.getRole(Constants.USER_ROLE)); // unencrypted users password to log in user automatically final String password = user.getPassword(); try { this.getUserManager().saveUser(user); } catch (final AccessDeniedException ade) { // thrown by UserSecurityAdvice configured in aop:advisor userManagerSecurity log.warn(ade.getMessage()); response.sendError(HttpServletResponse.SC_FORBIDDEN); return null; } catch (final UserExistsException e) { errors.rejectValue( "username", "errors.existing.user", new Object[] {user.getUsername(), user.getEmail()}, "duplicate user"); return "signup"; } saveMessage(request, getText("user.registered", user.getUsername(), locale)); request.getSession().setAttribute(Constants.REGISTERED, Boolean.TRUE); // log user in automatically final UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken( user.getUsername(), password, user.getAuthorities()); auth.setDetails(user); SecurityContextHolder.getContext().setAuthentication(auth); // Send user an e-mail if (log.isDebugEnabled()) { log.debug("Sending user '" + user.getUsername() + "' an account information e-mail"); } // Send an account information e-mail message.setSubject(getText("signup.email.subject", locale)); try { sendUserMessage( user, getText("signup.email.message", locale), RequestUtil.getAppURL(request)); } catch (final MailException me) { saveError(request, me.getMostSpecificCause().getMessage()); } return getSuccessView(); }
@ExceptionHandler(AccessDeniedException.class) public String handleAccessException(AccessDeniedException ex) { ex.printStackTrace(); return "denied"; }
@RequestMapping(method = RequestMethod.POST) public String onSubmit( User user, BindingResult errors, HttpServletRequest request, HttpServletResponse response) throws Exception { if (request.getParameter("cancel") != null) { if (!StringUtils.equals(request.getParameter("from"), "list")) { return getCancelView(); } else { return getSuccessView(); } } if (validator != null) { // validator is null during testing validator.validate(user, errors); if (errors.hasErrors() && request.getParameter("delete") == null) { // don't validate when deleting return "userform"; } } log.info(request.getRemoteUser() + " is modifying user := "******"delete") != null) { getUserManager().removeUser(user.getId().toString()); saveMessage(request, getText("user.deleted", user.getUsername(), locale)); return getSuccessView(); } else { // only attempt to change roles if user is admin for other users, // showForm() method will handle populating if (request.isUserInRole(Constants.ADMIN_ROLE)) { String[] userRoles = request.getParameterValues("userRoles"); if (userRoles != null) { user.getRoles().clear(); for (String roleName : userRoles) { user.addRole(roleManager.getRole(roleName)); } } } else { // if user is not an admin then load roles from the database // (or any other user properties that should not be editable // by users without admin role) User cleanUser = getUserManager().getUserByUsername(request.getRemoteUser()); user.setRoles(cleanUser.getRoles()); } Integer originalVersion = user.getVersion(); try { getUserManager().saveUser(user); } catch (AccessDeniedException ade) { // thrown by UserSecurityAdvice configured in aop:advisor userManagerSecurity log.warn(ade.getMessage()); response.sendError(HttpServletResponse.SC_FORBIDDEN); return null; } catch (UserExistsException e) { errors.rejectValue( "username", "errors.existing.user", new Object[] {user.getUsername(), user.getEmail()}, "duplicate user"); // redisplay the unencrypted passwords user.setPassword(user.getConfirmPassword()); // reset the version # to what was passed in user.setVersion(originalVersion); return "userform"; } if (!StringUtils.equals(request.getParameter("from"), "list")) { saveMessage(request, getText("user.saved", user.getUsername(), locale)); // return to main Menu return getCancelView(); } else { if (StringUtils.isBlank(request.getParameter("version"))) { saveMessage(request, getText("user.added", user.getUsername(), locale)); // // Send an account information e-mail // message.setSubject(getText("signup.email.subject", // locale)); // // try { // sendUserMessage(user, getText("newuser.email.message", // user.getUsername(), locale), // RequestUtil.getAppURL(request)); // } catch (MailException me) { // saveError(request, me.getCause().getLocalizedMessage()); // } return getSuccessView(); } else { saveMessage(request, getText("user.updated.byAdmin", user.getUsername(), locale)); } } } return "userform"; }
@RequestMapping(method = RequestMethod.POST) public String onSubmit( User user, BindingResult errors, HttpServletRequest request, HttpServletResponse response) throws Exception { if (request.getParameter("cancel") != null) { if (!StringUtils.equals(request.getParameter("from"), "list")) { return getCancelView(); } else { return getSuccessView(); } } if (validator != null) { // validator is null during testing validator.validate(user, errors); if (errors.hasErrors() && request.getParameter("delete") == null) { // don't validate when deleting return "/userform"; } } log.debug("entering 'onSubmit' method..."); Locale locale = request.getLocale(); if (request.getParameter("delete") != null) { getUserManager().removeUser(user.getId().toString()); saveMessage(request, getText("user.deleted", user.getFullName(), locale)); return getSuccessView(); } else { // only attempt to change roles if user is admin for other users, // showForm() method will handle populating if (request.isUserInRole(Constants.ADMIN_ROLE)) { String[] userRoles = request.getParameterValues("userRoles"); if (userRoles != null) { user.getRoles().clear(); for (String roleName : userRoles) { user.addRole(roleManager.getRole(roleName)); } } } Integer originalVersion = user.getVersion(); try { User userx = roleManager.getUserByUsername(user.getUsername()); if (userx != null) { if (!userx.getPassword().equals(user.getPassword())) { user.setPassword(AeSimpleSHA1.SHA1(user.getPassword())); } } else { user.setPassword(AeSimpleSHA1.SHA1(user.getPassword())); } // user.setOriginalPassword(user.getOriginalPassword());//new // String pass = AeSimpleSHA1.SHA1(user.getOriginalPassword()); //new // user.setPassword(pass);//new getUserManager().saveUser(user); } catch (AccessDeniedException ade) { // thrown by UserSecurityAdvice configured in aop:advisor userManagerSecurity log.warn(ade.getMessage()); response.sendError(HttpServletResponse.SC_FORBIDDEN); return null; } catch (UserExistsException e) { errors.rejectValue( "username", "errors.existing.user", new Object[] {user.getUsername(), user.getEmail()}, "duplicate user"); // reset the version # to what was passed in user.setVersion(originalVersion); return "/userform"; } if (!StringUtils.equals(request.getParameter("from"), "list")) { saveMessage(request, getText("user.saved", user.getFullName(), locale)); // return to main Menu return getCancelView(); } else { if (StringUtils.isBlank(request.getParameter("version"))) { saveMessage(request, getText("user.added", user.getFullName(), locale)); // Send an account information e-mail // Aun no podemos enviar correos :( // message.setSubject(getText("signup.email.subject", locale)); // try { // sendUserMessage(user, getText("newuser.email.message", // user.getFullName(), locale), // RequestUtil.getAppURL(request)); // } catch (MailException me) { // saveError(request, me.getCause().getLocalizedMessage()); // } return getSuccessView(); } else { saveMessage(request, getText("user.updated.byAdmin", user.getFullName(), locale)); } } } return getSuccessView(); }
@Override public Response toResponse(AccessDeniedException e) { LOGGER.debug("Spring security threw a " + e.getClass().getName(), e); throw new MappableContainerException(e); }
/** * Gets the content and defers to registered viewers to generate the markup. * * @param request servlet request * @param response servlet response * @throws ServletException if a servlet-specific error occurs * @throws IOException if an I/O error occurs */ @Override protected void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { // specify the charset in a response header response.addHeader("Content-Type", "text/html; charset=UTF-8"); // get the content final ServletContext servletContext = request.getServletContext(); final ContentAccess contentAccess = (ContentAccess) servletContext.getAttribute("nifi-content-access"); final ContentRequestContext contentRequest = getContentRequest(request); if (contentRequest.getDataUri() == null) { request.setAttribute("title", "Error"); request.setAttribute("messages", "The data reference must be specified."); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } // get the content final DownloadableContent downloadableContent; try { downloadableContent = contentAccess.getContent(contentRequest); } catch (final ResourceNotFoundException rnfe) { request.setAttribute("title", "Error"); request.setAttribute("messages", "Unable to find the specified content"); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } catch (final AccessDeniedException ade) { request.setAttribute("title", "Acess Denied"); request.setAttribute( "messages", "Unable to approve access to the specified content: " + ade.getMessage()); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } catch (final Exception e) { request.setAttribute("title", "Error"); request.setAttribute("messages", "An unexcepted error has occurred: " + e.getMessage()); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } // determine how we want to view the data String mode = request.getParameter("mode"); // if the name isn't set, use original if (mode == null) { mode = DisplayMode.Original.name(); } // determine the display mode final DisplayMode displayMode; try { displayMode = DisplayMode.valueOf(mode); } catch (final IllegalArgumentException iae) { request.setAttribute("title", "Error"); request.setAttribute("messages", "Invalid display mode: " + mode); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } // buffer the content to support reseting in case we need to detect the content type or char // encoding try (final BufferedInputStream bis = new BufferedInputStream(downloadableContent.getContent()); ) { final String mimeType; // when standalone and we don't know the type is null as we were able to directly access the // content bypassing the rest endpoint, // when clustered and we don't know the type set to octet stream since the content was // retrieved from the node's rest endpoint if (downloadableContent.getType() == null || downloadableContent.getType().equals(MediaType.OCTET_STREAM.toString())) { // attempt to detect the content stream if we don't know what it is () final DefaultDetector detector = new DefaultDetector(); // create the stream for tika to process, buffered to support reseting final TikaInputStream tikaStream = TikaInputStream.get(bis); // provide a hint based on the filename final Metadata metadata = new Metadata(); metadata.set(Metadata.RESOURCE_NAME_KEY, downloadableContent.getFilename()); // Get mime type final MediaType mediatype = detector.detect(tikaStream, metadata); mimeType = mediatype.toString(); } else { mimeType = downloadableContent.getType(); } // add attributes needed for the header request.setAttribute("filename", downloadableContent.getFilename()); request.setAttribute("contentType", mimeType); // generate the header request.getRequestDispatcher("/WEB-INF/jsp/header.jsp").include(request, response); // remove the attributes needed for the header request.removeAttribute("filename"); request.removeAttribute("contentType"); // generate the markup for the content based on the display mode if (DisplayMode.Hex.equals(displayMode)) { final byte[] buffer = new byte[BUFFER_LENGTH]; final int read = StreamUtils.fillBuffer(bis, buffer, false); // trim the byte array if necessary byte[] bytes = buffer; if (read != buffer.length) { bytes = new byte[read]; System.arraycopy(buffer, 0, bytes, 0, read); } // convert bytes into the base 64 bytes final String base64 = Base64.encodeBase64String(bytes); // defer to the jsp request.setAttribute("content", base64); request.getRequestDispatcher("/WEB-INF/jsp/hexview.jsp").include(request, response); } else { // lookup a viewer for the content final String contentViewerUri = servletContext.getInitParameter(mimeType); // handle no viewer for content type if (contentViewerUri == null) { request.getRequestDispatcher("/WEB-INF/jsp/no-viewer.jsp").include(request, response); } else { // create a request attribute for accessing the content request.setAttribute( ViewableContent.CONTENT_REQUEST_ATTRIBUTE, new ViewableContent() { @Override public InputStream getContentStream() { return bis; } @Override public String getContent() throws IOException { // detect the charset final CharsetDetector detector = new CharsetDetector(); detector.setText(bis); detector.enableInputFilter(true); final CharsetMatch match = detector.detect(); // ensure we were able to detect the charset if (match == null) { throw new IOException("Unable to detect character encoding."); } // convert the stream using the detected charset return IOUtils.toString(bis, match.getName()); } @Override public ViewableContent.DisplayMode getDisplayMode() { return displayMode; } @Override public String getFileName() { return downloadableContent.getFilename(); } @Override public String getContentType() { return mimeType; } }); try { // generate the content final ServletContext viewerContext = servletContext.getContext(contentViewerUri); viewerContext.getRequestDispatcher("/view-content").include(request, response); } catch (final Exception e) { String message = e.getMessage() != null ? e.getMessage() : e.toString(); message = "Unable to generate view of data: " + message; // log the error logger.error(message); if (logger.isDebugEnabled()) { logger.error(StringUtils.EMPTY, e); } // populate the request attributes request.setAttribute("title", "Error"); request.setAttribute("messages", message); // forward to the error page final ServletContext viewerContext = servletContext.getContext("/nifi"); viewerContext.getRequestDispatcher("/message").forward(request, response); return; } // remove the request attribute request.removeAttribute(ViewableContent.CONTENT_REQUEST_ATTRIBUTE); } } // generate footer request.getRequestDispatcher("/WEB-INF/jsp/footer.jsp").include(request, response); } }