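/**
 * Retrieves the AuthorizationInfo for the given principals (the CAS previously authenticated
 * user: id + attributes).
 *
 * <p>Roles and permissions are merged from two sources: the local user store, looked up by the
 * primary principal (the user name), and the CAS attributes whose names are listed in
 * {@code roleAttributeNames} / {@code permissionAttributeNames}. The attribute values are taken
 * as trusted input — they are expected to come from the validated CAS assertion and are not
 * re-validated here — so whoever controls attribute release at the CAS server controls the
 * roles granted by this path.
 *
 * @param principals the primary identifying principals of the AuthorizationInfo that should be
 *     retrieved; per this realm's contract the primary principal is the user name and the
 *     second entry is the CAS attribute map
 * @return the AuthorizationInfo associated with these principals
 * @throws IllegalStateException if the user is unknown to the local repository or the principal
 *     collection carries no attribute map; both cases fail closed with an explicit message
 *     instead of a NullPointerException / IndexOutOfBoundsException
 */
@Override
@SuppressWarnings("unchecked")
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // retrieve user information
    SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
    String userName = (String) principalCollection.getPrimaryPrincipal();
    User user = getUserRepository().getByName(userName);
    if (user == null) {
        // Deny explicitly rather than dereferencing null. (A Shiro AuthorizationException
        // would be the idiomatic type if it is imported in this file.)
        throw new IllegalStateException("No local user found for principal: " + userName);
    }
    Set<String> roles = user.getRolesName();
    Set<String> permissions = user.getPermissions();

    // Per the class contract the CAS attribute map is stored as the second principal.
    List<Object> listPrincipals = principalCollection.asList();
    if (listPrincipals.size() < 2 || !(listPrincipals.get(1) instanceof Map)) {
        throw new IllegalStateException(
                "Principal collection carries no CAS attribute map for: " + userName);
    }
    Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1);

    // create simple authorization info
    SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();

    // roles and permissions stored on the local user
    simpleAuthorizationInfo.addRoles(roles);
    simpleAuthorizationInfo.addStringPermissions(permissions);

    // roles released by CAS as attributes (split() is relied on to tolerate a missing value)
    List<String> attributeNames = split(roleAttributeNames);
    for (String attributeName : attributeNames) {
        String value = attributes.get(attributeName);
        addRoles(simpleAuthorizationInfo, split(value));
    }

    // permissions released by CAS as attributes
    attributeNames = split(permissionAttributeNames);
    for (String attributeName : attributeNames) {
        String value = attributes.get(attributeName);
        addPermissions(simpleAuthorizationInfo, split(value));
    }

    return simpleAuthorizationInfo;
}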
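/**
 * Builds the AuthorizationInfo for a CAS-authenticated subject from the configured defaults
 * and from the CAS attributes named by the role / permission attribute settings.
 *
 * <p>A CAS attribute may be released either as a single String or as a Collection of Strings;
 * both forms are accepted and every entry is further split by {@code split()}. The subject
 * additionally receives {@code Roles.ADMINISTRATOR} when one of its resolved roles equals the
 * configured administrator role, so that role name is effectively an admin credential released
 * by the CAS server — it is trusted, not re-validated, here.
 *
 * @param principals the authenticated principals; per this realm's contract the second entry
 *     is the CAS attribute map
 * @return the roles and permissions granted to the subject
 */
@Override
@SuppressWarnings("unchecked")
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    logger.trace("resolve authorization info");

    // retrieve user information: the CAS attribute map is the second principal
    SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
    List<Object> listPrincipals = principalCollection.asList();
    // Declared with Object values: the original Map<String, String> type was not honest, since
    // the loops below handle Collection-valued attributes.
    Map<String, Object> attributes = (Map<String, Object>) listPrincipals.get(1);

    SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();

    // configured defaults
    addRoles(simpleAuthorizationInfo, split(getDefaultRoles()));
    addPermissions(simpleAuthorizationInfo, split(getDefaultPermissions()));

    // roles from attributes
    for (String attributeName : split(getRoleAttributeNames())) {
        for (Object entry : asCollection(attributes.get(attributeName))) {
            addRoles(simpleAuthorizationInfo, split((String) entry));
        }
    }

    // permissions from attributes
    for (String attributeName : split(getPermissionAttributeNames())) {
        for (Object entry : asCollection(attributes.get(attributeName))) {
            addPermissions(simpleAuthorizationInfo, split((String) entry));
        }
    }

    // map the configured administrator role onto the application's own admin role
    if (simpleAuthorizationInfo.getRoles() != null
            && simpleAuthorizationInfo.getRoles().contains(configuration.getAdministratorRole())) {
        simpleAuthorizationInfo.addRole(Roles.ADMINISTRATOR);
    }
    return simpleAuthorizationInfo;
}

/**
 * Normalises a CAS attribute value so callers can iterate it uniformly.
 *
 * @param value the raw attribute value: a Collection, a single value, or null
 * @return the Collection itself, or a one-element list holding the single value (which may be
 *     null, preserving the original behaviour of passing null on to {@code split()})
 */
private static Collection<?> asCollection(Object value) {
    if (value instanceof Collection<?>) {
        return (Collection<?>) value;
    }
    return java.util.Collections.singletonList(value);
}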
/**
 * Turns an already-resolved {@link User} principal into Shiro authentication info, rejecting
 * missing, inactive and locked accounts in that order.
 *
 * <p>NOTE(review): the token's own credentials are echoed back as the "stored" credentials, so
 * any credential matcher configured on this realm will trivially succeed. The realm therefore
 * assumes the token is only ever built after the OAuth provider has validated the user —
 * confirm against the filter that constructs the token.
 *
 * @param token the token whose principal is expected to be a {@link User}
 * @return authentication info with the user registered under {@code OAUTH_REALM_NAME}
 * @throws UnknownAccountException if the token carries no user
 * @throws LockedAccountException if the user is inactive or locked
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {
    final User account = (User) token.getPrincipal();
    if (account == null) {
        throw new UnknownAccountException(
                ConstantsUtility.ERROR_MESSAGES.getString("userDoesNotExist"));
    }
    if (!account.isActive()) {
        throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userInactive"));
    }
    if (account.isLocked()) {
        throw new LockedAccountException(ConstantsUtility.ERROR_MESSAGES.getString("userLocked"));
    }
    final SimplePrincipalCollection principalSet = new SimplePrincipalCollection();
    principalSet.add(account, ConstantsUtility.OAUTH_REALM_NAME);
    return new SimpleAuthenticationInfo(principalSet, token.getCredentials());
}
/**
 * hasRole() must be answered by the realm that owns the principal: an LDAP user resolves the
 * LDAP role, an XML user resolves the XML role, and neither gets a role that does not exist.
 */
public void testAuthorization() throws Exception {
    final SecuritySystem securitySystem = lookup(SecuritySystem.class);
    securitySystem.start();

    // LDAP-backed user
    final String ldapRealm = new NexusLdapAuthenticationRealm().getName();
    SimplePrincipalCollection subject = new SimplePrincipalCollection();
    subject.add("cstamas", ldapRealm);
    Assert.assertTrue(securitySystem.hasRole(subject, "developer"));
    Assert.assertFalse(securitySystem.hasRole(subject, "JUNK"));

    // XML-backed user: principals must be tagged with the realm that owns them
    final String xmlRealm = new XmlAuthenticatingRealm().getName();
    subject = new SimplePrincipalCollection();
    subject.add("deployment", xmlRealm);
    Assert.assertTrue(securitySystem.hasRole(subject, "deployment"));
    Assert.assertFalse(securitySystem.hasRole(subject, "JUNK"));
}
/**
 * isPermitted() must reflect each realm's own privilege assignments: both the LDAP and the XML
 * user may create forgot-password requests but not delete them, and only the XML user holds the
 * target-delete privilege.
 */
public void testAuthorizationPriv() throws Exception {
    final SecuritySystem securitySystem = lookup(SecuritySystem.class);
    securitySystem.start();

    // LDAP-backed user
    SimplePrincipalCollection subject = new SimplePrincipalCollection();
    subject.add("cstamas", new NexusLdapAuthenticationRealm().getName());
    Assert.assertTrue(securitySystem.isPermitted(subject, "security:usersforgotpw:create"));
    Assert.assertFalse(securitySystem.isPermitted(subject, "security:usersforgotpw:delete"));

    // XML-backed user
    subject = new SimplePrincipalCollection();
    subject.add("test-user", new XmlAuthenticatingRealm().getName());
    Assert.assertTrue(securitySystem.isPermitted(subject, "security:usersforgotpw:create"));
    Assert.assertFalse(securitySystem.isPermitted(subject, "security:usersforgotpw:delete"));
    Assert.assertTrue(securitySystem.isPermitted(subject, "nexus:target:1:*:delete"));
}
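/**
 * Retrieves the AuthorizationInfo for the given principals (the CAS previously authenticated
 * user: id + attributes).
 *
 * <p>Only the configured default roles and the roles stored on the local {@link User} are
 * granted. The attribute-to-role/permission mapping this realm type normally performs was
 * disabled in this override (it survived only as commented-out code, now removed) — presumably
 * so that the local user store is the single source of authority; confirm before re-enabling.
 *
 * <p>NOTE(review): the local user is looked up by the {@code username} CAS attribute, not by the
 * primary principal; the two are assumed to agree. Confirm at the CAS attribute release that
 * {@code username} cannot be set independently of the authenticated id, otherwise a subject
 * would be authorized as a different local user than the one CAS authenticated.
 *
 * @param principals the primary identifying principals of the AuthorizationInfo that should be
 *     retrieved; per this realm's contract the second entry is the CAS attribute map
 * @return the AuthorizationInfo associated with these principals
 * @throws UnknownAccountException if no local user matches the {@code username} attribute
 */
@Override
@SuppressWarnings("unchecked")
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // retrieve user information: the CAS attribute map is the second principal
    SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
    List<Object> listPrincipals = principalCollection.asList();
    Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1);

    SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();

    // configured default roles
    addRoles(simpleAuthorizationInfo, split(defaultRoles));

    // roles stored on the local user; fail closed if there is no such user
    User user = User.findUserByUsername(attributes.get("username"));
    if (user == null) {
        throw new UnknownAccountException("没有该用户"); // message kept verbatim: "no such user"
    }
    Set<Role> roleSet = user.getRoles();
    List<String> roleList = new ArrayList<String>(roleSet.size());
    for (Role role : roleSet) {
        log.info("role:" + role.getName());
        roleList.add(role.getName());
    }
    addRoles(simpleAuthorizationInfo, roleList);
    return simpleAuthorizationInfo;
}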
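/** Jackson's ObjectMapper is thread-safe once configured; build it once instead of per call. */
private static final ObjectMapper AUTHORITY_MAPPER = new ObjectMapper();

/**
 * Retrieves the AuthorizationInfo for the given principals (the CAS previously authenticated
 * user: id + attributes).
 *
 * <p>Roles and permissions are derived entirely from two CAS attributes:
 * <ul>
 *   <li>{@code username} (URL-encoded): the literal value {@code admin} is granted the
 *       {@code admin} role;</li>
 *   <li>{@code authority} (URL-encoded JSON array of objects with {@code appCode} and
 *       {@code url} keys): each entry yields the role {@code appCode} and the permission
 *       {@code appCode:url}.</li>
 * </ul>
 * Both values are trusted as-is because they are expected to come from the validated CAS
 * assertion. Granting administrator rights on a user-name string comparison is fragile: whoever
 * can be issued the user name {@code admin} at the CAS server is an administrator here.
 *
 * <p>A malformed {@code authority} value is reported and otherwise ignored, and entries lacking
 * {@code appCode} or {@code url} are skipped, so the subject ends up with fewer rights, never
 * more (fail-closed).
 *
 * @param principals the primary identifying principals of the AuthorizationInfo that should be
 *     retrieved; per this realm's contract the second entry is the CAS attribute map
 * @return the AuthorizationInfo associated with these principals
 */
@Override
@SuppressWarnings("unchecked")
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // retrieve user information: the CAS attribute map is the second principal
    SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
    List<Object> listPrincipals = principalCollection.asList();
    Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1);
    String authorityStr = attributes.get("authority");

    SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
    try {
        String username = URLDecoder.decode(attributes.get("username"), "UTF-8");
        if ("admin".equals(username)) {
            simpleAuthorizationInfo.addRole("admin");
        }
        if (authorityStr != null) {
            // The attribute arrives URL-encoded, with JSON quotes HTML-entity-escaped
            // (presumably by the CAS attribute release); undo both before parsing.
            String json = URLDecoder.decode(authorityStr, "UTF-8").replace("&quot;", "\"");
            List<Map<String, Object>> authorityList = AUTHORITY_MAPPER.readValue(json, List.class);
            for (Map<String, Object> auth : authorityList) {
                Object appCodeValue = auth.get("appCode");
                Object urlValue = auth.get("url");
                if (appCodeValue == null || urlValue == null) {
                    // An incomplete entry used to abort the whole lookup with a
                    // NullPointerException; grant nothing for it and continue.
                    continue;
                }
                String appCode = appCodeValue.toString();
                // Roles are a Set, so re-adding an existing appCode is a no-op.
                simpleAuthorizationInfo.addRole(appCode);
                simpleAuthorizationInfo.addStringPermission(appCode + ":" + urlValue);
            }
        }
    } catch (IOException e) {
        // JsonParseException and JsonMappingException both extend IOException. The subject
        // keeps only what was granted before the failure (at most the admin role).
        // TODO(review): report through the realm's logger instead of stderr.
        e.printStackTrace();
    }
    return simpleAuthorizationInfo;
}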
/**
 * isPermitted() must be answered by the realm the principal belongs to: an LDAP principal is
 * denied while no LDAP realm is configured, and an XML principal receives exactly the XML
 * realm's privileges.
 */
@Test
public void testAuthorizationPriv() throws Exception {
    final SecuritySystem securitySystem = lookup(SecuritySystem.class);
    securitySystem.start();

    // LDAP: if realm is not configured, the user should not be able to be authorized
    SimplePrincipalCollection subject = new SimplePrincipalCollection();
    subject.add("cstamas", new NexusLdapAuthenticationRealm().getName());
    Assert.assertFalse(securitySystem.isPermitted(subject, "security:usersforgotpw:create"));

    // XML
    // TODO: bdemers or dbradicich, this "fix" is wrong, it relies on imple details!
    // was: principals.add( "test-user", new XmlAuthenticatingRealm().getName() );
    subject = new SimplePrincipalCollection();
    subject.add("test-user", XmlAuthenticatingRealm.ROLE);
    Assert.assertTrue(securitySystem.isPermitted(subject, "security:usersforgotpw:create"));
    Assert.assertFalse(securitySystem.isPermitted(subject, "security:usersforgotpw:delete"));
    Assert.assertTrue(securitySystem.isPermitted(subject, "nexus:target:1:*:delete"));
}
/**
 * hasRole() must be answered by the realm the principal belongs to: an LDAP principal gets no
 * role while no LDAP realm is configured, and an XML principal gets only its XML role.
 */
@Test
public void testAuthorization() throws Exception {
    final SecuritySystem securitySystem = lookup(SecuritySystem.class);
    securitySystem.start();

    // LDAP should fail: if realm is not configured, the user should not be able to be authorized
    SimplePrincipalCollection subject = new SimplePrincipalCollection();
    subject.add("cstamas", new NexusLdapAuthenticationRealm().getName());
    Assert.assertFalse(securitySystem.hasRole(subject, "nx-developer"));
    Assert.assertFalse(securitySystem.hasRole(subject, "JUNK"));

    // xml user
    // TODO: bdemers or dbradicich, this "fix" is wrong, it relies on imple details!
    // was: principals.add( "deployment", new XmlAuthenticatingRealm().getName() );
    subject = new SimplePrincipalCollection();
    subject.add("deployment", XmlAuthenticatingRealm.ROLE);
    Assert.assertTrue(securitySystem.hasRole(subject, "nx-deployment"));
    Assert.assertFalse(securitySystem.hasRole(subject, "JUNK"));
}
/**
 * Wraps a v1 AuthenticationBean as Shiro authentication info. The profile id becomes the
 * primary principal and the bean's {@code _id} a secondary one, both registered under the
 * simple class name of {@link IkanowV1Realm} so that realm can recognise them later.
 *
 * @param ab the authenticated v1 bean; its profile id and _id are read here
 */
public IkanowV1AuthenticationInfo(AuthenticationBean ab) {
    final String realm = IkanowV1Realm.class.getSimpleName();
    this.authenticationBean = ab;
    final SimplePrincipalCollection collection =
            new SimplePrincipalCollection(ab.getProfileId(), realm);
    collection.add(ab.get_id(), realm);
    this.principalCollection = collection;
}
/**
 * Evicts the cached AuthorizationInfo for {@code username}, so that a role or permission change
 * is presumably picked up on the subject's next check rather than after the cache expires. The
 * cache key is rebuilt the way the realm registers principals: the user name under this realm's
 * own name — the two must stay in sync or the eviction silently misses.
 *
 * @param username the user whose cached authorization data should be dropped
 */
public void removeUserAuthorizationInfoCache(String username) {
    final SimplePrincipalCollection key = new SimplePrincipalCollection(username, super.getName());
    super.clearCachedAuthorizationInfo(key);
}
/**
 * Asks the realm whether {@code username}, registered under the realm's own name, holds every
 * one of {@code roles}.
 *
 * @param username the principal to check
 * @param roles the roles that must all be present
 * @return true only if the realm reports all of the roles for that principal
 */
private boolean doesUserHaveAllRoles(String username, String... roles) {
    final SimplePrincipalCollection subject =
            new SimplePrincipalCollection(username, this.realm.getName());
    return this.realm.hasAllRoles(subject, Arrays.asList(roles));
}