Commit 2961ea55 authored by michael.simon's avatar michael.simon

change roles to session

parent dfbcdfdf
......@@ -22,6 +22,9 @@ import javax.inject.Named;
import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.service.RoleService;
@Named("accessChecker")
@ApplicationScoped
public class AccessChecker {
......@@ -29,13 +32,17 @@ public class AccessChecker {
@Inject
private Logger logger;
@Inject
private RoleService roleService;
private AccessNode root;
@PostConstruct
public void init() {
logger.info("Initializing accessChecker");
root = new AccessNode();
root.addAllowRole("ROLE_User");
RoleEntity rootRole = roleService.findByName("User");
root.addAllowRole(rootRole.getId());
addAccessNode(root, "user", true);
addAccessNode(root, "service", true);
......@@ -43,22 +50,22 @@ public class AccessChecker {
addAccessNode(root, "service-approver", true);
addAccessNode(root, "service-group-admin", true);
addDenyNode(root, "register", false, "ROLE_User");
addDenyNode(root, "register", false, "User");
AccessNode adminNode = addAccessNode(root, "admin", false, "ROLE_MasterAdmin");
addAccessNode(adminNode, "role", true, "ROLE_RoleAdmin");
addAccessNode(adminNode, "user", true, "ROLE_UserAdmin");
addAccessNode(adminNode, "service", true, "ROLE_ServiceAdmin");
addAccessNode(adminNode, "saml", true, "ROLE_SamlAdmin");
addAccessNode(adminNode, "business-rule", true, "ROLE_BusinessRuleAdmin");
addAccessNode(adminNode, "bulk", true, "ROLE_BulkAdmin");
addAccessNode(adminNode, "timer", true, "ROLE_TimerAdmin");
addAccessNode(adminNode, "audit", true, "ROLE_AuditAdmin");
addAccessNode(adminNode, "group", true, "ROLE_GroupAdmin");
addAccessNode(adminNode, "as", true, "ROLE_AttributeSourceAdmin");
AccessNode adminNode = addAccessNode(root, "admin", false, "MasterAdmin");
addAccessNode(adminNode, "role", true, "RoleAdmin");
addAccessNode(adminNode, "user", true, "UserAdmin");
addAccessNode(adminNode, "service", true, "ServiceAdmin");
addAccessNode(adminNode, "saml", true, "SamlAdmin");
addAccessNode(adminNode, "business-rule", true, "BusinessRuleAdmin");
addAccessNode(adminNode, "bulk", true, "BulkAdmin");
addAccessNode(adminNode, "timer", true, "TimerAdmin");
addAccessNode(adminNode, "audit", true, "AuditAdmin");
addAccessNode(adminNode, "group", true, "GroupAdmin");
addAccessNode(adminNode, "as", true, "AttributeSourceAdmin");
AccessNode restNode = addAccessNode(root, "rest", false, "ROLE_MasterAdmin", "ROLE_RestAdmin");
addAccessNode(restNode, "service-admin", true, "ROLE_RestServiceAdmin");
AccessNode restNode = addAccessNode(root, "rest", false, "MasterAdmin", "RestAdmin");
addAccessNode(restNode, "service-admin", true, "RestServiceAdmin");
AccessNode droolsNode = addAccessNode(restNode, "drools", true);
addAccessNode(droolsNode, "test", true);
......@@ -70,12 +77,12 @@ public class AccessChecker {
addAccessNode(ecpNode, "eppn", true);
AccessNode imageNode = addAccessNode(restNode, "image", true);
addAccessNode(imageNode, "original", true, "ROLE_User");
addAccessNode(imageNode, "small", true, "ROLE_User");
addAccessNode(imageNode, "icon", true, "ROLE_User");
addAccessNode(imageNode, "original", true, "User");
addAccessNode(imageNode, "small", true, "User");
addAccessNode(imageNode, "icon", true, "User");
}
public Boolean check(String path, Set<String> roles) {
public Boolean check(String path, Set<Long> roles) {
if (path.startsWith("/"))
path = path.substring(1);
......@@ -88,7 +95,7 @@ public class AccessChecker {
return evaluate(root, splitList, roles);
}
private Boolean evaluate(AccessNode an, List<String> splitList, Set<String> roles) {
private Boolean evaluate(AccessNode an, List<String> splitList, Set<Long> roles) {
if (splitList.size() == 0) {
return evaluateNode(an, roles);
}
......@@ -99,7 +106,7 @@ public class AccessChecker {
if (subAn == null)
return evaluateNode(an, roles);
for (String role : an.getDenyRoles()) {
for (Long role : an.getDenyRoles()) {
if (roles.contains(role))
return false;
}
......@@ -108,13 +115,13 @@ public class AccessChecker {
}
}
private Boolean evaluateNode(AccessNode an, Set<String> roles) {
for (String role : an.getDenyRoles()) {
private Boolean evaluateNode(AccessNode an, Set<Long> roles) {
for (Long role : an.getDenyRoles()) {
if (roles.contains(role))
return false;
}
for (String role : an.getAllowRoles()) {
for (Long role : an.getAllowRoles()) {
if (roles.contains(role))
return true;
}
......@@ -124,16 +131,22 @@ public class AccessChecker {
private AccessNode addAccessNode(AccessNode parent, String path, Boolean inherit, String... roles) {
AccessNode an = new AccessNode(parent, path, inherit);
for (String role : roles)
an.addAllowRole(role);
for (String roleName : roles) {
RoleEntity role = roleService.findByName(roleName);
if (role != null)
an.addAllowRole(role.getId());
}
return an;
}
private AccessNode addDenyNode(AccessNode parent, String path, Boolean inherit, String... roles) {
AccessNode an = new AccessNode(parent, path, inherit);
for (String role : roles)
an.addDenyRole(role);
for (String roleName : roles) {
RoleEntity role = roleService.findByName(roleName);
if (role != null)
an.addDenyRole(role.getId());
}
return an;
}
......
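Review bot: The `if (role != null)` guards added in addAccessNode and addDenyNode silently drop a rule when roleService.findByName returns null, so a misspelled or not-yet-created role name leaves an allow node with no grantees and a deny node with no effect, and nothing in the log shows it; the "User" lookup in init (L25–L26 of this section) dereferences the result with no check at all, so the two paths disagree on the same condition. I would add `else logger.warn("Role {} not found, access rule for path {} ignored", roleName, path);` in both loops and give the root lookup the same treatment, or fail init outright, since an unresolved deny rule is the fail-open case. The lookups also run once in @PostConstruct of an application-scoped bean, so a role created after startup is never reflected in the tree; a comment on init saying so would save the next maintainer a surprise.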
......@@ -23,8 +23,8 @@ public class AccessNode {
private Map<String, AccessNode> children;
private Set<String> allowRoles;
private Set<String> denyRoles;
private Set<Long> allowRoles;
private Set<Long> denyRoles;
public AccessNode() {
this(null, "", false);
......@@ -34,8 +34,8 @@ public class AccessNode {
this.parent = parent;
this.path = path;
children = new HashMap<String, AccessNode>();
allowRoles = new HashSet<String>();
denyRoles = new HashSet<String>();
allowRoles = new HashSet<Long>();
denyRoles = new HashSet<Long>();
if (inherit) {
allowRoles.addAll(parent.getAllowRoles());
......@@ -50,11 +50,11 @@ public class AccessNode {
return children.get(path);
}
public void addAllowRole(String role) {
public void addAllowRole(Long role) {
allowRoles.add(role);
}
public void addDenyRole(String role) {
public void addDenyRole(Long role) {
denyRoles.add(role);
}
......@@ -64,11 +64,11 @@ public class AccessNode {
children.put(an.getPath(), an);
}
public Set<String> getAllowRoles() {
public Set<Long> getAllowRoles() {
return allowRoles;
}
public Set<String> getDenyRoles() {
public Set<Long> getDenyRoles() {
return denyRoles;
}
......
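Review bot: The role sets now hold Long values, but nothing in AccessNode says what the number is; a reader of `addAllowRole(Long role)` cannot tell it is a RoleEntity id resolved by the caller rather than some ordinal. I would add a Javadoc on addAllowRole and addDenyRole such as `/** @param role database id of the RoleEntity granted (or denied) on this node; resolved by AccessChecker */` and the matching `@return` on getAllowRoles and getDenyRoles. Those getters also hand out the internal mutable sets, which the constructor's inherit branch copies from; that is pre-existing, but the ids are now the authorization decision, so an unmodifiable view would be cheap insurance.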
......@@ -51,7 +51,6 @@ public class AuthorizationBean implements Serializable {
private List<ServiceEntity> serviceAdminList;
private List<ServiceEntity> serviceHotlineList;
private List<ServiceEntity> serviceGroupAdminList;
private List<RoleEntity> roleList;
@Inject
private RegistryService registryService;
......@@ -124,9 +123,10 @@ public class AuthorizationBean implements Serializable {
}
unregisteredServiceList.removeAll(serviceToRemove);
roleList = roleService.findByUser(user);
List<RoleEntity> roleList = roleService.findByUser(user);
for (RoleEntity role : roleList) {
sessionManager.addRole(role.getId());
if (role instanceof AdminRoleEntity) {
serviceAdminList.addAll(serviceService.findByAdminRole(role));
serviceHotlineList.addAll(serviceService.findByHotlineRole(role));
......@@ -140,16 +140,23 @@ public class AuthorizationBean implements Serializable {
}
}
public boolean isUserInRole(RoleEntity role) {
public boolean isUserInRole(String roleName) {
if (roleName.startsWith("ROLE_"))
roleName = roleName.substring(5);
RoleEntity role = roleService.findByName(roleName);
if (role == null)
return false;
for (RoleEntity r : roleList) {
if (role.equals(r))
return true;
}
return sessionManager.isUserInRole(role.getId());
}
public boolean isUserInRole(RoleEntity role) {
if (role == null)
return false;
return false;
return sessionManager.isUserInRole(role.getId());
}
public boolean isUserInRoles(Set<RoleEntity> roles) {
......
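Review bot: isUserInRole(String) issues a roleService.findByName query on every call (L196 of this section), and the two XHTML sections in this commit evaluate it twice per panelGroup from `rendered=` expressions, so one menu render now performs a dozen or more role lookups, possibly several times per JSF lifecycle. Resolving names once — a name-to-id map filled in the roleList loop alongside `sessionManager.addRole(role.getId())`, or a cache inside RoleService — would keep the database out of view rendering and leave the session as the single source of truth. The method also assumes roleName is non-null before `roleName.startsWith("ROLE_")`; `if (roleName == null) return false;` would make it safe for EL callers. The prefix strip deserves a why-comment, e.g. `// accept legacy "ROLE_"-prefixed names still used by the views`.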
......@@ -11,10 +11,8 @@
package edu.kit.scc.webreg.sec;
import java.io.IOException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.faces.bean.ApplicationScoped;
import javax.inject.Inject;
......@@ -116,9 +114,8 @@ public class Saml2PostHandlerServlet {
if (user == null) {
logger.info("New User detected, sending to register Page");
Set<String> newRoles = new HashSet<String>();
newRoles.add("ROLE_New");
session.setRoles(newRoles);
// Role -1 is for new users
session.addRole(-1L);
response.sendRedirect("/register/register.xhtml");
return;
}
......
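Review bot: The new-user marker is the bare literal -1L here and again in SecurityFilter's `session.isUserInRole(-1L)`, with the explaining comment only at this one site; a constant such as `public static final Long NEW_USER_ROLE_ID = -1L;` on SessionManager, used at both places, would tie them together and keep the meaning next to the roles it lives with. Because SessionManager.addRole only ever adds, the marker also stays in the session after the user has registered unless something replaces the session or the set, so the `/register/` branch in SecurityFilter keeps matching; the enclosing method starts and ends outside this hunk, so I cannot see whether the session is renewed on registration — worth confirming.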
......@@ -105,13 +105,13 @@ public class SecurityFilter implements Filter {
&& (httpSession == null || (! session.isLoggedIn()))) {
processRestLogin(path, request, response, chain);
}
else if (path.startsWith("/register/") && session != null && session.isUserInRole("ROLE_New")) {
else if (path.startsWith("/register/") && session != null && session.isUserInRole(-1L)) {
chain.doFilter(servletRequest, servletResponse);
}
else if (session != null && session.isLoggedIn()) {
Set<String> roles = convertRoles(roleService.findByUserId(session.getUserId()));
session.setRoles(roles);
Set<Long> roles = convertRoles(roleService.findByUserId(session.getUserId()));
session.addRoles(roles);
if (accessChecker.check(path, roles)) {
request.setAttribute(USER_ID, session.getUserId());
......@@ -142,10 +142,10 @@ public class SecurityFilter implements Filter {
}
}
private Set<String> convertRoles(List<RoleEntity> roleList) {
Set<String> roles = new HashSet<String>();
private Set<Long> convertRoles(List<RoleEntity> roleList) {
Set<Long> roles = new HashSet<Long>();
for (RoleEntity role : roleList)
roles.add("ROLE_" + role.getName());
roles.add(role.getId());
return roles;
}
......@@ -182,10 +182,10 @@ public class SecurityFilter implements Filter {
if (adminUser != null && passwordsMatch(adminUser.getPassword(), credentials[1])) {
List<RoleEntity> roleList = adminUserService.findRolesForUserById(adminUser.getId());
Set<String> roles = convertRoles(roleList);
Set<Long> roles = convertRoles(roleList);
if (setRoles && session != null)
session.setRoles(roles);
session.addRoles(roles);
if (accessChecker.check(path, roles)) {
request.setAttribute(ADMIN_USER_ID, adminUser.getId());
......
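Review bot: Replacing session.setRoles with session.addRoles at the per-request refresh (and again in the REST login path below) turns a replace into an append: a role removed from the user in the database stays in the session's set until logout, so AuthorizationBean.isUserInRole — which reads the session rather than the freshly computed `roles` — keeps answering true for a revoked admin role. accessChecker.check still receives the fresh set, so the filter's own decision is unaffected, but every view-level check and any other reader of SessionManager is. Keeping replace semantics on this path — a `session.setRoles(roles);` taking Set<Long>, or clearing before addAll — and reserving addRole for the registration sentinel would restore revocation; the same applies to the SessionManager section of this commit, which removed setRoles. A one-line comment on convertRoles saying the returned ids are what the access decision is based on would help too.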
......@@ -11,6 +11,7 @@
package edu.kit.scc.webreg.util;
import java.io.Serializable;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
......@@ -37,7 +38,7 @@ public class SessionManager implements Serializable {
private String originalRequestPath;
private String originalIdpEntityId;
private Set<String> roles;
private Set<Long> roles;
private String theme;
......@@ -55,6 +56,20 @@ public class SessionManager implements Serializable {
}
public void addRole(Long role) {
if (roles == null) roles = new HashSet<Long>();
roles.add(role);
}
public void addRoles(Set<Long> rolesToAdd) {
if (roles == null) roles = new HashSet<Long>();
roles.addAll(rolesToAdd);
}
public boolean isUserInRole(Long role) {
return roles.contains(role);
}
public Long getIdpId() {
return idpId;
}
......@@ -91,14 +106,6 @@ public class SessionManager implements Serializable {
this.persistentId = persistentId;
}
public void setRoles(Set<String> roles) {
this.roles = roles;
}
public boolean isUserInRole(String role) {
return roles.contains(role);
}
public void setTheme(String theme) {
this.theme = theme;
}
......
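Review bot: isUserInRole(Long) dereferences `roles` with no null guard, while addRole and addRoles lazily create the set, so a session that has not been given any role yet — SecurityFilter calls `session.isUserInRole(-1L)` on every non-null session on the `/register/` path — throws NullPointerException instead of returning false. Either `return roles != null && roles.contains(role);` or initialise the field at declaration, `private Set<Long> roles = new HashSet<Long>();`, and drop the two lazy checks. A Javadoc on the three new methods stating that the Long is a RoleEntity id and that -1L is reserved for unregistered users would make the contract visible where it is used.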
......@@ -64,7 +64,7 @@
</div>
</div>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_GroupAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_GroupAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.groups}</div>
<div class="submenu-content">
......@@ -86,7 +86,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_SamlAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_SamlAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.saml_props}</div>
<div class="submenu-content">
......@@ -104,7 +104,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_AttributeSourceAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_AttributeSourceAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.attribute_sources}</div>
<div class="submenu-content">
......@@ -119,7 +119,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_BusinessRuleAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_BusinessRuleAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.business_rules}</div>
<div class="submenu-content">
......@@ -134,7 +134,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_BulkAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_BulkAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.bulk_ops}</div>
<div class="submenu-content">
......@@ -152,7 +152,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_TimerAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_TimerAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.scheduler_admin}</div>
<div class="submenu-content">
......@@ -173,7 +173,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_AuditAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_AuditAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.audit_admin}</div>
<div class="submenu-content">
......
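Review bot: The views still pass the legacy `ROLE_`-prefixed names, which authorizationBean.isUserInRole immediately strips again, so the two spellings of each role now live side by side (`'ROLE_GroupAdmin'` here, `"GroupAdmin"` in AccessChecker); passing the bare name, `authorizationBean.isUserInRole('GroupAdmin')`, would let the compatibility strip be retired later. The same applies to the second XHTML section of this commit. Each of these expressions is now a database lookup at render time, which is why fewer, bare-name calls are worth it.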
......@@ -63,7 +63,7 @@
</div>
</div>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_GroupAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_GroupAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.groups}</div>
<div class="submenu-content">
......@@ -85,7 +85,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_SamlAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_SamlAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.saml_props}</div>
<div class="submenu-content">
......@@ -103,7 +103,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_AttributeSourceAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_AttributeSourceAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.attribute_sources}</div>
<div class="submenu-content">
......@@ -118,7 +118,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_BusinessRuleAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_BusinessRuleAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.business_rules}</div>
<div class="submenu-content">
......@@ -133,7 +133,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_BulkAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_BulkAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.bulk_ops}</div>
<div class="submenu-content">
......@@ -151,7 +151,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_TimerAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_TimerAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.scheduler_admin}</div>
<div class="submenu-content">
......@@ -172,7 +172,7 @@
</div>
</h:panelGroup>
<h:panelGroup rendered="#{sessionManager.isUserInRole('ROLE_AuditAdmin') or sessionManager.isUserInRole('ROLE_MasterAdmin')}">
<h:panelGroup rendered="#{authorizationBean.isUserInRole('ROLE_AuditAdmin') or authorizationBean.isUserInRole('ROLE_MasterAdmin')}">
<div class="submenu">
<div class="submenu-title">#{messages.audit_admin}</div>
<div class="submenu-content">
......