Commit e42c0481 by Tuomas Riihimäki

Permissiopuljausta. Otetaan kiinni PermissionDeniedException ( ja muutama muu ) …

…BortalExceptionHandler luokalla ja näytetään järkevä virheilmoitus.
1 parent 36d97681
Showing with 118 additions and 102 deletions
......@@ -13,7 +13,7 @@ import fi.insomnia.bortal.beanutil.AuthorisationBeanLocal.RightType;
import fi.insomnia.bortal.beanutil.PdfPrinter;
import fi.insomnia.bortal.enums.Permission;
import fi.insomnia.bortal.enums.RolePermission;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
import fi.insomnia.bortal.facade.BillFacade;
import fi.insomnia.bortal.facade.BillLineFacade;
import fi.insomnia.bortal.facade.EventFacade;
......@@ -102,11 +102,11 @@ public class BillBean implements BillBeanLocal {
}
@Override
public Bill createEmptyBill(User shoppingUser) throws EjbPermissionDeniedException {
public Bill createEmptyBill(User shoppingUser) {
if (shoppingUser != null && userBean.hasCurrentUserPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE)) {
String msg = new StringBuilder("User tried to shop to ").append(shoppingUser.getId()).append(" another without sufficient rights").toString();
throw new EjbPermissionDeniedException(secubean, userBean.getCurrentUser(), msg);
throw new PermissionDeniedException(secubean, userBean.getCurrentUser(), msg);
}
if (shoppingUser == null) {
shoppingUser = userBean.getCurrentUser();
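Review bot: The guard at the top of `createEmptyBill` looks inverted: it throws when `shoppingUser != null` and `hasCurrentUserPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE)` is true, while the message describes a caller without sufficient rights. Assuming that method returns true when the permission is held, a caller lacking USER_MANAGEMENT gets a bill created for another user and an administrator is refused. The condition should read `if (shoppingUser != null && !userBean.hasCurrentUserPermission(Permission.USER_MANAGEMENT, RolePermission.EXECUTE)) {`. A caller who passes their own user as `shoppingUser` probably needs to be let through as well; the method body continues past the end of the hunk, so that may be handled further down.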
......
......@@ -16,7 +16,7 @@ import org.slf4j.LoggerFactory;
import fi.insomnia.bortal.enums.Permission;
import fi.insomnia.bortal.enums.RolePermission;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
import fi.insomnia.bortal.facade.EventMapFacade;
import fi.insomnia.bortal.facade.PlaceFacade;
import fi.insomnia.bortal.model.EventMap;
......@@ -51,11 +51,11 @@ public class PlaceMapBean implements PlaceMapBeanLocal {
@EJB
private EventBeanLocal eventbean;
public void printPlaceMapToStream(OutputStream outputStream, String filetype, Integer mapId, List<Integer> placeIds) throws IOException, EjbPermissionDeniedException {
public void printPlaceMapToStream(OutputStream outputStream, String filetype, Integer mapId, List<Integer> placeIds) throws IOException {
User user = userbean.getCurrentUser();
if (!userbean.hasPermission(Permission.TICKET_SALES, user, RolePermission.READ)) {
throw new EjbPermissionDeniedException(secubean, user, "User has no right to view placemap ( TICKET_SALES, READ )");
throw new PermissionDeniedException(secubean, user, "User has no right to view placemap ( TICKET_SALES, READ )");
}
long begin = new Date().getTime();
......@@ -84,7 +84,7 @@ public class PlaceMapBean implements PlaceMapBeanLocal {
}
if (map == null) {
throw new EjbPermissionDeniedException(secubean, user, "Map not found with id: " + mapId + " and event id: " + eventbean.getCurrentEvent());
throw new PermissionDeniedException(secubean, user, "Map not found with id: " + mapId + " and event id: " + eventbean.getCurrentEvent());
}
logger.debug("Got map object {}", map);
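Review bot: The `map == null` branch reports a missing map as a `PermissionDeniedException`, and that exception's constructor calls `logPermissionDenied`, so every request for a mistyped or stale map id is recorded as an access violation by this user. A separate not-found exception, or one that skips the security log, would keep that log limited to real refusals. The message also concatenates `eventbean.getCurrentEvent()` after the label "event id:", which presumably prints the whole event object rather than its id. The method body starts and ends outside this hunk.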
......
......@@ -3,6 +3,7 @@ package fi.insomnia.bortal.beans;
import java.math.BigDecimal;
import java.util.List;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
......@@ -35,6 +36,7 @@ public class ProductBean implements ProductBeanLocal {
}
@Override
@RolesAllowed("ADMIN_BASE")
public Product createProduct(String name, BigDecimal price) {
Product entity = new Product(eventBean.getCurrentEvent(), name, price);
productFacade.create(entity);
......@@ -47,6 +49,7 @@ public class ProductBean implements ProductBeanLocal {
}
@Override
@RolesAllowed("ADMIN_BASE")
public void mergeChanges(Product product) {
productFacade.merge(product);
}
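Review bot: The two `@RolesAllowed("ADMIN_BASE")` annotations add a second authorization path next to the programmatic `hasPermission` checks that the other beans in this commit use. A refusal here surfaces as `EJBAccessException` from the container and never constructs a `PermissionDeniedException`, whose constructor is what calls `logPermissionDenied`, so these denials are presumably missing from that log. The role name is also a bare string; a comment above each annotation such as `// Role name must match the ADMIN_BASE security-role in web.xml and the server role mapping` would keep the three places in step.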
......
......@@ -59,7 +59,6 @@ public class RoleBean implements RoleBeanLocal {
public List<Role> getPossibleParents(Role role) {
List<Role> roleList = listRoles();
if (role == null)
return roleList;
......
......@@ -17,7 +17,7 @@ import org.slf4j.LoggerFactory;
import fi.insomnia.bortal.enums.Permission;
import fi.insomnia.bortal.enums.RolePermission;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
import fi.insomnia.bortal.facade.RoleFacade;
import fi.insomnia.bortal.facade.UserFacade;
import fi.insomnia.bortal.model.AccessRight;
......@@ -73,10 +73,10 @@ public class UserBean implements UserBeanLocal {
return returnUser;
}
public List<User> getUsers() throws EjbPermissionDeniedException {
public List<User> getUsers() {
User curruser = getCurrentUser();
if (curruser == null || !hasPermission(Permission.USER_MANAGEMENT, curruser, RolePermission.READ)) {
throw new EjbPermissionDeniedException(secubean, curruser, "User tried to execute getUsers function with insufficient permissions");
throw new PermissionDeniedException(secubean, curruser, "User tried to execute getUsers function with insufficient permissions");
}
List<User> ret = userFacade.findAll();
......@@ -85,10 +85,10 @@ public class UserBean implements UserBeanLocal {
}
@Override
public User mergeChanges(User user) throws EjbPermissionDeniedException {
public User mergeChanges(User user) {
User curruser = getCurrentUser();
if (curruser == null || !hasPermission(Permission.USER_MANAGEMENT, curruser, RolePermission.WRITE) || !user.equals(curruser)) {
throw new EjbPermissionDeniedException(secubean, curruser, "User tried to merge someone others data with insufficient permissions");
throw new PermissionDeniedException(secubean, curruser, "User tried to merge someone others data with insufficient permissions");
}
return userFacade.merge(user);
}
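Review bot: The guard in `mergeChanges` joins its three tests with `||`, so it rejects every call where `user` is not the current user even when the caller holds USER_MANAGEMENT/WRITE, and it also rejects a user saving their own record without that permission. The message suggests the intent is to refuse only edits of someone else's data made without the permission: `if (curruser == null || (!user.equals(curruser) && !hasPermission(Permission.USER_MANAGEMENT, curruser, RolePermission.WRITE))) {`. A null `user` reaches `user.equals` and fails with a NullPointerException instead of a logged denial. If self-edit is allowed this way, note that `userFacade.merge(user)` persists the whole entity supplied by the caller, so fields a user must not change on their own record need protecting elsewhere.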
......
......@@ -5,7 +5,6 @@ import java.util.List;
import javax.ejb.Local;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.model.Bill;
import fi.insomnia.bortal.model.BillLine;
import fi.insomnia.bortal.model.Product;
......@@ -18,7 +17,7 @@ public interface BillBeanLocal {
ByteArrayOutputStream getPdfBillStream(Bill bill);
Bill createEmptyBill(User shoppingUser) throws EjbPermissionDeniedException;
Bill createEmptyBill(User shoppingUser);
BillLine addProductToBill(Bill bill, Product product, BigDecimal count);
......
......@@ -8,7 +8,6 @@ import javax.ejb.Local;
import org.granite.messaging.service.annotations.RemoteDestination;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.model.EventMap;
import fi.insomnia.bortal.model.Place;
import fi.insomnia.bortal.model.User;
......@@ -17,7 +16,7 @@ import fi.insomnia.bortal.model.User;
@RemoteDestination
public interface PlaceMapBeanLocal {
void printPlaceMapToStream(OutputStream outputStream, String filetype, Integer mapId, List<Integer> placeIds) throws EjbPermissionDeniedException,IOException;
void printPlaceMapToStream(OutputStream outputStream, String filetype, Integer mapId, List<Integer> placeIds) throws IOException;
public String getSelectPlaceMapUrl(EventMap activeMap, List<Place> selectedPlaces, User user);
public long selectablePlaceCount(User user);
......
......@@ -6,7 +6,6 @@ import javax.ejb.Local;
import fi.insomnia.bortal.enums.Permission;
import fi.insomnia.bortal.enums.RolePermission;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.model.User;
......@@ -15,11 +14,11 @@ public interface UserBeanLocal {
User createNewUser(String nick, String password);
List<User> getUsers() throws EjbPermissionDeniedException;
List<User> getUsers();
User getUser(String nick);
User mergeChanges(User currentUser) throws EjbPermissionDeniedException;
User mergeChanges(User currentUser);
User getCurrentUser();
......
......@@ -5,6 +5,7 @@ import java.util.Set;
public enum BeanRole {
// If modified update to sun-web.xml
// Bean level access
ANONYMOUS, // Unauthenticated web user
USER_BASE, // JAAS access for logged in user
......
......@@ -3,9 +3,9 @@ package fi.insomnia.bortal.exceptions;
import fi.insomnia.bortal.beans.SecurityBeanLocal;
import fi.insomnia.bortal.model.User;
public class EjbPermissionDeniedException extends Exception {
public class PermissionDeniedException extends RuntimeException {
public EjbPermissionDeniedException(SecurityBeanLocal bean, User user, String message) {
public PermissionDeniedException(SecurityBeanLocal bean, User user, String message) {
super(message);
bean.logPermissionDenied(user, this);
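Review bot: `PermissionDeniedException` now extends `RuntimeException` but carries no `@ApplicationException`, so when a bean throws it the EJB container treats it as a system exception and hands the caller a wrapping `EJBException`. `BortalExceptionHandler` copes by walking the cause chain, but the `catch (PermissionDeniedException e)` in the `PlaceMap` servlet will most likely stop matching, and the SC_NOT_FOUND response it produces is then never sent. Annotating the class with `@javax.ejb.ApplicationException(rollback = true)` keeps the exception type intact across the bean boundary. The rest of the class is outside this hunk.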
......
......@@ -3,6 +3,15 @@
<sun-web-app error-url="/auth/login.jsf">
<context-root>/LanBortalWeb</context-root>
<security-role-mapping>
<role-name>ANONYMOUS</role-name>
<group-name>ANONYMOUS</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ORGANIZATION_ROOT</role-name>
<group-name>ORGANIZATION_ROOT</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>SUPERADMIN</role-name>
<group-name>SUPERADMIN</group-name>
</security-role-mapping>
......
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>LanBortalWeb</display-name>
<session-config>
......@@ -56,15 +59,38 @@
<security-role>
<role-name>ADMIN_BASE</role-name>
</security-role>
<security-role>
<role-name>ANONYMOUS</role-name>
</security-role>
<security-role>
<role-name>ORGANIZATION_ROOT</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>forbidden</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
<url-pattern>/layout/*</url-pattern>
<url-pattern>/resources/tools/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Thou shall not read the sources or use utils directly</description>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Forbidden resource</display-name>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
<url-pattern>/layout/*</url-pattern>
<url-pattern>/resources/tools/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Thou shall not read the sources..</description>
<description>Thou shall not read the sources or use utils directly</description>
</auth-constraint>
</security-constraint>
<servlet>
<description></description>
<display-name>PrintBill</display-name>
......
......@@ -7,13 +7,11 @@
<title></title>
</h:head>
<h:body>
<ui:composition template="/layout/default-template.xhtml">
<ui:define name="title">HelloWorld</ui:define>
<ui:define name="header">Header</ui:define>
<ui:composition template="/layout/insomnia1/template.xhtml">
<ui:param name="thispage" value="page.permissionDenied" />
<ui:define name="content">
<h1>Permission Denied!</h1>
</ui:define>
<ui:define name="footer">footer</ui:define>
</ui:composition>
</h:body>
</html>
\ No newline at end of file
......@@ -66,7 +66,7 @@ public class HostnameFilter implements Filter {
String hostname = url.substring(beginindex, lastindex);
logger.debug("Setting hostname to {} ", hostname);
httpRequest.getSession().setAttribute(EventBeanLocal.HTTP_URL_HOSTNAME, hostname);
ThreadLocalContextHolder.put(EventBeanLocal.HTTP_URL_HOSTNAME, hostname);
}
// pass the request along the filter chain
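Review bot: The line `ThreadLocalContextHolder.put(EventBeanLocal.HTTP_URL_HOSTNAME, hostname);`, which appears to be the added one, stores the hostname in thread-local state, and nothing visible in this hunk clears it after the request. Container threads are pooled, so a value left behind is visible to the next request served by the same thread, and because the put sits inside a conditional block, a request that skips it would run with the previous request's hostname. Clearing the holder in a `finally` around the call that passes the request down the filter chain avoids this. The rest of the filter method is outside the hunk, so this may already be done there.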
......
......@@ -3,6 +3,7 @@ package fi.insomnia.bortal.exceptions;
import java.util.Iterator;
import java.util.Map;
import javax.ejb.EJBAccessException;
import javax.faces.FacesException;
import javax.faces.application.NavigationHandler;
import javax.faces.application.ViewExpiredException;
......@@ -32,21 +33,31 @@ public class BortalExceptionHandler extends ExceptionHandlerWrapper {
@Override
public void handle() throws FacesException {
logger.debug("Handling exceptions");
for (Iterator<ExceptionQueuedEvent> i = getUnhandledExceptionQueuedEvents().iterator(); i.hasNext();) {
ExceptionQueuedEvent event = i.next();
ExceptionQueuedEventContext context = (ExceptionQueuedEventContext) event.getSource();
Throwable t = context.getException();
logger.debug("Found exception! handing it: {}", t.getClass().toString());
if (t instanceof ViewExpiredException) {
errorpage(i, t, "viewExpired");
} else if (t instanceof PermissionDeniedException) {
errorpage(i, t, "permissionDenied");
}
Throwable cause = t;
while (cause != null) {
logger.debug("Cause not null, but {}, checking" + t.getClass().toString());
if (cause instanceof PermissionDeniedException ||
cause instanceof EJBAccessException ||
cause instanceof PermissionDeniedException ) {
logger.debug("Found Permission Denied cause: {}", cause);
errorpage(i, t, "permissionDenied");
break;
}
cause = cause.getCause();
}
}
// At this point, the queue will not contain any ViewExpiredEvents.
......@@ -58,14 +69,21 @@ public class BortalExceptionHandler extends ExceptionHandlerWrapper {
}
private void errorpage(Iterator<ExceptionQueuedEvent> i, Throwable t, String navigateTo) {
ViewExpiredException vee = (ViewExpiredException) t;
logger.info("navigating to {} because root exception: {}", navigateTo, t.getClass());
ViewExpiredException vee = null;
if (t instanceof ViewExpiredException) {
vee = (ViewExpiredException) t;
}
FacesContext fc = FacesContext.getCurrentInstance();
Map<String, Object> requestMap = fc.getExternalContext().getRequestMap();
NavigationHandler nav = fc.getApplication().getNavigationHandler();
try {
// Push some useful stuff to the request scope for
// use in the page
requestMap.put("currentViewId", vee.getViewId());
if (vee != null) {
requestMap.put("currentViewId", vee.getViewId());
}
nav.handleNavigation(fc, null, navigateTo);
fc.renderResponse();
} finally {
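Review bot: In the new cause-walking loop of `handle()`, the debug call concatenates the class name onto the format string instead of passing it as an argument, so the `{}` is never filled, and it reports `t` on every iteration rather than the `cause` being inspected; `logger.debug("Cause not null, but {}, checking", cause.getClass());` fixes both. The condition below it tests `cause instanceof PermissionDeniedException` twice, so the third operand can be dropped. If the `else if (t instanceof PermissionDeniedException)` branch above the loop is still on the new side, a directly thrown exception is passed to `errorpage` twice, because the loop starts with `cause = t`. What `errorpage` does in its `finally` block is outside the view, so the effect of that second call should be checked.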
......
package fi.insomnia.bortal.exceptions;
import fi.insomnia.bortal.beans.SecurityBeanLocal;
import fi.insomnia.bortal.model.User;
public class PermissionDeniedException extends RuntimeException {
public PermissionDeniedException(SecurityBeanLocal bean, User user, String message) {
super(message);
bean.logPermissionDenied(user, this);
}
public PermissionDeniedException(EjbPermissionDeniedException e)
{
super(e.getMessage());
// Let's not log. EJB already logged...
}
/**
*
*/
private static final long serialVersionUID = 7909254489997475124L;
}
......@@ -151,7 +151,6 @@ public class SessionHandler {
{
boolean ret = userbean.isLoggedIn();
logger.info("Is logged in: {}", ret);
return ret;
}
}
......@@ -20,7 +20,7 @@ import org.slf4j.LoggerFactory;
import fi.insomnia.bortal.beans.EventBeanLocal;
import fi.insomnia.bortal.beans.PlaceMapBeanLocal;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
/**
*
......@@ -84,7 +84,7 @@ public class PlaceMap extends HttpServlet {
* out.println("<h1>Servlet PlaceMap at " + request.getContextPath
* () + "</h1>"); out.println("</body>"); out.println("</html>");
*/
} catch (EjbPermissionDeniedException e) {
} catch (PermissionDeniedException e) {
logger.debug("Permission deniedn. Returning SC_NOT_FOUND!");
response.setContentType("text/html;charset=UTF-8");
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
......
......@@ -23,7 +23,6 @@ import fi.insomnia.bortal.beans.BillBeanLocal;
import fi.insomnia.bortal.beans.EventBeanLocal;
import fi.insomnia.bortal.beans.ProductBeanLocal;
import fi.insomnia.bortal.beans.UserBeanLocal;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
import fi.insomnia.bortal.model.Bill;
import fi.insomnia.bortal.model.Product;
......@@ -54,24 +53,21 @@ public class ProductShopView {
return items;
}
public ActionListener getBillCommitAL()
{
public ActionListener getBillCommitAL() {
logger.info("Fetching billCommitAl()");
return new ActionListener(){
@Override
public void processAction(ActionEvent event) throws AbortProcessingException {
logger.info("Executing BillCommit AL");
}};
return new ActionListener() {
@Override
public void processAction(ActionEvent event) throws AbortProcessingException {
logger.info("Executing BillCommit AL");
}
};
}
public void commitBillCart() {
logger.debug("Committing billCart");
Iterator<ProductShopItem> cartIter = billCart.iterator();
Bill bill = null;
try {
bill = billBean.createEmptyBill(getShoppingUser());
} catch (EjbPermissionDeniedException e) {
throw new PermissionDeniedException(e);
}
bill = billBean.createEmptyBill(getShoppingUser());
bill.setOurReference(eventBean.getCurrentEvent().getName());
while (cartIter.hasNext()) {
......
......@@ -13,13 +13,11 @@ import javax.faces.model.ListDataModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import fi.insomnia.bortal.I18n;
import fi.insomnia.bortal.beans.SecurityBeanLocal;
import fi.insomnia.bortal.beans.JaasBeanLocal;
import fi.insomnia.bortal.beans.UserBeanLocal;
import fi.insomnia.bortal.enums.Permission;
import fi.insomnia.bortal.exceptions.EjbPermissionDeniedException;
import fi.insomnia.bortal.exceptions.PermissionDeniedException;
import fi.insomnia.bortal.handler.SessionHandler;
import fi.insomnia.bortal.model.User;
......@@ -46,25 +44,22 @@ public class UserView {
public String edit() {
setUser(items.getRowData());
logger.info("Editing: Firstname: {} ",getUser().getFirstnames());
logger.info("Editing: Firstname: {} ", getUser().getFirstnames());
return "userEdit";
}
public void initSelfedit()
{
public void initSelfedit() {
user = userBean.getCurrentUser();
}
public String createUser() {
if (!getSessionhandler().canWrite(Permission.USER_MANAGEMENT)) {
// Give message to administration what happened here.
throw new PermissionDeniedException(securitybean, getSessionhandler().getUser(), "User " + getSessionhandler().getUser() + " does not have permission to create user!");
}
if(null != userBean.getUser(login))
{
if (null != userBean.getUser(login)) {
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(I18n.get("userview.userExists")));
return "create";
}
......@@ -85,22 +80,16 @@ public class UserView {
}
public String saveUser() {
try {
setUser(userBean.mergeChanges(getUser()));
logger.info("Firstname: {} ",getUser().getFirstnames());
} catch (EjbPermissionDeniedException e) {
throw new PermissionDeniedException(e);
}
setUser(userBean.mergeChanges(getUser()));
logger.info("Firstname: {} ", getUser().getFirstnames());
return "userSave";
}
public ListDataModel<User> getUsers() {
List<User> users;
try {
users = userBean.getUsers();
} catch (EjbPermissionDeniedException e) {
throw new PermissionDeniedException(e);
}
users = userBean.getUsers();
items = new ListDataModel<User>(users);
logger.info("Fetching users. Found {}", items.getRowCount());
......
......@@ -21,6 +21,8 @@ page.auth.notauthorized.pagegroup=frontpage
page.bill.list.pagegroup=user
page.viewexpired.pagegroup=frontpage
page.product.create.pagegroup=admin
page.product.createBill.pagegroup=shop
page.product.edit.pagegroup=admin
......@@ -37,7 +39,8 @@ page.user.edit.pagegroup=user
page.user.list.pagegroup=user
page.user.editself.pagegroup=user
page.auth.login.loginerror=frontpage
page.auth.login.logout=frontpage
page.auth.login.loginerror.pagegroup=frontpage
page.auth.login.logout.pagegroup=frontpage
page.viewexpired=frontpage
\ No newline at end of file
page.viewexpired.pagegroup=frontpage
page.permissionDenied.pagegroup=frontpage
\ No newline at end of file
......@@ -50,6 +50,8 @@ product.save=Save
product.sort=Sort
product.unitName=Product unit
product.vat=VAT
product.cart.count=Count
role.create=Create role
role.edit=Edit
role.name=Name
......@@ -96,4 +98,5 @@ sidebar.product.list=List products
sidebar.product.createBill=Create bill
sidebar.role.create=Create role
sidebar.role.list=List roles
sidebar.map.placemap=Select places
\ No newline at end of file
sidebar.map.placemap=Select places