Author: jleroux
Date: Wed Dec 17 12:50:11 2008 New Revision: 727508 URL: http://svn.apache.org/viewvc?rev=727508&view=rev Log: Close "Grey list feature for confidential data access" (https://issues.apache.org/jira/browse/OFBIZ-2074) - OFBIZ-2074 I put an explanation in http://docs.ofbiz.org/display/OFBTECH/OFBiz+security Added: ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java Modified: ofbiz/trunk/applications/party/config/PartyUiLabels.xml ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml ofbiz/trunk/applications/party/widget/Menus.xml ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml ofbiz/trunk/applications/securityext/servicedef/services.xml ofbiz/trunk/framework/common/config/CommonUiLabels.xml ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml ofbiz/trunk/framework/common/widget/CommonScreens.xml ofbiz/trunk/framework/security/config/security.properties ofbiz/trunk/framework/security/entitydef/entitymodel.xml ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Modified: ofbiz/trunk/applications/party/config/PartyUiLabels.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/config/PartyUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/party/config/PartyUiLabels.xml (original) +++ ofbiz/trunk/applications/party/config/PartyUiLabels.xml Wed Dec 17 12:50:11 2008 
@@ -2144,6 +2144,10 @@ <value xml:lang="th">à¹à¸ªà¸à¸à¸à¸£à¸°à¸§à¸±à¸à¸´à¸à¸à¸à¸à¸¥à¸¸à¹à¸¡à¸à¸¹à¹à¹à¸à¹</value> <value xml:lang="zh">æµè§ä¼åæ¡£æ¡</value> </property> + <property key="PartyProtectedViewsForSecurityGroup"> + <value xml:lang="en">Protected Views For SecurityGroup</value> + <value xml:lang="fr">Vues protégées pour le groupe de sécurité</value> + </property> <property key="PageTitleViewPartyRole"> <value xml:lang="de">Akteur Rollen anzeigen</value> <value xml:lang="en">View Party Roles</value> @@ -2345,6 +2349,10 @@ <value xml:lang="th">à¹à¸à¸´à¹à¸¡à¸ªà¸´à¸à¸à¹à¸²à¹à¸à¸£à¸²à¸¢à¸à¸²à¸£</value> <value xml:lang="zh">æ产åæ·»å å°å表</value> </property> + <property key="PartyAddProtectedViewToSecurityGroup"> + <value xml:lang="en">Add a Protected View to SecurityGroup</value> + <value xml:lang="fr">Ajouter une vue protégée à ce groupe de sécurité</value> + </property> <property key="PartyAddPurpose"> <value xml:lang="de">Zweck hinzufügen</value> <value xml:lang="en">Add Purpose</value> @@ -5030,6 +5038,14 @@ <value xml:lang="th">à¹à¸à¹à¸à¸¡à¹à¸²à¸¢</value> <value xml:lang="zh">丧å¶</value> </property> + <property key="PartyMaxHit"> + <value xml:lang="en">Maximum number of visits</value> + <value xml:lang="fr">Nombre maximum de visites</value> + </property> + <property key="PartyMaxHitDuration"> + <value xml:lang="en">Duration during which the visits are considered (in seconds)</value> + <value xml:lang="fr">Durée pendant laquelle les visites sont considérées (en secondes)</value> + </property> <property key="PartyMechPurposeTypeNotFound"> <value xml:lang="de">Zweck Typ nicht gefunden mit der ID</value> <value xml:lang="en">Purpose Type not found with ID</value> 
@@ -6320,6 +6336,10 @@ <value xml:lang="ru">ÐÑоÑилÑ</value> <value xml:lang="th">à¸à¸£à¸°à¸§à¸±à¸à¸´à¸ªà¹à¸§à¸à¸à¸±à¸§</value> <value xml:lang="zh">ç®ä»</value> + </property> + <property key="PartyProtectedViews"> + <value xml:lang="en">Protected Views</value> + <value xml:lang="fr">Vues protégées</value> </property> <property key="PartyProveinceInCanadaMissing"> <value xml:lang="de">Provinz fehlt und wird benötigt für eine Adresse in Kanada.</value> @@ -7165,6 +7185,10 @@ <value xml:lang="th">à¸à¸¹à¹à¸à¸±à¸à¸«à¸²</value> <value xml:lang="zh">ä¾è´§å</value> </property> + <property key="PartyTarpitDuration"> + <value xml:lang="en">Duration during which the view will not be accessible (in seconds)</value> + <value xml:lang="fr">Durée pendant laquelle la vue ne sera plus accessible (en secondes)</value> + </property> <property key="PartyTaxAddInfo"> <value xml:lang="de">Steuerangaben hinzufügen</value> <value xml:lang="en">Add Tax Info</value> 
@@ -7732,6 +7756,10 @@ <value xml:lang="th">Security Error: à¹à¸à¸à¸²à¸£à¸£à¸±à¸à¸à¹à¸²à¸£à¸«à¸±à¸ªà¹à¸à¸£à¸©à¸à¸µà¸¢à¹ à¸à¸¸à¸à¸à¹à¸à¸à¹à¸à¹à¸£à¸±à¸à¸à¸à¸¸à¸à¸²à¸à¸à¸²à¸ PARTY_VIEW หรืภPARTY_ADMIN à¸à¹à¸à¸</value> <value xml:lang="zh">å®å ¨é误: è¦è¿è¡ getPostalAddressBoundaryï¼ä½ å¿ é¡»å ·æ PARTY_VIEW æ PARTY_ADMIN æé</value> </property> + <property key="PartyViewName"> + <value xml:lang="en">View Name</value> + <value xml:lang="fr">Nom de la vue</value> + </property> <property key="PartyViewSegmentRoles"> <value xml:lang="de">Akteur Segment Rolle anzeigen</value> <value xml:lang="en">View Party Segment Roles</value> Modified: ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml (original) +++ ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml Wed Dec 17 12:50:11 2008 
@@ -465,7 +465,26 @@ <response name="success" type="view" value="EditUserLoginSecurityGroups"/> <response name="error" type="view" value="EditUserLoginSecurityGroups"/> </request-map> - + <request-map uri="EditSecurityGroupProtectedViews"><security https="true" auth="true"/><response name="success" type="view" value="EditSecurityGroupProtectedViews"/></request-map> + <request-map uri="addProtectedViewToSecurityGroup"> + <security https="true" auth="true"/> + <event type="service" path="" invoke="addProtectedViewToSecurityGroup"/> + <response name="success" type="view" value="EditSecurityGroupProtectedViews"/> + <response name="error" type="view" value="EditSecurityGroupProtectedViews"/> + </request-map> + <request-map uri="updateProtectedViewToSecurityGroup"> + <security https="true" auth="true"/> + <event type="service" path="" invoke="updateProtectedViewToSecurityGroup"/> + <response name="success" type="view" value="EditSecurityGroupProtectedViews"/> + <response name="error" type="view" value="EditSecurityGroupProtectedViews"/> + </request-map> + <request-map uri="removeProtectedViewFromSecurityGroup"> + <security https="true" auth="true"/> + <event type="service" path="" invoke="removeProtectedViewFromSecurityGroup"/> + <response name="success" type="view" value="EditSecurityGroupProtectedViews"/> + <response name="error" type="view" value="EditSecurityGroupProtectedViews"/> + </request-map> + <request-map uri="createnewlogin"><security https="true" auth="true"/><response name="success" type="view" value="createnewlogin"/></request-map> <request-map uri="createUserLogin"> <security https="true" auth="true"/> 
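Review bot: The new `EditSecurityGroupProtectedViews` request-map guards the screen with `auth="true"` only, while the three service-backed maps below it inherit `SECURITY_CREATE`/`_UPDATE`/`_DELETE` checks from their simple-methods; the list screen therefore shows each group's tarpit thresholds (`maxHits`, `maxHitsDuration`, `tarpitDuration`) to any authenticated partymgr user unless the `SecurityGroupDecorator` enforces a permission, and that decorator is not in this diff, so please confirm it does. The neighbouring `EditSecurityGroup*` maps appear to follow the same convention, so if they rely on the decorator this one may too, but a short comment on the request-map saying where the read permission is enforced would make that explicit.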
@@ -1170,7 +1189,8 @@ <view-map name="EditSecurityGroup" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroup"/> <view-map name="EditSecurityGroupPermissions" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupPermissions"/> <view-map name="EditSecurityGroupUserLogins" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupUserLogins"/> - + <view-map name="EditSecurityGroupProtectedViews" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupProtectedViews"/> + <view-map name="CertIssuerProvisions" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditX509IssuerProvisions"/> <view-map name="ViewCertificate" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#ViewCertificate"/> Modified: ofbiz/trunk/applications/party/widget/Menus.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/Menus.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/party/widget/Menus.xml (original) +++ ofbiz/trunk/applications/party/widget/Menus.xml Wed Dec 17 12:50:11 2008 
@@ -32,5 +32,8 @@ <menu-item name="EditSecurityGroupUserLogins" title="${uiLabelMap.PartyUserLogins}"> <link target="EditSecurityGroupUserLogins?groupId=${groupId}"/> </menu-item> + <menu-item name="EditSecurityGroupProtectedViews" title="${uiLabelMap.PartyProtectedViews}"> + <link target="EditSecurityGroupProtectedViews?groupId=${groupId}"/> + </menu-item> </menu> </menus> Modified: ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml (original) +++ ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml Wed Dec 17 12:50:11 2008 
@@ -154,7 +154,38 @@ </field> <field name="submitButton" title="${uiLabelMap.CommonAdd}"><submit button-type="button"/></field> </form> - + + <!-- SecurityGroupProtectedViews --> + <form name="ListSecurityGroupProtectedViews" type="list" list-name="securityGroupProtectedViewsList" target="updateProtectedViewToSecurityGroup" + odd-row-style="alternate-row" header-row-style="header-row-2" default-table-style="basic-table hover-bar"> + <actions> + <entity-condition entity-name="ProtectedView"> + <condition-expr field-name="groupId" env-name="groupId"/> + <order-by field-name="viewNameId"/> + </entity-condition> + </actions> + <field name="groupId"><hidden/></field> + <field name="viewNameId" title="${uiLabelMap.PartyViewName}"><display/></field> + <field name="maxHits" title="${uiLabelMap.PartyMaxHit}"><text/></field> + <field name="maxHitsDuration" title="${uiLabelMap.PartyMaxHitDuration}"><text/></field> + <field name="tarpitDuration" title="${uiLabelMap.PartyTarpitDuration}"><text/></field> + <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field> + <field name="deleteLink" title="${uiLabelMap.CommonEmptyHeader}" widget-style="buttontext"> + <hyperlink description="${uiLabelMap.CommonRemove}" target="removeProtectedViewFromSecurityGroup?groupId=${groupId}&viewNameId=${viewNameId}" also-hidden="false"/> + </field> + </form> + + <form name="AddSecurityGroupProtectedView" type="single" target="addProtectedViewToSecurityGroup" + header-row-style="header-row" default-table-style="basic-table"> + <auto-fields-service service-name="addProtectedViewToSecurityGroup"/> + <field name="groupId"><hidden/></field> + <field name="viewNameId" title="${uiLabelMap.PartyViewName}"><text size="60" maxlength="60"/></field> + <field name="maxHits" title="${uiLabelMap.PartyMaxHit}"><text size="20" maxlength="20"/></field> + <field name="maxHitsDuration" title="${uiLabelMap.PartyMaxHitDuration}"><text size="20" maxlength="20"/></field> + <field 
name="tarpitDuration" title="${uiLabelMap.PartyTarpitDuration}"><text size="20" maxlength="20"/></field> + <field name="submitButton" title="${uiLabelMap.CommonAdd}"><submit button-type="button"/></field> + </form> + <form name="CertIssuerList" type="list" list-name="issuerProvisions" odd-row-style="alternate-row" default-table-style="basic-table hover-bar"> <actions> Modified: ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml (original) +++ ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml Wed Dec 17 12:50:11 2008 
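Review bot: The `deleteLink` hyperlink in `ListSecurityGroupProtectedViews` turns a deletion into a plain GET link (`removeProtectedViewFromSecurityGroup?groupId=${groupId}&viewNameId=${viewNameId}`), so a crafted link or a prefetching browser can remove a protection rule on behalf of a logged-in security admin; a submit field posting to that request, as `submitButton` already does for the update, would avoid this. Separately, if the `&` between the two parameters is literal in the committed file rather than a display artifact, it must be `&amp;` for the form XML to parse. `ListSecurityGroupProtectedViews` is the only place the thresholds are edited, so this form is also where a `tooltip` explaining the unit (seconds) of `maxHitsDuration` and `tarpitDuration` would help, since the labels alone are the user's only guide.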
@@ -181,7 +181,29 @@ </widgets> </section> </screen> - + <screen name="EditSecurityGroupProtectedViews"> + <section> + <actions> + <set field="titleProperty" value="PartyAddProtectedViewToSecurityGroup"/> + <set field="tabButtonItem" value="EditSecurityGroupProtectedViews"/> + <set field="labelTitleProperty" value="PartyProtectedViewsForSecurityGroup"/> + + <set field="groupId" from-field="parameters.groupId"/> + <entity-one entity-name="SecurityGroup" value-name="securityGroup"/> + </actions> + <widgets> + <decorator-screen name="SecurityGroupDecorator" location="${parameters.mainDecoratorLocation}"> + <decorator-section name="body"> + <screenlet id="AddSecurityGroupProtectedViewsPanel" title="${uiLabelMap.PartyAddProtectedViewToSecurityGroup}" collapsible="true"> + <include-form name="AddSecurityGroupProtectedView" location="component://party/widget/partymgr/SecurityForms.xml"/> + </screenlet> + <include-form name="ListSecurityGroupProtectedViews" location="component://party/widget/partymgr/SecurityForms.xml"/> + </decorator-section> + </decorator-screen> + </widgets> + </section> + </screen> + <screen name="EditX509IssuerProvisions"> <section> <actions> Modified: ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml (original) +++ ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml Wed Dec 17 12:50:11 2008 
@@ -133,4 +133,43 @@ <!-- clear the org.ofbiz.security.Security object's custom cache by userLoginId --> <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(parameters.get("userLoginId")); ]]></call-bsh> </simple-method> + + <!-- ProtectedView to SecurityGroup methods --> + <simple-method method-name="addProtectedViewToSecurityGroup" short-description="Add ProtectedView To SecurityGroup"> + <check-permission permission="SECURITY" action="_CREATE"><fail-message message="Security Error: to run addProtectedViewToSecurityGroup you must have the SECURITY_CREATE or SECURITY_ADMIN permission"/></check-permission> + <check-errors/> + + <make-value value-name="newEntity" entity-name="ProtectedView"/> + <set-pk-fields map-name="parameters" value-name="newEntity"/> + <set-nonpk-fields map-name="parameters" value-name="newEntity"/> + + <create-value value-name="newEntity"/> + + <!-- clear the org.ofbiz.security.Security object's custom cache by newEntity --> + <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(newEntity); ]]></call-bsh> + </simple-method> + <simple-method method-name="updateProtectedViewToSecurityGroup" short-description="Update ProtectedView to SecurityGroup"> + <check-permission permission="SECURITY" action="_UPDATE"><fail-message message="Security Error: to run updateProtectedViewToSecurityGroup you must have the SECURITY_UPDATE or SECURITY_ADMIN permission"/></check-permission> + <check-errors/> + <make-value entity-name="ProtectedView" value-name="lookupPKMap"/> + <set-pk-fields map-name="parameters" value-name="lookupPKMap"/> + <find-by-primary-key entity-name="ProtectedView" map-name="lookupPKMap" value-name="lookedUpValue"/> + <set-nonpk-fields map-name="parameters" value-name="lookedUpValue"/> + <store-value value-name="lookedUpValue"/> + + <!-- clear the org.ofbiz.security.Security object's custom cache by lookupPKMap --> + <call-bsh><![CDATA[ 
org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(lookupPKMap); ]]></call-bsh> + </simple-method> + <simple-method method-name="removeProtectedViewFromSecurityGroup" short-description="Remove ProtectedView From SecurityGroup"> + <check-permission permission="SECURITY" action="_DELETE"><fail-message message="Security Error: to run removeProtectedViewFromSecurityGroup you must have the SECURITY_DELETE or SECURITY_ADMIN permission"/></check-permission> + <check-errors/> + + <make-value entity-name="ProtectedView" value-name="lookupPKMap"/> + <set-pk-fields map-name="parameters" value-name="lookupPKMap"/> + <find-by-primary-key entity-name="ProtectedView" map-name="lookupPKMap" value-name="lookedUpValue"/> + <remove-value value-name="lookedUpValue"/> + + <!-- clear the org.ofbiz.security.Security object's custom cache by lookupPKMap --> + <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(lookupPKMap); ]]></call-bsh> + </simple-method> </simple-methods> Modified: ofbiz/trunk/applications/securityext/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/servicedef/services.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/applications/securityext/servicedef/services.xml (original) +++ ofbiz/trunk/applications/securityext/servicedef/services.xml Wed Dec 17 12:50:11 2008 
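Review bot: The `<call-bsh>` cache clears in all three new simple-methods are no-ops: `Security.userLoginSecurityGroupByUserLoginId` is keyed by userLoginId, as the existing method above removes with `parameters.get("userLoginId")`, whereas these pass the whole `newEntity` / `lookupPKMap` GenericValue, so `remove` never matches and the comments "clear the ... cache by newEntity" / "by lookupPKMap" are misleading. Since `ProtectViewWorker` reads `UserLoginAndProtectedView`, which this commit declares `never-cache="true"`, nothing needs clearing here and the three blocks can simply be dropped. `updateProtectedViewToSecurityGroup` and `removeProtectedViewFromSecurityGroup` also use `lookedUpValue` without checking that `find-by-primary-key` found anything; an empty check that returns an error message for an unknown groupId/viewNameId pair would give callers a clear failure instead of a null-value error from `store-value` / `remove-value`.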
@@ -80,7 +80,30 @@ <attribute name="groupId" type="String" mode="IN" optional="false"/> <attribute name="fromDate" type="Timestamp" mode="IN" optional="false"/> </service> - + + <!-- ProtectedView to SecurityGroup services --> + <service name="addProtectedViewToSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="addProtectedViewToSecurityGroup" auth="true"> + <description>Add a ProtectedView to a SecurityGroup</description> + <attribute name="viewNameId" type="String" mode="IN" optional="false"/> + <attribute name="groupId" type="String" mode="IN" optional="false"/> + <attribute name="maxHits" type="Integer" mode="IN" optional="false"/> + <attribute name="maxHitsDuration" type="Long" mode="IN" optional="false"/> + <attribute name="tarpitDuration" type="Long" mode="IN" optional="false"/> + </service> + <service name="updateProtectedViewToSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="updateProtectedViewToSecurityGroup" auth="true"> + <description>Update a ProtectedView to SecurityGroup Appl</description> + <attribute name="viewNameId" type="String" mode="IN" optional="false"/> + <attribute name="groupId" type="String" mode="IN" optional="false"/> + <attribute name="maxHits" type="Integer" mode="IN" optional="false"/> + <attribute name="maxHitsDuration" type="Long" mode="IN" optional="false"/> + <attribute name="tarpitDuration" type="Long" mode="IN" optional="false"/> + </service> + <service name="removeProtectedViewFromSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="removeProtectedViewFromSecurityGroup" auth="true"> + <description>Remove a ProtectedView from a SecurityGroup</description> + <attribute name="viewNameId" type="String" mode="IN" optional="false"/> + <attribute name="groupId" type="String" mode="IN" optional="false"/> + </service> + <!-- certificate services --> 
<service name="importIssuerProvision" engine="java" auth="true" location="org.ofbiz.securityext.cert.CertificateServices" invoke="importIssuerCertificate"> Modified: ofbiz/trunk/framework/common/config/CommonUiLabels.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/config/CommonUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/framework/common/config/CommonUiLabels.xml (original) +++ ofbiz/trunk/framework/common/config/CommonUiLabels.xml Wed Dec 17 12:50:11 2008 @@ -826,6 +826,10 @@ <value xml:lang="zh">åæ¥</value> <value xml:lang="zh_CN">让å©</value> </property> + <property key="CommonViewBlocked"> + <value xml:lang="en">Access to this view has been blocked.</value> + <value xml:lang="fr">L'accès à cette page a été bloqué.</value> + </property> <property key="CommonBeLogged"> <value xml:lang="ar">دخÙÙ</value> <value xml:lang="cs">PÅihlásit</value> @@ -7640,6 +7644,10 @@ <value xml:lang="zh">æ°å»ºæ°æ®æºç±»å</value> <value xml:lang="zh_CN">å¢å æ°æ°æ®æºç±»å</value> </property> + <property key="PageTitleViewBlocked"> + <value xml:lang="en">View Blocked</value> + <value xml:lang="en">Page bloquée</value> + </property> <property key="PageTitleEditDataSource"> <value xml:lang="ar">تØرÙر ٠صدر اÙ٠عÙÙ٠ات</value> <value xml:lang="de">Datenquelle bearbeiten</value> Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original) +++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Wed Dec 17 12:50:11 2008 
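Review bot: The description of `updateProtectedViewToSecurityGroup`, `Update a ProtectedView to SecurityGroup Appl`, is a copy-paste leftover; `Update a ProtectedView of a SecurityGroup` matches the other two. `maxHits` is typed `Integer` while `maxHitsDuration` and `tarpitDuration` are `Long`, although all three entity fields are `numeric`; using one type for the three avoids a conversion in `set-nonpk-fields` and makes the Integer-vs-Long choice stop looking like a mistake. The update service marks every attribute `optional="false"`, so a caller cannot change one threshold without resending the others; that suits the list form, but is worth stating in the description.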
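Review bot: `PageTitleViewBlocked` declares two `xml:lang="en"` values and the second, `Page bloquée`, is French; it should read `<value xml:lang="fr">Page bloquée</value>`, otherwise French users get the English title and the duplicate `en` entry may shadow the intended one depending on which is read last.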
@@ -52,6 +52,7 @@ <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/> <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/> + <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/> </preprocessor> <postprocessor> <!-- Events to run on every request after all other processing (chains exempt) --> @@ -136,6 +137,10 @@ <response name="success" type="view" value="main"/> </request-map> + <request-map uri="viewBlocked"> + <response name="success" type="view" value="viewBlocked"/> + </request-map> + <!-- View Mappings --> <view-map name="error" page="/error/error.jsp"/> <view-map name="main" type="none"/> @@ -150,4 +155,6 @@ <view-map name="ajaxAutocompleteOptions" type="screen" page="component://common/widget/CommonScreens.xml#ajaxAutocompleteOptions"/> <view-map name="help" type="screen" page="component://common/widget/CommonScreens.xml#help"/> + + <view-map name="viewBlocked" type="screen" page="component://common/widget/CommonScreens.xml#viewBlocked"/> </site-conf> Added: ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl?rev=727508&view=auto ============================================================================== --- ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl (added) +++ ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl Wed Dec 17 12:50:11 2008 
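Review bot: The `viewBlocked` request-map carries no `<security>` element, unlike every partymgr request-map this commit adds (all `https="true" auth="true"`), so the blocked page is reachable over plain HTTP and without a session; as it only renders `uiLabelMap.CommonViewBlocked` plus `errorMessage` that is low-risk today, but if the error text ever names the protected view, `<security https="true"/>` is cheap insurance. The `checkProtectedView` preprocessor is placed after `checkExternalLoginKey`, which is required because the worker reads `userLogin` from the session and does nothing when it is absent; a one-line comment such as `<!-- must run after the login checks: needs userLogin in session -->` would keep a later reorder from silently disabling the protection.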
@@ -0,0 +1,32 @@
+<#--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<center>
+ <div class="screenlet login-screenlet">
+ <div class="screenlet-title-bar">
+ <h3>${uiLabelMap.CommonViewBlocked}</h3>
+ </div>
+ <div class="screenlet-body">
+ ${errorMessage?if_exists}
+ <br/>
+ </div>
+ </div>
+</center>
+
+
Modified: ofbiz/trunk/framework/common/widget/CommonScreens.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/widget/CommonScreens.xml?rev=727508&r1=727507&r2=727508&view=diff ==============================================================================
--- ofbiz/trunk/framework/common/widget/CommonScreens.xml (original)
+++ ofbiz/trunk/framework/common/widget/CommonScreens.xml Wed Dec 17 12:50:11 2008
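Review bot: `${errorMessage?if_exists}` writes the message into the page unescaped; today the value comes from the `protectedviewevents.*` property-file labels, so it is harmless, but if `errorMessage` ever carries request-derived text (the view name, for instance) this becomes an injection point, and `${errorMessage?if_exists?html}` costs nothing as long as the labels contain no markup. Style: `<center>` is a deprecated element; a CSS class on the wrapping `div` does the same job and matches the rest of the screenlet markup.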
@@ -436,4 +436,17 @@ </section> </screen> + <screen name="viewBlocked"> + <section> + <actions> + <set field="titleProperty" value="PageTitleViewBlocked"></set> + <property-map resource="CommonUiLabels" map-name="uiLabelMap" global="true"/> + </actions> + <widgets> + <platform-specific><html><html-template location="component://common/webcommon/viewBlocked.ftl"/></html></platform-specific> + <platform-specific><html><html-template location="component://common/webcommon/includes/messages.ftl"/></html></platform-specific> + </widgets> + </section> + </screen> + </screens> Modified: ofbiz/trunk/framework/security/config/security.properties URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/framework/security/config/security.properties (original) +++ ofbiz/trunk/framework/security/config/security.properties Wed Dec 17 12:50:11 2008 @@ -77,3 +77,10 @@ # -- Hours after which EmailAdressVerification should expire email_verification.expire.hours=48 + +# -- Name of the protect-view preprocessor method (this should not change, but in case...) +protect-view.preprocessor=java.org.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView + +# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java) +#default.error.response.view=none: +default.error.response.view=view:viewBlocked Modified: ofbiz/trunk/framework/security/entitydef/entitymodel.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/entitydef/entitymodel.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/framework/security/entitydef/entitymodel.xml (original) +++ ofbiz/trunk/framework/security/entitydef/entitymodel.xml Wed Dec 17 12:50:11 2008 
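Review bot: The `viewBlocked` screen renders `viewBlocked.ftl`, which already prints `${errorMessage?if_exists}`, and then `includes/messages.ftl`; if messages.ftl renders `errorMessage` as well (it is not in this diff), the blocked message appears twice, so keep the output in one of the two templates. Minor style: `<set field="titleProperty" value="PageTitleViewBlocked"></set>` can be the self-closing `<set field="titleProperty" value="PageTitleViewBlocked"/>` form.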
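Review bot: `protect-view.preprocessor` restates, in a different syntax (`java.` + class + `.` + method), the preprocessor event that common-controller.xml declares as `path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"`; if either side is edited without the other, whatever matching RequestHandler does with this value (its change is not in this view) presumably fails and the protection stops without an error. The comment "this should not change, but in case..." should say so concretely: `# Must match the checkProtectedView <event> (type.path.method) declared in the preprocessor of common-controller.xml`. The accepted forms of `default.error.response.view` (`none:` for a blank page, `view:<viewName>` for a view) deserve one line each too, since only the commented-out `none:` example documents the alternative.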
@@ -191,4 +191,44 @@ <key-map field-name="groupId"/> </relation> </entity> + <entity entity-name="ProtectedView" + package-name="org.ofbiz.security.securitygroup" + title="Security Component - Protected View Entity"> + <description>Defines views protected from data leakage</description> + <field name="groupId" type="id-ne"></field> + <field name="viewNameId" type="id-long-ne"><description>name of view to protect from data theft</description></field> + <field name="maxHits" type="numeric"><description>number of hits before tarpitting a login for a view</description></field> + <field name="maxHitsDuration" type="numeric"><description>period of time associated with maxHits (in seconds)</description></field> + <field name="tarpitDuration" type="numeric"><description>period of time a login will not be able to acces this view again (in seconds)</description></field> + <prim-key field="groupId"/> + <prim-key field="viewNameId"/> + <relation type="one" fk-name="VIEW_SECGRP_GRP" rel-entity-name="SecurityGroup"> + <key-map field-name="groupId"/> + </relation> + <relation type="many" rel-entity-name="SecurityGroupPermission"> + <key-map field-name="groupId"/> + </relation> + </entity> + <view-entity entity-name="UserLoginAndProtectedView" + package-name="org.ofbiz.security.securitygroup" + never-cache="true" + title="UserLogin And ProtectedView View Entity"> + <member-entity entity-alias="ULSGPV" entity-name="UserLoginSecurityGroup"/> + <member-entity entity-alias="PV" entity-name="ProtectedView"/> + <alias-all entity-alias="ULSGPV"/> + <alias-all entity-alias="PV"/> + <view-link entity-alias="ULSGPV" rel-entity-alias="PV"> + <key-map field-name="groupId"/> + </view-link> + </view-entity> + <entity entity-name="TarpittedLoginView" + package-name="org.ofbiz.security.securitygroup" + title="Security Component - Protected View Entity"> + <description>Login View couple currently tarpitted : any access to the view for the login is denied</description> + <field name="viewNameId" 
type="id-long-ne"><description>name of view protected from data theft</description></field> + <field name="userLoginId" type="id-ne"/> + <field name="tarpitReleaseDateTime" type="numeric"><description>Date/Time at which the login will gain anew access to the view (in milliseconds from midnight, January 1, 1970 UTC , 0 meaning no tarpit to allow the admin to free a view and to keep history</description></field> + <prim-key field="viewNameId"/> + <prim-key field="userLoginId"/> + </entity> </entitymodel> Modified: ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml (original) +++ ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml Wed Dec 17 12:50:11 2008 @@ -169,6 +169,7 @@ <property key="coreEvents.no_fields_in_session"> <value xml:lang="de">Keine 'previous fields' auf der Session gefunden</value> <value xml:lang="en">No previous fields found in session</value> + <value xml:lang="fr">Aucun champ précédent appartenant à la session</value> <value xml:lang="ru">ÐÑедÑдÑÑие Ð¿Ð¾Ð»Ñ Ð² ÑеÑÑии не найденÑ</value> <value xml:lang="th">à¹à¸¡à¹à¸à¸à¸à¹à¸à¸¡à¸¹à¸¥à¸à¹à¸à¸à¸«à¸à¹à¸²à¸à¸µà¹à¹à¸ session </value> 
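Review bot: `TarpittedLoginView` carries the title `Security Component - Protected View Entity` copied from `ProtectedView`; it should name the entity it describes, e.g. `Security Component - Tarpitted Login View Entity`. `tarpitReleaseDateTime` is a `numeric` holding milliseconds since the epoch with `0` as a "no tarpit" sentinel, which is harder to read in entity screens and SQL than a `date-time` field with null meaning "not tarpitted", and the description has `acces` for `access`. `ProtectedView` declares `<relation type="many" rel-entity-name="SecurityGroupPermission">` keyed on `groupId` alone, which does not look like a real relationship of a protected view and may be a leftover from the `SecurityGroup` entity. `UserLoginAndProtectedView` exposes `fromDate`/`thruDate` from `UserLoginSecurityGroup` via `alias-all`, but `checkProtectedView` in the Java hunk below filters only on `userLoginId` and `viewNameId`, so expired group memberships keep protecting — fail-closed, but worth stating in the view entity's description so nobody "fixes" it in the wrong direction.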
@@ -290,6 +291,14 @@ <value xml:lang="th">à¸à¸·à¹à¸à¸à¸¹à¹à¹à¸à¹à¹à¸à¹à¸à¸à¹à¸²à¸§à¹à¸²à¸ à¸à¸£à¸¸à¸à¸²à¸à¸£à¸à¸à¸à¸µà¸à¸à¸£à¸±à¹à¸</value> <value xml:lang="zh">ç¨æ·åæ¯ç©ºçï¼è¯·éæ°è¾å ¥ã</value> </property> + <property key="protectedviewevents.blocked_message"> + <value xml:lang="en">This is the blocked message (to be adapted).</value> + <value xml:lang="fr">Ceci est le message de bloquage (à adapter).</value> + </property> + <property key="protectedviewevents.tarpitted_message"> + <value xml:lang="en">This is the tarpitted message (to be adapted).</value> + <value xml:lang="fr">Ceci est le message d'engluage (à adapter).</value> + </property> <property key="requestHandler.error_call_event"> <value xml:lang="de">Fehler beim Aufruf eines Events</value> <value xml:lang="en">Error calling event</value> Added: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java?rev=727508&view=auto ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java (added) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java Wed Dec 17 12:50:11 2008 
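Review bot: Both new labels, `protectedviewevents.blocked_message` and `protectedviewevents.tarpitted_message`, ship placeholder text (`This is the blocked message (to be adapted).`) that end users will see on the `viewBlocked` page; either replace it with a real sentence or record in the commit that adapting them is a deployment step. Since the tarpitted message is shown to a user whose access has just been throttled, it should say that access is temporarily suspended without revealing the thresholds that triggered it.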
@@ -0,0 +1,141 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+package org.ofbiz.webapp.control;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import javolution.util.FastMap;
+
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilHttp;
+import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
+import org.ofbiz.base.util.UtilValidate;
+import org.ofbiz.entity.GenericDelegator;
+import org.ofbiz.entity.GenericEntityException;
+import org.ofbiz.entity.GenericValue;
+import org.ofbiz.service.ServiceUtil;
+
+/**
+ * Common Workers
+ */
+public class ProtectViewWorker {
+
+ private final static String module = ProtectViewWorker.class.getName();
+ private static final String resourceWebapp = "WebappUiLabels";
+ private static final FastMap<String, Long> hitsByViewAccessed = FastMap.newInstance();
+ private static final FastMap<String, Long> durationByViewAccessed = 
FastMap.newInstance();
+ private static final Long one = new Long(1);
+
+ /**
+ * An HTTP WebEvent handler that checks to see if an userLogin should be tarpitted
+ * The decision is made in regard of number of hits in last period of time
+ *
+ * @param request The HTTP request object for the current JSP or Servlet request.
+ * @param response The HTTP response object for the current JSP or Servlet request.
+ * @return String
+ */
+ public static String checkProtectedView(HttpServletRequest request, HttpServletResponse response) {
+ HttpSession session = request.getSession();
+ String viewNameId = RequestHandler.getRequestUri(request.getPathInfo());
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
+ GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+ String returnValue = "success";
+
+ if (userLogin != null) {
+ String userLoginId = userLogin.getString("userLoginId");
+ try {
+ List<GenericValue> protectedViews = delegator.findByAnd("UserLoginAndProtectedView",
+ UtilMisc.toMap("userLoginId", userLoginId, "viewNameId", viewNameId));
+ // Any views to deal with ?
+ if (UtilValidate.isNotEmpty(protectedViews)) {
+ Long now = System.currentTimeMillis(); // we are not in a margin of some milliseconds
+
+ // Is this login/view couple already tarpitted ? 
(ie denied access to view for login for a period of time)
+ List<GenericValue> tarpittedLoginViews = delegator.findByAnd("TarpittedLoginView",
+ UtilMisc.toMap("userLoginId", userLoginId, "viewNameId", viewNameId));
+ if (UtilValidate.isNotEmpty(tarpittedLoginViews)) {
+ GenericValue tarpittedLoginView = tarpittedLoginViews.get(0);
+ Long tarpitReleaseDateTime = (Long) tarpittedLoginView.get("tarpitReleaseDateTime");
+ if (now < tarpitReleaseDateTime) {
+ String tarpittedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.tarpitted_message", UtilHttp.getLocale(request));
+ // reset since now protected by the tarpit duration
+ hitsByViewAccessed.put(viewNameId, new Long(0));
+ return ":_protect_:" + tarpittedMessage;
+ }
+ }
+ GenericValue protectedView = protectedViews.get(0);
+ // 1st hit ?
+ if (UtilValidate.isEmpty(hitsByViewAccessed.get(viewNameId))) {
+ hitsByViewAccessed.put(viewNameId, one);
+ Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
+ durationByViewAccessed.put(viewNameId, now + maxHitsDuration);
+ } else {
+ Long maxHits = protectedView.getLong("maxHits");
+ Long maxDuration = (Long) durationByViewAccessed.get(viewNameId);
+ Long newMaxHits = (Long) hitsByViewAccessed.get(viewNameId) + one;
+ hitsByViewAccessed.put(viewNameId, newMaxHits);
+ // Are we in a period of time where we need to check if there was too much hits ?
+ if (now < maxDuration) {
+ // Too much hits ? 
+ if (newMaxHits > maxHits) { // yes : block and set tarpitReleaseDateTime
+ String blockedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.blocked_message", UtilHttp.getLocale(request));
+ returnValue = ":_protect_:" + blockedMessage;
+
+ Long tarpitDuration = (Long) protectedView.get("tarpitDuration") * 1000;
+
+ GenericValue tarpittedLoginView = delegator.makeValue("TarpittedLoginView");
+ tarpittedLoginView.set("userLoginId", userLoginId);
+ tarpittedLoginView.set("viewNameId", viewNameId);
+ tarpittedLoginView.set("tarpitReleaseDateTime", now + tarpitDuration);
+
+ try {
+ delegator.createOrStore(tarpittedLoginView);
+ } catch (GenericEntityException e) {
+ Debug.logError(e, "Could not save TarpittedLoginView:", module);
+ }
+ }
+ } else {
+ // The period of time is revolved, we begin a new one.
+ // Actually it's not a discrete process but we do as it was...
+ // We don't need precision here, a theft will be catch anyway !
+ // We could also take an average of hits in the last x periods of time as initial value,
+ // but it would does not make much more sense.
+ // Of course for this to works well the tarpitting period must be long enough... 
+ hitsByViewAccessed.put(viewNameId, one);
+ Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
+ durationByViewAccessed.put(viewNameId, now + maxHitsDuration);
+ }
+ }
+ }
+ } catch (GenericEntityException e) {
+ Map<String, String> messageMap = UtilMisc.toMap("errMessage", e.getMessage());
+ String errMsg = UtilProperties.getMessage("CommonUiLabels", "CommonDatabaseProblem", messageMap, UtilHttp.getLocale(request));
+ Debug.logError(e, errMsg, module);
+ }
+ }
+
+ return returnValue;
+ }
+}
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Wed Dec 17 12:50:11 2008
@@ -49,6 +49,7 @@
 /**
 * RequestHandler - Request Processor Object
 */
+@SuppressWarnings("serial")
 public class RequestHandler implements Serializable {
 
 public static final String module = RequestHandler.class.getName();
@@ -106,6 +107,8 @@
 }
 }
 
+ String eventReturnString = null;
+
 // Check for chained request.
 if (chain != null) {
 requestUri = RequestHandler.getRequestUri(chain);
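Review bot: The hit and window counters `hitsByViewAccessed`/`durationByViewAccessed` are keyed by `viewNameId` alone while the protection and tarpit records are looked up per `userLoginId`, so every login's hits on a view are pooled and one user can be tarpitted (and the counter reset by `hitsByViewAccessed.put(viewNameId, new Long(0))`) because of other users' traffic; derive one key such as `String hitKey = userLoginId + "|" + viewNameId;` and use it in every get/put on both maps. The `maxHitsDuration`, `maxHits` and `tarpitDuration` columns are unboxed through `(Long)` casts and `* 1000`, so a ProtectedView row with one of them unset throws a NullPointerException out of the pre-processor instead of the logged GenericEntityException path. The outer `catch (GenericEntityException e)` logs and still returns "success", so a database failure serves the protected view; if failing open is intended, a comment saying so would help, otherwise return the blocked marker there too. The two static FastMaps are shared across all request threads and each branch does a get followed by a put, so a comment on what concurrency guarantee FastMap gives that sequence would be worthwhile; `ServiceUtil` is imported but unused.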
@@ -217,7 +220,17 @@
 try {
 String returnString = this.runEvent(request, response, eType, ePath, eMeth);
 if (returnString != null && !returnString.equalsIgnoreCase("success")) {
- throw new EventHandlerException("Pre-Processor event did not return 'success'.");
+ if (!returnString.contains(":_protect_:")) {
+ throw new EventHandlerException("Pre-Processor event did not return 'success'.");
+ } else { // protect the view normally rendered and redirect to error response view
+ returnString = returnString.replace(":_protect_:", "");
+ request.setAttribute("_ERROR_MESSAGE_", returnString);
+ eventReturnString = "protect";
+ // check to see if there is an "protect" response, if so it's ok else show the default_error_response_view
+ if (null == requestManager.getRequestAttribute(requestUri, "protect")) {
+ nextView = UtilProperties.getPropertyValue("security.properties", "default.error.response.view");
+ }
+ }
 } else if (returnString == null) {
 nextView = "none:";
 }
@@ -238,7 +251,6 @@
 if (Debug.infoOn()) Debug.logInfo("[Processing Request]: " + requestUri + " sessionId=" + UtilHttp.getSessionId(request), module);
 request.setAttribute("thisRequestUri", requestUri); // store the actual request URI
 
- String eventReturnString = null;
 
 // Perform security check.
 if (requestManager.requiresAuth(requestUri)) {
@@ -295,7 +307,7 @@
 String errMsg = UtilProperties.getMessage(RequestHandler.err_resource, "requestHandler.error_call_event", locale);
 request.setAttribute("_ERROR_MESSAGE_", errMsg + ": " + e.toString());
 } else {
- throw new RequestHandlerException("Error calling event and no error repsonse was specified", e);
+ throw new RequestHandlerException("Error calling event and no error response was specified", e);
 }
 }
 }
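Review bot: The sentinel test `if (!returnString.contains(":_protect_:"))` accepts the marker anywhere in a pre-processor's return string and `replace` strips every occurrence, whereas ProtectViewWorker in this same commit always emits it as a prefix; `if (!returnString.startsWith(":_protect_:"))` together with `returnString = returnString.substring(":_protect_:".length());` is the tighter form and keeps an unrelated event's return value from being read as a protect response. The literal `":_protect_:"` now lives in two classes; a shared constant such as `public static final String PROTECT_MARKER = ":_protect_:";` on RequestHandler would keep them in step. The method this hunk belongs to starts and ends outside the hunk, so how `eventReturnString = "protect"` is consumed after the pre-processor loop cannot be checked here; the "protect" response looked up through `requestManager.getRequestAttribute(requestUri, "protect")` deserves a comment at the declaration of `eventReturnString` added in the @@ -106 hunk, naming that response and the `default.error.response.view` fallback.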
@@ -524,6 +536,7 @@
 return nextPage;
 }
 
+ @SuppressWarnings("unchecked")
 private void callRedirect(String url, HttpServletResponse resp, HttpServletRequest req) throws RequestHandlerException {
 if (Debug.infoOn()) Debug.logInfo("[Sending redirect]: " + url + " sessionId=" + UtilHttp.getSessionId(req), module);
 // set the attributes in the session so we can access it.
@@ -908,5 +921,5 @@
 } else {
 return false;
 }
- }
+ }
 }
|