svn commit: r789490 - in /ofbiz/trunk: applications/workeffort/src/or
Locked
svn commit: r789490 - in /ofbiz/trunk: applications/workeffort/src/or
 
|
Author: adrianc
Date: Mon Jun 29 23:28:37 2009 New Revision: 789490 URL: http://svn.apache.org/viewvc?rev=789490&view=rev Log: More iCalendar improvements. Added HTTP challenge/response authentication, enforce SSL. Modified: ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalConverter.java ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalWorker.java ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/webdav/WebDavUtil.java Modified: ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalConverter.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalConverter.java?rev=789490&r1=789489&r2=789490&view=diff ============================================================================== --- ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalConverter.java (original) +++ ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalConverter.java Mon Jun 29 23:28:37 2009 @@ -360,8 +360,13 @@ Debug.logInfo("WorkEffort calendar is not published: " + workEffortId, module); return ICalWorker.createNotFoundResponse(null); } - if (!"WES_PUBLIC".equals(publishProperties.get("scopeEnumId")) && !hasPermission(workEffortId, "VIEW", context)) { - return ICalWorker.createNotFoundResponse(null); + if (!"WES_PUBLIC".equals(publishProperties.get("scopeEnumId"))) { + if (context.get("userLogin") == null) { + return ICalWorker.createNotAuthorizedResponse(null); + } + if (!hasPermission(workEffortId, "VIEW", context)) { + return ICalWorker.createForbiddenResponse(null); + } } Calendar calendar = makeCalendar(publishProperties, context); ComponentList components = calendar.getComponents(); @@ -677,9 +682,12 @@ Debug.logInfo("WorkEffort calendar is not published: " + workEffortId, module); return ICalWorker.createNotFoundResponse(null); } - if (!hasPermission(workEffortId, "UPDATE", context)) { + if (context.get("userLogin") == null) { return ICalWorker.createNotAuthorizedResponse(null); } + if (!hasPermission(workEffortId, "UPDATE", context)) { + return ICalWorker.createForbiddenResponse(null); + } boolean hasCreatePermission = hasPermission(workEffortId, "CREATE", context); List<GenericValue> workEfforts = getRelatedWorkEfforts(publishProperties, context); if (workEfforts != null && workEfforts.size() > 0) { @@ -788,7 +796,7 @@ return ICalWorker.createNotFoundResponse(null); } if (!hasPermission(workEffortId, "UPDATE", context)) { - return ICalWorker.createNotAuthorizedResponse(null); + return null; } Map<String, Object> serviceMap = FastMap.newInstance(); serviceMap.put("workEffortId", workEffortId); Modified: ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalWorker.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalWorker.java?rev=789490&r1=789489&r2=789490&view=diff ============================================================================== --- ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalWorker.java (original) +++ ofbiz/trunk/applications/workeffort/src/org/ofbiz/workeffort/workeffort/ICalWorker.java Mon Jun 29 23:28:37 2009 @@ -41,15 +41,13 @@ import org.ofbiz.base.util.Debug; import org.ofbiz.base.util.UtilHttp; import org.ofbiz.base.util.UtilJ2eeCompat; -import org.ofbiz.base.util.UtilMisc; -import org.ofbiz.base.util.UtilProperties; import org.ofbiz.base.util.UtilValidate; import org.ofbiz.base.util.UtilXml; import org.ofbiz.entity.GenericEntityException; import org.ofbiz.entity.GenericValue; import org.ofbiz.service.GenericServiceException; import org.ofbiz.service.LocalDispatcher; -import org.ofbiz.service.ModelService; +import org.ofbiz.service.ServiceUtil; import org.ofbiz.webapp.stats.VisitHandler; import org.ofbiz.webapp.webdav.PropFindHelper; import org.ofbiz.webapp.webdav.ResponseHelper; @@ -118,13 +116,10 @@ } public static void handleGetRequest(HttpServletRequest request, HttpServletResponse response, ServletContext context) throws ServletException, IOException { - setupRequest(request, response); - String workEffortId = (String) request.getAttribute("workEffortId"); - if (workEffortId == null) { - Debug.logInfo("[handleGetRequest] workEffortId missing", module); - response.sendError(HttpServletResponse.SC_BAD_REQUEST); + if (!isValidRequest(request, response)) { return; } + String workEffortId = (String) request.getAttribute("workEffortId"); Debug.logInfo("[handleGetRequest] workEffortId = " + workEffortId, module); ResponseProperties responseProps = null; try { @@ -137,17 +132,14 @@ if (responseProps.statusCode == HttpServletResponse.SC_OK) { response.setContentType("text/calendar"); } - writeResponse(responseProps, response, context); + writeResponse(responseProps, request, response, context); } public static void handlePropFindRequest(HttpServletRequest request, HttpServletResponse response, ServletContext context) throws ServletException, IOException { - setupRequest(request, response); - String workEffortId = (String) request.getAttribute("workEffortId"); - if (workEffortId == null) { - Debug.logInfo("[handlePropFindRequest] workEffortId missing", module); - response.sendError(HttpServletResponse.SC_BAD_REQUEST); + if (!isValidRequest(request, response)) { return; } + String workEffortId = (String) request.getAttribute("workEffortId"); Debug.logInfo("[handlePropFindRequest] workEffortId = " + workEffortId, module); try { Document requestDocument = WebDavUtil.getDocumentFromRequest(request); @@ -208,20 +200,16 @@ } public static void handlePutRequest(HttpServletRequest request, HttpServletResponse response, ServletContext context) throws ServletException, IOException { + if (!isValidRequest(request, response)) { + return; + } String contentType = request.getContentType(); - Debug.logInfo("[handlePutRequest] content type = " + contentType, module); if (contentType != null && !"text/calendar".equals(contentType)) { Debug.logInfo("[handlePutRequest] invalid content type", module); response.sendError(HttpServletResponse.SC_CONFLICT); return; } - setupRequest(request, response); String workEffortId = (String) request.getAttribute("workEffortId"); - if (workEffortId == null) { - Debug.logInfo("[handlePutRequest] workEffortId missing", module); - response.sendError(HttpServletResponse.SC_BAD_REQUEST); - return; - } Debug.logInfo("[handlePutRequest] workEffortId = " + workEffortId, module); ResponseProperties responseProps = null; try { @@ -231,37 +219,50 @@ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } - writeResponse(responseProps, response, context); + writeResponse(responseProps, request, response, context); } - protected static void logInUser(HttpServletRequest request, HttpServletResponse response) throws GenericServiceException, GenericEntityException { - GenericValue userLogin = null; - String username = request.getParameter("USERNAME"); - String password = request.getParameter("PASSWORD"); - if (UtilValidate.isEmpty(username) || UtilValidate.isEmpty(password)) { - return; + protected static boolean isValidRequest(HttpServletRequest request, HttpServletResponse response) throws IOException { + if (!request.isSecure()) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST); + return false; } - if ("true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "username.lowercase"))) { - username = username.toLowerCase(); + setupRequest(request, response); + String workEffortId = (String) request.getAttribute("workEffortId"); + if (workEffortId == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST); + return false; } - if ("true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "password.lowercase"))) { - password = password.toLowerCase(); + return true; + } + + @SuppressWarnings("unchecked") + protected static void logInUser(HttpServletRequest request, HttpServletResponse response) throws GenericServiceException, GenericEntityException { + Map<String, Object> serviceMap = (Map<String, Object>) WebDavUtil.getCredentialsFromRequest(request); + if (serviceMap == null) { + return; } + serviceMap.put("locale", UtilHttp.getLocale(request)); + GenericValue userLogin = null; HttpSession session = request.getSession(); LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher"); - Map<String, Object> result = dispatcher.runSync("userLogin", UtilMisc.toMap("login.username", username, "login.password", password, "locale", UtilHttp.getLocale(request))); - if (ModelService.RESPOND_SUCCESS.equals(result.get(ModelService.RESPONSE_MESSAGE))) { - userLogin = (GenericValue) result.get("userLogin"); - request.setAttribute("userLogin", userLogin); - session.setAttribute("userLogin", userLogin); - VisitHandler.getVisitor(request, response); - } else { + Map<String, Object> result = dispatcher.runSync("userLogin", serviceMap); + if (ServiceUtil.isError(result) || ServiceUtil.isFailure(result)) { return; } + userLogin = (GenericValue) result.get("userLogin"); + request.setAttribute("userLogin", userLogin); + session.setAttribute("userLogin", userLogin); + VisitHandler.getVisitor(request, response); GenericValue person = userLogin.getRelatedOne("Person"); - GenericValue partyGroup = userLogin.getRelatedOne("PartyGroup"); - if (person != null) request.setAttribute("person", person); - if (partyGroup != null) request.setAttribute("partyGroup", partyGroup); + if (person != null) { + request.setAttribute("person", person); + } else { + GenericValue partyGroup = userLogin.getRelatedOne("PartyGroup"); + if (partyGroup != null) { + request.setAttribute("partyGroup", partyGroup); + } + } } protected static void setupRequest(HttpServletRequest request, HttpServletResponse response) { @@ -284,12 +285,15 @@ } } - protected static void writeResponse(ResponseProperties responseProps, HttpServletResponse response, ServletContext context) throws IOException { + protected static void writeResponse(ResponseProperties responseProps, HttpServletRequest request, HttpServletResponse response, ServletContext context) throws IOException { if (Debug.verboseOn()) { Debug.logVerbose("Returning response: code = " + responseProps.statusCode + ", message = " + responseProps.statusMessage, module); } response.setStatus(responseProps.statusCode); + if (responseProps.statusCode == HttpServletResponse.SC_UNAUTHORIZED) { + response.setHeader("WWW-Authenticate", "Basic realm=\"OFBiz iCalendar " + request.getAttribute("workEffortId") + "\""); + } if (responseProps.statusMessage != null) { Writer writer = getWriter(response, context); try { Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/webdav/WebDavUtil.java URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/webdav/WebDavUtil.java?rev=789490&r1=789489&r2=789490&view=diff ============================================================================== --- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/webdav/WebDavUtil.java (original) +++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/webdav/WebDavUtil.java Mon Jun 29 23:28:37 2009 @@ -23,11 +23,18 @@ import java.text.DateFormat; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.Map; import java.util.TimeZone; import javax.servlet.http.HttpServletRequest; import javax.xml.parsers.ParserConfigurationException; +import javolution.util.FastMap; + +import org.ofbiz.base.util.Base64; +import org.ofbiz.base.util.Debug; +import org.ofbiz.base.util.UtilProperties; +import org.ofbiz.base.util.UtilValidate; import org.ofbiz.base.util.UtilXml; import org.w3c.dom.Document; import org.xml.sax.SAXException; @@ -35,6 +42,7 @@ /** Utility methods needed to implement a WebDAV servlet. */ public class WebDavUtil { + public static final String module = WebDavUtil.class.getName(); public static final TimeZone GMT_TIMEZONE = TimeZone.getTimeZone("GMT"); public static final String RFC1123_DATE_FORMAT = "EEE, dd MMM yyyy HH:mm:ss zzz"; @@ -51,4 +59,44 @@ return document; } + /** Returns a <code>Map</code> containing user credentials found in the request. Returns + * <code>null</code> if no user credentials were found. The returned <code>Map</code> is + * intended to be used as parameters for the <code>userLogin</code> service. <p>The method + * checks for the request parameters <code>USERNAME</code> and <code>PASSWORD</code>. If + * those aren't found, then the request is checked for the HTTP Authorization header. + * Currently, only Basic authorization is supported.</p> + * + * @param request + * @return A <code>Map</code> containing <code>login.username</code> and + * <code>login.password</code> elements. + */ + public static Map<String, Object> getCredentialsFromRequest(HttpServletRequest request) { + String username = request.getParameter("USERNAME"); + String password = request.getParameter("PASSWORD"); + if (UtilValidate.isEmpty(username) || UtilValidate.isEmpty(password)) { + String credentials = request.getHeader("Authorization"); + if (credentials != null && credentials.startsWith("Basic ")) { + credentials = Base64.base64Decode(credentials.replace("Basic ", "")); + Debug.logVerbose("Found HTTP Basic credentials", module); + String[] parts = credentials.split(":"); + if (parts.length < 2) { + return null; + } + username = parts[0]; + password = parts[1]; + } else { + return null; + } + } + if ("true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "username.lowercase"))) { + username = username.toLowerCase(); + } + if ("true".equalsIgnoreCase(UtilProperties.getPropertyValue("security.properties", "password.lowercase"))) { + password = password.toLowerCase(); + } + Map<String, Object> result = FastMap.newInstance(); + result.put("login.username", username); + result.put("login.password", password); + return result; + } } |
«
Return to OFBiz - Commits
|
1 view|%1 views
| Free forum by Nabble | Edit this page |