
Example 11 with SecuritySession

use of org.apache.archiva.redback.system.SecuritySession in project archiva by apache.

the class SecuritySystemStub method authenticate.

@Override
public SecuritySession authenticate(AuthenticationDataSource source) throws AuthenticationException, UserNotFoundException, AccountLockedException {
    // Test stub: a principal counts as authenticated merely by being present in the users map.
    // NOTE(review): only the username is read from `source`; no password comparison is performed
    // here, so this stub must never back a non-test SecuritySystem.
    String principal = source.getUsername();
    String storedPassword = users.get(principal);
    if (storedPassword == null) {
        // Unknown principal: failed result, no User attached to the session.
        AuthenticationResult failed = new AuthenticationResult(false, principal, null);
        return new DefaultSecuritySession(failed);
    }
    // Known principal: build a transient JpaUser carrying the stub's stored credential.
    User user = new JpaUser();
    user.setUsername(principal);
    user.setPassword(storedPassword);
    AuthenticationResult succeeded = new AuthenticationResult(true, principal, null);
    return new DefaultSecuritySession(succeeded, user);
}

Example 12 with SecuritySession

use of org.apache.archiva.redback.system.SecuritySession in project archiva by apache.

the class ArchivaDavResourceFactory method isAuthorized.

protected boolean isAuthorized(DavServletRequest request, String repositoryId) throws DavException {
    try {
        AuthenticationResult authResult = httpAuth.getAuthenticationResult(request, null);
        // getSession(true) creates an HTTP session for every WebDAV request that reaches this point.
        SecuritySession session = httpAuth.getSecuritySession(request.getSession(true));
        if (!servletAuth.isAuthenticated(request, authResult)) {
            return false;
        }
        // Permission is derived from the HTTP method (read vs. delete vs. upload).
        String permission = WebdavMethodUtil.getMethodPermission(request.getMethod());
        return servletAuth.isAuthorized(request, session, repositoryId, permission);
    } catch (AuthenticationException e) {
        // MRM-911 safety net: credentials that cannot be authenticated are treated as anonymous,
        // and the request still succeeds if the guest account holds the required permission.
        // NOTE(review): this branch resolves the repository from the request locator rather than
        // the repositoryId parameter — confirm the two always agree.
        String guest = UserManager.GUEST_USERNAME;
        String locatorRepoId = ((ArchivaDavResourceLocator) request.getRequestLocator()).getRepositoryId();
        String permission = WebdavMethodUtil.getMethodPermission(request.getMethod());
        boolean guestAllowed;
        try {
            guestAllowed = servletAuth.isAuthorized(guest, locatorRepoId, permission);
        } catch (UnauthorizedException ae) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated and authorized to access any repository.");
        }
        if (!guestAllowed) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated");
        }
        return true;
    } catch (MustChangePasswordException e) {
        throw new UnauthorizedDavException(repositoryId, "You must change your password.");
    } catch (AccountLockedException e) {
        throw new UnauthorizedDavException(repositoryId, "User account is locked.");
    } catch (AuthorizationException e) {
        // A failure inside the authorization subsystem is a server fault, not a client one.
        throw new DavException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Fatal Authorization Subsystem Error.");
    } catch (UnauthorizedException e) {
        throw new UnauthorizedDavException(repositoryId, e.getMessage());
    }
}

Example 13 with SecuritySession

use of org.apache.archiva.redback.system.SecuritySession in project archiva by apache.

the class RssFeedServlet method isAllowed.

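/**
 * Basic-authentication gate for the feed.
 * <p>
 * Builds the list of candidate repositories (the explicit {@code repositoryId}, or — for artifact
 * coordinates — the repositories observable by the username named in the {@code Authorization}
 * header, falling back to the guest account) and grants access as soon as the caller is
 * authenticated and holds {@link ArchivaRoleConstants#OPERATION_REPOSITORY_ACCESS} on one of them.
 * <p>
 * The username taken from the header is <em>not</em> verified at that point; it only narrows the
 * candidate set. Every candidate is still checked against the authenticated session below, so a
 * forged header cannot widen access.
 *
 * @param req          incoming request; its {@code Authorization} header is inspected
 * @param repositoryId explicit repository id, or {@code null} to derive candidates from the artifact
 * @param groupId      artifact group id, consulted only when {@code repositoryId} is {@code null}
 * @param artifactId   artifact id, consulted only when {@code repositoryId} is {@code null}
 * @return {@code true} if access is granted to at least one candidate repository; {@code false} if the
 *         header uses a scheme other than Basic, or neither a repository id nor full artifact
 *         coordinates were supplied
 * @throws UnauthorizedException if no candidate repository grants access
 */
private boolean isAllowed(HttpServletRequest req, String repositoryId, String groupId, String artifactId) throws UserNotFoundException, AccountLockedException, AuthenticationException, MustChangePasswordException, UnauthorizedException {
    String auth = req.getHeader("Authorization");
    List<String> repoIds = new ArrayList<>();
    if (repositoryId != null) {
        repoIds.add(repositoryId);
    } else if (artifactId != null && groupId != null) {
        if (auth != null) {
            // Locale-independent prefix check. String.toUpperCase() without a Locale depends on the
            // JVM default locale (e.g. a Turkish default maps "i" to a dotted capital), which would
            // reject a lower-case "basic " scheme.
            if (!auth.regionMatches(true, 0, "Basic ", 0, 6)) {
                return false;
            }
            repoIds = getObservableRepos(claimedUsername(auth.substring(6)));
        } else {
            repoIds = getObservableRepos(UserManager.GUEST_USERNAME);
        }
    } else {
        return false;
    }
    if (repoIds.isEmpty()) {
        // Nothing to check; preserves the pre-authentication "Access denied." of the original.
        throw new UnauthorizedException("Access denied.");
    }
    // Authenticate once per request rather than once per candidate repository.
    AuthenticationResult result = httpAuth.getAuthenticationResult(req, null);
    SecuritySession securitySession = httpAuth.getSecuritySession(req.getSession(true));
    if (servletAuth.isAuthenticated(req, result)) {
        for (String repoId : repoIds) {
            try {
                if (servletAuth.isAuthorized(req, securitySession, repoId, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS)) {
                    return true;
                }
            } catch (AuthorizationException e) {
                log.debug("AuthorizationException for repoId: {}", repoId);
            } catch (UnauthorizedException e) {
                log.debug("UnauthorizedException for repoId: {}", repoId);
            }
        }
    }
    throw new UnauthorizedException("Access denied.");
}

/**
 * Extracts the username from the Base64 payload of a Basic {@code Authorization} header.
 * <p>
 * The payload is decoded with the platform default charset (unchanged from the original code), so
 * non-ASCII usernames depend on the JVM's {@code file.encoding}. A payload that fails to decode, or
 * decodes to blank, maps to the guest account. The separator is located with {@code indexOf} rather
 * than {@code split(":")}: {@code ":".split(":")} yields an empty array, so the old
 * {@code split(":")[0]} threw {@link ArrayIndexOutOfBoundsException} (an HTTP 500) for a payload of
 * {@code ":"} or {@code "::"} sent by an unauthenticated client.
 *
 * @param encodedCredentials the header value with the {@code "Basic "} prefix already stripped
 * @return the claimed username ({@code ""} when the payload starts with {@code ':'}), or the guest
 *         username when the payload is undecodable or blank
 */
private String claimedUsername(String encodedCredentials) {
    Decoder dec = new Base64();
    String usernamePassword = "";
    try {
        usernamePassword = new String((byte[]) dec.decode(encodedCredentials.getBytes()));
    } catch (DecoderException ie) {
        log.warn("Error decoding username and password: {}", ie.getMessage());
    }
    if (usernamePassword.trim().isEmpty()) {
        return UserManager.GUEST_USERNAME;
    }
    int sep = usernamePassword.indexOf(':');
    return sep < 0 ? usernamePassword : usernamePassword.substring(0, sep);
}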

Example 14 with SecuritySession

use of org.apache.archiva.redback.system.SecuritySession in project archiva by apache.

the class DefaultUserRepositories method getAccessibleRepositories.

private List<ManagedRepository> getAccessibleRepositories(String principal, String operation) throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException {
    // Session creation stays outside the try: its declared exceptions propagate unchanged.
    SecuritySession session = createSession(principal);
    List<ManagedRepository> candidates;
    try {
        candidates = managedRepositoryAdmin.getManagedRepositories();
    } catch (RepositoryAdminException e) {
        // Surface admin-layer failures as a security exception, keeping the cause.
        throw new ArchivaSecurityException(e.getMessage(), e);
    }
    List<ManagedRepository> accessible = new ArrayList<>();
    for (ManagedRepository candidate : candidates) {
        String repoId = candidate.getId();
        try {
            if (securitySystem.isAuthorized(session, operation, repoId)) {
                accessible.add(candidate);
            }
        } catch (AuthorizationException e) {
            // Deliberately swallowed: an authorization error for one repository simply excludes it.
            log.debug("Not authorizing '{}' for repository '{}': {}", principal, repoId, e.getMessage());
        }
    }
    return accessible;
}

Example 15 with SecuritySession

use of org.apache.archiva.redback.system.SecuritySession in project archiva by apache.

the class ArchivaServletAuthenticatorTest method testIsAuthorizedUserHasWriteAccess.

@Test
public void testIsAuthorizedUserHasWriteAccess() throws Exception {
    // Arrange: a user holding the repository-manager role on the "corporate" repository.
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    assignRepositoryManagerRole(USER_ALPACA, "corporate");
    User alpaca = securitySystem.getUserManager().findUser(USER_ALPACA);
    AuthenticationResult authenticated = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession session = new DefaultSecuritySession(authenticated, alpaca);
    // Act / assert: the repository-manager role must grant upload on that repository.
    boolean canUpload = servletAuth.isAuthorized(request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD);
    assertTrue(canUpload);
    // NOTE(review): cleanup is not in a finally block, so a failed assertion leaves the user in place.
    restoreGuestInitialValues(USER_ALPACA);
}
