use of org.apache.shiro.subject.Subject in project ddf by codice.
the class NotificationController method deletePersistentNotification.
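@Listener("/notification/action")
public void deletePersistentNotification(ServerSession serverSession, ServerMessage serverMessage) {
    // Handles "/notification/action" messages: every entry in the message's "data" array
    // with action "remove" is deleted from the persistent store by its "id".
    // Throws IllegalArgumentException for a null session/message, missing data, a null
    // action or id, an id that cannot be safely placed in the query, or a failed delete.
    LOGGER.debug("\nServerSession: {}\nServerMessage: {}", serverSession, serverMessage);
    if (null == serverSession) {
        throw new IllegalArgumentException("ServerSession is null");
    }
    if (null == serverMessage) {
        throw new IllegalArgumentException("ServerMessage is null");
    }
    Subject subject = null;
    try {
        subject = SecurityUtils.getSubject();
    } catch (Exception e) {
        // Best effort: a missing Shiro subject is tolerated and getUserId decides what to do with null.
        LOGGER.debug("Couldn't grab user subject from Shiro.", e);
    }
    // NOTE(review): userId is resolved but never used to scope the delete below, so any client
    // that knows (or guesses) a notification id can remove it regardless of who owns it.
    // Restricting the query to the caller's own notifications needs the store's field names,
    // which are not visible here — confirm against the notification schema.
    String userId = getUserId(serverSession, subject);
    Map<String, Object> dataAsMap = serverMessage.getDataAsMap();
    if (dataAsMap == null) {
        throw new IllegalArgumentException("Server Message is null.");
    }
    Object[] notifications = (Object[]) dataAsMap.get("data");
    if (notifications == null) {
        // Original code would NPE on the for-loop; reject explicitly instead.
        throw new IllegalArgumentException("Message data is null.");
    }
    for (Object notificationObject : notifications) {
        Map notification = (Map) notificationObject;
        String id = (String) notification.get("id");
        String action = (String) notification.get("action");
        if (action == null) {
            throw new IllegalArgumentException("Message action is null.");
        }
        if (!"remove".equals(action)) {
            continue;
        }
        //You can have a blank id for guest
        if (id == null) {
            throw new IllegalArgumentException("Message id is null");
        }
        // The id is client-controlled and is interpolated into a quoted query literal. A single
        // quote would let the caller break out of the literal and widen the delete, so refuse it
        // rather than trust the store's escaping rules (which are not visible here).
        if (id.indexOf('\'') >= 0) {
            throw new IllegalArgumentException("Message id contains an illegal character");
        }
        try {
            this.persistentStore.delete(PersistentStore.NOTIFICATION_TYPE, "id = '" + id + "'");
        } catch (PersistenceException e) {
            // Keep the cause so the store failure is not lost from the stack trace.
            throw new IllegalArgumentException("Unable to delete notification with id = " + id, e);
        }
    }
}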
use of org.apache.shiro.subject.Subject in project ddf by codice.
the class AuthorizationFilter method doFilter.
@SuppressWarnings("PackageAccessibility")
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Authorizes the request against the ContextPolicy registered for its URI.
    // Denies (returnNotAuthorized) when no policy or no subject can be resolved, or when the
    // policy's attribute permissions are non-empty and the subject does not hold them.
    // A request carrying the NO_AUTH_POLICY attribute bypasses the check entirely.
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    if (request.getAttribute(ContextPolicy.NO_AUTH_POLICY) != null) {
        LOGGER.debug("NO_AUTH_POLICY header was found, skipping authorization filter.");
        chain.doFilter(request, response);
        return;
    }

    Subject subject = null;
    try {
        subject = SecurityUtils.getSubject();
    } catch (Exception e) {
        // Best effort: a null subject below is treated as "not permitted".
        LOGGER.debug("Unable to retrieve user from request.", e);
    }

    final String path = httpRequest.getRequestURI();
    ContextPolicy policy = contextPolicyManager.getContextPolicy(path);
    if (policy == null || subject == null) {
        // Fail closed: without a policy or a subject nothing can be authorized.
        LOGGER.warn("Unable to determine policy for path {}. User is not permitted to continue. Check policy configuration!", path);
        rejectUnauthorized(httpResponse, path);
        return;
    }

    CollectionPermission permissions = policy.getAllowedAttributePermissions();
    // An empty permission set imposes no attribute requirement, so the subject passes.
    boolean permitted = permissions.isEmpty() || subject.isPermitted(permissions);
    if (!permitted) {
        rejectUnauthorized(httpResponse, path);
        return;
    }

    if (!permissions.isEmpty()) {
        SecurityLogger.audit("Subject is authorized to view resource {}", path);
    }
    LOGGER.debug("Subject is authorized!");
    chain.doFilter(request, response);
}

// Records the denial in the security audit log and writes the not-authorized response.
private void rejectUnauthorized(HttpServletResponse httpResponse, String path) {
    SecurityLogger.audit("Subject not authorized to view resource {}", path);
    LOGGER.debug("Subject not authorized.");
    returnNotAuthorized(httpResponse);
}
use of org.apache.shiro.subject.Subject in project ddf by codice.
the class FilterPlugin method processPreCreate.
@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
    // Pre-create guard: each metacard's SECURITY attribute must grant CREATE to both the
    // requesting subject and the system subject. Collects the titles of every metacard that
    // fails and aborts with StopProcessingException (user failures reported first).
    KeyValueCollectionPermission createPermission = new KeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
    List<Metacard> metacards = input.getMetacards();
    Subject user = getSubject(input);
    Subject system = getSystemSubject();
    List<String> deniedForUser = new ArrayList<>();
    List<String> deniedForSystem = new ArrayList<>();

    for (Metacard card : metacards) {
        Attribute security = card.getAttribute(Metacard.SECURITY);
        boolean userAllowed = checkPermissions(security, createPermission, user, CollectionPermission.CREATE_ACTION);
        if (!userAllowed) {
            deniedForUser.add(card.getTitle());
        }
        boolean systemAllowed = checkPermissions(security, createPermission, system, CollectionPermission.CREATE_ACTION);
        if (!systemAllowed) {
            deniedForSystem.add(card.getTitle());
        }
    }

    if (!deniedForUser.isEmpty()) {
        throw new StopProcessingException("Metacard creation not permitted for " + SubjectUtils.getName(user) + ": [ " + listToString(deniedForUser) + " ]");
    }
    if (!deniedForSystem.isEmpty()) {
        throw new StopProcessingException("Metacard creation not permitted for this system: [ " + listToString(deniedForSystem) + " ]");
    }
    return input;
}
use of org.apache.shiro.subject.Subject in project ddf by codice.
the class FilterPlugin method processPostQuery.
@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
    // Post-query filter: results whose metacard SECURITY attribute does not grant READ to the
    // requesting subject are handed to the registered FilterStrategies; the first strategy that
    // reports processed() decides whether a (possibly redacted) metacard is kept. Metacards the
    // subject may read pass through untouched. The response's result list is rewritten in place.
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
    }
    Subject subject = getSubject(input);
    List<Result> original = input.getResults();
    List<Result> kept = new ArrayList<>(original.size());
    KeyValueCollectionPermission readPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int withheld = 0;

    for (Result result : original) {
        Metacard card = result.getMetacard();
        Attribute security = card.getAttribute(Metacard.SECURITY);
        boolean readable = checkPermissions(security, readPermission, subject, CollectionPermission.READ_ACTION);
        if (readable) {
            kept.add(result);
            continue;
        }
        // Counted as filtered even if a strategy later substitutes a redacted metacard.
        withheld++;
        for (FilterStrategy strategy : filterStrategies.values()) {
            FilterResult outcome = strategy.process(input, card);
            if (!outcome.processed()) {
                continue;
            }
            Metacard replacement = outcome.metacard();
            if (replacement != null) {
                kept.add(new ResultImpl(replacement));
            }
            //returned responses are ignored for queries
            break;
        }
    }

    if (withheld > 0) {
        SecurityLogger.audit("Filtered " + withheld + " metacards, returned " + kept.size(), subject);
    }
    input.getResults().clear();
    input.getResults().addAll(kept);
    return input;
}
use of org.apache.shiro.subject.Subject in project ddf by codice.
the class FilterPlugin method processPostDelete.
@Override
public DeleteResponse processPostDelete(DeleteResponse input) throws StopProcessingException {
    // Post-delete filter: mirrors processPostQuery for the deleted-metacard list. Metacards whose
    // SECURITY attribute does not grant READ to the requesting subject go through the
    // FilterStrategies (first processed() wins); readable ones pass through. The response's
    // deleted-metacard list is rewritten in place.
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
    }
    Subject subject = getSubject(input);
    List<Metacard> deleted = input.getDeletedMetacards();
    List<Metacard> kept = new ArrayList<>(deleted.size());
    KeyValueCollectionPermission readPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int withheld = 0;

    for (Metacard card : deleted) {
        Attribute security = card.getAttribute(Metacard.SECURITY);
        boolean readable = checkPermissions(security, readPermission, subject, CollectionPermission.READ_ACTION);
        if (readable) {
            kept.add(card);
            continue;
        }
        // Counted as filtered even if a strategy later substitutes a redacted metacard.
        withheld++;
        for (FilterStrategy strategy : filterStrategies.values()) {
            FilterResult outcome = strategy.process(input, card);
            if (!outcome.processed()) {
                continue;
            }
            Metacard replacement = outcome.metacard();
            if (replacement != null) {
                kept.add(replacement);
            }
            //returned responses are ignored for deletes
            break;
        }
    }

    if (withheld > 0) {
        SecurityLogger.audit("Filtered " + withheld + " metacards, returned " + kept.size(), subject);
    }
    input.getDeletedMetacards().clear();
    input.getDeletedMetacards().addAll(kept);
    return input;
}