
Example 36 with Subject

use of org.apache.shiro.subject.Subject in project ddf by codice.

the class NotificationController method deletePersistentNotification.

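/**
 * Handles messages on the {@code /notification/action} channel and removes the referenced
 * persistent notifications.
 *
 * <p>The message's {@code data} entry is an array of maps, each carrying an {@code id} and an
 * {@code action}. Only the {@code remove} action is acted on; other actions are ignored, but an
 * entry with no action at all is rejected.
 *
 * @param serverSession the CometD session the message arrived on; must not be null
 * @param serverMessage the received message; must not be null and must carry a data map
 * @throws IllegalArgumentException if either argument is null, the message has no data map or
 *     no {@code data} array, an entry lacks an action, a {@code remove} entry lacks an id, or
 *     the persistent store rejects the delete
 */
@Listener("/notification/action")
public void deletePersistentNotification(ServerSession serverSession, ServerMessage serverMessage) {
    LOGGER.debug("\nServerSession: {}\nServerMessage: {}", serverSession, serverMessage);
    if (null == serverSession) {
        throw new IllegalArgumentException("ServerSession is null");
    }
    if (null == serverMessage) {
        throw new IllegalArgumentException("ServerMessage is null");
    }
    Subject subject = null;
    try {
        subject = SecurityUtils.getSubject();
    } catch (Exception e) {
        // Best effort: a missing Shiro subject is tolerated and passed on as null.
        LOGGER.debug("Couldn't grab user subject from Shiro.", e);
    }
    // NOTE(review): userId is resolved but the delete below is keyed only by the client-supplied
    // id; confirm that the store (or getUserId) scopes deletes to the caller's own notifications.
    String userId = getUserId(serverSession, subject);
    Map<String, Object> dataAsMap = serverMessage.getDataAsMap();
    if (dataAsMap == null) {
        throw new IllegalArgumentException("Server Message data is null.");
    }
    Object[] notifications = (Object[]) dataAsMap.get("data");
    if (notifications == null) {
        throw new IllegalArgumentException("Server Message contains no notification data.");
    }
    for (Object notificationObject : notifications) {
        Map<?, ?> notification = (Map<?, ?>) notificationObject;
        String id = (String) notification.get("id");
        String action = (String) notification.get("action");
        if (action == null) {
            throw new IllegalArgumentException("Message action is null.");
        }
        if (!"remove".equals(action)) {
            continue;
        }
        // You can have a blank id for guest
        if (id == null) {
            throw new IllegalArgumentException("Message id is null");
        }
        try {
            // The id comes straight from the client message, so it is quoted as a CQL string
            // literal before being embedded in the delete filter.
            this.persistentStore.delete(PersistentStore.NOTIFICATION_TYPE, "id = '" + escapeCqlLiteral(id) + "'");
        } catch (PersistenceException e) {
            // Keep the cause so the store failure is not lost behind the argument error.
            throw new IllegalArgumentException("Unable to delete notification with id = " + id, e);
        }
    }
}

/**
 * Escapes {@code value} for use inside a single-quoted CQL string literal by doubling each
 * single quote (the CQL literal quoting rule; confirm against the store's query dialect).
 */
private static String escapeCqlLiteral(String value) {
    return value.replace("'", "''");
}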

Example 37 with Subject

use of org.apache.shiro.subject.Subject in project ddf by codice.

the class AuthorizationFilter method doFilter.

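/**
 * Authorizes the current request against the context policy configured for its URI.
 *
 * <p>Requests carrying the {@link ContextPolicy#NO_AUTH_POLICY} attribute bypass the check
 * entirely. Otherwise the Shiro subject must hold the policy's allowed-attribute permissions
 * before the request continues down the chain; a path with no policy, or a request with no
 * subject, is denied. A policy with an empty permission set imposes no requirement.
 *
 * @param request the incoming request; must be an {@link HttpServletRequest}
 * @param response the outgoing response; must be an {@link HttpServletResponse}
 * @param chain the remainder of the filter chain
 * @throws IOException if the chain or the not-authorized response fails on I/O
 * @throws ServletException if the chain fails
 */
@SuppressWarnings("PackageAccessibility")
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    if (request.getAttribute(ContextPolicy.NO_AUTH_POLICY) != null) {
        LOGGER.debug("NO_AUTH_POLICY header was found, skipping authorization filter.");
        chain.doFilter(request, response);
        return;
    }
    Subject subject = null;
    try {
        subject = SecurityUtils.getSubject();
    } catch (Exception e) {
        // A missing subject is turned into a denial below rather than propagated.
        LOGGER.debug("Unable to retrieve user from request.", e);
    }
    final String path = httpRequest.getRequestURI();
    ContextPolicy policy = contextPolicyManager.getContextPolicy(path);
    boolean permitted;
    // True only when a non-empty permission set was actually evaluated; drives the success audit.
    boolean permissionsChecked = false;
    if (policy == null) {
        LOGGER.warn("Unable to determine policy for path {}. User is not permitted to continue. Check policy configuration!", path);
        permitted = false;
    } else if (subject == null) {
        // Distinguish a missing subject from a missing policy so operators are not sent to the
        // policy configuration when the subject lookup is what failed.
        LOGGER.warn("No subject available for path {}. User is not permitted to continue.", path);
        permitted = false;
    } else {
        CollectionPermission permissions = policy.getAllowedAttributePermissions();
        permissionsChecked = !permissions.isEmpty();
        permitted = !permissionsChecked || subject.isPermitted(permissions);
    }
    if (!permitted) {
        SecurityLogger.audit("Subject not authorized to view resource {}", path);
        LOGGER.debug("Subject not authorized.");
        returnNotAuthorized(httpResponse);
        return;
    }
    if (permissionsChecked) {
        SecurityLogger.audit("Subject is authorized to view resource {}", path);
    }
    LOGGER.debug("Subject is authorized!");
    chain.doFilter(request, response);
}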

Example 38 with Subject

use of org.apache.shiro.subject.Subject in project ddf by codice.

the class FilterPlugin method processPreCreate.

/**
 * Screens a create request: both the requesting user and the system subject must be permitted
 * to create every metacard, judged by each metacard's security attribute.
 *
 * @param input the create request to screen
 * @return the same request, unchanged, when every metacard passes both checks
 * @throws StopProcessingException listing the offending metacard titles when the user, or the
 *     system, lacks create permission for any metacard
 */
@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
    final KeyValueCollectionPermission createPermission = new KeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
    final List<Metacard> candidates = input.getMetacards();
    final Subject requester = getSubject(input);
    final Subject system = getSystemSubject();
    final List<String> deniedForUser = new ArrayList<>();
    final List<String> deniedForSystem = new ArrayList<>();
    for (Metacard candidate : candidates) {
        final Attribute security = candidate.getAttribute(Metacard.SECURITY);
        // User check first, then system check, for every metacard.
        final boolean userAllowed = checkPermissions(security, createPermission, requester, CollectionPermission.CREATE_ACTION);
        if (!userAllowed) {
            deniedForUser.add(candidate.getTitle());
        }
        final boolean systemAllowed = checkPermissions(security, createPermission, system, CollectionPermission.CREATE_ACTION);
        if (!systemAllowed) {
            deniedForSystem.add(candidate.getTitle());
        }
    }
    if (!deniedForUser.isEmpty()) {
        throw new StopProcessingException("Metacard creation not permitted for " + SubjectUtils.getName(requester) + ": [ " + listToString(deniedForUser) + " ]");
    }
    if (!deniedForSystem.isEmpty()) {
        throw new StopProcessingException("Metacard creation not permitted for this system: [ " + listToString(deniedForSystem) + " ]");
    }
    return input;
}

Example 39 with Subject

use of org.apache.shiro.subject.Subject in project ddf by codice.

the class FilterPlugin method processPostQuery.

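/**
 * Redacts query results the requesting subject may not read.
 *
 * <p>Each result whose metacard fails the read-permission check is offered to the configured
 * filter strategies; the first strategy that reports it processed the metacard decides whether a
 * replacement result is returned. A metacard no strategy processes is dropped from the response.
 *
 * @param input the query response to filter; its results are replaced in place
 * @return the same response with the filtered result list
 * @throws StopProcessingException if the response carries no request or request properties, so
 *     no subject can be resolved
 */
@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
    }
    Subject subject = getSubject(input);
    List<Result> results = input.getResults();
    List<Result> newResults = new ArrayList<>(results.size());
    KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int filteredMetacards = 0;
    for (Result result : results) {
        Metacard metacard = result.getMetacard();
        Attribute attr = metacard.getAttribute(Metacard.SECURITY);
        if (checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
            newResults.add(result);
            continue;
        }
        for (FilterStrategy filterStrategy : filterStrategies.values()) {
            FilterResult filterResult = filterStrategy.process(input, metacard);
            if (filterResult.processed()) {
                if (filterResult.metacard() != null) {
                    newResults.add(new ResultImpl(filterResult.metacard()));
                }
                // returned responses are ignored for queries
                break;
            }
        }
        // Counted whether or not a strategy supplied a redacted replacement.
        filteredMetacards++;
    }
    if (filteredMetacards > 0) {
        SecurityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
    }
    // Replace the contents in place so the caller keeps the same QueryResponse instance.
    input.getResults().clear();
    input.getResults().addAll(newResults);
    return input;
}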

Example 40 with Subject

use of org.apache.shiro.subject.Subject in project ddf by codice.

the class FilterPlugin method processPostDelete.

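/**
 * Redacts deleted metacards the requesting subject may not read before they are reported back.
 *
 * <p>Each deleted metacard that fails the read-permission check is offered to the configured
 * filter strategies; the first strategy that reports it processed the metacard decides whether a
 * replacement is returned. A metacard no strategy processes is dropped from the response.
 *
 * @param input the delete response to filter; its deleted-metacard list is replaced in place
 * @return the same response with the filtered list
 * @throws StopProcessingException if the response carries no request or request properties, so
 *     no subject can be resolved
 */
@Override
public DeleteResponse processPostDelete(DeleteResponse input) throws StopProcessingException {
    if (input.getRequest() == null || input.getRequest().getProperties() == null) {
        throw new StopProcessingException("Unable to filter contents of current message, no user Subject available.");
    }
    Subject subject = getSubject(input);
    List<Metacard> results = input.getDeletedMetacards();
    List<Metacard> newResults = new ArrayList<>(results.size());
    KeyValueCollectionPermission securityPermission = new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
    int filteredMetacards = 0;
    for (Metacard metacard : results) {
        Attribute attr = metacard.getAttribute(Metacard.SECURITY);
        if (checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
            newResults.add(metacard);
            continue;
        }
        for (FilterStrategy filterStrategy : filterStrategies.values()) {
            FilterResult filterResult = filterStrategy.process(input, metacard);
            if (filterResult.processed()) {
                if (filterResult.metacard() != null) {
                    newResults.add(filterResult.metacard());
                }
                // returned responses are ignored for deletes
                break;
            }
        }
        // Counted whether or not a strategy supplied a redacted replacement.
        filteredMetacards++;
    }
    if (filteredMetacards > 0) {
        SecurityLogger.audit("Filtered " + filteredMetacards + " metacards, returned " + newResults.size(), subject);
    }
    // Replace the contents in place so the caller keeps the same DeleteResponse instance.
    input.getDeletedMetacards().clear();
    input.getDeletedMetacards().addAll(newResults);
    return input;
}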
