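/**
 * Verifies {@code AuthorizationManager.hasRoleOrPrincipal} for the three session states
 * (anonymous, asserted, authenticated) against the built-in roles, a plain user principal,
 * two custom roles and two group principals. Only the authenticated session is expected to
 * carry custom roles and group memberships; an asserted identity is deliberately not trusted
 * for any of them.
 *
 * @throws Exception test failed
 */
@Test
public void testHasRoleOrPrincipal() throws Exception {
    // Create new user Alice and 2 sample roles
    final Principal alice = new WikiPrincipal(Users.ALICE);
    final Role it = new Role("IT");
    final Role finance = new Role("Finance");
    // Create Group1 with Alice in it, Group2 without
    Session session = WikiSessionTest.adminSession(m_engine);
    final Group g1 = m_groupMgr.parseGroup("Group1", "Alice", true);
    m_groupMgr.setGroup(session, g1);
    final Principal group1 = g1.getPrincipal();
    final Group g2 = m_groupMgr.parseGroup("Group2", "Bob", true);
    m_groupMgr.setGroup(session, g2);
    final Principal group2 = g2.getPrincipal();
    try {
        // Create anonymous session; not in ANY custom roles or groups
        session = WikiSessionTest.anonymousSession(m_engine);
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, Role.ANONYMOUS), "Anon anonymous");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.ASSERTED), "Anon not asserted");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.AUTHENTICATED), "Anon not authenticated");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, alice), "Alice not in Anon");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, it), "Anon not in IT");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, finance), "Anon not in Finance");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, group1), "Anon not in Group1");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, group2), "Anon not in Group2");
        // Create asserted session with 1 GroupPrincipal & 1 custom Role
        // Alice is asserted, and thus not in ANY custom roles or groups
        session = WikiSessionTest.assertedSession(m_engine, Users.ALICE, new Principal[] { it });
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.ANONYMOUS), "Alice not anonymous");
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, Role.ASSERTED), "Alice asserted");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.AUTHENTICATED), "Alice not authenticated");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, alice), "Alice not in Alice");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, it), "Alice not in IT");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, finance), "Alice not in Finance");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, group1), "Alice not in Group1");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, group2), "Alice not in Group2");
        // Create authenticated session with 1 GroupPrincipal & 1 custom Role
        // Alice is authenticated, and thus part of custom roles and groups
        session = WikiSessionTest.containerAuthenticatedSession(m_engine, Users.ALICE, new Principal[] { it });
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.ANONYMOUS), "Alice not anonymous");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, Role.ASSERTED), "Alice not asserted");
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, Role.AUTHENTICATED), "Alice authenticated");
        // Message fixed: this checks Alice's own principal, not "Ernie"
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, alice), "Alice in Alice");
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, it), "Alice in IT");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, finance), "Alice not in Finance");
        Assertions.assertTrue(m_auth.hasRoleOrPrincipal(session, group1), "Alice in Group1");
        Assertions.assertFalse(m_auth.hasRoleOrPrincipal(session, group2), "Alice not in Group2");
    } finally {
        // Clean up even when an assertion fails, so the groups do not leak into later tests
        m_groupMgr.removeGroup("Group1");
        m_groupMgr.removeGroup("Group2");
    }
}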
/**
 * Checks the static (policy-level) permissions of the four canonical session kinds:
 * anonymous, asserted, authenticated and admin. Anonymous and asserted sessions get the
 * same read/edit/comment set; authenticated and admin sessions get everything except
 * {@code delete}, which the policy never grants explicitly.
 *
 * @throws Exception test failed
 */
@Test
public void testStaticPermission() throws Exception {
    // Anonymous: view, edit, comment, prefs, profile, pages — nothing else
    Session s = WikiSessionTest.anonymousSession(m_engine);
    assertStaticPermissionSet(s, "Anonymous",
            new boolean[] { true, true, true, false, false, false, false, true, true, true, false });
    // Asserted: identical to anonymous, an asserted name is not trusted for more
    s = WikiSessionTest.assertedSession(m_engine, "Jack Sparrow");
    assertStaticPermissionSet(s, "Asserted",
            new boolean[] { true, true, true, false, false, false, false, true, true, true, false });
    // Authenticated: everything except delete
    s = WikiSessionTest.authenticatedSession(m_engine, Users.JANNE, Users.JANNE_PASS);
    assertStaticPermissionSet(s, "Authenticated",
            new boolean[] { true, true, true, true, true, true, false, true, true, true, true });
    // Admin: even though we grant AllPermission in the policy, 'delete' isn't explicit so the
    // static check fails (it would succeed if requested via checkPermission())
    s = WikiSessionTest.adminSession(m_engine);
    assertStaticPermissionSet(s, "Admin",
            new boolean[] { true, true, true, true, true, true, false, true, true, true, true });
}

/**
 * Asserts the outcome of {@code checkStaticPermission} for the fixed permission list, in the
 * order view, edit, comment, modify, upload, rename, delete, prefs, profile, pages, groups.
 * Each assertion message is {@code who + " " + permissionName}.
 *
 * @param s the session under test
 * @param who message prefix naming the session kind
 * @param expected eleven expected results in the order given above
 */
private void assertStaticPermissionSet(final Session s, final String who, final boolean[] expected) {
    Assertions.assertEquals(11, expected.length, "expected-array length");
    expectStatic(expected[0], m_auth.checkStaticPermission(s, PagePermission.VIEW), who + " view");
    expectStatic(expected[1], m_auth.checkStaticPermission(s, PagePermission.EDIT), who + " edit");
    expectStatic(expected[2], m_auth.checkStaticPermission(s, PagePermission.COMMENT), who + " comment");
    expectStatic(expected[3], m_auth.checkStaticPermission(s, PagePermission.MODIFY), who + " modify");
    expectStatic(expected[4], m_auth.checkStaticPermission(s, PagePermission.UPLOAD), who + " upload");
    expectStatic(expected[5], m_auth.checkStaticPermission(s, PagePermission.RENAME), who + " rename");
    expectStatic(expected[6], m_auth.checkStaticPermission(s, PagePermission.DELETE), who + " delete");
    expectStatic(expected[7], m_auth.checkStaticPermission(s, WikiPermission.EDIT_PREFERENCES), who + " prefs");
    expectStatic(expected[8], m_auth.checkStaticPermission(s, WikiPermission.EDIT_PROFILE), who + " profile");
    expectStatic(expected[9], m_auth.checkStaticPermission(s, WikiPermission.CREATE_PAGES), who + " pages");
    expectStatic(expected[10], m_auth.checkStaticPermission(s, WikiPermission.CREATE_GROUPS), who + " groups");
}

/** Dispatches to {@code assertTrue} or {@code assertFalse} so failure messages match the original style. */
private static void expectStatic(final boolean expected, final boolean actual, final String message) {
    if (expected) {
        Assertions.assertTrue(actual, message);
    } else {
        Assertions.assertFalse(actual, message);
    }
}
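/**
 * Tests the default policy. Anonymous users can read, Authenticated can
 * edit, etc. Uses the default tests/etc/jspwiki.policy file installed by
 * the JRE at startup. The page is saved without an ACL so that only the
 * policy decides, and it is deleted again in a {@code finally} so a failed
 * assertion cannot leave it behind for later tests.
 *
 * @throws Exception test failed
 */
@Test
public void testDefaultPermissions() throws Exception {
    // Save a page without an ACL
    m_engine.saveText("TestDefaultPage", "Foo");
    try {
        final Permission view = PermissionFactory.getPagePermission("*:TestDefaultPage", "view");
        final Permission edit = PermissionFactory.getPagePermission("*:TestDefaultPage", "edit");
        // Alice is asserted
        Session session = WikiSessionTest.assertedSession(m_engine, Users.ALICE);
        Assertions.assertTrue(m_auth.checkPermission(session, view), "Alice view");
        Assertions.assertTrue(m_auth.checkPermission(session, edit), "Alice edit");
        // Bob is logged in
        session = WikiSessionTest.authenticatedSession(m_engine, Users.BOB, Users.BOB_PASS);
        Assertions.assertTrue(m_auth.checkPermission(session, view), "Bob view");
        Assertions.assertTrue(m_auth.checkPermission(session, edit), "Bob edit");
    } finally {
        // Delete the test page regardless of the outcome above
        try {
            m_engine.getManager(PageManager.class).deletePage("TestDefaultPage");
        } catch (final ProviderException e) {
            // Keep the cause so the stack trace is not lost in the report
            Assertions.fail("Could not delete TestDefaultPage: " + e.getMessage(), e);
        }
    }
}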
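/**
 * Handles the user-management form. When {@code action} is {@code remove} the profile named
 * by {@code loginid} is deleted; otherwise the profile is created ({@code loginid} equal to
 * {@code --New--}) or the existing one is looked up, then email, full name, login name and —
 * only when a non-empty password was supplied — the password are updated and saved. Every
 * outcome is reported through {@link Session#addMessage}; the return value is always empty.
 * All inputs are request parameters and therefore untrusted: missing parameters are rejected
 * with a message instead of a {@code NullPointerException}.
 * NOTE(review): no CSRF or caller-authorization check is visible in this method — presumably
 * enforced by the bean framework around it; confirm. {@code fullname} is echoed back verbatim
 * in a session message; confirm the message renderer escapes it.
 *
 * @param context the wiki context of the current request
 * @return always the empty string; results are conveyed as session messages
 */
@Override
public String doPost(final Context context) {
    final HttpServletRequest request = context.getHttpRequest();
    final Session session = context.getWikiSession();
    final UserManager mgr = context.getEngine().getManager(UserManager.class);
    final String loginid = request.getParameter("loginid");
    final String loginname = request.getParameter("loginname");
    final String fullname = request.getParameter("fullname");
    final String password = request.getParameter("password");
    final String password2 = request.getParameter("password2");
    final String email = request.getParameter("email");
    // Constant-first comparison: a missing "action" parameter must not raise an NPE
    if ("remove".equalsIgnoreCase(request.getParameter("action"))) {
        if (loginid == null) {
            session.addMessage("No user profile specified for removal");
            return "";
        }
        try {
            mgr.getUserDatabase().deleteByLoginName(loginid);
            session.addMessage("User profile " + loginid + " (" + fullname + ") has been deleted");
        } catch (final NoSuchPrincipalException e) {
            session.addMessage("User profile has already been removed");
        } catch (final WikiSecurityException e) {
            session.addMessage("Security problem: " + e);
        }
        return "";
    }
    if (loginid == null) {
        session.addMessage("No user profile specified");
        return "";
    }
    // A password is only validated when one was actually entered
    if (password != null && !password.isEmpty() && !password.equals(password2)) {
        session.addMessage("Passwords do not match!");
        return "";
    }
    final UserProfile p;
    if ("--New--".equals(loginid)) {
        // Create new user
        p = mgr.getUserDatabase().newProfile();
        p.setCreated(new Date());
    } else {
        try {
            p = mgr.getUserDatabase().findByLoginName(loginid);
        } catch (final NoSuchPrincipalException e) {
            session.addMessage("I could not find user profile " + loginid);
            return "";
        }
    }
    p.setEmail(email);
    p.setFullname(fullname);
    // An empty password field means "keep the current password"
    if (password != null && !password.isEmpty()) {
        p.setPassword(password);
    }
    p.setLoginName(loginname);
    try {
        mgr.getUserDatabase().save(p);
    } catch (final WikiSecurityException e) {
        session.addMessage("Unable to save " + e.getMessage());
        // Do not also report success when the save failed
        return "";
    }
    session.addMessage("User profile has been updated");
    return "";
}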
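/**
 * Checks that the Engine is running ok, wraps the current HTTP request, and sets the correct authentication state for the users's
 * Session. First, the method {@link org.apache.wiki.auth.AuthenticationManager#login(HttpServletRequest)}
 * executes, which sets the authentication state. Then, the request is wrapped with a
 * {@link WikiRequestWrapper}. When the engine is not running, a static HTML error page is written
 * and the chain is not invoked at all. Non-HTTP requests are rejected with a {@link ServletException}
 * rather than a {@code ClassCastException}.
 * @param request the current HTTP request object
 * @param response the current HTTP response object
 * @param chain The Filter chain passed down.
 * @throws ServletException if {@link org.apache.wiki.auth.AuthenticationManager#login(HttpServletRequest)} fails for any reason,
 *         if the chain is {@code null}, or if {@code request} is not an {@link HttpServletRequest}
 * @throws IOException If writing to the servlet response fails.
 */
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {
    // Sanity check; it might be true in some conditions, but we need to know where.
    if (chain == null) {
        throw new ServletException("FilterChain is null, even if it should not be.  Please report this to the jspwiki development team.");
    }
    if (m_engine == null) {
        // Declare the type before obtaining the writer so the client does not have to sniff the body
        response.setContentType("text/html");
        final PrintWriter out = response.getWriter();
        out.print("<!DOCTYPE html><html lang=\"en\"><head><title>Fatal problem with JSPWiki</title></head>");
        out.print("<body>");
        out.print("<h1>JSPWiki has not been started</h1>");
        out.print("<p>JSPWiki is not running.  This is probably due to a configuration error in your jspwiki.properties file, ");
        out.print("or a problem with your servlet container.  Please double-check everything before issuing a bug report ");
        out.print("at jspwiki.apache.org.</p>");
        out.print("<p>We apologize for the inconvenience.  No, really, we do.  We're trying to ");
        out.print("JSPWiki as easy as we can, but there is only so much we have time to test ");
        out.print("platforms.</p>");
        out.print("<p>Please go to the <a href='Install.jsp'>installer</a> to continue.</p>");
        out.print("</body></html>");
        return;
    }
    // This filter only makes sense for HTTP traffic; report it as a servlet error, not a cast failure
    if (!(request instanceof HttpServletRequest)) {
        throw new ServletException("WikiServletFilter requires an HttpServletRequest, got " + request.getClass().getName());
    }
    // If we haven't done so, wrap the request
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    // Set the character encoding before any parameter is read
    httpRequest.setCharacterEncoding(m_engine.getContentEncoding().displayName());
    if (!isWrapped(request)) {
        // Prepare the Session: establish the authentication state, then wrap the request
        try {
            m_engine.getManager(AuthenticationManager.class).login(httpRequest);
            final Session wikiSession = SessionMonitor.getInstance(m_engine).find(httpRequest.getSession());
            httpRequest = new WikiRequestWrapper(m_engine, httpRequest);
            log.debug("Executed security filters for user={}, path={}", wikiSession.getLoginPrincipal().getName(), httpRequest.getRequestURI());
        } catch (final WikiSecurityException e) {
            throw new ServletException(e);
        }
    }
    // Compute the key once so push and remove agree even if getRequestURL() were to change
    final String contextKey = m_engine.getApplicationName() + ":" + httpRequest.getRequestURL();
    try {
        ThreadContext.push(contextKey);
        chain.doFilter(httpRequest, response);
    } finally {
        // NOTE(review): pop() undoes the push(); the extra remove(contextKey) targets the map, not the
        // stack — kept as in the original, confirm whether it is still needed
        ThreadContext.pop();
        ThreadContext.remove(contextKey);
    }
}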