use of org.apereo.portal.security.IPerson in project uPortal by Jasig.
the class MarketplaceService method onApplicationEvent.
/**
* Handle the portal LoginEvent. If marketplace caching is enabled, will preload marketplace
* entries for the currently logged in user.
*
* @param loginEvent the login event.
*/
@Override
public void onApplicationEvent(LoginEvent loginEvent) {
    // Pre-loading is opt-in: with the flag off, a login triggers no marketplace work here.
    if (!enableMarketplacePreloading) {
        return;
    }

    // Entries are loaded for the person carried on the login event.
    final IPerson loggedInUser = loginEvent.getPerson();

    // An empty category set pre-loads the unfiltered collection. PortletMarketplace
    // instances that specify filtering will trigger a new collection to be loaded.
    loadMarketplaceEntriesFor(loggedInUser, Collections.<PortletCategory>emptySet());
}
use of org.apereo.portal.security.IPerson in project uPortal by Jasig.
the class PortletRendererImpl method enforceConfigPermission.
/**
* Enforces config mode access control. If requesting user does not have CONFIG permission, and
* the PortletWindow specifies config mode, throws AuthorizationException. Otherwise does
* nothing.
*
* @param httpServletRequest the non-null current HttpServletRequest (for determining requesting
* user)
* @param portletWindow a non-null portlet window that might be in config mode
* @throws AuthorizationException if the user is not permitted to access config mode yet portlet
* window specifies config mode
* @throws java.lang.IllegalArgumentException if the request or window are null
* @since 4.0.13.1, 4.0.14, 4.1.
*/
protected void enforceConfigPermission(final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
    Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
    Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");

    // Only CONFIG mode is gated here; a window in any other mode (or with no mode) passes through.
    final PortletMode requestedMode = portletWindow.getPortletMode();
    if (requestedMode == null || !IPortletRenderer.CONFIG.equals(requestedMode)) {
        return;
    }

    // The authorization principal is built from the person that personManager resolves for
    // this request.
    // NOTE(review): neither the person nor its entity identifier is null-checked; a null would
    // surface as a NullPointerException instead of an AuthorizationException. Confirm that
    // getPerson() cannot return null.
    final IPerson requester = this.personManager.getPerson(httpServletRequest);
    final EntityIdentifier requesterId = requester.getEntityIdentifier();
    final IAuthorizationPrincipal principal =
            AuthorizationServiceFacade.instance().newPrincipal(requesterId.getKey(), requesterId.getType());

    // The permission is evaluated against the portlet definition behind this window.
    final IPortletDefinition definition = portletWindow.getPortletEntity().getPortletDefinition();
    final boolean mayConfigure = principal.canConfigure(definition.getPortletDefinitionId().getStringId());
    if (mayConfigure) {
        return;
    }

    // A denial is logged at ERROR before the exception is thrown, so the attempt is recorded
    // even if a caller handles the exception. User name, portlet fname and mode are passed as
    // logger arguments rather than concatenated into the format string.
    logger.error(
            "User {} attempted to use portlet {} in {} but lacks permission to use that mode. "
                    + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW. "
                    + "You should probably figure out who this user is and why they are trying to access "
                    + "unauthorized portlet modes.",
            requester.getUserName(),
            definition.getFName(),
            requestedMode);

    // NOTE(review): the exception message carries the user name and portlet fname; confirm how
    // callers surface this message before treating it as internal-only.
    throw new AuthorizationException(requester.getUserName() + " does not have permission to render '" + definition.getFName() + "' in " + requestedMode + " PortletMode.");
}
use of org.apereo.portal.security.IPerson in project uPortal by Jasig.
the class PortletDelegationLocatorImpl method createRequestDispatcher.
/* (non-Javadoc)
* @see org.apereo.portal.api.portlet.PortletDelegationLocator#createRequestDispatcher(org.apereo.portal.portlet.om.IPortletDefinitionId)
*/
@Override
public PortletDelegationDispatcher createRequestDispatcher(PortletRequest portletRequest, IPortletDefinitionId delegatePortletDefinitionId) {
    final HttpServletRequest httpRequest = this.portalRequestUtils.getPortletHttpRequest(portletRequest);

    // Resolve the window of the portlet that is asking for a delegate.
    final IPortletWindowId parentWindowId =
            this.portletWindowRegistry.getPortletWindowId(httpRequest, portletRequest.getWindowID());

    // Look up (or create) the delegate entity under that parent, then create its window.
    final IPortletEntityId delegateEntityId =
            this.portletEntityRegistry
                    .getOrCreateDelegatePortletEntity(httpRequest, parentWindowId, delegatePortletDefinitionId)
                    .getPortletEntityId();
    final IPortletWindow delegateWindow =
            this.portletWindowRegistry.createDelegatePortletWindow(httpRequest, delegateEntityId, parentWindowId);

    // The id of the person resolved for this request is handed to the dispatcher's constructor.
    // NOTE(review): no permission check on delegatePortletDefinitionId is visible in this
    // method; confirm whether the registries or the caller enforce one.
    final int ownerUserId = this.personManager.getPerson(httpRequest).getID();

    return new PortletDelegationDispatcherImpl(delegateWindow, ownerUserId, portalRequestUtils, personManager, portletRenderer, portalUrlProvider, portletDelegationManager);
}
use of org.apereo.portal.security.IPerson in project uPortal by Jasig.
the class PortletDelegationDispatcherImpl method doAction.
/**
 * Executes the action phase on the delegate portlet window and reports the resulting state
 * back to the parent.
 *
 * <p>If the delegate requested a redirect, the redirect is cleared from the portal action URL
 * builder and returned in the response, leaving it to the parent to decide whether it should
 * happen. Otherwise the delegate's portlet mode, window state and parameters are returned.
 *
 * @param actionRequest the parent's action request, used to resolve the portal request/response
 * @param actionResponse the parent's action response (not read by this method)
 * @param delegationRequest delegation settings applied to the request before dispatching
 * @return the delegate state together with either the redirect or the state-changing data
 * @throws IllegalStateException if the person resolved for the request has a different id than
 *     the userId this dispatcher holds
 * @throws IOException as declared by the interface
 */
@Override
public DelegationActionResponse doAction(ActionRequest actionRequest, ActionResponse actionResponse, DelegationRequest delegationRequest) throws IOException {
    final HttpServletRequest httpRequest = this.portalRequestUtils.getPortletHttpRequest(actionRequest);
    final HttpServletResponse httpResponse = this.portalRequestUtils.getOriginalPortalResponse(actionRequest);

    // Sanity check: the dispatcher must be executed by the same user it was created for.
    final IPerson caller = this.personManager.getPerson(httpRequest);
    if (this.userId != caller.getID()) {
        throw new IllegalStateException("This dispatcher was created for userId " + this.userId + " but is being executed for userId " + caller.getID());
    }

    this.setupDelegateRequestInfo(httpRequest, delegationRequest);

    final IPortletWindowId delegateWindowId = this.portletWindow.getPortletWindowId();
    try {
        // TODO canRender permission checks! The user-id match above is the only guard visible
        // in this method; nothing here verifies that the user may use the delegate portlet.
        // NOTE(review): confirm whether portletRenderer enforces that permission itself.
        this.portletRenderer.doAction(delegateWindowId, httpRequest, httpResponse);
    } catch (RuntimeException failure) {
        // Log with the stack trace, then let the original exception propagate unchanged.
        this.logger.error("Failed to execute action on delegate", failure);
        throw failure;
    }

    final IPortalActionUrlBuilder actionUrlBuilder = this.portalUrlProvider.getPortalActionUrlBuilder(httpRequest);
    final String delegateRedirect = actionUrlBuilder.getRedirectLocation();

    if (delegateRedirect == null) {
        // No redirect: copy the state-changing data from the delegate's URL builder into the
        // delegate response.
        final IPortletUrlBuilder delegateUrlBuilder = actionUrlBuilder.getPortletUrlBuilder(delegateWindowId);
        final WindowState delegateWindowState = delegateUrlBuilder.getWindowState();
        final PortletMode delegateMode = delegateUrlBuilder.getPortletMode();
        final Map<String, String[]> delegateParameters = delegateUrlBuilder.getParameters();
        return new DelegationActionResponse(this.getDelegateState(), delegateMode, delegateWindowState, delegateParameters);
    }

    // The delegate asked for a redirect. Read the render-URL parameter name first, then clear
    // the redirect so it does not take effect on its own; the parent decides whether to follow
    // the location returned here.
    final String renderUrlParam = actionUrlBuilder.getRenderUrlParamName();
    actionUrlBuilder.setRedirectLocation(null, null);
    return new DelegationActionResponse(this.getDelegateState(), delegateRedirect, renderUrlParam);
}
use of org.apereo.portal.security.IPerson in project uPortal by Jasig.
the class PortletDelegationDispatcherImpl method doRender.
/**
 * Renders the delegate portlet window's markup into the supplied output handler.
 *
 * <p>The output handler's buffer is flushed whether or not rendering succeeds.
 *
 * @param renderRequest the parent's render request, used to resolve the portal request/response
 * @param renderResponse the parent's render response (not read by this method)
 * @param delegationRequest delegation settings applied to the request before dispatching
 * @param portletOutputHandler receives the delegate's rendered output
 * @return a response carrying the delegate state
 * @throws IllegalStateException if the person resolved for the request has a different id than
 *     the userId this dispatcher holds
 * @throws IOException as declared by the interface
 */
@Override
public DelegationResponse doRender(RenderRequest renderRequest, RenderResponse renderResponse, DelegationRequest delegationRequest, PortletOutputHandler portletOutputHandler) throws IOException {
    final HttpServletRequest httpRequest = this.portalRequestUtils.getPortletHttpRequest(renderRequest);
    final HttpServletResponse httpResponse = this.portalRequestUtils.getOriginalPortalResponse(renderRequest);

    // Sanity check: the dispatcher must be executed by the same user it was created for.
    final IPerson caller = this.personManager.getPerson(httpRequest);
    if (this.userId != caller.getID()) {
        throw new IllegalStateException("This dispatcher was created for userId " + this.userId + " but is being executed for userId " + caller.getID());
    }

    this.setupDelegateRequestInfo(httpRequest, delegationRequest);

    try {
        // TODO canRender permission checks! The user-id match above is the only guard visible
        // in this method; nothing here verifies that the user may render the delegate portlet.
        // NOTE(review): confirm whether portletRenderer enforces that permission itself.
        final IPortletWindowId delegateWindowId = this.portletWindow.getPortletWindowId();
        this.portletRenderer.doRenderMarkup(delegateWindowId, httpRequest, httpResponse, portletOutputHandler);
    } catch (RuntimeException failure) {
        // Log with the stack trace, then let the original exception propagate unchanged.
        this.logger.error("Failed to render delegate", failure);
        throw failure;
    } finally {
        // Runs on success and on failure alike.
        portletOutputHandler.flushBuffer();
    }

    return new DelegationResponse(this.getDelegateState());
}