use of org.structr.core.entity.Principal in project structr by structr.
the class RestAuthenticator method getUser.
@Override
public Principal getUser(final HttpServletRequest request, final boolean tryLogin) throws FrameworkException {
Principal user = null;
// First, check session (JSESSIONID cookie)
final HttpSession session = request.getSession(false);
if (session != null) {
user = AuthHelper.getPrincipalForSessionId(session.getId());
}
if (user == null) {
// Second, check X-Headers
String userName = request.getHeader("X-User");
String password = request.getHeader("X-Password");
String token = request.getHeader("X-StructrSessionToken");
// Try to authorize with a session token first
if (token != null) {
user = AuthHelper.getPrincipalForSessionId(token);
} else if ((userName != null) && (password != null)) {
if (tryLogin) {
user = AuthHelper.getPrincipalForPassword(AbstractNode.name, userName, password);
}
}
}
return user;
}
use of org.structr.core.entity.Principal in project structr by structr.
the class AccessControlTest method testGroupMembershipVisibility.
@Test
public void testGroupMembershipVisibility() {
Principal user1 = null;
Principal user2 = null;
Group group = null;
try (final Tx tx = app.tx()) {
user1 = createTestNode(Principal.class, "user1");
user2 = createTestNode(Principal.class, "user2");
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
final SecurityContext user1Context = SecurityContext.getInstance(user1, AccessMode.Backend);
final App user1App = StructrApp.getInstance(user1Context);
try (final Tx tx = user1App.tx()) {
group = user1App.create(Group.class, "group");
user1App.create(TestOne.class, "testone");
assertEquals("Invalid group owner", user1, group.getOwnerNode());
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user1App.tx()) {
final TestOne test = user1App.nodeQuery(TestOne.class).getFirst();
assertNotNull(test);
test.grant(Permission.read, group);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
// ################################################################################################################
// user2 is not yet member of the group, so
// it should not be possible to access the object
final SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Backend);
final App user2App = StructrApp.getInstance(user2Context);
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNull(test);
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
try (final Tx tx = user1App.tx()) {
group.addMember(user2);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.setProperty(TestOne.name, "newname");
tx.success();
fail("User should not be able to write an object that it doesn't own.");
} catch (FrameworkException fex) {
assertEquals("Invalid group permissions result", 403, fex.getStatus());
assertEquals("Invalid group permissions result", "Modification not permitted.", fex.getMessage());
}
try (final Tx tx = user1App.tx()) {
final TestOne test = app.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.grant(Permission.write, group);
tx.success();
} catch (FrameworkException t) {
logger.warn("", t);
fail("Unexpected exception.");
}
try (final Tx tx = user2App.tx()) {
final TestOne test = user2App.nodeQuery(TestOne.class).getFirst();
assertNotNull("Group should be readable for members", test);
test.setProperty(TestOne.name, "newname");
tx.success();
} catch (FrameworkException fex) {
logger.warn("", fex);
fail("Unexpected exception.");
}
}
use of org.structr.core.entity.Principal in project structr by structr.
the class AccessControlTest method test01WriteAccess.
@Test
public void test01WriteAccess() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
final Principal owner = createTestNode(Principal.class);
final Principal user = createTestNode(Principal.class);
// create new node
final TestOne t1 = createTestNode(TestOne.class, owner);
final SecurityContext ownerContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
final SecurityContext userContext = SecurityContext.getInstance(user, AccessMode.Frontend);
final App ownerAppContext = StructrApp.getInstance(ownerContext);
final App userAppContext = StructrApp.getInstance(userContext);
// test with owner, expect success
try (final Tx tx = ownerAppContext.tx()) {
final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
assertNotNull(t);
t.setProperty(TestOne.aString, "aString");
assertEquals("aString", t.getProperty(TestOne.aString));
tx.success();
}
// test with foreign user, expect failure, node should not be found
try (final Tx tx = userAppContext.tx()) {
// node should not be found
assertNull(StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst());
tx.success();
}
// test with foreign user, expect failure, node should not be found
try (final Tx tx = ownerAppContext.tx()) {
// make node visible to user
t1.grant(Permission.read, user);
tx.success();
}
// try to grant read permissions in user context, should fail because user doesn't have access control permission
try (final Tx tx = userAppContext.tx()) {
try {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
t.grant(Permission.read, user);
fail("Non-owner should not be allowed to change permissions on object");
} catch (FrameworkException fex) {
// expect status 403 forbidden
assertEquals(fex.getStatus(), 403);
}
tx.success();
}
// try to grant read permissions in owner context, should succeed (?)
try (final Tx tx = ownerAppContext.tx()) {
// important lesson here: the context under which the node is constructed defines the security context
final TestOne t = StructrApp.getInstance(ownerContext).nodeQuery(TestOne.class).getFirst();
t.grant(Permission.accessControl, user);
tx.success();
}
// test with foreign user, expect failure
try (final Tx tx = userAppContext.tx()) {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
// node should be found because it's public
assertNotNull(t);
// setProperty should fail because of missing write permissions
try {
t.setProperty(TestOne.aString, "aString");
fail("setProperty should not be allowed for non-owner on publicly visible nodes");
} catch (FrameworkException fex) {
// expect status 403 forbidden
assertEquals(fex.getStatus(), 403);
}
tx.success();
}
// grant write
try (final Tx tx = app.tx()) {
// make t1 visible to public users explicitely
t1.setProperty(GraphObject.visibleToPublicUsers, true);
tx.success();
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
use of org.structr.core.entity.Principal in project structr by structr.
the class AccessControlTest method test05FrontendUserAccessToProtectedNode.
@Test
public void test05FrontendUserAccessToProtectedNode() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
List<Principal> users = createTestNodes(Principal.class, 2);
Principal user1 = (Principal) users.get(0);
Principal user2 = (Principal) users.get(1);
PropertyMap props = new PropertyMap();
props.put(AbstractNode.visibleToPublicUsers, true);
// Create two nodes with user context, one of them is visible to public users
Class type = TestOne.class;
TestOne t1 = createTestNode(TestOne.class, props, user1);
props = new PropertyMap();
props.put(AbstractNode.visibleToAuthenticatedUsers, true);
TestOne t2 = createTestNode(TestOne.class, props, user1);
// Let another user search
SecurityContext user2Context = SecurityContext.getInstance(user2, AccessMode.Frontend);
try (final Tx tx = app.tx()) {
Result result = StructrApp.getInstance(user2Context).nodeQuery(type).getResult();
assertEquals(2, result.size());
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
use of org.structr.core.entity.Principal in project structr by structr.
the class AccessControlTest method test08WriteAccess.
@Test
public void test08WriteAccess() {
// remove auto-generated resource access objects
clearResourceAccess();
try {
final Principal owner = createTestNode(Principal.class);
// create new node
createTestNode(TestOne.class, owner);
final SecurityContext userContext = SecurityContext.getInstance(owner, AccessMode.Frontend);
final App userApp = StructrApp.getInstance(userContext);
try (final Tx tx = userApp.tx()) {
final TestOne t = StructrApp.getInstance(userContext).nodeQuery(TestOne.class).getFirst();
assertNotNull(t);
t.setProperty(TestOne.aString, "aString");
assertEquals("aString", t.getProperty(TestOne.aString));
tx.success();
}
} catch (FrameworkException ex) {
logger.warn("", ex);
fail("Unexpected exception");
}
}
Aggregations