added security checks

2026-03-21 21:37:29 +00:00 · 2013-03-28 17:07:37 +01:00
parent 938ab3c26d
commit b4d4015f4b
12 changed files with 167 additions and 31 deletions
--- a/src/main/java/com/commafeed/frontend/CommaFeedSession.java
+++ b/src/main/java/com/commafeed/frontend/CommaFeedSession.java
@@ -9,7 +9,7 @@ import org.apache.wicket.request.Request;

 import com.commafeed.backend.dao.UserService;
 import com.commafeed.backend.model.User;
-import com.commafeed.frontend.pages.auth.Role;
+import com.commafeed.backend.security.Role;

@SuppressWarnings("serial")
 public class CommaFeedSession extends AuthenticatedWebSession {
--- a/src/main/java/com/commafeed/frontend/pages/HomePage.java
+++ b/src/main/java/com/commafeed/frontend/pages/HomePage.java
@@ -5,7 +5,7 @@ import org.apache.wicket.markup.head.CssHeaderItem;
 import org.apache.wicket.markup.head.IHeaderResponse;
 import org.apache.wicket.markup.head.JavaScriptHeaderItem;

-import com.commafeed.frontend.pages.auth.Role;
+import com.commafeed.backend.security.Role;
 import com.commafeed.frontend.references.angular.AngularReference;
 import com.commafeed.frontend.references.angular.AngularResourceReference;
 import com.commafeed.frontend.references.angular.AngularSanitizeReference;
--- a/src/main/java/com/commafeed/frontend/pages/auth/Role.java
+++ b/src/main/java/com/commafeed/frontend/pages/auth/Role.java
@@ -1,6 +0,0 @@
-package com.commafeed.frontend.pages.auth;
-
-public class Role {
-	public static final String USER = "user";
-	public static final String ADMIN = "admin";
-}
--- a/src/main/java/com/commafeed/frontend/rest/JSONMessageBodyReaderWriter.java
+++ b/src/main/java/com/commafeed/frontend/rest/JSONMessageBodyReaderWriter.java
@@ -32,7 +32,7 @@ import com.google.gson.JsonSerializationContext;
 import com.google.gson.JsonSerializer;

@Provider
-@Produces(MediaType.APPLICATION_JSON)
+@Produces({ MediaType.APPLICATION_JSON, MediaType.TEXT_PLAIN })
@Consumes(MediaType.APPLICATION_JSON)
 public class JSONMessageBodyReaderWriter implements MessageBodyWriter<Object>,
 		MessageBodyReader<Object> {
--- a/src/main/java/com/commafeed/frontend/rest/RESTApplication.java
+++ b/src/main/java/com/commafeed/frontend/rest/RESTApplication.java
@@ -1,27 +1,9 @@
 package com.commafeed.frontend.rest;

-import java.util.Set;
-
 import javax.ws.rs.ApplicationPath;
 import javax.ws.rs.core.Application;

-import com.commafeed.frontend.rest.resources.EntriesREST;
-import com.commafeed.frontend.rest.resources.SettingsREST;
-import com.commafeed.frontend.rest.resources.SubscriptionsREST;
-import com.google.common.collect.Sets;
-
@ApplicationPath("/rest")
 public class RESTApplication extends Application {

-	@Override
-	public Set<Class<?>> getClasses() {
-		Set<Class<?>> set = Sets.newHashSet();
-		set.add(JSONMessageBodyReaderWriter.class);
-
-		set.add(SubscriptionsREST.class);
-		set.add(EntriesREST.class);
-		set.add(SettingsREST.class);
-
-		return set;
-	}
 }
--- a/src/main/java/com/commafeed/frontend/rest/SecurityCheck.java
+++ b/src/main/java/com/commafeed/frontend/rest/SecurityCheck.java
@@ -0,0 +1,23 @@
+package com.commafeed.frontend.rest;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import javax.enterprise.util.Nonbinding;
+import javax.interceptor.InterceptorBinding;
+
+@Inherited
+@InterceptorBinding
+@Target({ ElementType.TYPE, ElementType.METHOD })
+@Retention(RetentionPolicy.RUNTIME)
+public @interface SecurityCheck {
+
+	/**
+	 * Roles needed.
+	 */
+	@Nonbinding
+	String[] value() default {};
+}
--- a/src/main/java/com/commafeed/frontend/rest/resources/AbstractREST.java
+++ b/src/main/java/com/commafeed/frontend/rest/resources/AbstractREST.java
@@ -1,7 +1,12 @@
 package com.commafeed.frontend.rest.resources;

+import java.lang.reflect.Method;
+import java.util.List;
+
 import javax.annotation.PostConstruct;
 import javax.inject.Inject;
+import javax.interceptor.AroundInvoke;
+import javax.interceptor.InvocationContext;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.Consumes;
@@ -9,7 +14,7 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;

 import org.apache.wicket.ThreadContext;
 import org.apache.wicket.authentication.IAuthenticationStrategy;
@@ -22,15 +27,19 @@ import com.commafeed.backend.dao.FeedEntryService;
 import com.commafeed.backend.dao.FeedEntryStatusService;
 import com.commafeed.backend.dao.FeedService;
 import com.commafeed.backend.dao.FeedSubscriptionService;
+import com.commafeed.backend.dao.UserRoleService;
 import com.commafeed.backend.dao.UserService;
 import com.commafeed.backend.dao.UserSettingsService;
 import com.commafeed.backend.feeds.OPMLImporter;
 import com.commafeed.backend.model.User;
+import com.commafeed.backend.security.Role;
 import com.commafeed.frontend.CommaFeedApplication;
 import com.commafeed.frontend.CommaFeedSession;
+import com.commafeed.frontend.rest.SecurityCheck;

@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
+@SecurityCheck(Role.USER)
 public abstract class AbstractREST {

 	@Context
@@ -60,6 +69,9 @@ public abstract class AbstractREST {
 	@Inject
 	UserSettingsService userSettingsService;

+	@Inject
+	UserRoleService userRoleService;
+
 	@Inject
 	OPMLImporter opmlImporter;

@@ -80,14 +92,46 @@ public abstract class AbstractREST {
 			session.signIn(data[0], data[1]);
 		}

-		if (getUser() == null) {
-			throw new WebApplicationException(Response.Status.UNAUTHORIZED);
-		}
-
 	}

 	protected User getUser() {
 		return CommaFeedSession.get().getUser();
 	}

+	@AroundInvoke
+	public Object checkSecurity(InvocationContext context) throws Exception {
+		User user = getUser();
+		if (user == null) {
+			throw new WebApplicationException(Status.UNAUTHORIZED);
+		}
+
+		boolean allowed = false;
+		Method method = context.getMethod();
+
+		if (method.isAnnotationPresent(SecurityCheck.class)) {
+			allowed = checkRole(user, method.getAnnotation(SecurityCheck.class));
+		} else if (method.getDeclaringClass().isAnnotationPresent(
+				SecurityCheck.class)) {
+			allowed = checkRole(
+					user,
+					method.getDeclaringClass().getAnnotation(
+							SecurityCheck.class));
+		}
+		if (!allowed) {
+			throw new WebApplicationException(Status.FORBIDDEN);
+		}
+
+		return context.proceed();
+	}
+
+	private boolean checkRole(User user, SecurityCheck annotation) {
+		List<String> roles = userRoleService.getRoles(user);
+		for (String role : annotation.value()) {
+			if (!roles.contains(role)) {
+				return false;
+			}
+		}
+		return true;
+	}
+
 }