Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +1 −1 Original line number Diff line number Diff line Loading @@ -322,7 +322,7 @@ public class LdapUserDAO extends LdapDAO } catch (LDAPException e) { logger.error("addUserRequest Exception: " + e, e); logger.error("addUser Exception: " + e, e); LdapUserDAO.checkUserLDAPResult(e.getResultCode()); throw new RuntimeException("Unexpected LDAP exception", e); } Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/UserServlet.java +30 −3 Original line number Diff line number Diff line Loading @@ -84,6 +84,7 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import ca.nrc.cadc.ac.server.web.users.CreateUserAction; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.server.PluginFactory; Loading Loading 
@@ -177,15 +178,41 @@ public class UserServlet extends HttpServlet { log.info(logInfo.start()); AbstractUserAction action = factory.createAction(request); log.debug("create action " + action.getClass().getSimpleName()); action.setAcceptedContentType(getAcceptedContentType(request)); log.debug("content-type: " + getAcceptedContentType(request)); profiler.checkpoint("created action"); // Special case: if the calling subject has a privileged X500Principal, // AND it is a GET request, do not augment the subject. Subject subject; Subject privilegedSubject = getPrivilegedSubject(request); if (action instanceof GetUserAction && privilegedSubject != null) log.debug("privileged subject: " + privilegedSubject); // If the calling subject is not a PrivilegedSubject, // AND it is a PUT request, throw an AccessControlException if (action instanceof CreateUserAction) { profiler.checkpoint("check non-privileged user"); if (privilegedSubject == null) { action.setPrivilegedSubject(false); subject = AuthenticationUtil.getSubject(request); logInfo.setSubject(subject); log.debug("augmented subject: " + subject); profiler.checkpoint("augment subject"); } else { action.setPrivilegedSubject(true); log.debug("subject not augmented: " + privilegedSubject); subject = privilegedSubject; logInfo.setSubject(privilegedSubject); profiler.checkpoint("set privileged user"); } } // If the calling subject has a privileged X500Principal, // AND it is a GET request, do not augment the subject. else if (action instanceof GetUserAction && privilegedSubject != null) { profiler.checkpoint("check privileged user"); subject = Subject.getSubject(AccessController.getContext()); Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java +11 −0 Original line number Diff line number Diff line Loading 
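Review bot: The new privileged flag is only written inside the `action instanceof CreateUserAction` branch, so for every other action `isPrivilegedSubject` keeps its default of `false` even when `getPrivilegedSubject(request)` returned a subject; that is harmless today because only CreateUserAction consults the flag, but any later action that checks it would silently deny privileged callers. Setting it once right after the lookup, `action.setPrivilegedSubject(privilegedSubject != null);`, before the branches makes the flag describe the request regardless of action type and leaves the branches responsible only for choosing the subject. The comment `// AND it is a PUT request, throw an AccessControlException` describes the HTTP method while the code dispatches on the action class; `// AND the action is a CreateUserAction (PUT), CreateUserAction.doAction() will throw an AccessControlException` matches what is actually tested. The enclosing method continues past the hunk (the GetUserAction `else if` branch is cut off), so the remaining subject-selection paths could not be checked here; the same change appears again further down the page.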
@@ -105,6 +105,7 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob private Profiler profiler = new Profiler(AbstractUserAction.class); protected boolean isAugmentUser; protected boolean isPrivilegedSubject; protected UserLogInfo logInfo; protected SyncOutput syncOut; protected UserPersistence userPersistence; Loading @@ -128,6 +129,16 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob return this.isAugmentUser; } public void setPrivilegedSubject(final boolean isPrivilegedSubject) { this.isPrivilegedSubject = isPrivilegedSubject; } public boolean isPrivilegedSubject() { return this.isPrivilegedSubject; } public void setLogInfo(UserLogInfo logInfo) { this.logInfo = logInfo; Loading cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/CreateUserAction.java +6 −0 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ package ca.nrc.cadc.ac.server.web.users; import ca.nrc.cadc.ac.User; import java.io.InputStream; import java.security.AccessControlException; public class CreateUserAction extends AbstractUserAction { Loading @@ -85,6 +86,11 @@ public class CreateUserAction extends AbstractUserAction public void doAction() throws Exception { if (!isPrivilegedSubject) { throw new AccessControlException("non-privileged user cannot create a user"); } final User user = readUser(this.inputStream); userPersistence.addUser(user); Loading Loading
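Review bot: `isPrivilegedSubject` is now an authorization input — CreateUserAction denies the request when it is false — but neither the field nor `setPrivilegedSubject` says so, and the field is `protected` and mutable, so any subclass can flip it. A Javadoc on the setter such as `/** Marks whether the caller presented a privileged X500Principal, as determined by UserServlet; consulted by CreateUserAction to gate user creation. Defaults to false, i.e. deny, if never set. */` would make the contract explicit. That default-false value is what makes the downstream check fail closed, so the comment should state that it must stay that way. Consider making the field `private` and having subclasses go through `isPrivilegedSubject()`, since CreateUserAction currently reads the field directly.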
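Review bot: The new guard in `doAction()` reads the protected field `isPrivilegedSubject` directly rather than the accessor added in the same commit, and carries no comment on why the default matters; `if (!isPrivilegedSubject()) // denied unless UserServlet explicitly flagged the caller as privileged; the false default keeps this fail-closed` ties the check to where the flag is set. `@throws AccessControlException` should also be declared in doAction's Javadoc so callers know the denial path exists; how that exception is mapped to an HTTP status is outside this hunk, so I cannot confirm it is reported as a client error rather than a generic server failure. The check runs before `readUser(this.inputStream)`, which is the right order — the request body is never parsed for an unauthorized caller. doAction continues past the hunk.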
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java +1 −1 Original line number Diff line number Diff line Loading @@ -322,7 +322,7 @@ public class LdapUserDAO extends LdapDAO } catch (LDAPException e) { logger.error("addUserRequest Exception: " + e, e); logger.error("addUser Exception: " + e, e); LdapUserDAO.checkUserLDAPResult(e.getResultCode()); throw new RuntimeException("Unexpected LDAP exception", e); } Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/UserServlet.java +30 −3 Original line number Diff line number Diff line Loading @@ -84,6 +84,7 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import ca.nrc.cadc.ac.server.web.users.CreateUserAction; import org.apache.log4j.Logger; import ca.nrc.cadc.ac.server.PluginFactory; Loading Loading 
@@ -177,15 +178,41 @@ public class UserServlet extends HttpServlet { log.info(logInfo.start()); AbstractUserAction action = factory.createAction(request); log.debug("create action " + action.getClass().getSimpleName()); action.setAcceptedContentType(getAcceptedContentType(request)); log.debug("content-type: " + getAcceptedContentType(request)); profiler.checkpoint("created action"); // Special case: if the calling subject has a privileged X500Principal, // AND it is a GET request, do not augment the subject. Subject subject; Subject privilegedSubject = getPrivilegedSubject(request); if (action instanceof GetUserAction && privilegedSubject != null) log.debug("privileged subject: " + privilegedSubject); // If the calling subject is not a PrivilegedSubject, // AND it is a PUT request, throw an AccessControlException if (action instanceof CreateUserAction) { profiler.checkpoint("check non-privileged user"); if (privilegedSubject == null) { action.setPrivilegedSubject(false); subject = AuthenticationUtil.getSubject(request); logInfo.setSubject(subject); log.debug("augmented subject: " + subject); profiler.checkpoint("augment subject"); } else { action.setPrivilegedSubject(true); log.debug("subject not augmented: " + privilegedSubject); subject = privilegedSubject; logInfo.setSubject(privilegedSubject); profiler.checkpoint("set privileged user"); } } // If the calling subject has a privileged X500Principal, // AND it is a GET request, do not augment the subject. else if (action instanceof GetUserAction && privilegedSubject != null) { profiler.checkpoint("check privileged user"); subject = Subject.getSubject(AccessController.getContext()); Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/AbstractUserAction.java +11 −0 Original line number Diff line number Diff line Loading @@ -105,6 +105,7 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob private Profiler profiler = new Profiler(AbstractUserAction.class); protected boolean isAugmentUser; protected boolean isPrivilegedSubject; protected UserLogInfo logInfo; protected SyncOutput syncOut; protected UserPersistence userPersistence; Loading @@ -128,6 +129,16 @@ public abstract class AbstractUserAction implements PrivilegedExceptionAction<Ob return this.isAugmentUser; } public void setPrivilegedSubject(final boolean isPrivilegedSubject) { this.isPrivilegedSubject = isPrivilegedSubject; } public boolean isPrivilegedSubject() { return this.isPrivilegedSubject; } public void setLogInfo(UserLogInfo logInfo) { this.logInfo = logInfo; Loading
cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/CreateUserAction.java +6 −0 Original line number Diff line number Diff line Loading @@ -71,6 +71,7 @@ package ca.nrc.cadc.ac.server.web.users; import ca.nrc.cadc.ac.User; import java.io.InputStream; import java.security.AccessControlException; public class CreateUserAction extends AbstractUserAction { Loading @@ -85,6 +86,11 @@ public class CreateUserAction extends AbstractUserAction public void doAction() throws Exception { if (!isPrivilegedSubject) { throw new AccessControlException("non-privileged user cannot create a user"); } final User user = readUser(this.inputStream); userPersistence.addUser(user); Loading