From: <fc...@us...> - 2007-08-30 15:40:20
Revision: 412 http://openutils.svn.sourceforge.net/openutils/?rev=412&view=rev Author: fcarone Date: 2007-08-30 08:40:19 -0700 (Thu, 30 Aug 2007) Log Message: ----------- Test app added, but everything is in progress Modified Paths: -------------- trunk/openutils-hibernate-security/pom.xml trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/filter/JavaBeanFilter.java trunk/openutils-hibernate-security/src/test/resources/hibernate.cfg.xml trunk/openutils-hibernate-security/src/test/resources/spring-dao.xml trunk/openutils-hibernate-security/src/test/resources/spring-tests.xml Added Paths: ----------- trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateDAOSecurityInterceptor.java trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/SecurityIntegrationTest.java trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/ trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDAO.java trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDaoImpl.java trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDataobject.java trunk/openutils-hibernate-security/src/test/resources/spring-security.xml Removed Paths: ------------- trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateRUDSecurityInterceptor.java
Modified: trunk/openutils-hibernate-security/pom.xml
===================================================================
--- trunk/openutils-hibernate-security/pom.xml 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/pom.xml 2007-08-30 15:40:19 UTC (rev 412)
@@ -13,8 +13,31 @@
 <name>openutils-hibernate-security</name>
 <version>0.0.1-SNAPSHOT</version>
 <description>Hibernate Security classes</description>
+ <properties>
+ <spring.version>2.0.6</spring.version>
+ </properties>
 <dependencies>
 <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-core</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-dao</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-aop</artifactId>
+ <version>${spring.version}</version>
+ </dependency>
+ <dependency>
 <groupId>net.sourceforge.openutils</groupId>
 <artifactId>openutils-usermanagement</artifactId>
 <version>1.1.1</version>
@@ -69,7 +92,7 @@
 <dependency>
 <groupId>commons-lang</groupId>
 <artifactId>commons-lang</artifactId>
- <version>2.3</version>
+ <version>2.2</version>
 </dependency>
 <dependency>
 <groupId>org.acegisecurity</groupId>
Copied: trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateDAOSecurityInterceptor.java (from rev 393, trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateRUDSecurityInterceptor.java)
===================================================================
--- trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateDAOSecurityInterceptor.java (rev 0)
+++ trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateDAOSecurityInterceptor.java 2007-08-30 15:40:19 UTC (rev 412)
@@ -0,0 +1,132 @@
+/*
+ * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
+ */
+package it.openutils.hibernate.security.aop;
+
+import it.openutils.hibernate.security.dataobject.SecurityRule;
+import it.openutils.hibernate.security.services.SecurityRuleManager;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.context.SecurityContextHolder;
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+import org.apache.commons.lang.StringUtils;
+import org.hibernate.Filter;
+import org.hibernate.SessionFactory;
+import org.hibernate.criterion.Criterion;
+import org.hibernate.criterion.Restrictions;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+/**
+ * This is a Hibernate Read-Update-Delete security interceptor. This enforces a DENY_ALL default policy.
+ * @author fcarone
+ * @version $Id: $
+ */
+public class HibernateDAOSecurityInterceptor implements MethodInterceptor
+{
+
+ /**
+ * Logger.
+ */
+ private Logger log = LoggerFactory.getLogger(HibernateDAOSecurityInterceptor.class);
+
+ private SecurityRuleManager securityRuleManager;
+
+ private SessionFactory sessionFactory;
+
+ public HibernateDAOSecurityInterceptor()
+ {
+ super();
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public Object invoke(MethodInvocation invocation) throws Throwable
+ {
+ Object[] arguments = invocation.getArguments();
+ Object checkArgument = arguments[arguments.length - 1];
+ if (!StringUtils.equals(invocation.getMethod().getName(), "findFiltered"))
+ {
+ return invocation.proceed();
+ }
+ if (!(checkArgument instanceof List))
+ {
+ return invocation.proceed();
+ }
+
+ String entity = StringUtils.EMPTY;
+ for (int i = 0; i < arguments.length; i++)
+ {
+ Object argument = arguments[i];
+ if (sessionFactory.getClassMetadata(argument.getClass()) != null)
+ {
+ entity = argument.getClass().getCanonicalName();
+ break;
+ }
+ }
+
+ // the current invocation is not about any session managed entity
+ if (StringUtils.isEmpty(entity))
+ {
+ return invocation.proceed();
+ }
+
+ GrantedAuthority[] authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
+ List<String> roles = new ArrayList<String>();
+ for (int i = 0; i < authorities.length; i++)
+ {
+ roles.add(authorities[i].getAuthority());
+ }
+ List<SecurityRule> rules = securityRuleManager.getRulesForRoles(entity, roles);
+
+ if (rules.isEmpty())
+ {
+ String grantedRoles = StringUtils.EMPTY;
+ for (int i = 0; i < authorities.length; i++)
+ {
+ grantedRoles += authorities[i].getAuthority() + " ";
+ }
+ log.error("Access is denied for entity {}, and roles {}", entity, grantedRoles);
+ throw new SecurityException("Access denied");
+ }
+
+ Filter filter = securityRuleManager.getEntityFilterFromRules(entity, rules);
+
+ Criterion sqlCriterion = Restrictions.sqlRestriction(filter.getFilterDefinition().getDefaultFilterCondition());
+
+ if (StringUtils.equals(invocation.getMethod().getName(), "findFiltered"))
+ {
+ Object argument = arguments[arguments.length - 1];
+ ((List) argument).add(sqlCriterion);
+ }
+
+ Object result = invocation.proceed();
+
+ return result;
+ }
+
+ /**
+ * Sets the securityRuleManager.
+ * @param securityRuleManager the securityRuleManager to set
+ */
+ public void setSecurityRuleManager(SecurityRuleManager securityRuleManager)
+ {
+ this.securityRuleManager = securityRuleManager;
+ }
+
+ /**
+ * Sets the sessionFactory.
+ * @param sessionFactory the sessionFactory to set
+ */
+ public void setSessionFactory(SessionFactory sessionFactory)
+ {
+ this.sessionFactory = sessionFactory;
+ }
+
+}
Deleted: trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateRUDSecurityInterceptor.java
===================================================================
--- trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateRUDSecurityInterceptor.java 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/aop/HibernateRUDSecurityInterceptor.java 2007-08-30 15:40:19 UTC (rev 412)
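Review bot: `invoke` fails open for everything except a `findFiltered` call whose last argument is a `List`: the two early `return invocation.proceed()` guards let every other DAO method, and any `findFiltered` overload without a trailing `List`, run with no rule lookup at all, which contradicts the class Javadoc's "DENY_ALL default policy". The guards are also fragile: `arguments[arguments.length - 1]` is read before the name check and throws on a no-argument method, `argument.getClass()` throws on a null argument, and `getAuthentication()` is dereferenced without a null check, so a caller with no authentication in the context gets a `NullPointerException` instead of a logged denial. The string handed to `Restrictions.sqlRestriction` comes from `getDefaultFilterCondition()`; if rule values can be edited by less-trusted users (not visible here), it has to be bound or escaped where it is built. I would reorder the guards as below and either deny unhandled methods or correct the Javadoc to say that only `findFiltered(..., List)` is protected; the second `findFiltered` name check before the `add` is then redundant.

```java
    Object[] arguments = invocation.getArguments();
    // Anything that is not findFiltered(..., List) is still passed through without a rule check.
    if (!StringUtils.equals(invocation.getMethod().getName(), "findFiltered")
        || arguments.length == 0
        || !(arguments[arguments.length - 1] instanceof List))
    {
        return invocation.proceed();
    }

    // … unchanged: entity lookup loop, except for the null guard on the next line …
        if (argument != null && sessionFactory.getClassMetadata(argument.getClass()) != null)

    // … unchanged: pass-through when no mapped entity is found …

    // requires import org.acegisecurity.Authentication
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null)
    {
        log.error("Access is denied for entity {}: no authentication in the security context", entity);
        throw new SecurityException("Access denied");
    }
    GrantedAuthority[] authorities = authentication.getAuthorities();

    // … unchanged: role collection, rule lookup, denial, criterion added to the trailing List, proceed …
```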
@@ -1,109 +0,0 @@
-/*
- * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
- */
-package it.openutils.hibernate.security.aop;
-
-import it.openutils.hibernate.security.dataobject.SecurityRule;
-import it.openutils.hibernate.security.services.SecurityRuleManager;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.acegisecurity.GrantedAuthority;
-import org.acegisecurity.context.SecurityContextHolder;
-import org.aopalliance.intercept.MethodInterceptor;
-import org.aopalliance.intercept.MethodInvocation;
-import org.apache.commons.lang.StringUtils;
-import org.hibernate.Filter;
-import org.hibernate.SessionFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-
-/**
- * This is a Hibernate Read-Update-Delete security interceptor. This enforces a DENY_ALL default policy.
- * @author fcarone
- * @version $Id: $
- */
-public class HibernateRUDSecurityInterceptor implements MethodInterceptor
-{
-
- /**
- * Logger.
- */
- private Logger log = LoggerFactory.getLogger(HibernateRUDSecurityInterceptor.class);
-
- private SecurityRuleManager securityRuleManager;
-
- private SessionFactory sessionFactory;
-
- /**
- * {@inheritDoc}
- */
- public Object invoke(MethodInvocation invocation) throws Throwable
- {
- Object[] arguments = invocation.getArguments();
-
- String entity = StringUtils.EMPTY;
- for (int i = 0; i < arguments.length; i++)
- {
- Object argument = arguments[i];
- if (sessionFactory.getClassMetadata(argument.getClass()) != null)
- {
- entity = argument.getClass().getCanonicalName();
- break;
- }
- }
-
- // the current invocation is not about any session managed entity
- if (StringUtils.isEmpty(entity))
- {
- return invocation.proceed();
- }
-
- GrantedAuthority[] authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
- List<String> roles = new ArrayList<String>();
- for (int i = 0; i < authorities.length; i++)
- {
- roles.add(authorities[i].getAuthority());
- }
- List<SecurityRule> rules = securityRuleManager.getRulesForRoles(entity, roles);
-
- if (rules.isEmpty())
- {
- String grantedRoles = StringUtils.EMPTY;
- for (int i = 0; i < authorities.length; i++)
- {
- grantedRoles += authorities[i].getAuthority() + " ";
- }
- log.error("Access is denied for entity {}, and roles {}", entity, grantedRoles);
- throw new SecurityException("Access is denied");
- }
-
- Filter filter = securityRuleManager.getEntityFilterFromRules(entity, rules);
-
- sessionFactory.getCurrentSession().enableFilter(filter.getName());
- Object result = invocation.proceed();
- sessionFactory.getCurrentSession().disableFilter(filter.getName());
- return result;
- }
-
- /**
- * Sets the securityRuleManager.
- * @param securityRuleManager the securityRuleManager to set
- */
- public void setSecurityRuleManager(SecurityRuleManager securityRuleManager)
- {
- this.securityRuleManager = securityRuleManager;
- }
-
- /**
- * Sets the sessionFactory.
- * @param sessionFactory the sessionFactory to set
- */
- public void setSessionFactory(SessionFactory sessionFactory)
- {
- this.sessionFactory = sessionFactory;
- }
-
-}
Modified: trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/filter/JavaBeanFilter.java
===================================================================
--- trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/filter/JavaBeanFilter.java 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/src/main/java/it/openutils/hibernate/security/filter/JavaBeanFilter.java 2007-08-30 15:40:19 UTC (rev 412)
@@ -41,6 +41,7 @@
 * @throws SecurityException If the bean class cannot be accessed
 * @throws NoSuchFieldException If the property contained in the security rule refers to a bean non-existent field
 */
+ @SuppressWarnings("unchecked")
 public JavaBeanFilter(String bean, List<SecurityRule> securityRules) throws ClassNotFoundException, InstantiationException,
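Review bot: `@SuppressWarnings("unchecked")` on the whole `JavaBeanFilter` constructor silences every unchecked conversion in a body that, judging by the declared `ClassNotFoundException` and `InstantiationException`, loads and instantiates a class by name; the constructor body is outside this hunk, so which statement needs the suppression cannot be seen here. In a security filter I would narrow the annotation to the single local declaration that performs the cast and add a comment such as `// safe: <reason the cast cannot fail>`. The same annotation is added to `setParameterList` in the next hunk (@@ -165,6 +166,7 @@), where the visible body is only `return this;` and the warning presumably comes from the raw `Collection` parameter imposed by the interface; a one-line comment saying so would be enough there.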
@@ -165,6 +166,7 @@
 /**
 * {@inheritDoc}
 */
+ @SuppressWarnings("unchecked")
 public Filter setParameterList(String name, Collection values)
 {
 return this;
Added: trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/SecurityIntegrationTest.java
===================================================================
--- trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/SecurityIntegrationTest.java (rev 0)
+++ trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/SecurityIntegrationTest.java 2007-08-30 15:40:19 UTC (rev 412)
@@ -0,0 +1,37 @@
+package it.openutils.hibernate.security;
+
+import it.openutils.hibernate.security.apptest.DummyDAO;
+import it.openutils.hibernate.security.apptest.DummyDataobject;
+import it.openutils.testing.junit.SpringTestCase;
+
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+/*
+ * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
+ */
+
+/**
+ * @author fcarone
+ * @version $Id: $
+ */
+public class SecurityIntegrationTest extends SpringTestCase
+{
+
+ private DummyDAO securedObject;
+
+ /**
+ * @throws Exception Any exception
+ */
+ @Test
+ public void testRulesApplication() throws Exception
+ {
+ securedObject = (DummyDAO) ctx.getBean("dummyDAO");
+ DummyDataobject filter = new DummyDataobject();
+ List<DummyDataobject> dummyObjects = securedObject.findFiltered(filter);
+ Assert.assertNotNull(dummyObjects);
+ }
+
+}
Added: trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDAO.java
===================================================================
--- trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDAO.java (rev 0)
+++ trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDAO.java 2007-08-30 15:40:19 UTC (rev 412)
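Review bot: `testRulesApplication` does not reach the rule-checking path it is named after: it calls `securedObject.findFiltered(filter)` with a single `DummyDataobject`, and `HibernateDAOSecurityInterceptor.invoke` in this same commit returns `invocation.proceed()` whenever the last argument is not a `List`. The only assertion, `Assert.assertNotNull(dummyObjects)`, therefore passes whether or not any security rule is applied. The visible test code also puts no `Authentication` into `SecurityContextHolder` and has no negative case. I would add one test that populates the context with a role that has no rules and expects `SecurityException`, and one that checks the returned rows are actually restricted by a rule.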
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
+ */
+package it.openutils.hibernate.security.apptest;
+
+import it.openutils.dao.hibernate.HibernateDAO;
+
+
+/**
+ * @author fcarone
+ * @version $Id: $
+ */
+public interface DummyDAO extends HibernateDAO<DummyDataobject, Long>
+{
+
+}
Added: trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDaoImpl.java
===================================================================
--- trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDaoImpl.java (rev 0)
+++ trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDaoImpl.java 2007-08-30 15:40:19 UTC (rev 412)
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
+ */
+package it.openutils.hibernate.security.apptest;
+
+import it.openutils.dao.hibernate.HibernateDAOImpl;
+
+
+/**
+ * @author fcarone
+ * @version $Id: $
+ */
+public class DummyDaoImpl extends HibernateDAOImpl<DummyDataobject, Long> implements DummyDAO
+{
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ protected Class<DummyDataobject> getReferenceClass()
+ {
+ return DummyDataobject.class;
+ }
+
+}
Added: trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDataobject.java
===================================================================
--- trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDataobject.java (rev 0)
+++ trunk/openutils-hibernate-security/src/test/java/it/openutils/hibernate/security/apptest/DummyDataobject.java 2007-08-30 15:40:19 UTC (rev 412)
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) Openmind. All rights reserved. http://www.openmindonline.it
+ */
+package it.openutils.hibernate.security.apptest;
+
+import javax.persistence.Column;
+import javax.persistence.Id;
+
+
+/**
+ * @author fcarone
+ * @version $Id: $
+ */
+public class DummyDataobject
+{
+
+ /**
+ * serial version UID
+ */
+ private static final long serialVersionUID = 1867418705382284287L;
+
+ @Id
+ @Column(name = "ID", precision = 18)
+ private Long id;
+
+ @Column(name = "INTVALUE", precision = 10)
+ private Integer intValue;
+
+ @Column(name = "STRINGVALUE", length = 16)
+ private String stringValue;
+
+
+ /**
+ * Returns the stringValue.
+ * @return the stringValue
+ */
+ public String getStringValue()
+ {
+ return stringValue;
+ }
+
+
+ /**
+ * Sets the stringValue.
+ * @param stringValue the stringValue to set
+ */
+ public void setStringValue(String stringValue)
+ {
+ this.stringValue = stringValue;
+ }
+
+
+
+ /**
+ * Returns the id.
+ * @return the id
+ */
+ public Long getId()
+ {
+ return id;
+ }
+
+
+
+ /**
+ * Sets the id.
+ * @param id the id to set
+ */
+ public void setId(Long id)
+ {
+ this.id = id;
+ }
+
+
+
+ /**
+ * Returns the intValue.
+ * @return the intValue
+ */
+ public Integer getIntValue()
+ {
+ return intValue;
+ }
+
+
+
+ /**
+ * Sets the intValue.
+ * @param intValue the intValue to set
+ */
+ public void setIntValue(Integer intValue)
+ {
+ this.intValue = intValue;
+ }
+
+
+
+}
Modified: trunk/openutils-hibernate-security/src/test/resources/hibernate.cfg.xml
===================================================================
--- trunk/openutils-hibernate-security/src/test/resources/hibernate.cfg.xml 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/src/test/resources/hibernate.cfg.xml 2007-08-30 15:40:19 UTC (rev 412)
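Review bot: `DummyDataobject` declares `serialVersionUID` but does not implement `Serializable`, so the constant is dead; either add `implements Serializable` or drop the field. The class also carries `@Id` and `@Column` but no `@Entity` (only `Column` and `Id` are imported), while this commit registers it with a `<mapping class=...>` entry in hibernate.cfg.xml; if the session factory is built from annotations (that configuration is not visible here), the mapping will probably be rejected at startup. I would add `@Entity` and `@Table(name = "<test table name>")` matching the test schema.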
@@ -3,6 +3,7 @@
 "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
 <hibernate-configuration>
 <session-factory>
- <mapping class="it.openutils.hibernate.security.dataobject.SecurityRule" />
+ <mapping class="it.openutils.hibernate.security.dataobject.SecurityRule" />
+ <mapping class="it.openutils.hibernate.security.apptest.DummyDataobject" />
 </session-factory>
 </hibernate-configuration>
\ No newline at end of file
Modified: trunk/openutils-hibernate-security/src/test/resources/spring-dao.xml
===================================================================
--- trunk/openutils-hibernate-security/src/test/resources/spring-dao.xml 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/src/test/resources/spring-dao.xml 2007-08-30 15:40:19 UTC (rev 412)
@@ -4,9 +4,16 @@
 <beans>
 <bean id="securityRuleDAO" parent="txProxyTemplate">
 <property name="target">
- <bean class="it.openutils.hibernate.security.dao.SecurityRuleDAOImpl">
+ <bean class="it.openutils.hibernate.security.dao.impl.SecurityRuleDAOImpl">
 <property name="sessionFactory" ref="sessionFactory" />
 </bean>
 </property>
+ </bean>
+ <bean id="dummyDAO" parent="txProxyTemplate">
+ <property name="target">
+ <bean class="it.openutils.hibernate.security.apptest.DummyDaoImpl">
+ <property name="sessionFactory" ref="sessionFactory" />
+ </bean>
+ </property>
 </bean>
 </beans>
\ No newline at end of file
Added: trunk/openutils-hibernate-security/src/test/resources/spring-security.xml
===================================================================
--- trunk/openutils-hibernate-security/src/test/resources/spring-security.xml (rev 0)
+++ trunk/openutils-hibernate-security/src/test/resources/spring-security.xml 2007-08-30 15:40:19 UTC (rev 412)
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
+"http://www.springframework.org/dtd/spring-beans.dtd">
+<beans>
+ <bean id="securityInterceptor" class="it.openutils.hibernate.security.aop.HibernateDAOSecurityInterceptor">
+ <property name="securityRuleManager" ref="securityRuleManager" />
+ <property name="sessionFactory" ref="sessionFactory" />
+ </bean>
+ <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
+ <property name="beanNames">
+ <list>
+ <idref bean="dummyDAO" />
+ </list>
+ </property>
+ <property name="interceptorNames">
+ <list>
+ <value>securityInterceptor</value>
+ </list>
+ </property>
+ </bean>
+</beans>
Modified: trunk/openutils-hibernate-security/src/test/resources/spring-tests.xml
===================================================================
--- trunk/openutils-hibernate-security/src/test/resources/spring-tests.xml 2007-08-14 12:55:10 UTC (rev 411)
+++ trunk/openutils-hibernate-security/src/test/resources/spring-tests.xml 2007-08-30 15:40:19 UTC (rev 412)
@@ -4,5 +4,8 @@
 <import resource="classpath:spring-database.xml" />
 <import resource="classpath:spring-hibernate.xml" />
 <import resource="classpath:spring-dao.xml" />
- <import resource="classpath:spring-managers.xml" />
+ <import resource="classpath:spring-managers.xml" />
+ <import resource="classpath:spring-security.xml" />
+
+
 </beans>
\ No newline at end of file
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |