From: Mathieu Baudier Date: Wed, 24 Feb 2010 14:19:02 +0000 (+0000) Subject: Improve security X-Git-Tag: argeo-commons-2.1.30~1643 X-Git-Url: http://git.argeo.org/?a=commitdiff_plain;h=00a5c6cc0b5ed08afba5b34567acd5a4fec4826f;p=lgpl%2Fargeo-commons.git Improve security git-svn-id: https://svn.argeo.org/commons/trunk@3402 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc --- diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF index 900ffba97..6c29e7347 100644 --- a/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF +++ b/security/modules/org.argeo.security.manager.ldap/META-INF/MANIFEST.MF @@ -4,6 +4,8 @@ Import-Package: com.sun.jndi.ldap;resolution:=optional, org.argeo.security, org.argeo.security.ldap, org.argeo.security.ldap.nature, + org.argeo.security.nature, + org.argeo.server.json, org.springframework.beans.factory.config, org.springframework.ldap.core.support, org.springframework.security, diff --git a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml index 49ad482ce..8c4cfb43f 100644 --- a/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml +++ b/security/modules/org.argeo.security.manager.ldap/META-INF/spring/ldap-osgi.xml @@ -10,8 +10,15 @@ interface="org.springframework.security.AuthenticationManager" context-class-loader="service-provider" /> - + + + + + + + \ No newline at end of file diff --git a/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF b/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF index f11855ca5..4135ebdc1 100644 --- a/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF +++ b/security/modules/org.argeo.security.services/META-INF/MANIFEST.MF 
@@ -1,8 +1,5 @@ Bundle-SymbolicName: org.argeo.security.services Bundle-Version: 0.1.3.SNAPSHOT Import-Package: org.argeo.security, - org.argeo.security.core, - org.argeo.security.ldap, - org.argeo.security.nature, - org.argeo.server.json + org.argeo.security.core Bundle-Name: Security Services diff --git a/security/modules/org.argeo.security.services/META-INF/spring/natures.xml b/security/modules/org.argeo.security.services/META-INF/spring/natures.xml deleted file mode 100644 index b2ac1178b..000000000 --- a/security/modules/org.argeo.security.services/META-INF/spring/natures.xml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml b/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml index 4cd0f21f1..e7e64a9fb 100644 --- a/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml +++ b/security/modules/org.argeo.security.services/META-INF/spring/osgi.xml @@ -6,9 +6,8 @@ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"> - + /> \ No newline at end of file diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityDao.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityDao.java index 470c20478..c49b4ccbc 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityDao.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityDao.java @@ -19,8 +19,6 @@ public interface ArgeoSecurityDao { public void deleteRole(String role); - public void updatePassword(String oldPassword, String newPassword); - public Boolean userExists(String username); public ArgeoUser getUser(String username); 
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java index 9470e1d59..73f2908bd 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoSecurityService.java @@ -7,6 +7,8 @@ public interface ArgeoSecurityService { public void updateUserPassword(String username, String password); + public void updateCurrentUserPassword(String oldPassword, String newPassword); + public void newRole(String role); public ArgeoSecurityDao getSecurityDao(); diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java index 0467de8cb..ef64337eb 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultSecurityService.java @@ -1,5 +1,6 @@ package org.argeo.security.core; +import org.argeo.ArgeoException; import org.argeo.security.ArgeoSecurity; import org.argeo.security.ArgeoSecurityDao; import org.argeo.security.ArgeoSecurityService; @@ -25,6 +26,14 @@ public class DefaultSecurityService implements ArgeoSecurityService { securityDao.update(user); } + public void updateCurrentUserPassword(String oldPassword, String newPassword) { + SimpleArgeoUser user = new SimpleArgeoUser(securityDao.getCurrentUser()); + if (!user.getPassword().equals(oldPassword)) + throw new ArgeoException("Old password is not correct."); + user.setPassword(newPassword); + securityDao.update(user); + } + public void newUser(ArgeoUser user) { user.getUserNatures().clear(); argeoSecurity.beforeCreate(user); 
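Review bot: The new `updateCurrentUserPassword(String oldPassword, String newPassword)` is declared without Javadoc, directly below `updateUserPassword(String username, String password)`, which takes no old password. The contract should state that the method acts on the authenticated user, verifies `oldPassword`, and what it throws on a mismatch, for example `/** Changes the password of the currently authenticated user after verifying oldPassword; throws ArgeoException if it does not match. */`. It would also help to document `updateUserPassword` as the unverified variant (presumably an administrative reset) so callers do not expose it to ordinary users. Whether any access control is applied to it is not visible in this hunk.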
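Review bot: `user.getPassword().equals(oldPassword)` in the new `updateCurrentUserPassword` is only correct if the DAO returns the stored password in clear text. With `ArgeoSecurityDaoLdap` as the DAO the stored value is presumably a hashed `userPassword`, so the check would either always fail or imply that clear-text passwords are kept in the directory. The `updatePassword` method this commit removes from `ArgeoSecurityDaoLdap` delegated to `userDetailsManager.changePassword(oldPassword, newPassword)` and left verification to the backend; keeping that path, or checking the old password through the configured password encoder, is safer than a string comparison here. As written the method also throws a NullPointerException when `getCurrentUser()` or `getPassword()` returns null, and `String.equals` is not a constant-time comparison, so at minimum guard with `if (stored == null || !MessageDigest.isEqual(stored.getBytes("UTF-8"), oldPassword.getBytes("UTF-8")))`. Whether `securityDao.update(user)` encodes `newPassword` before storing it is not visible in this hunk and should be confirmed.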
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java index 2fa2ce8b9..29c2e743d 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java @@ -150,10 +150,6 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean userDetailsManager.deleteUser(username); } - public void updatePassword(String oldPassword, String newPassword) { - userDetailsManager.changePassword(oldPassword, newPassword); - } - public Boolean userExists(String username) { return userDetailsManager.userExists(username); } diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java index d553c31c3..0366096aa 100644 --- a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java +++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java 
@@ -36,20 +36,6 @@ public class UsersRolesController implements MvcConstants { return argeoUser; } - // @RequestMapping("/login.security") - // @ModelAttribute(ANSWER_MODEL_KEY) - // public ArgeoUser login(@RequestParam("username") String username, - // @RequestParam("password") String password) { - // //SecurityContextHolder.getContext().getAuthentication(). - // return securityService.getSecurityDao().getCurrentUser(); - // } - // - // @RequestMapping("/logout.security") - // @ModelAttribute(ANSWER_MODEL_KEY) - // public ServerAnswer logout() { - // return ServerAnswer.ok("Logged out"); - // } - @RequestMapping("/getUsersList.security") @ModelAttribute(ANSWER_MODEL_KEY) public List getUsersList() { @@ -140,9 +126,9 @@ public class UsersRolesController implements MvcConstants { @RequestMapping("/updatePassword.security") @ModelAttribute(ANSWER_MODEL_KEY) public ServerAnswer updatePassword( - @RequestParam("password") String password, - @RequestParam("oldPassword") String oldPassword) { - securityService.getSecurityDao().updatePassword(oldPassword, password); + @RequestParam("oldPassword") String oldPassword, + @RequestParam("password") String password) { + securityService.updateCurrentUserPassword(oldPassword, password); return ServerAnswer.ok("Password updated"); }
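Review bot: The `/updatePassword.security` mapping does not restrict the HTTP method, so `oldPassword` and `password` can arrive as query-string parameters on a GET and end up in access logs, proxy logs and browser history. Restricting it with `@RequestMapping(value = "/updatePassword.security", method = RequestMethod.POST)` keeps the credentials in the request body and stops a plain cross-site link or image request from triggering the change. The `ArgeoException` that `updateCurrentUserPassword` throws on a wrong old password is not handled in this method, so how a failure reaches the client depends on exception handling outside the hunk. Nothing visible here limits repeated wrong-old-password attempts, which is worth confirming elsewhere. The class body continues outside the hunk.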