From: Mathieu Baudier Date: Sun, 7 Nov 2010 18:39:44 +0000 (+0000) Subject: Adapt security for JSP UI, breaks RIA UI (user natures collection) X-Git-Tag: argeo-commons-2.1.30~1570 X-Git-Url: http://git.argeo.org/?a=commitdiff_plain;h=79d37fb873ba8ebaafe64c924f53bc9c76ea6d8c;p=lgpl%2Fargeo-commons.git Adapt security for JSP UI, breaks RIA UI (user natures collection) git-svn-id: https://svn.argeo.org/commons/trunk@3852 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc --- diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoUser.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoUser.java index 576baf650..d77a29647 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoUser.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ArgeoUser.java @@ -17,14 +17,15 @@ package org.argeo.security; import java.util.List; +import java.util.Map; public interface ArgeoUser { public String getUsername(); - public List getUserNatures(); + public Map getUserNatures(); /** Implementation should refuse to add new user natures via this method. */ - public void updateUserNatures(List userNatures); + public void updateUserNatures(Map userNatures); public List getRoles(); diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/SimpleArgeoUser.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/SimpleArgeoUser.java index 9dd3d6943..19c45dfba 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/SimpleArgeoUser.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/SimpleArgeoUser.java 
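Review bot: `getUserNatures()` now returns a raw `Map` and nothing on the interface says what the keys are; in this commit they are the `UserNatureMapper.getName()` values (`"simple"`, `"coworker"`), which a reader of `ArgeoUser` cannot know. Declare it as `Map<String, UserNature>` if the bundle compiles with generics, and in any case document it: `/** User natures keyed by the name of the mapper that produced them (see UserNatureMapper#getName()). */`. The same applies to the `updateUserNatures` parameter, whose existing comment covers only the add/remove restriction, not the keying.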
@@ -18,14 +18,16 @@ package org.argeo.security; import java.io.Serializable; import java.util.ArrayList; +import java.util.HashMap; import java.util.List; +import java.util.Map; public class SimpleArgeoUser implements ArgeoUser, Serializable { private static final long serialVersionUID = 1L; private String username; private String password; - private List userNatures = new ArrayList(); + private Map userNatures = new HashMap(); private List roles = new ArrayList(); public SimpleArgeoUser() { @@ -35,15 +37,16 @@ public class SimpleArgeoUser implements ArgeoUser, Serializable { public SimpleArgeoUser(ArgeoUser argeoUser) { username = argeoUser.getUsername(); password = argeoUser.getPassword(); - userNatures = new ArrayList(argeoUser.getUserNatures()); + userNatures = new HashMap( + argeoUser.getUserNatures()); roles = new ArrayList(argeoUser.getRoles()); } - public List getUserNatures() { + public Map getUserNatures() { return userNatures; } - public void updateUserNatures(List userNaturesData) { + public void updateUserNatures(Map userNaturesData) { UserNature.updateUserNaturesWithCheck(userNatures, userNaturesData); } @@ -59,7 +62,7 @@ public class SimpleArgeoUser implements ArgeoUser, Serializable { this.username = username; } - public void setUserNatures(List userNatures) { + public void setUserNatures(Map userNatures) { this.userNatures = userNatures; } diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserNature.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserNature.java index 52d1cd1fa..25710e405 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserNature.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/UserNature.java @@ -18,6 +18,7 @@ package org.argeo.security; import java.io.Serializable; import java.util.List; +import java.util.Map; import org.argeo.ArgeoException; 
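Review bot: `getUserNatures()` hands out the live `HashMap` and `setUserNatures` keeps the caller's reference, so anyone holding a `SimpleArgeoUser` can add or remove natures, which is exactly what the interface comment says `updateUserNatures` must refuse; `DefaultArgeoSecurity.beforeCreate` in this commit relies on that back door. The copy constructor is also a shallow copy: `new HashMap(argeoUser.getUserNatures())` shares the `UserNature` instances with the source (typically the authenticated principal), and it copies `getPassword()` into a plain `Serializable` bean that later travels to the web layer. If both are intended, say so in a class comment, e.g. `/** Mutable, serializable user bean. The natures map is live and shared with callers; the password field is copied verbatim from the source user. */`. Otherwise return `Collections.unmodifiableMap(userNatures)` from the getter and give `beforeCreate` a dedicated add method.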
@@ -38,7 +39,8 @@ public class UserNature implements Serializable { } public final static void updateUserNaturesWithCheck( - List userNatures, List userNaturesData) { + Map userNatures, + Map userNaturesData) { if (userNatures.size() != userNaturesData.size()) throw new ArgeoException( "It is forbidden to add or remove user natures via this method"); @@ -55,8 +57,8 @@ public class UserNature implements Serializable { "Could not find a user nature of type " + type); } - for (int i = 0; i < userNatures.size(); i++) { - userNatures.set(i, userNaturesData.get(i)); + for (String key : userNatures.keySet()) { + userNatures.put(key, userNaturesData.get(key)); } } } diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/ArgeoUserDetails.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/ArgeoUserDetails.java index 10f850444..1948d1252 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/ArgeoUserDetails.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/ArgeoUserDetails.java @@ -19,6 +19,7 @@ package org.argeo.security.core; import java.util.ArrayList; import java.util.Collections; import java.util.List; +import java.util.Map; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -28,6 +29,7 @@ import org.argeo.security.UserNature; import org.springframework.security.Authentication; import org.springframework.security.GrantedAuthority; import org.springframework.security.GrantedAuthorityImpl; +import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.userdetails.User; import org.springframework.security.userdetails.UserDetails; 
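Review bot: The guard only compares sizes, so a `userNaturesData` map with the same number of entries but a different key set passes it; the loop then stores `userNaturesData.get(key)` — `null` — over the existing nature and silently drops the extra entry, which is precisely the add/remove the check claims to forbid. Compare the key sets instead: `if (!userNatures.keySet().equals(userNaturesData.keySet())) throw new ArgeoException("It is forbidden to add or remove user natures via this method");`. The unchanged middle of the method (the per-type lookup that throws "Could not find a user nature of type") is outside the hunk, so I cannot tell whether it already covers keys; calling `put` on existing keys while iterating `keySet()` is fine since it is not a structural modification.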
@@ -35,14 +37,14 @@ public class ArgeoUserDetails extends User implements ArgeoUser { private static final long serialVersionUID = 1L; private final static Log log = LogFactory.getLog(ArgeoUserDetails.class); - private final List userNatures; + private final Map userNatures; private final List roles; - public ArgeoUserDetails(String username, List userNatures, + public ArgeoUserDetails(String username, Map userNatures, String password, GrantedAuthority[] authorities) throws IllegalArgumentException { super(username, password, true, true, true, true, authorities); - this.userNatures = Collections.unmodifiableList(userNatures); + this.userNatures = Collections.unmodifiableMap(userNatures); // Roles this.roles = Collections.unmodifiableList(addAuthoritiesToRoles( @@ -54,11 +56,11 @@ public class ArgeoUserDetails extends User implements ArgeoUser { .getPassword(), rolesToAuthorities(argeoUser.getRoles())); } - public List getUserNatures() { + public Map getUserNatures() { return userNatures; } - public void updateUserNatures(List userNaturesData) { + public void updateUserNatures(Map userNaturesData) { UserNature.updateUserNaturesWithCheck(userNatures, userNaturesData); } 
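Review bot: `this.userNatures = Collections.unmodifiableMap(userNatures)` and `updateUserNatures` cannot both be right: `UserNature.updateUserNaturesWithCheck` ends with `userNatures.put(key, ...)` on that unmodifiable view, so `updateUserNatures` on an `ArgeoUserDetails` throws `UnsupportedOperationException` once the checks pass. This was already true with `unmodifiableList` and `set(i, ...)` before the commit, so it is carried over rather than introduced. Either keep a private mutable copy (`this.userNatures = new HashMap(userNatures);`) and return an unmodifiable view from `getUserNatures()`, or make `updateUserNatures` throw a deliberate `UnsupportedOperationException("ArgeoUserDetails is read-only; update through SimpleArgeoUser")` and document that on the class.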
@@ -93,25 +95,34 @@ public class ArgeoUserDetails extends User implements ArgeoUser { } else { SimpleArgeoUser argeoUser = new SimpleArgeoUser(); argeoUser.setUsername(userDetails.getUsername()); - addAuthoritiesToRoles(userDetails.getAuthorities(), argeoUser - .getRoles()); + addAuthoritiesToRoles(userDetails.getAuthorities(), + argeoUser.getRoles()); return argeoUser; } } + /** Creates an argeo user based on spring authentication */ public static ArgeoUser asArgeoUser(Authentication authentication) { if (authentication == null) return null; if (authentication.getPrincipal() instanceof ArgeoUser) { - return new SimpleArgeoUser((ArgeoUser) authentication - .getPrincipal()); + return new SimpleArgeoUser( + (ArgeoUser) authentication.getPrincipal()); } else { SimpleArgeoUser argeoUser = new SimpleArgeoUser(); argeoUser.setUsername(authentication.getName()); - addAuthoritiesToRoles(authentication.getAuthorities(), argeoUser - .getRoles()); + addAuthoritiesToRoles(authentication.getAuthorities(), + argeoUser.getRoles()); return argeoUser; } } + + /** The Spring security context as an argeo user */ + public static ArgeoUser securityContextUser() { + Authentication authentication = SecurityContextHolder.getContext() + .getAuthentication(); + ArgeoUser argeoUser = ArgeoUserDetails.asArgeoUser(authentication); + return argeoUser; + } } diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultArgeoSecurity.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultArgeoSecurity.java index 009beb97b..494828343 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultArgeoSecurity.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/core/DefaultArgeoSecurity.java 
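Review bot: `securityContextUser()` and `asArgeoUser(Authentication)` return `null` for an unauthenticated context, and for a principal that is not an `ArgeoUser` they return a user with roles but no natures; neither javadoc says so, and the new `ArgeoUserInterceptor` stores the result straight into a request attribute. Expand the comments to state the contract, e.g. `/** Copies the principal of the current Spring security context into a detached SimpleArgeoUser; returns null when there is no authentication, and a natures-less user when the principal is not an ArgeoUser. */`. The copy goes through `SimpleArgeoUser`'s copy constructor, so the natures map is a shallow copy and the password is carried along — worth stating in the same comment so web-layer callers do not render it.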
@@ -26,7 +26,7 @@ public class DefaultArgeoSecurity implements ArgeoSecurity { public void beforeCreate(ArgeoUser user) { SimpleUserNature simpleUserNature = new SimpleUserNature(); simpleUserNature.setLastName("empty");// to prevent issue with sn in LDAP - user.getUserNatures().add(simpleUserNature); + user.getUserNatures().put("simple",simpleUserNature); } public String getSuperUsername() { diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java index 350050bbc..f9628c3b2 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoSecurityDaoLdap.java @@ -133,9 +133,7 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean } public ArgeoUser getCurrentUser() { - Authentication authentication = SecurityContextHolder.getContext() - .getAuthentication(); - ArgeoUser argeoUser = ArgeoUserDetails.asArgeoUser(authentication); + ArgeoUser argeoUser = ArgeoUserDetails.securityContextUser(); if (argeoUser == null) return null; if (argeoUser.getRoles().contains(defaultRole)) @@ -191,8 +189,8 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean .executeReadWrite(new ContextExecutor() { public Object executeWithContext(DirContext ctx) throws NamingException { - return LdapUtils.getFullDn(usernameMapper - .buildDn(superuserName), ctx); + return LdapUtils.getFullDn( + usernameMapper.buildDn(superuserName), ctx); } }); 
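Review bot: `user.getUserNatures().put("simple", simpleUserNature)` hard-codes the map key that `SimpleUserNatureMapper.getName()` returns as a separate literal in another package; if either side is renamed the new user ends up with a nature no mapper writes to LDAP, and the `sn` workaround this line exists for silently stops working. Expose the name as a constant on the mapper (`public final static String NAME = "simple";`, with `getName()` returning it) and write `user.getUserNatures().put(SimpleUserNatureMapper.NAME, simpleUserNature);` here, or resolve the key through the configured mapper instead of a literal. The `getCurrentUser` hunk further down the line is a straight extraction into `ArgeoUserDetails.securityContextUser()` and raises nothing new.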
@@ -202,8 +200,8 @@ public class ArgeoSecurityDaoLdap implements ArgeoSecurityDao, InitializingBean context.setAttributeValue("cn", group); // Add superuser because cannot create empty group - context.setAttributeValue(groupMemberAttributeName, superuserDn - .toString()); + context.setAttributeValue(groupMemberAttributeName, + superuserDn.toString()); ldapTemplate.bind(groupDn, context, null); } diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoUserDetailsContextMapper.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoUserDetailsContextMapper.java index 03af0f49b..12c8a3332 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoUserDetailsContextMapper.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/ArgeoUserDetailsContextMapper.java @@ -18,7 +18,9 @@ package org.argeo.security.ldap; import java.util.ArrayList; import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; import org.argeo.security.ArgeoUser; import org.argeo.security.UserNature; @@ -30,8 +32,8 @@ import org.springframework.security.userdetails.UserDetails; import org.springframework.security.userdetails.ldap.UserDetailsContextMapper; public class ArgeoUserDetailsContextMapper implements UserDetailsContextMapper { -// private final static Log log = LogFactory -// .getLog(ArgeoUserDetailsContextMapper.class); + // private final static Log log = LogFactory + // .getLog(ArgeoUserDetailsContextMapper.class); private List userNatureMappers = new ArrayList(); 
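Review bot: The only change to `ArgeoUserDetailsContextMapper`'s field section re-indents a commented-out `Log` declaration; commented-out code should be deleted rather than reformatted, since the compiler never sees it and it goes stale. Drop the two `// private final static Log log = LogFactory ...` lines, or if logging is wanted here reinstate a real `private final static Log log = LogFactory.getLog(ArgeoUserDetailsContextMapper.class);` together with its imports.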
@@ -41,15 +43,15 @@ public class ArgeoUserDetailsContextMapper implements UserDetailsContextMapper { .first(); String password = new String(arr); - List userNatures = new ArrayList(); + Map userNatures = new HashMap(); for (UserNatureMapper userInfoMapper : userNatureMappers) { UserNature userNature = userInfoMapper.mapUserInfoFromContext(ctx); if (userNature != null) - userNatures.add(userNature); + userNatures.put(userInfoMapper.getName(), userNature); } - return new ArgeoUserDetails(username, Collections - .unmodifiableList(userNatures), password, authorities); + return new ArgeoUserDetails(username, + Collections.unmodifiableMap(userNatures), password, authorities); } public void mapUserToContext(UserDetails user, DirContextAdapter ctx) { @@ -58,7 +60,7 @@ public class ArgeoUserDetailsContextMapper implements UserDetailsContextMapper { ctx.setAttributeValue("userPassword", user.getPassword()); if (user instanceof ArgeoUser) { ArgeoUser argeoUser = (ArgeoUser) user; - for (UserNature userNature : argeoUser.getUserNatures()) { + for (UserNature userNature : argeoUser.getUserNatures().values()) { for (UserNatureMapper userInfoMapper : userNatureMappers) { if (userInfoMapper.supports(userNature)) { userInfoMapper.mapUserInfoToContext(userNature, ctx); diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/UserNatureMapper.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/UserNatureMapper.java index 17138116f..152731cfc 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/UserNatureMapper.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/UserNatureMapper.java 
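Review bot: `userNatures.put(userInfoMapper.getName(), userNature)` silently overwrites an earlier nature when two configured mappers report the same name, so a misconfiguration loses LDAP attributes without any error; the write path `mapUserToContext` does not even use the key (it matches by `supports(userNature)`), so the inconsistency would go unnoticed. Fail loudly: `if (userNatures.put(userInfoMapper.getName(), userNature) != null) throw new IllegalStateException("Duplicate user nature mapper name " + userInfoMapper.getName());`. Separately, the unchanged `String password = new String(arr);` in the same hunk decodes the LDAP `userPassword` bytes with the platform charset; if the value has to be a `String` at all, pin it to UTF-8.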
@@ -21,6 +21,8 @@ import org.springframework.ldap.core.DirContextAdapter; import org.springframework.ldap.core.DirContextOperations; public interface UserNatureMapper { + public String getName(); + public void mapUserInfoToContext(UserNature userInfo, DirContextAdapter ctx); public UserNature mapUserInfoFromContext(DirContextOperations ctx); diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/CoworkerUserNatureMapper.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/CoworkerUserNatureMapper.java index d7448f914..761d1186c 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/CoworkerUserNatureMapper.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/CoworkerUserNatureMapper.java @@ -24,13 +24,16 @@ import org.springframework.ldap.core.DirContextOperations; public class CoworkerUserNatureMapper implements UserNatureMapper { + public String getName() { + return "coworker"; + } + public UserNature mapUserInfoFromContext(DirContextOperations ctx) { CoworkerNature nature = new CoworkerNature(); nature.setMobile(ctx.getStringAttribute("mobile")); nature.setTelephoneNumber(ctx.getStringAttribute("telephoneNumber")); - if (nature.getMobile() == null - && nature.getTelephoneNumber() == null) + if (nature.getMobile() == null && nature.getTelephoneNumber() == null) return null; else return nature; @@ -44,8 +47,8 @@ public class CoworkerUserNatureMapper implements UserNatureMapper { } if (nature.getTelephoneNumber() == null || !nature.getTelephoneNumber().equals("")) { - ctx.setAttributeValue("telephoneNumber", nature - .getTelephoneNumber()); + ctx.setAttributeValue("telephoneNumber", + nature.getTelephoneNumber()); } } 
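Review bot: `getName()` is added to `UserNatureMapper` without a comment, yet its return value is now the key of every `ArgeoUser.getUserNatures()` map, must be unique across the mappers wired into `ArgeoUserDetailsContextMapper`, and must match literals used elsewhere (`DefaultArgeoSecurity` puts under `"simple"`). Document that contract on the interface, e.g. `/** Key under which the nature produced by this mapper is stored in ArgeoUser#getUserNatures(); must be unique among configured mappers and stable, since clients presumably address natures by it. */`. `CoworkerUserNatureMapper` further down the line returns the literal `"coworker"`; a public constant per mapper would let callers reference it instead of retyping the string.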
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/SimpleUserNatureMapper.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/SimpleUserNatureMapper.java index bbca1e10c..60ccafbb9 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/SimpleUserNatureMapper.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/ldap/nature/SimpleUserNatureMapper.java @@ -23,6 +23,9 @@ import org.springframework.ldap.core.DirContextAdapter; import org.springframework.ldap.core.DirContextOperations; public class SimpleUserNatureMapper implements UserNatureMapper { + public String getName() { + return "simple"; + } public UserNature mapUserInfoFromContext(DirContextOperations ctx) { SimpleUserNature nature = new SimpleUserNature(); @@ -36,8 +39,8 @@ public class SimpleUserNatureMapper implements UserNatureMapper { public void mapUserInfoToContext(UserNature userInfoArg, DirContextAdapter ctx) { SimpleUserNature nature = (SimpleUserNature) userInfoArg; - ctx.setAttributeValue("cn", nature.getFirstName() + " " - + nature.getLastName()); + ctx.setAttributeValue("cn", + nature.getFirstName() + " " + nature.getLastName()); ctx.setAttributeValue("sn", nature.getLastName()); ctx.setAttributeValue("givenName", nature.getFirstName()); ctx.setAttributeValue("mail", nature.getEmail()); diff --git a/security/runtime/org.argeo.security.core/src/test/java/org/argeo/security/json/ArgeoUserJsonTest.java b/security/runtime/org.argeo.security.core/src/test/java/org/argeo/security/json/ArgeoUserJsonTest.java index c48a9b889..4e9f8ebc8 100644 --- a/security/runtime/org.argeo.security.core/src/test/java/org/argeo/security/json/ArgeoUserJsonTest.java +++ b/security/runtime/org.argeo.security.core/src/test/java/org/argeo/security/json/ArgeoUserJsonTest.java 
@@ -17,8 +17,8 @@ package org.argeo.security.json; import java.io.StringWriter; -import java.util.ArrayList; -import java.util.List; +import java.util.HashMap; +import java.util.Map; import junit.framework.TestCase; @@ -44,16 +44,14 @@ public class ArgeoUserJsonTest extends TestCase { private static Log log = LogFactory.getLog(ArgeoUserJsonTest.class); public void testMapper() throws Exception { - List natures = new ArrayList(); - + Map natures = new HashMap(); SimpleUserNature sun = new SimpleUserNature(); sun.setFirstName("Mickey"); sun.setEmail("username@domain.com"); - natures.add(sun); - + natures.put("simple",sun); CoworkerNature cwn = new CoworkerNature(); cwn.setMobile("+123456789"); - natures.add(cwn); + natures.put("coworker",cwn); GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE1"), new GrantedAuthorityImpl("ROLE2") }; @@ -105,17 +103,17 @@ public class ArgeoUserJsonTest extends TestCase { } public void testSeriDeserialize() { - List natures = new ArrayList(); + Map natures = new HashMap(); JSONArray naturesJo = new JSONArray(); SimpleUserNature sun = new SimpleUserNature(); sun.setEmail("username@domain.com"); - natures.add(sun); + natures.put("simple",sun); naturesJo.put(new JSONObject(sun)); CoworkerNature cwn = new CoworkerNature(); cwn.setMobile("+123456789"); - natures.add(cwn); + natures.put("coworker",cwn); naturesJo.put(new JSONObject(cwn)); GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE1"), diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoUserInterceptor.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoUserInterceptor.java new file mode 100644 index 000000000..74e97a53a --- /dev/null +++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/ArgeoUserInterceptor.java 
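Review bot: `testSeriDeserialize` still collects the natures into a `JSONArray` (`naturesJo.put(new JSONObject(sun))`) while the model they are compared against is now a `Map` keyed by `"simple"`/`"coworker"`; the assertion part of the test is outside the hunk, but the commit message itself says the change breaks the RIA client, which suggests this expected JSON was not moved to the keyed form. Build the expected value as a `JSONObject` keyed by mapper name (`naturesJo.put("simple", new JSONObject(sun));`) or, if the serializer is meant to keep emitting an array, add a comment saying so next to `JSONArray naturesJo`. The blank lines that separated the two nature set-ups in `testMapper` were removed for no reason; keep them.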
@@ -0,0 +1,25 @@
+package org.argeo.security.mvc;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.argeo.security.ArgeoSecurityService;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
+/** Add the current argeo user as an attribute to the request. */
+public class ArgeoUserInterceptor extends HandlerInterceptorAdapter {
+ private ArgeoSecurityService securityService;
+
+ @Override
+ public boolean preHandle(HttpServletRequest request,
+ HttpServletResponse response, Object handler) throws Exception {
+ request.setAttribute("argeoUser", securityService.getSecurityDao()
+ .getCurrentUser());
+ return super.preHandle(request, response, handler);
+ }
+
+ public void setSecurityService(ArgeoSecurityService securityService) {
+ this.securityService = securityService;
+ }
+
+}
diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
index 1f9ae609b..4d59fc500 100644
--- a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
+++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
@@ -17,8 +17,11 @@ package org.argeo.security.mvc; import java.io.Reader; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.List; +import org.apache.commons.codec.binary.Base64; import org.argeo.security.ArgeoSecurityService; import org.argeo.security.ArgeoUser; import org.argeo.security.SimpleArgeoUser; 
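Review bot: `preHandle` publishes the whole `ArgeoUser` as request attribute `argeoUser`, and `getCurrentUser()` (via `ArgeoUserDetails.securityContextUser()`) builds it with `SimpleArgeoUser`'s copy constructor, which copies `getPassword()`; every JSP in the chain can therefore render the stored credential as `${argeoUser.password}`, and whether that field is blank depends on whether the authentication provider erased it, which nothing here checks. Strip it before exposing: `ArgeoUser user = securityService.getSecurityDao().getCurrentUser(); if (user instanceof SimpleArgeoUser) ((SimpleArgeoUser) user).setPassword(null); request.setAttribute("argeoUser", user);` — `SimpleArgeoUser` shows `setUsername` and `setUserNatures` but no `setPassword` in these hunks, so confirm it exists or add it. `securityService` is injected through a setter and never validated, so a missing wiring surfaces as a `NullPointerException` on the first request; add `if (securityService == null) throw new IllegalStateException("securityService not set");` (or implement `InitializingBean`). The class javadoc should also say the attribute may be `null` for an unauthenticated request, since `securityContextUser()` returns `null` then.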
@@ -36,14 +39,16 @@ public class UsersRolesController implements MvcConstants { // private final static Log log = LogFactory // .getLog(UsersRolesController.class); + private String digestType = "SHA"; + private ArgeoSecurityService securityService; private Deserializer userDeserializer = null; /* USER */ - @RequestMapping("/getCredentials.ria") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/getCredentials.*") + @ModelAttribute("user") public ArgeoUser getCredentials() { ArgeoUser argeoUser = securityService.getSecurityDao().getCurrentUser(); if (argeoUser == null) @@ -52,21 +57,20 @@ public class UsersRolesController implements MvcConstants { return argeoUser; } - @RequestMapping("/getUsersList.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/getUsersList.*") + @ModelAttribute("users") public List getUsersList() { return securityService.getSecurityDao().listUsers(); } - @RequestMapping("/userExists.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/userExists.*") public BooleanAnswer userExists(@RequestParam("username") String username) { return new BooleanAnswer(securityService.getSecurityDao().userExists( username)); } - @RequestMapping("/createUser.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/createUser.*") + @ModelAttribute("user") public ArgeoUser createUser(Reader reader) { ArgeoUser user = userDeserializer.deserialize(reader, SimpleArgeoUser.class); @@ -75,8 +79,8 @@ public class UsersRolesController implements MvcConstants { return securityService.getSecurityDao().getUser(user.getUsername()); } - @RequestMapping("/updateUser.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/updateUser.*") + @ModelAttribute("user") public ArgeoUser updateUser(Reader reader) { ArgeoUser user = userDeserializer.deserialize(reader, SimpleArgeoUser.class); 
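Review bot: Every endpoint changes from a fixed extension (`.ria`/`.security`) to `.*`, so `/getUsersList.security`, `/getUsersList.ria`, `/getUsersList.anything` and even `/getUsersList.` now reach the same methods; if the URL-pattern access rules in the Spring Security configuration are keyed on `*.security` (which the old split suggests, though the config is not in this diff), the user-management operations become reachable through an extension those rules do not cover. Keep explicit suffixes per UI (`@RequestMapping({ "/getUsersList.security", "/getUsersList.jsp" })` — the annotation takes an array) or make the authorization method-level (`@Secured`) so it no longer depends on the URL. Separately, `getCredentials()` now binds the full `ArgeoUser` under `"user"`; since `SimpleArgeoUser` carries the password, the view or serializer for `getCredentials.*` must omit it, and a `// password must not be rendered by the view` comment at the return would at least warn the JSP author. The new `digestType` field is a mutable default with no setter visible in this hunk; either add `setDigestType` so it is configurable or make it `final`.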
@@ -84,8 +88,8 @@ public class UsersRolesController implements MvcConstants { return securityService.getSecurityDao().getUser(user.getUsername()); } - @RequestMapping("/updateUserSelf.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/updateUserSelf.*") + @ModelAttribute("user") /** Will only update the user natures.*/ public ArgeoUser updateUserSelf(Reader reader) { ArgeoUser user = securityService.getSecurityDao().getCurrentUser(); 
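Review bot: The javadoc `/** Will only update the user natures.*/` sits between the annotations and the method signature; javadoc has to precede the annotations to be attached to the method, so as written it is a stray comment that tooling ignores. Move it above `@RequestMapping("/updateUserSelf.*")` and make it state the contract, e.g. `/** Updates only the natures of the currently authenticated user; roles and password are left untouched. */`. The body of `updateUserSelf` continues outside the hunk.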
@@ -96,58 +100,74 @@ public class UsersRolesController implements MvcConstants { return securityService.getSecurityDao().getUser(user.getUsername()); } - @RequestMapping("/deleteUser.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/deleteUser.*") public ServerAnswer deleteUser(@RequestParam("username") String username) { securityService.getSecurityDao().delete(username); return ServerAnswer.ok("User " + username + " deleted"); } - @RequestMapping("/getUserDetails.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/getUserDetails.*") + @ModelAttribute("user") public ArgeoUser getUserDetails(@RequestParam("username") String username) { return securityService.getSecurityDao().getUser(username); } /* ROLE */ - @RequestMapping("/getRolesList.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/getRolesList.*") + @ModelAttribute("roles") public List getEditableRolesList() { return securityService.getSecurityDao().listEditableRoles(); } - @RequestMapping("/createRole.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/createRole.*") public ServerAnswer createRole(@RequestParam("role") String role) { securityService.newRole(role); return ServerAnswer.ok("Role " + role + " created"); } - @RequestMapping("/deleteRole.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/deleteRole.*") public ServerAnswer deleteRole(@RequestParam("role") String role) { securityService.getSecurityDao().deleteRole(role); return ServerAnswer.ok("Role " + role + " deleted"); } - @RequestMapping("/updateUserPassword.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/updateUserPassword.*") public ServerAnswer updateUserPassword( @RequestParam("username") String username, @RequestParam("password") String password) { - securityService.updateUserPassword(username, password); + securityService.updateUserPassword(username, + digestIfNecessary(password)); return ServerAnswer.ok("Password updated for user " + 
username); } - @RequestMapping("/updatePassword.security") - @ModelAttribute(ANSWER_MODEL_KEY) + @RequestMapping("/updatePassword.*") public ServerAnswer updatePassword( @RequestParam("oldPassword") String oldPassword, @RequestParam("password") String password) { - securityService.updateCurrentUserPassword(oldPassword, password); + securityService.updateCurrentUserPassword( + digestIfNecessary(oldPassword), digestIfNecessary(password)); return ServerAnswer.ok("Password updated"); } + protected String digestIfNecessary(String str) { + if (!str.startsWith("{" + digestType + "}")) + return digest(str); + else + return str; + } + + protected String digest(String nonEncrypted) { + try { + MessageDigest md = MessageDigest.getInstance(digestType); + byte[] dig = md.digest(nonEncrypted.getBytes()); + return "{" + digestType + "}" + + new String(Base64.encodeBase64(dig)); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException( + "Unexpected exception while digesting password"); + } + } + public void setUserDeserializer(Deserializer userDeserializer) { this.userDeserializer = userDeserializer; }
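Review bot: `digestIfNecessary` trusts the client: any request parameter that already starts with `{SHA}` is stored verbatim, so a caller of `updateUserPassword.*` can write an arbitrary digest into LDAP, and for `updatePassword.*` the `oldPassword` check can be satisfied by sending the stored hash instead of the cleartext — if the service compares digested strings, which this hunk does not show. Unless there is a documented reason to accept pre-hashed values, always digest (`return digest(str);`) and let the service do the comparison. `digest` itself uses unsalted SHA-1 (`"SHA"`, i.e. LDAP `{SHA}`), `getBytes()` with the platform charset, and a `RuntimeException` that drops the cause; at minimum pin UTF-8 (which needs an import of `java.io.UnsupportedEncodingException`) and preserve `e`, and consider `{SSHA}` with a `SecureRandom` salt since the scheme string is already parameterised. The enclosing class continues after `setUserDeserializer`, outside the hunk.
```java
protected String digestIfNecessary(String str) {
	// never accept a pre-hashed value from the client
	return digest(str);
}

protected String digest(String nonEncrypted) {
	try {
		MessageDigest md = MessageDigest.getInstance(digestType);
		byte[] dig = md.digest(nonEncrypted.getBytes("UTF-8"));
		return "{" + digestType + "}"
				+ new String(Base64.encodeBase64(dig));
	} catch (NoSuchAlgorithmException e) {
		throw new RuntimeException(
				"Unexpected exception while digesting password", e);
	} catch (UnsupportedEncodingException e) {
		throw new RuntimeException(
				"Unexpected exception while digesting password", e);
	}
}
// … unchanged: setUserDeserializer …
```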