X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.mvc%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fmvc%2FUsersRolesController.java;h=cd954644aecff4ddb4e266efcf85fe2aad3173b2;hb=43e77c157692d040ad20ea9c15d236b57ce0a9ac;hp=505f0094f118829ef37a25aa4389f50d6785db3b;hpb=8220766ace9f3bde3a9d69890cd8307c34fe8ddd;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java index 505f0094f..cd954644a 100644 --- a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java +++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java @@ -1,65 +1,179 @@ +/* + * Copyright (C) 2010 Mathieu Baudier + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.argeo.security.mvc; +import java.io.Reader; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.List; +import org.apache.commons.codec.binary.Base64; +import org.argeo.security.ArgeoSecurityService; import org.argeo.security.ArgeoUser; -import org.argeo.security.core.ArgeoUserDetails; -import org.argeo.security.dao.RoleDao; -import org.argeo.security.dao.UserDao; +import org.argeo.security.SimpleArgeoUser; import org.argeo.server.BooleanAnswer; +import org.argeo.server.Deserializer; import org.argeo.server.ServerAnswer; -import org.springframework.security.Authentication; -import org.springframework.security.context.SecurityContextHolder; +import org.argeo.server.mvc.MvcConstants; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; @Controller -public class UsersRolesController { - private UserDao userDao; - private RoleDao roleDao; +public class UsersRolesController implements MvcConstants { + // private final static Log log = LogFactory + // .getLog(UsersRolesController.class); - @RequestMapping("/getCredentials.security") - @ModelAttribute("getCredentials") - public ArgeoUser getCredentials() { - Authentication authentication = SecurityContextHolder.getContext() - .getAuthentication(); + private String digestType = "SHA"; + + private ArgeoSecurityService securityService; + + private Deserializer userDeserializer = null; - return ArgeoUserDetails.asArgeoUser(authentication); + /* USER */ + + @RequestMapping("/getCredentials.*") + @ModelAttribute("user") + public ArgeoUser getCredentials() { + ArgeoUser argeoUser = securityService.getCurrentUser(); + if (argeoUser == null) + return new SimpleArgeoUser(); + else + return argeoUser; } - @RequestMapping("/getUsersList.security") - @ModelAttribute("getUsersList") + @RequestMapping("/getUsersList.*") + @ModelAttribute("users") public List getUsersList() { - return userDao.listUsers(); + return securityService.getSecurityDao().listUsers(); } - @RequestMapping("/userExists.security") - @ModelAttribute("userExists") + @RequestMapping("/userExists.*") public BooleanAnswer userExists(@RequestParam("username") String username) { - return new BooleanAnswer(userDao.userExists(username)); + return new BooleanAnswer(securityService.getSecurityDao().userExists( + username)); } - @RequestMapping("/deleteUser.security") - @ModelAttribute("deleteUser") + @RequestMapping("/createUser.*") + @ModelAttribute("user") + public ArgeoUser createUser(Reader reader) { + ArgeoUser user = userDeserializer.deserialize(reader, + SimpleArgeoUser.class); + // cleanUserBeforeCreate(user); + securityService.newUser(user); + return securityService.getSecurityDao().getUser(user.getUsername()); + } + + @RequestMapping("/updateUser.*") + @ModelAttribute("user") + public ArgeoUser updateUser(Reader reader) { + ArgeoUser user = userDeserializer.deserialize(reader, + SimpleArgeoUser.class); + securityService.updateUser(user); + return securityService.getSecurityDao().getUser(user.getUsername()); + } + + @RequestMapping("/updateUserSelf.*") + @ModelAttribute("user") + /** Will only update the user natures.*/ + public ArgeoUser updateUserSelf(Reader reader) { + ArgeoUser user = securityService.getCurrentUser(); + ArgeoUser userForNatures = userDeserializer.deserialize(reader, + SimpleArgeoUser.class); + user.updateUserNatures(userForNatures.getUserNatures()); + securityService.updateUser(user); + return securityService.getSecurityDao().getUser(user.getUsername()); + } + + @RequestMapping("/deleteUser.*") public ServerAnswer deleteUser(@RequestParam("username") String username) { - userDao.delete(username); - return ServerAnswer.ok(username + " deleted"); + securityService.getSecurityDao().delete(username); + return ServerAnswer.ok("User " + username + " deleted"); } - @RequestMapping("/getUserDetails.security") - @ModelAttribute("getUserDetails") + @RequestMapping("/getUserDetails.*") + @ModelAttribute("user") public ArgeoUser getUserDetails(@RequestParam("username") String username) { - return userDao.getUser(username); + return securityService.getSecurityDao().getUser(username); + } + + /* ROLE */ + @RequestMapping("/getRolesList.*") + @ModelAttribute("roles") + public List getEditableRolesList() { + return securityService.getSecurityDao().listEditableRoles(); + } + + @RequestMapping("/createRole.*") + public ServerAnswer createRole(@RequestParam("role") String role) { + securityService.newRole(role); + return ServerAnswer.ok("Role " + role + " created"); + } + + @RequestMapping("/deleteRole.*") + public ServerAnswer deleteRole(@RequestParam("role") String role) { + securityService.getSecurityDao().deleteRole(role); + return ServerAnswer.ok("Role " + role + " deleted"); + } + + @RequestMapping("/updateUserPassword.*") + public ServerAnswer updateUserPassword( + @RequestParam("username") String username, + @RequestParam("password") String password) { + securityService.updateUserPassword(username, + digestIfNecessary(password)); + return ServerAnswer.ok("Password updated for user " + username); + } + + @RequestMapping("/updatePassword.*") + public ServerAnswer updatePassword( + @RequestParam("oldPassword") String oldPassword, + @RequestParam("password") String password) { + securityService.updateCurrentUserPassword( + digestIfNecessary(oldPassword), digestIfNecessary(password)); + return ServerAnswer.ok("Password updated"); + } + + protected String digestIfNecessary(String str) { + if (!str.startsWith("{" + digestType + "}")) + return digest(str); + else + return str; + } + + protected String digest(String nonEncrypted) { + try { + MessageDigest md = MessageDigest.getInstance(digestType); + byte[] dig = md.digest(nonEncrypted.getBytes()); + return "{" + digestType + "}" + + new String(Base64.encodeBase64(dig)); + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException( + "Unexpected exception while digesting password"); + } } - public void setUserDao(UserDao userDao) { - this.userDao = userDao; + public void setUserDeserializer(Deserializer userDeserializer) { + this.userDeserializer = userDeserializer; } - public void setRoleDao(RoleDao roleDao) { - this.roleDao = roleDao; + public void setSecurityService(ArgeoSecurityService securityService) { + this.securityService = securityService; } }