From smckin...@apache.org
Subject [directory-fortress-enmasse] branch FC-265 updated: add a switch to turn on / off arbac02 checks.
Date Sat, 16 Mar 2019 00:24:42 GMT
This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch FC-265
in repository https://gitbox.apache.org/repos/asf/directory-fortress-enmasse.git


The following commit(s) were added to refs/heads/FC-265 by this push:
     new e66a5e6  add a switch to turn on / off arbac02 checks.
e66a5e6 is described below

commit e66a5e639e3c3d9807bd42676269cac8aa52998a
Author: Shawn McKinney <smckinney@apache.org>
AuthorDate: Fri Mar 15 19:24:36 2019 -0500

    add a switch to turn on / off arbac02 checks.
---
 .../apache/directory/fortress/rest/SecUtils.java   | 73 +++++++++++-----------
 1 file changed, 35 insertions(+), 38 deletions(-)

diff --git a/src/main/java/org/apache/directory/fortress/rest/SecUtils.java b/src/main/java/org/apache/directory/fortress/rest/SecUtils.java
index 3172ba6..4d3981a 100644
--- a/src/main/java/org/apache/directory/fortress/rest/SecUtils.java
+++ b/src/main/java/org/apache/directory/fortress/rest/SecUtils.java
@@ -59,61 +59,58 @@ public class SecUtils
      *
      * @param fortRequest Used to carry the session and other data.
      * @param httpRequest Used to get the security principal.
-     * @return Response containing the RBAC session object if found or error, otherwise (not
arbac02 not enabled) return NULL value.
+     * @return Response will contain the RBAC session object (if found) or a system error
if a problem in the get.  If arbac02 isn't enabled, it will return a NULL.
      */
     static FortResponse initializeSession(FortRequest fortRequest, HttpServletRequest httpRequest)
     {
         Session realmSession;
         FortResponse fortResponse = null;
-        try
+        // Have the fortress arbac02 runtime checks been enabled?.
+        if (Config.getInstance().getBoolean("is.arbac02"))
         {
-            // Only grab RBAC session from realm if needed for ARBAC02 checks later on.
-            if (Config.getInstance().getBoolean("is.arbac02"))
+            if (httpRequest == null)
             {
-                if (httpRequest == null)
-                {
-                    fortResponse = new FortResponse();
-                    fortResponse.setErrorCode(GlobalErrIds.REST_NULL_HTTP_REQ_ERR);
-                    fortResponse.setErrorMessage("initializeSession detected null HTTP Request");
-                    fortResponse.setHttpStatus(403);
-                }
-                else
+                // Improper container config.
+                fortResponse = new FortResponse();
+                fortResponse.setErrorCode(GlobalErrIds.REST_NULL_HTTP_REQ_ERR);
+                fortResponse.setErrorMessage("initializeSession detected null HTTP Request");
+                fortResponse.setHttpStatus(403);
+            }
+            else
+            {
+                try
                 {
-                    try
+                    // Get the security principal from the runtime.
+                    String szPrincipal = httpRequest.getUserPrincipal().toString();
+                    // This has to happen before it can be used by Fortress.
+                    realmSession = j2eePolicyMgr.deserialize(szPrincipal);
+                    if (realmSession != null)
                     {
-                        String szPrincipal = httpRequest.getUserPrincipal().toString();
-                        realmSession = j2eePolicyMgr.deserialize(szPrincipal);
-                        if (realmSession != null)
-                        {
-                            fortRequest.setSession(realmSession);
-                        }
-                        else
-                        {
-                            String error = "initializeSession couldn't get a Security Session
from the runtime.";
-                            fortResponse = new FortResponse();
-                            fortResponse.setErrorCode(GlobalErrIds.USER_SESS_NULL);
-                            fortResponse.setErrorMessage(error);
-                            fortResponse.setHttpStatus(403);
-                            LOG.info(error);
-                        }
+                        // The RBAC Session successfully grabbed from the container.
+                        fortRequest.setSession(realmSession);
                     }
-                    catch (SecurityException se)
+                    else
                     {
-                        String error = "initializeSession caught SecurityException=" + se.getMessage();
+                        String error = "initializeSession couldn't get a Security Session.";
                         fortResponse = new FortResponse();
-                        LOG.info(error);
-                        fortResponse.setErrorCode(se.getErrorId());
+                        fortResponse.setErrorCode(GlobalErrIds.USER_SESS_NULL);
                         fortResponse.setErrorMessage(error);
-                        fortResponse.setHttpStatus(se.getHttpStatus());
+                        fortResponse.setHttpStatus(403);
+                        LOG.info(error);
                     }
                 }
+                catch (SecurityException se)
+                {
+                    // A problem deserializing the security principal.
+                    String error = "initializeSession caught SecurityException=" + se.getMessage();
+                    fortResponse = new FortResponse();
+                    LOG.info(error);
+                    fortResponse.setErrorCode(se.getErrorId());
+                    fortResponse.setErrorMessage(error);
+                    fortResponse.setHttpStatus(se.getHttpStatus());
+                }
             }
         }
-        catch (java.util.NoSuchElementException e )
-        {
-            // Means the config property to turn on/off delegated admin checks wasn't present.
 Allow the request to continue.
-            LOG.info("ARBAC02 checks not enforced on the current request.");
-        }
         return fortResponse;
     }
 }
\ No newline at end of file
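Review bot: The new line `String szPrincipal = httpRequest.getUserPrincipal().toString();` dereferences the principal without a null check; `HttpServletRequest.getUserPrincipal()` returns null for an unauthenticated request, so with arbac02 enabled such a call leaves `initializeSession` with a NullPointerException instead of the 403 `USER_SESS_NULL` response that the `else` branch already builds for a missing session. Folding the null case into that existing branch keeps the error shape uniform for callers: `realmSession = httpRequest.getUserPrincipal() == null ? null : j2eePolicyMgr.deserialize(httpRequest.getUserPrincipal().toString());`. Dropping the `NoSuchElementException` catch also changes what happens when `is.arbac02` is absent from the configuration: the old code logged and let the request through, whereas now whatever `Config.getBoolean` does for a missing key propagates out of the method — presumably an exception, judging by what the removed catch handled. Failing closed there is defensible, but the `@return` Javadoc only covers the enabled and disabled cases and should state whether a missing key is treated as disabled or as a configuration error.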

