From lof...@apache.org
Subject svn commit: r1797942 - in /myfaces/tobago/trunk: tobago-core/src/main/java/org/apache/myfaces/tobago/config/ tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/ tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/ to...
Date Wed, 07 Jun 2017 15:26:25 GMT
Author: lofwyr
Date: Wed Jun  7 15:26:24 2017
New Revision: 1797942

URL: http://svn.apache.org/viewvc?rev=1797942&view=rev
Log:
TOBAGO-1628: Security (e.g. @RolesAllowed) should be either "disabled" or "hidden"

Added:
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/SecurityAnnotation.java
Modified:
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
    myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
    myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-3.1.xsd
    myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-3.1.xml
    myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
Wed Jun  7 15:26:24 2017
@@ -21,6 +21,7 @@ package org.apache.myfaces.tobago.config
 
 import org.apache.myfaces.tobago.context.Theme;
 import org.apache.myfaces.tobago.internal.config.ContentSecurityPolicy;
+import org.apache.myfaces.tobago.internal.config.SecurityAnnotation;
 import org.apache.myfaces.tobago.sanitizer.Sanitizer;
 
 import javax.faces.application.ProjectStage;
@@ -59,7 +60,7 @@ public abstract class TobagoConfig {
 
   public abstract boolean isSetNosniffHeader();
 
-  public abstract boolean isCheckSecurityAnnotations();
+  public abstract SecurityAnnotation getSecurityAnnotation();
 
   public abstract Sanitizer getSanitizer();
 

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/component/AbstractUICommandBase.java
Wed Jun  7 15:26:24 2017
@@ -21,6 +21,7 @@ package org.apache.myfaces.tobago.intern
 
 import org.apache.myfaces.tobago.config.TobagoConfig;
 import org.apache.myfaces.tobago.event.CollapsibleActionListener;
+import org.apache.myfaces.tobago.internal.config.SecurityAnnotation;
 import org.apache.myfaces.tobago.internal.util.AuthorizationHelper;
 import org.apache.myfaces.tobago.util.ComponentUtils;
 
@@ -93,7 +94,10 @@ public abstract class AbstractUICommandB
 
   @Override
   public boolean isRendered() {
-    return super.isRendered() && isAllowed();
+    final FacesContext facesContext = getFacesContext();
+    final TobagoConfig tobagoConfig = TobagoConfig.getInstance(facesContext);
+    return super.isRendered()
+            && (tobagoConfig.getSecurityAnnotation() != SecurityAnnotation.hide ||
isAllowed());
   }
 
   /**
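Review bot: The new condition in isRendered() only decides whether the command is drawn; in `disable` mode (the new default set in the TobagoConfigImpl hunk) a forbidden command is still rendered, and a client-side disabled attribute is not an authorization boundary, so the action itself still needs to be checked when it is invoked. Whether AuthorizationHelper is consulted at invocation time is not visible in this commit and is worth confirming before relying on the new mode. A comment on the return would make the scope explicit, e.g. `// UI-level gate: in "hide" mode forbidden commands are not rendered at all; this does not replace authorization of the action itself`. The config lookup is duplicated in isDisabled() below; a small private accessor would keep the two in step.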
@@ -101,30 +105,22 @@ public abstract class AbstractUICommandB
    <br>Default: <code>false</code>
    */
   public boolean isDisabled() {
-
-    if (!isAllowed()) {
-      return true;
-    }
-
-    Boolean bool = (Boolean) getStateHelper().eval(AbstractUICommand.PropertyKeys.disabled);
-    if (bool != null) {
-      return bool;
-    }
-    return false;
+    final FacesContext facesContext = getFacesContext();
+    final TobagoConfig tobagoConfig = TobagoConfig.getInstance(facesContext);
+    final Boolean disabled = (Boolean) getStateHelper().eval(AbstractUICommand.PropertyKeys.disabled);
+    return disabled != null && disabled
+            || (tobagoConfig.getSecurityAnnotation() == SecurityAnnotation.disable &&
!isAllowed());
   }
 
   private boolean isAllowed() {
     final FacesContext facesContext = getFacesContext();
-    final TobagoConfig tobagoConfig = TobagoConfig.getInstance(facesContext);
-    if (tobagoConfig.isCheckSecurityAnnotations()) {
-      final AuthorizationHelper authorizationHelper = AuthorizationHelper.getInstance(facesContext);
-      final MethodExpression actionExpression = getActionExpression();
-      if (actionExpression != null) {
-        final boolean authorized =
-            authorizationHelper.isAuthorized(facesContext, actionExpression.getExpressionString());
-        if (!authorized) {
-          return false;
-        }
+    final AuthorizationHelper authorizationHelper = AuthorizationHelper.getInstance(facesContext);
+    final MethodExpression actionExpression = getActionExpression();
+    if (actionExpression != null) {
+      final boolean authorized =
+              authorizationHelper.isAuthorized(facesContext, actionExpression.getExpressionString());
+      if (!authorized) {
+        return false;
       }
     }
     return true;
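Review bot: isAllowed() no longer checks the configured mode itself (the removed `isCheckSecurityAnnotations()` guard), so every caller must now consult `TobagoConfig.getSecurityAnnotation()` first; a caller that forgets this triggers authorization lookups even in `ignore` mode. That contract should be stated on the method, e.g. `/** Unconditionally asks the AuthorizationHelper whether the action expression is authorized; callers decide from the SecurityAnnotation mode whether to call this. Returns true when no action expression is set. */`. In isDisabled() the return relies on `&&` binding tighter than `||` across a wrapped line; parenthesising makes it unambiguous: `return (disabled != null && disabled) || (tobagoConfig.getSecurityAnnotation() == SecurityAnnotation.disable && !isAllowed());`. The closing brace of isAllowed() lies outside the hunk.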

Added: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/SecurityAnnotation.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/SecurityAnnotation.java?rev=1797942&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/SecurityAnnotation.java
(added)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/SecurityAnnotation.java
Wed Jun  7 15:26:24 2017
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.myfaces.tobago.internal.config;
+
+/**
+ * Defines how Tobago should check security annotations like e. g. {@link javax.annotation.security.RolesAllowed}.
+ */
+public enum SecurityAnnotation {
+
+    /**
+     * Hides forbidden commands.
+     */
+    hide,
+
+    /**
+     * Disables forbidden commands.
+     */
+    disable,
+
+    /**
+     * Tobago ignores the role annotation.
+     */
+    ignore
+}
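Review bot: The enum Javadoc does not say which value applies when `<security-annotation>` is absent, nor that `ignore` switches the authorization-based rendering check off entirely rather than relaxing it; the class comment should name the default (`disable`, set in TobagoConfigImpl) and the comment on `ignore` should read e.g. `Tobago does not evaluate the role annotation for rendering; forbidden commands are shown enabled.`. The lowercase constant names depart from the usual UPPER_CASE convention; since the parser maps the XML token directly with `SecurityAnnotation.valueOf(text)`, that is presumably deliberate and deserves a one-line comment on the enum so nobody "fixes" it later.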

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigFragment.java
Wed Jun  7 15:26:24 2017
@@ -45,7 +45,7 @@ public class TobagoConfigFragment {
   private Boolean checkSessionSecret;
   private Boolean preventFrameAttacks;
   private ContentSecurityPolicy contentSecurityPolicy;
-  private Boolean checkSecurityAnnotations;
+  private SecurityAnnotation securityAnnotation;
   private Boolean setNosniffHeader;
   private List<ThemeImpl> themeDefinitions;
   private URL url;
@@ -149,12 +149,12 @@ public class TobagoConfigFragment {
     this.contentSecurityPolicy = contentSecurityPolicy;
   }
 
-  public Boolean getCheckSecurityAnnotations() {
-    return checkSecurityAnnotations;
+  public SecurityAnnotation getSecurityAnnotation() {
+    return securityAnnotation;
   }
 
-  public void setCheckSecurityAnnotations(final Boolean checkSecurityAnnotations) {
-    this.checkSecurityAnnotations = checkSecurityAnnotations;
+  public void setSecurityAnnotation(final SecurityAnnotation securityAnnotation) {
+    this.securityAnnotation = securityAnnotation;
   }
 
   public Boolean getSetNosniffHeader() {

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigImpl.java
Wed Jun  7 15:26:24 2017
@@ -59,7 +59,7 @@ public class TobagoConfigImpl extends To
   private boolean checkSessionSecret;
   private boolean preventFrameAttacks;
   private ContentSecurityPolicy contentSecurityPolicy;
-  private boolean checkSecurityAnnotations;
+  private SecurityAnnotation securityAnnotation;
   private boolean setNosniffHeader;
   private Map<String, String> defaultValidatorInfo;
   private Sanitizer sanitizer;
@@ -75,7 +75,7 @@ public class TobagoConfigImpl extends To
     checkSessionSecret = true;
     preventFrameAttacks = true;
     setNosniffHeader = true;
-    checkSecurityAnnotations = true;
+    securityAnnotation = SecurityAnnotation.disable;
     contentSecurityPolicy = new ContentSecurityPolicy(ContentSecurityPolicy.Mode.OFF.getValue());
     mimeTypes = new HashMap<String, String>();
   }
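Review bot: The new default `SecurityAnnotation.disable` changes observable behaviour: with the old default `checkSecurityAnnotations = true`, isRendered() in AbstractUICommandBase returned false for a forbidden command (the removed `return super.isRendered() && isAllowed();`), i.e. the command was hidden, whereas now it is rendered in a disabled state. Applications that relied on forbidden commands not appearing in the markup now need `<security-annotation>hide</security-annotation>`. This deserves a line in the release notes and a comment here, e.g. `// default changed from hiding forbidden commands to rendering them disabled (TOBAGO-1628)`.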
@@ -295,13 +295,13 @@ public class TobagoConfigImpl extends To
   }
 
   @Override
-  public boolean isCheckSecurityAnnotations() {
-    return checkSecurityAnnotations;
+  public SecurityAnnotation getSecurityAnnotation() {
+    return securityAnnotation;
   }
 
-  public void setCheckSecurityAnnotations(boolean checkSecurityAnnotations) {
+  public void setSecurityAnnotation(final SecurityAnnotation securityAnnotation) {
     checkLocked();
-    this.checkSecurityAnnotations = checkSecurityAnnotations;
+    this.securityAnnotation = securityAnnotation;
   }
 
   public Map<String, String> getDefaultValidatorInfo() {
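Review bot: setSecurityAnnotation() accepts null, and a null mode is fail-open: in AbstractUICommandBase `getSecurityAnnotation() != SecurityAnnotation.hide` is true and `== SecurityAnnotation.disable` is false, so neither isRendered() nor isDisabled() consults isAllowed() — the same effect as `ignore`, but silently. Rejecting null in the setter keeps the mode explicit: `this.securityAnnotation = Objects.requireNonNull(securityAnnotation, "securityAnnotation");` (add `import java.util.Objects;` if the file does not already have it). The sorter only copies non-null fragment values, so the constructor default is the only other source; documenting "never null" on the getter then becomes a safe claim.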
@@ -317,7 +317,7 @@ public class TobagoConfigImpl extends To
     return sanitizer;
   }
 
-  protected void setSanitizer(Sanitizer sanitizer) {
+  protected void setSanitizer(final Sanitizer sanitizer) {
     checkLocked();
     this.sanitizer = sanitizer;
   }
@@ -357,8 +357,8 @@ public class TobagoConfigImpl extends To
     builder.append(preventFrameAttacks);
     builder.append(", \ncontentSecurityPolicy=");
     builder.append(contentSecurityPolicy);
-    builder.append(", \ncheckSecurityAnnotations=");
-    builder.append(checkSecurityAnnotations);
+    builder.append(", \nsecurityAnnotation=");
+    builder.append(securityAnnotation);
     builder.append(", \nsetNosniffHeader=");
     builder.append(setNosniffHeader);
     builder.append(", \ndefaultValidatorInfo=");

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigParser.java
Wed Jun  7 15:26:24 2017
@@ -62,7 +62,7 @@ public class TobagoConfigParser extends
   private static final int PREVENT_FRAME_ATTACKS = 270456726;
   private static final int SET_NOSNIFF_HEADER = -1238451304;
   private static final int CONTENT_SECURITY_POLICY = 1207440139;
-  private static final int CHECK_SECURITY_ANNOTATIONS = -1870701636;
+  private static final int SECURITY_ANNOTATION = 1744426972;
   private static final int DIRECTIVE = -962590641;
   private static final int RENDERERS = 1839650832;
   private static final int RENDERER = -494845757;
@@ -235,7 +235,7 @@ public class TobagoConfigParser extends
       case MARKUP:
       case CREATE_SESSION_SECRET:
       case CHECK_SESSION_SECRET:
-      case CHECK_SECURITY_ANNOTATIONS:
+      case SECURITY_ANNOTATION:
       case PREVENT_FRAME_ATTACKS:
       case SET_NOSNIFF_HEADER:
       case DIRECTIVE:
@@ -328,8 +328,8 @@ public class TobagoConfigParser extends
         tobagoConfig.setSetNosniffHeader(Boolean.parseBoolean(text));
         break;
 
-      case CHECK_SECURITY_ANNOTATIONS:
-        tobagoConfig.setCheckSecurityAnnotations(Boolean.parseBoolean(text));
+      case SECURITY_ANNOTATION:
+        tobagoConfig.setSecurityAnnotation(SecurityAnnotation.valueOf(text));
         break;
 
       case DIRECTIVE:
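Review bot: `SecurityAnnotation.valueOf(text)` is case- and whitespace-sensitive and, on an unknown token, throws an IllegalArgumentException whose message names only the enum, not the configuration element; failing fast is the right choice here, but the administrator should be pointed at the element and the allowed values. Wrapping the call in a catch of IllegalArgumentException and rethrowing with `throw new IllegalArgumentException("Unknown <security-annotation> value '" + text + "', expected one of " + Arrays.toString(SecurityAnnotation.values()), e);` does that and keeps the cause. Whether `text` is trimmed before reaching this switch is not visible in the hunk; if it is not, surrounding whitespace in the XML would fail here as well, unlike the previous `Boolean.parseBoolean` which tolerated it.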

Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/config/TobagoConfigSorter.java
Wed Jun  7 15:26:24 2017
@@ -116,8 +116,8 @@ public class TobagoConfigSorter implemen
         result.getContentSecurityPolicy().merge(fragment.getContentSecurityPolicy());
       }
 
-      if (fragment.getCheckSecurityAnnotations() != null) {
-        result.setCheckSecurityAnnotations(fragment.getCheckSecurityAnnotations());
+      if (fragment.getSecurityAnnotation() != null) {
+        result.setSecurityAnnotation(fragment.getSecurityAnnotation());
       }
 
       if (fragment.getSetNosniffHeader() != null) {

Modified: myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-3.1.xsd
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-3.1.xsd?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-3.1.xsd
(original)
+++ myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-3.1.xsd
Wed Jun  7 15:26:24 2017
@@ -69,7 +69,7 @@
       <xs:element name="classic-date-time-picker" type="xs:boolean" minOccurs="0" default="false"/>
       <xs:element name="content-security-policy" type="tobago:content-security-policy-type"
minOccurs="0"/>
       <xs:element name="sanitizer" type="tobago:sanitizer-type" minOccurs="0"/>
-      <xs:element name="check-security-annotations" type="xs:boolean" minOccurs="0" default="true"/>
+      <xs:element name="security-annotation" type="tobago:security-annotation-type" minOccurs="0"
default="disable"/>
       <xs:element name="renderers" type="tobago:renderers-type" minOccurs="0"/>
       <xs:element name="theme-definitions" type="tobago:theme-definitions-type" minOccurs="0"/>
     </xs:sequence>
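Review bot: The `check-security-annotations` element is removed from the 3.1 schema rather than deprecated, so any tobago-config.xml that still contains it will fail validation against this schema after the change; if 3.1 configurations are already deployed (not visible here), keeping the old element as an optional deprecated alternative, or bumping the schema version, would be the compatible route. The `default="disable"` on the new element only documents the default for schema consumers; the effective default is the one set in TobagoConfigImpl's constructor, and the two must be kept in sync.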
@@ -204,4 +204,12 @@
     </xs:simpleContent>
   </xs:complexType>
 
+  <xs:simpleType name="security-annotation-type">
+    <xs:restriction base="xs:token">
+      <xs:enumeration value="hide"/>
+      <xs:enumeration value="disable"/>
+      <xs:enumeration value="ignore"/>
+    </xs:restriction>
+  </xs:simpleType>
+
 </xs:schema>

Modified: myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-3.1.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-3.1.xml?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-3.1.xml (original)
+++ myfaces/tobago/trunk/tobago-core/src/test/resources/tobago-config-3.1.xml Wed Jun  7 15:26:24
2017
@@ -51,7 +51,7 @@
     <directive>frame-src http://apache.org</directive>
   </content-security-policy>
 
-  <check-security-annotations>false</check-security-annotations>
+  <security-annotation>ignore</security-annotation>
 
   <renderers>
     <renderer>

Modified: myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml?rev=1797942&r1=1797941&r2=1797942&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
(original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/tobago-config.xml
Wed Jun  7 15:26:24 2017
@@ -52,6 +52,9 @@
     <directive>frame-src https://maps.google.com</directive>
   </content-security-policy>
 
+  <!-- "disable" is the default -->
+  <!--<security-annotation>disable</security-annotation>-->
+
 <!-- this is the default...
   <sanitizer>
     <sanitizer-class>org.apache.myfaces.tobago.sanitizer.JsoupSanitizer</sanitizer-class>


