ws-soap-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From snic...@apache.org
Subject cvs commit: xml-soap/java/src/org/apache/soap/server/http MessageRouterServlet.java RPCRouterServlet.java ServerHTTPUtils.java
Date Fri, 06 Sep 2002 06:14:11 GMT
snichol     2002/09/05 23:14:11

  Modified:    java/docs changes.html
               java/src/org/apache/soap/server/http
                        MessageRouterServlet.java RPCRouterServlet.java
                        ServerHTTPUtils.java
  Log:
  Add per-service authorization based on roles.  Authorized roles
  are specified in the deployment descriptor.  The container must be
  configured for authentication through its configuration and/or the Apache
  SOAP web.xml deployment descriptor.
  
  There is no sample for demonstration/test at this time.
  
  Revision  Changes    Path
  1.45      +4 -0      xml-soap/java/docs/changes.html
  
  Index: changes.html
  ===================================================================
  RCS file: /home/cvs/xml-soap/java/docs/changes.html,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- changes.html	5 Sep 2002 16:50:51 -0000	1.44
  +++ changes.html	6 Sep 2002 06:14:10 -0000	1.45
  @@ -76,6 +76,10 @@
         interop hack).</li>
         <li>Support gzip encoding for HTTP.  This is enabled through SOAPContext
         for clients and the deployment descriptor for services.</li>
  +      <li>Add per-service authorization based on roles.  Authorized roles
  +      are specified in the deployment descriptor.  The container must be
  +      configured for authentication through its configuration and/or the Apache
  +      SOAP web.xml deployment descriptor.</li>
       </ul>
     </li>
   </ul>
  
  
  
  1.37      +5 -1      xml-soap/java/src/org/apache/soap/server/http/MessageRouterServlet.java
  
  Index: MessageRouterServlet.java
  ===================================================================
  RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/MessageRouterServlet.java,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -r1.36 -r1.37
  --- MessageRouterServlet.java	5 Sep 2002 16:50:52 -0000	1.36
  +++ MessageRouterServlet.java	6 Sep 2002 06:14:10 -0000	1.37
  @@ -292,7 +292,11 @@
           // is this a valid message?
           dd = serviceManager.query (targetID);
           reqCtx.setProperty( Constants.BAG_DEPLOYMENTDESCRIPTOR, dd );
  -  
  +
  +        // is user authorized to use this service?
  +        if (!ServerHTTPUtils.isUserAuthorized(dd, req, res))
  +          return;
  +
           // Get the session, but only create a new session if the scope
           // is session or there is no deployment descriptor option
           // SessionRequired with a value of false (i.e. the desire to
  
  
  
  1.41      +4 -0      xml-soap/java/src/org/apache/soap/server/http/RPCRouterServlet.java
  
  Index: RPCRouterServlet.java
  ===================================================================
  RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/RPCRouterServlet.java,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -r1.40 -r1.41
  --- RPCRouterServlet.java	5 Sep 2002 16:50:52 -0000	1.40
  +++ RPCRouterServlet.java	6 Sep 2002 06:14:10 -0000	1.41
  @@ -338,6 +338,10 @@
           dd = serviceManager.query (targetID);
           reqCtx.setProperty( Constants.BAG_DEPLOYMENTDESCRIPTOR, dd );
   
  +        // is user authorized to use this service?
  +        if (!ServerHTTPUtils.isUserAuthorized(dd, req, res))
  +          return;
  +
           // Get the session, but only create a new session if the scope
           // is session or there is no deployment descriptor option
           // SessionRequired with a value of false (i.e. the desire to
  
  
  
  1.26      +40 -0     xml-soap/java/src/org/apache/soap/server/http/ServerHTTPUtils.java
  
  Index: ServerHTTPUtils.java
  ===================================================================
  RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/ServerHTTPUtils.java,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- ServerHTTPUtils.java	5 Sep 2002 16:50:52 -0000	1.25
  +++ ServerHTTPUtils.java	6 Sep 2002 06:14:10 -0000	1.26
  @@ -465,6 +465,46 @@
     }
   
     /**
  +   * Checks authorization to use service.
  +   *
  +   * @return Whether the user is authorized, true if the user is, false if
  +   *         the user is not due to not being authenticated.
  +   * @exception IOException If an error occurs writing a response.
  +   * @exception SOAPException If the user is authenticated but not authorized.
  +   */
  +  public static boolean isUserAuthorized(DeploymentDescriptor dd,
  +                                         HttpServletRequest req,
  +                                         HttpServletResponse res
  +                                        ) throws IOException, SOAPException {
  +    // Get roles required for this service
  +    Hashtable props = dd.getProps();
  +    String roles = props != null ? (String) props.get("roles") : null;
  +
  +    // If there are no roles, no authorization is required
  +    if (roles == null)
  +      return true;
  +
  +    // If user is in any roles, he is authorized
  +    StringTokenizer st = new StringTokenizer(roles, ",");
  +    while (st.hasMoreTokens()) {
  +      if (req.isUserInRole(st.nextToken()))
  +        return true;
  +    }
  +
  +    // If user is not authenticated, let him know he needs to be
  +    if (req.getRemoteUser() == null && req.getUserPrincipal() == null) {
  +      res.setHeader("WWW-Authenticate", "Basic realm=\"Apache SOAP\"");
  +      res.setContentType("text/html");
  +      res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
  +      return false;
  +    }
  +
  +    // Authenticated but not authorized
  +    throw new SOAPException(Constants.FAULT_CODE_SERVER,
  +                            "Not authorized for this SOAP service.");
  +  }
  +     
  +  /**
      * Gets the HTTP headers for a request.
      */
     public static Hashtable getHeaders(HttpServletRequest req) {
  
  
  

Mime
View raw message