From: Maria Odea B. Ching <oching@apache.org>
Date: Wed, 10 Sep 2008 04:15:50 +0000 (+0000)
Subject: merged from -r693694 (MRM-911: check first if guest is enabled for the repository... 
X-Git-Tag: archiva-1.2-M1~64
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6ec22c4cb2d3e72f638ad705d390c7142b45e808;p=archiva.git

merged from -r693694 (MRM-911: check first if guest is enabled for the repository before failing the authentication) 1.1.x branch


git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@693701 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
index 4e8c040b7..31d1245c9 100644
--- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
+++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
@@ -93,7 +93,7 @@ public class ArchivaServletAuthenticator
         return true;
     }
 
-    public boolean isAuthorizedToAccessVirtualRepository( String principal, String repoId )
+    public boolean isAuthorized( String principal, String repoId )
         throws UnauthorizedException
     {
         try
diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
index fb39b4bca..2edda8120 100644
--- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
+++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
@@ -41,6 +41,6 @@ public interface ServletAuthenticator
     public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
         boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException;
     
-    public boolean isAuthorizedToAccessVirtualRepository( String principal, String repoId )
+    public boolean isAuthorized( String principal, String repoId )
         throws UnauthorizedException;
 }
diff --git a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
index 7af32bee7..032f614fd 100644
--- a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
+++ b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
@@ -733,6 +733,22 @@ public class ArchivaDavResourceFactory
         }
         catch ( AuthenticationException e )
         {
+            // safety check for MRM-911            
+            String guest = archivaXworkUser.getGuest();
+            try
+            {
+                if( servletAuth.isAuthorized( guest, 
+                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
+                {   
+                    return true;
+                }
+            }
+            catch ( UnauthorizedException ae )
+            {
+                throw new UnauthorizedDavException( repositoryId,
+                        "You are not authenticated and authorized to access any repository." );
+            }
+                        
             throw new UnauthorizedDavException( repositoryId, "You are not authenticated" );
         }
         catch ( MustChangePasswordException e )
@@ -801,7 +817,7 @@ public class ArchivaDavResourceFactory
                     // for the current user logged in
                     try
                     {
-                        if( servletAuth.isAuthorizedToAccessVirtualRepository( activePrincipal, repository ) )
+                        if( servletAuth.isAuthorized( activePrincipal, repository ) )
                         {
                             getResource( locator, mergedRepositoryContents, logicalResource, repository );
                         }
@@ -897,7 +913,7 @@ public class ArchivaDavResourceFactory
             {
                 try
                 {
-                    if( servletAuth.isAuthorizedToAccessVirtualRepository( activePrincipal, repository ) )
+                    if( servletAuth.isAuthorized( activePrincipal, repository ) )
                     {
                         allow = true;
                         break;
diff --git a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
index ad96939d1..2c5a39d35 100644
--- a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
+++ b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
@@ -24,9 +24,11 @@ import org.apache.jackrabbit.webdav.WebdavRequest;
 import org.apache.jackrabbit.webdav.DavException;
 import org.apache.jackrabbit.webdav.DavServletRequest;
 import org.apache.maven.archiva.webdav.util.RepositoryPathUtil;
+import org.apache.maven.archiva.security.ArchivaXworkUser;
 import org.apache.maven.archiva.security.ServletAuthenticator;
 import org.codehaus.plexus.redback.authentication.AuthenticationException;
 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
+import org.codehaus.plexus.redback.authorization.UnauthorizedException;
 import org.codehaus.plexus.redback.policy.MustChangePasswordException;
 import org.codehaus.plexus.redback.policy.AccountLockedException;
 import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator;
@@ -45,10 +47,13 @@ public class ArchivaDavSessionProvider
 
     private HttpAuthenticator httpAuth;
     
-    public ArchivaDavSessionProvider( ServletAuthenticator servletAuth, HttpAuthenticator httpAuth )
+    private ArchivaXworkUser archivaXworkUser;
+    
+    public ArchivaDavSessionProvider( ServletAuthenticator servletAuth, HttpAuthenticator httpAuth, ArchivaXworkUser archivaXworkUser )
     {
         this.servletAuth = servletAuth;
         this.httpAuth = httpAuth;
+        this.archivaXworkUser = archivaXworkUser;
     }
 
     public boolean attachSession( WebdavRequest request )
@@ -67,7 +72,24 @@ public class ArchivaDavSessionProvider
         }
         catch ( AuthenticationException e )
         {   
-            throw new UnauthorizedDavException( repositoryId, "You are not authenticated" );            
+            // safety check for MRM-911            
+            String guest = archivaXworkUser.getGuest();
+            try
+            {
+                if( servletAuth.isAuthorized( guest, 
+                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
+                {
+                    request.setDavSession(new ArchivaDavSession());
+                    return true;
+                }
+            }
+            catch ( UnauthorizedException ae )
+            {
+                throw new UnauthorizedDavException( repositoryId,
+                    "You are not authenticated and authorized to access any repository." );
+            }
+            
+            throw new UnauthorizedDavException( repositoryId, "You are not authenticated." );            
         }
         catch ( MustChangePasswordException e )
         {         
diff --git a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/RepositoryServlet.java b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/RepositoryServlet.java
index ca9aa5aed..a73e72d5e 100644
--- a/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/RepositoryServlet.java
+++ b/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/RepositoryServlet.java
@@ -44,6 +44,7 @@ import org.apache.maven.archiva.configuration.ArchivaConfiguration;
 import org.apache.maven.archiva.configuration.ConfigurationEvent;
 import org.apache.maven.archiva.configuration.ConfigurationListener;
 import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
+import org.apache.maven.archiva.security.ArchivaXworkUser;
 import org.apache.maven.archiva.security.ServletAuthenticator;
 import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator;
 import org.codehaus.plexus.spring.PlexusToSpringUtils;
@@ -195,7 +196,9 @@ public class RepositoryServlet
         HttpAuthenticator httpAuth =
             (HttpAuthenticator) wac.getBean( PlexusToSpringUtils.buildSpringId( HttpAuthenticator.ROLE, "basic" ) );
         
-        sessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
+        ArchivaXworkUser archivaXworkUser =
+            (ArchivaXworkUser) wac.getBean( PlexusToSpringUtils.buildSpringId( ArchivaXworkUser.class.getName() ) );
+        sessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );
     }
 
     public void configurationEvent( ConfigurationEvent event )
diff --git a/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java b/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
index 2a53bf99d..e882c5ad6 100644
--- a/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
+++ b/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
@@ -59,7 +59,7 @@ public class ArchivaDavSessionProviderTest extends TestCase
         throws Exception
     {
         super.setUp();
-        sessionProvider = new ArchivaDavSessionProvider(new ServletAuthenticatorMock(), new HttpAuthenticatorMock());
+        sessionProvider = new ArchivaDavSessionProvider(new ServletAuthenticatorMock(), new HttpAuthenticatorMock(), null);
         request = new WebdavRequestImpl(new HttpServletRequestMock(), null);
     }
     
@@ -362,7 +362,7 @@ public class ArchivaDavSessionProviderTest extends TestCase
             return true;
         }
 
-        public boolean isAuthorizedToAccessVirtualRepository(String arg0, String arg1)
+        public boolean isAuthorized(String arg0, String arg1)
             throws UnauthorizedException
         {
             return true;
diff --git a/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/UnauthenticatedDavSessionProvider.java b/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/UnauthenticatedDavSessionProvider.java
index 13082cf4d..082d62dfc 100644
--- a/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/UnauthenticatedDavSessionProvider.java
+++ b/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/UnauthenticatedDavSessionProvider.java
@@ -29,7 +29,7 @@ public class UnauthenticatedDavSessionProvider extends ArchivaDavSessionProvider
 {
     public UnauthenticatedDavSessionProvider()
     {
-        super(null, null);
+        super(null, null, null);
     }
     
     @Override