From 21ef621475675e3d198bd08e5a2ba9ca3cbc0bb0 Mon Sep 17 00:00:00 2001 From: James William Dumay Date: Fri, 5 Sep 2008 07:43:50 +0000 Subject: [PATCH] Implemented security for XmlRpcServlet. XmlRpcAuthenticator is injected into the servlet via spring. git-svn-id: https://svn.apache.org/repos/asf/archiva/branches/MRM-124@692370 13f79535-47bb-0310-9956-ffa450edef68 --- .../archiva-web/archiva-webapp/pom.xml | 4 + .../webapp/WEB-INF/applicationContext.xml | 6 ++ .../src/main/webapp/WEB-INF/web.xml | 6 +- .../archiva-xmlrpc-security/pom.xml | 32 +++++++ .../xmlrpc/security/XmlRpcAuthenticator.java | 91 +++++++++++++++++++ .../archiva-web/archiva-xmlrpc/pom.xml | 9 +- pom.xml | 10 ++ 7 files changed, 152 insertions(+), 6 deletions(-) create mode 100644 archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/pom.xml create mode 100644 archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/maven/archiva/xmlrpc/security/XmlRpcAuthenticator.java diff --git a/archiva-modules/archiva-web/archiva-webapp/pom.xml b/archiva-modules/archiva-web/archiva-webapp/pom.xml index 6fcd9f6d2..d89bfd11a 100644 --- a/archiva-modules/archiva-web/archiva-webapp/pom.xml +++ b/archiva-modules/archiva-web/archiva-webapp/pom.xml @@ -88,6 +88,10 @@ org.apache.archiva archiva-xmlrpc-services + + org.apache.archiva + archiva-xmlrpc-security + javax.servlet servlet-api diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml index 0e3461204..fe37b68a4 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml @@ -40,4 +40,10 @@ + + + + + + 
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/web.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/web.xml index 23e276ff8..7c7e8c63f 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/web.xml +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/web.xml @@ -90,7 +90,11 @@ serviceListBeanName xmlrpcServicesList - 1 + + authHandlerBeanName + xmlRpcAuthenticator + + 1 diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/pom.xml b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/pom.xml new file mode 100644 index 000000000..bc3f57294 --- /dev/null +++ b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/pom.xml @@ -0,0 +1,32 @@ + + + 4.0.0 + + org.apache.archiva + archiva-xmlrpc + 1.2-SNAPSHOT + + archiva-xmlrpc-security + 1.2-SNAPSHOT + Archiva Web :: XML-RPC Security + + + org.apache.xmlrpc + xmlrpc-server + + + commons-logging + commons-logging + + + + + org.codehaus.plexus.redback + redback-system + + + org.apache.archiva + archiva-security + + + diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/maven/archiva/xmlrpc/security/XmlRpcAuthenticator.java b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/maven/archiva/xmlrpc/security/XmlRpcAuthenticator.java new file mode 100644 index 000000000..3e3762673 --- /dev/null +++ b/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/maven/archiva/xmlrpc/security/XmlRpcAuthenticator.java 
@@ -0,0 +1,91 @@
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.maven.archiva.xmlrpc.security;
+
+import org.apache.maven.archiva.security.ArchivaRoleConstants;
+import org.apache.xmlrpc.XmlRpcException;
+import org.apache.xmlrpc.XmlRpcRequest;
+import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
+import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;
+import org.codehaus.plexus.redback.authentication.AuthenticationException;
+import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;
+import org.codehaus.plexus.redback.authorization.AuthorizationException;
+import org.codehaus.plexus.redback.authorization.AuthorizationResult;
+import org.codehaus.plexus.redback.policy.AccountLockedException;
+import org.codehaus.plexus.redback.system.SecuritySession;
+import org.codehaus.plexus.redback.system.SecuritySystem;
+import org.codehaus.plexus.redback.users.UserNotFoundException;
+
+public class XmlRpcAuthenticator implements AuthenticationHandler
+{
+ private final SecuritySystem securitySystem;
+
+ public XmlRpcAuthenticator(SecuritySystem securitySystem)
+ {
+ this.securitySystem = securitySystem;
+ }
+
+ public 
boolean isAuthorized(XmlRpcRequest pRequest) throws XmlRpcException { + if (pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl) + { + XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl)pRequest.getConfig(); + SecuritySession session = authenticate(new PasswordBasedAuthenticationDataSource(config.getBasicUserName(), config.getBasicPassword())); + AuthorizationResult result = authorize(session); + return result.isAuthorized(); + } + + throw new XmlRpcException("Unsupported transport (must be http)"); + } + + private SecuritySession authenticate(PasswordBasedAuthenticationDataSource authenticationDataSource) + throws XmlRpcException + { + try + { + return securitySystem.authenticate(authenticationDataSource); + } + catch (AccountLockedException e) + { + throw new XmlRpcException(401, e.getMessage(), e); + } + catch (AuthenticationException e) + { + throw new XmlRpcException(401, e.getMessage(), e); + } + catch (UserNotFoundException e) + { + throw new XmlRpcException(401, e.getMessage(), e); + } + } + + private AuthorizationResult authorize(SecuritySession session) + throws XmlRpcException + { + try + { + return securitySystem.authorize(session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE); + } + catch (AuthorizationException e) + { + throw new XmlRpcException(401, e.getMessage(), e); + } + } +} diff --git a/archiva-modules/archiva-web/archiva-xmlrpc/pom.xml b/archiva-modules/archiva-web/archiva-xmlrpc/pom.xml index 33c4e9da4..93eae9ba5 100644 --- a/archiva-modules/archiva-web/archiva-xmlrpc/pom.xml +++ b/archiva-modules/archiva-web/archiva-xmlrpc/pom.xml @@ -1,4 +1,4 @@ - + - - + --> 4.0.0 org.apache.archiva @@ -32,5 +30,6 @@ archiva-xmlrpc-api archiva-xmlrpc-services + archiva-xmlrpc-security - + \ No newline at end of file diff --git a/pom.xml b/pom.xml index 62b6a2cf6..5f5d23e91 100644 --- a/pom.xml +++ b/pom.xml 
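Review bot: `isAuthorized` never inspects the `SecuritySession` returned by `securitySystem.authenticate(...)` and treats only a thrown exception as failure; if Redback's `authenticate` can hand back a session whose `isAuthenticated()` is false for a wrong password instead of throwing (which I believe is how `DefaultSecuritySystem` behaves, so please confirm), that unauthenticated session flows straight into `authorize(session, GLOBAL_REPOSITORY_MANAGER_ROLE)` and access then depends on whatever the authorizer grants an anonymous principal. Gate it explicitly right after the authenticate call: `if ( !session.isAuthenticated() ) { throw new XmlRpcException( 401, "Authentication failed" ); }`. The three catch blocks in `authenticate(...)` also return `e.getMessage()` to the remote caller, so a `UserNotFoundException` is distinguishable from a bad-password or `AccountLockedException` response and an unauthenticated client can enumerate valid usernames; return one fixed message for all three and keep the specific cause in a server-side log. Finally, `config.getBasicUserName()` and `getBasicPassword()` are null when the request carries no Authorization header and are passed as-is into `PasswordBasedAuthenticationDataSource`, so either confirm Redback rejects a null principal cleanly or reject it up front with the same 401 rather than relying on a downstream exception.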
@@ -391,6 +391,11 @@ archiva-xmlrpc-services 1.2-SNAPSHOT + + org.apache.archiva + archiva-xmlrpc-security + 1.2-SNAPSHOT + org.apache.archiva archiva-rss @@ -511,6 +516,11 @@ mail 1.4 + + org.apache.xmlrpc + xmlrpc-server + 3.1 + org.apache.maven maven-artifact-manager -- 2.39.5