From 4ef19c632b66c28403a1ec6f8ffbb34beaf4cfc1 Mon Sep 17 00:00:00 2001
From: Jesse McConnell
Date: Thu, 14 Sep 2006 21:56:43 +0000
Subject: [PATCH] UserManagementAction is now implementing the SecureAction interface from plexus-security, all action statements in the xwork.xml using this Action now require authenticated sessions and that the user using them has edit-user or edit-all-users operations granted. Before we go any further on these I am hoping folks can take a peek and see if its too clunky or if perhaps we should change the interfaces for this type of functionality.
git-svn-id: https://svn.apache.org/repos/asf/maven/archiva/trunk@443495 13f79535-47bb-0310-9956-ffa450edef68
---
 .../action/admin/UserManagementAction.java | 121 ++++++++++++------
 archiva-webapp/src/main/resources/xwork.xml | 6 +
 .../webapp/WEB-INF/jsp/admin/findUser.jsp | 3 +
 .../src/main/webapp/WEB-INF/jsp/alert.jsp | 42 ++++++
 4 files changed, 136 insertions(+), 36 deletions(-)
 create mode 100644 archiva-webapp/src/main/webapp/WEB-INF/jsp/alert.jsp
diff --git a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/UserManagementAction.java b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/UserManagementAction.java
index d2f2b0e48..47410926c 100644
--- a/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/UserManagementAction.java
+++ b/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/admin/UserManagementAction.java
@@ -1,21 +1,20 @@
 package org.apache.maven.archiva.web.action.admin;
-
 /*
- * Copyright 2005 The Apache Software Foundation.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+* Copyright 2005 The Apache Software Foundation.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
 
 import com.opensymphony.xwork.Preparable;
 
 import org.codehaus.plexus.security.rbac.RBACManager;
@@ -23,6 +22,9 @@ import org.codehaus.plexus.security.system.SecuritySession;
 import org.codehaus.plexus.security.user.User;
 import org.codehaus.plexus.security.user.UserManager;
 import org.codehaus.plexus.security.user.UserNotFoundException;
+import org.codehaus.plexus.security.user.UserManagerException;
+import org.codehaus.plexus.security.authorization.rbac.web.interceptor.SecureAction;
+import org.codehaus.plexus.security.authorization.rbac.web.interceptor.SecureActionException;
 import org.codehaus.plexus.xwork.action.PlexusActionSupport;
 
 import java.util.ArrayList;
@@ -38,7 +40,8 @@ import java.util.List;
 * role-hint="userManagement"
 */
 public class UserManagementAction
- extends PlexusActionSupport implements Preparable
+ extends PlexusActionSupport
+ implements Preparable, SecureAction
 {
 /**
 * @plexus.requirement
@@ -73,38 +76,51 @@ public class UserManagementAction
 public void prepare()
 throws Exception
 {
- if ( username == null || "".equals( username ) )
- {
- user = userManager.findUser( (String) session.get( "MANAGED_USERNAME" ) );
- username = user.getUsername();
- }
- else
+ try
 {
- user = userManager.findUser( username );
- }
+ if ( username == null || "".equals( username ) )
+ {
+ user = userManager.findUser( (String) session.get( "MANAGED_USERNAME" ) );
+ username = user.getUsername();
+ }
+ else
+ {
+ user = userManager.findUser( username );
+ }
 
- session.put( "MANAGED_USERNAME", username );
+ session.put( "MANAGED_USERNAME", username );
 
- principal = user.getPrincipal().toString();
- fullName = user.getFullName();
- email = user.getEmail();
+ principal = user.getPrincipal().toString();
+ fullName = user.getFullName();
+ email = user.getEmail();
 
- if ( principal != null && rbacManager.userAssignmentExists( principal ) )
+ if ( principal != null && rbacManager.userAssignmentExists( principal ) )
+ {
+ assignedRoles = new ArrayList( rbacManager.getAssignedRoles( principal ) );
+ availableRoles = new ArrayList( rbacManager.getUnassignedRoles( principal ) );
+ }
+ else
+ {
+ assignedRoles = new ArrayList();
+ availableRoles = rbacManager.getAllAssignableRoles();
+ }
+ }
+ catch ( UserNotFoundException ne )
 {
- assignedRoles = new ArrayList( rbacManager.getAssignedRoles( principal ) );
- availableRoles = new ArrayList( rbacManager.getUnassignedRoles( principal ) );
+ addActionError( "user cound not found" );
+ assignedRoles = new ArrayList();
+ availableRoles = new ArrayList();
 }
- else
+ catch ( UserManagerException ume )
 {
 assignedRoles = new ArrayList();
- availableRoles = rbacManager.getAllAssignableRoles();
+ availableRoles = new ArrayList();
 }
-
 }
 
 /**
 * for this method username should be populated
- *
+ *
 * @return
 */
 public String findUser()
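Review bot: The `catch ( UserManagerException ume )` branch at the end of the hunk swallows the failure: `ume` is neither logged nor reported through addActionError, so a backend error renders the page as if the user simply had no roles, and unlike the UserNotFoundException branch no error is shown at all. Surface it the same way the branch above does, e.g. `addActionError( "user manager error: " + ume.getMessage() );`, or rethrow it, since prepare() already declares `throws Exception`. The message in the UserNotFoundException branch reads `"user cound not found"`; `"user could not be found"` is the wording the findUser() hunk below uses. In both catch branches the `user`, `principal`, `fullName` and `email` fields keep whatever they held before (null on a fresh action), so any action method that dereferences `user` after prepare() presumably has to check for the action error first; that code is outside this hunk.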
@@ -124,7 +140,7 @@ public class UserManagementAction
 }
 catch ( UserNotFoundException ne )
 {
- addActionError( "user could not be found " + username );
+ addActionError( "user could not be found " + username );
 return ERROR;
 }
 }
@@ -162,6 +178,39 @@ public class UserManagementAction
 return SUCCESS;
 }
+
+ public List getRequiredOperations()
+ throws SecureActionException
+ {
+ List operations = new ArrayList();
+ operations.add( "edit-all-users" );
+ operations.add( "edit-user" );
+ return operations;
+ }
+
+ public String getRequiredResource()
+ throws SecureActionException
+ {
+ SecuritySession securitySession = (SecuritySession) session.get( SecuritySession.ROLE );
+
+ User user = securitySession.getUser();
+
+ if ( user != null )
+ {
+ return user.getPrincipal().toString();
+ }
+ else
+ {
+ throw new SecureActionException( "unable to obtain principal from users session" );
+ }
+ }
+
+ public boolean authenticationRequired()
+ throws SecureActionException
+ {
+ return true;
+ }
+
 
 public String getUsername()
 {
 return username;
diff --git a/archiva-webapp/src/main/resources/xwork.xml b/archiva-webapp/src/main/resources/xwork.xml
index e43734cf4..c4552137a 100644
--- a/archiva-webapp/src/main/resources/xwork.xml
+++ b/archiva-webapp/src/main/resources/xwork.xml
@@ -26,13 +26,16 @@
+
+
+
@@ -57,6 +60,8 @@ input /WEB-INF/jsp/generalError.jsp
+ /WEB-INF/jsp/alert.jsp
+ /WEB-INF/jsp/alert.jsp
@@ -67,6 +72,7 @@
+
diff --git a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/findUser.jsp b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/findUser.jsp
index 067693e15..258ac3864 100644
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/findUser.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/findUser.jsp
@@ -28,6 +28,9 @@
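Review bot: getRequiredResource() in the second hunk authorizes against the wrong principal: it returns the logged-in caller's own principal from the SecuritySession, whereas the account this action edits is the `user`/`username` that prepare() resolves from the request or the MANAGED_USERNAME session entry. If the interceptor evaluates `edit-user` against the returned resource, as the commit message's "edit-user or edit-all-users" wording suggests, a caller allowed to edit only their own account would pass the check and then operate on a different account; returning the managed user's principal instead, `return this.user.getPrincipal().toString();` (or `username` when the field has not been resolved yet, which depends on interceptor ordering not visible here), closes that gap. The local `User user` also shadows the `user` field, which makes exactly this mix-up easy to miss; `sessionUser` would read better. `securitySession` is dereferenced without a null check, so a missing session entry fails with a NullPointerException rather than the SecureActionException the method declares. The three new public methods have no Javadoc; getRequiredOperations() in particular should state whether the returned list is interpreted as any-of or all-of, since that is the whole authorization contract.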