

[Branch ~dhis2-devs-core/dhis2/trunk] Rev 5367: dxf2merge: tightened security for /api, now requires ALL or F_WEBAPI_READ (also added F_WEBAPI_CR...

 

Merge authors:
  Morten Olav Hansen (mortenoh)
------------------------------------------------------------
revno: 5367 [merge]
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Mon 2011-12-12 12:20:20 +0100
message:
  dxf2merge: tightened security for /api, now requires ALL or F_WEBAPI_READ (also added F_WEBAPI_CREATE, F_WEBAPI_UPDATE, F_WEBAPI_DELETE ... not currently in use)
added:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java
modified:
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java
  dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java
  dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml
  dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== added directory 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action'
=== added file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java	2011-12-12 11:18:21 +0000
@@ -0,0 +1,43 @@
+package org.hisp.dhis.api.action;
+
+/*
+ * Copyright (c) 2004-2009, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice, this
+ *   list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ * * Neither the name of the HISP project nor the names of its contributors may
+ *   be used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import com.opensymphony.xwork2.Action;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class NoAction
+    implements Action
+{
+    public String execute()
+        throws Exception
+    {
+        return SUCCESS;
+    }
+}
\ No newline at end of file
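Review bot: NoAction carries no class-level Javadoc explaining why a no-op Struts action is being added to the API module, so the next reader will take it for dead code. The struts.xml change in this same commit binds it to the `index` action apparently only so that the F_WEBAPI_* authorities appear in a `requiredAuthorities` parameter and get picked up by the detecting authorities provider; that is an inference from the 'not currently in use' remark and should be confirmed before documenting it. Suggested header: `/** No-op action; exists only so that the F_WEBAPI_* authorities declared on it in struts.xml are registered as system authorities. */`. Also add the missing trailing newline, and mark `execute()` with `@Override` if the build targets Java 6 or later.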

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java	2011-12-09 20:53:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java	2011-12-12 11:18:21 +0000
@@ -39,6 +39,7 @@
 import org.jfree.chart.ChartUtilities;
 import org.jfree.chart.JFreeChart;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
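Review bot: The hunk only adds the `PreAuthorize` import; no annotated method is visible here, so if `@PreAuthorize` was not applied further down ChartController the import is unused and should be dropped. If it was applied, note that the annotation is only enforced because `<sec:global-method-security>` now sits in the servlet context where this controller is created, and that a class-based @Controller that implements any interface would get a JDK proxy and lose its @RequestMapping on Spring 3.0. ChartController's handler methods lie outside this hunk.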

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java	2011-12-08 14:31:31 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java	2011-12-12 11:18:21 +0000
@@ -27,6 +27,7 @@
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2011-12-07 13:44:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml	2011-12-12 11:18:21 +0000
@@ -3,10 +3,14 @@
        xmlns="http://www.springframework.org/schema/beans";
        xmlns:context="http://www.springframework.org/schema/context";
        xmlns:mvc="http://www.springframework.org/schema/mvc";
+       xmlns:sec="http://www.springframework.org/schema/security";
        xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd";>
 
+  <sec:global-method-security pre-post-annotations="enabled" />
+
   <mvc:annotation-driven />
 
   <context:component-scan base-package="org.hisp.dhis.api" />
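Review bot: `<sec:global-method-security pre-post-annotations="enabled" />` is placed in the DispatcherServlet context, which is what makes it reach the @Controller beans scanned on the next line, but that is not obvious and nothing says so; add `<!-- must live in the servlet context: method security only intercepts beans created here (the controllers), not root-context services -->`. The element defaults to JDK interface proxies, so any controller implementing an interface would be proxied in a way that hides its class-level @RequestMapping under Spring 3.0; either set `proxy-target-class="true"` on the element or document that controllers must stay interface-free. The disabled copy removed from security.xml in this commit means service-layer beans keep having no method security, which is presumably intended.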

=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml	2011-11-02 11:14:35 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml	2011-12-12 11:18:21 +0000
@@ -1,11 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE struts PUBLIC
-"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
-"http://struts.apache.org/dtds/struts-2.0.dtd";>
+    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
+    "http://struts.apache.org/dtds/struts-2.0.dtd";>
 <struts>
   <include file="dhis-web-commons.xml" />
 
   <package name="dhis-web-api" extends="dhis-web-commons" namespace="/dhis-web-api">
+
+    <action name="index" class="org.hisp.dhis.api.action.NoAction">
+      <param name="requiredAuthorities">F_WEBAPI_CREATE, F_WEBAPI_READ, F_WEBAPI_UPDATE, F_WEBAPI_DELETE</param>
+    </action>
+
   </package>
 
 </struts>
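Review bot: The `index` action lists all four F_WEBAPI_* authorities in `requiredAuthorities`, while the commit message says /api only needs F_WEBAPI_READ; whether the XWorkSecurityInterceptor treats that list as any-of or all-of is not visible here, and if it is all-of, a user holding only F_WEBAPI_READ is refused at /dhis-web-api/index.action but accepted at /api. If the action exists merely so the authorities get registered (as 'not currently in use' suggests), say so in the file with `<!-- placeholder action: registers the F_WEBAPI_* authorities so they can be assigned to user roles; not a real endpoint -->`; otherwise restrict it to `F_WEBAPI_READ` so it matches security.xml.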

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2011-10-24 09:55:12 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml	2011-12-12 11:18:21 +0000
@@ -1,13 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"; xmlns:sec="http://www.springframework.org/schema/security";
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-  xsi:schemaLocation="
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xsi:schemaLocation="
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
 		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd";>
 
-  <sec:global-method-security jsr250-annotations="disabled" pre-post-annotations="disabled"
-    secured-annotations="disabled" />
-
   <bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy">
     <property name="redirectMap">
       <map>
@@ -28,15 +25,18 @@
 
   <sec:http access-decision-manager-ref="accessDecisionManager" use-expressions="true" realm="DHIS2">
     <sec:form-login default-target-url="/" always-use-default-target="false"
-      login-processing-url="/dhis-web-commons-security/login.action" authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"
-      login-page="/dhis-web-commons/security/login.action" authentication-success-handler-ref="defaultAuthenticationSuccessHandler" />
+                    login-processing-url="/dhis-web-commons-security/login.action"
+                    authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"
+                    login-page="/dhis-web-commons/security/login.action"
+                    authentication-success-handler-ref="defaultAuthenticationSuccessHandler" />
     <sec:http-basic />
     <sec:logout logout-url="/dhis-web-commons-security/logout.action" />
-
     <sec:intercept-url pattern="/dhis-web-commons/security/**" access="permitAll" />
     <sec:intercept-url pattern="/dhis-web-commons/javascripts/**" filters="none" />
     <sec:intercept-url pattern="/dhis-web-commons/css/**" filters="none" />
     <sec:intercept-url pattern="/favicon.ico" filters="none" />
+    <sec:intercept-url pattern="/api*" access="hasRole('F_WEBAPI_READ')" />
+    <sec:intercept-url pattern="/api/**" access="hasRole('F_WEBAPI_READ')" />
     <sec:intercept-url pattern="/**" access="isAuthenticated()" />
 
     <sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" />
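Review bot: The two new intercept-url rules for `/api*` and `/api/**` grant access on `hasRole('F_WEBAPI_READ')` alone, yet the commit message promises 'ALL or F_WEBAPI_READ'; the expression never mentions ALL, so superuser access depends entirely on the referenced `accessDecisionManager` treating ALL as a wildcard, which this hunk cannot confirm. Making it explicit protects against a future change to that manager locking superusers out of /api: `access="hasAnyRole('ALL','F_WEBAPI_READ')"`. The rules also apply to every HTTP method, so a POST/PUT/DELETE to /api currently needs only READ; since Spring Security 3.0 intercept-url supports a `method` attribute, the newly added CREATE/UPDATE/DELETE authorities could be wired now, e.g. `<sec:intercept-url pattern="/api/**" method="POST" access="hasAnyRole('ALL','F_WEBAPI_CREATE')" />` placed before the generic `/api/**` rule, because the first matching rule wins.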
@@ -44,7 +44,7 @@
 
   <!-- Security : Action -->
   <bean id="restrictOrganisationUnitsAction" class="org.hisp.dhis.security.action.RestrictOrganisationUnitsAction"
-    scope="prototype">
+        scope="prototype">
     <property name="currentUserService" ref="org.hisp.dhis.user.CurrentUserService" />
     <property name="selectionManager" ref="org.hisp.dhis.ouwt.manager.OrganisationUnitSelectionManager" />
     <property name="selectionTreeManager" ref="org.hisp.dhis.oust.manager.SelectionTreeManager" />
@@ -143,7 +143,8 @@
     </property>
   </bean>
 
-  <bean id="org.hisp.dhis.security.ActionAccessResolver" class="org.hisp.dhis.security.SpringSecurityActionAccessResolver">
+  <bean id="org.hisp.dhis.security.ActionAccessResolver"
+        class="org.hisp.dhis.security.SpringSecurityActionAccessResolver">
     <property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" />
     <property name="accessDecisionManager" ref="accessDecisionManager" />
   </bean>
@@ -158,7 +159,8 @@
     </property>
   </bean>
 
-  <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor" class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor">
+  <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor"
+        class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor">
     <property name="accessDecisionManager" ref="accessDecisionManager" />
     <property name="authenticationManager" ref="authenticationManager" />
     <property name="validateConfigAttributes" value="false" />
@@ -168,7 +170,8 @@
 
   <!-- Security : AuthorityProvider -->
 
-  <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider">
+  <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider"
+        class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider">
     <property name="requiredAuthoritiesKey" value="requiredAuthorities" />
     <property name="globalAttributes">
       <set>
@@ -177,11 +180,13 @@
     </property>
   </bean>
 
-  <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider">
+  <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider"
+        class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider">
     <property name="source" ref="compositeSystemAuthoritiesProvider" />
   </bean>
 
-  <bean id="compositeSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider">
+  <bean id="compositeSystemAuthoritiesProvider"
+        class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider">
     <property name="sources">
       <set>
         <ref bean="detectingSystemAuthoritiesProvider" />
@@ -191,7 +196,8 @@
     </property>
   </bean>
 
-  <bean id="detectingSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider">
+  <bean id="detectingSystemAuthoritiesProvider"
+        class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider">
     <property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" />
   </bean>