[Branch ~dhis2-devs-core/dhis2/trunk] Rev 5367: dxf2merge: tightened security for /api, now requires ALL or F_WEBAPI_READ (also added F_WEBAPI_CR...
Merge authors:
Morten Olav Hansen (mortenoh)
------------------------------------------------------------
revno: 5367 [merge]
committer: Morten Olav Hansen <mortenoh@xxxxxxxxx>
branch nick: dhis2
timestamp: Mon 2011-12-12 12:20:20 +0100
message:
dxf2merge: tightened security for /api, now requires ALL or F_WEBAPI_READ (also added F_WEBAPI_CREATE, F_WEBAPI_UPDATE, F_WEBAPI_DELETE ... not currently in use)
added:
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java
modified:
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java
dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml
dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml
dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
=== added directory 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action'
=== added file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java 1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/action/NoAction.java 2011-12-12 11:18:21 +0000
@@ -0,0 +1,43 @@
+package org.hisp.dhis.api.action;
+
+/*
+ * Copyright (c) 2004-2009, University of Oslo
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * * Neither the name of the HISP project nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import com.opensymphony.xwork2.Action;
+
+/**
+ * @author Morten Olav Hansen <mortenoh@xxxxxxxxx>
+ */
+public class NoAction
+ implements Action
+{
+ public String execute()
+ throws Exception
+ {
+ return SUCCESS;
+ }
+}
\ No newline at end of file
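Review bot: NoAction's class Javadoc carries only an @author tag, and nothing says why an action that unconditionally returns SUCCESS exists; from the struts.xml change in this same commit it looks like the class is only a carrier for the `requiredAuthorities` parameter so that the F_WEBAPI_* authorities become known to the authority providers, but that is inferred, not stated. Add a class comment such as `Empty action used only to declare the F_WEBAPI_* requiredAuthorities in struts.xml; it is not a real endpoint and renders nothing.` so the next maintainer does not remove it as dead code. The `throws Exception` clause on execute() is wider than the body needs, since nothing in it can throw; an overriding method may omit the clause entirely.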
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java 2011-12-09 20:53:07 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/ChartController.java 2011-12-12 11:18:21 +0000
@@ -39,6 +39,7 @@
import org.jfree.chart.ChartUtilities;
import org.jfree.chart.JFreeChart;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
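Review bot: The hunk adds an import of PreAuthorize but, as far as this diff shows, no `@PreAuthorize` annotation is placed on any handler in ChartController; the IndexController hunk below has the same shape (only the import is added). Either annotate the handlers with the authority the commit message names, e.g. `@PreAuthorize("hasRole('ALL') or hasRole('F_WEBAPI_READ')")`, or drop the imports, because an unused import of a security annotation reads as if method-level protection were in place when only the intercept-url rules in security.xml actually apply. If the annotations are intended for a follow-up commit, a TODO comment at the import would make that explicit.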
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java 2011-12-08 14:31:31 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/api/controller/IndexController.java 2011-12-12 11:18:21 +0000
@@ -27,6 +27,7 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml 2011-12-07 13:44:45 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/META-INF/dhis/servlet.xml 2011-12-12 11:18:21 +0000
@@ -3,10 +3,14 @@
xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
+ xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
+ <sec:global-method-security pre-post-annotations="enabled" />
+
<mvc:annotation-driven />
<context:component-scan base-package="org.hisp.dhis.api" />
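Review bot: `<sec:global-method-security pre-post-annotations="enabled" />` is declared in the dhis-web-api servlet context, so it should only proxy beans created in that context, i.e. the controllers found by the component-scan on the next line; service beans living in the parent context would not be covered, which is presumably intended but is worth stating, since the commons security.xml in this commit removes the global element altogether. Add a comment above the element, e.g. `<!-- enables @PreAuthorize on org.hisp.dhis.api controllers only; beans of the root context are not proxied here -->`. Note that no @PreAuthorize usage appears anywhere in this diff, so the element has no effect until a controller is annotated.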
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml 2011-11-02 11:14:35 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/resources/struts.xml 2011-12-12 11:18:21 +0000
@@ -1,11 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
-"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
-"http://struts.apache.org/dtds/struts-2.0.dtd">
+ "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
+ "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
<include file="dhis-web-commons.xml" />
<package name="dhis-web-api" extends="dhis-web-commons" namespace="/dhis-web-api">
+
+ <action name="index" class="org.hisp.dhis.api.action.NoAction">
+ <param name="requiredAuthorities">F_WEBAPI_CREATE, F_WEBAPI_READ, F_WEBAPI_UPDATE, F_WEBAPI_DELETE</param>
+ </action>
+
</package>
</struts>
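Review bot: The new `index` action is mapped under `/dhis-web-api` with `requiredAuthorities` listing all four F_WEBAPI_* authorities, and nothing explains the purpose; the more plausible intent, making these authorities visible to the DetectingSystemAuthoritiesProvider that this commit also touches in security.xml, is not stated anywhere. Add a comment above the action, e.g. `<!-- declares the F_WEBAPI_* authorities so they are detected as system authorities; the action itself renders nothing -->`. Whether the comma-separated list is treated as a conjunction (a caller needs every authority to reach the blank result) or as alternatives depends on how RequiredAuthoritiesProvider interprets it and should be checked, since the commit message says CREATE/UPDATE/DELETE are not in use yet.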
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2011-10-24 09:55:12 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2011-12-12 11:18:21 +0000
@@ -1,13 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
- <sec:global-method-security jsr250-annotations="disabled" pre-post-annotations="disabled"
- secured-annotations="disabled" />
-
<bean id="mappedRedirectStrategy" class="org.hisp.dhis.security.MappedRedirectStrategy">
<property name="redirectMap">
<map>
@@ -28,15 +25,18 @@
<sec:http access-decision-manager-ref="accessDecisionManager" use-expressions="true" realm="DHIS2">
<sec:form-login default-target-url="/" always-use-default-target="false"
- login-processing-url="/dhis-web-commons-security/login.action" authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"
- login-page="/dhis-web-commons/security/login.action" authentication-success-handler-ref="defaultAuthenticationSuccessHandler" />
+ login-processing-url="/dhis-web-commons-security/login.action"
+ authentication-failure-url="/dhis-web-commons/security/login.action?failed=true"
+ login-page="/dhis-web-commons/security/login.action"
+ authentication-success-handler-ref="defaultAuthenticationSuccessHandler" />
<sec:http-basic />
<sec:logout logout-url="/dhis-web-commons-security/logout.action" />
-
<sec:intercept-url pattern="/dhis-web-commons/security/**" access="permitAll" />
<sec:intercept-url pattern="/dhis-web-commons/javascripts/**" filters="none" />
<sec:intercept-url pattern="/dhis-web-commons/css/**" filters="none" />
<sec:intercept-url pattern="/favicon.ico" filters="none" />
+ <sec:intercept-url pattern="/api*" access="hasRole('F_WEBAPI_READ')" />
+ <sec:intercept-url pattern="/api/**" access="hasRole('F_WEBAPI_READ')" />
<sec:intercept-url pattern="/**" access="isAuthenticated()" />
<sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" />
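Review bot: The two new `intercept-url` rules gate every HTTP method under /api with `hasRole('F_WEBAPI_READ')` alone, so a user holding only the read authority can also reach any POST/PUT/DELETE handler under /api; the F_WEBAPI_CREATE/UPDATE/DELETE authorities the commit introduces are never consulted here. If write endpoints exist or are planned, add method-specific rules ahead of the generic one, e.g. `<sec:intercept-url pattern="/api/**" method="POST" access="hasRole('F_WEBAPI_CREATE')" />` (and likewise PUT with F_WEBAPI_UPDATE, DELETE with F_WEBAPI_DELETE), since the first matching rule decides. The commit message says ALL is also accepted, but the expression names only F_WEBAPI_READ; if that comes from the custom accessDecisionManager referenced on the `<sec:http>` element, a short comment saying so would stop a reader from concluding that superusers are locked out. Also `/api*` matches any path starting with `api` (such as `/apixyz`), which is harmless because it only restricts, but `/api` plus `/api/**` would state the intent more precisely.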
@@ -44,7 +44,7 @@
<!-- Security : Action -->
<bean id="restrictOrganisationUnitsAction" class="org.hisp.dhis.security.action.RestrictOrganisationUnitsAction"
- scope="prototype">
+ scope="prototype">
<property name="currentUserService" ref="org.hisp.dhis.user.CurrentUserService" />
<property name="selectionManager" ref="org.hisp.dhis.ouwt.manager.OrganisationUnitSelectionManager" />
<property name="selectionTreeManager" ref="org.hisp.dhis.oust.manager.SelectionTreeManager" />
@@ -143,7 +143,8 @@
</property>
</bean>
- <bean id="org.hisp.dhis.security.ActionAccessResolver" class="org.hisp.dhis.security.SpringSecurityActionAccessResolver">
+ <bean id="org.hisp.dhis.security.ActionAccessResolver"
+ class="org.hisp.dhis.security.SpringSecurityActionAccessResolver">
<property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
</bean>
@@ -158,7 +159,8 @@
</property>
</bean>
- <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor" class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor">
+ <bean id="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor"
+ class="org.hisp.dhis.security.intercept.XWorkSecurityInterceptor">
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="validateConfigAttributes" value="false" />
@@ -168,7 +170,8 @@
<!-- Security : AuthorityProvider -->
- <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider">
+ <bean id="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider"
+ class="org.hisp.dhis.security.authority.DefaultRequiredAuthoritiesProvider">
<property name="requiredAuthoritiesKey" value="requiredAuthorities" />
<property name="globalAttributes">
<set>
@@ -177,11 +180,13 @@
</property>
</bean>
- <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider">
+ <bean id="org.hisp.dhis.security.authority.SystemAuthoritiesProvider"
+ class="org.hisp.dhis.security.authority.CachingSystemAuthoritiesProvider">
<property name="source" ref="compositeSystemAuthoritiesProvider" />
</bean>
- <bean id="compositeSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider">
+ <bean id="compositeSystemAuthoritiesProvider"
+ class="org.hisp.dhis.security.authority.CompositeSystemAuthoritiesProvider">
<property name="sources">
<set>
<ref bean="detectingSystemAuthoritiesProvider" />
@@ -191,7 +196,8 @@
</property>
</bean>
- <bean id="detectingSystemAuthoritiesProvider" class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider">
+ <bean id="detectingSystemAuthoritiesProvider"
+ class="org.hisp.dhis.security.authority.DetectingSystemAuthoritiesProvider">
<property name="requiredAuthoritiesProvider" ref="org.hisp.dhis.security.authority.RequiredAuthoritiesProvider" />
</bean>