Merge branch 'master' of https://git.bukova.info/repos/git/isspst
commit
a22be88e47
@ -0,0 +1,10 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public interface Evaluator {
|
||||||
|
|
||||||
|
public boolean evaluate(Authentication authentication,
|
||||||
|
Object targetDomainObject, String permission);
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
public class EvaluatorsHolder {
|
||||||
|
|
||||||
|
private Map<Class<?>, Evaluator> globalEvaluators;
|
||||||
|
private Map<Class<?>, Evaluator> specialEvaluators;
|
||||||
|
|
||||||
|
public void setGlobalEvaluators(Map<Class<?>, Evaluator> globalEvaluators) {
|
||||||
|
this.globalEvaluators = globalEvaluators;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setSpecialEvaluators(Map<Class<?>, Evaluator> specialEvaluators) {
|
||||||
|
this.specialEvaluators = specialEvaluators;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Evaluator getForObject(Object object, boolean special) {
|
||||||
|
Map<Class<?>, Evaluator> evals;
|
||||||
|
|
||||||
|
if (special) {
|
||||||
|
evals = specialEvaluators;
|
||||||
|
} else {
|
||||||
|
evals = globalEvaluators;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (Class<?> key : evals.keySet()) {
|
||||||
|
if (key.equals(object.getClass())) {
|
||||||
|
return evals.get(key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for (Class<?> key : evals.keySet()) {
|
||||||
|
if (key.isAssignableFrom(object.getClass())) {
|
||||||
|
return evals.get(key);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,44 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.Permission;
|
||||||
|
import info.bukova.isspst.data.PermissionType;
|
||||||
|
|
||||||
|
import java.io.Serializable;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.security.access.PermissionEvaluator;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public class IsPermissionEvaluator implements PermissionEvaluator {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private EvaluatorsHolder evalHolder;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean hasPermission(Authentication authentication,
|
||||||
|
Object targetDomainObject, Object permission) {
|
||||||
|
|
||||||
|
Permission appPermission = null;
|
||||||
|
for (Permission p : Constants.SPECIAL_PERMISSIONS) {
|
||||||
|
if (p.getAuthority().equals(permission)) {
|
||||||
|
appPermission = p;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
|
||||||
|
|
||||||
|
if (eval != null) {
|
||||||
|
return eval.evaluate(authentication, targetDomainObject, (String)permission);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean hasPermission(Authentication authentication,
|
||||||
|
Serializable targetId, String targetType, Object permission) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,68 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.Permission;
|
||||||
|
import info.bukova.isspst.data.PermissionType;
|
||||||
|
import info.bukova.isspst.data.RequirementBase;
|
||||||
|
import info.bukova.isspst.data.Role;
|
||||||
|
import info.bukova.isspst.data.User;
|
||||||
|
import info.bukova.isspst.data.Workgroup;
|
||||||
|
import info.bukova.isspst.services.workgroups.WorkgroupService;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public class RequirementFilterEvaluator implements Evaluator {
|
||||||
|
|
||||||
|
private WorkgroupService wgService;
|
||||||
|
|
||||||
|
public RequirementFilterEvaluator(WorkgroupService wgService) {
|
||||||
|
this.wgService = wgService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean evaluate(Authentication authentication,
|
||||||
|
Object targetDomainObject, String permission) {
|
||||||
|
|
||||||
|
RequirementBase req = (RequirementBase) targetDomainObject;
|
||||||
|
Workgroup reqWg;
|
||||||
|
|
||||||
|
if (!(authentication.getPrincipal() instanceof User)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
User user = (User)authentication.getPrincipal();
|
||||||
|
|
||||||
|
Permission appPermission = null;
|
||||||
|
for (Permission p : Constants.SPECIAL_PERMISSIONS) {
|
||||||
|
if (p.getAuthority().equals(permission)) {
|
||||||
|
appPermission = p;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (appPermission == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (appPermission.getType() == PermissionType.CENTRE) {
|
||||||
|
reqWg = req.getCentre();
|
||||||
|
} else {
|
||||||
|
reqWg = req.getWorkgroup();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (wgService.isMember(reqWg, user)) {
|
||||||
|
List<Role> roles = wgService.getUserWorkgroupRoles(reqWg, user);
|
||||||
|
for (Role r : roles) {
|
||||||
|
for (Permission p : r.getPermissions()) {
|
||||||
|
if (p.getAuthority().equals(appPermission.getAuthority())) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,46 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.Module;
|
||||||
|
import info.bukova.isspst.data.Role;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public class ServiceEvaluator implements Evaluator {
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
@Override
|
||||||
|
public boolean evaluate(Authentication authentication,
|
||||||
|
Object targetDomainObject, String permission) {
|
||||||
|
|
||||||
|
List<Role> roles = (List<Role>) authentication.getAuthorities();
|
||||||
|
String moduleId = "";
|
||||||
|
String perm = permission;
|
||||||
|
|
||||||
|
for (Module m : Constants.MODULES) {
|
||||||
|
if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
|
||||||
|
moduleId = m.getId();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
perm += "_" + moduleId;
|
||||||
|
|
||||||
|
for (int i = 0; i < roles.size(); i++) {
|
||||||
|
if (!(roles.get(i) instanceof Role)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (roles.get(i).getAuthority().equals(perm)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,71 @@
|
|||||||
|
package info.bukova.isspst.security;
|
||||||
|
|
||||||
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.Permission;
|
||||||
|
import info.bukova.isspst.data.PermissionType;
|
||||||
|
import info.bukova.isspst.data.Role;
|
||||||
|
import info.bukova.isspst.data.User;
|
||||||
|
import info.bukova.isspst.data.Workgroup;
|
||||||
|
import info.bukova.isspst.services.workgroups.WorkgroupService;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
|
||||||
|
public class WorkgroupAwareServiceEvaluator implements Evaluator {
|
||||||
|
|
||||||
|
private WorkgroupService wgService;
|
||||||
|
|
||||||
|
public WorkgroupAwareServiceEvaluator(WorkgroupService wgService) {
|
||||||
|
this.wgService = wgService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean evaluate(Authentication authentication,
|
||||||
|
Object targetDomainObject, String permission) {
|
||||||
|
|
||||||
|
List<Workgroup> userWorkgroups;
|
||||||
|
|
||||||
|
if (!(authentication.getPrincipal() instanceof User)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
User user = (User)authentication.getPrincipal();
|
||||||
|
|
||||||
|
Permission appPermission = null;
|
||||||
|
for (Permission p : Constants.SPECIAL_PERMISSIONS) {
|
||||||
|
if (p.getAuthority().equals(permission)) {
|
||||||
|
appPermission = p;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (appPermission == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (appPermission.getType() == PermissionType.CENTRE) {
|
||||||
|
userWorkgroups = wgService.getUserCentres(user);
|
||||||
|
} else {
|
||||||
|
userWorkgroups = wgService.getUserWorkgroups(user);
|
||||||
|
}
|
||||||
|
|
||||||
|
for (Workgroup wg : userWorkgroups) {
|
||||||
|
List<Role> wgRoles = wgService.getUserWorkgroupRoles(wg, user);
|
||||||
|
|
||||||
|
if (wgRoles == null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (Role r : wgRoles) {
|
||||||
|
for (Permission p : r.getPermissions()) {
|
||||||
|
if (p.getAuthority().equals(appPermission.getAuthority())) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,93 @@
|
|||||||
|
package info.bukova.isspst.services.users;
|
||||||
|
|
||||||
|
import info.bukova.isspst.Constants;
|
||||||
|
import info.bukova.isspst.data.Role;
|
||||||
|
import info.bukova.isspst.data.User;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
|
||||||
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||||
|
import org.springframework.security.openid.OpenIDAttribute;
|
||||||
|
import org.springframework.security.openid.OpenIDAuthenticationToken;
|
||||||
|
|
||||||
|
public class GmailUserService implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
|
||||||
|
|
||||||
|
private static final Logger logger = LoggerFactory.getLogger(GmailUserService.class);
|
||||||
|
|
||||||
|
private UserService userService;
|
||||||
|
private RoleService roleService;
|
||||||
|
private String restrictDomain;
|
||||||
|
|
||||||
|
public GmailUserService(UserService userService, RoleService roleService) {
|
||||||
|
this.userService = userService;
|
||||||
|
this.roleService = roleService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
|
||||||
|
throws UsernameNotFoundException {
|
||||||
|
|
||||||
|
String email = null;
|
||||||
|
String firstName = null;
|
||||||
|
String lastName = null;
|
||||||
|
List<OpenIDAttribute> attributes = token.getAttributes();
|
||||||
|
|
||||||
|
for (OpenIDAttribute attribute : attributes) {
|
||||||
|
if (attribute.getName().equals("email")) {
|
||||||
|
email = attribute.getValues().get(0);
|
||||||
|
}
|
||||||
|
if (attribute.getName().equals("firstName")) {
|
||||||
|
firstName = attribute.getValues().get(0);
|
||||||
|
}
|
||||||
|
if (attribute.getName().equals("lastName")) {
|
||||||
|
lastName = attribute.getValues().get(0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
String userAndDomain[] = email.split("@");
|
||||||
|
String username = userAndDomain[0];
|
||||||
|
String domain = userAndDomain[1];
|
||||||
|
|
||||||
|
if (restrictDomain != null && !restrictDomain.isEmpty() && !restrictDomain.equals(domain)) {
|
||||||
|
logger.warn("Try to login from foreign domain");
|
||||||
|
|
||||||
|
throw new UsernameNotFoundException("Email from foreign domain");
|
||||||
|
}
|
||||||
|
|
||||||
|
UserDetails user;
|
||||||
|
|
||||||
|
try {
|
||||||
|
user = userService.loadUserByUsername(username);
|
||||||
|
} catch (UsernameNotFoundException e) {
|
||||||
|
logger.info("Username not found in database. Creating one");
|
||||||
|
|
||||||
|
User usr = new User();
|
||||||
|
usr.setUsername(username);
|
||||||
|
usr.setFirstName(firstName);
|
||||||
|
usr.setLastName(lastName);
|
||||||
|
usr.setEmail(email);
|
||||||
|
usr.setEnabled(true);
|
||||||
|
usr.setNotify(true);
|
||||||
|
|
||||||
|
Role role = roleService.getRoleByAuthority(Constants.ROLE_USER);
|
||||||
|
usr.addAuthority(role);
|
||||||
|
|
||||||
|
userService.grantAdmin();
|
||||||
|
userService.add(usr);
|
||||||
|
userService.removeAccess();
|
||||||
|
|
||||||
|
user = userService.loadUserByUsername(username);
|
||||||
|
}
|
||||||
|
|
||||||
|
return user;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setRestrictDomain(String restrictDomain) {
|
||||||
|
this.restrictDomain = restrictDomain;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1 @@
|
|||||||
|
gmail.restrictDomain=
|
Binary file not shown.
Binary file not shown.
@ -0,0 +1,14 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xmlns:security="http://www.springframework.org/schema/security"
|
||||||
|
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
||||||
|
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
|
||||||
|
|
||||||
|
<bean id="gmailUserService" class="info.bukova.isspst.services.users.GmailUserService">
|
||||||
|
<constructor-arg ref="userService"/>
|
||||||
|
<constructor-arg ref="roleService"/>
|
||||||
|
<property name="restrictDomain" value="${gmail.restrictDomain}"/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
|
</beans>
|
Binary file not shown.
After Width: | Height: | Size: 7.6 KiB |
@ -0,0 +1,21 @@
|
|||||||
|
<html
|
||||||
|
xmlns="native"
|
||||||
|
xmlns:u="zul"
|
||||||
|
xmlns:zk="zk">
|
||||||
|
<head>
|
||||||
|
<title>${labels.Loggingin}</title>
|
||||||
|
</head>
|
||||||
|
<body style="height: 100%; padding: 0 5px;">
|
||||||
|
<div style="height: 15%" />
|
||||||
|
<div align="center">
|
||||||
|
<u:include src="login.zul" />
|
||||||
|
<br/>
|
||||||
|
<img src="img/google.png" alt="Google"/>
|
||||||
|
<form action="j_spring_openid_security_check" method="post">
|
||||||
|
<input name="openid_identifier" type="hidden" value="https://www.google.com/accounts/o8/id"/>
|
||||||
|
<input type="submit" value="${labels.LoginViaGoogle}" class="nicebutton"/>
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
</body>
|
||||||
|
</html>
|
Loading…
Reference in New Issue