Commit 80f6185d authored by Daniel Gerhardt's avatar Daniel Gerhardt

Merge branch 'spring-5'

parents 941406c7 cf4b867c
subprojects {
apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'maven'
sourceCompatibility = 1.7
sourceCompatibility = 1.8
group = 'de.thm.arsnova.connector'
version = '0.74.0-SNAPSHOT'
ext {
springVersion = '4.0.9.RELEASE'
springSecurityVersion = '3.2.5.RELEASE'
springBootVersion = '2.1.4.RELEASE'
}
repositories {
jcenter()
mavenCentral()
mavenLocal()
}
dependencies {
compile group: 'org.springframework', name: 'spring-context', version: springVersion
compile group: 'org.springframework.security', name: 'spring-security-config', version: springSecurityVersion
compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.5.0'
implementation platform(group: 'org.springframework.boot', name: 'spring-boot-dependencies', version: springBootVersion)
implementation group: 'org.springframework', name: 'spring-context'
implementation group: 'org.springframework.security', name: 'spring-security-config'
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind'
testCompile group: 'junit', name: 'junit', version: '4.12'
testCompile group: 'org.springframework', name: 'spring-test', version: springVersion
testImplementation group: 'junit', name: 'junit'
testImplementation group: 'org.springframework', name: 'spring-test'
}
test { systemProperties 'property': 'value' }
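Review bot: The `repositories` block still lists `mavenLocal()` as a resolution source, which matters more now that most versions come from the `spring-boot-dependencies` platform instead of literals in this file. Because it is listed last it only serves coordinates the remote repositories do not have, but those then come from whatever is in the build machine's local Maven repository, so the build is not reproducible across hosts. Consider dropping `mavenLocal()`, or, if the Gradle version in use supports repository content filtering, restricting it to the project's own group `de.thm.arsnova.connector`. The same three-entry list appears in the other build files on this page, including the `buildscript` repositories that load the JAXB plugin. Which of these entries the commit itself added cannot be recovered from the rendered page.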
......
......@@ -5,18 +5,18 @@ jar {
}
repositories {
jcenter()
mavenCentral()
mavenLocal()
}
dependencies {
compile project (':connector-model')
compile group: 'commons-collections', name: 'commons-collections', version: '3.2.1'
compile group: 'commons-codec', name: 'commons-codec', version: '1.10'
compile group: 'org.springframework', name: 'spring-context', version: springVersion
compile group: 'org.springframework', name: 'spring-web', version: springVersion
implementation group: 'commons-codec', name: 'commons-codec'
implementation group: 'org.springframework', name: 'spring-context'
implementation group: 'org.springframework', name: 'spring-web'
testCompile group: 'junit', name: 'junit', version: '4.12'
testImplementation group: 'junit', name: 'junit'
}
test { systemProperties 'property': 'value' }
......
apply plugin: 'eclipse-wtp'
apply plugin: 'com.github.jacobono.jaxb'
jar {
......@@ -11,6 +10,7 @@ buildscript {
repositories {
jcenter()
mavenCentral()
mavenLocal()
}
dependencies { classpath 'com.github.jacobono:gradle-jaxb-plugin:1.3.5' }
......
......@@ -3,7 +3,6 @@ plugins {
id "org.sonarqube" version "2.7"
}
apply plugin: 'eclipse-wtp'
apply plugin: 'war'
apply plugin: 'jacoco'
......@@ -21,25 +20,24 @@ repositories {
dependencies {
compile project (':connector-model')
compile group: 'commons-collections', name: 'commons-collections', version: '3.2.1'
compile group: 'commons-codec', name: 'commons-codec', version: '1.10'
compile group: 'org.springframework', name: 'spring-context', version: springVersion
compile group: 'org.springframework', name: 'spring-webmvc', version: springVersion
compile group: 'org.springframework', name: 'spring-jdbc', version: springVersion
compile group: 'org.springframework.security', name: 'spring-security-web', version: springSecurityVersion
compile group: 'org.springframework.security', name: 'spring-security-config', version: springSecurityVersion
compile group: 'org.springframework.security', name: 'spring-security-ldap', version: springSecurityVersion
compile group: 'mysql', name: 'mysql-connector-java', version: '5.1.34'
compile group: 'cglib', name: 'cglib', version: '3.1'
compile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.10'
compile group: 'org.json', name: 'json', version: '20141113'
implementation group: 'commons-codec', name: 'commons-codec'
implementation group: 'org.springframework', name: 'spring-context'
implementation group: 'org.springframework', name: 'spring-webmvc'
implementation group: 'org.springframework', name: 'spring-jdbc'
implementation group: 'org.springframework.security', name: 'spring-security-web'
implementation group: 'org.springframework.security', name: 'spring-security-config'
implementation group: 'org.springframework.security', name: 'spring-security-ldap'
implementation group: 'cglib', name: 'cglib', version: '3.1'
implementation group: 'ch.qos.logback', name: 'logback-classic'
implementation group: 'org.json', name: 'json', version: '20141113'
implementation group: 'mysql', name: 'mysql-connector-java', version: '5.1.34'
providedCompile group: 'javax.servlet', name: 'javax.servlet-api', version: '3.0.1'
testCompile group: 'junit', name: 'junit', version: '4.12'
testCompile group: 'org.mockito', name: 'mockito-core', version: '1.10.19'
testCompile group: 'org.dbunit', name: 'dbunit', version: '2.5.0'
testCompile group: 'org.hsqldb', name: 'hsqldb', version: '2.3.2'
testImplementation group: 'junit', name: 'junit'
testImplementation group: 'org.mockito', name: 'mockito-core'
testImplementation group: 'org.dbunit', name: 'dbunit', version: '2.5.0'
testImplementation group: 'org.hsqldb', name: 'hsqldb', version: '2.3.2'
}
test { systemProperties 'property': 'value' }
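Review bot: `mysql-connector-java` 5.1.34, `cglib` 3.1, `org.json` 20141113, `dbunit` 2.5.0 and `hsqldb` 2.3.2 keep their old literal versions in this `dependencies` block, while the Spring, commons-codec, logback, JUnit and Mockito coordinates now take theirs from the platform. The JDBC driver handles database credentials and query traffic, so check whether the platform already manages it (and `hsqldb`) and drop the literal if so; the remaining ones would need an explicit bump. Whether the platform covers any of them is not visible on this page. If a literal is kept on purpose, a short comment such as `// pinned: not managed by spring-boot-dependencies` would record why.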
......
......@@ -10,9 +10,9 @@ import javax.servlet.http.HttpServletResponse;
import org.json.JSONObject;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.stereotype.Service;
import de.thm.arsnova.connector.persistence.domain.User;
......@@ -65,12 +65,9 @@ public class AuthenticationTokenService {
*/
private String generateToken(UserDetails ud) {
Date now = new Date();
Md5PasswordEncoder encoder = new Md5PasswordEncoder();
MessageDigestPasswordEncoder encoder = new MessageDigestPasswordEncoder("MD5");
return encoder.encodePassword(
ud.getUsername() + now.toString() + String.valueOf(Math.random()),
null
);
return encoder.encode(ud.getUsername() + now.toString() + Math.random());
}
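Review bot: The token built in `generateToken` still takes its only unpredictable input from `Math.random()`, which is not a cryptographically secure generator; the username and timestamp mixed in are guessable, and hashing with MD5 adds no entropy. Since the line is being rewritten anyway, the token could come straight from a CSPRNG, e.g. `byte[] raw = new byte[32]; new SecureRandom().nextBytes(raw); return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);` (this needs `java.security.SecureRandom` and `java.util.Base64` imports outside the hunk). As far as I can tell, `MessageDigestPasswordEncoder.encode` in Spring Security 5 also prepends a generated `{salt}` to the digest, so the token is no longer the bare hex string that `encodePassword(..., null)` produced; anything that stores, compares or transmits the token should be checked for that format change. The method's Javadoc begins above the hunk.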
......
......@@ -12,8 +12,8 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import de.thm.arsnova.connector.auth.AuthenticationFilter;
......@@ -22,7 +22,7 @@ import de.thm.arsnova.connector.auth.AuthenticationTokenService;
import de.thm.arsnova.connector.core.RepoPermissionEvaluator;
@Configuration
@EnableWebMvcSecurity
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@PropertySource("file:///etc/arsnova/connector.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
......@@ -42,7 +42,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser(username)
.password(password).authorities("ADMIN");
.password("{noop}" + password).authorities("ADMIN");
if (!"".equals(ldapServerUrl)) {
auth.ldapAuthentication().contextSource(ldapContextSource())
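Review bot: Prefixing the configured value with `"{noop}"` in `configureGlobal` fixes the ADMIN credential to plaintext comparison, so `/etc/arsnova/connector.properties` has to hold that password in the clear. Assuming the default delegating encoder is in use (no `PasswordEncoder` bean is visible here), the property could carry its own scheme id instead: keep `.password(password)` and document that the value must be stored as `{bcrypt}<hash>` (placeholder). If plaintext has to stay for compatibility, a comment such as `// {noop}: admin password is read in plaintext from connector.properties; restrict file permissions` would make the trade-off visible. It is also worth checking, outside this hunk, what `password` resolves to when the property is unset, since an empty value would become a usable `{noop}` credential. `configureGlobal` continues past the end of the hunk.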
......
......@@ -4,7 +4,6 @@ import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
public class RepoPermissionEvaluator implements PermissionEvaluator {
@Override
......@@ -27,20 +26,18 @@ public class RepoPermissionEvaluator implements PermissionEvaluator {
final String targetType,
final Object permission
) {
if (authentication.getPrincipal() instanceof String) {
if (authentication == null || targetId == null || targetType == null || !(permission instanceof String)) {
return false;
}
final UserDetails ud = (UserDetails) authentication.getPrincipal();
if (isAdmin(ud)) {
if (isAdmin(authentication)) {
return true;
}
switch (targetType) {
case "membership":
case "courses":
if ("read".equals(permission) && ud.getUsername().equals(targetId)) {
if ("read".equals(permission) && authentication.getName().equals(targetId)) {
return true;
}
break;
......@@ -49,7 +46,7 @@ public class RepoPermissionEvaluator implements PermissionEvaluator {
return false;
}
private boolean isAdmin(final UserDetails user) {
return false;
private boolean isAdmin(final Authentication authentication) {
return authentication.getAuthorities().stream().anyMatch(ga -> ga.getAuthority().equals("ADMIN"));
}
}
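Review bot: The new guard in `hasPermission` drops the old `getPrincipal() instanceof String` rejection without replacing it, so an anonymous authentication (whose principal is a plain string) now reaches the `authentication.getName().equals(targetId)` comparison instead of being refused up front. If anonymous authentication is enabled in the filter chain, which is not visible here, adding `authentication instanceof AnonymousAuthenticationToken` to the early-return condition would restore the refusal. Separately, `isAdmin` used to return `false` unconditionally and now grants every permission to the `ADMIN` authority; a comment such as `// ADMIN authority bypasses all target/permission checks` would make that explicit, and `"ADMIN".equals(ga.getAuthority())` avoids a null dereference. The `hasPermission` signature starts above the second hunk.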
......@@ -8,21 +8,21 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import de.thm.arsnova.connector.core.RepoPermissionEvaluator;
@Configuration
@EnableWebMvcSecurity
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityTestConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin")
.password("secret").authorities("ADMIN")
.and().withUser("user").password("secret").authorities("USER");
auth.inMemoryAuthentication()
.withUser("admin").password("{noop}secret").authorities("ADMIN")
.and().withUser("user").password("{noop}secret").authorities("USER");
}
@Bean
......
......@@ -58,26 +58,27 @@ public class ConnectorControllerTest {
public void testShouldReturnEmptyMembership() throws Exception {
mockMvc.perform(get("/ptsr00/membership/12345678").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
@Test
public void testShouldNotReturnEmptyMembership() throws Exception {
mockMvc.perform(get("/ptsr00/membership/21435678").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
@Test
public void testShouldReturnEmptyCourses() throws Exception {
mockMvc.perform(get("/ptsr00/courses").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
@Test
public void testShouldNotReturnEmptyCourses() throws Exception {
mockMvc.perform(get("/ptsr01/courses").accept(MediaType.APPLICATION_JSON).contentType(MediaType.APPLICATION_JSON))
.andExpect(status().isOk());
mockMvc.perform(get("/ptsr01/courses").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
}
......@@ -57,8 +57,8 @@ public class WebDomainIntegrationTest {
public void testShouldReturnCoursesWithoutCredentials() throws Exception {
try {
mockMvc.perform(get("/test/courses").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(status().isOk())
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
} catch (final NestedServletException e) {
assertTrue( e.getCause() instanceof AuthenticationCredentialsNotFoundException );
return;
......@@ -74,8 +74,8 @@ public class WebDomainIntegrationTest {
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("admin", "secret", ga);
SecurityContextHolder.getContext().setAuthentication(token);
mockMvc.perform(get("/test/membership/42").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(status().isOk())
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
@Test
......@@ -86,7 +86,7 @@ public class WebDomainIntegrationTest {
try {
mockMvc.perform(get("/test/membership/42").accept(MediaType.APPLICATION_JSON))
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
} catch (final NestedServletException e) {
assertTrue( e.getCause() instanceof AccessDeniedException );
return;
......@@ -102,8 +102,8 @@ public class WebDomainIntegrationTest {
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("admin", "secret", ga);
SecurityContextHolder.getContext().setAuthentication(token);
mockMvc.perform(get("/test/courses").accept(MediaType.APPLICATION_JSON))
.andExpect(status().isOk())
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(status().isOk())
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
}
@Test
......@@ -114,7 +114,7 @@ public class WebDomainIntegrationTest {
try {
mockMvc.perform(get("/test/courses").accept(MediaType.APPLICATION_JSON))
.andExpect(content().contentType(MediaType.APPLICATION_JSON));
.andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON));
} catch (final NestedServletException e) {
assertTrue( e.getCause() instanceof AccessDeniedException );
return;
......@@ -126,6 +126,6 @@ public class WebDomainIntegrationTest {
@Test
public void testShouldRejectRequestNotAcceptingJson() throws Exception {
mockMvc.perform(get("/test/membership/42").accept(MediaType.TEXT_PLAIN))
.andExpect(status().isNotAcceptable());
.andExpect(status().isNotAcceptable());
}
}