From 7d0aa76c144689ffe5df4f6b0f5cc0be17128372 Mon Sep 17 00:00:00 2001 From: damien Date: Mon, 6 Sep 2010 03:41:45 +0000 Subject: [PATCH] Enhanced: WfWeb/Designer - secured package deploy & update json api to prevent unauthenticated access (issue #139) git-svn-id: http://dev.joget.org/svn/joget/trunk@666 7ed575d9-8c1d-4629-9338-9e3bd68e044c --- .../java/org/joget/designer/Designer.java | 8 +++ .../java/org/joget/designer/jped/Deploy.java | 2 +- .../java/org/joget/designer/jped/Update.java | 2 +- .../src/main/webapp/designer/webstart.jsp | 4 ++ .../controller/WorkflowJsonController.java | 55 +++++++++++-------- .../controller/WorkflowWebController.java | 5 +- .../jsp/workflow/admin/packageUpload.jsp | 2 +- 7 files changed, 52 insertions(+), 26 deletions(-) diff --git a/wflow-designer/src/main/java/org/joget/designer/Designer.java b/wflow-designer/src/main/java/org/joget/designer/Designer.java index d7b5dba..d4c6693 100644 --- a/wflow-designer/src/main/java/org/joget/designer/Designer.java +++ b/wflow-designer/src/main/java/org/joget/designer/Designer.java @@ -9,6 +9,10 @@ public class Designer { public static String URLPATH = ""; + + public static String USERNAME = ""; + public static String HASH = ""; + public static boolean DEPLOY = false; public static boolean UPDATE = false; @@ -42,6 +46,10 @@ public static void main(String[] args) throws Throwable { DEPLOY = true; } else if (args[i].startsWith("update:")) { UPDATE = true; + } else if (args[i].startsWith("username:")) { + USERNAME = args[i].substring(9, args[i].length()); + } else if (args[i].startsWith("hash:")) { + HASH = args[i].substring(5, args[i].length()); } else if (args[i].startsWith("locale:")) { argument[1] = args[i].substring(7, args[i].length()); } else { diff --git a/wflow-designer/src/main/java/org/joget/designer/jped/Deploy.java b/wflow-designer/src/main/java/org/joget/designer/jped/Deploy.java index 968b372..994d694 100644 --- a/wflow-designer/src/main/java/org/joget/designer/jped/Deploy.java 
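Review bot: The new `username:` and `hash:` branches in `main` store a login credential in the public mutable statics `Designer.USERNAME` and `Designer.HASH` declared in the previous hunk, which any class in the process can read or overwrite; since only the Deploy and Update actions consume them, private fields with package-private getters would narrow the exposure. The value also arrives as a JVM program argument, so it is typically visible to other local processes for the designer's lifetime; a comment such as `// session credential supplied by webstart.jsp; never log or display it` would at least flag that for maintainers. Minor: `args[i].substring(9, args[i].length())` and `args[i].substring(5, args[i].length())` are simply `args[i].substring(9)` and `args[i].substring(5)`. The enclosing `main` method continues outside the hunk.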
+++ b/wflow-designer/src/main/java/org/joget/designer/jped/Deploy.java @@ -50,7 +50,7 @@ public void actionPerformed(ActionEvent e) { if (checkValidity(jc)) { HttpClient httpClient = new HttpClient(); - String url = Designer.URLPATH + "/web/json/workflow/package/deploy"; + String url = Designer.URLPATH + "/web/json/workflow/package/deploy?j_username=" + Designer.USERNAME + "&hash=" + Designer.HASH; PostMethod post = new PostMethod(url); diff --git a/wflow-designer/src/main/java/org/joget/designer/jped/Update.java b/wflow-designer/src/main/java/org/joget/designer/jped/Update.java index f34d78f..a0a0adb 100644 --- a/wflow-designer/src/main/java/org/joget/designer/jped/Update.java +++ b/wflow-designer/src/main/java/org/joget/designer/jped/Update.java @@ -51,7 +51,7 @@ public void actionPerformed(ActionEvent e) { HttpClient httpClient = new HttpClient(); String packageId = JaWEManager.getInstance().getJaWEController().getMainPackageId(); - String url = Designer.URLPATH + "/web/json/workflow/package/update?packageId=" + packageId; + String url = Designer.URLPATH + "/web/json/workflow/package/update?packageId=" + packageId + "&j_username=" + Designer.USERNAME + "&hash=" + Designer.HASH;; PostMethod post = new PostMethod(url); try { diff --git a/wflow-designerweb/src/main/webapp/designer/webstart.jsp b/wflow-designerweb/src/main/webapp/designer/webstart.jsp index a86e267..5283e66 100644 --- a/wflow-designerweb/src/main/webapp/designer/webstart.jsp +++ b/wflow-designerweb/src/main/webapp/designer/webstart.jsp @@ -73,5 +73,9 @@ response.addDateHeader("Last-Modified", java.util.Calendar.getInstance().getTime locale:${param.locale} + + username:${param.username} + hash:${param.hash} + diff --git a/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowJsonController.java b/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowJsonController.java index f834be4..7462323 100644 
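Review bot: In the new `String url = ...` line, `Designer.USERNAME` and `Designer.HASH` are concatenated into the query string without URL-encoding, so a username containing `&`, `=`, `#` or a space breaks the request or changes which parameters the server sees; the `Update.java` hunk below and the `&username=${username}&hash=${loginHash}` line in `packageUpload.jsp` have the same gap. At minimum wrap each value in `URLEncoder.encode(value, "UTF-8")`. Beyond encoding, carrying the login hash in the URL means it lands in server access logs, proxy logs and any Referer header; the request is already a `PostMethod`, so sending the two values as body fields (form parameters, or a `StringPart` if the body is multipart) keeps them out of the URL, provided the server-side filter that consumes `j_username`/`hash` — not shown in this diff — reads body parameters. `actionPerformed` continues outside the hunk.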
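Review bot: The rewritten `String url = ... + Designer.HASH;;` line ends in a doubled semicolon, leaving a stray empty statement; drop one. The missing URL-encoding and the credential-in-query-string concern raised on the `Deploy.java` hunk apply to this line as well, and `packageId` is concatenated unencoded too. `actionPerformed` continues outside the hunk.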
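Review bot: The added `username:${param.username}` and `hash:${param.hash}` arguments reflect request parameters into the generated JNLP with no escaping — EL `${}` does not XML-escape — so any characters significant to the descriptor pass straight through to the client launcher. Wrap them, e.g. `username:<c:out value="${param.username}"/>` and `hash:<c:out value="${param.hash}"/>`, assuming JSTL core is available on this page (the hunk does not show the taglib directives); the pre-existing `locale:${param.locale}` argument has the same gap. Since the page forwards the hash without validating it, the binding between `hash` and `username` has to be enforced where the JSON endpoints authenticate the `j_username`/`hash` pair, which is outside this diff.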
--- a/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowJsonController.java +++ b/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowJsonController.java @@ -609,17 +609,23 @@ public void packageDeploy(Writer writer, HttpServletRequest request) throws JSON MultipartFile packageXpdl = FileStore.getFile("packageXpdl"); JSONObject jsonObject = new JSONObject(); - try { - String packageId = workflowFacade.processUpload(null, packageXpdl.getBytes()); + boolean authenticated = !workflowUserManager.isCurrentUserAnonymous(); - List processList = workflowFacade.getProcessList("", Boolean.TRUE, 0, 10000, packageId, Boolean.FALSE, Boolean.FALSE); - for(WorkflowProcess process : processList){ - XpdlImageUtil.generateXpdlImage(workflowFacade.getDesignerwebBaseUrl(request), process.getId(), true); - } + if(authenticated){ + try { + String packageId = workflowFacade.processUpload(null, packageXpdl.getBytes()); + + List processList = workflowFacade.getProcessList("", Boolean.TRUE, 0, 10000, packageId, Boolean.FALSE, Boolean.FALSE); + for(WorkflowProcess process : processList){ + XpdlImageUtil.generateXpdlImage(workflowFacade.getDesignerwebBaseUrl(request), process.getId(), true); + } - jsonObject.accumulate("status", "complete"); - } catch (Exception e) { - jsonObject.accumulate("errorMsg", e.getMessage().replace(":", "")); + jsonObject.accumulate("status", "complete"); + } catch (Exception e) { + jsonObject.accumulate("errorMsg", e.getMessage().replace(":", "")); + } + }else{ + jsonObject.accumulate("errorMsg", "unauthenticated"); } writeJson(writer, jsonObject, null); } 
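Review bot: `!workflowUserManager.isCurrentUserAnonymous()` is an authentication check only, yet package deployment is an administrative operation; unless the `/web/json/...` path is already restricted to an admin role elsewhere (not visible here), any logged-in user can now deploy a package, so an authorization check on the caller's role belongs next to the `authenticated` test. Also, `FileStore.getFile("packageXpdl")` runs before the check, so an anonymous client's multipart upload is still pulled from the store before the caller is rejected; moving the `boolean authenticated = ...` line and its guard above that call keeps anonymous uploads from being touched at all, though whether `FileStore` retains the file afterwards is not visible here. The rejection is written as a normal 200 response carrying `errorMsg: "unauthenticated"`; if the method can take the `HttpServletResponse`, a 401/403 status would let clients and proxies treat it as a failure without parsing the body. The `packageUpdate` hunk below has the same three issues.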
@@ -629,23 +635,28 @@ public void packageUpdate(Writer writer, @RequestParam("packageId") String packa MultipartFile packageXpdl = FileStore.getFile("packageXpdlUpdate"); JSONObject jsonObject = new JSONObject(); - try { - if (!workflowFacade.isPackageIdExist(packageId)) { - jsonObject.accumulate("status", "error"); - } else { - workflowFacade.processUpload(packageId, packageXpdl.getBytes()); + boolean authenticated = !workflowUserManager.isCurrentUserAnonymous(); - List processList = workflowFacade.getProcessList("", Boolean.TRUE, 0, 10000, packageId, Boolean.FALSE, Boolean.FALSE); - for(WorkflowProcess process : processList){ - XpdlImageUtil.generateXpdlImage(workflowFacade.getDesignerwebBaseUrl(request), process.getId(), true); - } + if(authenticated){ + try { + if (!workflowFacade.isPackageIdExist(packageId)) { + jsonObject.accumulate("status", "error"); + } else { + workflowFacade.processUpload(packageId, packageXpdl.getBytes()); - jsonObject.accumulate("status", "complete"); + List processList = workflowFacade.getProcessList("", Boolean.TRUE, 0, 10000, packageId, Boolean.FALSE, Boolean.FALSE); + for(WorkflowProcess process : processList){ + XpdlImageUtil.generateXpdlImage(workflowFacade.getDesignerwebBaseUrl(request), process.getId(), true); + } + + jsonObject.accumulate("status", "complete"); + } + } catch (Exception e) { + jsonObject.accumulate("errorMsg", e.getMessage().replace(":", "")); } - } catch (Exception e) { - jsonObject.accumulate("errorMsg", e.getMessage().replace(":", "")); + }else{ + jsonObject.accumulate("errorMsg", "unauthenticated"); } - writeJson(writer, jsonObject, null); } diff --git a/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowWebController.java b/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowWebController.java index 6fe9496..cfcb8f0 100644 --- a/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowWebController.java 
+++ b/wflow-wfweb/src/main/java/org/joget/workflow/controller/WorkflowWebController.java @@ -736,7 +736,10 @@ public String assignmentEmbeddedViewByProcess(ModelMap map, @RequestParam("proce } @RequestMapping("/admin/package/upload") - public String packageUpload() throws IOException { + public String packageUpload(ModelMap map) throws IOException { + User user = directoryManager.getUserByUsername(workflowUserManager.getCurrentUsername()); + map.addAttribute("loginHash", user.getLoginHash()); + map.addAttribute("username", user.getUsername()); return "workflow/admin/packageUpload"; } diff --git a/wflow-wfweb/src/main/webapp/WEB-INF/jsp/workflow/admin/packageUpload.jsp b/wflow-wfweb/src/main/webapp/WEB-INF/jsp/workflow/admin/packageUpload.jsp index bb15f9b..3e0f0ed 100644 --- a/wflow-wfweb/src/main/webapp/WEB-INF/jsp/workflow/admin/packageUpload.jsp +++ b/wflow-wfweb/src/main/webapp/WEB-INF/jsp/workflow/admin/packageUpload.jsp @@ -80,7 +80,7 @@ %> var path = 'http://${pageContext.request.serverName}:${pageContext.request.serverPort}${pageContext.request.contextPath}'; - document.location = '<%= designerwebBaseUrl %>/wflow-designerweb/designer/webstart.jsp?path=' + encodeURIComponent(path) + '&deploy=deploy&locale=<%= locale %>'; + document.location = '<%= designerwebBaseUrl %>/wflow-designerweb/designer/webstart.jsp?path=' + encodeURIComponent(path) + '&deploy=deploy&locale=<%= locale %>&username=${username}&hash=${loginHash}'; }
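Review bot: `directoryManager.getUserByUsername(workflowUserManager.getCurrentUsername())` can return null if the current principal has no backing directory record, and the next line dereferences it via `user.getLoginHash()`, turning the upload page into a NullPointerException; guard it, e.g. `if (user == null) { throw new IllegalStateException("no directory user for " + workflowUserManager.getCurrentUsername()); }` or redirect to the login page. Placing `loginHash` in the model means it is rendered into the HTML of the upload page; if `getLoginHash()` is derived from the stored password, it becomes a long-lived bearer credential that anyone who can read the page source, browser history or the outgoing `webstart.jsp` URL can replay against the JSON endpoints. A short-lived, single-purpose token minted for this launch and invalidated after use would give the designer the same access without exposing a password-equivalent; the hunk does not show what `getLoginHash()` returns, so this needs confirming.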
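Review bot: `${username}` and `${loginHash}` are interpolated into a JavaScript string literal without escaping, unlike `path`, which goes through `encodeURIComponent`; a username containing `'` or `</script>` ends the literal (or the script block) early. Both values need URL-encoding and JS-string escaping — for example build them with `encodeURIComponent` from a JSTL-escaped source, or emit them as a `data-` attribute read from the DOM rather than inline in the script. Note also that `path` is hard-coded to `http://`, so the designer will later send the hash back to `/web/json/workflow/package/deploy` in clear text even when this page was served over HTTPS; `${pageContext.request.scheme}` would preserve the original scheme.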