Fixing ui#all authorization (MID-3193)

Evolveum · Jun 20, 2016 · f73d022 · f73d022
1 parent 8afe4cd
commit f73d022
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 3 deletions.
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java
@@ -243,6 +243,8 @@ public static boolean isAuthorized(Collection<String> actions) {
 			return true;
 		}
 		Roles roles = new Roles(AuthorizationConstants.AUTZ_ALL_URL);
+		roles.add(AuthorizationConstants.AUTZ_GUI_ALL_URL);
+		roles.add(AuthorizationConstants.AUTZ_GUI_ALL_DEPRECATED_URL);
 		roles.addAll(actions);
 		if (((AuthenticatedWebApplication) AuthenticatedWebApplication.get()).hasAnyRole(roles)) {
 			return true;

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java
@@ -129,7 +129,7 @@ private void loadActions(PageDescriptor descriptor) {
                 }
             }
 
-            //add http://.../..#guAll authorization only for displayable pages, not for pages used for development..
+            //add http://.../..#guiAll authorization only for displayable pages, not for pages used for development..
             if (canAccess) {
 
                 actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_DEPRECATED_URL,

diff --git a/...i/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java b/...i/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java
@@ -143,8 +143,19 @@ public void decide(Authentication authentication, Object object, Collection<Conf
         if (guiConfigAttr.isEmpty()) {
         	configAttributesToUse = configAttributes;
         }
-
-    	securityEnforcer.decide(authentication, object, configAttributesToUse);
+
+        try {
+        	securityEnforcer.decide(authentication, object, configAttributesToUse);
+
+        	if (LOGGER.isTraceEnabled()) {
+            	LOGGER.trace("DECIDE: authentication={}, object={}, configAttributesToUse={}: OK", authentication, object, configAttributesToUse);
+            }
+        } catch (AccessDeniedException | InsufficientAuthenticationException e) {
+        	if (LOGGER.isTraceEnabled()) {
+            	LOGGER.trace("DECIDE: authentication={}, object={}, configAttributesToUse={}: {}", authentication, object, configAttributesToUse, e);
+            }
+        	throw e;
+        }
     }
 
     private void addSecurityConfig(FilterInvocation filterInvocation, Collection<ConfigAttribute> guiConfigAttr,