Merge pull request #2397 from SCADA-LTS/release/2.7.3

Release/2.7.3

.github/workflows/build.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 12.x
+          node-version: 14.x
       - name: Cache node modules
         id: nodeCache
         uses: actions/cache@v3

.github/workflows/master.yml

@@ -54,7 +54,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: 12.x
+          node-version: 14.x
       - name: Cache node modules
         id: nodeCache
         uses: actions/cache@v3

WebContent/WEB-INF/jsp/dataSourceEdit/editMqtt.jsp

@@ -55,7 +55,7 @@
     locator.retained = $get("retained");
     locator.qos = $get("qos");
     locator.clientId = $get("clientId");
-    locator.xid = $get("xid");
+    locator.dataPointXid = $get("xid");
 
     DataSourceEditDwr.saveMqttPointLocator(
     currentPoint.id, $get("xid"), $get("name"), locator, savePointCB);

WebContent/WEB-INF/jsp/dataSourceEdit/editSql.jsp

@@ -22,6 +22,7 @@
   function initImpl() {
       sqlTestButton(false);
       rowBasedQueryChange();
+      changeJndiResource();
   }
   
   function sqlTest() {
@@ -31,7 +32,8 @@
       hide("sqlTestResults");
       dwr.util.removeAllRows("sqlTestResults");
       DataSourceEditDwr.sqlTestStatement($get("driverClassname"), $get("connectionUrl"), $get("username"), 
-              $get("password"), $get("selectStatement"), $get("rowBasedQuery"), sqlTestCB);
+              $get("password"), $get("selectStatement"), $get("rowBasedQuery"), $get("jndiResource"),
+              $get("jndiResourceName"), sqlTestCB);
   }
   
   function sqlTestCB() {
@@ -85,7 +87,8 @@
   function saveDataSourceImpl() {
       DataSourceEditDwr.saveSqlDataSource($get("dataSourceName"), $get("dataSourceXid"), $get("updatePeriods"),
               $get("updatePeriodType"), $get("driverClassname"), $get("connectionUrl"), $get("username"),
-              $get("password"), $get("selectStatement"), $get("rowBasedQuery"), saveDataSourceCB);
+              $get("password"), $get("selectStatement"), $get("rowBasedQuery"), $get("jndiResource"),
+              $get("jndiResourceName"), saveDataSourceCB);
   }
   
   function writePointListImpl(points) {
@@ -135,6 +138,16 @@
           show("columnBasedProperties");
       }
   }
+
+  function changeJndiResource() {
+      if ($get("jndiResource")) {
+          show("isJndiResource");
+          hide("isNotJndiResource");
+      } else {
+          hide("isJndiResource");
+          show("isNotJndiResource");
+      }
+  }
 </script>
 
 <c:set var="dsDesc"><fmt:message key="dsEdit.sql.desc"/></c:set>
@@ -149,27 +162,41 @@
             </sst:select>
           </td>
         </tr>
-
-        <tr>
-          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.driverClassName"/></td>
-          <td class="formField"><input id="driverClassname" type="text" value="${dataSource.driverClassname}"/></td>
-        </tr>
-
-        <tr>
-          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.connectionString"/></td>
-          <td class="formField"><input id="connectionUrl" type="text" value="${dataSource.connectionUrl}"
-                  class="formLong"/></td>
-        </tr>
-
+
         <tr>
-          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.username"/></td>
-          <td class="formField"><input id="username" type="text" value="${dataSource.username}"/></td>
+          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.jndiResource"/></td>
+          <td class="formField">
+            <sst:checkbox id="jndiResource" selectedValue="${dataSource.jndiResource}" onclick="changeJndiResource()"/>
+          </td>
         </tr>
-        
-        <tr>
-          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.password"/></td>
-          <td class="formField"><input id="password" type="text" value="${dataSource.password}"/></td>
+
+        <tr id="isJndiResource" style="visible:none">
+          <td class="formLabelRequired"><fmt:message key="dsEdit.sql.jndiResourceName"/></td>
+          <td class="formField"><input id="jndiResourceName" type="text" value="${dataSource.jndiResourceName}"/></td>
         </tr>
+
+        <tbody id="isNotJndiResource">
+            <tr>
+              <td class="formLabelRequired"><fmt:message key="dsEdit.sql.driverClassName"/></td>
+              <td class="formField"><input id="driverClassname" type="text" value="${dataSource.driverClassname}"/></td>
+            </tr>
+
+            <tr>
+              <td class="formLabelRequired"><fmt:message key="dsEdit.sql.connectionString"/></td>
+              <td class="formField"><input id="connectionUrl" type="text" value="${dataSource.connectionUrl}"
+                      class="formLong"/></td>
+            </tr>
+
+            <tr>
+              <td class="formLabelRequired"><fmt:message key="dsEdit.sql.username"/></td>
+              <td class="formField"><input id="username" type="text" value="${dataSource.username}"/></td>
+            </tr>
+
+            <tr>
+              <td class="formLabelRequired"><fmt:message key="dsEdit.sql.password"/></td>
+              <td class="formField"><input id="password" type="text" value="${dataSource.password}"/></td>
+            </tr>
+        </tbody>
 
         <tr>
           <td class="formLabelRequired"><fmt:message key="dsEdit.sql.select"/></td>

WebContent/WEB-INF/spring-security.xml

@@ -2,11 +2,11 @@
 <b:beans xmlns="http://www.springframework.org/schema/security"
          xmlns:b="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
-						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
+						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
     <http use-expressions="true" disable-url-rewriting="true">
         <headers>
-            <cache-control/>
+            <cache-control disabled="true"/>
             <content-type-options disabled="true"/>
             <hsts/>
             <frame-options policy="SAMEORIGIN"/>
@@ -18,10 +18,6 @@
         <!-- Login Form -->
         <intercept-url pattern="/login.htm" access="permitAll" />
 
-        <!-- REST API -->
-        <intercept-url pattern="/api/auth/**" access="permitAll" />
-        <intercept-url pattern="/api/**" access="isAuthenticated()" />
-
         <!-- DWR -->
         <intercept-url pattern="/dwr/*.js" access="permitAll" />
         <intercept-url pattern="/dwr/interface/*.js" access="permitAll" />
@@ -45,7 +41,97 @@
         <!-- Monitoring -->
         <intercept-url pattern="/monitoring" access="permitAll" />
 
-        <intercept-url pattern="/**" access="isAuthenticated()" />
+        <!-- REST API User -->
+
+        <!-- Auth -->
+        <intercept-url pattern="/api/auth/**" access="permitAll" />
+
+        <!-- WatchList POST/PUT/GET -->
+        <intercept-url pattern="/api/watch-lists" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/watch-lists" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="PUT" />
+        <intercept-url pattern="/api/watch-lists/generateXid" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/watch-lists/" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/watch-lists/{id}" access="@guard.hasWatchListReadPermission(request,#id,false)" method="GET" />
+        <intercept-url pattern="/api/watch-lists/{id}" access="@guard.hasWatchListOwnerPermission(request,#id,false)" method="DELETE" />
+
+        <!-- View POST/PUT/GET -->
+        <!--intercept-url pattern="/api/view/uploads" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/view" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/view" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="PUT" />
+        <intercept-url pattern="/api/view/generateXid" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" /-->
+        <intercept-url pattern="/api/view/getModificationTime/{id}" access="@guard.hasViewReadPermission(request,#id,false)" method="GET" />
+        <intercept-url pattern="/api/view/getAll" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <!--intercept-url pattern="/api/view" access="@guard.hasViewReadPermission(request)" method="GET" /-->
+
+        <!-- Report POST/GET/DELETE -->
+        <intercept-url pattern="/api/reports/save" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/reports/search" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/reports/sendTestEmails" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/reports/instances" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/reports/instances/{id}" access="@guard.hasReportInstanceOwnerPermission(request,#id,false)" method="DELETE" />
+        <intercept-url pattern="/api/reports/run/{id}" access="@guard.hasReportOwnerPermission(request,#id,false)" method="GET" />
+        <intercept-url pattern="/api/reports/{id}" access="@guard.hasReportOwnerPermission(request,#id,false)" method="DELETE" />
+
+        <!-- User PUT/GET -->
+        <intercept-url pattern="/api/users/" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="PUT" />
+        <intercept-url pattern="/api/users/password" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="PUT" />
+        <intercept-url pattern="/api/users/{id}" access="@guard.hasUserOwnerPermission(request,#id)" method="GET" />
+
+        <!-- DataPoint GET -->
+        <intercept-url pattern="/api/datapoint/getAll" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/datapoint" access="@guard.hasDataPointReadPermission(request)" method="GET" />
+
+        <!-- DataSource GET -->
+        <intercept-url pattern="/api/datasource" access="@guard.hasDataSourceReadPermission(request)" method="GET" />
+
+        <!-- PointHierarchy GET -->
+        <intercept-url pattern="/api/pointHierarchy/{key}" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+
+        <!-- PointValue GET -->
+        <intercept-url pattern="/api/point_value/getValue/id/{id}" access="@guard.hasDataPointReadPermission(request,#id,false)" method="GET" />
+        <intercept-url pattern="/api/point_value/getValue/{xid}" access="@guard.hasDataPointReadPermission(request,#xid,true)" method="GET" />
+
+        <!-- Event POST/GET -->
+        <intercept-url pattern="/api/events/search" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/events/highestUnsilencedLevelAlarm" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/events/datapoint/{id}" access="@guard.hasDataPointReadPermission(request,#id,false)" method="GET" />
+
+        <!-- Alarm GET -->
+        <intercept-url pattern="/api/alarms/live/{offset}/{limit}" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+
+        <!-- Chart GET -->
+        <intercept-url pattern="/api/amcharts/by-id" access="@guard.hasDataPointReadPermission(request,false,'ids')" method="GET" />
+        <intercept-url pattern="/api/amcharts/by-xid" access="@guard.hasDataPointReadPermission(request,true,'ids')" method="GET" />
+
+        <!-- Config GET -->
+        <intercept-url pattern="/api/config/replacealert" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+
+        <!-- IsAlive POST/GET -->
+        <intercept-url pattern="/api/is_alive/watchdog" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="POST" />
+        <intercept-url pattern="/api/is_alive/time" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+        <intercept-url pattern="/api/is_alive/time2" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+
+        <!-- Cmp GET -->
+        <intercept-url pattern="/api/cmp/get/{xids}" access="@guard.hasDataPointReadPermission(request,#xids,true)" method="GET" />
+        <intercept-url pattern="/api/cmp/history/{xIdViewAndIdCmp}" access="@guard.hasViewReadPermission(request,@guard.viewIdentifier(#xIdViewAndIdCmp),false)" method="GET" />
+
+        <!-- SystemSettings GET -->
+        <intercept-url pattern="/api/systemSettings/getSystemInfo" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" method="GET" />
+
+        <!-- REST API Admin -->
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="POST" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="GET" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="PUT" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="PATCH" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="OPTIONS" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="HEAD" />
+        <intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" method="TRACE" />
+
+        <!-- Only Admin -->
+        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" method="DELETE" />
+
+        <!-- Other -->
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_USER')" />
 
         <form-login authentication-success-handler-ref="loginAuthenticationSuccessHandler"
                     authentication-failure-url="/login.htm?error" login-page="/login.htm"
@@ -68,8 +154,8 @@
         <authentication-provider>
             <password-encoder ref="scadaPasswordEncoder" />
             <jdbc-user-service data-source-ref="dataSourceForSecurity"
-                               users-by-username-query="select username, password, disabled = 'N' as enabled from users where username = ?"
-                               authorities-by-username-query="select username, 'USER' from users where username = ?"/>
+                               users-by-username-query="SELECT username, password, disabled = 'N' AS enabled FROM users WHERE username = ?"
+                               authorities-by-username-query="SELECT username, IF(admin = 'Y', 'ROLE_ADMIN', 'ROLE_USER') AS role FROM users WHERE username = ?"/>
         </authentication-provider>
     </authentication-manager>
 
@@ -91,4 +177,16 @@
     </b:bean>
 
     <b:bean id="setDataSessionFilter" class="org.scada_lts.session.SetDataSessionFilter"/>
+
+    <b:bean id="hasPermissionOperations" class="org.scada_lts.web.mvc.api.security.HasPermissionOperations" />
+    <b:bean id="withIdentifierGuard" class="org.scada_lts.web.mvc.api.security.WithIdentifierGuard" >
+        <b:constructor-arg ref="hasPermissionOperations"/>
+    </b:bean>
+    <b:bean id="getIdentifierFromHttpParameterGuard" class="org.scada_lts.web.mvc.api.security.GetIdentifierFromHttpParameterGuard" >
+        <b:constructor-arg ref="hasPermissionOperations"/>
+    </b:bean>
+    <b:bean id="guard" class="org.scada_lts.web.mvc.api.security.Guard" >
+        <b:constructor-arg ref="withIdentifierGuard"/>
+        <b:constructor-arg ref="getIdentifierFromHttpParameterGuard"/>
+    </b:bean>
 </b:beans>