FC-245 - Silently rejects invocations with invalid service name
shawnmckinney committed Oct 2, 2018
1 parent 6825e52 commit c9a711b1207f3073b0c800dfc0d055bb3a72ef25
Showing 3 changed files with 52 additions and 3 deletions.
@@ -7161,4 +7161,13 @@
* @return reference to {@code FortResponse}
*/
public FortResponse rolePermissionAttributeSets( FortRequest request );


/**
* If matching jax-rs service was not found, the client will be returned a response with an error generated by this method.
*
* @param request contains a reference to {@code FortRequest}
* @return reference to {@code FortResponse}
*/
FortResponse invalid( FortRequest request );
}
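Review bot: The Javadoc for `invalid` does not say what the caller actually receives. The implementation in this commit sets `GlobalErrIds.REST_NOT_FOUND_ERR` and never reads `request`, and both facts belong in the contract, for example `@return {@code FortResponse} carrying error code {@code GlobalErrIds.REST_NOT_FOUND_ERR}; the request payload is not inspected`. The declaration also omits the `public` modifier that `rolePermissionAttributeSets` directly above carries; both forms compile in an interface, but the file should use one consistently.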
@@ -20,12 +20,16 @@
package org.apache.directory.fortress.rest;

import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;

import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.model.FortRequest;
import org.apache.directory.fortress.core.model.FortResponse;
import org.apache.directory.fortress.core.rest.HttpIds;
import org.apache.log4j.Logger;
import org.springframework.stereotype.Service;

/**
@@ -36,6 +40,7 @@
@Service("fortressService")
public class FortressServiceImpl implements FortressService
{
private static final Logger log = Logger.getLogger( FortressServiceImpl.class.getName() );
// Instantiate the implementation classes where the actual work is done:
private final ReviewMgrImpl reviewMgrImpl = new ReviewMgrImpl();
private final AdminMgrImpl adminMgrImpl = new AdminMgrImpl();
@@ -60,6 +65,9 @@ public class FortressServiceImpl implements FortressService
private static final String AUDIT_MGR_USER = "fortress-rest-audit-user";
private static final String CONFIG_MGR_USER = "fortress-rest-config-user";

@Context
private HttpServletRequest httpRequest;

/**
* ************************************************************************************************************************************
* BEGIN ADMINMGR
@@ -2083,4 +2091,33 @@ public FortResponse deassignGroup(FortRequest request)
{
return groupMgrImpl.deassignGroup( request );
}

/**
* {@inheritDoc}
*/
@POST
@Path("/{any : .*}")
@RolesAllowed(
{
SUPER_USER,
ACCESS_MGR_USER,
ADMIN_MGR_USER,
REVIEW_MGR_USER,
DELEGATED_ACCESS_MGR_USER,
DELEGATED_ADMIN_MGR_USER,
DELEGATED_REVIEW_MGR_USER,
PASSWORD_MGR_USER,
AUDIT_MGR_USER,
CONFIG_MGR_USER
} )
@Override
public FortResponse invalid(FortRequest request)
{
String szError = "Could not find a matching service. HTTP request URI:" + httpRequest.getRequestURI() + ". User: " + httpRequest.getRemoteUser();
log.warn( szError );
FortResponse response = new FortResponse();
response.setErrorCode( GlobalErrIds.REST_NOT_FOUND_ERR );
response.setErrorMessage( szError );
return response;
}
}
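Review bot: In `invalid`, the string built from `httpRequest.getRequestURI()` and `getRemoteUser()` goes unchanged into both `log.warn` and `response.setErrorMessage`, so caller-chosen text of arbitrary length lands in the log and is echoed back in the response body. The caller already knows the URI it sent, so the response could carry a fixed text, `response.setErrorMessage( "Could not find a matching service." );`, while the log line keeps the detail with the URI length-capped and any control characters replaced before it is written. Separately, the catch-all `@Path("/{any : .*}")` is bound to `@POST` only; presumably every Fortress REST operation is a POST, but if that is not the case, unmatched requests using other HTTP methods would not reach this method and would not get the new error response.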
@@ -25,6 +25,7 @@
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;
import org.apache.log4j.Logger;

import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@@ -36,20 +37,22 @@
*/
public class SecurityOutFaultInterceptor extends AbstractPhaseInterceptor<Message>
{
private static final Logger LOG = Logger.getLogger(SecurityOutFaultInterceptor.class.getName());

public SecurityOutFaultInterceptor()
{
super( Phase.PRE_STREAM );

}


public void handleMessage( Message message ) throws Fault
{
Fault fault = (Fault) message.getContent( Exception.class );
Throwable ex = fault.getCause();

if ( !(ex instanceof SecurityException) )
{
LOG.warn("SecurityOutFaultInterceptor caught invalid exception: " + ex );
throw new RuntimeException( "Security Exception is expected:" + ex );
}

@@ -65,7 +68,7 @@ public void handleMessage( Message message ) throws Fault
}
catch ( IOException iex )
{
// ignore
LOG.warn("SecurityOutFaultInterceptor caught IOException: " + iex);
}

message.getInterceptorChain().abort();
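Review bot: Both `LOG.warn` calls in `handleMessage` append the exception to the message string, which records only its `toString()` and drops the stack trace. Passing it as the second argument keeps the trace, `LOG.warn( "SecurityOutFaultInterceptor caught IOException", iex );`, and likewise for `ex` in the `instanceof` branch. The `RuntimeException` thrown right after that branch's log call is built the same way, so the original cause is not chained; `throw new RuntimeException( "Security Exception is expected", ex );` would preserve it, though that line may predate this commit since the page does not mark which lines were added. For an interceptor that sits on the security fault path, the full cause in the log is what lets an operator tell a routing miss from a real authorization failure. `handleMessage` continues between the two hunks, outside what is shown here.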
