fixed a bug with the security extension configuration which broke sec…

…urity of some urls

jeeves/src/main/java/jeeves/config/springutil/GeonetworkFilterSecurityInterceptor.java

@@ -0,0 +1,44 @@
+package jeeves.config.springutil;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+
+/**
+ * This class is used in spring configuration to allow custom applications to add security mappings
+ * to the spring configuration without having to edit the main mappings file.  The primary reason for
+ * this need is to keep the application specific concerns separated.  This allows an application to 
+ * easier merge changes from the core system.  
+ * 
+ * This class is needed because the {@link FilterSecurityInterceptor} puts an attribute on the
+ * request so only 1 {@link FilterSecurityInterceptor} will be consulted per request.  This class
+ * is essentially the same but sets a different attribute.
+ * 
+ * @author jeichar
+ *
+ */
+public class GeonetworkFilterSecurityInterceptor extends FilterSecurityInterceptor {
+    private static final String GN_FILTER_APPLIED = "__geonetwork_spring_security_filterSecurityInterceptor_filterApplied";
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        if ((fi.getRequest() != null) && (fi.getRequest().getAttribute(GN_FILTER_APPLIED) != null)) {
+            // filter already applied to this request and user wants us to observe
+            // once-per-request handling, so don't re-do security checking
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } else {
+            // first time this request being called, so perform security checking
+            if (fi.getRequest() != null) {
+                fi.getRequest().setAttribute(GN_FILTER_APPLIED, Boolean.TRUE);
+            }
+
+            InterceptorStatusToken token = super.beforeInvocation(fi);
+
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+
+            super.afterInvocation(token, null);
+        }
+    }
+}

web/src/main/webapp/WEB-INF/config-security-mapping-overrides.xml

@@ -7,7 +7,7 @@
 
      <!-- This is a filter that is called before the default filterSecurityInterceptor allowing overriding or adding new
      	  url intercept mappings/expressions. -->
-    <bean class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" id="overridefilterSecurityInterceptor">
+    <bean class="jeeves.config.springutil.GeonetworkFilterSecurityInterceptor" id="overridefilterSecurityInterceptor">
         <property name="authenticationManager" ref="authenticationManager"></property>
         <property name="accessDecisionManager" ref="accessDecisionManager"></property>
         <property name="securityMetadataSource">

web/src/main/webapp/WEB-INF/config-security.xml

@@ -9,7 +9,7 @@ xsi:schemaLocation="http://www.springframework.org/schema/beans
           xmlns:ctx="http://www.springframework.org/schema/context"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
           xmlns="http://www.springframework.org/schema/beans">
-     <!-- <sec:debug/> -->
+    <sec:debug/>
     <import resource="config-security-core.xml"/>
     <import resource="config-security-mapping.xml"/>
     <import resource="config-security-mapping-overrides.xml"/>

web/src/main/webapp/WEB-INF/log4j.cfg

@@ -28,6 +28,7 @@ log4j.logger.geonetwork.data.directory  = WARN
 
 log4j.logger.org.springframework = WARN, console, jeeves
 log4j.logger.org.springframework.* = WARN
+log4j.logger.org.springframework.security = INFO, console, jeeves
 log4j.logger.org.springframework.security.ldap = WARN
 
 ### JEEVES SETTINGS ############################################################