diff --git a/build.xml b/build.xml
index 6992c23..12fb010 100644
--- a/build.xml
+++ b/build.xml
@@ -5,7 +5,7 @@
-
+
diff --git a/src/java/cricket.properties b/src/java/cricket.properties
index a77e242..49949a1 100644
--- a/src/java/cricket.properties
+++ b/src/java/cricket.properties
@@ -1,2 +1,2 @@
-#Fri, 16 Feb 2018 00:20:13 +0100
-version=1.2.36
+#Tue, 06 Mar 2018 02:18:12 +0100
+version=1.2.37
diff --git a/src/java/org/cricketmsf/microsite/auth/SecurityFilter.java b/src/java/org/cricketmsf/microsite/auth/SecurityFilter.java
index 3cece15..cb7292e 100644
--- a/src/java/org/cricketmsf/microsite/auth/SecurityFilter.java
+++ b/src/java/org/cricketmsf/microsite/auth/SecurityFilter.java
@@ -33,27 +33,27 @@
* @author Grzegorz Skorupa
*/
public class SecurityFilter extends Filter {
-
+
private static final String PERMANENT_TOKEN_PREFIX = "==";
-
+
private String[] restrictedPost = null;
private String[] restrictedPut = null;
private String[] restrictedGet = null;
private String[] restrictedDelete = null;
-
+
private boolean authRequired = false;
-
+
@Override
public String description() {
return "Default security filter";
}
-
+
private void initialize() {
ArrayList aPost = new ArrayList<>();
ArrayList aPut = new ArrayList<>();
ArrayList aGet = new ArrayList<>();
ArrayList aDelete = new ArrayList<>();
-
+
String restr = (String) Kernel.getInstance().getProperties().getOrDefault("restricted-resources", "");
if (!restr.isEmpty()) {
String r[] = restr.split(" ");
@@ -115,7 +115,7 @@ private void initialize() {
}
}
}
-
+
private boolean isRestrictedPath(String method, String path) {
if (restrictedPost == null) {
initialize();
@@ -174,27 +174,27 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
String path = exchange.getRequestURI().getPath();
//System.out.println("CHECK REQUEST FOR PATH:" + path);
- Kernel.getInstance().dispatchEvent(Event.logInfo(getClass().getSimpleName(), "PATH="+path));
+ Kernel.getInstance().dispatchEvent(Event.logInfo(getClass().getSimpleName(), "PATH=" + path));
boolean authorizationNotRequired = true;
try {
authorizationNotRequired = !isRestrictedPath(exchange.getRequestMethod(), path);
} catch (Exception e) {
e.printStackTrace();
}
-
+
Map parameters = (Map) exchange.getAttribute("parameters");
-
+
SecurityFilterResult result = new SecurityFilterResult();
if (authorizationNotRequired) {
//System.out.println("AUTHORIZATION NOT REQUIRED");
String inParamsToken = null;
-
+
try {
if (parameters != null) {
inParamsToken = (String) parameters.get("tid");
}
- //System.out.println(">>> INPARAMSTOKEN="+inParamsToken);
-
+ //System.out.println(">>> INPARAMSTOKEN="+inParamsToken);
+
} catch (NullPointerException e) {
}
if (inParamsToken != null) {
@@ -231,11 +231,15 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
} else {
try {
user = getUser(tokenID, tokenID.startsWith(PERMANENT_TOKEN_PREFIX));
- if("public".equalsIgnoreCase(user.getUid())){
+ if ("public".equalsIgnoreCase(user.getUid())) {
issuer = getIssuer(tokenID);
}
} catch (AuthException e) {
- result.code = e.getCode();
+ result.code = 403;
+ result.message = e.getMessage();
+ return result;
+ } catch (Exception e) {
+ result.code = 403;
result.message = e.getMessage();
return result;
}
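Review bot: The new generic `catch (Exception e)` copies `e.getMessage()` into the 403 body returned to the caller, which exposes internal failure details (adapter errors, null-pointer messages) and can itself be null for runtime exceptions, leaving `result.message` unset; the `AuthException` branch above also replaces `e.getCode()` with a fixed 403, so whatever distinction the exception's own code carried (e.g. missing/expired token vs. forbidden) is lost — if that is intentional it deserves a comment. For the generic branch I would log the exception server-side and return a fixed text: `result.code = 403; result.message = "authentication error"; return result;`. checkRequest starts and ends outside this hunk.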
@@ -252,7 +256,7 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
}
return result;
}
-
+
private User getUser(String token, boolean permanentToken) throws AuthException {
//ask dedicated adapter
AuthAdapterIface authAdapter = (AuthAdapterIface) Kernel.getInstance().getAdaptersMap().getOrDefault("authAdapter", null);
@@ -262,7 +266,7 @@ private User getUser(String token, boolean permanentToken) throws AuthException
return null;
}
}
-
+
private User getIssuer(String token) throws AuthException {
//ask dedicated adapter
AuthAdapterIface authAdapter = (AuthAdapterIface) Kernel.getInstance().getAdaptersMap().getOrDefault("authAdapter", null);
@@ -272,12 +276,23 @@ private User getIssuer(String token) throws AuthException {
return null;
}
}
-
+
@Override
public void doFilter(HttpExchange exchange, Chain chain)
throws IOException {
- SecurityFilterResult result = checkRequest(exchange);
+ SecurityFilterResult result = null;
+ try {
+ result = checkRequest(exchange);
+ } catch (Exception e) {
+ exchange.sendResponseHeaders(400, e.getMessage().length());
+ exchange.getResponseBody().write(e.getMessage().getBytes());
+ exchange.getResponseBody().close();
+ exchange.close();
+ }
if (result.code != 200) {
+ if (result.message == null) {
+ result.message = "authentication error";
+ }
exchange.sendResponseHeaders(result.code, result.message.length());
exchange.getResponseBody().write(result.message.getBytes());
exchange.getResponseBody().close();
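Review bot: The new catch block in doFilter sends a response and closes the exchange but does not return, so execution continues to `if (result.code != 200)` with `result` still null and throws a NullPointerException after the response has already been committed; a `return;` after `exchange.close()` is required. The same block writes `e.getMessage()` to the client (internal detail disclosure, and `getMessage()` can be null for runtime exceptions, which would NPE at `.length()`), and sizes the Content-Length by `length()` in chars while writing platform-charset bytes, so a non-ASCII message makes the two disagree — the existing `result.message` path on the following lines has the same byte/char mismatch. 400 is also debatable for a failure inside the filter itself, where 500 is the conventional code and 400 suggests the client sent something malformed. A rewrite of the block (needs `import java.nio.charset.StandardCharsets;`):
```java
        SecurityFilterResult result = null;
        try {
            result = checkRequest(exchange);
        } catch (Exception e) {
            // keep the real cause server-side; the client only sees a fixed text
            Kernel.getInstance().dispatchEvent(Event.logInfo(getClass().getSimpleName(), "checkRequest failed: " + e.getMessage()));
            byte[] body = "authentication error".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(500, body.length);
            exchange.getResponseBody().write(body);
            exchange.getResponseBody().close();
            exchange.close();
            return; // result is null here; must not reach result.code below
        }
        // … unchanged: result.code != 200 handling and chain.doFilter …
```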
@@ -297,5 +312,5 @@ public void doFilter(HttpExchange exchange, Chain chain)
}
}
}
-
+
}
diff --git a/src/java/org/cricketmsf/microsite/user/User.java b/src/java/org/cricketmsf/microsite/user/User.java
index 51512cb..5e7bd1d 100644
--- a/src/java/org/cricketmsf/microsite/user/User.java
+++ b/src/java/org/cricketmsf/microsite/user/User.java
@@ -1,7 +1,17 @@
/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+ * Copyright 2017 Grzegorz Skorupa .
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
package org.cricketmsf.microsite.user;
diff --git a/src/java/org/cricketmsf/microsite/user/UserBusinessLogic.java b/src/java/org/cricketmsf/microsite/user/UserBusinessLogic.java
index 0d7d40d..d784a90 100644
--- a/src/java/org/cricketmsf/microsite/user/UserBusinessLogic.java
+++ b/src/java/org/cricketmsf/microsite/user/UserBusinessLogic.java
@@ -40,11 +40,7 @@ public static UserBusinessLogic getInstance() {
return self;
}
- public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
- RequestObject request = event.getRequest();
- //handle(Event.logFinest(this.getClass().getSimpleName(), request.pathExt));
- String uid = request.pathExt;
- String requesterID = request.headers.getFirst("X-user-id");
+ private boolean isAdmin(RequestObject request) {
List requesterRoles = request.headers.get("X-user-role");
//String requesterRole = request.headers.getFirst("X-user-role");
boolean admin = false;
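Review bot: `isAdmin` decides authorization solely from the `X-user-role` request header, so its correctness depends on that header being set by the security filter after token validation and never passed through unchanged from the client; that trust assumption is not written down anywhere in the hunk, and the method is now reused by three handlers in this commit. I would add a Javadoc on `isAdmin` stating that `X-user-role` is expected to be populated by the filter/gateway and that a client-supplied value must already have been replaced upstream — to be confirmed against SecurityFilter. The raw `List requesterRoles` should be `List<String>` if `request.headers` is a `Map`-of-lists style structure (confirm). The method body continues into the next hunk (`@@ -54,6 +50,14 @@`).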
@@ -54,6 +50,14 @@ public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
break;
}
}
+ return admin;
+ }
+
+ public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
+ RequestObject request = event.getRequest();
+ String uid = request.pathExt;
+ String requesterID = request.headers.getFirst("X-user-id");
+ boolean admin = isAdmin(request);
StandardResult result = new StandardResult();
try {
@@ -77,8 +81,8 @@ public Object handleRegisterRequest(Event event, UserAdapterIface userAdapter, b
//TODO: check requester rights
//only admin can set: role or type differ than default (plus APPLICATION type)
RequestObject request = event.getRequest();
- //handle(Event.logFinest(this.getClass().getSimpleName(), request.pathExt));
//System.out.println("X-cms-user="+request.headers.getFirst("X-user-id"));
+ boolean admin = isAdmin(request);
StandardResult result = new StandardResult();
String uid = request.pathExt;
if (uid != null && !uid.isEmpty()) {
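Review bot: `boolean admin = isAdmin(request);` is computed in handleRegisterRequest, but no use of it is visible in this hunk and the `//TODO: check requester rights` comment directly above is left in place; unless `admin` gates the role/type assignment further down (outside the hunk), the TODO is still open and the local is dead. If it is used later, replacing the TODO with a short comment such as `// non-admin registrations are forced to the default role/type (checked below)` would make the intent clear. handleRegisterRequest continues outside the hunk.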
@@ -157,7 +161,7 @@ public Object handleDeleteRequest(Event event, UserAdapterIface userAdapter, boo
RequestObject request = event.getRequest();
String uid = request.pathExt;
StandardResult result = new StandardResult();
- if (uid == null) {
+ if (uid == null || !isAdmin(request)) {
result.setCode(HttpAdapter.SC_BAD_REQUEST);
return result;
}
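Review bot: Merging `!isAdmin(request)` into the `uid == null` check answers a non-admin delete with `SC_BAD_REQUEST`, which reports an authorization failure as a malformed request; a separate branch returning 403 Forbidden (HttpAdapter's forbidden constant if one exists) keeps the two cases distinguishable for clients and for logs: `if (!isAdmin(request)) { result.setCode(403); return result; }`. A denied delete of a specific uid is also worth an audit log entry with the requester id, whereas a missing uid is not. handleDeleteRequest continues outside the hunk.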
@@ -197,9 +201,15 @@ public Object handleUpdateRequest(Event event, UserAdapterIface userAdapter) {
if (email != null) {
user.setEmail(email);
}
- if (role != null) {
+ if (role != null && isAdmin(request)) {
user.setRole(role);
}
+ if (type != null && isAdmin(request)) {
+ try {
+ user.setType(Integer.parseInt(type));
+ } catch (NumberFormatException e) {
+ }
+ }
if (password != null) {
user.setPassword(HashMaker.md5Java(event.getRequestParameter("password")));
}
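Review bot: The new `catch (NumberFormatException e) {}` silently drops a non-numeric `type`, so an admin sending a bad value gets a success response with the type unchanged; either reject it (`result.setCode(HttpAdapter.SC_BAD_REQUEST); return result;`) or at least comment `// ignored: non-numeric type keeps the current value`. A non-admin supplying `role` or `type` is likewise ignored without any signal, and `isAdmin(request)` is evaluated twice — compute it once before both checks. Separately, and pre-existing in the context lines, `HashMaker.md5Java` stores passwords as a bare MD5 digest; a slow, salted password hash is the established replacement. handleUpdateRequest starts outside the hunk.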
diff --git a/src/java/org/cricketmsf/microsite/user/UserEvent.java b/src/java/org/cricketmsf/microsite/user/UserEvent.java
index f67c6ae..3909d1b 100644
--- a/src/java/org/cricketmsf/microsite/user/UserEvent.java
+++ b/src/java/org/cricketmsf/microsite/user/UserEvent.java
@@ -1,7 +1,17 @@
/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+ * Copyright 2017 Grzegorz Skorupa .
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
package org.cricketmsf.microsite.user;
diff --git a/www/admin/js/app.js b/www/admin/js/app.js
index 24781ff..d2a7ab6 100644
--- a/www/admin/js/app.js
+++ b/www/admin/js/app.js
@@ -22,28 +22,19 @@ var app = {
"name": "",
"token": "",
"status": "logged-out",
- "alerts": [],
- "dashboardID": '',
- "dashboards": []
+ "alerts": []
},
"offline": false,
- "authAPI": "http://signode.unicloud.pl/api/auth",
- "csAPI": "http://signode.unicloud.pl/api/cs",
- "cmAPI": "http://signode.unicloud.pl/api/cm",
- "userAPI": "http://signode.unicloud.pl/api/user",
+ "authAPI": "http://localhost:8080/api/auth",
+ "csAPI": "http://localhost:8080/api/cs",
+ "cmAPI": "http://localhost:8080/api/cm",
+ "userAPI": "http://localhost:8080/api/user",
"currentPage": "main",
"language": "en",
"languages": ["en", "pl", "fr"],
"debug": false,
"localUid": 0,
- "dconf": {"widgets":[]}, // configurations of user's widgets on the dashboard page
- // {},{},{},{},{},{},{},{},{},{},{},{}
- //],
- "widgets": [ // widgets on the dashboard page - hardcoded structure
- [{}, {}, {}, {}],
- [{}, {}, {}, {}],
- [{}, {}, {}, {}]
- ],
+ "requests": 0,
"log": function(message){if(app.debug){console.log(message)}}
}
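Review bot: The four API base URLs are now hard-coded to `http://localhost:8080`, so the shipped admin console only works against a local, plain-http backend and every deployment has to edit app.js; deriving them from the page origin (e.g. `"authAPI": window.location.origin + "/api/auth"`) or a build-time placeholder would avoid that and inherit the page's scheme. If localhost is the intended development default, a comment saying so next to `authAPI` would help. The new `requests` counter is decremented by data-api.js in this same commit; a short comment like the one on `dconf` had, e.g. `// number of XHR requests in flight`, would document its purpose.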
diff --git a/www/js/data-api.js b/www/js/data-api.js
index 06dd8ea..f358aec 100644
--- a/www/js/data-api.js
+++ b/www/js/data-api.js
@@ -10,6 +10,15 @@ function getData(url, query, token, callback, eventListener, errorEventName) {
app.log("onerror " + this.status + " " + oEvent.toString())
eventListener.trigger("auth"+this.status);
}
+ oReq.onloadend = function(oEvent){
+ app.requests--;
+ }
+ oReq.onabort = function(oEvent){
+ app.requests--;
+ }
+ oReq.timeout = function(oEvent){
+ app.requests--;
+ }
oReq.onreadystatechange = function () {
if (this.readyState == 4) {
if (this.status == 200) {
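Review bot: `oReq.timeout = function(oEvent){...}` assigns a function to XMLHttpRequest's numeric `timeout` property (a millisecond value) rather than to the `ontimeout` event handler, so it never runs as a handler and clobbers the timeout setting; the handler property is `ontimeout`. Because `loadend` fires after load, error, abort and timeout alike, the `onloadend` handler already decrements `app.requests` once in every outcome, and the separate `onabort` handler decrements it a second time on abort, so the counter drifts negative. I would keep only `oReq.onloadend = function(oEvent){ app.requests--; }` and drop the other two. The matching `app.requests++` is presumably at the top of getData, outside this hunk.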