
#3846 removed security check on internal access to file catalog

1 parent abf27da commit e8e1b5ab30a9267a654cc74a19ab4e43b4795acb @ddossot ddossot committed Oct 16, 2013
@@ -48,7 +48,7 @@ protected CatalogManager getCatalogManager()
protected File getJobConfigurationFile(final String applicationName, final String jobConfigurationFileName)
{
- return getCatalogManager().getCatalogFile(CatalogSection.JOB_CONFIGURATIONS, applicationName,
+ return getCatalogManager().internalGetCatalogFile(CatalogSection.JOB_CONFIGURATIONS, applicationName,
jobConfigurationFileName);
}
}
@@ -106,6 +106,7 @@
private final List<SourcePollingChannelAdapter> channelAdapters = new ArrayList<SourcePollingChannelAdapter>();
+ @Override
public void setBeanFactory(final BeanFactory beanFactory) throws BeansException
{
this.beanFactory = beanFactory;
@@ -300,7 +301,7 @@ private Serializable getResponseBody(final DepositEmailConfiguration depositEmai
return getMessages().getMessage("email.result.body", null, null);
}
- return getCatalogManager().getCatalogFile(CatalogSection.EMAIL_REPLIES,
+ return getCatalogManager().internalGetCatalogFile(CatalogSection.EMAIL_REPLIES,
depositEmailConfiguration.getApplicationName(), depositEmailConfiguration.getResponseFileName());
}
@@ -135,8 +135,8 @@ public void process(final MultiFilesJob job) throws Exception
if (sweaveFileFromCatalog != null)
{
- final File sweaveFile = getCatalogManager().getCatalogFile(CatalogSection.SWEAVE_FILES,
- job.getApplicationName(), sweaveFileFromCatalog);
+ final File sweaveFile = getCatalogManager().internalGetCatalogFile(
+ CatalogSection.SWEAVE_FILES, job.getApplicationName(), sweaveFileFromCatalog);
if (!sweaveFile.isFile())
{
@@ -207,7 +207,7 @@ private File getRScriptFile(final MultiFilesJob job)
private File getRScriptFileFromCatalog(final String rScriptFromCatalog, final MultiFilesJob job)
{
- final File rScriptFile = getCatalogManager().getCatalogFile(CatalogSection.R_SCRIPTS,
+ final File rScriptFile = getCatalogManager().internalGetCatalogFile(CatalogSection.R_SCRIPTS,
job.getApplicationName(), rScriptFromCatalog);
if ((rScriptFile == null) || (!rScriptFile.isFile()))
@@ -92,6 +92,7 @@ public Response handleJsonFunctionCallJob(final String jsonArgument,
{
return handleNewRestJob(httpHeaders, uriInfo, new JobBuilder()
{
+ @Override
public AbstractJob build(final String applicationName,
final UUID jobId,
final GregorianCalendar submissionTime)
@@ -121,6 +122,7 @@ public Response handleXmlFunctionCallJob(final String xmlArgument,
return handleNewRestJob(httpHeaders, uriInfo, new JobBuilder()
{
+ @Override
public AbstractJob build(final String applicationName,
final UUID jobId,
final GregorianCalendar submissionTime)
@@ -149,6 +151,7 @@ public Response handleZipJob(final InputStream in,
return handleNewRestJob(httpHeaders, uriInfo, new JobBuilder()
{
+ @Override
public AbstractJob build(final String applicationName,
final UUID jobId,
final GregorianCalendar submissionTime) throws IOException
@@ -181,7 +184,6 @@ public Response handleMultipartFormJob(final List<Attachment> parts,
@Context final UriInfo uriInfo)
throws URISyntaxException, IOException
{
-
String applicationName = null;
final Map<String, Serializable> jobMeta = new HashMap<String, Serializable>();
@@ -208,6 +210,7 @@ else if (StringUtils.startsWith(partName, Constants.RSB_META_HEADER_HTTP_PREFIX)
return handleNewJob(finalApplicationName, httpHeaders, uriInfo, new JobBuilder()
{
+ @Override
public AbstractJob build(final String applicationName,
final UUID jobId,
final GregorianCalendar submissionTime) throws IOException
@@ -158,16 +158,17 @@ private static PersistedConfigurationAdapter loadConfigurationStream(final URL c
if (depositEmailAccount.getResponseFileName() != null)
{
- final File responseFile = fileCatalogManager.getCatalogFile(CatalogSection.EMAIL_REPLIES,
- applicationName, depositEmailAccount.getResponseFileName());
+ final File responseFile = fileCatalogManager.internalGetCatalogFile(
+ CatalogSection.EMAIL_REPLIES, applicationName,
+ depositEmailAccount.getResponseFileName());
validateIsTrue(responseFile.exists(), "missing response file: " + responseFile,
validationErrors);
}
if (depositEmailAccount.getJobConfigurationFileName() != null)
{
- final File jobConfigurationFile = fileCatalogManager.getCatalogFile(
+ final File jobConfigurationFile = fileCatalogManager.internalGetCatalogFile(
CatalogSection.JOB_CONFIGURATIONS, applicationName,
depositEmailAccount.getJobConfigurationFileName());
@@ -43,6 +43,12 @@
File getCatalogFile(CatalogSection catalogSection, String applicationName, String fileName);
+ /**
+ * This must only be called when it's impossible to have a security context (ie after going
+ * through JMS)
+ */
+ File internalGetCatalogFile(CatalogSection catalogSection, String applicationName, String fileName);
+
enum PutCatalogFileResult
{
CREATED, UPDATED
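Review bot: The restriction on `internalGetCatalogFile` exists only as Javadoc, while the method sits on the same interface as the `@PreAuthorize`-guarded `getCatalogFile`, so any component holding a `CatalogManager` can skip the permission check simply by calling the other method. The Javadoc should state the consequence directly, for example `Performs no permission check: the caller must already be trusted for applicationName and must not pass a file name taken from a request.` Moving the method to a separate internal interface that request-facing code does not receive would make the restriction structural rather than conventional; whether that fits the bean wiring is not visible from this hunk. The enum that follows continues outside the hunk.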
@@ -104,6 +104,7 @@ public void createCatalogTree() throws IOException
return applicationNames;
}
+ @Override
@PreAuthorize("hasPermission(#applicationName, 'CATALOG_USER')")
public Map<Pair<CatalogSection, File>, List<File>> getCatalog(final String applicationName)
{
@@ -120,15 +121,25 @@ public void createCatalogTree() throws IOException
return catalog;
}
+ @Override
@PreAuthorize("hasPermission(#applicationName, 'CATALOG_USER')")
public File getCatalogFile(final CatalogSection catalogSection,
final String applicationName,
final String fileName)
{
+ return internalGetCatalogFile(catalogSection, applicationName, fileName);
+ }
+
+ @Override
+ public File internalGetCatalogFile(final CatalogSection catalogSection,
+ final String applicationName,
+ final String fileName)
+ {
final File catalogSectionDirectory = getCatalogSectionDirectory(catalogSection, applicationName);
return new File(catalogSectionDirectory, fileName);
}
+ @Override
@PreAuthorize("hasPermission(#applicationName, 'CATALOG_ADMIN')")
public Pair<PutCatalogFileResult, File> putCatalogFile(final CatalogSection catalogSection,
final String applicationName,
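Review bot: `internalGetCatalogFile` builds `new File(catalogSectionDirectory, fileName)` with no check that the result stays inside the section directory, and after this commit it is reached without `@PreAuthorize`. The call sites in `process` and `getRScriptFileFromCatalog` pass `sweaveFileFromCatalog` and `rScriptFromCatalog`, which look like they originate from the submitted job, so a name containing `..` or a separator would resolve outside the catalog. A name check before the `File` is built closes that; the version below assumes catalog entries are plain file names directly under the section directory, and callers would see an `IllegalArgumentException` for rejected names. `putCatalogFile` continues outside the hunk.

```java
// … unchanged: @Override and internalGetCatalogFile signature …
{
    // accept only a bare file name: not empty, no separators, no "." or ".."
    if (fileName == null || fileName.isEmpty()
        || ".".equals(fileName) || "..".equals(fileName)
        || !new File(fileName).getName().equals(fileName))
    {
        throw new IllegalArgumentException("Invalid catalog file name: " + fileName);
    }
    // … unchanged: resolve catalogSectionDirectory and return the File …
}
```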
