base fork: zibhub/GNDMS
...
head fork: zibhub/GNDMS
  • 2 commits
  • 3 files changed
  • 0 commit comments
  • 1 contributor
Commits on Mar 19, 2012
@ggrinder ggrinder Fixed typo
ddf47cd
Commits on Mar 20, 2012
@ggrinder ggrinder Big improvement of the security filter chain
- now the x509 filter accepts hosts, users, and admins
- if a host was accepted the RequestHeaderAF is used to determine the
  role of the user, otherwise it is skipped.

=> The service accepts trusted host certs on behalf of a valid
user DN, or directly the certs of the users (or admins)
86de2ad
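--- a/gndms/src/de/zib/gndms/gndms/security/GridMapUserDetailsService.java
+++ b/gndms/src/de/zib/gndms/gndms/security/GridMapUserDetailsService.java
@@ -26,8 +26,6 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
- import java.util.Map;
- import java.util.concurrent.ConcurrentHashMap;
 /**
 * @author Maik Jorra
@@ -45,18 +43,11 @@
 */
 public class GridMapUserDetailsService implements UserDetailsService {
+ private String allowedHostsFileName;
 private String gridMapfileName;
 private String adminGridMapfileName;
- private final Map<String,String> admins;
- private final Map<String, String> users;
-
-
 public GridMapUserDetailsService() {
- admins = new ConcurrentHashMap<String,String>( 1 );
- admins.put( "foo", "" );
- users = new ConcurrentHashMap<String,String>( 1 );
- users.put( "bar", "" );
 }
@@ -65,18 +56,19 @@ public UserDetails loadUserByUsername( final String dn ) throws UsernameNotFound
 List<GrantedAuthority> authorityList = new ArrayList<GrantedAuthority>( 1 );
 // search admin
+ boolean isUser = true;
 try {
- if( searchInGridMapfile( adminGridMapfileName, dn ) ) {
- //if( admins.containsKey( dn ) )
+ if( searchInGridMapfile( allowedHostsFileName, dn ) )
+ isUser = false;
+ else if( searchInGridMapfile( adminGridMapfileName, dn ) ) {
 authorityList.add( adminRole() );
 } else if( searchInGridMapfile( gridMapfileName, dn ) )
- //else if ( users.containsKey( dn ) )
 authorityList.add( userRole() );
 } catch ( Exception e ) {
 throw new RuntimeException( e );
 }
- if ( authorityList.size() == 0 )
+ if ( isUser && authorityList.size() == 0 )
 throw new UsernameNotFoundException( "DN not permitted: " + dn );
 GNDMSUserDetails userDetails = new GNDMSUserDetails( );
@@ -140,4 +132,16 @@ public void setAdminGridMapfileName( final String adminGridMapfileName ) {
 this.adminGridMapfileName = adminGridMapfileName;
 }
+
+
+ public String getAllowedHostsFileName() {
+
+ return allowedHostsFileName;
+ }
+
+
+ public void setAllowedHostsFileName( final String allowedHostsFileName ) {
+
+ this.allowedHostsFileName = allowedHostsFileName;
+ }
 }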
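Review bot: A DN found in the allowed-hosts file leaves `loadUserByUsername` with an empty authority list, so the returned GNDMSUserDetails carries no role at all and the "DN not permitted" check is skipped for it, yet nothing in the method records that the principal was a host — a caller can only infer it from the missing roles. That contract should be stated, e.g. a Javadoc line `@return details with no authorities when {@code dn} is a trusted host certificate; the admin or user role otherwise` and a comment `// host certs get no role of their own; the DN request header decides the effective user` next to `isUser = false;`. Note also that the lookup order means a DN present in both the hosts file and the admin mapfile is treated as a host only, which may be intended but deserves a comment since it silently drops admin rights. The `catch ( Exception e )` still turns an unreadable mapfile into a RuntimeException indistinguishable from a not-found case, which makes a misconfigured hosts file fail in a way the security chain cannot report cleanly. The method body starts and ends outside this hunk.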
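--- a/gndms/web/WEB-INF/gndms-security.xml
+++ b/gndms/web/WEB-INF/gndms-security.xml
@@ -50,6 +50,9 @@
 class="org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter">
 <property name="principalExtractor" ref="fullDNExtractor" />
 <property name="authenticationManager" ref="authenticationManager" />
+ <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
+ <!-- this flag ensures that the filter chain is only processed further when the x509 proxys
+ dn is accepted -->
 </bean>
 <bean id="fullDNExtractor"
@@ -62,9 +65,13 @@
 "org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
 <property name="principalRequestHeader" value="DN"/>
 <property name="authenticationManager" ref="authenticationManager" />
+ <property name="checkForPrincipalChanges" value="true"/>
+ <!-- if the x509 cert from the previous filter has a different dn then the header dn the above flag
+ enforces recalculation of the granted authorities -->
 </bean>
- <!-- preauthAuthProvider forwards the dn from the request header to the user service -->
+
+ <!-- preauthAuthProvider forwarded from the request header to the user service -->
 <bean id="preauthAuthProvider"
 class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
 <property name="preAuthenticatedUserDetailsService">
@@ -80,10 +87,10 @@
 class="de.zib.gndms.gndms.security.GridMapUserDetailsService">
 <property name="gridMapfileName" value="/etc/grid-security/grid-mapfile" />
 <property name="adminGridMapfileName" value="/tmp/gndms-admins" />
+ <property name="allowedHostsFileName" value="/tmp/gndms-allowed-hosts" />
 </bean>
-
- <!-- this authentication manager uses a provider ot make authentication desisions -->
+ <!-- this authentication manager uses a provider ot make authentication decisions -->
 <security:authentication-manager alias="authenticationManager">
 <security:authentication-provider ref="preauthAuthProvider" />
 </security:authentication-manager>
@@ -124,18 +131,6 @@
 class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
-
- <!--bean id="roleFilter"
- class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
- <property name="authenticationManager" ref="authenticationManager"/>
- <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
- <property name="securityMetadataSource">
- <security:filter-invocation-definition-source>
- <security:intercept-url pattern="/**" />
- </security:filter-invocation-definition-source>
- </property>
- </bean-->
-
 <!-- Provide role-hierarchy for role-based decisions -->
 <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
 <constructor-arg>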
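Review bot: The `DN` request header is honoured for every principal that passed the X509 filter, not only for trusted hosts: both filters feed the same `authenticationManager`, and `GridMapUserDetailsService` cannot tell which filter it is serving, so a caller holding an ordinary user certificate listed in the grid-mapfile can send `DN: <admin dn>` and, because `checkForPrincipalChanges` is now true, be re-resolved as that admin — unless something outside this diff restricts the RequestHeaderAuthenticationFilter to host principals. Consider gating that filter on the host lookup (or having the user service reject a header principal when the certificate DN is not in the allowed-hosts file) and replacing the comment on `checkForPrincipalChanges` with one that states the trust assumption, e.g. `<!-- the DN header is only trustworthy when the TLS client cert is a listed host; see allowedHostsFileName -->`. Separately, `/tmp/gndms-allowed-hosts` (like the pre-existing `/tmp/gndms-admins`) lives in a world-writable directory, so any local user can create or replace the file and make their own DN a trusted host or admin; these lists belong next to the grid-mapfile, e.g. `value="/etc/grid-security/gndms-allowed-hosts"`, owned by the service account with restrictive permissions.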
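--- a/logic/src/de/zib/gndms/logic/model/TaskAction.java
+++ b/logic/src/de/zib/gndms/logic/model/TaskAction.java
@@ -79,7 +79,7 @@
 private EntityManagerFactory emf;
 /**
- * Unserialized version of the order
+ * Deserialized version of the order
 */
 private O order;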
