/**
 * Copyright (C) 2017 EDIT
 * European Distributed Institute of Taxonomy
 * http://www.e-taxonomy.eu
 *
 * The contents of this file are subject to the Mozilla Public License Version 1.1
 * See LICENSE.TXT at the top of this package for the full license terms.
 */
9 package eu
.etaxonomy
.cdm
.api
.application
;
11 import java
.util
.ArrayList
;
12 import java
.util
.Collection
;
14 import org
.apache
.log4j
.Logger
;
15 import org
.springframework
.security
.access
.intercept
.RunAsUserToken
;
16 import org
.springframework
.security
.authentication
.AnonymousAuthenticationToken
;
17 import org
.springframework
.security
.authentication
.AuthenticationProvider
;
18 import org
.springframework
.security
.core
.Authentication
;
19 import org
.springframework
.security
.core
.GrantedAuthority
;
20 import org
.springframework
.security
.core
.context
.SecurityContext
;
21 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
/**
 * Helper class to work around the apparently broken @RunAs("ROLE_ADMIN")
 * in Spring; see: https://jira.springsource.org/browse/SEC-1671
 *
 * @author a.kohlbecker
 */
32 public class RunAsAuthenticator
{
public static final Logger logger = Logger.getLogger(RunAsAuthenticator.class);

/**
 * Run-as key passed to the {@link RunAsUserToken} built in
 * {@link #runAsAuthentication(GrantedAuthority)}; must match the key in
 * eu/etaxonomy/cdm/services_security.xml, where the provider that accepts such tokens
 * is configured.
 * NOTE(review): the value is a literal in a versioned source file and is therefore
 * public; it can only pair this class with the provider configured with the same key,
 * not act as a secret. Reading it from configuration would allow rotating it without
 * a rebuild.
 */
private static final String RUN_AS_KEY = "TtlCx3pgKC4l";

// not to be autowired, since the FirstdataInserter must be usable without security
// (both runAsAuthentication() and restoreAuthentication() check for null explicitly)
private AuthenticationProvider runAsAuthenticationProvider = null;

// the Authentication that was current before the last runAsAuthentication() call;
// kept on the instance rather than per thread, so presumably one RunAsAuthenticator
// must not be shared by concurrent callers — confirm with the wiring in services_security.xml
private Authentication authentication;
/**
 * Switches the current {@link SecurityContext} to a run-as authentication built for the
 * given authority, remembering the previously current authentication so that
 * {@link #restoreAuthentication()} can put it back.
 * Needed to work around the broken @RunAs("ROLE_ADMIN") which seems to be
 * broken in spring see: https://jira.springsource.org/browse/SEC-1671
 *
 * @param ga the authority to run as; presumably added to {@code rules} on a line this
 *        listing omits (see below) — confirm against the full source
 */
public void runAsAuthentication(GrantedAuthority ga) {
    if(runAsAuthenticationProvider == null){
        logger.debug("no RunAsAuthenticationProvider set, skipping run-as authentication");
        // lines 56-58 of the file are not shown on this page; the early exit of this
        // guard ("skipping") presumably lives here
    }
    SecurityContext securityContext = SecurityContextHolder.getContext();
    // saved unconditionally on the instance: a second call before restoreAuthentication()
    // overwrites the saved original with the run-as authentication of the first call
    authentication = securityContext.getAuthentication();

    Collection<GrantedAuthority> rules = new ArrayList<GrantedAuthority>();
    // line 64 of the file is not shown on this page
    RunAsUserToken adminToken = new RunAsUserToken(
            // lines 66-69 of the file are not shown on this page (presumably the key,
            // principal, credentials and authorities arguments of the token)
            (authentication != null ? authentication.getClass() : AnonymousAuthenticationToken.class));
    // the configured provider decides whether the token is accepted (presumably by checking
    // its key against RUN_AS_KEY); its result becomes the current authentication
    Authentication runAsAuthentication = runAsAuthenticationProvider.authenticate(adminToken);
    SecurityContextHolder.getContext().setAuthentication(runAsAuthentication);
    logger.debug("switched to run-as authentication: " + runAsAuthentication);
}
/**
 * Puts the authentication saved by the last {@link #runAsAuthentication(GrantedAuthority)}
 * call back into the current {@link SecurityContext}.
 * Needed to work around the broken @RunAs("ROLE_ADMIN") which
 * seems to be broken in spring see: https://jira.springsource.org/browse/SEC-1671
 */
public void restoreAuthentication() {
    if(runAsAuthenticationProvider == null){
        logger.debug("no RunAsAuthenticationProvider set, thus nothing to restore");
        // line 85 of the file is not shown on this page. The numbering leaves room for a
        // single line between this log call and the SecurityContext lookup, so unlike
        // runAsAuthentication() this guard appears to have no early return — confirm,
        // because falling through sets the context to whatever `authentication` holds
        // (null if nothing was ever saved), i.e. the caller's authentication is replaced
        // rather than kept.
    }
    SecurityContext securityContext = SecurityContextHolder.getContext();
    // a null saved authentication is anticipated by the author (see the log message below);
    // the saved value is not cleared here, so a later restore without a new run-as call
    // re-applies the same stale authentication
    securityContext.setAuthentication(authentication);
    logger.debug("last authentication restored: " + (authentication != null ? authentication : "NULL"));
}
/**
 * Returns the provider that authenticates the run-as tokens, or {@code null} when this
 * instance is used without a security configuration.
 *
 * @return the runAsAuthenticationProvider, possibly {@code null}
 */
public AuthenticationProvider getRunAsAuthenticationProvider() {
    return this.runAsAuthenticationProvider;
}
/**
 * Sets the provider that authenticates the run-as tokens. Deliberately a plain setter
 * instead of an autowired dependency, so the class stays usable without security.
 *
 * @param runAsAuthenticationProvider the runAsAuthenticationProvider to set; {@code null}
 *        makes {@link #runAsAuthentication(GrantedAuthority)} skip the run-as switch
 */
public void setRunAsAuthenticationProvider(AuthenticationProvider runAsAuthenticationProvider) {
    this.runAsAuthenticationProvider = runAsAuthenticationProvider;
}