fixing usage of wrong logger in RunAsAuthenticator
1 /**
2 * Copyright (C) 2017 EDIT
3 * European Distributed Institute of Taxonomy
4 * http://www.e-taxonomy.eu
5 *
6 * The contents of this file are subject to the Mozilla Public License Version 1.1
7 * See LICENSE.TXT at the top of this package for the full license terms.
8 */
9 package eu.etaxonomy.cdm.api.application;
10
11 import java.util.ArrayList;
12 import java.util.Collection;
13
14 import org.apache.log4j.Logger;
15 import org.springframework.security.access.intercept.RunAsUserToken;
16 import org.springframework.security.authentication.AnonymousAuthenticationToken;
17 import org.springframework.security.authentication.AuthenticationProvider;
18 import org.springframework.security.core.Authentication;
19 import org.springframework.security.core.GrantedAuthority;
20 import org.springframework.security.core.context.SecurityContext;
21 import org.springframework.security.core.context.SecurityContextHolder;
22
23 /**
24 *
25 * Helper class to work around the apparently broken @RunAs("ROLE_ADMIN")
26 * in spring see: https://jira.springsource.org/browse/SEC-1671
27 *
28 * @author a.kohlbecker
29 * @since Jul 24, 2017
30 *
31 */
32 public class RunAsAuthenticator {
33
34 public static final Logger logger = Logger.getLogger(RunAsAuthenticator.class);
35
36 /**
37 * must match the key in eu/etaxonomy/cdm/services_security.xml
38 */
39 private static final String RUN_AS_KEY = "TtlCx3pgKC4l";
40
41 // not to be autowired, since the FirstdataInserter must be usable without security
42 private AuthenticationProvider runAsAuthenticationProvider = null;
43
44
45 private Authentication authentication;
46
47
48 /**
49 * needed to work around the broken @RunAs("ROLE_ADMIN") which seems to be
50 * broken in spring see: https://jira.springsource.org/browse/SEC-1671
51 * @param ga
52 */
53 public void runAsAuthentication(GrantedAuthority ga) {
54 if(runAsAuthenticationProvider == null){
55 logger.debug("no RunAsAuthenticationProvider set, skipping run-as authentication");
56 return;
57 }
58
59 SecurityContext securityContext = SecurityContextHolder.getContext();
60 authentication = securityContext.getAuthentication();
61
62
63 Collection<GrantedAuthority> rules = new ArrayList<GrantedAuthority>();
64 rules.add(ga);
65 RunAsUserToken adminToken = new RunAsUserToken(
66 RUN_AS_KEY,
67 "system-admin",
68 null,
69 rules,
70 (authentication != null ? authentication.getClass() : AnonymousAuthenticationToken.class));
71
72 Authentication runAsAuthentication = runAsAuthenticationProvider.authenticate(adminToken);
73 SecurityContextHolder.getContext().setAuthentication(runAsAuthentication);
74
75 logger.debug("switched to run-as authentication: " + runAsAuthentication);
76 }
77
78 /**
79 * needed to work around the broken @RunAs("ROLE_ADMIN") which
80 * seems to be broken in spring see: https://jira.springsource.org/browse/SEC-1671
81 */
82 public void restoreAuthentication() {
83 if(runAsAuthenticationProvider == null){
84 logger.debug("no RunAsAuthenticationProvider set, thus nothing to restore");
85 }
86 SecurityContext securityContext = SecurityContextHolder.getContext();
87 securityContext.setAuthentication(authentication);
88 logger.debug("last authentication restored: " + (authentication != null ? authentication : "NULL"));
89 }
90
91 /**
92 * @return the runAsAuthenticationProvider
93 */
94 public AuthenticationProvider getRunAsAuthenticationProvider() {
95 return runAsAuthenticationProvider;
96 }
97
98 /**
99 * @param runAsAuthenticationProvider the runAsAuthenticationProvider to set
100 */
101 public void setRunAsAuthenticationProvider(AuthenticationProvider runAsAuthenticationProvider) {
102 this.runAsAuthenticationProvider = runAsAuthenticationProvider;
103 }
104
105 }