Revision 6d3ee8c8
Added by Katja Luther over 12 years ago
| cdmlib-services/src/test/java/eu/etaxonomy/cdm/api/service/SecurityTest.java | ||
|---|---|---|
| 6 | 6 |
|
| 7 | 7 |
|
| 8 | 8 |
import java.util.ArrayList; |
| 9 |
import java.util.Collection; |
|
| 9 | 10 |
import java.util.Iterator; |
| 10 | 11 |
import java.util.List; |
| 11 | 12 |
import java.util.Set; |
| ... | ... | |
| 27 | 28 |
import org.springframework.security.authentication.dao.ReflectionSaltSource; |
| 28 | 29 |
import org.springframework.security.authentication.encoding.Md5PasswordEncoder; |
| 29 | 30 |
import org.springframework.security.core.Authentication; |
| 31 |
import org.springframework.security.core.GrantedAuthority; |
|
| 30 | 32 |
import org.springframework.security.core.context.SecurityContext; |
| 31 | 33 |
import org.springframework.security.core.context.SecurityContextHolder; |
| 32 | 34 |
|
| ... | ... | |
| 95 | 97 |
|
| 96 | 98 |
private UsernamePasswordAuthenticationToken token; |
| 97 | 99 |
|
| 98 |
@Autowired |
|
| 99 |
protected BeanInitializer defaultBeanInitializer; |
|
| 100 |
|
|
| 100 |
|
|
| 101 | 101 |
@Before |
| 102 | 102 |
public void setUp(){
|
| 103 | 103 |
token = new UsernamePasswordAuthenticationToken("ben", "sPePhAz6");
|
| ... | ... | |
| 123 | 123 |
|
| 124 | 124 |
Taxon expectedTaxon = Taxon.NewInstance(BotanicalName.NewInstance(Rank.SPECIES()), null); |
| 125 | 125 |
UUID uuid = taxonService.save(expectedTaxon); |
| 126 |
TaxonBase<?> actualTaxon = taxonService.find(uuid);
|
|
| 126 |
TaxonBase<?> actualTaxon = taxonService.load(uuid);
|
|
| 127 | 127 |
assertEquals(expectedTaxon, actualTaxon); |
| 128 | 128 |
|
| 129 | 129 |
token = new UsernamePasswordAuthenticationToken("taxonEditor", "test2");
|
| ... | ... | |
| 131 | 131 |
context = SecurityContextHolder.getContext(); |
| 132 | 132 |
context.setAuthentication(authentication); |
| 133 | 133 |
expectedTaxon = Taxon.NewInstance(BotanicalName.NewInstance(Rank.GENUS()), null); |
| 134 |
taxonService.save(actualTaxon); |
|
| 134 |
taxonService.saveOrUpdate(actualTaxon);
|
|
| 135 | 135 |
|
| 136 | 136 |
|
| 137 | 137 |
} |
| ... | ... | |
| 160 | 160 |
context.setAuthentication(authentication); |
| 161 | 161 |
Taxon expectedTaxon = Taxon.NewInstance(null, null); |
| 162 | 162 |
UUID uuid = taxonService.save(expectedTaxon); |
| 163 |
TaxonBase<?> actualTaxon = taxonService.find(uuid);
|
|
| 163 |
TaxonBase<?> actualTaxon = taxonService.load(uuid);
|
|
| 164 | 164 |
assertEquals(expectedTaxon, actualTaxon); |
| 165 | 165 |
|
| 166 | 166 |
actualTaxon.setName(BotanicalName.NewInstance(Rank.SPECIES())); |
| ... | ... | |
| 170 | 170 |
authentication = authenticationManager.authenticate(token); |
| 171 | 171 |
context = SecurityContextHolder.getContext(); |
| 172 | 172 |
context.setAuthentication(authentication); |
| 173 |
actualTaxon = taxonService.find(uuid);
|
|
| 173 |
actualTaxon = taxonService.load(uuid);
|
|
| 174 | 174 |
actualTaxon.setName(BotanicalName.NewInstance(Rank.GENUS())); |
| 175 | 175 |
taxonService.saveOrUpdate(actualTaxon); |
| 176 | 176 |
|
| 177 | 177 |
} |
| 178 | 178 |
|
| 179 |
@Test |
|
| 180 |
public void testDeleteTaxon(){
|
|
| 181 |
token = new UsernamePasswordAuthenticationToken("taxonomist", "test3");
|
|
| 182 |
authentication = authenticationManager.authenticate(token); |
|
| 183 |
SecurityContext context = SecurityContextHolder.getContext(); |
|
| 184 |
context.setAuthentication(authentication); |
|
| 185 |
Taxon actualTaxon = (Taxon)taxonService.find(UUID.fromString("7b8b5cb3-37ba-4dba-91ac-4c6ffd6ac331"));
|
|
| 186 |
|
|
| 187 |
taxonService.delete(actualTaxon); |
|
| 188 |
} |
|
| 189 | 179 |
|
| 190 | 180 |
|
| 191 |
@Test |
|
| 192 |
public void testSaveOrUpdateDescription(){
|
|
| 193 |
|
|
| 194 |
authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("descriptionEditor", "test"));
|
|
| 195 |
SecurityContext context = SecurityContextHolder.getContext(); |
|
| 196 |
context.setAuthentication(authentication); |
|
| 197 |
Taxon taxon = (Taxon) taxonService.find(UUID.fromString("7b8b5cb3-37ba-4dba-91ac-4c6ffd6ac331"));
|
|
| 198 |
|
|
| 199 |
Set<TaxonDescription> descriptions = taxon.getDescriptions(); |
|
| 200 |
|
|
| 201 |
Iterator<TaxonDescription> iterator = descriptions.iterator(); |
|
| 202 |
|
|
| 203 |
TaxonDescription description = iterator.next(); |
|
| 204 |
description = (TaxonDescription) descriptionService.find(description.getUuid()); |
|
| 205 |
|
|
| 206 |
TextData textData = new TextData(); |
|
| 207 |
textData.setFeature(Feature.ECOLOGY()); |
|
| 208 |
Media media = Media.NewInstance(); |
|
| 209 |
textData.addMedia(media); |
|
| 210 |
|
|
| 211 |
|
|
| 212 |
|
|
| 213 |
//descriptionService.saveDescriptionElement(textData); |
|
| 214 |
description.addElement(textData); |
|
| 215 |
|
|
| 216 |
descriptionService.saveOrUpdate(description); |
|
| 217 |
|
|
| 218 |
taxon = (Taxon) taxonService.find(UUID.fromString("7b8b5cb3-37ba-4dba-91ac-4c6ffd6ac331"));
|
|
| 219 |
descriptions = taxon.getDescriptions(); |
|
| 220 |
|
|
| 221 |
iterator = descriptions.iterator(); |
|
| 222 |
|
|
| 223 |
description = iterator.next(); |
|
| 224 |
assertEquals(1, descriptions.size()); |
|
| 225 |
assertEquals(2,description.getElements().size()); |
|
| 226 |
|
|
| 227 |
|
|
| 228 |
|
|
| 229 |
} |
|
| 230 |
|
|
| 231 |
@Test |
|
| 232 |
public void testAllowOnlyAccessToPartOfTree(){
|
|
| 233 |
authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("partEditor", "test4"));
|
|
| 234 |
SecurityContext context = SecurityContextHolder.getContext(); |
|
| 235 |
context.setAuthentication(authentication); |
|
| 236 |
|
|
| 237 |
Taxon tribe = (Taxon)taxonService.find(UUID.fromString("928a0167-98cd-4555-bf72-52116d067625"));
|
|
| 238 |
Taxon taxon = (Taxon)taxonService.find(UUID.fromString("bc09aca6-06fd-4905-b1e7-cbf7cc65d783"));
|
|
| 239 |
Iterator<TaxonNode> it = tribe.getTaxonNodes().iterator(); |
|
| 240 |
TaxonNode node = it.next(); |
|
| 241 |
|
|
| 242 |
CdmPermissionEvaluator permissionEvaluator = new CdmPermissionEvaluator(); |
|
| 243 |
assertFalse(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); |
|
| 244 |
node = node.getChildNodes().iterator().next(); |
|
| 245 |
System.err.println(node.getUuid()); |
|
| 246 |
assertTrue(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); |
|
| 247 |
node = node.getChildNodes().iterator().next(); |
|
| 248 |
assertTrue(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); |
|
| 249 |
TaxonDescription description = TaxonDescription.NewInstance(taxon); |
|
| 250 |
|
|
| 251 |
taxonNodeService.saveOrUpdate(node); |
|
| 252 |
assertFalse(permissionEvaluator.hasPermission(authentication, description, "UPDATE")); |
|
| 253 |
|
|
| 254 |
|
|
| 255 |
} |
|
| 256 |
|
|
| 257 | 181 |
@Test(expected=EvaluationFailedException.class) |
| 258 | 182 |
public void testCascadingInSpringSecurityAccesDenied(){
|
| 259 | 183 |
authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken("partEditor", "test4"));
|
| ... | ... | |
| 263 | 187 |
|
| 264 | 188 |
Taxon taxon =(Taxon) taxonService.load(UUID.fromString("bc09aca6-06fd-4905-b1e7-cbf7cc65d783"));
|
| 265 | 189 |
TaxonDescription description = TaxonDescription.NewInstance(taxon); |
| 190 |
description.setTitleCache("test");
|
|
| 266 | 191 |
assertFalse(permissionEvaluator.hasPermission(authentication, description, "UPDATE")); |
| 267 |
//during cascading the permissions are not evaluated |
|
| 268 |
|
|
| 192 |
System.err.println(permissionEvaluator.hasPermission(authentication, taxon, "UPDATE")); |
|
| 193 |
Collection<GrantedAuthority> authorities = authentication.getAuthorities(); |
|
| 194 |
for (GrantedAuthority authority: authorities){
|
|
| 195 |
System.err.println(authority.getAuthority()); |
|
| 196 |
} |
|
| 197 |
//during cascading the permissions are not evaluated, but with hibernate listener every database transaction can be interrupted, but how to manage it, |
|
| 198 |
//when someone has the rights to save descriptions, but not taxa (the editor always saves everything by saving the taxon) |
|
| 269 | 199 |
taxonService.saveOrUpdate(taxon); |
| 200 |
//descriptionService.saveOrUpdate(description); |
|
| 201 |
descriptionService.getSession().flush(); |
|
| 202 |
descriptionService.saveOrUpdate(description); |
|
| 270 | 203 |
|
| 271 | 204 |
|
| 272 | 205 |
|
| ... | ... | |
| 299 | 232 |
taxonService.saveOrUpdate(syn); |
| 300 | 233 |
|
| 301 | 234 |
} |
| 235 |
|
|
| 302 | 236 |
public static void main(String[] args){
|
| 303 | 237 |
Md5PasswordEncoder encoder =new Md5PasswordEncoder(); |
| 304 | 238 |
|
Also available in: Unified diff
Cascading problems for users having the rights to update taxa but not the explicit right for descriptions fixed