/**
* Copyright (C) 2017 EDIT
* European Distributed Institute of Taxonomy
* http://www.e-taxonomy.eu
*
* The contents of this file are subject to the Mozilla Public License Version 1.1
* See LICENSE.TXT at the top of this package for the full license terms.
*/
package eu.etaxonomy.cdm.api.application;
import java.util.ArrayList;
import java.util.Collection;
import org.apache.log4j.Logger;
import org.springframework.security.access.intercept.RunAsUserToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
/**
*
* Helper class to work around the apparently broken @RunAs("ROLE_ADMIN")
* in Spring; see: https://jira.springsource.org/browse/SEC-1671
*
* @author a.kohlbecker
* @since Jul 24, 2017
*
*/
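public class RunAsAuthenticator {

    // Logger is named after this class; it was previously attached to
    // FirstDataInserter.class, which attributed every run-as switch and restore
    // message to the wrong class in the log output.
    public static final Logger logger = Logger.getLogger(RunAsAuthenticator.class);

    /**
     * Key the run-as authentication provider is configured with; must match the
     * key in eu/etaxonomy/cdm/services_security.xml.
     *
     * NOTE(review): this key is a shared secret that is compiled into the class.
     * Anyone who can read the sources or the artifact can read it, so the
     * run-as token that carries it should be treated as a privileged credential
     * and, if possible, the key should be moved to configuration instead of a
     * literal.
     */
    private static final String RUN_AS_KEY = "TtlCx3pgKC4l";

    // not to be autowired, since the FirstDataInserter must be usable without security
    private AuthenticationProvider runAsAuthenticationProvider = null;

    // Authentication found in the security context when the run-as switch was
    // made; restored by restoreAuthentication(). Instance state, so one
    // RunAsAuthenticator must not be shared between threads and switch/restore
    // calls do not nest.
    private Authentication authentication;

    // true between a successful run-as switch and the matching restore; guards
    // restoreAuthentication() so it never clears the context when nothing was
    // switched
    private boolean runAsActive = false;

    /**
     * Replaces the authentication in the current SecurityContext with a run-as
     * authentication carrying the single authority {@code ga}. Needed to work
     * around the broken @RunAs("ROLE_ADMIN") which seems to be broken in Spring,
     * see: https://jira.springsource.org/browse/SEC-1671
     *
     * The authentication that was present before the switch is kept so that
     * {@link #restoreAuthentication()} can put it back. Does nothing when no
     * run-as authentication provider has been set.
     *
     * @param ga the authority the run-as authentication will carry
     * @throws org.springframework.security.core.AuthenticationException (unchecked)
     *         if the provider rejects the run-as token; the security context is
     *         left unchanged in that case
     */
    public void runAsAuthentication(GrantedAuthority ga) {
        if (runAsAuthenticationProvider == null) {
            logger.debug("no RunAsAuthenticationProvider set, skipping run-as authentication");
            return;
        }

        SecurityContext securityContext = SecurityContextHolder.getContext();
        authentication = securityContext.getAuthentication();

        Collection<GrantedAuthority> rules = new ArrayList<>();
        rules.add(ga);
        // The last argument is the class of the authentication the token is
        // derived from; the anonymous token class stands in when the context
        // held no authentication at all.
        RunAsUserToken adminToken = new RunAsUserToken(
                RUN_AS_KEY,
                "system-admin",
                null,
                rules,
                (authentication != null ? authentication.getClass() : AnonymousAuthenticationToken.class));

        // authenticate() may throw; the context is only replaced once the
        // provider has accepted the token
        Authentication runAsAuthentication = runAsAuthenticationProvider.authenticate(adminToken);
        SecurityContextHolder.getContext().setAuthentication(runAsAuthentication);
        runAsActive = true;

        logger.debug("switched to run-as authentication: " + runAsAuthentication);
    }

    /**
     * Puts the authentication saved by {@link #runAsAuthentication(GrantedAuthority)}
     * back into the current SecurityContext. Needed to work around the broken
     * @RunAs("ROLE_ADMIN") which seems to be broken in Spring, see:
     * https://jira.springsource.org/browse/SEC-1671
     *
     * Does nothing when no run-as authentication provider has been set or when
     * no run-as switch is active. Previously the provider-null branch only logged
     * and then fell through, which replaced the current authentication with the
     * never-assigned (null) saved value, i.e. it silently cleared the security
     * context.
     */
    public void restoreAuthentication() {
        if (runAsAuthenticationProvider == null) {
            logger.debug("no RunAsAuthenticationProvider set, thus nothing to restore");
            return;
        }
        if (!runAsActive) {
            logger.debug("no run-as authentication active, thus nothing to restore");
            return;
        }
        SecurityContext securityContext = SecurityContextHolder.getContext();
        securityContext.setAuthentication(authentication);
        runAsActive = false;
        logger.debug("last authentication restored: " + (authentication != null ? authentication : "NULL"));
        // drop the reference so a stale token is not retained by this instance
        authentication = null;
    }

    /**
     * @return the runAsAuthenticationProvider, or {@code null} if none was set
     */
    public AuthenticationProvider getRunAsAuthenticationProvider() {
        return runAsAuthenticationProvider;
    }

    /**
     * @param runAsAuthenticationProvider the runAsAuthenticationProvider to set;
     *        {@code null} disables run-as switching
     */
    public void setRunAsAuthenticationProvider(AuthenticationProvider runAsAuthenticationProvider) {
        this.runAsAuthenticationProvider = runAsAuthenticationProvider;
    }

}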