
idok-commit - [idok-commit] idok commit r385 - trunk/java/ch/idok/service/server/search/rest

idok-commit AT lists.psi.ch

Subject: Commit emails of the iDok project


[idok-commit] idok commit r385 - trunk/java/ch/idok/service/server/search/rest


  • From: "AFS account Florian Huebner" <huebner AT savannah.psi.ch>
  • To: idok-commit AT lists.psi.ch
  • Subject: [idok-commit] idok commit r385 - trunk/java/ch/idok/service/server/search/rest
  • Date: Wed, 30 Sep 2009 14:27:03 +0200
  • List-archive: <https://lists.web.psi.ch/pipermail/idok-commit/>
  • List-id: Commit emails of the iDok project <idok-commit.lists.psi.ch>

Author: huebner
Date: Wed Sep 30 14:27:02 2009
New Revision: 385

Log:
Now correctly checks for the proper permissions

Modified:

trunk/java/ch/idok/service/server/search/rest/RestSearchServiceResource.java

Modified:
trunk/java/ch/idok/service/server/search/rest/RestSearchServiceResource.java
==============================================================================
---
trunk/java/ch/idok/service/server/search/rest/RestSearchServiceResource.java
(original)
+++
trunk/java/ch/idok/service/server/search/rest/RestSearchServiceResource.java
Wed Sep 30 14:27:02 2009
@@ -23,11 +23,13 @@
package ch.idok.service.server.search.rest;

import java.io.StringWriter;
+import java.security.AccessControlException;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

+import javax.security.auth.Subject;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
@@ -53,15 +55,23 @@
import org.w3c.dom.Element;

import ch.idok.common.errorhandling.DmsException;
+import ch.idok.common.errorhandling.ErrorType;
+import ch.idok.common.util.AuthUtil;
import ch.idok.common.util.Base64Coder;
import ch.idok.common.util.DmsCredentials;
+import ch.idok.common.util.DmsPermission;
import ch.idok.common.util.Pair;
+import ch.idok.common.util.PermissionChecker;
+import ch.idok.service.common.common.corba.CredentialsConverter;
+import ch.idok.service.common.common.corba.obj.CredentialsType;
import ch.idok.service.common.search.QueryMatch;
import ch.idok.service.common.search.SearchService;
import ch.idok.service.server.admin.Admin;
+import ch.idok.service.server.admin.PermissionAdapterFactory;
import ch.idok.service.server.rest.IdokNegotiateFilter;
import ch.idok.service.server.rest.RestExceptionResponse;
import ch.idok.service.server.rest.RestServer;
+import ch.psi.idok.common.util.MyKrb5LoginModule;

/**
* JAX-RS resource class for the iDok search service
@@ -113,7 +123,14 @@
/** The search service used to produce results. */
static SearchService searchService;

+ /** The local logger. */
static Logger logger;
+
+ /**
+ * The permission checker used for authentication related
+ * functionality.
+ */
+ static PermissionChecker permChecker;

/**
* Cache for Iterator<QueryMatch> objects, that allows to handle requests
@@ -134,10 +151,23 @@
@Context
UriInfo uriInfo;

+
+
static public void init(RestServer server) throws DmsException {
searchService = server.serviceProvider.getSearchService();
logger = server.getLogger();
iteratorCache = IteratorCache.getIteratorCache(searchService,
logger);
+ try {
+ permChecker = PermissionAdapterFactory.getAdapter();
+ if (permChecker == null)
+ DmsException
+ .throwIt(ErrorType.AUTHENTICATION, null,
+ "Acces denied",
+ "Authentication system failure, cannot
initialize the permission checker");
+ } catch (Throwable th) {
+ DmsException.throwIt(ErrorType.INTERNAL, null, "Bug detected",
+ "Unexpected exception", th);
+ }
}

/**
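Review bot: The `catch (Throwable th)` added to `init` also catches whatever the `ErrorType.AUTHENTICATION` `throwIt` call inside the same try block raises (presumably a `DmsException`), so a null permission checker ends up reported as `INTERNAL` / "Bug detected" instead of as the authentication-system failure. Startup still fails closed either way, but the diagnostic is misleading. Move the `permChecker == null` check below the try block, or put `catch (DmsException e) { throw e; }` ahead of the `Throwable` clause. The message `"Acces denied"` should read `"Access denied"`.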
@@ -173,9 +203,9 @@
folder = sa[2];

// parse and validate query parameters
- if (query == null)
- return Response.status(Status.BAD_REQUEST).entity(
- "empty query string").build();
+// if (query == null)
+// return Response.status(Status.BAD_REQUEST).entity(
+// "empty query string").build();
int num = Integer.parseInt(numString);
if (num < 1 || num > 100)
return Response.status(Status.BAD_REQUEST).entity(
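Review bot: The old null check on `query` is left behind as commented-out code, and the relpath hunk further down does the same with the old `AND auto\\:relpath:` line. Version control already keeps the previous form, so these lines should be deleted rather than commented. If a marker is wanted, a one-line comment stating the new contract is more useful, e.g. `// query may be null: the search then matches everything under the folder`. The enclosing method starts and ends outside this hunk.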
@@ -208,6 +238,17 @@
if (securityContext.getUserPrincipal() != null) {
cred = IdokNegotiateFilter.getDmsCredentials();
}
+ Subject subject = AuthUtil.authenticate(cred);
+ if (subject == null) {
+ logger.finer("Could not authenticate user");
+ DmsException.throwIt(ErrorType.AUTHENTICATION, cred,
+ "Could not authenticate user", "");
+ }
+ permChecker.complementSubject(subject);
+ logger.finest("Createing query for "
+ +
AuthUtil.principalSetToString(subject.getPrincipals()));
+
+

// build Lucene query string
String luceneQuery;
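Review bot: The failed-authentication branch logs only at `finer`, so under a typical logging configuration a rejected request leaves no audit trace. An authentication failure warrants `logger.warning("Could not authenticate user")`, without the credential contents. `cred` is passed to `AuthUtil.authenticate` even when `securityContext.getUserPrincipal()` is null, and its initial value is outside the hunk. A short comment should state what subject an unauthenticated request is expected to get, so the later permission check can be reasoned about. `"Createing"` in the `finest` message should be `"Creating"`.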
@@ -234,14 +275,22 @@
if (folderArray.length > 1){
result = "auto\\:relpath:"+folderArray[0];
for(int i = 1; i < folderArray.length; i++){
- result += " AND
auto\\:relpath:"+folderArray[i];
+// result += " AND
auto\\:relpath:"+folderArray[i];
+ result += "/" +folderArray[i];
}
}else
result = "auto\\:relpath:"+folder;

- luceneQuery = String.format(
- "%s/%s::(%s) AND (%s)", project,
+ if (query == null){
+ luceneQuery = String.format(
+ "%s/%s::(%s*)", project,
+ repository, result);
+ }else{
+ luceneQuery = String.format(
+ "%s/%s::(%s*) AND (%s)", project,
repository, result, query);
+ }
+
//e.g: ait/intern::(auto\\:relpath:Events AND
auto\\:relpath:ProgrammMeetings) AND (geus)
//for a search in
https://dms02.psi.ch/api/v1/search/ait/intern/Events/ProgrammMeetings/
}
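Review bot: The folder segments are joined with `"/"` and formatted into the Lucene string unescaped in both branches of the new `if (query == null)`, so query-syntax characters in a path segment change the structure of the expression instead of being matched literally. Escape each segment before concatenation; Lucene's `QueryParser.escape` is intended for this. A blank but non-null `query` still takes the second branch and produces `AND ()`, so the test should probably be `query == null || query.trim().isEmpty()`. The example comment below the new code still shows the old `auto\\:relpath:Events AND auto\\:relpath:ProgrammMeetings` form and should be updated to the new prefix form. The enclosing method continues outside the hunk.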
@@ -273,6 +322,17 @@
break;
QueryMatch hit = hits.next();

+ try {
+ permChecker.checkPermission(subject,
+ new DmsPermission(path+"/"+hit.getId(),
"read"));
+ } catch (AccessControlException ex) {
+ logger.finest("User " + subject
+ + ": No permission to read " + path);
+ continue;
+ }
+
+
+
// update DOM tree
Element hitElement = doc.createElement("Hit");
root.appendChild(hitElement);
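Review bot: The denial message concatenates `subject` directly, and `Subject.toString()` can include the subject's credential objects as well as its principals, so this line may write credential material to the log. The authentication hunk above already uses `AuthUtil.principalSetToString(subject.getPrincipals())`, and the same should be used here. The message also names `path` while the check is on `path+"/"+hit.getId()`, so the log does not identify which document was refused. Suggested form: `logger.finest("User " + AuthUtil.principalSetToString(subject.getPrincipals()) + ": No permission to read " + path + "/" + hit.getId());`. The loop this sits in starts outside the hunk, so whether skipped hits still count toward `num` cannot be judged from here.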
@@ -322,9 +382,13 @@
.encode(hit.getContent())));
hitElement.appendChild(contentElement);
}
+
+
+

}

+
iteratorCache.submit(cred, luceneQuery, metaFields, resultType,
start + num, hits);



