From 578564d5a5787848d8795afa01a5d77264370957 Mon Sep 17 00:00:00 2001 From: Alex Rudyy Date: Thu, 19 Sep 2013 10:46:27 +0000 Subject: QPID-5138: Protect user preferences operations with ACL git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1524684 13f79535-47bb-0310-9956-ffa450edef68 --- .../plugin/servlet/rest/PreferencesServlet.java | 21 ++++++++++++ .../servlet/rest/UserPreferencesServlet.java | 39 +++++++++++++++++++++- 2 files changed, 59 insertions(+), 1 deletion(-) (limited to 'qpid/java/broker-plugins/management-http') diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/PreferencesServlet.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/PreferencesServlet.java index 7bcfcbc7f7..bf2a88a2c1 100644 --- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/PreferencesServlet.java +++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/PreferencesServlet.java @@ -1,3 +1,24 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + package org.apache.qpid.server.management.plugin.servlet.rest; import java.io.IOException; diff --git a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/UserPreferencesServlet.java b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/UserPreferencesServlet.java index 3fc0a76efb..808e3210dd 100644 --- a/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/UserPreferencesServlet.java +++ b/qpid/java/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/UserPreferencesServlet.java @@ -1,3 +1,24 @@ +/* + * + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ + package org.apache.qpid.server.management.plugin.servlet.rest; import java.io.IOException; @@ -18,6 +39,7 @@ import org.apache.qpid.server.model.AuthenticationProvider; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.model.PreferencesProvider; import org.apache.qpid.server.model.User; +import org.apache.qpid.server.security.access.Operation; public class UserPreferencesServlet extends AbstractServlet { @@ -46,6 +68,11 @@ public class UserPreferencesServlet extends AbstractServlet private void getUserPreferences(String authenticationProviderName, String userId, HttpServletResponse response) throws IOException { + if (!userPreferencesOperationAuthorized(userId)) + { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Vieweing of preferences is not allowed"); + return; + } Map preferences = null; PreferencesProvider preferencesProvider = getPreferencesProvider(authenticationProviderName); if (preferencesProvider == null) @@ -132,7 +159,7 @@ public class UserPreferencesServlet extends AbstractServlet * removes preferences */ @Override - protected void doDeleteWithSubjectAndActor(HttpServletRequest request, HttpServletResponse response) + protected void doDeleteWithSubjectAndActor(HttpServletRequest request, HttpServletResponse response) throws IOException { final List userData = new ArrayList(); for (String name : request.getParameterValues("user")) @@ -165,6 +192,11 @@ public class UserPreferencesServlet extends AbstractServlet Set usernames = preferencesProvider.listUserIDs(); if (usernames.contains(userId)) { + if (!userPreferencesOperationAuthorized(userId)) + { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Deletion of preferences is not allowed"); + return; + } preferencesProvider.deletePreferences(userId); } } @@ -175,4 +207,9 @@ public class UserPreferencesServlet extends AbstractServlet } } + + private boolean userPreferencesOperationAuthorized(String userId) + { + return getBroker().getSecurityManager().authoriseUserOperation(Operation.UPDATE, userId); + } } -- cgit v1.2.1