snichol 2002/09/05 23:14:11 Modified: java/docs changes.html java/src/org/apache/soap/server/http MessageRouterServlet.java RPCRouterServlet.java ServerHTTPUtils.java Log: Add per-service authorization based on roles. Authorized roles are specified in the deployment descriptor. The container must be configured for authentication through its configuration and/or the Apache SOAP web.xml deployment descriptor. There is no sample for demonstration/test at this time. Revision Changes Path 1.45 +4 -0 xml-soap/java/docs/changes.html Index: changes.html =================================================================== RCS file: /home/cvs/xml-soap/java/docs/changes.html,v retrieving revision 1.44 retrieving revision 1.45 diff -u -r1.44 -r1.45 --- changes.html 5 Sep 2002 16:50:51 -0000 1.44 +++ changes.html 6 Sep 2002 06:14:10 -0000 1.45 @@ -76,6 +76,10 @@ interop hack).</li> <li>Support gzip encoding for HTTP. This is enabled through SOAPContext for clients and the deployment descriptor for services.</li> + <li>Add per-service authorization based on roles. Authorized roles + are specified in the deployment descriptor. The container must be + configured for authentication through its configuration and/or the Apache + SOAP web.xml deployment descriptor.</li> </ul> </li> </ul> 1.37 +5 -1 xml-soap/java/src/org/apache/soap/server/http/MessageRouterServlet.java Index: MessageRouterServlet.java =================================================================== RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/MessageRouterServlet.java,v retrieving revision 1.36 retrieving revision 1.37 diff -u -r1.36 -r1.37 --- MessageRouterServlet.java 5 Sep 2002 16:50:52 -0000 1.36 +++ MessageRouterServlet.java 6 Sep 2002 06:14:10 -0000 1.37 
@@ -292,7 +292,11 @@
// is this a valid message?
dd = serviceManager.query (targetID);
reqCtx.setProperty( Constants.BAG_DEPLOYMENTDESCRIPTOR, dd );
-
+
+ // is user authorized to use this service?
+ if (!ServerHTTPUtils.isUserAuthorized(dd, req, res))
+ return;
+
// Get the session, but only create a new session if the scope
// is session or there is no deployment descriptor option
// SessionRequired with a value of false (i.e. the desire to
1.41 +4 -0 xml-soap/java/src/org/apache/soap/server/http/RPCRouterServlet.java
Index: RPCRouterServlet.java
===================================================================
RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/RPCRouterServlet.java,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- RPCRouterServlet.java 5 Sep 2002 16:50:52 -0000 1.40
+++ RPCRouterServlet.java 6 Sep 2002 06:14:10 -0000 1.41
@@ -338,6 +338,10 @@
dd = serviceManager.query (targetID);
reqCtx.setProperty( Constants.BAG_DEPLOYMENTDESCRIPTOR, dd );
+ // is user authorized to use this service?
+ if (!ServerHTTPUtils.isUserAuthorized(dd, req, res))
+ return;
+
// Get the session, but only create a new session if the scope
// is session or there is no deployment descriptor option
// SessionRequired with a value of false (i.e. the desire to
1.26 +40 -0 xml-soap/java/src/org/apache/soap/server/http/ServerHTTPUtils.java
Index: ServerHTTPUtils.java
===================================================================
RCS file: /home/cvs/xml-soap/java/src/org/apache/soap/server/http/ServerHTTPUtils.java,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- ServerHTTPUtils.java 5 Sep 2002 16:50:52 -0000 1.25
+++ ServerHTTPUtils.java 6 Sep 2002 06:14:10 -0000 1.26
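Review bot: The new call dereferences `dd` inside `isUserAuthorized` (`dd.getProps()`) immediately after `serviceManager.query(targetID)`, so it relies on `query` throwing for an unknown target rather than returning null; if it can return null, the `// is this a valid message?` validation has to complete before the authorization call or an unknown target will surface as a NullPointerException instead of a fault. Placing the check ahead of the session lookup is the right order, since an unauthorized caller then never causes a session to be created. The `-`/`+` pair on the blank line looks like whitespace-only churn that could be kept out of a security change. The enclosing method starts and ends outside this hunk.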
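Review bot: The bare `return` after `isUserAuthorized` yields false is undocumented here, and a reader of this servlet cannot tell without opening ServerHTTPUtils that the helper has already sent a 401 and committed the response; replace the added comment with `// isUserAuthorized has already sent a 401 and committed the response when it returns false` so nobody later writes a fault into that response. The authenticated-but-unauthorized case leaves the helper as a thrown SOAPException, so it depends on a SOAPException handler enclosing this code, outside the hunk, to turn it into a SOAP fault; worth confirming that handler covers this point in doPost. The enclosing method starts and ends outside this hunk.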
@@ -465,6 +465,46 @@
}
/**
+ * Checks authorization to use service.
+ *
+ * @return Whether the user is authorized, true if the user is, false if
+ the user is not due to not being authenticated.
+ * @exception IOException If an error occurs writing a response.
+ * @exception SOAPException If the user is authenticated but not authorized.
+ */
+ public static boolean isUserAuthorized(DeploymentDescriptor dd,
+ HttpServletRequest req,
+ HttpServletResponse res
+ ) throws IOException, SOAPException {
+ // Get roles required for this service
+ Hashtable props = dd.getProps();
+ String roles = props != null ? (String) props.get("roles") : null;
+
+ // If there are no roles, no authorization is required
+ if (roles == null)
+ return true;
+
+ // If user is in any roles, he is authorized
+ StringTokenizer st = new StringTokenizer(roles, ",");
+ while (st.hasMoreTokens()) {
+ if (req.isUserInRole(st.nextToken()))
+ return true;
+ }
+
+ // If user is not authenticated, let him know he needs to be
+ if (req.getRemoteUser() == null && req.getUserPrincipal() == null) {
+ res.setHeader("WWW-Authenticate", "Basic realm=\"Apache SOAP\"");
+ res.setContentType("text/html");
+ res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+ return false;
+ }
+
+ // Authenticated but not authorized
+ throw new SOAPException(Constants.FAULT_CODE_SERVER,
+ "Not authorized for this SOAP service.");
+ }
+
+ /**
* Gets the HTTP headers for a request.
*/
public static Hashtable getHeaders(HttpServletRequest req) {
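Review bot: The unauthenticated branch hard-codes a `WWW-Authenticate: Basic realm="Apache SOAP"` challenge even though the log message leaves authentication to the container, so a deployment whose login-config is FORM, DIGEST or CLIENT-CERT will have clients resend Basic credentials that nothing evaluates, and over plain HTTP the challenge invites cleartext passwords; drop the `setHeader` line and let the container's security-constraint force authentication before the router is reached, or at minimum take the scheme and realm from the deployment descriptor and only challenge when `req.isSecure()`. Role names are split on `,` without trimming, so a descriptor value such as `admin, user` tests the role ` user` and silently fails closed; use `String role = st.nextToken().trim(); if (role.length() > 0 && req.isUserInRole(role)) return true;`. The authenticated-but-unauthorized path raises `Constants.FAULT_CODE_SERVER` although the failure lies with the caller; if the Constants class defines a client fault code, that is the more accurate one to send. The Javadoc should also state that a false return means a bare HTTP 401 (not a SOAP fault) has already been sent and the response is committed, which is what the router servlets rely on when they `return` on false.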