Skip to content
Snippets Groups Projects
Commit 10cf4f58 authored by Tucker Gary Siegel's avatar Tucker Gary Siegel
Browse files

update

parent 002e7a56
No related branches found
No related tags found
No related merge requests found
package edu.umd.dawn.common.annotations;
import jakarta.servlet.http.HttpServletRequest;
import java.lang.annotation.Annotation;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.reflect.MethodSignature;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
/**
* base class for custom aspects for annotations. includes some helper functions
......@@ -29,4 +32,7 @@ public class AspectBase<T extends Annotation> {
((MethodSignature) jointPoint.getSignature()).getDeclaringType().getAnnotation(clazz);
}
protected HttpServletRequest grabRequest() {
return ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
}
}
package edu.umd.dawn.common.annotations;
import edu.umd.dawn.common.enums.Role;
import edu.umd.dawn.common.exceptions.BaseExceptions;
import edu.umd.dawn.common.exceptions.DawnException;
import edu.umd.dawn.common.jwt.Claims;
import edu.umd.dawn.common.services.UserAuthService;
import jakarta.servlet.http.HttpServletRequest;
import lombok.RequiredArgsConstructor;
import lombok.extern.log4j.Log4j2;
......@@ -16,10 +18,10 @@ import org.springframework.stereotype.Component;
@Aspect
@Component
@Log4j2
@RequiredArgsConstructor(onConstructor = @__(@Autowired)) // Autowired annotated lombok generated constructor
public class RoleRestrictionAspect extends AspectBase<RoleRestriction> {
private final HttpServletRequest request;
@Autowired
private UserAuthService service;
@Value("${config.local}")
private boolean local = false;
......@@ -27,12 +29,16 @@ public class RoleRestrictionAspect extends AspectBase<RoleRestriction> {
@Around("@annotation(RoleRestriction) && within(edu.umd.dawn..**)")
public Object run(ProceedingJoinPoint jointPoint) throws Exception, Throwable {
RoleRestriction annotation = grabAnnotation(jointPoint, RoleRestriction.class);
HttpServletRequest request = grabRequest();
if (!local) {
Claims claims = (Claims) request.getAttribute("claims");
if (claims == null) {
throw new DawnException(BaseExceptions.FORBIDDEN);
}
// call db to check
Role role = service.getUserRole(claims.getUserId());
if (!role.isAccessAllowed(annotation.value())) {
throw new DawnException(BaseExceptions.FORBIDDEN);
}
} else if (!annotation.disableWarning()) {
log.warn("RoleRestriction annotation has been disabled - if this is a production environment, consider this"
+ " a critical security error. Request with unknown role accessed endpoint with restriction "
......
......@@ -4,12 +4,9 @@ import com.google.common.base.CaseFormat;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
......@@ -42,9 +39,7 @@ public class CaseInsensitiveFilter extends OncePerRequestFilter {
formattedParams.put(formattedParam, request.getParameterValues(param));
}
filterChain.doFilter(
new CaseInsensitiveFilterWrapper(request, formattedParams),
response);
filterChain.doFilter(new CaseInsensitiveFilterWrapper(request, formattedParams), response);
if (invalidParameterCase.size() > 0) {
log.warn(String.format(
......
package edu.umd.dawn.common.filters;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
public class CaseInsensitiveFilterWrapper extends HttpServletRequestWrapper {
Map<String, String[]> formattedParams;
......@@ -18,9 +17,7 @@ public class CaseInsensitiveFilterWrapper extends HttpServletRequestWrapper {
@Override
public String getParameter(String name) {
return formattedParams.containsKey(name)
? formattedParams.get(name)[0]
: null;
return formattedParams.containsKey(name) ? formattedParams.get(name)[0] : null;
}
@Override
......@@ -37,5 +34,4 @@ public class CaseInsensitiveFilterWrapper extends HttpServletRequestWrapper {
public Map<String, String[]> getParameterMap() {
return formattedParams;
}
}
package edu.umd.dawn.common.interceptor;
import edu.umd.dawn.common.jwt.Claims;
import edu.umd.dawn.common.jwt.JWTUtil;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.log4j.Log4j2;
import org.springframework.web.servlet.HandlerInterceptor;
/**
* interceptor to pull the claims and token for a jwt
* @implNote This does NOT throw any error if a jwt is not provided
*/
@Log4j2
public class JWTInterceptor implements HandlerInterceptor {
private boolean local;
private boolean warn;
private String accessSecret;
/**
*
* @param accessSecret JWT Access Secret from configuration
* @param local is the environment a local env or not
* @param warn should a warning be thrown if no jwt is provided
*/
public JWTInterceptor(String accessSecret, boolean local, boolean warn) {
this.local = local;
this.accessSecret = accessSecret;
this.warn = warn;
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
if (!local) {
String token = request.getHeader("Authorization");
if (token != null && !token.equals("")) {
if (token.startsWith("Bearer ")) {
token = token.replace("Bearer ", "");
}
Claims claims = JWTUtil.parse(accessSecret, token).getClaims();
request.setAttribute("claims", claims);
request.setAttribute("token", token);
} else if (warn) {
log.warn("No jwt provided");
}
} else {
log.warn("JWT interceptor has been disabled - if this is a production environment, consider this a"
+ " critical security error");
}
return true;
}
}
package edu.umd.dawn.common.interceptor;
import edu.umd.dawn.common.jwt.Claims;
import edu.umd.dawn.common.jwt.JWTUtil;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.log4j.Log4j2;
import org.springframework.web.servlet.HandlerInterceptor;
/**
* interceptor to pull the claims and token for a jwt
* @implNote This does NOT throw any error if a jwt is not provided
*/
@Log4j2
public class JWTInterceptor implements HandlerInterceptor {
private boolean local;
private boolean warn;
private String accessSecret;
/**
*
* @param accessSecret JWT Access Secret from configuration
* @param local is the environment a local env or not
* @param warn should a warning be thrown if no jwt is provided
*/
public JWTInterceptor(String accessSecret, boolean local, boolean warn) {
this.local = local;
this.accessSecret = accessSecret;
this.warn = warn;
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
throws Exception {
if (!local) {
String token = request.getHeader("Authorization");
if (token != null && !token.equals("")) {
if (token.startsWith("Bearer ")) {
token = token.replace("Bearer ", "");
}
Claims claims = JWTUtil.parse(accessSecret, token).getClaims();
request.setAttribute("claims", claims);
request.setAttribute("token", token);
} else if (warn) {
log.warn("No jwt provided");
}
} else {
log.warn("JWT interceptor has been disabled - if this is a production environment, consider this a"
+ " critical security error");
}
return true;
}
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment