Commit d33f530d authored by Bruno Nocera Zanette's avatar Bruno Nocera Zanette

Added permission control based on requested ID

Added permission control based on the ID requested in the URL.
It compares this ID with the logged-in user's ID and with the Professor's students/courses/...
If the requested ID equals the logged-in user's ID or is one of the students'/courses' IDs,
access to the information is allowed. Otherwise it is denied.
This is necessary for cases where the user requests an ID's information directly through the URL (by modifying it) and
not from a menu (with restricted records). In that case the user could request information
that they are not allowed to view.
Signed-off-by: Bruno Nocera Zanette's avatarBruno Nocera Zanette <brunonzanette@gmail.com>
parent 392bebc5
package br.ufpr.c3sl.sapos.models.util;
import java.util.Collection;
import java.util.List;
import java.lang.String;
import java.math.BigInteger;
import org.springframework.security.core.GrantedAuthority;
import br.ufpr.c3sl.sapos.models.util.KerberosAuthProvider;
import br.ufpr.c3sl.sapos.models.scholar.Registration;
public class PermissionProvider {
// ------------------------------------------------------------------------------------------ //
// Interface to AuthProvider's class, to make the code cleaner and easier to
// modify if some change has been made in AuthProvider's class.
private static Collection<? extends GrantedAuthority> Aluno
= KerberosAuthProvider.authAluno;
private static Collection<? extends GrantedAuthority> Professor
= KerberosAuthProvider.authProfessor;
private static Collection<? extends GrantedAuthority> Funcionario
= KerberosAuthProvider.authFuncionario;
private static Collection<? extends GrantedAuthority> Administrador
= KerberosAuthProvider.authAdministrador;
private static Collection<? extends GrantedAuthority> personAuth(){
return KerberosAuthProvider.getPersonAuth();
}
private static String personUsername(){
return KerberosAuthProvider.getPersonUsername();
}
private static String idFromLoggedInStudent(){
return KerberosAuthProvider.getIdFromLoggedInStudent();
}
private static String idFromLoggedInProfessor(){
return KerberosAuthProvider.getIdFromLoggedInProfessor();
}
// ------------------------------------------------------------------------------------------ //
// Convert ID from String to BigInteger to match Database's format
private static BigInteger castToBigInt(String s){
return BigInteger.valueOf(Long.valueOf(s));
}
// Parse URL string to get ID element based on the prefix, supposing that
// URL is formatted in the following pattern: "^/{prefix}/{id}$"
private static String getIdElement(String idPrefix, String url){
String[] urlElements = url.split("/");
int pos = 0;
for (String element : urlElements){
if (element.equals(idPrefix))
return urlElements[pos+1];
pos++;
}
return null;
}
@SuppressWarnings("unchecked")
private static List<Object> getStudentsIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT r.id FROM registration r, person p"+
" WHERE r.advisor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getCoursesIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT c.course FROM section_pos c, person p"+
" WHERE c.professor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getSectionposIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT c.id FROM section_pos c, person p"+
" WHERE c.professor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
}
// ------------------------------------------------------------------------------------------ //
// Check permission to view Student informations
public boolean hasPermissionToViewPerson(String idPrefix, String url){
System.out.println("Executando hasPermissionToView(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewPerson(getIdElement(idPrefix,url));
}
public boolean hasPermissionToViewPerson(String id){
System.out.println("Executando hasPermissionToView(1) com o parametro: "+id);
if (id.equals(null))
return false;
if (personAuth().equals(Aluno))
return (idFromLoggedInStudent().equals(id));
if (personAuth().equals(Professor))
return (idFromLoggedInProfessor().equals(id)
|| getStudentsIdFromLoggedInProfessor().contains(castToBigInt(id)));
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
return false;
}
// ------------------------------------------------------------------------------------------ //
// ------------------------------------------------------------------------------------------ //
// Check permission to view Course informations
public boolean hasPermissionToViewCourse(String idPrefix, String url){
System.out.println("Executando hasPermissionToViewCourse(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewCourse(getIdElement(idPrefix, url));
}
public boolean hasPermissionToViewCourse(String id){
System.out.println("Executando hasPermissionToViewCourse(1) com o parametro: "+id);
if (id.equals(null))
return false;
if (personAuth().equals(Aluno))
return false;
if (personAuth().equals(Professor))
return (getCoursesIdFromLoggedInProfessor().contains(castToBigInt(id)));
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
return false;
}
// ------------------------------------------------------------------------------------------ //
// ------------------------------------------------------------------------------------------ //
// Check permission to view SectionPos informations
public boolean hasPermissionToViewSectionpos(String idPrefix, String url){
System.out.println("Executando hasPermissionToViewSectionpos(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewSectionpos(getIdElement(idPrefix, url));
}
public boolean hasPermissionToViewSectionpos(String id){
System.out.println("Executando hasPermissionToViewSectionpos(1) com o parametro: "+id);
if (id.equals(null))
return false;
if (personAuth().equals(Aluno))
return false;
if (personAuth().equals(Professor))
return (getSectionposIdFromLoggedInProfessor().contains(castToBigInt(id)));
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
return false;
}
// ------------------------------------------------------------------------------------------ //
}
\ No newline at end of file
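Review bot: The three native queries in getStudentsIdFromLoggedInProfessor, getCoursesIdFromLoggedInProfessor and getSectionposIdFromLoggedInProfessor build SQL by concatenating personUsername() between quotes, so a quote character in the principal name would change the statement; KerberosAuthProvider.getPersonUsername() is not visible here, so how constrained that value is should not be assumed. Bind the value instead: end each query with `" and p.user_name = ?1"` and call `.setParameter(1, personUsername()).getResultList()`. Separately, `if (id.equals(null))` in the three single-argument hasPermissionToView* methods throws NullPointerException when id is null (getIdElement returns null when the prefix is absent, and a missing request parameter would presumably arrive as null too) instead of returning false; it should read `if (id == null) return false;`. The System.out.println calls write request-derived values to stdout on every authorization check and would be better as debug-level logger calls.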
......@@ -5,6 +5,11 @@
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Defines Kerberos as the authentication method -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="kerberosAuthenticationProvider" />
</authentication-manager>
<!-- HTTP security configurations -->
<http auto-config="true" use-expressions="true" request-matcher="regex">
......@@ -12,7 +17,7 @@
<!-- * Rules are tested in declaration order, from first to last. -->
<!-- * Patterns are Regular Expressions of the type "regex". -->
<!-- For more information: http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html -->
<!-- Defines Login/Logout rules -->
<form-login login-processing-url="/resources/j_spring_security_check"
login-page="/login" authentication-failure-url="/login?login_error=t" />
......@@ -31,39 +36,103 @@
<intercept-url pattern="^/.*$" method="PUT" access="hasAnyRole('Administrador', 'Funcionario')"/>
<intercept-url pattern="^/.*$" method="POST" access="hasAnyRole('Administrador', 'Funcionario')"/>
<!-- Pages that have specific permissions -->
<intercept-url pattern="^/professors$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/professors/.*$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- PROFESSOR - * -->
<intercept-url pattern="^/professors(/.*)?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- INGRESSOS - Show -->
<intercept-url pattern="^/registrations/studentinfo\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
<intercept-url pattern="^/registrations(/list\?.*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/registrations/registrationspercourse(list\?.*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/registrations/registrationsstatement(pdf\?registration=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')" />
<intercept-url pattern="^/registrations/acceptancestatement(pdf\?registration=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')" />
<intercept-url pattern="^/registrations/regoverviewchoice$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')" />
<intercept-url pattern="^/registrations/studentinfo\?id=[0-9]*$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')" />
<!-- INGRESSOS - Listar Ingressos" -->
<intercept-url pattern="^/registrations(/list\?.*)?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- INGRESSOS - Listar por status -->
<intercept-url pattern="^/registrations/registrationspercourse(list\?.*)?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- INGRESSOS - Visao geral do aluno -->
<intercept-url pattern="^/registrations/regoverviewchoice$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')" />
<!-- INGRESSOS - Declaracao matricula -->
<intercept-url pattern="^/registrations/registrationsstatement$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/registrations/registrationsstatementpdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
<!-- INGRESSOS - Declaracao de aceitacao -->
<intercept-url pattern="^/registrations/acceptancestatement$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/registrations/acceptancestatementpdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
<!-- AVALIACAO - Declaracao disciplinas -->
<intercept-url pattern="^/transcripts/transcriptsstatement$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')"/>
<intercept-url pattern="^/transcripts/transcriptsstatement(list|pdf)\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
<!-- AVALIACAO - Historico -->
<intercept-url pattern="^/transcripts/transcriptshistory$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')"/>
<intercept-url pattern="^/transcripts/transcriptshistorypdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
<!-- BOLSA DISCENTE - Show -->
<intercept-url pattern="^/studentgrants/[0-9]+?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewPerson('studentgrants', request.getRequestURI())"/>
<intercept-url pattern="^/transcripts/transcriptsstatement((list|pdf)\?registration=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')" />
<intercept-url pattern="^/transcripts/transcriptshistory(pdf\?registration=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')" />
<!-- BOLSA DISCENTE - Listar por bolsa -->
<intercept-url pattern="^/studentgrants/grantsperkind(list\?grant=[0-9]+)?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- BOLSA DISCENTE - Declaracao de bolsista -->
<intercept-url pattern="^/studentgrants/statementgrant$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/studentgrants/statementgrantpdf\?studentgrant=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('studentgrant'))"/>
<intercept-url pattern="^/studentgrants/statementgrant(pdf\?studentgrant=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')" />
<intercept-url pattern="^/studentgrants/grantsperkind(list\?grant=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- TURMA - Show -->
<intercept-url pattern="^/courses/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewCourse('courses', request.getRequestURI())"/>
<intercept-url pattern="^/sectionposes(/list\?year=[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/sectionposes/sectionsselectchoice$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/sectionposes/sectionsselect\?.*$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- AVALIACAO - Show -->
<intercept-url pattern="^/sectionposes/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewSectionpos('sectionposes', request.getRequestURI())"/>
<!-- TURMA - Listar turmas pos -->
<intercept-url pattern="^/sectionposes(/list\?year=[0-9]+)?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- AVALIACAO - Diario de classe -->
<intercept-url pattern="^/sectionposes/sectionsselectchoice$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/sectionposes/sectionsselect\?.*professor=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewCourse(request.getParameter('professor'))"/>
<intercept-url pattern="^/courses(/[0-9]*)?$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- DISCIPLINA - Listar disciplinas -->
<intercept-url pattern="^/courses$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/searchMeetingMinutes$" access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- SERVICOS - Procura atas colegiado -->
<intercept-url pattern="^/searchMeetingMinutes$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<!-- All the rest is considered as Admins permission only. -->
<intercept-url pattern="^/.*$" access="hasAnyRole('Administrador', 'Funcionario')"/>
</http>
<!-- Defines Kerberos as the authentication method -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="kerberosAuthenticationProvider" />
</authentication-manager>
</beans:beans>
\ No newline at end of file
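Review bot: The `sectionsselect` rule passes `request.getParameter('professor')` to hasPermissionToViewCourse, which for a Professor tests the value against the course IDs returned by getCoursesIdFromLoggedInProfessor, so a professor ID is compared with course IDs and the decision rests on whether the two numbers happen to coincide. A similar mismatch appears in the `/studentgrants/[0-9]+` and `statementgrantpdf\?studentgrant=` rules, where a student-grant ID is handed to hasPermissionToViewPerson, the same check the `registration=` rules use; whether those ID spaces coincide cannot be confirmed from this page. Each rule should call a check written for the kind of ID it carries, for example `and @permissionProvider.hasPermissionToViewProfessor(request.getParameter('professor'))` backed by a comparison with idFromLoggedInProfessor(). A one-line comment above each rule naming the entity whose ID the parameter holds would make these pairings reviewable.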
......@@ -5,11 +5,11 @@
xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">
xsi:schemaLocation="http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!--
This will automatically locate any and all property files you have
within your classpath, provided they fall under the META-INF/spring
......@@ -110,13 +110,18 @@
<property name="debug" value="${krb.debug}" />
</bean>
</property>
<property name="userDetailsService" ref="MyUserDetailsService" />
<property name="userDetailsService" ref="saposUserDetailsService" />
</bean>
<bean id="saposUserDetailsService" class="br.ufpr.c3sl.sapos.models.util.KerberosAuthProvider" />
<bean
class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
<property name="debug" value="${krb.debug}" />
<property name="krbConfLocation" value="${krb.conf.location}" />
</bean>
<bean id="MyUserDetailsService" class="br.ufpr.c3sl.sapos.models.util.KerberosAuthProvider" />
<!-- These bean configure PermissionProvider to provide security to restricted functions -->
<bean id="permissionProvider" class="br.ufpr.c3sl.sapos.models.util.PermissionProvider"/>
</beans>
\ No newline at end of file