add security and filters for anonymous download via http and amqp

requests Signed-off-by: Michael Hirsch <michael.hirsch@bosch-si.com>
2016-03-23 16:17:53 +01:00
parent cdac7185c4
commit 1cb7519ace
13 changed files with 304 additions and 35 deletions
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/AbstractHttpControllerAuthenticationFilter.java
@@ -9,6 +9,8 @@
 package org.eclipse.hawkbit.security;

 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Map;

 import javax.servlet.FilterChain;
@@ -16,6 +18,7 @@ import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;

 import org.eclipse.hawkbit.dmf.json.model.TenantSecurityToken;
 import org.eclipse.hawkbit.dmf.json.model.TenantSecurityToken.FileResource;
@@ -23,8 +26,11 @@ import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
 import org.eclipse.hawkbit.tenancy.TenantAware;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.AntPathMatcher;

 import com.google.common.collect.Iterators;
@@ -80,14 +86,6 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac
        pathExtractor = new AntPathMatcher();
    }

-    /*
-     * (non-Javadoc)
-     * 
-     * @see org.springframework.security.web.authentication.preauth.
-     * AbstractPreAuthenticatedProcessingFilter
-     * #doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
-     * javax.servlet.FilterChain)
-     */
    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
            throws IOException, ServletException {
@@ -113,6 +111,18 @@ public abstract class AbstractHttpControllerAuthenticationFilter extends Abstrac

    protected abstract PreAuthenficationFilter createControllerAuthenticationFilter();

+    @Override
+    protected void successfulAuthentication(final HttpServletRequest request, final HttpServletResponse response,
+            final Authentication authResult) {
+        final Collection<GrantedAuthority> authorities = new ArrayList<>();
+        authorities.addAll(authResult.getAuthorities());
+        authorities.addAll(abstractControllerAuthenticationFilter.getSuccessfulAuthenticationAuthorities());
+        final PreAuthenticatedAuthenticationToken authTokenWithGrantedAuthorities = new PreAuthenticatedAuthenticationToken(
+                authResult.getPrincipal(), authResult.getCredentials(), authorities);
+        authTokenWithGrantedAuthorities.setDetails(authResult.getDetails());
+        super.successfulAuthentication(request, response, authTokenWithGrantedAuthorities);
+    }
+
    /**
     * Extracts tenant and controllerId from the request URI as path variables.
     * 
--- a/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java
+++ b/hawkbit-http-security/src/main/java/org/eclipse/hawkbit/security/HttpControllerPreAuthenticateAnonymousDownloadFilter.java
@@ -0,0 +1,47 @@
+/**
+ * Copyright (c) 2015 Bosch Software Innovations GmbH and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.eclipse.hawkbit.security;
+
+import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
+import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
+import org.eclipse.hawkbit.tenancy.TenantAware;
+
+/**
+ * An pre-authenticated processing filter which add the
+ * {@link SpringEvalExpressions#CONTROLLER_DOWNLOAD_ROLE_ANONYMOUS} to the
+ * security context in case the anonymous download is allowed through
+ * configuration.
+ */
+public class HttpControllerPreAuthenticateAnonymousDownloadFilter extends AbstractHttpControllerAuthenticationFilter {
+
+    /**
+     * Constructor.
+     * 
+     * @param tenantConfigurationManagement
+     *            the system management service to retrieve configuration
+     *            properties
+     * @param tenantAware
+     *            the tenant aware service to get configuration for the specific
+     *            tenant
+     * @param systemSecurityContext
+     *            the system security context
+     */
+    public HttpControllerPreAuthenticateAnonymousDownloadFilter(
+            final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
+            final SystemSecurityContext systemSecurityContext) {
+        super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
+    }
+
+    @Override
+    protected PreAuthenficationFilter createControllerAuthenticationFilter() {
+        return new ControllerPreAuthenticatedAnonymousDownload(tenantConfigurationManagement, tenantAware,
+                systemSecurityContext);
+    }
+
+}