Added System Security Context as attribute to AbstractControllerAuthenticationFilter

This is necessary, because the tenant configuration methods are only accessable with specific permissions.
With the SystemSecurityContext methods can be executed as SystemRunner and therefor we can set permissions.

* updated the chaine of condtructors to set the context in the filter class
* added SystemRunner permission to TenantConfigurationManagement
* Autowired the system context to AMQP and HTTP controller

Signed-off-by: Nonnenmacher Fabian <fabian.nonnenmacher@bosch-si.com>
This commit is contained in:
Fabian Nonnenmacher
2016-02-05 11:01:06 +01:00
committed by Nonnenmacher Fabian
parent 57e040aec1
commit 2be4922615
11 changed files with 65 additions and 36 deletions

View File

@@ -29,11 +29,13 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
protected final TenantConfigurationManagement tenantConfigurationManagement;
protected final TenantAware tenantAware;
private final SecurityConfigurationKeyTenantRunner configurationKeyTenantRunner;
protected final SystemSecurityContext systemSecurityContext;
protected AbstractControllerAuthenticationFilter(final TenantConfigurationManagement systemManagement,
final TenantAware tenantAware) {
final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
this.tenantConfigurationManagement = systemManagement;
this.tenantAware = tenantAware;
this.systemSecurityContext = systemSecurityContext;
this.configurationKeyTenantRunner = new SecurityConfigurationKeyTenantRunner();
}
@@ -53,9 +55,10 @@ public abstract class AbstractControllerAuthenticationFilter implements PreAuthe
private final class SecurityConfigurationKeyTenantRunner implements TenantAware.TenantRunner<Boolean> {
@Override
public Boolean run() {
LOGGER.trace("retrieving configuration value for configuration key {}", getTenantConfigurationKey());
return tenantConfigurationManagement.getConfigurationValue(getTenantConfigurationKey(), Boolean.class)
.getValue();
return systemSecurityContext.runAsSystem(() -> tenantConfigurationManagement
.getConfigurationValue(getTenantConfigurationKey(), Boolean.class).getValue());
}
}

View File

@@ -45,8 +45,8 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
/**
* Constructor.
*
* @param systemManagement
* the system management service to retrieve configuration
* @param tenantConfigurationManagement
* the tenant management service to retrieve configuration
* properties
* @param controllerManagement
* the controller management to retrieve the specific target
@@ -54,11 +54,15 @@ public class ControllerPreAuthenticateSecurityTokenFilter extends AbstractContro
* @param tenantAware
* the tenant aware service to get configuration for the specific
* tenant
* @param systemSecurityContext
* the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticateSecurityTokenFilter(
final TenantConfigurationManagement tenantConfigurationManagement,
final ControllerManagement controllerManagement, final TenantAware tenantAware) {
super(tenantConfigurationManagement, tenantAware);
final ControllerManagement controllerManagement, final TenantAware tenantAware,
final SystemSecurityContext systemSecurityContext) {
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
this.controllerManagement = controllerManagement;
}

View File

@@ -39,16 +39,20 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
/**
* Constructor.
*
* @param systemManagement
* the system management service to retrieve configuration
* @param tenantConfigurationManagement
* the tenant management service to retrieve configuration
* properties
* @param tenantAware
* the tenant aware service to get configuration for the specific
* tenant
* @param systemSecurityContext
* the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticatedGatewaySecurityTokenFilter(
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware) {
super(tenantConfigurationManagement, tenantAware);
final TenantConfigurationManagement tenantConfigurationManagement, final TenantAware tenantAware,
final SystemSecurityContext systemSecurityContext) {
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
}
@Override
@@ -84,8 +88,12 @@ public class ControllerPreAuthenticatedGatewaySecurityTokenFilter extends Abstra
public String run() {
LOGGER.trace("retrieving configuration value for configuration key {}",
TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY);
return tenantConfigurationManagement.getConfigurationValue(
TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class).getValue();
return systemSecurityContext
.runAsSystem(() -> tenantConfigurationManagement
.getConfigurationValue(
TenantConfigurationKey.AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, String.class)
.getValue());
}
}

View File

@@ -56,18 +56,20 @@ public class ControllerPreAuthenticatedSecurityHeaderFilter extends AbstractCont
* @param caAuthorityNameHeader
* the http-header which holds the ca-authority name of the
* certificate
* @param systemManagement
* the system management service to retrieve configuration
* properties to check if the header authentication is enabled
* for this tenant
* @param tenantConfigurationManagement
* the tenant management service to retrieve configuration
* properties
* @param tenantAware
* the tenant aware service to get configuration for the specific
* tenant
* @param systemSecurityContext
* the system security context to get access to tenant
* configuration
*/
public ControllerPreAuthenticatedSecurityHeaderFilter(final String caCommonNameHeader,
final String caAuthorityNameHeader, final TenantConfigurationManagement tenantConfigurationManagement,
final TenantAware tenantAware) {
super(tenantConfigurationManagement, tenantAware);
final TenantAware tenantAware, final SystemSecurityContext systemSecurityContext) {
super(tenantConfigurationManagement, tenantAware, systemSecurityContext);
this.caCommonNameHeader = caCommonNameHeader;
this.sslIssuerHashBasicHeader = caAuthorityNameHeader;
}