mirror of
https://github.com/DSpace/DSpace.git
synced 2025-10-07 01:54:22 +00:00
DS-3542 Authentication status link fixes
This commit is contained in:
Tom Desair
@@ -10,6 +10,7 @@ package org.dspace.app.rest.model;
|
||||
import java.io.Serializable;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||
import org.atteo.evo.inflector.English;
|
||||
|
||||
/**
|
||||
* Methods to implement to make a REST resource addressable
|
||||
@@ -27,6 +28,11 @@ public interface RestModel extends Serializable {
|
||||
|
||||
public String getType();
|
||||
|
||||
@JsonIgnore
|
||||
default public String getTypePlural() {
|
||||
return English.plural(getType());
|
||||
}
|
||||
|
||||
@JsonIgnore
|
||||
public Class getController();
|
||||
}
|
||||
|
||||
@@ -22,7 +22,7 @@ public class StatusRest extends BaseObjectRest<Integer>
|
||||
private boolean authenticated;
|
||||
|
||||
public static final String NAME = "status";
|
||||
public static final String CATEGORY = "";
|
||||
public static final String CATEGORY = "authn";
|
||||
|
||||
@Override
|
||||
public String getCategory() {
|
||||
@@ -34,6 +34,12 @@ public class StatusRest extends BaseObjectRest<Integer>
|
||||
return NAME;
|
||||
}
|
||||
|
||||
@Override
|
||||
@JsonIgnore
|
||||
public String getTypePlural() {
|
||||
return getType();
|
||||
}
|
||||
|
||||
public Class getController() {
|
||||
return RestResourceController.class;
|
||||
}
|
||||
|
||||
@@ -7,8 +7,10 @@
|
||||
*/
|
||||
package org.dspace.app.rest.model.hateoas;
|
||||
|
||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.linkTo;
|
||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.methodOn;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonUnwrapped;
|
||||
import org.atteo.evo.inflector.English;
|
||||
import org.dspace.app.rest.RestResourceController;
|
||||
import org.dspace.app.rest.model.BrowseEntryRest;
|
||||
import org.dspace.app.rest.model.BrowseIndexRest;
|
||||
@@ -16,9 +18,6 @@ import org.springframework.hateoas.Link;
|
||||
import org.springframework.hateoas.ResourceSupport;
|
||||
import org.springframework.web.util.UriComponentsBuilder;
|
||||
|
||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.linkTo;
|
||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.methodOn;
|
||||
|
||||
/**
|
||||
* Browse Entry Rest HAL Resource. The HAL Resource wraps the REST Resource
|
||||
* adding support for the links and embedded resources
|
||||
@@ -41,7 +40,7 @@ public class BrowseEntryResource extends ResourceSupport {
|
||||
BrowseIndexRest bix = entry.getBrowseIndex();
|
||||
RestResourceController methodOn = methodOn(RestResourceController.class, bix.getCategory(), bix.getType());
|
||||
UriComponentsBuilder uriComponentsBuilder = linkTo(methodOn
|
||||
.findRel(null, bix.getCategory(), English.plural(bix.getType()), bix.getId(), BrowseIndexRest.ITEMS, null, null, null))
|
||||
.findRel(null, bix.getCategory(), bix.getTypePlural(), bix.getId(), BrowseIndexRest.ITEMS, null, null, null))
|
||||
.toUriComponentsBuilder();
|
||||
Link link = new Link(addFilterParams(uriComponentsBuilder).build().toString(), BrowseIndexRest.ITEMS);
|
||||
add(link);
|
||||
|
||||
@@ -7,6 +7,17 @@
|
||||
*/
|
||||
package org.dspace.app.rest.model.hateoas;
|
||||
|
||||
import java.beans.IntrospectionException;
|
||||
import java.beans.Introspector;
|
||||
import java.beans.PropertyDescriptor;
|
||||
import java.io.Serializable;
|
||||
import java.lang.reflect.InvocationTargetException;
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonInclude;
|
||||
import com.fasterxml.jackson.annotation.JsonInclude.Include;
|
||||
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||
@@ -24,17 +35,6 @@ import org.springframework.data.domain.PageImpl;
|
||||
import org.springframework.hateoas.Link;
|
||||
import org.springframework.hateoas.ResourceSupport;
|
||||
|
||||
import java.beans.IntrospectionException;
|
||||
import java.beans.Introspector;
|
||||
import java.beans.PropertyDescriptor;
|
||||
import java.io.Serializable;
|
||||
import java.lang.reflect.InvocationTargetException;
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
/**
|
||||
* A base class for DSpace Rest HAL Resource. The HAL Resource wraps the REST
|
||||
* Resource adding support for the links and embedded resources. Each property
|
||||
@@ -141,10 +141,11 @@ public abstract class DSpaceResource<T extends RestModel> extends ResourceSuppor
|
||||
}
|
||||
if (linkedObject != null) {
|
||||
embedded.put(name, wrapObject);
|
||||
} else {
|
||||
this.add(linkToSubResource);
|
||||
} else if(!linkAnnotation.optional()) {
|
||||
embedded.put(name, null);
|
||||
this.add(linkToSubResource);
|
||||
}
|
||||
this.add(linkToSubResource);
|
||||
|
||||
Method writeMethod = pd.getWriteMethod();
|
||||
writeMethod.invoke(data, new Object[] { null });
|
||||
|
||||
@@ -14,7 +14,6 @@ import java.util.List;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.atteo.evo.inflector.English;
|
||||
import org.dspace.app.rest.exception.PaginationException;
|
||||
import org.dspace.app.rest.exception.RepositoryNotFoundException;
|
||||
import org.dspace.app.rest.model.CommunityRest;
|
||||
@@ -65,7 +64,7 @@ public class Utils {
|
||||
}
|
||||
|
||||
public Link linkToSingleResource(RestModel data, String rel) {
|
||||
return linkTo(data.getController(), data.getCategory(), English.plural(data.getType())).slash(data)
|
||||
return linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data)
|
||||
.withRel(rel);
|
||||
}
|
||||
|
||||
@@ -74,7 +73,7 @@ public class Utils {
|
||||
}
|
||||
|
||||
public Link linkToSubResource(RestModel data, String rel, String path) {
|
||||
return linkTo(data.getController(), data.getCategory(), English.plural(data.getType())).slash(data).slash(path)
|
||||
return linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data).slash(path)
|
||||
.withRel(rel);
|
||||
}
|
||||
|
||||
|
||||
@@ -122,7 +122,12 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
|
||||
//Tamper with the token, insert id of group we don't belong to
|
||||
String[] jwtSplit = token.split("\\.");
|
||||
|
||||
String tampered = new String(Base64.getUrlEncoder().encode(new String(Base64.getUrlDecoder().decode(token.split("\\.")[1])).replaceAll("\\[]", "[\"" + internalGroup.getID() + "\"]").getBytes()));
|
||||
//We try to inject a special group ID to spoof membership
|
||||
String tampered = new String(Base64.getUrlEncoder().encode(
|
||||
new String(Base64.getUrlDecoder().decode(
|
||||
token.split("\\.")[1]))
|
||||
.replaceAll("\\[]", "[\"" + internalGroup.getID() + "\"]")
|
||||
.getBytes()));
|
||||
|
||||
String tamperedToken = jwtSplit[0] + "." + tampered + "." + jwtSplit[2];
|
||||
|
||||
|
||||
Reference in New Issue
Block a user