DS-3542 Authentication status link fixes
@@ -10,6 +10,7 @@ package org.dspace.app.rest.model;
|
|||||||
import java.io.Serializable;
|
import java.io.Serializable;
|
||||||
|
|
||||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||||
|
import org.atteo.evo.inflector.English;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Methods to implement to make a REST resource addressable
|
* Methods to implement to make a REST resource addressable
|
||||||
@@ -27,6 +28,11 @@ public interface RestModel extends Serializable {
|
|||||||
|
|
||||||
public String getType();
|
public String getType();
|
||||||
|
|
||||||
|
@JsonIgnore
|
||||||
|
default public String getTypePlural() {
|
||||||
|
return English.plural(getType());
|
||||||
|
}
|
||||||
|
|
||||||
@JsonIgnore
|
@JsonIgnore
|
||||||
public Class getController();
|
public Class getController();
|
||||||
}
|
}
|
||||||
|
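Review bot: The new `getTypePlural()` default method has no Javadoc, yet it defines the naming rule every collection link is built from and is explicitly meant to be overridden (StatusRest does so in this same commit), so the contract should be written down; add above it `/** Plural form of {@link #getType()}, used as the collection segment of this resource's links. Override when the resource is addressed by a singular name. */`. As a point of style, `default public` is an unconventional modifier order and `public` is redundant on an interface method, so `default String getTypePlural() {` reads more cleanly. The raw `Class` in `getController()` is pre-existing context and not part of this change.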
@@ -22,7 +22,7 @@ public class StatusRest extends BaseObjectRest<Integer>
|
|||||||
private boolean authenticated;
|
private boolean authenticated;
|
||||||
|
|
||||||
public static final String NAME = "status";
|
public static final String NAME = "status";
|
||||||
public static final String CATEGORY = "";
|
public static final String CATEGORY = "authn";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getCategory() {
|
public String getCategory() {
|
||||||
@@ -34,6 +34,12 @@ public class StatusRest extends BaseObjectRest<Integer>
|
|||||||
return NAME;
|
return NAME;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@JsonIgnore
|
||||||
|
public String getTypePlural() {
|
||||||
|
return getType();
|
||||||
|
}
|
||||||
|
|
||||||
public Class getController() {
|
public Class getController() {
|
||||||
return RestResourceController.class;
|
return RestResourceController.class;
|
||||||
}
|
}
|
||||||
|
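Review bot: The override of `getTypePlural()` returning the singular `getType()` deviates from the interface default without saying why, which a later maintainer will read as a bug; add `/** The status resource is a singleton and is addressed by its singular name, so no pluralisation is applied. */` above the `@Override`, hedged to match however the endpoint is actually mounted in the controller (not visible here). The repeated `@JsonIgnore` on the override appears redundant if Jackson picks up the annotation from the interface method, but keeping it is harmless and makes the intent local. The enclosing class continues outside the hunk.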
@@ -7,8 +7,10 @@
|
|||||||
*/
|
*/
|
||||||
package org.dspace.app.rest.model.hateoas;
|
package org.dspace.app.rest.model.hateoas;
|
||||||
|
|
||||||
|
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.linkTo;
|
||||||
|
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.methodOn;
|
||||||
|
|
||||||
import com.fasterxml.jackson.annotation.JsonUnwrapped;
|
import com.fasterxml.jackson.annotation.JsonUnwrapped;
|
||||||
import org.atteo.evo.inflector.English;
|
|
||||||
import org.dspace.app.rest.RestResourceController;
|
import org.dspace.app.rest.RestResourceController;
|
||||||
import org.dspace.app.rest.model.BrowseEntryRest;
|
import org.dspace.app.rest.model.BrowseEntryRest;
|
||||||
import org.dspace.app.rest.model.BrowseIndexRest;
|
import org.dspace.app.rest.model.BrowseIndexRest;
|
||||||
@@ -16,9 +18,6 @@ import org.springframework.hateoas.Link;
|
|||||||
import org.springframework.hateoas.ResourceSupport;
|
import org.springframework.hateoas.ResourceSupport;
|
||||||
import org.springframework.web.util.UriComponentsBuilder;
|
import org.springframework.web.util.UriComponentsBuilder;
|
||||||
|
|
||||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.linkTo;
|
|
||||||
import static org.springframework.hateoas.mvc.ControllerLinkBuilder.methodOn;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Browse Entry Rest HAL Resource. The HAL Resource wraps the REST Resource
|
* Browse Entry Rest HAL Resource. The HAL Resource wraps the REST Resource
|
||||||
* adding support for the links and embedded resources
|
* adding support for the links and embedded resources
|
||||||
@@ -41,7 +40,7 @@ public class BrowseEntryResource extends ResourceSupport {
|
|||||||
BrowseIndexRest bix = entry.getBrowseIndex();
|
BrowseIndexRest bix = entry.getBrowseIndex();
|
||||||
RestResourceController methodOn = methodOn(RestResourceController.class, bix.getCategory(), bix.getType());
|
RestResourceController methodOn = methodOn(RestResourceController.class, bix.getCategory(), bix.getType());
|
||||||
UriComponentsBuilder uriComponentsBuilder = linkTo(methodOn
|
UriComponentsBuilder uriComponentsBuilder = linkTo(methodOn
|
||||||
.findRel(null, bix.getCategory(), English.plural(bix.getType()), bix.getId(), BrowseIndexRest.ITEMS, null, null, null))
|
.findRel(null, bix.getCategory(), bix.getTypePlural(), bix.getId(), BrowseIndexRest.ITEMS, null, null, null))
|
||||||
.toUriComponentsBuilder();
|
.toUriComponentsBuilder();
|
||||||
Link link = new Link(addFilterParams(uriComponentsBuilder).build().toString(), BrowseIndexRest.ITEMS);
|
Link link = new Link(addFilterParams(uriComponentsBuilder).build().toString(), BrowseIndexRest.ITEMS);
|
||||||
add(link);
|
add(link);
|
||||||
|
@@ -7,6 +7,17 @@
|
|||||||
*/
|
*/
|
||||||
package org.dspace.app.rest.model.hateoas;
|
package org.dspace.app.rest.model.hateoas;
|
||||||
|
|
||||||
|
import java.beans.IntrospectionException;
|
||||||
|
import java.beans.Introspector;
|
||||||
|
import java.beans.PropertyDescriptor;
|
||||||
|
import java.io.Serializable;
|
||||||
|
import java.lang.reflect.InvocationTargetException;
|
||||||
|
import java.lang.reflect.Method;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
import com.fasterxml.jackson.annotation.JsonInclude;
|
import com.fasterxml.jackson.annotation.JsonInclude;
|
||||||
import com.fasterxml.jackson.annotation.JsonInclude.Include;
|
import com.fasterxml.jackson.annotation.JsonInclude.Include;
|
||||||
import com.fasterxml.jackson.annotation.JsonProperty;
|
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
@@ -24,17 +35,6 @@ import org.springframework.data.domain.PageImpl;
|
|||||||
import org.springframework.hateoas.Link;
|
import org.springframework.hateoas.Link;
|
||||||
import org.springframework.hateoas.ResourceSupport;
|
import org.springframework.hateoas.ResourceSupport;
|
||||||
|
|
||||||
import java.beans.IntrospectionException;
|
|
||||||
import java.beans.Introspector;
|
|
||||||
import java.beans.PropertyDescriptor;
|
|
||||||
import java.io.Serializable;
|
|
||||||
import java.lang.reflect.InvocationTargetException;
|
|
||||||
import java.lang.reflect.Method;
|
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.List;
|
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A base class for DSpace Rest HAL Resource. The HAL Resource wraps the REST
|
* A base class for DSpace Rest HAL Resource. The HAL Resource wraps the REST
|
||||||
* Resource adding support for the links and embedded resources. Each property
|
* Resource adding support for the links and embedded resources. Each property
|
||||||
@@ -141,10 +141,11 @@ public abstract class DSpaceResource<T extends RestModel> extends ResourceSuppor
|
|||||||
}
|
}
|
||||||
if (linkedObject != null) {
|
if (linkedObject != null) {
|
||||||
embedded.put(name, wrapObject);
|
embedded.put(name, wrapObject);
|
||||||
} else {
|
|
||||||
embedded.put(name, null);
|
|
||||||
}
|
|
||||||
this.add(linkToSubResource);
|
this.add(linkToSubResource);
|
||||||
|
} else if(!linkAnnotation.optional()) {
|
||||||
|
embedded.put(name, null);
|
||||||
|
this.add(linkToSubResource);
|
||||||
|
}
|
||||||
|
|
||||||
Method writeMethod = pd.getWriteMethod();
|
Method writeMethod = pd.getWriteMethod();
|
||||||
writeMethod.invoke(data, new Object[] { null });
|
writeMethod.invoke(data, new Object[] { null });
|
||||||
|
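Review bot: The new `else if(!linkAnnotation.optional())` branch silently drops both the `_embedded` entry and the link when the linked object is null and the relation is optional, while a required relation still gets a null entry plus the link; that asymmetry is deliberate but undocumented, so a comment is warranted: `// an optional relation with no target is omitted entirely; a required one is still rendered with a null _embedded entry so the payload shape stays stable`. As a point of style, add the missing space, `} else if (!linkAnnotation.optional()) {`, and note that `this.add(linkToSubResource)` is now duplicated in both branches. This assumes `linkAnnotation` is the annotation resolved earlier in the method, which starts and ends outside the hunk.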
@@ -14,7 +14,6 @@ import java.util.List;
|
|||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
|
||||||
import org.apache.commons.lang3.StringUtils;
|
import org.apache.commons.lang3.StringUtils;
|
||||||
import org.atteo.evo.inflector.English;
|
|
||||||
import org.dspace.app.rest.exception.PaginationException;
|
import org.dspace.app.rest.exception.PaginationException;
|
||||||
import org.dspace.app.rest.exception.RepositoryNotFoundException;
|
import org.dspace.app.rest.exception.RepositoryNotFoundException;
|
||||||
import org.dspace.app.rest.model.CommunityRest;
|
import org.dspace.app.rest.model.CommunityRest;
|
||||||
@@ -65,7 +64,7 @@ public class Utils {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public Link linkToSingleResource(RestModel data, String rel) {
|
public Link linkToSingleResource(RestModel data, String rel) {
|
||||||
return linkTo(data.getController(), data.getCategory(), English.plural(data.getType())).slash(data)
|
return linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data)
|
||||||
.withRel(rel);
|
.withRel(rel);
|
||||||
}
|
}
|
||||||
|
|
||||||
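Review bot: After this change `linkToSingleResource` and `linkToSubResource` (the next hunk, `@@ -74,7 +73,7 @@`) build the identical prefix `linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data)`, so the rule for how a resource's base link is formed now lives in two places; extract it once, e.g. `private ControllerLinkBuilder linkToResource(RestModel data) { return linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data); }`, and have both methods call it. The return type of the static `linkTo` may already need an explicit import of `ControllerLinkBuilder` in this file, which is outside the hunk. Behaviour is otherwise unchanged by the swap to `getTypePlural()`.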
@@ -74,7 +73,7 @@ public class Utils {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public Link linkToSubResource(RestModel data, String rel, String path) {
|
public Link linkToSubResource(RestModel data, String rel, String path) {
|
||||||
return linkTo(data.getController(), data.getCategory(), English.plural(data.getType())).slash(data).slash(path)
|
return linkTo(data.getController(), data.getCategory(), data.getTypePlural()).slash(data).slash(path)
|
||||||
.withRel(rel);
|
.withRel(rel);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -122,7 +122,12 @@ public class AuthenticationRestControllerIT extends AbstractControllerIntegratio
|
|||||||
//Tamper with the token, insert id of group we don't belong to
|
//Tamper with the token, insert id of group we don't belong to
|
||||||
String[] jwtSplit = token.split("\\.");
|
String[] jwtSplit = token.split("\\.");
|
||||||
|
|
||||||
String tampered = new String(Base64.getUrlEncoder().encode(new String(Base64.getUrlDecoder().decode(token.split("\\.")[1])).replaceAll("\\[]", "[\"" + internalGroup.getID() + "\"]").getBytes()));
|
//We try to inject a special group ID to spoof membership
|
||||||
|
String tampered = new String(Base64.getUrlEncoder().encode(
|
||||||
|
new String(Base64.getUrlDecoder().decode(
|
||||||
|
token.split("\\.")[1]))
|
||||||
|
.replaceAll("\\[]", "[\"" + internalGroup.getID() + "\"]")
|
||||||
|
.getBytes()));
|
||||||
|
|
||||||
String tamperedToken = jwtSplit[0] + "." + tampered + "." + jwtSplit[2];
|
String tamperedToken = jwtSplit[0] + "." + tampered + "." + jwtSplit[2];
|
||||||
|
|
||||||
|
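Review bot: The re-encoded payload on the new `String tampered = ...` lines uses `Base64.getUrlEncoder()`, which emits `=` padding, whereas the compact JWT form uses unpadded base64url; depending on how strict the parser is, the tampered token may be rejected as malformed before its signature is ever verified, so the test could pass without proving that a spoofed group claim is caught by signature verification. Use `withoutPadding()` so the only thing wrong with the token is the signature mismatch. The same lines also rely on `new String(byte[])` and `getBytes()` with the platform default charset; pass `StandardCharsets.UTF_8` explicitly (the import lies outside the hunk). The `replaceAll("\\[]", ...)` substitution presumably assumes the claim is serialised as an empty array, which is worth a comment since a non-empty default would make the substitution a no-op. The enclosing test method starts and ends outside the hunk.
```java
// … unchanged: jwtSplit and the tamper comment …
String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(
        new String(Base64.getUrlDecoder().decode(token.split("\\.")[1]), StandardCharsets.UTF_8)
                .replaceAll("\\[]", "[\"" + internalGroup.getID() + "\"]")
                .getBytes(StandardCharsets.UTF_8));
// … unchanged: tamperedToken assembly …
```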