From 7d66054920a496399cb0e20f10556ae78c3ee009 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sun, 20 Feb 2022 23:12:01 -0800 Subject: Add security package --- src/main/java/org/traccar/api/BaseResource.java | 2 + .../org/traccar/api/SecurityRequestFilter.java | 119 --------------------- src/main/java/org/traccar/api/UserPrincipal.java | 37 ------- .../java/org/traccar/api/UserSecurityContext.java | 49 --------- .../api/security/SecurityRequestFilter.java | 119 +++++++++++++++++++++ .../org/traccar/api/security/UserPrincipal.java | 37 +++++++ .../traccar/api/security/UserSecurityContext.java | 49 +++++++++ src/main/java/org/traccar/web/WebServer.java | 2 +- 8 files changed, 208 insertions(+), 206 deletions(-) delete mode 100644 src/main/java/org/traccar/api/SecurityRequestFilter.java delete mode 100644 src/main/java/org/traccar/api/UserPrincipal.java delete mode 100644 src/main/java/org/traccar/api/UserSecurityContext.java create mode 100644 src/main/java/org/traccar/api/security/SecurityRequestFilter.java create mode 100644 src/main/java/org/traccar/api/security/UserPrincipal.java create mode 100644 src/main/java/org/traccar/api/security/UserSecurityContext.java (limited to 'src/main') diff --git a/src/main/java/org/traccar/api/BaseResource.java b/src/main/java/org/traccar/api/BaseResource.java index 56bf70cf0..6dff8c8c3 100644 --- a/src/main/java/org/traccar/api/BaseResource.java +++ b/src/main/java/org/traccar/api/BaseResource.java @@ -15,6 +15,8 @@ */ package org.traccar.api; +import org.traccar.api.security.UserPrincipal; + import javax.ws.rs.core.Context; import javax.ws.rs.core.SecurityContext; diff --git a/src/main/java/org/traccar/api/SecurityRequestFilter.java b/src/main/java/org/traccar/api/SecurityRequestFilter.java deleted file mode 100644 index 6b190be9f..000000000 --- a/src/main/java/org/traccar/api/SecurityRequestFilter.java +++ /dev/null @@ -1,119 +0,0 @@ -/* - * Copyright 2015 - 2016 Anton Tananaev (anton@traccar.org) - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.traccar.api; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.traccar.Context; -import org.traccar.Main; -import org.traccar.api.resource.SessionResource; -import org.traccar.database.StatisticsManager; -import org.traccar.helper.DataConverter; -import org.traccar.model.User; -import org.traccar.storage.StorageException; - -import javax.annotation.security.PermitAll; -import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.WebApplicationException; -import javax.ws.rs.container.ContainerRequestContext; -import javax.ws.rs.container.ContainerRequestFilter; -import javax.ws.rs.container.ResourceInfo; -import javax.ws.rs.core.Response; -import javax.ws.rs.core.SecurityContext; -import java.lang.reflect.Method; -import java.nio.charset.StandardCharsets; - -public class SecurityRequestFilter implements ContainerRequestFilter { - - private static final Logger LOGGER = LoggerFactory.getLogger(SecurityRequestFilter.class); - - public static final String AUTHORIZATION_HEADER = "Authorization"; - public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; - public static final String BASIC_REALM = "Basic realm=\"api\""; - public static final String X_REQUESTED_WITH = "X-Requested-With"; - public static final String XML_HTTP_REQUEST = "XMLHttpRequest"; - - public static String[] decodeBasicAuth(String auth) { - auth = auth.replaceFirst("[B|b]asic ", ""); - byte[] decodedBytes = DataConverter.parseBase64(auth); - if (decodedBytes != null && decodedBytes.length > 0) { - return new String(decodedBytes, StandardCharsets.US_ASCII).split(":", 2); - } - return null; - } - - @javax.ws.rs.core.Context - private HttpServletRequest request; - - @javax.ws.rs.core.Context - private ResourceInfo resourceInfo; - - @Override - public void filter(ContainerRequestContext requestContext) { - - if (requestContext.getMethod().equals("OPTIONS")) { - return; - } - - SecurityContext securityContext = null; - - try { - - String authHeader = requestContext.getHeaderString(AUTHORIZATION_HEADER); - if (authHeader != null) { - - try { - String[] auth = decodeBasicAuth(authHeader); - User user = Context.getPermissionsManager().login(auth[0], auth[1]); - if (user != null) { - Main.getInjector().getInstance(StatisticsManager.class).registerRequest(user.getId()); - securityContext = new UserSecurityContext(new UserPrincipal(user.getId())); - } - } catch (StorageException e) { - throw new WebApplicationException(e); - } - - } else if (request.getSession() != null) { - - Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); - if (userId != null) { - Context.getPermissionsManager().checkUserEnabled(userId); - Main.getInjector().getInstance(StatisticsManager.class).registerRequest(userId); - securityContext = new UserSecurityContext(new UserPrincipal(userId)); - } - - } - - } catch (SecurityException e) { - LOGGER.warn("Authentication error", e); - } - - if (securityContext != null) { - requestContext.setSecurityContext(securityContext); - } else { - Method method = resourceInfo.getResourceMethod(); - if (!method.isAnnotationPresent(PermitAll.class)) { - Response.ResponseBuilder responseBuilder = Response.status(Response.Status.UNAUTHORIZED); - if (!XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH))) { - responseBuilder.header(WWW_AUTHENTICATE, BASIC_REALM); - } - throw new WebApplicationException(responseBuilder.build()); - } - } - - } - -} diff --git a/src/main/java/org/traccar/api/UserPrincipal.java b/src/main/java/org/traccar/api/UserPrincipal.java deleted file mode 100644 index 175bca391..000000000 --- a/src/main/java/org/traccar/api/UserPrincipal.java +++ /dev/null @@ -1,37 +0,0 @@ -/* - * Copyright 2015 - 2020 Anton Tananaev (anton@traccar.org) - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.traccar.api; - -import java.security.Principal; - -public class UserPrincipal implements Principal { - - private final long userId; - - public UserPrincipal(long userId) { - this.userId = userId; - } - - public Long getUserId() { - return userId; - } - - @Override - public String getName() { - return null; - } - -} diff --git a/src/main/java/org/traccar/api/UserSecurityContext.java b/src/main/java/org/traccar/api/UserSecurityContext.java deleted file mode 100644 index 6773230fa..000000000 --- a/src/main/java/org/traccar/api/UserSecurityContext.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2015 - 2022 Anton Tananaev (anton@traccar.org) - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.traccar.api; - -import javax.ws.rs.core.SecurityContext; -import java.security.Principal; - -public class UserSecurityContext implements SecurityContext { - - private final UserPrincipal principal; - - public UserSecurityContext(UserPrincipal principal) { - this.principal = principal; - } - - @Override - public Principal getUserPrincipal() { - return principal; - } - - @Override - public boolean isUserInRole(String role) { - return true; - } - - @Override - public boolean isSecure() { - return false; - } - - @Override - public String getAuthenticationScheme() { - return BASIC_AUTH; - } - -} diff --git a/src/main/java/org/traccar/api/security/SecurityRequestFilter.java b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java new file mode 100644 index 000000000..9f20acb40 --- /dev/null +++ b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java @@ -0,0 +1,119 @@ +/* + * Copyright 2015 - 2016 Anton Tananaev (anton@traccar.org) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.traccar.api.security; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.traccar.Context; +import org.traccar.Main; +import org.traccar.api.resource.SessionResource; +import org.traccar.database.StatisticsManager; +import org.traccar.helper.DataConverter; +import org.traccar.model.User; +import org.traccar.storage.StorageException; + +import javax.annotation.security.PermitAll; +import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerRequestFilter; +import javax.ws.rs.container.ResourceInfo; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.SecurityContext; +import java.lang.reflect.Method; +import java.nio.charset.StandardCharsets; + +public class SecurityRequestFilter implements ContainerRequestFilter { + + private static final Logger LOGGER = LoggerFactory.getLogger(SecurityRequestFilter.class); + + public static final String AUTHORIZATION_HEADER = "Authorization"; + public static final String WWW_AUTHENTICATE = "WWW-Authenticate"; + public static final String BASIC_REALM = "Basic realm=\"api\""; + public static final String X_REQUESTED_WITH = "X-Requested-With"; + public static final String XML_HTTP_REQUEST = "XMLHttpRequest"; + + public static String[] decodeBasicAuth(String auth) { + auth = auth.replaceFirst("[B|b]asic ", ""); + byte[] decodedBytes = DataConverter.parseBase64(auth); + if (decodedBytes != null && decodedBytes.length > 0) { + return new String(decodedBytes, StandardCharsets.US_ASCII).split(":", 2); + } + return null; + } + + @javax.ws.rs.core.Context + private HttpServletRequest request; + + @javax.ws.rs.core.Context + private ResourceInfo resourceInfo; + + @Override + public void filter(ContainerRequestContext requestContext) { + + if (requestContext.getMethod().equals("OPTIONS")) { + return; + } + + SecurityContext securityContext = null; + + try { + + String authHeader = requestContext.getHeaderString(AUTHORIZATION_HEADER); + if (authHeader != null) { + + try { + String[] auth = decodeBasicAuth(authHeader); + User user = Context.getPermissionsManager().login(auth[0], auth[1]); + if (user != null) { + Main.getInjector().getInstance(StatisticsManager.class).registerRequest(user.getId()); + securityContext = new UserSecurityContext(new UserPrincipal(user.getId())); + } + } catch (StorageException e) { + throw new WebApplicationException(e); + } + + } else if (request.getSession() != null) { + + Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); + if (userId != null) { + Context.getPermissionsManager().checkUserEnabled(userId); + Main.getInjector().getInstance(StatisticsManager.class).registerRequest(userId); + securityContext = new UserSecurityContext(new UserPrincipal(userId)); + } + + } + + } catch (SecurityException e) { + LOGGER.warn("Authentication error", e); + } + + if (securityContext != null) { + requestContext.setSecurityContext(securityContext); + } else { + Method method = resourceInfo.getResourceMethod(); + if (!method.isAnnotationPresent(PermitAll.class)) { + Response.ResponseBuilder responseBuilder = Response.status(Response.Status.UNAUTHORIZED); + if (!XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH))) { + responseBuilder.header(WWW_AUTHENTICATE, BASIC_REALM); + } + throw new WebApplicationException(responseBuilder.build()); + } + } + + } + +} diff --git a/src/main/java/org/traccar/api/security/UserPrincipal.java b/src/main/java/org/traccar/api/security/UserPrincipal.java new file mode 100644 index 000000000..18b84a0e1 --- /dev/null +++ b/src/main/java/org/traccar/api/security/UserPrincipal.java @@ -0,0 +1,37 @@ +/* + * Copyright 2015 - 2020 Anton Tananaev (anton@traccar.org) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.traccar.api.security; + +import java.security.Principal; + +public class UserPrincipal implements Principal { + + private final long userId; + + public UserPrincipal(long userId) { + this.userId = userId; + } + + public Long getUserId() { + return userId; + } + + @Override + public String getName() { + return null; + } + +} diff --git a/src/main/java/org/traccar/api/security/UserSecurityContext.java b/src/main/java/org/traccar/api/security/UserSecurityContext.java new file mode 100644 index 000000000..97df6b6c7 --- /dev/null +++ b/src/main/java/org/traccar/api/security/UserSecurityContext.java @@ -0,0 +1,49 @@ +/* + * Copyright 2015 - 2022 Anton Tananaev (anton@traccar.org) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.traccar.api.security; + +import javax.ws.rs.core.SecurityContext; +import java.security.Principal; + +public class UserSecurityContext implements SecurityContext { + + private final UserPrincipal principal; + + public UserSecurityContext(UserPrincipal principal) { + this.principal = principal; + } + + @Override + public Principal getUserPrincipal() { + return principal; + } + + @Override + public boolean isUserInRole(String role) { + return true; + } + + @Override + public boolean isSecure() { + return false; + } + + @Override + public String getAuthenticationScheme() { + return BASIC_AUTH; + } + +} diff --git a/src/main/java/org/traccar/web/WebServer.java b/src/main/java/org/traccar/web/WebServer.java index c8c564940..0364972d7 100644 --- a/src/main/java/org/traccar/web/WebServer.java +++ b/src/main/java/org/traccar/web/WebServer.java @@ -53,7 +53,7 @@ import org.traccar.api.AsyncSocketServlet; import org.traccar.api.CorsResponseFilter; import org.traccar.api.MediaFilter; import org.traccar.api.ResourceErrorHandler; -import org.traccar.api.SecurityRequestFilter; +import org.traccar.api.security.SecurityRequestFilter; import org.traccar.api.resource.ServerResource; import org.traccar.config.Keys; -- cgit v1.2.3