Merge pull request #836 from Dev-ALPM/security-fix-glassfish
Change security test to @RoleAllowed
rsoika authored Sep 28, 2023
2 parents 07afc54 + e788001 commit de6dbb2
Showing 2 changed files with 16 additions and 12 deletions.
Expand Up @@ -28,6 +28,8 @@

package org.imixs.workflow.jaxrs;

import jakarta.annotation.Resource;
import jakarta.ejb.SessionContext;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Collection;
Expand Down Expand Up @@ -76,8 +78,8 @@ public class AdminPRestService {
@Inject
private AdminPService adminPService;

@jakarta.ws.rs.core.Context
private HttpServletRequest servletRequest;
@Resource
private SessionContext ctx;

private static Logger logger = Logger.getLogger(AdminPRestService.class.getName());

Expand Down Expand Up @@ -160,7 +162,7 @@ public XMLDataCollection getAllJobs() {
@Produces(MediaType.APPLICATION_XML)
@Consumes({ MediaType.APPLICATION_XML, "text/xml" })
public Response putJob(XMLDocument xmlworkitem) {
if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
ItemCollection workitem;
Expand Down Expand Up @@ -201,7 +203,7 @@ public Response putJob(XMLDocument xmlworkitem) {
@DELETE
@Path("/jobs/{uniqueid}")
public Response deleteJob(@PathParam("uniqueid") String uniqueid) {
if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
adminPService.deleteJob(uniqueid);
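Review bot: The new `ctx.isCallerInRole(...)` guards in putJob and deleteJob still answer an authorization failure with `Response.Status.UNAUTHORIZED` (401), which tells an already-authenticated caller that credentials are missing rather than that the MANAGERACCESS role is absent; `Response.Status.FORBIDDEN` is the accurate status, though switching it is a client-visible change. Injecting `SessionContext` via `@Resource` only resolves if AdminPRestService is itself an EJB (e.g. `@Stateless`) — its class annotations sit above this hunk so I cannot confirm; if it is a plain CDI/JAX-RS bean, `ctx` stays null and every guarded method fails with a NullPointerException (fail-closed, but as a 500 rather than a clean denial). The EJB spec also expects roles tested with `isCallerInRole` to be declared with `@DeclareRoles` on the bean, which matters on GlassFish where an undeclared role can evaluate to false and lock managers out — worth verifying since that is the platform this fix targets. The commit title mentions `@RoleAllowed`, but the hunk uses the programmatic check; a `@RolesAllowed("org.imixs.ACCESSLEVEL.MANAGERACCESS")` on these methods would let the container enforce the role before the XML body is even unmarshalled. As a style point, the role literal is repeated in every method; hoisting it to `private static final String MANAGER_ROLE = "org.imixs.ACCESSLEVEL.MANAGERACCESS";` and writing the guard as `if (!ctx.isCallerInRole(MANAGER_ROLE))` reads better than `== false`.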
Expand Up @@ -28,6 +28,8 @@

package org.imixs.workflow.jaxrs;

import jakarta.annotation.Resource;
import jakarta.ejb.SessionContext;
import java.io.IOException;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
Expand Down Expand Up @@ -88,8 +90,8 @@ public class DocumentRestService {
@Inject
private SchemaService schemaService;

@jakarta.ws.rs.core.Context
private HttpServletRequest servletRequest;
@Resource
private SessionContext ctx;

private static Logger logger = Logger.getLogger(DocumentRestService.class.getName());

Expand Down Expand Up @@ -356,7 +358,7 @@ public Response countTotalPagesByQuery(@PathParam("query") String query,
@Produces(MediaType.APPLICATION_XML)
@Consumes({ MediaType.APPLICATION_XML, MediaType.TEXT_XML, MediaType.APPLICATION_JSON, })
public Response postDocument(XMLDocument xmlworkitem, @QueryParam("items") String items) {
if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
ItemCollection workitem;
Expand Down Expand Up @@ -434,7 +436,7 @@ public Response putDocument(XMLDocument xmlworkitem, @QueryParam("items") String
@DELETE
@Path("/{uniqueid : ([0-9a-f]{8}-.*|[0-9a-f]{11}-.*)}")
public Response deleteEntity(@PathParam("uniqueid") String uniqueid) {
if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
ItemCollection entity = documentService.load(uniqueid);
Expand All @@ -461,7 +463,7 @@ public Response deleteEntity(@PathParam("uniqueid") String uniqueid) {
public Response backup(@PathParam("query") String query, @QueryParam("filepath") String filepath,
@QueryParam("snapshots") boolean snapshots) {

if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
try {
Expand Down Expand Up @@ -490,7 +492,7 @@ public Response backup(@PathParam("query") String query, @QueryParam("filepath")
@Path("/restore")
public Response restore(@QueryParam("filepath") String filepath) {

if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
try {
Expand All @@ -514,8 +516,8 @@ public Response restore(@QueryParam("filepath") String filepath) {
@Path("/configuration")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public Response getConfiguration(@QueryParam("format") String format) throws Exception {
if (servletRequest.isUserInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return null;
if (ctx.isCallerInRole("org.imixs.ACCESSLEVEL.MANAGERACCESS") == false) {
return Response.status(Response.Status.UNAUTHORIZED).build();
}
ItemCollection config = schemaService.getConfiguration();

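Review bot: putDocument is named as context in the `@@ -434,7 +436,7 @@` hunk header but its body lies outside these hunks, so I cannot see whether it carries the same MANAGERACCESS guard that postDocument and deleteEntity now have — worth confirming, since a write endpoint without the check would undercut the rest of this fix. In backup and restore the role check is the only thing visible between the client-supplied `filepath` query parameter and whatever follows the `try {`, which is also outside the hunk; presumably that path reaches file I/O, so confirm it is resolved and normalized against a fixed base directory, because MANAGERACCESS is an application role and not necessarily a server-admin one. As in the other file, these guards report an authorization failure as 401 where `Response.Status.FORBIDDEN` would be accurate for an authenticated caller lacking the role; at least getConfiguration now returns a real status instead of `null`, which is the right direction. Assuming DocumentRestService is an EJB (the class annotations are above the hunk), `@RolesAllowed("org.imixs.ACCESSLEVEL.MANAGERACCESS")` on these methods plus `@DeclareRoles` would move enforcement into the container and remove the repeated `== false` checks; otherwise a `private static final String MANAGER_ROLE` constant and `if (!ctx.isCallerInRole(MANAGER_ROLE))` is the minimal cleanup.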
