Commit 8f35fffd80cd827c3dd37bd5387fcad75367533c
1 parent
dabc7821
Ajout de la sécurité
Showing
20 changed files
with
293 additions
and
67 deletions
.gitignore
.idea/dataSources/0d8f27ad-8161-4ee1-8557-56db7fbf44cc/storage.xml deleted
.idea/dataSources/a06fd1f6-5928-4430-a317-e5ebc0e00a82/storage.xml deleted
.idea/dataSources/a88dec51-cb33-4875-a137-6d17703d6d6c/storage.xml deleted
.idea/dataSources/ebfeef5a-f196-4340-9424-14e4e8aaadbb.xml deleted
@@ -1,30 +0,0 @@ | @@ -1,30 +0,0 @@ | ||
1 | -<?xml version="1.0" encoding="UTF-8"?> | ||
2 | -<dataSource name="etunicorn.db"> | ||
3 | - <database-model serializer="dbm" rdbms="SQLITE" format-version="4.0"> | ||
4 | - <root id="1"/> | ||
5 | - <schema id="2" parent="1"> | ||
6 | - <Current>1</Current> | ||
7 | - <Visible>1</Visible> | ||
8 | - </schema> | ||
9 | - <table id="3" parent="2" name="personne"/> | ||
10 | - <column id="4" parent="3" name="id"> | ||
11 | - <DataType>INTEGER(0,-1)|4</DataType> | ||
12 | - </column> | ||
13 | - <column id="5" parent="3" name="carte"> | ||
14 | - <Position>1</Position> | ||
15 | - <DataType>VARCHAR(0,-1)|12</DataType> | ||
16 | - </column> | ||
17 | - <column id="6" parent="3" name="login"> | ||
18 | - <Position>2</Position> | ||
19 | - <DataType>VARCHAR(0,-1)|12</DataType> | ||
20 | - </column> | ||
21 | - <column id="7" parent="3" name="naissance"> | ||
22 | - <Position>3</Position> | ||
23 | - <DataType>TIMESTAMP(0,-1)|12</DataType> | ||
24 | - </column> | ||
25 | - <key id="8" parent="3"> | ||
26 | - <ColNames>id</ColNames> | ||
27 | - <Primary>1</Primary> | ||
28 | - </key> | ||
29 | - </database-model> | ||
30 | -</dataSource> | ||
31 | \ No newline at end of file | 0 | \ No newline at end of file |
.idea/dataSources/ebfeef5a-f196-4340-9424-14e4e8aaadbb/storage.xml deleted
src/main/java/etunicorn/Application.java
@@ -8,6 +8,9 @@ import org.springframework.boot.autoconfigure.jdbc.DataSourceBuilder; | @@ -8,6 +8,9 @@ import org.springframework.boot.autoconfigure.jdbc.DataSourceBuilder; | ||
8 | import org.springframework.context.annotation.Bean; | 8 | import org.springframework.context.annotation.Bean; |
9 | 9 | ||
10 | import javax.sql.DataSource; | 10 | import javax.sql.DataSource; |
11 | +import java.util.ArrayList; | ||
12 | +import java.util.Date; | ||
13 | +import java.util.List; | ||
11 | 14 | ||
12 | /** | 15 | /** |
13 | * etunicorn-server | 16 | * etunicorn-server |
@@ -23,17 +26,33 @@ public class Application { | @@ -23,17 +26,33 @@ public class Application { | ||
23 | } | 26 | } |
24 | 27 | ||
25 | @Bean | 28 | @Bean |
26 | - public CommandLineRunner demo(PermissionRepository permissionRepository) { | 29 | + public CommandLineRunner demo(PermissionRepository permissionRepository, |
30 | + RoleRepository roleRepository, | ||
31 | + PersonneRepository personneRepository, | ||
32 | + SessionRepository sessionRepository) { | ||
27 | return (args) -> { | 33 | return (args) -> { |
28 | - permissionRepository.save(new Permission("ROLE_ADMIN")); | ||
29 | - permissionRepository.save(new Permission("CONSO_ADMIN")); | ||
30 | - permissionRepository.save(new Permission("EVNMT_ADMIN")); | 34 | + permissionRepository.save(new Permission("PERSONNE_ADD")); |
35 | + permissionRepository.save(new Permission("PERSONNE_EDIT")); | ||
36 | + permissionRepository.save(new Permission("PERSONNE_GET")); | ||
37 | + permissionRepository.save(new Permission("PERSONNE_LIST")); | ||
38 | + permissionRepository.save(new Permission("PERSONNE_REMOVE")); | ||
39 | + permissionRepository.save(new Permission("ROLE_ADD")); | ||
40 | + permissionRepository.save(new Permission("ROLE_DELETE")); | ||
41 | + permissionRepository.save(new Permission("ROLE_PERMISSION_ADD")); | ||
42 | + permissionRepository.save(new Permission("ROLE_PERMISSION_LIST")); | ||
43 | + permissionRepository.save(new Permission("ROLE_PERMISSION_REMOVE")); | ||
31 | // ... | 44 | // ... |
45 | + | ||
46 | + roleRepository.save(new Role("admin", (List<Permission>) permissionRepository.findAll())); | ||
47 | + roleRepository.save(new Role("etudiant", new ArrayList<>())); | ||
48 | + personneRepository.save(new Personne("carte", new Date(), "gbontoux", roleRepository.findByNom("admin"))); | ||
49 | + sessionRepository.save(new Session(personneRepository.findByLogin("gbontoux"), "A", new Date(new Date().getTime() + 1000 * 60 * 10))); | ||
50 | + | ||
32 | }; | 51 | }; |
33 | } | 52 | } |
34 | 53 | ||
35 | @Bean | 54 | @Bean |
36 | - public DataSource dataSource(){ | 55 | + public DataSource dataSource() { |
37 | DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(); | 56 | DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(); |
38 | dataSourceBuilder.driverClassName("org.sqlite.JDBC"); | 57 | dataSourceBuilder.driverClassName("org.sqlite.JDBC"); |
39 | dataSourceBuilder.url("jdbc:sqlite:etunicorn.db"); | 58 | dataSourceBuilder.url("jdbc:sqlite:etunicorn.db"); |
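Review bot: The seeded `Session` at new line 49 gives the admin account the fixed one-character token `"A"`, which `SessionService.getSession` accepts straight from the `Authorization` header; since this runner executes at every start, anyone who knows the literal gets ten minutes of admin access after each restart. Seed it with the one-argument constructor, whose token comes from `SecureRandom`, `sessionRepository.save(new Session(personneRepository.findByLogin("gbontoux")));`, and keep the whole demo bean out of production with `@Profile`. The permission list is also incomplete: `PersonneController.mergePersonne` checks `hasPermission("PERSONNE_ROLE")`, which is never saved here, so role assignment always ends in 403 — add `permissionRepository.save(new Permission("PERSONNE_ROLE"));` to the block at new lines 34–43. The cast `(List<Permission>) permissionRepository.findAll()` at new line 46 relies on the runtime type behind `CrudRepository.findAll()`'s declared `Iterable`; copying the elements into a `new ArrayList<>()` (e.g. with `forEach(list::add)`) is the safe form.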
@@ -0,0 +1,36 @@ | @@ -0,0 +1,36 @@ | ||
1 | +package etunicorn; | ||
2 | + | ||
3 | +import org.springframework.beans.factory.annotation.Autowired; | ||
4 | +import org.springframework.web.bind.annotation.RestController; | ||
5 | + | ||
6 | +import javax.servlet.http.HttpServletRequest; | ||
7 | + | ||
8 | +/** | ||
9 | + * etunicorn-server | ||
10 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
11 | + * Tous droits réservés | ||
12 | + */ | ||
13 | +@RestController | ||
14 | +public class BaseController { | ||
15 | + | ||
16 | + // Permettent la vérification de permissions dans les méthodes de controlleur | ||
17 | + @Autowired | ||
18 | + private HttpServletRequest request; | ||
19 | + @Autowired | ||
20 | + private SessionService sessionService; | ||
21 | + @Autowired | ||
22 | + private PermissionRepository permissionRepository; | ||
23 | + | ||
24 | + protected boolean hasPermission(Permission permission) { | ||
25 | + Session session = sessionService.getSession(request); | ||
26 | + if (session == null || permission == null) { | ||
27 | + return false; | ||
28 | + } | ||
29 | + return session.hasPermission(permission); | ||
30 | + } | ||
31 | + | ||
32 | + protected boolean hasPermission(String nomPermission) { | ||
33 | + Permission permission = permissionRepository.findByNom(nomPermission); | ||
34 | + return hasPermission(permission); | ||
35 | + } | ||
36 | +} |
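Review bot: `BaseController` is a concrete class annotated `@RestController` (new lines 13–14), so Spring registers it as a controller bean of its own although it maps no request; the annotation belongs on the subclasses only, and the class should read `public abstract class BaseController {` with the `@RestController` line removed — its `@Autowired` fields are still injected into each subclass bean. Injecting `HttpServletRequest` into a singleton works because Spring supplies a proxy that resolves to the current request on each call; a comment saying so, `// Proxy injected by Spring: resolves to the current request on every call`, would save the next reader the question. `hasPermission(String)` correctly fails closed when the name is unknown (`findByNom` returns null, so the overload returns false), but a silent false also hides typos in permission names; logging the unknown name at warn level would make such mistakes visible.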
src/main/java/etunicorn/LoginController.java
@@ -7,8 +7,6 @@ import org.springframework.web.bind.annotation.PathVariable; | @@ -7,8 +7,6 @@ import org.springframework.web.bind.annotation.PathVariable; | ||
7 | import org.springframework.web.bind.annotation.RequestParam; | 7 | import org.springframework.web.bind.annotation.RequestParam; |
8 | import org.springframework.web.bind.annotation.RestController; | 8 | import org.springframework.web.bind.annotation.RestController; |
9 | 9 | ||
10 | -import java.util.Date; | ||
11 | - | ||
12 | /** | 10 | /** |
13 | * etunicorn-server | 11 | * etunicorn-server |
14 | * Copyright © 2017 Le Club Info Polytech Lille | 12 | * Copyright © 2017 Le Club Info Polytech Lille |
@@ -17,22 +15,27 @@ import java.util.Date; | @@ -17,22 +15,27 @@ import java.util.Date; | ||
17 | @RestController | 15 | @RestController |
18 | public class LoginController implements etunicorn.generated.LoginController { | 16 | public class LoginController implements etunicorn.generated.LoginController { |
19 | @Autowired | 17 | @Autowired |
20 | - private PermissionRepository permissionRepository; | 18 | + private PersonneRepository personneRepository; |
19 | + | ||
20 | + @Autowired | ||
21 | + private SessionService sessionService; | ||
21 | 22 | ||
22 | @Override | 23 | @Override |
24 | + @RestrictedTo(authentifie = false) | ||
23 | public ResponseEntity<?> updateLogin(@RequestParam String login, @RequestParam String password) { | 25 | public ResponseEntity<?> updateLogin(@RequestParam String login, @RequestParam String password) { |
24 | - // TODO C'est du debug ! | ||
25 | - Role role = new Role(); | ||
26 | - role.setNom("superman"); | ||
27 | - for (Permission permission : permissionRepository.findAll()) { | ||
28 | - role.addPermission(permission); | 26 | + Personne personne = personneRepository.findByLogin(login); |
27 | + if (personne == null) { | ||
28 | + return new ResponseEntity<Object>(HttpStatus.UNAUTHORIZED); | ||
29 | } | 29 | } |
30 | - Personne personne = new Personne(); | ||
31 | - personne.setLogin("gbontoux"); | ||
32 | - personne.setCarte("39cdd9ed0b191d"); | ||
33 | - personne.setNaissance(new Date("14-Feb-1997")); | ||
34 | - personne.setRole(role); | ||
35 | - return new ResponseEntity<Object>(personne, HttpStatus.OK); | 30 | + |
31 | + // TODO Vraie vérification du mot de passe | ||
32 | + if (!password.equals("test")) { | ||
33 | + return new ResponseEntity<Object>(HttpStatus.UNAUTHORIZED); | ||
34 | + } | ||
35 | + | ||
36 | + Session session = sessionService.createSession(personne); | ||
37 | + | ||
38 | + return new ResponseEntity<Object>(session, HttpStatus.OK); | ||
36 | } | 39 | } |
37 | 40 | ||
38 | @Override | 41 | @Override |
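Review bot: `updateLogin` (new lines 25–38) returns the whole persisted `Session` entity as the response body, which with default serialization presumably drags along the `Personne` (carte, naissance) and its `Role` with the permission list; the client only needs the token and its validity, so return a small DTO holding just those two fields. The `@RestrictedTo(authentifie = false)` at new line 24 leaves `value()` at its default `""`, and `SecurityInterceptor.preHandle` looks that value up with `permissionRepository.findByNom` before it consults `authentifie()`, so as committed the login endpoint answers 501 unless a permission named `""` exists; the interceptor must skip the permission lookup when `authentifie()` is false or `value()` is empty. Answering 401 for both an unknown login and a wrong password is the right choice; keep it when the placeholder `password.equals("test")` is replaced by the hashed check the TODO announces.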
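--- a/src/main/java/etunicorn/Personne.java
+++ b/src/main/java/etunicorn/Personne.java
@@ -31,6 +31,13 @@ public class Personne {
     public Personne() {
     }
 
+    public Personne(String carte, Date naissance, String login, Role role) {
+        this.carte = carte;
+        this.naissance = naissance;
+        this.login = login;
+        this.role = role;
+    }
+
     public int getId() {
         return id;
     }
@@ -70,4 +77,8 @@ public class Personne {
     public void setRole(Role role) {
         this.role = role;
     }
+
+    public boolean hasPermission(Permission permission) {
+        return role.hasPermission(permission);
+    }
 }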
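Review bot: `hasPermission` (new lines 81–83) dereferences `role` unconditionally, but a `Personne` can exist without one: the no-arg constructor at line 31 leaves it null and `PersonneController.mergePersonne` only sets it when the `role` parameter is supplied. Any authenticated request by such a person then raises a NullPointerException inside the interceptor instead of a clean 403; write it as `return role != null && role.hasPermission(permission);`. A one-line Javadoc on the new four-argument constructor stating the parameter order (`carte, naissance, login, role`) would also help, since two adjacent `String` parameters are easy to swap at the call site.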
src/main/java/etunicorn/PersonneController.java
@@ -19,7 +19,7 @@ import java.util.List; | @@ -19,7 +19,7 @@ import java.util.List; | ||
19 | */ | 19 | */ |
20 | 20 | ||
21 | @RestController | 21 | @RestController |
22 | -public class PersonneController implements etunicorn.generated.PersonneController { | 22 | +public class PersonneController extends BaseController implements etunicorn.generated.PersonneController { |
23 | @Autowired | 23 | @Autowired |
24 | private PersonneRepository personneRepository; | 24 | private PersonneRepository personneRepository; |
25 | 25 | ||
@@ -27,10 +27,12 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | @@ -27,10 +27,12 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | ||
27 | private RoleRepository roleRepository; | 27 | private RoleRepository roleRepository; |
28 | 28 | ||
29 | @Override | 29 | @Override |
30 | + @RestrictedTo("PERSONNE_LIST") | ||
30 | public ResponseEntity<?> getPersonne() { | 31 | public ResponseEntity<?> getPersonne() { |
31 | return new ResponseEntity<List>((List) this.personneRepository.findAll(), HttpStatus.OK); | 32 | return new ResponseEntity<List>((List) this.personneRepository.findAll(), HttpStatus.OK); |
32 | } | 33 | } |
33 | 34 | ||
35 | + | ||
34 | private ResponseEntity<?> mergePersonne(Personne personne, String carte, Date naissance, String login, String role) { | 36 | private ResponseEntity<?> mergePersonne(Personne personne, String carte, Date naissance, String login, String role) { |
35 | if (carte != null) { | 37 | if (carte != null) { |
36 | personne.setCarte(carte); | 38 | personne.setCarte(carte); |
@@ -41,11 +43,16 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | @@ -41,11 +43,16 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | ||
41 | if (login != null) { | 43 | if (login != null) { |
42 | personne.setLogin(login); | 44 | personne.setLogin(login); |
43 | } | 45 | } |
46 | + // TODO Il faut que login ou carte soient mis | ||
44 | if (role != null) { | 47 | if (role != null) { |
45 | - Role roleObj = roleRepository.findByNom(role); | ||
46 | - personne.setRole(roleObj); | ||
47 | - if (roleObj == null) { | ||
48 | - return new ResponseEntity<Object>("Rôle inconnu", HttpStatus.NOT_FOUND); | 48 | + if (hasPermission("PERSONNE_ROLE")) { |
49 | + Role roleObj = roleRepository.findByNom(role); | ||
50 | + personne.setRole(roleObj); | ||
51 | + if (roleObj == null) { | ||
52 | + return new ResponseEntity<Object>("Rôle inconnu", HttpStatus.NOT_FOUND); | ||
53 | + } | ||
54 | + } else { | ||
55 | + return new ResponseEntity<Object>(HttpStatus.FORBIDDEN); | ||
49 | } | 56 | } |
50 | } | 57 | } |
51 | try { | 58 | try { |
@@ -57,12 +64,14 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | @@ -57,12 +64,14 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | ||
57 | } | 64 | } |
58 | 65 | ||
59 | @Override | 66 | @Override |
67 | + @RestrictedTo("PERSONNE_ADD") | ||
60 | public ResponseEntity<?> updatePersonne(@RequestParam(required = false) String carte, @RequestParam(required = false) Date naissance, @RequestParam(required = false) String login, @RequestParam(required = false) String role) { | 68 | public ResponseEntity<?> updatePersonne(@RequestParam(required = false) String carte, @RequestParam(required = false) Date naissance, @RequestParam(required = false) String login, @RequestParam(required = false) String role) { |
61 | Personne personne = new Personne(); | 69 | Personne personne = new Personne(); |
62 | return mergePersonne(personne, carte, naissance, login, role); | 70 | return mergePersonne(personne, carte, naissance, login, role); |
63 | } | 71 | } |
64 | 72 | ||
65 | @Override | 73 | @Override |
74 | + @RestrictedTo("PERSONNE_GET") | ||
66 | public ResponseEntity<?> getPersonneById(@PathVariable BigDecimal idPersonne) { | 75 | public ResponseEntity<?> getPersonneById(@PathVariable BigDecimal idPersonne) { |
67 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); | 76 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); |
68 | if (personne == null) { | 77 | if (personne == null) { |
@@ -72,6 +81,7 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | @@ -72,6 +81,7 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | ||
72 | } | 81 | } |
73 | 82 | ||
74 | @Override | 83 | @Override |
84 | + @RestrictedTo("PERSONNE_EDIT") | ||
75 | public ResponseEntity<?> updatePersonneById(@PathVariable BigDecimal idPersonne, @RequestParam(required = false) String carte, @RequestParam(required = false) Date naissance, @RequestParam(required = false) String login, @RequestParam(required = false) String role) { | 85 | public ResponseEntity<?> updatePersonneById(@PathVariable BigDecimal idPersonne, @RequestParam(required = false) String carte, @RequestParam(required = false) Date naissance, @RequestParam(required = false) String login, @RequestParam(required = false) String role) { |
76 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); | 86 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); |
77 | if (personne == null) { | 87 | if (personne == null) { |
@@ -81,6 +91,7 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | @@ -81,6 +91,7 @@ public class PersonneController implements etunicorn.generated.PersonneControlle | ||
81 | } | 91 | } |
82 | 92 | ||
83 | @Override | 93 | @Override |
94 | + @RestrictedTo("PERSONNE_REMOVE") | ||
84 | public ResponseEntity<?> deletePersonneById(@PathVariable BigDecimal idPersonne) { | 95 | public ResponseEntity<?> deletePersonneById(@PathVariable BigDecimal idPersonne) { |
85 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); | 96 | Personne personne = personneRepository.findById(idPersonne.intValueExact()); |
86 | if (personne == null) { | 97 | if (personne == null) { |
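Review bot: The `hasPermission("PERSONNE_ROLE")` check in `mergePersonne` (new line 48) runs only after `carte`, `naissance` and `login` have already been written to `personne` (new lines 37–45), so a request that is refused with 403 has still mutated the entity; move the check above those assignments so a forbidden request leaves the object untouched whatever the transaction boundaries turn out to be. `mergePersonne` continues past the hunk (the `try` at new line 58), so I cannot see whether the modified entity is flushed on that path. The `// TODO Il faut que login ou carte soient mis` comment at new line 46 is the right place to reject a `Personne` with neither, since `LoginController` resolves accounts by `login` and a record without one can never authenticate; `if (personne.getLogin() == null && personne.getCarte() == null) return new ResponseEntity<Object>(HttpStatus.BAD_REQUEST);` (assuming the getters exist) would do.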
@@ -0,0 +1,17 @@ | @@ -0,0 +1,17 @@ | ||
1 | +package etunicorn; | ||
2 | + | ||
3 | +import java.lang.annotation.*; | ||
4 | + | ||
5 | +/** | ||
6 | + * etunicorn-server | ||
7 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
8 | + * Tous droits réservés | ||
9 | + */ | ||
10 | +@Target(value = {ElementType.METHOD, ElementType.PARAMETER}) | ||
11 | +@Retention(value = RetentionPolicy.RUNTIME) | ||
12 | +@Documented | ||
13 | +public @interface RestrictedTo { | ||
14 | + String value() default ""; | ||
15 | + | ||
16 | + boolean authentifie() default true; | ||
17 | +} |
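Review bot: The annotation carries no Javadoc, yet its two attributes interact in a way every caller must know: `authentifie = false` marks a public endpoint on which `value()` is meant to be ignored, and an empty `value()` with `authentifie = true` presumably means "any logged-in user" — describe both intended semantics in a class-level Javadoc and on each attribute, and note that `SecurityInterceptor` does not yet implement the empty-value case. `@Target` also lists `ElementType.PARAMETER`, but the interceptor only reads the method-level annotation via `getMethodAnnotation`, so a parameter annotation is silently ignored; drop `PARAMETER` from `@Target` until something consumes it.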
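--- a/src/main/java/etunicorn/Role.java
+++ b/src/main/java/etunicorn/Role.java
@@ -25,6 +25,11 @@ public class Role {
     public Role() {
     }
 
+    public Role(String nom, List<Permission> permissions) {
+        this.nom = nom;
+        this.permissions = permissions;
+    }
+
     public String getNom() {
         return nom;
     }
@@ -41,6 +46,10 @@ public class Role {
         this.permissions = permissions;
     }
 
+    public boolean hasPermission(Permission permission) {
+        return permissions.contains(permission);
+    }
+
     public void addPermission(Permission permission) {
         this.permissions.add(permission);
     }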
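Review bot: `hasPermission` (new lines 49–51) relies on `List.contains`, which in turn relies on `Permission.equals`; unless `Permission` overrides `equals`/`hashCode` on its name (not visible in this commit), two instances loaded in different persistence contexts — the one `findByNom` returns in `BaseController.hasPermission` and the ones inside this role's collection — compare by identity and the check fails even when the permission is granted. Either give `Permission` a value-based `equals`/`hashCode`, or compare names here: `return permissions.stream().anyMatch(p -> p.getNom().equals(permission.getNom()));` (assuming a `getNom` accessor). The new constructor stores the caller's list without copying, so the `findAll()` result passed in `Application.demo` becomes the role's own collection; `this.permissions = new ArrayList<>(permissions);` avoids surprises when that list is later mutated through `addPermission`.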
src/main/java/etunicorn/RoleController.java
@@ -17,7 +17,7 @@ import java.util.List; | @@ -17,7 +17,7 @@ import java.util.List; | ||
17 | * Tous droits réservés | 17 | * Tous droits réservés |
18 | */ | 18 | */ |
19 | @RestController | 19 | @RestController |
20 | -public class RoleController implements etunicorn.generated.RoleController { | 20 | +public class RoleController extends BaseController implements etunicorn.generated.RoleController { |
21 | @Autowired | 21 | @Autowired |
22 | private RoleRepository roleRepository; | 22 | private RoleRepository roleRepository; |
23 | 23 | ||
@@ -30,6 +30,7 @@ public class RoleController implements etunicorn.generated.RoleController { | @@ -30,6 +30,7 @@ public class RoleController implements etunicorn.generated.RoleController { | ||
30 | } | 30 | } |
31 | 31 | ||
32 | @Override | 32 | @Override |
33 | + @RestrictedTo("ROLE_ADD") | ||
33 | public ResponseEntity<?> updateRole(@RequestParam String nom) { | 34 | public ResponseEntity<?> updateRole(@RequestParam String nom) { |
34 | Role oldRole = roleRepository.findByNom(nom); | 35 | Role oldRole = roleRepository.findByNom(nom); |
35 | if (oldRole != null) { | 36 | if (oldRole != null) { |
@@ -46,6 +47,7 @@ public class RoleController implements etunicorn.generated.RoleController { | @@ -46,6 +47,7 @@ public class RoleController implements etunicorn.generated.RoleController { | ||
46 | } | 47 | } |
47 | 48 | ||
48 | @Override | 49 | @Override |
50 | + @RestrictedTo("ROLE_DELETE") | ||
49 | public ResponseEntity<?> deleteRoleById(@PathVariable String nomRole) { | 51 | public ResponseEntity<?> deleteRoleById(@PathVariable String nomRole) { |
50 | Role role = roleRepository.findByNom(nomRole); | 52 | Role role = roleRepository.findByNom(nomRole); |
51 | if (role == null) { | 53 | if (role == null) { |
@@ -56,6 +58,7 @@ public class RoleController implements etunicorn.generated.RoleController { | @@ -56,6 +58,7 @@ public class RoleController implements etunicorn.generated.RoleController { | ||
56 | } | 58 | } |
57 | 59 | ||
58 | @Override | 60 | @Override |
61 | + @RestrictedTo("ROLE_PERMISSION_ADD") | ||
59 | public ResponseEntity<?> updateRoleById(@PathVariable String nomRole, @RequestParam String nom) { | 62 | public ResponseEntity<?> updateRoleById(@PathVariable String nomRole, @RequestParam String nom) { |
60 | Role role = roleRepository.findByNom(nomRole); | 63 | Role role = roleRepository.findByNom(nomRole); |
61 | if (role == null) { | 64 | if (role == null) { |
@@ -75,6 +78,7 @@ public class RoleController implements etunicorn.generated.RoleController { | @@ -75,6 +78,7 @@ public class RoleController implements etunicorn.generated.RoleController { | ||
75 | } | 78 | } |
76 | 79 | ||
77 | @Override | 80 | @Override |
81 | + @RestrictedTo("ROLE_PERMISSION_REMOVE") | ||
78 | public ResponseEntity<?> deleteRoleByNomPermission(@PathVariable String nomPermission, @PathVariable String nomRole) { | 82 | public ResponseEntity<?> deleteRoleByNomPermission(@PathVariable String nomPermission, @PathVariable String nomRole) { |
79 | Role role = roleRepository.findByNom(nomRole); | 83 | Role role = roleRepository.findByNom(nomRole); |
80 | if (role == null) { | 84 | if (role == null) { |
@@ -90,6 +94,7 @@ public class RoleController implements etunicorn.generated.RoleController { | @@ -90,6 +94,7 @@ public class RoleController implements etunicorn.generated.RoleController { | ||
90 | } | 94 | } |
91 | 95 | ||
92 | @Override | 96 | @Override |
97 | + @RestrictedTo("ROLE_PERMISSION_LIST") | ||
93 | public ResponseEntity<?> getPermission() { | 98 | public ResponseEntity<?> getPermission() { |
94 | return new ResponseEntity<List>((List) permissionRepository.findAll(), HttpStatus.OK); | 99 | return new ResponseEntity<List>((List) permissionRepository.findAll(), HttpStatus.OK); |
95 | } | 100 | } |
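Review bot: Every `@RestrictedTo` in this file (new lines 33, 50, 61, 81, 97) and in `PersonneController` names its permission as a string literal that must match, character for character, the literals seeded in `Application.demo` and looked up with `findByNom`; a name that is annotated but never seeded is refused at runtime with no compile-time signal. Collect the names in a constants holder, e.g. `public final class Permissions { public static final String ROLE_ADD = "ROLE_ADD"; … }`, and use `@RestrictedTo(Permissions.ROLE_ADD)` here and in the seed so a typo becomes a compile error. I cannot see whether the handler ending at old line 30 (just above the first hunk) carries an annotation; with the interceptor as committed an un-annotated handler fails with a NullPointerException rather than a deliberate deny, so please check it.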
@@ -0,0 +1,70 @@ | @@ -0,0 +1,70 @@ | ||
1 | +package etunicorn; | ||
2 | + | ||
3 | +import org.springframework.beans.factory.annotation.Autowired; | ||
4 | +import org.springframework.http.HttpStatus; | ||
5 | +import org.springframework.transaction.annotation.Transactional; | ||
6 | +import org.springframework.web.method.HandlerMethod; | ||
7 | +import org.springframework.web.servlet.ModelAndView; | ||
8 | +import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; | ||
9 | + | ||
10 | +import javax.servlet.http.HttpServletRequest; | ||
11 | +import javax.servlet.http.HttpServletResponse; | ||
12 | + | ||
13 | +/** | ||
14 | + * etunicorn-server | ||
15 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
16 | + * Tous droits réservés | ||
17 | + */ | ||
18 | +public class SecurityInterceptor extends HandlerInterceptorAdapter { | ||
19 | + @Autowired | ||
20 | + SessionService sessionService; | ||
21 | + @Autowired | ||
22 | + PermissionRepository permissionRepository; | ||
23 | + | ||
24 | + public SecurityInterceptor() { | ||
25 | + super(); | ||
26 | + } | ||
27 | + | ||
28 | + @Override | ||
29 | + @Transactional | ||
30 | + public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { | ||
31 | + Session session = sessionService.getSession(request); | ||
32 | + | ||
33 | + HandlerMethod method = (HandlerMethod) handler; | ||
34 | + RestrictedTo annotation = method.getMethodAnnotation(RestrictedTo.class); | ||
35 | + | ||
36 | + Permission requiredPermission = permissionRepository.findByNom(annotation.value()); | ||
37 | + if (requiredPermission == null) { | ||
38 | + response.setStatus(HttpStatus.NOT_IMPLEMENTED.value()); | ||
39 | + return false; | ||
40 | + } | ||
41 | + | ||
42 | + if (annotation.authentifie()) { | ||
43 | + if (session == null) { | ||
44 | + response.setStatus(HttpStatus.UNAUTHORIZED.value()); | ||
45 | + return false; | ||
46 | + } else { | ||
47 | + if (!session.hasPermission(requiredPermission)) { | ||
48 | + response.setStatus(HttpStatus.FORBIDDEN.value()); | ||
49 | + return false; | ||
50 | + } | ||
51 | + } | ||
52 | + } | ||
53 | + return super.preHandle(request, response, handler); | ||
54 | + } | ||
55 | + | ||
56 | + @Override | ||
57 | + public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { | ||
58 | + super.postHandle(request, response, handler, modelAndView); | ||
59 | + } | ||
60 | + | ||
61 | + @Override | ||
62 | + public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception { | ||
63 | + super.afterCompletion(request, response, handler, ex); | ||
64 | + } | ||
65 | + | ||
66 | + @Override | ||
67 | + public void afterConcurrentHandlingStarted(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { | ||
68 | + super.afterConcurrentHandlingStarted(request, response, handler); | ||
69 | + } | ||
70 | +} |
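Review bot: `preHandle` (new lines 30–54) casts `handler` to `HandlerMethod` and dereferences `annotation` without a null check, so a request that reaches a non-controller handler (static resources, for example) ends in a ClassCastException and a controller method without `@RestrictedTo` in a NullPointerException — both 500s by accident rather than by decision. The permission lookup at new line 36 also runs before `authentifie()` is consulted, so `@RestrictedTo(authentifie = false)` with the default empty `value()` (the login endpoint) is refused with 501 unless a permission named `""` exists, and `sessionService.getSession` hits the database even for public endpoints. The rewrite below passes non-method handlers through, denies un-annotated controller methods (fail closed — Spring Boot's error controller and any other public handler then needs an explicit `@RestrictedTo(authentifie = false)` or a path exclusion in `WebMvcConfig`), checks authentication before permission, and treats an empty `value()` as "any authenticated user". The `postHandle`, `afterCompletion` and `afterConcurrentHandlingStarted` overrides only call `super` and can be deleted.
```java
    @Override
    @Transactional
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Static resources and other non-controller handlers carry no annotation; leave them to Spring.
        if (!(handler instanceof HandlerMethod)) {
            return super.preHandle(request, response, handler);
        }
        RestrictedTo annotation = ((HandlerMethod) handler).getMethodAnnotation(RestrictedTo.class);
        // Fail closed: a controller method that forgot the annotation is not exposed by accident.
        if (annotation == null) {
            response.setStatus(HttpStatus.FORBIDDEN.value());
            return false;
        }
        if (!annotation.authentifie()) {
            return super.preHandle(request, response, handler);
        }
        Session session = sessionService.getSession(request);
        if (session == null) {
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            return false;
        }
        // An empty value means "any authenticated user"; a non-empty one must exist and be granted.
        if (!annotation.value().isEmpty()) {
            Permission requiredPermission = permissionRepository.findByNom(annotation.value());
            if (requiredPermission == null) {
                response.setStatus(HttpStatus.NOT_IMPLEMENTED.value());
                return false;
            }
            if (!session.hasPermission(requiredPermission)) {
                response.setStatus(HttpStatus.FORBIDDEN.value());
                return false;
            }
        }
        return super.preHandle(request, response, handler);
    }
    // … unchanged: postHandle, afterCompletion, afterConcurrentHandlingStarted (candidates for removal) …
```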
src/main/java/etunicorn/Session.java
@@ -8,7 +8,9 @@ import java.security.SecureRandom; | @@ -8,7 +8,9 @@ import java.security.SecureRandom; | ||
8 | import java.util.Date; | 8 | import java.util.Date; |
9 | 9 | ||
10 | /** | 10 | /** |
11 | - * Created by geoffrey on 04/02/17. | 11 | + * etunicorn-server |
12 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
13 | + * Tous droits réservés | ||
12 | */ | 14 | */ |
13 | @Entity | 15 | @Entity |
14 | public class Session { | 16 | public class Session { |
@@ -16,11 +18,11 @@ public class Session { | @@ -16,11 +18,11 @@ public class Session { | ||
16 | // Durée par défaut d'une session en secondes | 18 | // Durée par défaut d'une session en secondes |
17 | private static final int SESSION_DURATION = 10 * 60; | 19 | private static final int SESSION_DURATION = 10 * 60; |
18 | private static SecureRandom random = new SecureRandom(); | 20 | private static SecureRandom random = new SecureRandom(); |
21 | + // TODO Vérifier si c'est bien initialisé qu'une seule fois par éxecution car c'est lourd à initialiser | ||
19 | @ManyToOne | 22 | @ManyToOne |
20 | private Personne personne; | 23 | private Personne personne; |
21 | @Id | 24 | @Id |
22 | private String token; | 25 | private String token; |
23 | - // TODO Vérifier si c'est bien initialisé qu'une seule fois par éxecution car c'est lourd à initialiser | ||
24 | private Date validity; | 26 | private Date validity; |
25 | 27 | ||
26 | 28 | ||
@@ -34,6 +36,12 @@ public class Session { | @@ -34,6 +36,12 @@ public class Session { | ||
34 | this.validity = new Date(new Date().getTime() + SESSION_DURATION * 1000); | 36 | this.validity = new Date(new Date().getTime() + SESSION_DURATION * 1000); |
35 | } | 37 | } |
36 | 38 | ||
39 | + public Session(Personne personne, String token, Date validity) { | ||
40 | + this.personne = personne; | ||
41 | + this.token = token; | ||
42 | + this.validity = validity; | ||
43 | + } | ||
44 | + | ||
37 | public Personne getPersonne() { | 45 | public Personne getPersonne() { |
38 | return personne; | 46 | return personne; |
39 | } | 47 | } |
@@ -57,4 +65,8 @@ public class Session { | @@ -57,4 +65,8 @@ public class Session { | ||
57 | public void setValidity(Date validity) { | 65 | public void setValidity(Date validity) { |
58 | this.validity = validity; | 66 | this.validity = validity; |
59 | } | 67 | } |
68 | + | ||
69 | + public boolean hasPermission(Permission permission) { | ||
70 | + return personne.hasPermission(permission); | ||
71 | + } | ||
60 | } | 72 | } |
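Review bot: The new three-argument constructor (new lines 39–43) is the only way to create a `Session` whose token is not drawn from `SecureRandom`, and its only caller visible in this commit is the demo seed in `Application`, where it installs the literal token `"A"`; if it must stay, document in its Javadoc that it exists for test fixtures and validate its inputs (`Objects.requireNonNull(personne, "personne")`, likewise `token` and `validity`) so `hasPermission` at new line 70 cannot fail on a null `personne`. The moved TODO at new line 21 now sits directly under the `random` field it talks about, which reads better, but the question it asks is answerable from the code: a `static` field is initialised once per class load, so the comment can become `// Initialised once per JVM (static field); seeding the SecureRandom is the expensive part`.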
src/main/java/etunicorn/SessionRepository.java
@@ -3,7 +3,9 @@ package etunicorn; | @@ -3,7 +3,9 @@ package etunicorn; | ||
3 | import org.springframework.data.repository.CrudRepository; | 3 | import org.springframework.data.repository.CrudRepository; |
4 | 4 | ||
5 | /** | 5 | /** |
6 | - * Created by geoffrey on 04/02/17. | 6 | + * etunicorn-server |
7 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
8 | + * Tous droits réservés | ||
7 | */ | 9 | */ |
8 | public interface SessionRepository extends CrudRepository<Session, Long> { | 10 | public interface SessionRepository extends CrudRepository<Session, Long> { |
9 | Session findByToken(String token); | 11 | Session findByToken(String token); |
@@ -0,0 +1,58 @@ | @@ -0,0 +1,58 @@ | ||
1 | +package etunicorn; | ||
2 | + | ||
3 | +import org.springframework.beans.factory.annotation.Autowired; | ||
4 | +import org.springframework.stereotype.Service; | ||
5 | + | ||
6 | +import javax.servlet.http.HttpServletRequest; | ||
7 | +import java.util.Date; | ||
8 | + | ||
9 | +/** | ||
10 | + * etunicorn-server | ||
11 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
12 | + * Tous droits réservés | ||
13 | + */ | ||
14 | +@Service("sessionService") | ||
15 | +public class SessionService { | ||
16 | + @Autowired | ||
17 | + private SessionRepository sessionRepository; | ||
18 | + @Autowired | ||
19 | + private PersonneRepository personneRepository; | ||
20 | + | ||
21 | + public SessionService() { | ||
22 | + } | ||
23 | + | ||
24 | + public Session getSession(HttpServletRequest request) { | ||
25 | + String token = request.getHeader("Authorization"); | ||
26 | + return getSession(token); | ||
27 | + } | ||
28 | + | ||
29 | + public Session getSession(String token) { | ||
30 | + if (token == null) { | ||
31 | + return null; | ||
32 | + } else { | ||
33 | + Session session = sessionRepository.findByToken(token); | ||
34 | + if (session == null) { | ||
35 | + return null; | ||
36 | + } else { | ||
37 | + if (session.getValidity().compareTo(new Date()) < 0) { | ||
38 | + return null; | ||
39 | + } else { | ||
40 | + // Vérifie si la personne est toujours dans la base de données | ||
41 | + Personne personne = personneRepository.findById(session.getPersonne().getId()); | ||
42 | + if (personne == null) { | ||
43 | + return null; | ||
44 | + } else { | ||
45 | + return session; | ||
46 | + } | ||
47 | + } | ||
48 | + } | ||
49 | + } | ||
50 | + } | ||
51 | + | ||
52 | + public Session createSession(Personne personne) { | ||
53 | + Session session = new Session(personne); | ||
54 | + sessionRepository.save(session); | ||
55 | + return session; | ||
56 | + } | ||
57 | + | ||
58 | +} |
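Review bot: `getSession(String)` (new lines 29–50) nests four `if`/`else` levels where each inner branch simply returns null; guard clauses read more directly and make the four rejection reasons (no token, unknown token, expired token, deleted person) visible at a glance. Expired sessions are detected but never removed, so the session table grows by one row per login; deleting on the expired path (as below) or a scheduled purge keeps `findByToken` cheap. `getSession(HttpServletRequest)` treats the raw `Authorization` header as the token with no scheme prefix; a Javadoc saying so, `/** The token is the raw Authorization header value, without a "Bearer " prefix. */`, would stop clients from sending the conventional form.
```java
    public Session getSession(String token) {
        if (token == null) {
            return null;
        }
        Session session = sessionRepository.findByToken(token);
        if (session == null) {
            return null;
        }
        if (session.getValidity().compareTo(new Date()) < 0) {
            // Expired: drop the row so dead sessions do not accumulate.
            sessionRepository.delete(session);
            return null;
        }
        // Vérifie si la personne est toujours dans la base de données
        if (personneRepository.findById(session.getPersonne().getId()) == null) {
            return null;
        }
        return session;
    }
```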
src/main/java/etunicorn/WebMvcConfig.java
1 | package etunicorn; | 1 | package etunicorn; |
2 | 2 | ||
3 | +import org.springframework.context.annotation.Bean; | ||
3 | import org.springframework.context.annotation.Configuration; | 4 | import org.springframework.context.annotation.Configuration; |
4 | import org.springframework.web.servlet.config.annotation.InterceptorRegistry; | 5 | import org.springframework.web.servlet.config.annotation.InterceptorRegistry; |
5 | import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; | 6 | import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; |
@@ -13,9 +14,16 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter | @@ -13,9 +14,16 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter | ||
13 | @Configuration | 14 | @Configuration |
14 | public class WebMvcConfig extends WebMvcConfigurerAdapter { | 15 | public class WebMvcConfig extends WebMvcConfigurerAdapter { |
15 | 16 | ||
17 | + // http://stackoverflow.com/a/18218439 | ||
18 | + @Bean | ||
19 | + public SecurityInterceptor securityInterceptor() { | ||
20 | + return new SecurityInterceptor(); | ||
21 | + } | ||
22 | + | ||
16 | @Override | 23 | @Override |
17 | public void addInterceptors(InterceptorRegistry registry) { | 24 | public void addInterceptors(InterceptorRegistry registry) { |
18 | registry.addInterceptor(new GitHeaderInterceptor()); | 25 | registry.addInterceptor(new GitHeaderInterceptor()); |
26 | + registry.addInterceptor(securityInterceptor()); | ||
19 | } | 27 | } |
20 | } | 28 | } |
21 | 29 |
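Review bot: The comment `// http://stackoverflow.com/a/18218439` at new line 17 explains nothing to a reader without the link; state the reason in place: `// Declared as a @Bean so its @Autowired fields are injected; a bare new SecurityInterceptor() would run with null repositories`. Calling `securityInterceptor()` from `addInterceptors` (new line 26) returns the managed bean only because this is a `@Configuration` class whose methods Spring intercepts, which is worth a word in the same comment. The interceptor is registered for every path with no `addPathPatterns`/`excludePathPatterns`, so it also runs for static resources and the error endpoint — make sure `SecurityInterceptor.preHandle` tolerates handlers that are not annotated controller methods, or exclude those paths here.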
src/main/java/etunicorn/databaseConfiguration/SQLiteDialect.java
1 | package etunicorn.databaseConfiguration; | 1 | package etunicorn.databaseConfiguration; |
2 | 2 | ||
3 | /** | 3 | /** |
4 | - * Created by badet on 29/01/2017. | 4 | + * etunicorn-server |
5 | + * Copyright © 2017 Le Club Info Polytech Lille | ||
6 | + * Tous droits réservés | ||
5 | */ | 7 | */ |
6 | 8 | ||
7 | import org.hibernate.dialect.Dialect; | 9 | import org.hibernate.dialect.Dialect; |