jwt token expiration test
diff --git a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
index aa1e00b..6563563 100644
--- a/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
+++ b/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -117,7 +117,7 @@
return signContent(username, "", "", ttl);
}
- private SignedJWT verifyToken(String token) throws KustvaktException {
+ public SignedJWT verifyToken(String token) throws KustvaktException {
SignedJWT client;
try {
client = SignedJWT.parse(token);
diff --git a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
index 406d319..9f1bdee 100644
--- a/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
+++ b/src/main/java/de/ids_mannheim/korap/config/KustvaktConfiguration.java
@@ -92,6 +92,7 @@
*/
protected Properties load(Properties properties)
throws MalformedURLException {
+ properties.list(System.out);
maxhits = new Integer(properties.getProperty("maxhits", "50000"));
returnhits = new Integer(properties.getProperty("returnhits", "50000"));
indexDir = properties.getProperty("lucene.indexDir", "");
diff --git a/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java b/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
index 33dc18d..ec611e7 100644
--- a/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
+++ b/src/main/java/de/ids_mannheim/korap/security/ac/PolicyDao.java
@@ -16,6 +16,7 @@
import de.ids_mannheim.korap.utils.KustvaktLogger;
import de.ids_mannheim.korap.utils.StringUtils;
import de.ids_mannheim.korap.utils.TimeUtils;
+import org.slf4j.Logger;
import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.ResultSetExtractor;
import org.springframework.jdbc.core.RowCallbackHandler;
@@ -37,6 +38,9 @@
// todo: transactions and exception management
public class PolicyDao implements PolicyHandlerIface {
+ private static final Logger jlog = KustvaktLogger
+ .getLogger(PolicyDao.class);
+
private NamedParameterJdbcTemplate jdbcTemplate;
public PolicyDao(PersistenceClient client) {
@@ -90,9 +94,8 @@
this.mapConstraints(policy);
return policy.getID();
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (INSERT) not possible for '{}' for user '{}'",
- policy.toString(), user.getId());
+ jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+ policy.toString(), user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_INSERT_FAILED, policy.toString());
}
@@ -141,9 +144,9 @@
}
policy.clear();
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (MAPPING POLICY CONDITIONS) not possible for '{}' for user '{}'",
- policy.toString(), policy.getCreator());
+ jlog.error(
+ "Operation (MAPPING POLICY CONDITIONS) not possible for '{}' for user '{}'",
+ policy.toString(), policy.getCreator());
// throwing an error here is not recommended
// throw new dbException(policy.getCreator(), "policy_store",
// StatusCodes.DB_INSERT_FAILED, policy.toString());
@@ -181,9 +184,9 @@
this.addToCondition(Arrays.asList(user.getUsername()), cond,
admin);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (SELECT) not possible for '{}' for user '{}'",
- policy.getTarget(), user.getId());
+ jlog.error(
+ "Operation (SELECT) not possible for '{}' for user '{}'",
+ policy.getTarget(), user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_GET_FAILED, policy.toString());
}
@@ -228,9 +231,9 @@
}
});
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied for policy retrieval for '{}' for user '{}'",
- target, user.getId());
+ jlog.error(
+ "Permission Denied for policy retrieval for '{}' for user '{}'",
+ target, user.getId());
return new List[2];
}
}
@@ -273,9 +276,9 @@
}
});
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied for policy retrieval for '{}' for user '{}'",
- target, user.getId());
+ jlog.error(
+ "Permission Denied for policy retrieval for '{}' for user '{}'",
+ target, user.getId());
return new List[2];
}
}
@@ -316,9 +319,9 @@
}
});
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied for retrieval for resource id '{}' for user '{}'",
- path, user.getId());
+ jlog.error(
+ "Permission Denied for retrieval for resource id '{}' for user '{}'",
+ path, user.getId());
return new List[2];
}
}
@@ -396,9 +399,9 @@
return this.jdbcTemplate.query(sql, param,
new SecurityRowMappers.HierarchicalResultExtractor());
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied for retrieval for path '{}' for user '{}'",
- path, user.getId());
+ jlog.error(
+ "Permission Denied for retrieval for path '{}' for user '{}'",
+ path, user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_GET_FAILED, path, clazz.toString());
}
@@ -470,9 +473,9 @@
return this.jdbcTemplate.query(sql, param,
new SecurityRowMappers.HierarchicalResultExtractor());
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied for retrieval for path '{}' for user '{}'",
- name, user.getId());
+ jlog.error(
+ "Permission Denied for retrieval for path '{}' for user '{}'",
+ name, user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_GET_FAILED, name, clazz.toString());
}
@@ -495,9 +498,8 @@
return this.jdbcTemplate
.update("DELETE FROM policy_store WHERE id=:id", param);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (DELETE) not possible for '{}' for user '{}'",
- policy.toString(), user.getId());
+ jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+ policy.toString(), user.getId());
throw new dbException(user.getId(), "policy_store, group_ref",
StatusCodes.DB_DELETE_FAILED, policy.toString());
}
@@ -512,9 +514,8 @@
try {
this.jdbcTemplate.update(sql, param);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (DELETE) not possible for '{}' for user '{}'",
- id, user.getId());
+ jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+ id, user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_DELETE_FAILED, id);
}
@@ -536,9 +537,8 @@
this.mapConstraints(policy);
return result;
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (UPDATE) not possible for '{}' for user '{}'",
- policy.toString(), user.getId());
+ jlog.error("Operation (UPDATE) not possible for '{}' for user '{}'",
+ policy.toString(), user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_UPDATE_FAILED, policy.toString());
}
@@ -557,9 +557,8 @@
try {
return this.jdbcTemplate.queryForObject(sql1, param, Integer.class);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (SELECT) not possible for '{}' for user '{}'",
- policy.getTarget(), user.getId());
+ jlog.error("Operation (SELECT) not possible for '{}' for user '{}'",
+ policy.getTarget(), user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_GET_FAILED, policy.toString());
}
@@ -597,9 +596,8 @@
try {
return this.jdbcTemplate.queryForObject(sql, param, Integer.class);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (SELECT) not possible for '{}' for user '{}'",
- group, user.getId());
+ jlog.error("Operation (SELECT) not possible for '{}' for user '{}'",
+ group, user.getId());
throw new dbException(user.getId(), "policy_store",
StatusCodes.DB_GET_FAILED, group);
}
@@ -621,9 +619,8 @@
+ "VALUES (:name, :sy, :ex, :com);", param, key);
return key.getKey().intValue();
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (INSERT) not possible for '{}'",
- condition.toString());
+ jlog.error("Operation (INSERT) not possible for '{}'",
+ condition.toString());
throw new dbException(user.getId(), "group_store",
StatusCodes.DB_INSERT_FAILED, condition.toString());
}
@@ -644,9 +641,8 @@
param.addValue("status", BooleanUtils.getBoolean(admin));
return this.jdbcTemplate.update(insert, param);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (INSERT) not possible for '{}' for user '{}'",
- condition.toString(), username);
+ jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+ condition.toString(), username);
throw new dbException(null, "group_store",
StatusCodes.DB_INSERT_FAILED, condition.toString());
}
@@ -698,9 +694,8 @@
//fixme: problem - unique constraints throws exception. skip that user entry?!
return this.jdbcTemplate.batchUpdate(insert, sources);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (INSERT) not possible for '{}' for user '{}'",
- condition.toString(), usernames);
+ jlog.error("Operation (INSERT) not possible for '{}' for user '{}'",
+ condition.toString(), usernames);
throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
}
}
@@ -725,9 +720,8 @@
try {
this.jdbcTemplate.batchUpdate(del, sources);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (DELETE) not possible for '{}' for user '{}'",
- condition.toString(), usernames);
+ jlog.error("Operation (DELETE) not possible for '{}' for user '{}'",
+ condition.toString(), usernames);
throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
}
}
@@ -748,9 +742,8 @@
try {
this.jdbcTemplate.update(insert, source);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (INSERT) not possible for '{}",
- param.toString());
+ jlog.error("Operation (INSERT) not possible for '{}",
+ param.toString());
throw new KustvaktException(e, StatusCodes.CONNECTION_ERROR);
}
}
@@ -766,9 +759,8 @@
try {
return this.jdbcTemplate.queryForList(sql1, source, String.class);
}catch (DataAccessException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation (SELECT) not possible for '{}'",
- condition.toString());
+ jlog.error("Operation (SELECT) not possible for '{}'",
+ condition.toString());
throw new KustvaktException(StatusCodes.CONNECTION_ERROR);
}
}
diff --git a/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java b/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
index 09f48b5..d1fc2b9 100644
--- a/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
+++ b/src/main/java/de/ids_mannheim/korap/security/ac/SecurityManager.java
@@ -16,7 +16,6 @@
import de.ids_mannheim.korap.user.User;
import de.ids_mannheim.korap.utils.KustvaktLogger;
import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import java.util.*;
@@ -32,10 +31,12 @@
@SuppressWarnings("all")
public class SecurityManager<T extends KustvaktResource> {
- private static final Logger secLogger = LoggerFactory
- .getLogger(KustvaktLogger.SECURITY_LOG);
- private static final Logger errorLogger = LoggerFactory
- .getLogger(KustvaktLogger.ERROR_LOG);
+ // private static final Logger errorLogger = LoggerFactory
+ // .getLogger(KustvaktLogger.ERROR_LOG);
+
+ private static final Logger jlog = KustvaktLogger
+ .getLogger(SecurityManager.class);
+
private static PolicyHandlerIface policydao;
private static Map<Class<? extends KustvaktResource>, ResourceOperationIface> handlers;
private static EncryptionIface crypto;
@@ -66,7 +67,7 @@
SecurityManager.policydao = policyHandler;
SecurityManager.crypto = crypto;
SecurityManager.handlers = new HashMap<>();
- secLogger.info("Registering handlers: {}", Arrays.asList(ifaces));
+ jlog.info("Registering handlers: {}", Arrays.asList(ifaces));
for (ResourceOperationIface iface : ifaces)
handlers.put(iface.getType(), iface);
}
@@ -138,10 +139,8 @@
if (evaluator.isAllowed(Permissions.PERMISSIONS.READ)) {
return this.resource;
}else {
- secLogger
- .error("Reading the resource '{}' is not allowed for user '{}'",
- this.resource.getPersistentID(),
- this.user.getUsername());
+ jlog.error("Reading the resource '{}' is not allowed for user '{}'",
+ this.resource.getPersistentID(), this.user.getUsername());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
evaluator.getResourceID());
}
@@ -157,10 +156,9 @@
handlers.get(KustvaktResource.class)
.updateResource(resource, this.user);
}else {
- secLogger
- .error("Updating the resource '{}' is not allowed for user '{}'",
- this.resource.getPersistentID(),
- this.user.getUsername());
+ jlog.error(
+ "Updating the resource '{}' is not allowed for user '{}'",
+ this.resource.getPersistentID(), this.user.getUsername());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
this.evaluator.getResourceID());
}
@@ -214,9 +212,8 @@
this.evaluator = new PolicyEvaluator(this.user, this.policies);
if (this.policies == null) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No policies found for resource id '{}' for user '{}'",
- id, user.getId());
+ jlog.error("No policies found for resource id '{}' for user '{}'",
+ id, user.getId());
throw new EmptyResultException(String.valueOf(id));
}
return true;
@@ -226,9 +223,8 @@
private T findResource(Class type)
throws NotAuthorizedException, KustvaktException {
if (!evaluator.isAllowed()) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission denied for resource id '{}' for user '{}'",
- this.evaluator.getResourceID(), user.getId());
+ jlog.error("Permission denied for resource id '{}' for user '{}'",
+ this.evaluator.getResourceID(), user.getId());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
this.evaluator.getResourceID());
}
@@ -262,9 +258,9 @@
SecurityManager.findbyId(resource.getParentID(), user,
Permissions.PERMISSIONS.ALL);
}catch (EmptyResultException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No policies found for parent '{}' for user '{}'",
- resource.getParentID(), user.getId());
+ jlog.error(
+ "No policies found for parent '{}' for user '{}'",
+ resource.getParentID(), user.getId());
throw new KustvaktException(StatusCodes.EMPTY_RESULTS);
}
}
@@ -279,10 +275,9 @@
if (newid | !p.checkResource(resource.getPersistentID(), user)) {
resource.setOwner(user.getId());
- KustvaktLogger.SECURITY_LOGGER
- .info("Creating Access Control structure for resource '"
- + resource.getPersistentID() + "@" + resource
- .getId() + "'");
+ jlog.info("Creating Access Control structure for resource '"
+ + resource.getPersistentID() + "@" + resource.getId()
+ + "'");
// storing resource is called twice. first when this is register and later in idsbootstrap to create cstorage entry. how to unify this?
ResourceOperationIface iface = p.handlers
.get(resource.getClass());
@@ -301,9 +296,9 @@
Permissions.PERMISSIONS.READ_POLICY,
Permissions.PERMISSIONS.MODIFY_POLICY);
}catch (EmptyResultException e) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No policies found for '{}' for user '{}'. Resource could not be registered!",
- resource.getPersistentID(), user.getId());
+ jlog.error(
+ "No policies found for '{}' for user '{}'. Resource could not be registered!",
+ resource.getPersistentID(), user.getId());
throw new KustvaktException(user.getId(),
StatusCodes.POLICY_CREATE_ERROR,
"Resource could not be registered",
@@ -349,17 +344,15 @@
public void addPolicy(SecurityPolicy policy, Parameter... params)
throws KustvaktException, NotAuthorizedException {
if (policy.getConditions().isEmpty()) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No conditions set for '{}' for user '{}'",
- policy.toString(), this.user.getId());
+ jlog.error("No conditions set for '{}' for user '{}'",
+ policy.toString(), this.user.getId());
throw new NotAuthorizedException(StatusCodes.ILLEGAL_ARGUMENT,
policy.getTarget());
}
if (this.policies[0] == null) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No policies found for '{}' for user '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error("No policies found for '{}' for user '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new NotAuthorizedException(StatusCodes.UNSUPPORTED_OPERATION,
policy.getTarget());
}
@@ -372,9 +365,9 @@
if (evaluator.isAllowed(Permissions.PERMISSIONS.CREATE_POLICY)) {
policydao.createPolicy(policy, this.user);
}else if (silent) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied (CREATE_POLICY) on '{}' for user '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error(
+ "Permission Denied (CREATE_POLICY) on '{}' for user '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
policy.getTarget());
}
@@ -411,9 +404,8 @@
this.evaluator.getResourceID());
if (this.policies[0] == null) {
- KustvaktLogger.SECURITY_LOGGER
- .error("No policies found (DELETE_POLICY) on '{}' for '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error("No policies found (DELETE_POLICY) on '{}' for '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new KustvaktException(user.getId(), StatusCodes.NO_POLICIES,
"no policy desicion possible",
this.evaluator.getResourceID());
@@ -422,9 +414,8 @@
.isAllowed(Permissions.PERMISSIONS.DELETE_POLICY))) {
policydao.deletePolicy(policy, this.user);
}else if (silent) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
"no policy desicion possible",
this.evaluator.getResourceID());
@@ -440,9 +431,9 @@
throw new NotAuthorizedException(StatusCodes.ILLEGAL_ARGUMENT);
if (this.policies[0] == null) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Operation not possible (MODIFY_POLICY) on '{}' for '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error(
+ "Operation not possible (MODIFY_POLICY) on '{}' for '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new KustvaktException(user.getId(), StatusCodes.NO_POLICIES,
"no policy desicion possible",
this.evaluator.getResourceID());
@@ -452,9 +443,8 @@
.isAllowed(Permissions.PERMISSIONS.MODIFY_POLICY))) {
policydao.updatePolicy(policy, this.user);
}else if (silent) {
- KustvaktLogger.SECURITY_LOGGER
- .error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
- this.evaluator.getResourceID(), this.user.getId());
+ jlog.error("Permission Denied (DELETE_POLICY) on '{}' for '{}'",
+ this.evaluator.getResourceID(), this.user.getId());
throw new NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
this.evaluator.getResourceID());
}
diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties
index ff5d34c..ed7269f 100644
--- a/src/main/resources/log4j.properties
+++ b/src/main/resources/log4j.properties
@@ -15,6 +15,12 @@
log4j.appender.errorLog.layout.ConversionPattern=%d{MMM dd, yyyy HH:mm:ss} %C{6} - %M %n %-5p: %m%n
log4j.appender.errorLog.File=./logs/errors.log
+log4j.appender.policyLog=org.apache.log4j.RollingFileAppender
+log4j.appender.policyLog.layout=org.apache.log4j.PatternLayout
+log4j.appender.policyLog.layout.ConversionPattern=%d{MMM dd, yyyy HH:mm:ss} %C{6} - %M %n %-5p: %m%n
+log4j.appender.policyLog.File=./logs/policies.log
+
+log4j.logger.de.ids_mannheim.korap.security.ac = DEBUG, policyLog
log4j.appender.debugLog=org.apache.log4j.RollingFileAppender
log4j.appender.debugLog.layout=org.apache.log4j.PatternLayout