diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
index 19c6ab34bbee37a92b2d0669f1e8b6763980c7af..6ceca04328afecd0a281618cd0c089185452c251 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/ACSearchRunner.java
@@ -68,11 +68,14 @@
  */
 package ca.nrc.cadc.ac.server.web;
 
+import java.security.AccessControlContext;
 import java.security.AccessControlException;
+import java.security.AccessController;
 import java.security.Principal;
 import java.util.Collection;
 import java.util.Date;
 
+import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.log4j.Logger;
@@ -84,7 +87,6 @@ import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.GroupPersistence;
 import ca.nrc.cadc.ac.server.PluginFactory;
 import ca.nrc.cadc.ac.server.RequestValidator;
-import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.net.TransientException;
 import ca.nrc.cadc.uws.ExecutionPhase;
 import ca.nrc.cadc.uws.Job;
@@ -154,6 +156,8 @@ public class ACSearchRunner implements JobRunner
         
         try
         {
+
+            
             ExecutionPhase ep = 
                 jobUpdater.setPhase(job.getID(), ExecutionPhase.QUEUED, 
                                     ExecutionPhase.EXECUTING, new Date());
@@ -166,6 +170,23 @@ public class ACSearchRunner implements JobRunner
             RequestValidator rv = new RequestValidator();
             rv.validate(job.getParameterList());
             
+            // only allow users to search themselves...
+            Principal userBeingSearched = rv.getPrincipal();
+            if (userBeingSearched != null)
+            {
+                AccessControlContext acContext = AccessController.getContext();
+                Subject subject = Subject.getSubject(acContext);
+                boolean idMatch = false;
+                for (Principal p : subject.getPrincipals())
+                {
+                    if (p.equals(userBeingSearched))
+                        idMatch = true;
+                }
+                if (!idMatch)
+                    throw new AccessControlException("Can only search oneself.");
+            }
+
+            
             PluginFactory factory = new PluginFactory();
             GroupPersistence dao = factory.getGroupPersistence();
             Collection<Group> groups = 
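Review bot: `Subject.getSubject(acContext)` can return null when no Subject is bound to the current access control context, and the loop over `subject.getPrincipals()` would then fail with a NullPointerException instead of the AccessControlException this check is meant to raise; guard it before the loop with `if (subject == null) throw new AccessControlException("Can only search oneself.");`. The loop can also `break` on the first match, since `idMatch` never changes back. Whether the check is too strict depends on what the Subject carries: if it holds only the principal used to connect, a caller searching for a different identity type of their own would be denied, which is worth confirming against how the Subject is built. The enclosing method starts and ends outside this hunk.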
@@ -246,7 +267,7 @@ public class ACSearchRunner implements JobRunner
             logInfo.setMessage(t.getMessage());
             log.debug("FAIL", t);
             
-            syncOut.setResponseCode(401);
+            syncOut.setResponseCode(403);
             
 //            ErrorSummary errorSummary =
 //                new ErrorSummary(t.getMessage(), ErrorType.FATAL);
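Review bot: The catch that sets the response code starts outside this hunk, so the exception type it handles is not visible; if it is a broad catch, every failure in the search, including a request with no Subject at all, now answers 403. 403 is the right code for an authenticated caller that fails the self-search check, but an unauthenticated caller should still receive 401; if this catch covers both, distinguish them before `syncOut.setResponseCode(403);`. The same 401→403 change in GroupsAction (the `sendError(403, message)` hunk) raises the same question for its AccessControlException handler.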
@@ -284,36 +305,4 @@ public class ACSearchRunner implements JobRunner
         }
     }
     
-//    private Principal getUserPrincipal(String userID, IdentityType type)
-//    {
-//        if (type == IdentityType.OPENID)
-//        {
-//            return new OpenIdPrincipal(userID);
-//        }
-//        if (type == IdentityType.UID)
-//        {
-//            try
-//            {
-//                Long numericId = Long.valueOf(userID);
-//                return new NumericPrincipal(numericId);
-//            }
-//            catch (NumberFormatException e)
-//            {
-//                throw new IllegalArgumentException("Illegal UID userID " +
-//                                                   userID + " because " +
-//                                                   e.getMessage());
-//            }
-//        }
-//        if (type == IdentityType.USERNAME)
-//        {
-//            return new HttpPrincipal(userID);
-//        }
-//        if (type == IdentityType.X500)
-//        {
-//            return new X500Principal(userID);
-//        }
-//        throw new IllegalArgumentException("Unknown user type " + 
-//                                           type.getValue());
-//    }
-    
 }
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java
index e1846d21afb1c07032606f2d7344dd077543e550..02f64926a9982e7ae88b89bed6c054087cb473a9 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsAction.java
@@ -68,26 +68,28 @@
  */
 package ca.nrc.cadc.ac.server.web;
 
-import ca.nrc.cadc.ac.GroupAlreadyExistsException;
-import ca.nrc.cadc.ac.GroupNotFoundException;
-import ca.nrc.cadc.ac.MemberAlreadyExistsException;
-import ca.nrc.cadc.ac.MemberNotFoundException;
-import ca.nrc.cadc.ac.UserNotFoundException;
-import ca.nrc.cadc.ac.server.GroupPersistence;
-import ca.nrc.cadc.ac.server.PluginFactory;
-import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.net.TransientException;
 import java.io.IOException;
-import java.io.PrintWriter;
 import java.security.AccessControlException;
 import java.security.Principal;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
+
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
+
 import org.apache.log4j.Logger;
 
+import ca.nrc.cadc.ac.GroupAlreadyExistsException;
+import ca.nrc.cadc.ac.GroupNotFoundException;
+import ca.nrc.cadc.ac.MemberAlreadyExistsException;
+import ca.nrc.cadc.ac.MemberNotFoundException;
+import ca.nrc.cadc.ac.UserNotFoundException;
+import ca.nrc.cadc.ac.server.GroupPersistence;
+import ca.nrc.cadc.ac.server.PluginFactory;
+import ca.nrc.cadc.ac.server.UserPersistence;
+import ca.nrc.cadc.net.TransientException;
+
 public abstract class GroupsAction
     implements PrivilegedExceptionAction<Object>
 {
@@ -131,9 +133,9 @@ public abstract class GroupsAction
         catch (AccessControlException e)
         {
             log.debug(e);
-            String message = "Unauthorized";
+            String message = "Permission Denied";
             this.logInfo.setMessage(message);
-            sendError(401, message);
+            sendError(403, message);
         }
         catch (IllegalArgumentException e)
         {
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java
index 9e86d6dc88459c71314d7e198a2b59324e43d230..dd62ed5cdb871629bb86aa975b1a24e7b583e492 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/GroupsServlet.java
@@ -94,16 +94,6 @@ public class GroupsServlet extends HttpServlet
         try
         {
             log.info(logInfo.start());
-
-            // Note: For this servlet, one does not want the subject to be
-            // augmented with all user principals, only the one in which
-            // they used to connect to the service.  This is accomplished
-            // by ensuring that there is no authenticator implementation
-            // available in the classpath with the name:
-            //   ca.nrc.cadc.auth.AuthenticatorImpl.class
-            // See cadcUtil method ca.nrc.cadc.auth.AuthenticationUtil#getAuthenticator()
-            // for more information.
-            
             Subject subject = AuthenticationUtil.getSubject(request);
             logInfo.setSubject(subject);
             GroupsAction action = GroupsActionFactory.getGroupsAction(request, logInfo);
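Review bot: Deleting this comment removes the only stated reason the Subject is not augmented with all of the user's principals (no `ca.nrc.cadc.auth.AuthenticatorImpl` on the classpath), and the new principal-equality check in ACSearchRunner depends on exactly which principals the Subject holds. If the constraint still applies, keep a one-line pointer such as `// Subject is intentionally not augmented with all user principals; see AuthenticationUtil#getAuthenticator()`; if it no longer applies, say so instead, since the self-search check in ACSearchRunner behaves differently in the two cases. The enclosing method starts outside this hunk.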