Commit aa7e15d4 authored by Andrea Aime's avatar Andrea Aime Committed by Jean Pommier

[GEOS-9203] RestControllerAdvice eats security exceptions turning them into HTTP 500

parent cdf524a0
......@@ -12,9 +12,12 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.ows.Dispatcher;
import org.geoserver.platform.GeoServerExtensions;
import org.geotools.util.logging.Logging;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.util.StreamUtils;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
......@@ -103,7 +106,15 @@ public class RestControllerAdvice extends ResponseEntityExceptionHandler {
@ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
public void handleGeneralException(
Exception e, HttpServletRequest request, HttpServletResponse response, OutputStream os)
throws IOException {
throws Exception {
// if there is a OGC request active, the exception was not meant for this dispatcher,
// nor it was if it's a security exception, in this case let servlet filters handle it
// instead
if (Dispatcher.REQUEST.get() != null
|| e instanceof AuthenticationException
|| e instanceof AccessDeniedException) {
throw e;
}
LOGGER.log(Level.SEVERE, e.getMessage(), e);
notifyExceptionToCallbacks(request, response, e);
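Review bot: The rethrow guard `e instanceof AuthenticationException || e instanceof AccessDeniedException` inspects only the top-level exception, so a security exception that reaches this handler wrapped as the cause of another exception would presumably still be logged at SEVERE and turned into a 500; if that wrapping can happen on this path, walking `getCause()` until a security exception or null is found and rethrowing in that case would close the gap, and the added test for the authenticated 403 path would not catch it. The comment on the three lines above the check also reads awkwardly ("nor it was if it's a security exception"); consider `// Rethrow when an OGC request is active (the exception is not meant for this dispatcher) or when this is a security exception: the Spring Security servlet filters must produce the 401/403, not a 500 from here.` handleGeneralException's body continues outside the hunk, so the logging and response handling that follow the rethrow are not visible here.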
......
......@@ -63,6 +63,13 @@
<artifactId>javax.servlet-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>${project.version}</version>
<classifier>tests</classifier>
<scope>test</scope>
</dependency>
</dependencies>
</project>
/*
* GeoTools - The Open Source Java GIS Toolkit
* http://geotools.org
*
* (C) 2019, Open Source Geospatial Foundation (OSGeo)
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation;
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
*/
package org.geoserver.rest.service;
import static org.junit.Assert.assertEquals;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;
import org.geoserver.catalog.Catalog;
import org.geoserver.data.test.SystemTestData;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.GeoServerRoleStore;
import org.geoserver.security.GeoServerUserGroupStore;
import org.geoserver.security.TestResourceAccessManager;
import org.geoserver.security.WorkspaceAccessLimits;
import org.geoserver.security.impl.AbstractUserGroupService;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.wms.WMSTestSupport;
import org.geotools.util.logging.Logging;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletResponse;
public class ResourceAccessManagerWMSTest extends WMSTestSupport {
static final Logger LOGGER = Logging.getLogger(ResourceAccessManagerWMSTest.class);
/** Add the test resource access manager in the spring context */
@Override
protected void setUpSpring(List<String> springContextLocations) {
super.setUpSpring(springContextLocations);
springContextLocations.add("classpath:/org/geoserver/wms/ResourceAccessManagerContext.xml");
}
/** Enable the Spring Security auth filters */
@Override
protected List<javax.servlet.Filter> getFilters() {
return Collections.singletonList(
(javax.servlet.Filter) GeoServerExtensions.bean("filterChainProxy"));
}
@Override
protected void onSetUp(SystemTestData testData) throws Exception {
super.onSetUp(testData);
GeoServerUserGroupStore ugStore =
getSecurityManager()
.loadUserGroupService(AbstractUserGroupService.DEFAULT_NAME)
.createStore();
ugStore.addUser(ugStore.createUserObject("cite", "cite", true));
ugStore.store();
GeoServerRoleStore roleStore = getSecurityManager().getActiveRoleService().createStore();
GeoServerRole role = roleStore.createRoleObject("ROLE_DUMMY");
roleStore.addRole(role);
roleStore.associateRoleToUser(role, "cite");
roleStore.store();
prepare();
}
public void prepare() throws Exception {
// populate the access manager
Catalog catalog = getCatalog();
TestResourceAccessManager tam =
(TestResourceAccessManager) applicationContext.getBean("testResourceAccessManager");
tam.putLimits(
"cite",
catalog.getWorkspaceByName("cite"),
new WorkspaceAccessLimits(CatalogMode.MIXED, false, false));
}
@Test
public void testGetCapabilitiesLimitedWorkspace() throws Exception {
setRequestAuth("cite", "cite");
MockHttpServletResponse response =
getAsServletResponse("cite/wms?service=WMS&version=1.1.1&request=GetCapabilities");
// exception used to be eaten and result be a 200
assertEquals(403, response.getStatus());
}
}
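Review bot: testGetCapabilitiesLimitedWorkspace only covers the authenticated-but-denied branch (AccessDeniedException → 403); the AuthenticationException branch added in the same commit is not exercised. A second test issuing the same `cite/wms?...GetCapabilities` request without `setRequestAuth` and asserting the status the filter chain produces for anonymous callers (likely a 401 challenge) rather than 500 would pin that path too. `LOGGER` on the first line of the class is declared but not used in the visible code, and `prepare()` is only called from onSetUp and could be `private`.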