Overview

The goal is to prevent persons who may still have records in LDAP but do not have an affiliation with the university (denoted by the LDAP affiliation attribute) from accessing any functionality in either RICE or KFS.

Implementation

  • Override the existing login action
  • Create new struts configuration file
  • Append to existing main struts configuration file
  • Create a new JSP to handle unauthorized login attempts

 

Code Block
languagejava
titleUConnKualiPortalAction.java
package edu.uconn.kuali.rice.kns.web.struts.action;

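public class UConnKualiPortalAction extends Action {
    private static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger.getLogger(UConnKualiPortalAction.class);

    /**
     * Portal entry point. Forwards to the portal page only when the effective user
     * (the backdoor identity when one is in use, otherwise the logged-in user) carries
     * one of the LDAP affiliations configured in {@code UConnConstants.LDAP_AFFL_MAPPINGS};
     * otherwise forwards to {@code "notAuthorized"}. Also stores in the session whether
     * backdoor use is restricted for this user.
     *
     * @param mapping  Struts action mapping used to resolve the forward
     * @param form     action form (unused)
     * @param request  current request; {@code channelUrl} and {@code selectedTab} are read from it
     * @param response current response (unused)
     * @return the {@code "basic"} forward, or {@code "notAuthorized"} when the affiliation check fails
     * @throws Exception propagated from the Struts/Rice services
     */
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception {
        String forward = RiceConstants.MAPPING_BASIC;
        String gotoUrl = null;
        HttpSession session = request.getSession();
        // Restrictive by default; only relaxed by isBackdoorRestricted, and only outside production.
        boolean backdoorRestriction = true;
        String env = CoreApiServiceLocator.getKualiConfigurationService().getPropertyValueAsString(KRADConstants.ENVIRONMENT_KEY);
        String prd = CoreApiServiceLocator.getKualiConfigurationService().getPropertyValueAsString(KRADConstants.PROD_ENVIRONMENT_CODE_KEY);
        boolean drEnv = CoreApiServiceLocator.getKualiConfigurationService().getPropertyValueAsBoolean(UConnRiceConstants.DR_CLOUD_ENV);
        // NOTE(review): assumes an upstream filter has already stored the UserSession; a missing one throws NPE below.
        UserSession userSession = (UserSession) session.getAttribute(KRADConstants.USER_SESSION_KEY);
        // Actual NetID of the authenticated user - used so a backdoor id supplied via the URL cannot stand in for it.
        String userId = userSession.getLoggedInUserPrincipalName();
        // Backdoor NetID; treated as a backdoor only when it differs from the actual NetID.
        String principalId = userSession.getPrincipalId();
        // NOTE(review): the affiliation check below runs against the effective identity only; when a
        // backdoor user is active the logged-in user's own affiliation is not re-checked here.
        String netId = userId.equalsIgnoreCase(principalId) ? userId : principalId;
        // The LDAP unaffiliated-persons filter is not applied in the DR Cloud environment.
        if (!drEnv) {
            if (!isAuthroized(netId)) {
                forward = "notAuthorized";
            } else if (env != null && prd != null && !env.equalsIgnoreCase(prd)) {
                // Non-production only: in production the backdoor stays restricted regardless of permissions.
                backdoorRestriction = isBackdoorRestricted(userId, principalId, userSession);
            }
        }
        String query = request.getQueryString();
        if (query != null && query.indexOf("channelUrl") >= 0) {
            // Everything after "channelUrl=" (10 chars + "="), including any trailing parameters.
            gotoUrl = query.substring(query.indexOf("channelUrl") + 11);
        } else if (request.getParameter("channelUrl") != null && request.getParameter("channelUrl").length() > 0) {
            gotoUrl = request.getParameter("channelUrl");
        }
        request.setAttribute("gotoUrl", gotoUrl);
        String selectedTab = request.getParameter("selectedTab");
        if (selectedTab != null && selectedTab.length() > 0) {
            session.setAttribute("selectedTab", selectedTab);
        }
        session.setAttribute(UConnRiceConstants.BACKDOOR_SESSION_KEY, backdoorRestriction);
        return mapping.findForward(forward);
    }

    /**
     * Decides whether backdoor use is restricted for {@code principalId}.
     * Not restricted when the principal holds {@code BACKDOOR_RESTRICTION} in either the
     * Rice workflow namespace or the KFS namespace. Otherwise restricted; and when a backdoor
     * user is active ({@code userId} differs from {@code principalId}) it is cleared from the session.
     *
     * @param userId      principal name of the actually logged-in user
     * @param principalId effective principal id (the backdoor user when one is in use)
     * @param userSession session whose backdoor user is cleared on denial
     * @return {@code true} when backdoor use is restricted
     */
    private boolean isBackdoorRestricted(String userId, String principalId, UserSession userSession) {
        PermissionService permService = KimApiServiceLocator.getPermissionService();
        boolean permitted = permService.hasPermission(principalId, KRADConstants.KUALI_RICE_WORKFLOW_NAMESPACE, UConnRiceConstants.BACKDOOR_RESTRICTION)
                || permService.hasPermission(principalId, UConnRiceConstants.KFS_NAMESPACE, UConnRiceConstants.BACKDOOR_RESTRICTION);
        if (permitted) {
            return false;
        }
        if (!userId.equals(principalId)) {
            userSession.clearBackdoorUser();
        }
        return true;
    }

    /**
     * Returns {@code true} when the KIM entity for {@code userId} has at least one affiliation
     * whose type name appears (case-insensitively) inside one of the comma-separated entries of
     * {@code UConnConstants.LDAP_AFFL_MAPPINGS}. Fails closed on a blank id, a missing mapping
     * property, an unknown entity, or affiliations without a type name.
     *
     * @param userId effective NetID to check
     * @return {@code true} when an affiliation matches the configured mappings
     */
    private boolean isAuthroized(String userId) {
        if (userId == null || userId.trim().isEmpty()) {
            return false;
        }
        String affMap = CoreApiServiceLocator.getKualiConfigurationService().getPropertyValueAsString(UConnConstants.LDAP_AFFL_MAPPINGS);
        if (affMap == null || affMap.trim().isEmpty()) {
            // A missing mapping property must deny access rather than fail with an NPE on split().
            LOG.error("Property " + UConnConstants.LDAP_AFFL_MAPPINGS + " is not set; denying portal access for " + userId);
            return false;
        }
        String[] primaryAffiliations = affMap.split(",");
        IdentityService identityService = KimApiServiceLocator.getIdentityService();
        // NOTE(review): getEntity is keyed by entity id while netId is a principal name/id - confirm these coincide in this deployment.
        Entity entity = identityService.getEntity(userId);
        if (entity == null || entity.getAffiliations() == null) {
            return false;
        }
        for (EntityAffiliation en : entity.getAffiliations()) {
            EntityAffiliationType type = en.getAffiliationType();
            String typeName = (type == null) ? null : type.getName();
            // A blank type name would otherwise match every mapping entry via contains("").
            if (typeName == null || typeName.trim().isEmpty()) {
                continue;
            }
            String needle = typeName.toLowerCase();
            for (String aff : primaryAffiliations) {
                if (aff.toLowerCase().contains(needle)) {
                    return true;
                }
            }
        }
        return false;
    }
}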
Code Block
languagejava
titleUConnBackDoorAction.java
package edu.uconn.kuali.rice.kns.web.struts.action;

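public class UConnBackDoorAction extends BackdoorAction{
    /**
     * Backdoor login that only proceeds when the requested backdoor id resolves to a UConn
     * LDAP entity; otherwise stores an error message under {@code "badbackdoor"} and logs out.
     *
     * @param mapping  Struts action mapping
     * @param form     the {@link BackdoorForm} carrying the requested backdoor id
     * @param request  current request; receives the {@code "badbackdoor"} attribute on denial
     * @param response current response
     * @return the forward from {@code super.login} on success, otherwise the logout forward
     * @throws Exception propagated from the parent action
     */
    @Override
    public ActionForward login(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception {
        BackdoorForm backdoorForm = (BackdoorForm) form;
        String backdoorId = backdoorForm.getBackdoorId();
        if (isAuthroized(backdoorId)) {
            return super.login(mapping, form, request, response);
        }
        // The id is user-supplied; the view that renders "badbackdoor" must HTML-escape it.
        request.setAttribute("badbackdoor", "Invalid backdoor Id given '" + backdoorId + "'");
        return logout(mapping, form, request, response);
    }

    /**
     * Returns {@code true} when the UConn LDAP service finds an entity for {@code userId}.
     * A null or blank id is rejected without querying LDAP.
     *
     * @param userId requested backdoor id
     * @return {@code true} when an LDAP entity exists for the id
     */
    private boolean isAuthroized(String userId) {
        if (userId == null || userId.trim().isEmpty()) {
            return false;
        }
        UConnRiceLdapService ldapService = UConnServiceLocator.getUconnLdapService();
        // NOTE(review): the meaning of the boolean argument to getUConnEntityById is not visible here.
        return ldapService.getUConnEntityById(userId, true) != null;
    }
}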

 

 

 

Code Block
languagexml
titleuconn-struts-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
To change this template, choose Tools | Templates
and open the template in the editor.
-->
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.1//EN" "http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd">

<struts-config>
   
    <action-mappings>
        <!-- Begin required KNS mappings -->
        <!-- /portal is served by UConnKualiPortalAction, which forwards to "notAuthorized"
             when the effective user has none of the configured LDAP affiliations. -->
        <action path="/portal" name="KualiForm" type="edu.uconn.kuali.rice.kns.web.struts.action.UConnKualiPortalAction">
            <forward name="basic" path="/portal.jsp" />
            <!--  KRICE-138- use ldap to authorize user (must be affiliated with the university) -->
            <forward name="notAuthorized" path="/notAuthorized.jsp" />
        </action>
        
        <!--  KRICE-138- use ldap to authorize user (must be affiliated with the university) -->
        <!-- UConnBackDoorAction rejects a backdoor id that has no UConn LDAP entity and logs out;
             the "logout" forward below is presumably what that path resolves to - confirm. -->
        <action path="/backdoorlogin" name="BackdoorForm" scope="request" parameter="methodToCall"
                input="/WEB-INF/jsp/backdoor/index.jsp" type="edu.uconn.kuali.rice.kns.web.struts.action.UConnBackDoorAction">
            <forward name="basic" path="/portal.jsp" />
            <forward name="viewPortal" path="/portal.jsp" />
            <forward name="logout" path="/logout.do" />
        </action>
        
        <action path="/identityManagementPersonInquiry" name="IdentityManagementPersonDocumentForm" 
                input="/WEB-INF/jsp/identityManagementPersonDocument.jsp" 
                type="edu.uconn.kuali.rice.kim.web.struts.action.UConnIdentityManagementPersonInquiry"
                        scope="request" parameter="methodToCall" validate="true" attribute="KualiForm">
            <forward name="basic" path="/WEB-INF/jsp/identityManagementPersonDocument.jsp" />
        </action>
    </action-mappings>
  
</struts-config>

 

 

 

Code Block
languagexml
titlerice-web/web.xml
.
.
.
.
 <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.kuali.rice.kns.web.struts.action.KualiActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml,/WEB-INF/uconn-struts-config.xml</param-value>
    </init-param>
    <init-param>
      <param-name>debug</param-name>
      <param-value>3</param-value>
    </init-param>
    <init-param>
      <param-name>detail</param-name>
      <param-value>3</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
.
.
.

 

 

 

Code Block
languagexml
titlerice-web/web pages/WEB-INF/tags/rice-portal/immutableBar.tag
.
.
.
<div id="login-info">
    <c:choose> 
        <c:when test="${empty UserSession.loggedInUserPrincipalName}" > 
            <!--
            David Chudnow
            KFS-1624: reposiotion so that CAS authentication occurs prior to arrival at the KFS home page
            -->
            <% response.sendRedirect("portal.do");%>
            <!-- replaces <strong>You are not logged in.</strong> -->
        </c:when>
        <c:otherwise> 
            <strong>Logged in User:&nbsp;${UserSession.loggedInUserPrincipalName}</strong> 
            <c:if test="${UserSession.backdoorInUse}" > <strong>&nbsp;&nbsp;Impersonating User:&nbsp;${UserSession.principalName}</strong> </c:if> 
        </c:otherwise> 
    </c:choose> 
  </div>
.
.
.
Code Block
languagexml
titlerice-web/notAuthorized.jsp
<%@ include file="/rice-portal/jsp/sys/riceTldHeader.jsp"%>
<%-- Target of the "notAuthorized" forward of the /portal action (uconn-struts-config.xml):
     shown when the effective user carries none of the configured LDAP affiliations. --%>
<portal:portalTop />
<div style="padding:50px 300px 50px 300px;background-color:#ffffff; font:Verdana, Arial, Helvetica, sans-serif; font-style:italic; font-weight:bold;">  
    <div style="color:#993300; ">
        You are not authorized to access this application
    </div>
    <div style="color:#333333; padding-top:2px;">
        Please close your browser
    </div>
</div>
<portal:portalBottom />