Overview
Prevent persons who may still have records in LDAP but no longer hold a university affiliation (as indicated by the LDAP affiliation attribute) from accessing RICE or KFS. The check is enforced in the overridden portal action (`/portal`) and, for impersonation, in the overridden backdoor log-in action; it is not a servlet filter, so any action path reached directly without passing through `/portal` is not covered by it.
Implementation
- Override the existing portal (log-in) action and the backdoor log-in action
- Create new struts configuration file
- Append to existing main struts configuration file
- Create a new JSP (notAuthorized.jsp) shown to users who fail the affiliation check
UConnKualiPortalAction.java
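package edu.uconn.kuali.rice.kns.web.struts.action;

/**
 * Portal entry action (the {@code /portal} mapping in uconn-struts-config.xml).
 *
 * Responsibilities:
 * <ul>
 *   <li>Refuse the portal to principals whose KIM entity carries none of the
 *       affiliation types listed in the {@code LDAP_AFFL_MAPPINGS} property
 *       (forward {@code notAuthorized}). Skipped entirely in the DR cloud
 *       environment.</li>
 *   <li>Decide whether the backdoor (impersonation) UI is restricted for this
 *       session and publish that as {@code BACKDOOR_SESSION_KEY}. Outside the
 *       production environment the decision comes from
 *       {@link #isBackdoorRestricted}; in production it is always restricted.</li>
 *   <li>Carry the {@code channelUrl} request value to the view as the
 *       {@code gotoUrl} request attribute and remember {@code selectedTab} in
 *       the session.</li>
 * </ul>
 *
 * Scope caveat: this gate runs only for requests that hit {@code /portal}. Any
 * other Struts action reached directly is not checked here.
 */
public class UConnKualiPortalAction extends Action {

    private static final org.apache.log4j.Logger LOG =
            org.apache.log4j.Logger.getLogger(UConnKualiPortalAction.class);

    /** Request/query-string key whose value is passed to the view as {@code gotoUrl}. */
    private static final String CHANNEL_URL_PARAM = "channelUrl";

    /** Forward name mapped to notAuthorized.jsp in uconn-struts-config.xml. */
    private static final String NOT_AUTHORIZED_FORWARD = "notAuthorized";

    /**
     * Entry point for {@code /portal}.
     *
     * @return the {@code basic} forward for an admitted user, or
     *         {@code notAuthorized} when the effective principal has no accepted
     *         affiliation
     * @throws IllegalStateException if no Rice {@link UserSession} is present in
     *         the HTTP session (the login filter must have run first)
     */
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        HttpSession session = request.getSession();
        UserSession userSession = (UserSession) session.getAttribute(KRADConstants.USER_SESSION_KEY);
        if (userSession == null) {
            // Fail closed with a clear message instead of a NullPointerException below.
            throw new IllegalStateException(
                    "No UserSession in HttpSession; /portal requires an authenticated session");
        }

        // The authenticated user's principal name cannot be altered through the
        // URL; the effective principal id is the backdoor target when a backdoor
        // is active. The affiliation check is applied to the *effective* principal.
        String userId = userSession.getLoggedInUserPrincipalName();
        String principalId = userSession.getPrincipalId();
        String netId = (userId != null && userId.equalsIgnoreCase(principalId)) ? userId : principalId;

        String env = CoreApiServiceLocator.getKualiConfigurationService()
                .getPropertyValueAsString(KRADConstants.ENVIRONMENT_KEY);
        String prd = CoreApiServiceLocator.getKualiConfigurationService()
                .getPropertyValueAsString(KRADConstants.PROD_ENVIRONMENT_CODE_KEY);
        boolean drEnv = CoreApiServiceLocator.getKualiConfigurationService()
                .getPropertyValueAsBoolean(UConnRiceConstants.DR_CLOUD_ENV);

        // Restricted unless proven otherwise; production never relaxes this.
        boolean backdoorRestriction = true;

        // The LDAP unaffiliated-persons filter is intentionally not applied in
        // the DR cloud environment.
        if (!drEnv) {
            if (!isAuthroized(netId)) {
                // Audit trail for refused access; includes the real login when a
                // backdoor was in use so the impersonator stays identifiable.
                LOG.warn("Refusing portal access to principal '" + netId
                        + "' (logged in as '" + userId + "'): no accepted LDAP affiliation");
                session.setAttribute(UConnRiceConstants.BACKDOOR_SESSION_KEY, backdoorRestriction);
                // Return before touching channelUrl/selectedTab so nothing from a
                // refused request is carried into the session or the view.
                return mapping.findForward(NOT_AUTHORIZED_FORWARD);
            }
            if (env != null && prd != null && !env.equalsIgnoreCase(prd)) {
                backdoorRestriction = isBackdoorRestricted(userId, principalId, userSession);
            }
        }

        // NOTE(review): gotoUrl is request-controlled and is handed to the view
        // unvalidated. Whatever renders it must escape it and restrict it to
        // URLs this portal is allowed to frame or redirect to; nothing here does.
        request.setAttribute("gotoUrl", extractChannelUrl(request));

        String selectedTab = request.getParameter("selectedTab");
        if (selectedTab != null && selectedTab.length() > 0) {
            session.setAttribute("selectedTab", selectedTab);
        }

        session.setAttribute(UConnRiceConstants.BACKDOOR_SESSION_KEY, backdoorRestriction);
        return mapping.findForward(RiceConstants.MAPPING_BASIC);
    }

    /**
     * Extracts the {@code channelUrl} value the way the portal has always done it:
     * if the raw query string contains {@code channelUrl}, everything after
     * {@code channelUrl=} is returned verbatim (still URL-encoded and including
     * any later {@code &name=value} pairs); otherwise the decoded request
     * parameter is used when non-empty.
     *
     * @return the channel URL text, or {@code null} when none was supplied or the
     *         query string ends right after the key (formerly a
     *         {@link StringIndexOutOfBoundsException})
     */
    private static String extractChannelUrl(HttpServletRequest request) {
        String query = request.getQueryString();
        if (query != null) {
            int keyAt = query.indexOf(CHANNEL_URL_PARAM);
            if (keyAt >= 0) {
                int valueAt = keyAt + CHANNEL_URL_PARAM.length() + 1; // skip "channelUrl="
                return valueAt <= query.length() ? query.substring(valueAt) : null;
            }
        }
        String param = request.getParameter(CHANNEL_URL_PARAM);
        return (param != null && param.length() > 0) ? param : null;
    }

    /**
     * Decides whether the backdoor UI is restricted for this session.
     *
     * The {@code BACKDOOR_RESTRICTION} permission is looked up for
     * {@code principalId} in the KEW namespace and then in the KFS namespace; if
     * either grants it, the backdoor is unrestricted. Otherwise, when a backdoor
     * is currently active ({@code userId != principalId}) it is cleared from the
     * session.
     *
     * NOTE(review): the permission is evaluated for the effective principal (the
     * backdoor target when one is active), not for the authenticated user —
     * confirm that is the intended policy. The id comparison here is
     * case-sensitive while {@link #execute} compares case-insensitively.
     *
     * @param userId      principal name of the authenticated user
     * @param principalId effective principal id (backdoor target if active)
     * @param userSession session whose backdoor is cleared on refusal
     * @return {@code true} when the backdoor must stay restricted
     */
    private boolean isBackdoorRestricted(String userId, String principalId, UserSession userSession) {
        PermissionService permService = KimApiServiceLocator.getPermissionService();
        boolean permitted = permService.hasPermission(principalId,
                        KRADConstants.KUALI_RICE_WORKFLOW_NAMESPACE, UConnRiceConstants.BACKDOOR_RESTRICTION)
                || permService.hasPermission(principalId,
                        UConnRiceConstants.KFS_NAMESPACE, UConnRiceConstants.BACKDOOR_RESTRICTION);
        if (permitted) {
            return false;
        }
        if (!userId.equals(principalId)) {
            // An active backdoor whose target lacks the permission is dropped.
            userSession.clearBackdoorUser();
        }
        return true;
    }

    /**
     * Returns {@code true} when the KIM entity for {@code userId} has at least one
     * affiliation whose type name is matched by an entry of the comma-separated
     * {@code LDAP_AFFL_MAPPINGS} property.
     *
     * Fails closed: a missing/blank property, a null id, an unknown entity or an
     * entity without affiliations all yield {@code false}.
     *
     * NOTE(review): {@code IdentityService.getEntity} takes an entity id, whereas
     * {@code userId} here is a principal id or name. This only works where those
     * identifiers coincide; {@code getEntityByPrincipalId}/{@code ...Name} would
     * make the lookup explicit — confirm before changing.
     *
     * @param userId effective principal id/name to check
     */
    private boolean isAuthroized(String userId) {
        String affMap = CoreApiServiceLocator.getKualiConfigurationService()
                .getPropertyValueAsString(UConnConstants.LDAP_AFFL_MAPPINGS);
        if (affMap == null || affMap.trim().isEmpty()) {
            // Without a configured affiliation list nobody can be admitted.
            LOG.error("Property " + UConnConstants.LDAP_AFFL_MAPPINGS
                    + " is not set; refusing all portal access");
            return false;
        }
        if (userId == null) {
            return false;
        }

        IdentityService identityService = KimApiServiceLocator.getIdentityService();
        Entity entity = identityService.getEntity(userId);
        if (entity == null) {
            return false;
        }
        List<EntityAffiliation> affiliations = entity.getAffiliations();
        if (affiliations == null) {
            return false;
        }

        String[] accepted = affMap.split(",");
        for (EntityAffiliation affiliation : affiliations) {
            EntityAffiliationType type = affiliation.getAffiliationType();
            if (type == null || type.getName() == null) {
                continue;
            }
            String typeName = type.getName().toLowerCase();
            for (String mapping : accepted) {
                // Substring match kept from the original: a mapping entry is
                // accepted when it *contains* the affiliation type name. This is
                // loose (a short type name matches many entries); an exact
                // comparison may be what was intended — confirm against the
                // property's format before tightening.
                if (mapping.toLowerCase().contains(typeName)) {
                    return true;
                }
            }
        }
        return false;
    }
}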
UConnBackDoorAction.java
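package edu.uconn.kuali.rice.kns.web.struts.action;

/**
 * Backdoor (impersonation) login action mapped to {@code /backdoorlogin}.
 *
 * Before delegating to {@link BackdoorAction#login}, the requested backdoor id
 * must resolve to an entity in UConn's LDAP; ids that do not resolve are
 * rejected with a {@code badbackdoor} request attribute and the request is
 * routed through {@code logout}.
 *
 * What this does NOT check: whether the authenticated user is permitted to use
 * the backdoor at all, whether the environment allows it, or whether the target
 * is still affiliated — only that the id exists in LDAP. Any such restriction
 * has to come from the superclass or from {@code UConnKualiPortalAction}.
 */
public class UConnBackDoorAction extends BackdoorAction {

    /**
     * Handles {@code methodToCall=login}.
     *
     * @return the superclass login forward when the backdoor id resolves in LDAP,
     *         otherwise the logout forward
     */
    @Override
    public ActionForward login(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        BackdoorForm backdoorForm = (BackdoorForm) form;
        String backdoorId = backdoorForm.getBackdoorId();
        if (isAuthroized(backdoorId)) {
            return super.login(mapping, form, request, response);
        }
        // The message echoes the submitted id. The JSP that renders "badbackdoor"
        // must HTML-escape it (e.g. <c:out>); otherwise this is a reflected XSS.
        request.setAttribute("badbackdoor", "Invalid backdoor Id given '" + backdoorId + "'");
        return logout(mapping, form, request, response);
    }

    /**
     * Returns {@code true} when {@code userId} resolves to an entity through the
     * UConn LDAP service. A null or blank id is rejected without a lookup.
     *
     * @param userId backdoor id as submitted on the form
     */
    private boolean isAuthroized(String userId) {
        if (userId == null || userId.trim().isEmpty()) {
            // Fail closed rather than handing null/blank to the LDAP lookup.
            return false;
        }
        UConnRiceLdapService ldapService = UConnServiceLocator.getUconnLdapService();
        return ldapService.getUConnEntityById(userId, true) != null;
    }
}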
uconn-struts-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  UConn-specific Struts mappings, loaded after the stock Rice struts-config.xml
  (see the "config" init-param in web.xml). Only the paths listed here are
  overridden; every other action keeps its stock class and therefore receives
  none of the LDAP affiliation checks done in UConnKualiPortalAction.
  Presumably a same-path entry here replaces the stock one - confirm by
  checking which class /portal actually resolves to at runtime.
-->
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.1//EN" "http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd">
<struts-config>
  <action-mappings>
    <!-- Begin required KNS mappings -->
    <!-- /portal is the only place the affiliation gate runs. -->
    <action path="/portal" name="KualiForm" type="edu.uconn.kuali.rice.kns.web.struts.action.UConnKualiPortalAction">
      <forward name="basic" path="/portal.jsp" />
      <!-- KRICE-138- use ldap to authorize user (must be affiliated with the university) -->
      <forward name="notAuthorized" path="/notAuthorized.jsp" />
    </action>
    <!-- KRICE-138- use ldap to authorize user (must be affiliated with the university) -->
    <!--
      NOTE(review): parameter="methodToCall" lets the request choose the method.
      UConnBackDoorAction overrides only login(); any other dispatchable method
      inherited from BackdoorAction is presumably still reachable here without
      the LDAP existence check - verify what the superclass exposes.
    -->
    <action path="/backdoorlogin" name="BackdoorForm" scope="request" parameter="methodToCall" input="/WEB-INF/jsp/backdoor/index.jsp" type="edu.uconn.kuali.rice.kns.web.struts.action.UConnBackDoorAction">
      <forward name="basic" path="/portal.jsp" />
      <forward name="viewPortal" path="/portal.jsp" />
      <forward name="logout" path="/logout.do" />
    </action>
    <action path="/identityManagementPersonInquiry" name="IdentityManagementPersonDocumentForm" input="/WEB-INF/jsp/identityManagementPersonDocument.jsp" type="edu.uconn.kuali.rice.kim.web.struts.action.UConnIdentityManagementPersonInquiry" scope="request" parameter="methodToCall" validate="true" attribute="KualiForm">
      <forward name="basic" path="/WEB-INF/jsp/identityManagementPersonDocument.jsp" />
    </action>
  </action-mappings>
</struts-config>
rice-web/web.xml
. . . .
<!--
  The UConn struts config is listed after the stock one so its /portal and
  /backdoorlogin mappings can take effect; Struts reads the files in the order
  given here.
-->
<servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>org.kuali.rice.kns.web.struts.action.KualiActionServlet</servlet-class>
  <init-param>
    <param-name>config</param-name>
    <param-value>/WEB-INF/struts-config.xml,/WEB-INF/uconn-struts-config.xml</param-value>
  </init-param>
  <!--
    NOTE(review): "debug" and "detail" are Struts 1 ActionServlet logging
    verbosity levels (higher = more output). A value of 3 looks like a
    development setting; confirm it is not carried into production, where the
    extra request/config detail in logs is unwanted.
  -->
  <init-param>
    <param-name>debug</param-name>
    <param-value>3</param-value>
  </init-param>
  <init-param>
    <param-name>detail</param-name>
    <param-value>3</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
. . .
rice-web/web pages/WEB-INF/tags/rice-portal/immutableBar.tag
. . .
<%--
  Login-info strip of the portal header.
  NOTE(review): the redirect below is issued from inside a tag body with no way
  to stop the rest of the tag/page from executing; output after a committed
  redirect is discarded, but later code still runs and a second sendRedirect
  or forward on the same response would throw. Also, the HTML comment that
  follows (developer name and ticket id) is delivered to the browser; notes
  like it belong in a server-side JSP comment. The EL output further down is
  not HTML-escaped; the values come from the identity store, but rendering
  them with c:out would make that explicit.
--%>
<div id="login-info">
  <c:choose>
    <c:when test="${empty UserSession.loggedInUserPrincipalName}" >
      <!-- David Chudnow KFS-1624: reposiotion so that CAS authentication occurs prior to arrival at the KFS home page -->
      <% response.sendRedirect("portal.do");%>
      <!-- replaces <strong>You are not logged in.</strong> -->
    </c:when>
    <c:otherwise>
      <strong>Logged in User: ${UserSession.loggedInUserPrincipalName}</strong>
      <c:if test="${UserSession.backdoorInUse}" >
        <strong> Impersonating User: ${UserSession.principalName}</strong>
      </c:if>
    </c:otherwise>
  </c:choose>
</div>
. . .
rice-web/notAuthorized.jsp
<%--
  Rendered when UConnKualiPortalAction forwards to "notAuthorized", i.e. the
  effective principal has no accepted LDAP affiliation.

  NOTE(review): nothing here ends the session. The HttpSession and the Rice
  UserSession stay valid until they time out; the user is only asked to close
  the browser. Invalidating the session from this page is not a drop-in fix:
  the portal header (immutableBar.tag) redirects to portal.do when no
  logged-in user is present, which could loop straight back here. Ending the
  session through the existing logout path (/logout.do in the struts config)
  is the cleaner route - confirm that it invalidates the session.
--%>
<%@ include file="/rice-portal/jsp/sys/riceTldHeader.jsp"%>
<portal:portalTop />
<div style="padding:50px 300px 50px 300px;background-color:#ffffff; font:Verdana, Arial, Helvetica, sans-serif; font-style:italic; font-weight:bold;">
  <div style="color:#993300; ">
    You are not authorized to access this application
  </div>
  <div style="color:#333333; padding-top:2px;">
    Please close your browser
  </div>
</div>
<portal:portalBottom />