Acegi security exception within JEXL should propagate through the call stack...

Acegi security exception within JEXL should propagate through the call stack for us to commence the authentication protocol. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6355 71c3de6d-444a-0410-be80-ed276b4c234a

Acegi security exception within JEXL should propagate through the call stack...
Acegi security exception within JEXL should propagate through the call stack for us to commence the authentication protocol. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@6355 71c3de6d-444a-0410-be80-ed276b4c234a
c94c95ac · kohsuke · 5835e4e0 · c94c95ac · c94c95ac · c94c95ac
5 changed file
--- a/core/src/main/java/hudson/ExpressionFactory2.java
+++ b/core/src/main/java/hudson/ExpressionFactory2.java
+package hudson;
+
+import org.acegisecurity.AcegiSecurityException;
+import org.apache.commons.jelly.JellyContext;
+import org.apache.commons.jelly.JellyException;
+import org.apache.commons.jelly.expression.Expression;
+import org.apache.commons.jelly.expression.ExpressionFactory;
+import org.apache.commons.jelly.expression.ExpressionSupport;
+import org.apache.commons.jexl.JexlContext;
+
+import java.util.Collection;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * {@link ExpressionFactory} so that security exception aborts the page rendering.
+ *
+ * @author Kohsuke Kawaguchi
+*/
+final class ExpressionFactory2 implements ExpressionFactory {
+    public Expression createExpression(String text) throws JellyException {
+        try {
+            return new JexlExpression(
+                org.apache.commons.jexl.ExpressionFactory.createExpression(text)
+            );
+        } catch (Exception e) {
+            throw new JellyException("Unable to create expression: " + text, e);
+        }
+    }
+
+    /*
+     * Copyright 2002,2004 The Apache Software Foundation.
+     *
+     * Licensed under the Apache License, Version 2.0 (the "License");
+     * you may not use this file except in compliance with the License.
+     * You may obtain a copy of the License at
+     *
+     *      http://www.apache.org/licenses/LICENSE-2.0
+     *
+     * Unless required by applicable law or agreed to in writing, software
+     * distributed under the License is distributed on an "AS IS" BASIS,
+     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     * See the License for the specific language governing permissions and
+     * limitations under the License.
+     */
+    static final class JexlExpression extends ExpressionSupport {
+
+        /** The Jexl expression object */
+        private org.apache.commons.jexl.Expression expression;
+
+        public JexlExpression(org.apache.commons.jexl.Expression expression) {
+            this.expression = expression;
+        }
+
+        public String toString() {
+            return super.toString() + "[" + expression.getExpression() + "]";
+        }
+
+        // Expression interface
+        //-------------------------------------------------------------------------
+        public String getExpressionText() {
+            return "${" + expression.getExpression() + "}";
+        }
+
+        public Object evaluate(JellyContext context) {
+            try {
+                JexlContext jexlContext = new JellyJexlContext( context );
+                return expression.evaluate(jexlContext);
+            } catch (AcegiSecurityException e) {
+                // let the security exception pass through
+                throw e;
+            } catch (Exception e) {
+                LOGGER.log(Level.WARNING,"Caught exception evaluating: " + expression + ". Reason: " + e, e);
+                return null;
+            }
+        }
+
+        private static final Logger LOGGER = Logger.getLogger(JexlExpression.class.getName());
+    }
+
+    static final class JellyJexlContext implements JexlContext {
+        private Map vars;
+
+        JellyJexlContext(JellyContext context) {
+            this.vars = new JellyMap( context );
+        }
+
+        public void setVars(Map vars) {
+            this.vars.clear();
+            this.vars.putAll( vars );
+        }
+
+        public Map getVars() {
+            return this.vars;
+        }
+    }
+
+
+    static final class JellyMap implements Map {
+
+        private JellyContext context;
+
+        JellyMap(JellyContext context) {
+            this.context = context;
+        }
+
+        public Object get(Object key) {
+            return context.getVariable( (String) key );
+        }
+
+        public void clear() {
+            // not implemented
+        }
+
+        public boolean containsKey(Object key) {
+            return ( get( key ) != null );
+        }
+
+        public boolean containsValue(Object value) {
+            return false;
+        }
+
+        public Set entrySet() {
+            return null;
+        }
+
+        public boolean isEmpty() {
+            return false;
+        }
+
+        public Set keySet() {
+            return null;
+        }
+
+        public Object put(Object key, Object value) {
+            return null;
+        }
+
+        public void putAll(Map t) {
+            // not implemented
+        }
+
+        public Object remove(Object key) {
+            return null;
+        }
+
+        public int size() {
+            return -1;
+        }
+
+        public Collection values() {
+            return null;
+        }
+    }
+}
--- a/core/src/main/java/hudson/Functions.java
+++ b/core/src/main/java/hudson/Functions.java
@@ -424,15 +424,8 @@ public class Functions {
        }

        // make sure the user owns the necessary permission to access this page.
-        if(permission!=null) {
-            if(!Hudson.getInstance().getACL().hasPermission(permission)) {
-                // check failed. commit the FORBIDDEN response, then abort.
-                // if we just throw an exception, JEXL will eat it so it won't have the effect.
-                rsp.setStatus(HttpServletResponse.SC_FORBIDDEN);
-                rsp.getOutputStream().close();
-                throw new ServletException("Unauthorized access");
-            }
-        }
+        if(permission!=null)
+            Hudson.getInstance().getACL().checkPermission(permission);
    }

    /**

--- a/core/src/main/java/hudson/WebAppMain.java
+++ b/core/src/main/java/hudson/WebAppMain.java
@@ -26,6 +26,8 @@ import java.util.logging.Logger;
 import java.net.URLClassLoader;
 import java.net.URL;

+import org.kohsuke.stapler.Stapler;
+
 /**
 * Entry point when Hudson is used as a webapp.
 *
@@ -98,6 +100,8 @@ public class WebAppMain implements ServletContextListener {
                }
            }

+            Stapler.setExpressionFactory(event, new ExpressionFactory2());
+
            context.setAttribute(APP,new HudsonIsLoading());

            new Thread("hudson initialization thread") {
@@ -222,4 +226,5 @@ public class WebAppMain implements ServletContextListener {
    }

    private static final Logger LOGGER = Logger.getLogger(WebAppMain.class.getName());
+
 }
--- a/core/src/main/java/hudson/security/UnwrapSecurityExceptionFilter.java
+++ b/core/src/main/java/hudson/security/UnwrapSecurityExceptionFilter.java
+package hudson.security;
+
+import org.apache.commons.jelly.JellyTagException;
+import org.acegisecurity.AcegiSecurityException;
+import org.acegisecurity.ui.ExceptionTranslationFilter;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.FilterChain;
+import java.io.IOException;
+
+/**
+ * If {@link AcegiSecurityException} caused {@link JellyTagException},
+ * rethrow it accordingly so that {@link ExceptionTranslationFilter}
+ * can pick it up and initiate the redirection.
+ * 
+ * @author Kohsuke Kawaguchi
+ */
+public class UnwrapSecurityExceptionFilter implements Filter {
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        try {
+            chain.doFilter(request,response);
+        } catch (ServletException e) {
+            Throwable t = e.getRootCause();
+            if (t instanceof JellyTagException) {
+                JellyTagException jte = (JellyTagException) t;
+                Throwable cause = jte.getCause();
+                if (cause instanceof AcegiSecurityException) {
+                    AcegiSecurityException se = (AcegiSecurityException) cause;
+                    throw new ServletException(se);
+                }
+            }
+            throw e;
+        }
+    }
+
+    public void destroy() {
+    }
+}
--- a/war/resources/WEB-INF/security/SecurityFilters.groovy
+++ b/war/resources/WEB-INF/security/SecurityFilters.groovy
@@ -13,6 +13,7 @@ import hudson.security.ChainedServletFilter
 import hudson.security.AccessDeniedHandlerImpl
 import hudson.security.BasicAuthenticationFilter
 import hudson.security.AuthenticationProcessingFilter2
+import hudson.security.UnwrapSecurityExceptionFilter

 // providers that apply to both patterns
 def commonProviders(redirectUrl) {
@@ -26,7 +27,8 @@ def commonProviders(redirectUrl) {
            authenticationEntryPoint = bean(AuthenticationProcessingFilterEntryPoint) {
                loginFormUrl = redirectUrl;
            }
-        }
+        },
+        bean(UnwrapSecurityExceptionFilter)
    ]
 }