Revision 5079
Added by daigle over 14 years ago
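--- a/WorkflowScheduler.java
+++ b/WorkflowScheduler.java
@@ -43,7 +43,9 @@
 import org.xml.sax.InputSource;
 
 import org.ecoinformatics.ecogrid.client.AuthenticationServiceClient;
+import org.ecoinformatics.ecogrid.client.AuthorizationServiceClient;
 
+import edu.ucsb.nceas.metacat.AccessControlInterface;
 import edu.ucsb.nceas.metacat.scheduler.BaseScheduler;
 import edu.ucsb.nceas.metacat.scheduler.ScheduledJobAccess;
 import edu.ucsb.nceas.metacat.scheduler.ScheduledJobDAO;
@@ -169,6 +171,12 @@
 }
 jobParams.put("workflowid", workflowids[0]);
 
+String workflowAuthorizeStatus = authorizeRemoteSession(sessionIds[0], workflowids[0], AccessControlInterface.WRITESTRING);
+if (!workflowAuthorizeStatus.equals("true")) {
+throw new MetacatSchedulerException("WorkflowScheduler.scheduleJob - session "
++ request.getSession().getId() + " is not authorized to write workflow " + workflowids[0] + ".");
+}
+
 // kar id must exist. Add to job params
 String karids[] = params.get("karid");
 if (karids == null || karids.length == 0) {
@@ -177,6 +185,11 @@
 }
 jobParams.put("karid", karids[0]);
 
+String karAuthorizeStatus = authorizeRemoteSession(sessionIds[0], karids[0], AccessControlInterface.READSTRING);
+if (!karAuthorizeStatus.equals("true")) {
+throw new MetacatSchedulerException("WorkflowScheduler.scheduleJob - session "
++ request.getSession().getId() + " is not authorized to read kar " + karids[0] + ".");
+}
 
 // workflow name unit must exist. Add to job params
 String workflownames[] = params.get("workflowname");
@@ -455,4 +468,34 @@
 
 return sessionStatus;
 }
+
+private String authorizeRemoteSession(String sessionId, String resourceLsid, String permission)
+throws MetacatSchedulerException {
+
+String authStatus = "unknown";
+XPath xpath = XPathFactory.newInstance().newXPath();
+
+try {
+String ecogridUrl = PropertyService.getProperty("workflowScheduler.authorizationServiceUrl");
+
+AuthorizationServiceClient authorizationServiceClient =
+new AuthorizationServiceClient(ecogridUrl);
+
+String authStatusXML = authorizationServiceClient.is_authorized_action(sessionId, resourceLsid, permission);
+
+authStatus =
+xpath.evaluate("/resourceAuthorization/isAuthorized", new InputSource(new StringReader(authStatusXML)));
+
+
+} catch (PropertyNotFoundException pnfe) {
+throw new MetacatSchedulerException("WorkflowScheduler.authorizeRemoteSession - Could not "
++ "find property: " + pnfe.getMessage());
+} catch (Exception e) {
+throw new MetacatSchedulerException("WorkflowScheduler.authorizeRemoteSession - "
++ "general error when authorizing Session: " + e.getMessage());
+}
+
+
+return authStatus;
+}
 }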
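Review bot: The two denial messages added to scheduleJob name `request.getSession().getId()`, but each check above them was made with `sessionIds[0]`, so the exception reports a different identifier from the one that was refused and places a live session id in an exception message. Whether that message is logged or returned to the caller is not visible here, but a session id works as a credential and is better left out, e.g. `throw new MetacatSchedulerException("WorkflowScheduler.scheduleJob - caller is not authorized to write workflow " + workflowids[0] + ".");`, and likewise for the kar check. `getSession()` with no argument also creates a servlet session when none exists, which a denial path should not need to do. Separately, authorizeRemoteSession hands the service's reply to `xpath.evaluate(..., new InputSource(...))`, which parses with the XPath implementation's default parser settings; it is worth confirming that DTDs and external entities are disabled for that parse. scheduleJob begins and ends outside the visible hunks, so the origin of `sessionIds` could not be checked.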
Add authorization check before scheduling a job in the workflow scheduler