
Revision 5079

Added by daigle almost 12 years ago

Add authorization check before scheduling a job in the workflow scheduler


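--- a/lib/workflowscheduler/workflowscheduler.properties
+++ b/lib/workflowscheduler/workflowscheduler.properties
@@ -152,6 +152,7 @@
 executionEngine.endPointAddress=http://localhost:8080/axis2/services/KeplerWebService
 
 workflowScheduler.authServiceUrl=http://indus.msi.ucsb.edu/knb/services/AuthenticationService
+workflowScheduler.authorizationServiceUrl=http://indus.msi.ucsb.edu/knb/services/AuthorizationService
 
 ######## junit test section  ################
 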
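--- a/src/edu/ucsb/nceas/workflowscheduler/WorkflowScheduler.java
+++ b/src/edu/ucsb/nceas/workflowscheduler/WorkflowScheduler.java
@@ -43,7 +43,9 @@
 import org.xml.sax.InputSource;
 
 import org.ecoinformatics.ecogrid.client.AuthenticationServiceClient;
+import org.ecoinformatics.ecogrid.client.AuthorizationServiceClient;
 
+import edu.ucsb.nceas.metacat.AccessControlInterface;
 import edu.ucsb.nceas.metacat.scheduler.BaseScheduler;
 import edu.ucsb.nceas.metacat.scheduler.ScheduledJobAccess;
 import edu.ucsb.nceas.metacat.scheduler.ScheduledJobDAO;
@@ -169,6 +171,12 @@
 			}
 			jobParams.put("workflowid", workflowids[0]);
 			
+			String workflowAuthorizeStatus = authorizeRemoteSession(sessionIds[0], workflowids[0], AccessControlInterface.WRITESTRING);
+			if (!workflowAuthorizeStatus.equals("true")) {
+				throw new MetacatSchedulerException("WorkflowScheduler.scheduleJob - session " 
+						+ request.getSession().getId() + " is not authorized to write workflow " + workflowids[0]  + ".");
+			}
+			
 			// kar id must exist.  Add to job params
 			String karids[] = params.get("karid");
 			if (karids == null || karids.length == 0) {
@@ -177,6 +185,11 @@
 			}
 			jobParams.put("karid", karids[0]);
 			
+			String karAuthorizeStatus = authorizeRemoteSession(sessionIds[0], karids[0], AccessControlInterface.READSTRING);
+			if (!karAuthorizeStatus.equals("true")) {
+				throw new MetacatSchedulerException("WorkflowScheduler.scheduleJob - session " 
+						+ request.getSession().getId() + " is not authorized to read kar " + karids[0]  + ".");
+			}
 			
 			// workflow name unit must exist.  Add to job params
 			String workflownames[] = params.get("workflowname");
@@ -455,4 +468,34 @@
 		
 		return sessionStatus;
 	}
+	
+	private String authorizeRemoteSession(String sessionId, String resourceLsid, String permission) 
+		throws MetacatSchedulerException {
+		
+		String authStatus = "unknown";
+	    XPath xpath = XPathFactory.newInstance().newXPath();
+		
+		try {
+			String ecogridUrl = PropertyService.getProperty("workflowScheduler.authorizationServiceUrl");
+		
+			AuthorizationServiceClient authorizationServiceClient = 
+					new AuthorizationServiceClient(ecogridUrl);
+			
+			String authStatusXML = authorizationServiceClient.is_authorized_action(sessionId, resourceLsid, permission);
+			
+			authStatus = 
+				xpath.evaluate("/resourceAuthorization/isAuthorized",  new InputSource(new StringReader(authStatusXML)));
+			
+			
+		} catch (PropertyNotFoundException pnfe) {
+			throw new MetacatSchedulerException("WorkflowScheduler.authorizeRemoteSession - Could not " 
+					+ "find property: " + pnfe.getMessage());
+		} catch (Exception e) {
+			throw new MetacatSchedulerException("WorkflowScheduler.authorizeRemoteSession - " 
+					+ "general error when authorizing Session: " + e.getMessage());
+		}
+		
+		
+		return authStatus;
+	}
 }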
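Review bot: In authorizeRemoteSession, the call `xpath.evaluate("/resourceAuthorization/isAuthorized", new InputSource(...))` parses the remote service's response with whatever default XML parser the XPath implementation creates, so DOCTYPE and external-entity handling is left to platform defaults. That matters here because the response is fetched from the plain-http `workflowScheduler.authorizationServiceUrl` added in workflowscheduler.properties and decides an access-control outcome; an https endpoint would be the safer choice if the service offers one. Parsing the response with an explicitly hardened DocumentBuilderFactory and evaluating the XPath against the resulting Document removes that dependency, while the existing comparison with `"true"` (default `"unknown"`) already fails closed and should stay. Separately, both new exceptions in scheduleJob put `request.getSession().getId()` into the message, which is the local servlet session rather than the `sessionIds[0]` that was actually checked and places a session identifier wherever the message is logged or returned. The body of scheduleJob starts and ends outside the visible hunks.

```java
			String authStatusXML = authorizationServiceClient.is_authorized_action(sessionId, resourceLsid, permission);

			// Parse the remote response with DTDs and entity expansion disabled.
			DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
			dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
			dbf.setXIncludeAware(false);
			dbf.setExpandEntityReferences(false);
			Document authDoc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(authStatusXML)));

			authStatus = xpath.evaluate("/resourceAuthorization/isAuthorized", authDoc);
			// … unchanged: catch blocks and return authStatus …
```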
