Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import java.util.Calendar;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.validation.BindingResult;
Expand All @@ -55,6 +56,7 @@
*
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/batchcreateuseraccounts.html")
public class BatchCreateUserAccountsController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
Expand All @@ -41,6 +42,7 @@
* Only accessed by a WISE admin user.
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/enabledisableuser")
public class EnableDisableUserController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.validation.BindingResult;
Expand All @@ -50,6 +51,7 @@
* @author Patrick Lawler
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/lookupuser")
public class LookupUserController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
Expand All @@ -44,6 +45,7 @@
*
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/manageuserroles.html")
public class ManageUserRolesController {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.wise.portal.service.authentication.UserDetailsService;

@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/show-all-users")
public class ShowAllUsersController {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.acls.model.Permission;
import org.springframework.web.bind.annotation.*;
import org.wise.portal.dao.ObjectNotFoundException;
Expand All @@ -13,6 +14,7 @@
import java.util.List;
import java.util.Set;

@Secured("ROLE_ADMINISTRATOR")
@RestController
@RequestMapping("/api/admin/project/shared")
public class UpdateProjectSharedPermissionsAPIController {
Expand Down
25 changes: 18 additions & 7 deletions src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -85,14 +85,25 @@ protected void configure(HttpSecurity http) throws Exception {
.addFilterAfter(googleOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(microsoftOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(authenticationProcessingFilter(), GoogleOpenIdConnectFilter.class)
.authorizeRequests().antMatchers("/api/login/impersonate")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/admin/**")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/author/**").hasAnyRole("TEACHER")
.authorizeRequests()
// User, role, portal, news and destructive maintenance endpoints must be
// restricted to administrators. They were previously reachable by researchers
// through the broad "/admin/**" rule, which let a researcher grant themselves
// the administrator role or manage other users' accounts. These more specific
// rules are listed first so they take precedence over the broader ones below.
.antMatchers("/admin/account/**", "/admin/portal/**", "/admin/news/**",
"/admin/mergeProjectMetadata", "/admin/run/replacebase64withpng.html", "/api/admin/**")
.hasRole("ADMINISTRATOR")
.antMatchers("/api/login/impersonate").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/admin/**").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/author/**").hasAnyRole("TEACHER")
.antMatchers("/project/notifyAuthor*/**").hasAnyRole("TEACHER")
.antMatchers("/student/account/info").hasAnyRole("TEACHER").antMatchers("/student/**")
.hasAnyRole("STUDENT").antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER").antMatchers("/sso/discourse")
.hasAnyRole("TEACHER", "STUDENT").antMatchers("/").permitAll();
.antMatchers("/student/account/info").hasAnyRole("TEACHER")
.antMatchers("/student/**").hasAnyRole("STUDENT")
.antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER")
.antMatchers("/sso/discourse").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/").permitAll();
http.formLogin().loginPage("/login").permitAll();
http.logout().addLogoutHandler(wiseLogoutHandler())
.logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"));
Expand Down