Mercurial > hg > AnnotationManager
changeset 10:0bdfe01e30b5
checking auth token works now.
| author | casties |
|---|---|
| date | Tue, 20 Mar 2012 15:55:51 +0100 |
| parents | e9fd2e1e0979 |
| children | 2f8c72ae4c43 |
| files | .classpath .project .settings/org.eclipse.wst.common.component libs/joda-time-2.1.jar libs/joda-time-LICENSE.txt libs/joda-time-NOTICE.txt src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorResourceImpl.java src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorSearch.java |
| diffstat | 8 files changed, 305 insertions(+), 54 deletions(-) [+] |
line wrap: on
line diff
--- a/.classpath Mon Mar 19 21:26:20 2012 +0100 +++ b/.classpath Tue Mar 20 15:55:51 2012 +0100 @@ -47,5 +47,11 @@ <attribute name="owner.project.facets" value="java"/> </attributes> </classpathentry> + <classpathentry kind="lib" path="libs/joda-time-2.1.jar"> + <attributes> + <attribute name="javadoc_location" value="http://joda-time.sourceforge.net/api-release/index.html"/> + <attribute name="org.eclipse.jst.component.dependency" value="/WEB-INF/lib"/> + </attributes> + </classpathentry> <classpathentry kind="output" path="build/classes"/> </classpath>
--- a/.project Mon Mar 19 21:26:20 2012 +0100 +++ b/.project Tue Mar 20 15:55:51 2012 +0100 @@ -3,7 +3,6 @@ <name>AnnotationManager</name> <comment></comment> <projects> - <project>NamedIdentityManager</project> <project>TripleStoreManager</project> </projects> <buildSpec>
--- a/.settings/org.eclipse.wst.common.component Mon Mar 19 21:26:20 2012 +0100 +++ b/.settings/org.eclipse.wst.common.component Tue Mar 20 15:55:51 2012 +0100 @@ -3,30 +3,9 @@ <wb-module deploy-name="AnnotationManager"> <wb-resource deploy-path="/" source-path="/WebContent"/> <wb-resource deploy-path="/WEB-INF/classes" source-path="/src"/> - <dependent-module archiveName="NamedIdentityManager.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/NamedIdentityManager/NamedIdentityManager"> - <dependency-type>uses</dependency-type> - </dependent-module> <dependent-module archiveName="org.restlet.ext.jaas.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/AnnotationManager/libs/org.restlet.ext.jaas.jar"> <dependency-type>uses</dependency-type> </dependent-module> - <dependent-module archiveName="openrdf-sesame-2.3.2-onejar.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/openrdf-sesame-2.3.2-onejar.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> - <dependent-module archiveName="virtjdbc3.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/virtjdbc3.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> - <dependent-module archiveName="virtjdbc4.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/virtjdbc4.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> - <dependent-module archiveName="virt_sesame2.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/virt_sesame2.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> - <dependent-module archiveName="virtjdbc3ssl.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/virtjdbc3ssl.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> - <dependent-module archiveName="virtjdbc4ssl.jar" deploy-path="/WEB-INF/lib" handle="module:/classpath/lib/NamedIdentityManager/libs/virtjdbc4ssl.jar"> - <dependency-type>uses</dependency-type> - </dependent-module> <dependent-module archiveName="TripleStoreManager.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/TripleStoreManager/TripleStoreManager"> <dependency-type>uses</dependency-type> </dependent-module>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libs/joda-time-LICENSE.txt Tue Mar 20 15:55:51 2012 +0100 @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libs/joda-time-NOTICE.txt Tue Mar 20 15:55:51 2012 +0100 @@ -0,0 +1,5 @@ +============================================================================= += NOTICE file corresponding to section 4d of the Apache License Version 2.0 = +============================================================================= +This product includes software developed by +Joda.org (http://www.joda.org/).
--- a/src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorResourceImpl.java Mon Mar 19 21:26:20 2012 +0100 +++ b/src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorResourceImpl.java Tue Mar 20 15:55:51 2012 +0100 @@ -5,11 +5,17 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; +import org.apache.log4j.Logger; +import org.joda.time.DateTime; +import org.joda.time.format.DateTimeFormatter; +import org.joda.time.format.ISODateTimeFormat; import org.json.JSONArray; import org.json.JSONException; import org.json.JSONObject; @@ -29,6 +35,8 @@ */ public abstract class AnnotatorResourceImpl extends ServerResource { + protected Logger logger = Logger.getRootLogger(); + protected String getAllowedMethodsForHeader() { return "OPTIONS,GET,POST"; } @@ -40,26 +48,21 @@ */ @Options public void doOptions(Representation entity) { - Form responseHeaders = (Form) getResponse().getAttributes().get( - "org.restlet.http.headers"); + Form responseHeaders = (Form) getResponse().getAttributes().get("org.restlet.http.headers"); if (responseHeaders == null) { responseHeaders = new Form(); - getResponse().getAttributes().put("org.restlet.http.headers", - responseHeaders); + getResponse().getAttributes().put("org.restlet.http.headers", responseHeaders); } - responseHeaders.add("Access-Control-Allow-Methods", - getAllowedMethodsForHeader()); + responseHeaders.add("Access-Control-Allow-Methods", getAllowedMethodsForHeader()); // echo back Origin and Request-Headers - Form requestHeaders = (Form) getRequest().getAttributes().get( - "org.restlet.http.headers"); + Form requestHeaders = (Form) getRequest().getAttributes().get("org.restlet.http.headers"); String origin = requestHeaders.getFirstValue("Origin", true); if (origin == null) { responseHeaders.add("Access-Control-Allow-Origin", "*"); } else { responseHeaders.add("Access-Control-Allow-Origin", origin); } - String allowHeaders = requestHeaders.getFirstValue( - "Access-Control-Request-Headers", true); + String allowHeaders = requestHeaders.getFirstValue("Access-Control-Request-Headers", true); if (allowHeaders != null) { responseHeaders.add("Access-Control-Allow-Headers", allowHeaders); } @@ -68,8 +71,80 @@ } /** - * Erzeugt aus einer Annotation, das fuer den Annotator notwendige - * JSON-Format + * returns if authentication information from headers is valid. + * + * @param entity + * @return + */ + public boolean isAuthenticated(Representation entity) { + // get authToken + Form requestHeaders = (Form) getRequest().getAttributes().get("org.restlet.http.headers"); + String consumerKey = requestHeaders.getFirstValue("x-annotator-consumer-key", true); + if (consumerKey == null) { + return false; + } + RestServer restServer = (RestServer) getApplication(); + String consumerSecret = restServer.getConsumerSecret(consumerKey); + logger.debug("requested consumer key=" + consumerKey + " secret=" + consumerSecret); + if (consumerSecret == null) { + return false; + } + String userId = requestHeaders.getFirstValue("x-annotator-user-id", true); + String issueTime = requestHeaders.getFirstValue("x-annotator-auth-token-issue-time", true); + if (userId == null || issueTime == null) { + return false; + } + // compute hashed token based on the values we know + // computed_token = hashlib.sha256(consumer.secret + user_id + issue_time).hexdigest() + String computedToken; + try { + MessageDigest md = MessageDigest.getInstance("SHA-256"); + String computedString = consumerSecret + userId + issueTime; + md.update(computedString.getBytes("UTF-8")); + byte[] dg = md.digest(); + StringBuffer sb = new StringBuffer(); + for (byte b : dg) { + sb.append(String.format("%02x", b)); + } + computedToken = sb.toString(); + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); + return false; + } catch (UnsupportedEncodingException e) { + e.printStackTrace(); + return false; + } + // compare to the token we got + String authToken = requestHeaders.getFirstValue("x-annotator-auth-token", true); + logger.debug(String.format("got: authToken=%s consumerSecret=%s userId=%s issueTime=%s", authToken, consumerSecret, userId, + issueTime)); + if (!computedToken.equals(authToken)) { + return false; + } + // check token lifetime + // validity = iso8601.parse_date(issue_time) + // expiry = validity + datetime.timedelta(seconds=consumer.ttl) + int tokenTtl = 86400; + DateTime tokenValidity = null; + DateTime tokenExpiry = null; + try { + DateTimeFormatter parser = ISODateTimeFormat.dateTime(); + tokenValidity = parser.parseDateTime(issueTime); + String tokenTtlString = requestHeaders.getFirstValue("x-annotator-auth-token-ttl", true); + tokenTtl = Integer.parseInt(tokenTtlString); + tokenExpiry = tokenValidity.plusSeconds(tokenTtl); + } catch (NumberFormatException e) { + e.printStackTrace(); + } + if (tokenValidity == null || tokenValidity.isAfterNow() || tokenExpiry.isBeforeNow()) { + return false; + } + // must be ok then + return true; + } + + /** + * Erzeugt aus einer Annotation, das fuer den Annotator notwendige JSON-Format * * @param annot * @return @@ -87,8 +162,7 @@ String userID = annot.creator; if (userID.startsWith(NS.MPIWG_PERSONS)) { - userID = userID.replace(NS.MPIWG_PERSONS, ""); // entferne - // NAMESPACE + userID = userID.replace(NS.MPIWG_PERSONS, ""); // entferne NAMESPACE } String userName = restServer.getUserNameFromLdap(userID); userObject.put("name", userName); @@ -120,8 +194,7 @@ Pattern rg = Pattern .compile("#xpointer\\(start-point\\(string-range\\(\"([^\"]*)\",([^,]*),1\\)\\)/range-to\\(end-point\\(string-range\\(\"([^\"]*)\",([^,]*),1\\)\\)\\)\\)"); - Pattern rg1 = Pattern - .compile("#xpointer\\(start-point\\(string-range\\(\"([^\"]*)\",([^,]*),1\\)\\)\\)"); + Pattern rg1 = Pattern.compile("#xpointer\\(start-point\\(string-range\\(\"([^\"]*)\",([^,]*),1\\)\\)\\)"); try { for (String xpointer : xpointers) {
--- a/src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorSearch.java Mon Mar 19 21:26:20 2012 +0100 +++ b/src/de/mpiwg/itgroup/annotationManager/restlet/AnnotatorSearch.java Tue Mar 20 15:55:51 2012 +0100 @@ -34,8 +34,6 @@ */ public class AnnotatorSearch extends AnnotatorResourceImpl { - private Logger logger = Logger.getRootLogger(); - protected String getAllowedMethodsForHeader() { return "OPTIONS,GET"; } @@ -52,14 +50,8 @@ doOptions(entity); - // check authToken - Form requestHeaders = (Form) getRequest().getAttributes().get("org.restlet.http.headers"); - String ck = requestHeaders.getFirstValue("x-annotator-consumer-key", true); - if (ck != null) { - RestServer restServer = (RestServer) getApplication(); - String cs = restServer.getConsumerSecret(ck); - logger.debug("requested consumer key=" + ck + " secret=" + cs); - } + boolean authenticated = isAuthenticated(entity); + logger.debug("request authenticated="+authenticated); Form form = getRequest().getResourceRef().getQueryAsForm(); String uri = form.getFirstValue("uri"); @@ -68,12 +60,7 @@ String limit = form.getFirstValue("limit"); String offset = form.getFirstValue("offset"); - RDFSearcher searcher = new RDFSearcher("file:///annotations"); // TODO - // should - // ge - // into - // config - // file + RDFSearcher searcher = new RDFSearcher("file:///annotations"); // TODO should go into config file JSONArray ja; try {