Ed 1025
I seem to have missed the change in the POM to switch the org.cryptacular dependency version. But this commit addresses the AuthorizationMap issue on ED-1025 reopened ticket.
Merge request reports
Activity
- Last reply by Erdem A Memisyazici
- Last reply by Erdem A Memisyazici
6 6 <groupId>edu.vt.middleware</groupId> 7 7 <artifactId>edldap</artifactId> 8 8 <packaging>jar</packaging> 9 <version>3.0-SNAPSHOT</version> 9 <version>3.0</version> 297 249 298 250 return memberships.toArray(new String[memberships.size()]); 299 251 } 252 253 /** 254 * SpEL Authorization Context for this class. 255 * 256 * @author Middleware Services 257 */ 258 class EdAuthorizationContext Absolutely none, changed to private. I also wrapped the EvaluationException I commented on earlier like so:
try { if (!exp.getValue(context, Boolean.class)) { throw new EdAuthAuthorizationException( EdAuthAuthorizationException. EDAUTH_EXCEPTION_MSG_AUTHZ_FAILED); } } catch (EvaluationException ee) { throw new EdAuthAuthorizationException( EdAuthAuthorizationException. EDAUTH_EXCEPTION_MSG_AUTHZ_FAILED, ee); }
160 176 edauth.authenticateAndAuthorize( 161 177 authId, 162 password, 163 authMap, 164 AuthorizationMethod.ANY 165 ) 166 ); 178 new Credential("THIS IS NOT THE PASSWORD"), 179 "hasAttributeValue('" + authorizationAttribute + "', 'FAIL!')" 180 ); 181 requiredException1 = null; 182 } catch (LdapException ex) { 183 requiredException1 = ex; 184 } 185 186 AssertJUnit.assertNotNull(requiredException1); 18 18 import org.ldaptive.auth.BindAuthenticationHandler; 19 19 import org.ldaptive.auth.SearchDnResolver; 20 20 import org.ldaptive.beans.reflect.DefaultLdapEntryMapper; 21 import org.springframework.expression.EvaluationContext; 22 import org.springframework.expression.Expression; 23 import org.springframework.expression.ExpressionParser; 24 import org.springframework.expression.spel.standard.SpelExpressionParser; 25 import org.springframework.expression.spel.support.StandardEvaluationContext; I don't see the spel artifact defined in the pom. That indicates it's a transitive dependency of spring web security? Since that is marked as a provided dependency we're going to run into problems with anyone using this in an environment that doesn't provide spel.
The current dependencies are: cryptacular, ldaptive, and slf4j. What will adding spel bring into the dependency graph?
Added 1 new commit:
- f8304634 - Addressed issues from previous commit.
184 final EvaluationContext context = 185 new StandardEvaluationContext(authorizationContext); 183 186 184 if (!exp.getValue(context, Boolean.class)) { 187 if (!exp.getValue(context, Boolean.class)) { 188 throw new EdAuthAuthorizationException( 189 EdAuthAuthorizationException. 190 EDAUTH_EXCEPTION_MSG_AUTHZ_FAILED); 191 } 192 } catch (EvaluationException | ParseException ee) { 185 193 throw new EdAuthAuthorizationException( 186 194 EdAuthAuthorizationException. 187 EDAUTH_EXCEPTION_MSG_ATTR_NOT_RETURNED); 195 EDAUTH_EXCEPTION_MSG_AUTHZ_EXPR_FAILED, ee); 188 196 } 189 197 } After far too much analysis... I recommend we drop the authorize method. This library focuses on data retrieval and this is the only place we stray from that. I believe that most of our clients are leveraging frameworks for authorization at this point. We should look for use cases going forward (3.1) to write adapters for those frameworks.
That's not quite true in that the library also provides authorization framework for Spring, Jetty, and Tomcat realms. This would be the container free version of an authentication scheme familiar to anyone who works within the Spring world. It really just covers all bases where auth/authz occurs using ED-x in my opinion.
