working auth / security

Author: lprimak

emailmanager/hope-website/WEB-INF/faces-config.xml

@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
+<faces-config version="2.3"
+              xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_3.xsd">
+    <factory>
+        <exception-handler-factory>
+            org.primefaces.application.exceptionhandler.PrimeExceptionHandlerFactory
+        </exception-handler-factory>
+        <!-- order is important, the following line needs to appear last -->
+        <exception-handler-factory>org.omnifaces.exceptionhandler.ViewExpiredExceptionHandlerFactory</exception-handler-factory>
+    </factory>
+    <application>
+        <resource-handler>org.omnifaces.resourcehandler.UnmappedResourceHandler</resource-handler>
+        <el-resolver>
+            org.primefaces.application.exceptionhandler.PrimeExceptionHandlerELResolver
+        </el-resolver>
+    </application>
+</faces-config>

emailmanager/hope-website/WEB-INF/shiro.ini

@@ -11,22 +11,12 @@ authc.useRemembered = true
 authc.loginFailedWaitTime = 5
 
 [urls]
-# Admin pages
-/shiro/adminpage* = ssl, authc, roles[admin]
-
-# User pages
-/shiro/index* = ssl, anon
-/shiro/unprotected/** = ssl, anon
-/shiro/* = ssl, authc, perms[pages:read]
-
 # Login pages
 /auth/login* = ssl, authc
 /auth/logout* = ssl, logout
 
-# All other pages - fallback
-; +++ requireSession = false
-/** = anon
+# Resources
+/javax.faces.resource/** = anon
 
-[roles]
-admin = *
-regular = pages:read
+# All other pages - fallback
+/** = ssl, authc

emailmanager/hope-website/WEB-INF/web.xml

@@ -12,6 +12,14 @@
         <param-name>org.omnifaces.FACES_VIEWS_SCAN_PATHS</param-name>
         <param-value>/*.xhtml</param-value>
     </context-param>
+    <context-param>
+        <param-name>org.omnifaces.EXCEPTION_TYPES_TO_IGNORE_IN_LOGGING</param-name>
+        <param-value>javax.faces.application.ViewExpiredException, java.nio.channels.ClosedByInterruptException</param-value>
+    </context-param>
+    <context-param>
+        <param-name>primefaces.CLIENT_SIDE_VALIDATION</param-name>
+        <param-value>true</param-value>
+    </context-param>
 
     <mime-mapping>
         <extension>ttf</extension>

emailmanager/hope-website/auth/login.xhtml

@@ -0,0 +1,35 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml"
+      xmlns:jsf="http://xmlns.jcp.org/jsf"
+      xmlns:h="http://xmlns.jcp.org/jsf/html"
+      xmlns:p="http://primefaces.org/ui">
+    <h:head>
+        <title>Login Page</title>
+        <h:outputStylesheet name="css/login-style.css"/>
+    </h:head>
+    <h:body id="loginFormContainer">
+        <div jsf:rendered="#{authc.sessionExpired}" style="color: red;">
+            Your Session Has Expired
+        </div>
+        <div jsf:rendered="#{authc.loginFailure}" style="color: red;">
+            Login Failed
+        </div>
+        <h:form styleClass="rounded-border form-container" id="loginForm"  prependId="false">
+            <p:messages id="messages"/>
+            <p:focus for="username"/>
+            <div>
+                <p:outputLabel for="username" value="User Name"/>
+                <p:inputText id="username" required="true"/>
+            </div>
+            <div>
+                <p:outputLabel for="password" value="Password"/>
+                <p:password id="password" required="true"/>
+            </div>
+            <div>
+                <p:outputLabel for="rememberMe" value="Remember Me"/>
+                <h:selectBooleanCheckbox id="rememberMe" />
+            </div>
+            <p:commandButton value="Login ..." action="#{authc.login}" validateClient="true"/>
+        </h:form>
+    </h:body>
+</html>

emailmanager/hope-website/emailmanager.xhtml

@@ -8,12 +8,12 @@
     </h:head>
     <h:body>
         <h:form>
-            <h1>Press <p:commandButton value="Here" actionListener="#{emailManager.eraseJunk}"/>
+            <h1>Press <p:commandButton value="Here" actionListener="#{emailManager.eraseJunk}" update="status"/>
                 to Erase Junk Email</h1>
-            <h1>Press <p:commandButton value="Here" actionListener="#{emailManager.sendDrafts}"/>
+            <h1>Press <p:commandButton value="Here" actionListener="#{emailManager.sendDrafts}" update="status"/>
                 to Send Draft Emails</h1>
         </h:form>
-        <h:form>
+        <h:form id="status">
             <h3>E-Mail Operation Status: ${emailManager.emailStatus}</h3>
             <p:commandButton value="Log Out" action="#{authc.logout}"/>
         </h:form>

emailmanager/hope-website/resources/css/login-style.css

@@ -0,0 +1,10 @@
+#loginFormContainer {
+    background: url(../img/login-bg.png) no-repeat;
+    width:778px;
+    height:600px;
+    margin:0 auto;
+}
+
+#loginForm {
+    padding: 90px 110px;
+}

…A-INF/resources/images/auth/login-bg.png …/hope-website/resources/img/login-bg.pngemailmanager/src/main/resources/META-INF/resources/images/auth/login-bg.png renamed to emailmanager/hope-website/resources/img/login-bg.png emailmanager/src/main/resources/META-INF/resources/images/auth/login-bg.png renamed to emailmanager/hope-website/resources/img/login-bg.png

@@ -16,6 +16,8 @@
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Objects;
+import javax.annotation.PostConstruct;
 import javax.inject.Inject;
 import javax.mail.Address;
 import javax.mail.MailSessionDefinition;
@@ -44,6 +46,17 @@ public class EmailManagerImpl implements EmailManagerLocal {
     @ConfigProperty(name = "hope-smtp-password", defaultValue = "none")
     private String smtp_password;
 
+    @PostConstruct
+    @SneakyThrows(MessagingException.class)
+    void init() {
+        @Cleanup var transport = mailSession.getTransport();
+        transport.connect(smtp_host, smtp_user, smtp_password);
+        @Cleanup var store = mailSession.getStore();
+        UserAuth user = (UserAuth) SecurityUtils.getSubject().getPrincipal();
+        Objects.requireNonNull(user, "not authenticated");
+        store.connect(user.getUserName(), user.getPassword());
+    }
+
     @Override
     @SneakyThrows(MessagingException.class)
     public void eraseFolder(String folderName) {

emailmanager/src/main/java/com/flowlogix/website/impl/EmailManagerImpl.java

@@ -7,6 +7,7 @@
 import com.flowlogix.website.ui.Constants;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.Set;
 import lombok.Cleanup;
 import lombok.SneakyThrows;
 import org.apache.shiro.authc.AuthenticationException;
@@ -16,7 +17,6 @@
 import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.AuthorizationInfo;
-import org.apache.shiro.authz.Permission;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.authz.permission.WildcardPermission;
 import org.apache.shiro.authz.permission.WildcardPermissionResolver;
@@ -70,23 +70,21 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
     @Override
     @SneakyThrows(PAMException.class)
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
-        var roles = new HashSet<String>();
-        var permissions = new HashSet<Permission>();
-        permissions.add(new WildcardPermission("mail:*"));
         Collection<UserAuth> principalsList = principals.byType(UserAuth.class);
 
         if (principalsList.isEmpty()) {
             throw new AuthorizationException("Empty principals list!");
         }
 
+        var roles = new HashSet<String>();
         for (UserAuth userPrincipal : principalsList) {
             @Cleanup("dispose")
             PAM pam = getPam();
             UnixUser unixUser = pam.authenticate(userPrincipal.getUserName(), userPrincipal.getPassword());
             roles.addAll(unixUser.getGroups());
         }
         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
-        info.setObjectPermissions(permissions);
+        info.setObjectPermissions(Set.of(new WildcardPermission("mail:*")));
 
         return info;
     }

emailmanager/src/main/java/com/flowlogix/website/security/UnixRealm.java

@@ -22,7 +22,7 @@
             "fish.payara.connection-validation-method = auto-commit"})
 public class Constants {
     @Inject
-    @ConfigProperty(name = "com.flowlogix.pam-service-name", defaultValue = "pwauth")
+    @ConfigProperty(name = "com.flowlogix.pam-service-name", defaultValue = "login")
     String pamAuthServiceName;
     @Inject
     @ConfigProperty(name = "com.flowlogix.junk-folder-name", defaultValue = "Junk")