diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/AdminUtilsController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/AdminUtilsController.java index 03518ec5e..9338c4976 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/AdminUtilsController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/AdminUtilsController.java @@ -24,6 +24,7 @@ package org.wise.portal.presentation.web.controllers.admin; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.wise.portal.domain.project.Project; @@ -42,6 +43,7 @@ * Admin utility functions like db migrations and batch scripts * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller public class AdminUtilsController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java index 1426aa330..7fb991877 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/BatchCreateUserAccountsController.java @@ -30,6 +30,7 @@ import java.util.Calendar; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -55,6 +56,7 @@ * * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/batchcreateuseraccounts.html") public class BatchCreateUserAccountsController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java index e40c3c53e..683e52ba2 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/EnableDisableUserController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.RequestMapping; @@ -41,6 +42,7 @@ * Only accessed by a WISE admin user. * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/enabledisableuser") public class EnableDisableUserController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java index 0f9b93adc..009b7bc36 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/LookupUserController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletRequest; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.validation.BindingResult; @@ -50,6 +51,7 @@ * @author Patrick Lawler * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/lookupuser") public class LookupUserController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java index 5462caab0..a669be627 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ManageUserRolesController.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.security.core.GrantedAuthority; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; @@ -44,6 +45,7 @@ * * @author Hiroki Terashima */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/manageuserroles.html") public class ManageUserRolesController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java index ea7aae0b5..38cb480bf 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/ShowAllUsersController.java @@ -1,6 +1,7 @@ package org.wise.portal.presentation.web.controllers.admin; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; @@ -8,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestParam; import org.wise.portal.service.authentication.UserDetailsService; +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/account/show-all-users") public class ShowAllUsersController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java index 74a352317..cbff00917 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateProjectSharedPermissionsAPIController.java @@ -1,6 +1,7 @@ package org.wise.portal.presentation.web.controllers.admin; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.access.annotation.Secured; import org.springframework.security.acls.model.Permission; import org.springframework.web.bind.annotation.*; import org.wise.portal.dao.ObjectNotFoundException; @@ -13,6 +14,7 @@ import java.util.List; import java.util.Set; +@Secured("ROLE_ADMINISTRATOR") @RestController @RequestMapping("/api/admin/project/shared") public class UpdateProjectSharedPermissionsAPIController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateSharedProjectsController.java b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateSharedProjectsController.java index 69070fab1..07e1c4dc8 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateSharedProjectsController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/admin/UpdateSharedProjectsController.java @@ -1,11 +1,13 @@ package org.wise.portal.presentation.web.controllers.admin; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.servlet.ModelAndView; +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/project/updatesharedprojects") public class UpdateSharedProjectsController { diff --git a/src/main/java/org/wise/portal/presentation/web/controllers/run/ReplaceBase64WithPNGController.java b/src/main/java/org/wise/portal/presentation/web/controllers/run/ReplaceBase64WithPNGController.java index 1ac9d4a1a..b7dde93a8 100644 --- a/src/main/java/org/wise/portal/presentation/web/controllers/run/ReplaceBase64WithPNGController.java +++ b/src/main/java/org/wise/portal/presentation/web/controllers/run/ReplaceBase64WithPNGController.java @@ -3,6 +3,7 @@ import org.json.JSONObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.core.env.Environment; +import org.springframework.security.access.annotation.Secured; import org.springframework.stereotype.Controller; import org.springframework.ui.ModelMap; import org.springframework.web.bind.annotation.GetMapping; @@ -32,6 +33,7 @@ * student data, it will replace the Base64 string with a reference to that png image in the * studentuploads folder. */ +@Secured("ROLE_ADMINISTRATOR") @Controller @RequestMapping("/admin/run/replacebase64withpng.html") public class ReplaceBase64WithPNGController { diff --git a/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java b/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java index b608d1272..d98f79e2e 100644 --- a/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java +++ b/src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java @@ -85,14 +85,23 @@ protected void configure(HttpSecurity http) throws Exception { .addFilterAfter(googleOpenIdConnectFilter(), OAuth2ClientContextFilter.class) .addFilterAfter(microsoftOpenIdConnectFilter(), OAuth2ClientContextFilter.class) .addFilterAfter(authenticationProcessingFilter(), GoogleOpenIdConnectFilter.class) - .authorizeRequests().antMatchers("/api/login/impersonate") - .hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/admin/**") - .hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/author/**").hasAnyRole("TEACHER") + .authorizeRequests() + // Matched the way Spring MVC matches, so a trailing slash cannot slip an exact path + // past these rules and into the broader "/admin/**" rule below. + .mvcMatchers("/admin/account/**", "/admin/portal/**", "/admin/news/**", + "/admin/mergeProjectMetadata", "/admin/project/updatesharedprojects", + "/admin/run/replacebase64withpng.html", "/api/admin/**") + .hasRole("ADMINISTRATOR") + .antMatchers("/api/login/impersonate").hasAnyRole("ADMINISTRATOR", "RESEARCHER") + .antMatchers("/admin/**").hasAnyRole("ADMINISTRATOR", "RESEARCHER") + .antMatchers("/author/**").hasAnyRole("TEACHER") .antMatchers("/project/notifyAuthor*/**").hasAnyRole("TEACHER") - .antMatchers("/student/account/info").hasAnyRole("TEACHER").antMatchers("/student/**") - .hasAnyRole("STUDENT").antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT") - .antMatchers("/teacher/**").hasAnyRole("TEACHER").antMatchers("/sso/discourse") - .hasAnyRole("TEACHER", "STUDENT").antMatchers("/").permitAll(); + .antMatchers("/student/account/info").hasAnyRole("TEACHER") + .antMatchers("/student/**").hasAnyRole("STUDENT") + .antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT") + .antMatchers("/teacher/**").hasAnyRole("TEACHER") + .antMatchers("/sso/discourse").hasAnyRole("TEACHER", "STUDENT") + .antMatchers("/").permitAll(); http.formLogin().loginPage("/login").permitAll(); http.logout().addLogoutHandler(wiseLogoutHandler()) .logoutRequestMatcher(new AntPathRequestMatcher("/api/logout")); diff --git a/src/main/webapp/portal/admin/index.jsp b/src/main/webapp/portal/admin/index.jsp index a5113f67c..7852fb6a9 100644 --- a/src/main/webapp/portal/admin/index.jsp +++ b/src/main/webapp/portal/admin/index.jsp @@ -58,12 +58,12 @@