Skip to content

Commit

Permalink
Implement #426
Browse files Browse the repository at this point in the history
  • Loading branch information
@gashcrumb
gashcrumb committed Jul 29, 2013
1 parent 30f3d62 commit 77595fc
Show file tree
Hide file tree
Showing 5 changed files with 62 additions and 34 deletions.
11 changes: 9 additions & 2 deletions hawtio-web/src/main/java/io/hawt/system/Authenticator.java
View file
Expand Up @@ -49,7 +49,7 @@ public static void extractAuthInfo(String authHeader, ExtractAuthInfoCallback cb

}

public static AuthenticateResult authenticate(String realm, String role, String rolePrincipalClasses, HttpServletRequest request) {
public static AuthenticateResult authenticate(String realm, String role, String rolePrincipalClasses, HttpServletRequest request, PrivilegedCallback cb) {

String authHeader = request.getHeader(HEADER_AUTHORIZATION);

Expand Down Expand Up @@ -78,7 +78,14 @@ public void getAuthInfo(String userName, String password) {
return AuthenticateResult.NOT_AUTHORIZED;
}

SubjectThreadLocal.put(subject);
if (cb != null) {
try {
cb.execute(subject);
} catch (Exception e) {
LOG.warn("Failed to execute privileged action: ", e);
}
}

return AuthenticateResult.AUTHORIZED;
}

Expand Down
11 changes: 11 additions & 0 deletions hawtio-web/src/main/java/io/hawt/system/PrivilegedCallback.java
View file
@@ -0,0 +1,11 @@
package io.hawt.system;

import javax.security.auth.Subject;

/**
* @author Stan Lewis
*/
public interface PrivilegedCallback {

public void execute(Subject subject) throws Exception;
}
21 changes: 0 additions & 21 deletions hawtio-web/src/main/java/io/hawt/system/SubjectThreadLocal.java
View file

This file was deleted.

35 changes: 30 additions & 5 deletions hawtio-web/src/main/java/io/hawt/web/AuthenticationFilter.java
View file
Expand Up @@ -2,14 +2,18 @@

import io.hawt.system.Authenticator;
import io.hawt.system.Helpers;
import io.hawt.system.PrivilegedCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
* @author Stan Lewis
Expand Down Expand Up @@ -41,7 +45,7 @@ public void init(FilterConfig filterConfig) throws ServletException {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException {

if (realm == null || realm.equals("") || !enabled) {
chain.doFilter(request, response);
Expand All @@ -54,8 +58,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
LOG.debug("Handling request for path {}", httpRequest.getServletPath());

if (session != null) {
chain.doFilter(request, response);
return;
Subject subject = (Subject) session.getAttribute("subject");
if (subject != null) {
executeAs(request, response, chain, subject);
return;
}
}

String path = httpRequest.getServletPath();
Expand All @@ -66,9 +73,13 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha

if (doAuthenticate) {
LOG.debug("Doing authentication and authorization for path {}", path);
switch (Authenticator.authenticate(realm, role, rolePrincipalClasses, httpRequest)) {
switch (Authenticator.authenticate(realm, role, rolePrincipalClasses, httpRequest, new PrivilegedCallback() {
public void execute(Subject subject) throws Exception {
executeAs(request, response, chain, subject);
}
})) {
case AUTHORIZED:
chain.doFilter(request, response);
// request was executed using the authenticated subject, nothing more to do
break;
case NOT_AUTHORIZED:
Helpers.doForbidden((HttpServletResponse) response);
Expand All @@ -83,6 +94,20 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
}
}

private static void executeAs(final ServletRequest request, final ServletResponse response, final FilterChain chain, Subject subject) {
try {
Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
@Override
public Object run() throws Exception {
chain.doFilter(request, response);
return null;
}
});
} catch (PrivilegedActionException e) {
LOG.info("Failed to invoke action " + ((HttpServletRequest)request).getPathInfo() + " due to:", e);
}
}

@Override
public void destroy() {
LOG.info("Destroying hawtio authentication filter");
Expand Down
18 changes: 12 additions & 6 deletions hawtio-web/src/main/java/io/hawt/web/LoginServlet.java
View file
@@ -1,7 +1,6 @@
package io.hawt.web;

import io.hawt.system.Helpers;
import io.hawt.system.SubjectThreadLocal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand All @@ -12,6 +11,8 @@
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.util.GregorianCalendar;
import java.util.Set;
Expand All @@ -26,7 +27,9 @@ public class LoginServlet extends HttpServlet {
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {

Subject subject = SubjectThreadLocal.take();
AccessControlContext acc = AccessController.getContext();
Subject subject = Subject.getSubject(acc);

if (subject == null) {
Helpers.doForbidden(resp);
return;
Expand All @@ -35,14 +38,17 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S

String username = null;

for (Principal principal : principals) {
if (principal.getClass().getSimpleName().equals("UserPrincipal")) {
username = principal.getName();
LOG.info("Authorizing user " + username);
if (principals != null) {
for (Principal principal : principals) {
if (principal.getClass().getSimpleName().equals("UserPrincipal")) {
username = principal.getName();
LOG.info("Authorizing user " + username);
}
}
}

HttpSession session = req.getSession(true);
session.setAttribute("subject", subject);
session.setAttribute("user", username);
session.setAttribute("org.osgi.service.http.authentication.remote.user", username);
session.setAttribute("org.osgi.service.http.authentication.type", HttpServletRequest.BASIC_AUTH);
Expand Down

0 comments on commit 77595fc

Please sign in to comment.