Posted to commits@brooklyn.apache.org by du...@apache.org on 2021/09/06 13:44:32 UTC
[brooklyn-server] branch master updated: allow static content if
login form being used
This is an automated email from the ASF dual-hosted git repository.
duncangrant pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
The following commit(s) were added to refs/heads/master by this push:
new d45025b allow static content if login form being used
new 157b4e8 Merge pull request #1249 from ahgittin/allow-static-content-if-login-form
d45025b is described below
commit d45025b61eeeb3cf1919fbe389130bf4f5144399
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Mon Sep 6 14:18:52 2021 +0100
allow static content if login form being used
---
.../BrooklynSecurityProviderFilterHelper.java | 38 +++++++++++++++++++++-
1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
index 007bbfd..3ecf952 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
@@ -18,6 +18,10 @@
*/
package org.apache.brooklyn.rest.filter;
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Objects;
import java.util.function.Supplier;
import javax.servlet.http.HttpServletRequest;
@@ -76,6 +80,10 @@ public class BrooklynSecurityProviderFilterHelper {
ConfigKeys.newStringConfigKey(BrooklynWebConfig.BASE_NAME_SECURITY + ".unauthenticated.endpoints",
"List of endpoints available without authentication e.g. a login page", "");
+ private static final List<String> STATIC_CONTENT_EXTENSIONS = ImmutableList.of(
+ ".html", ".htm", ".js", ".png", ".gif", ".jpg", ".svg"
+ );
+
public interface Responder {
void error(String message, boolean requiresBasicAuth) throws SecurityProviderDeniedAuthentication;
}
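Review bot: STATIC_CONTENT_EXTENSIONS carries no comment saying what membership means, although every suffix in it becomes a path that is served without authentication once a login form is configured; the reader has to find isStaticContent further down to learn that. A one-line Javadoc on the constant would fix that: `/** Suffixes (compared case-insensitively) that isStaticContent treats as page assets, served unauthenticated when LOGIN_FORM is set. */`. The list also has no `.css`, `.ico` or font extensions, so a login page that references a stylesheet would presumably still have those requests rejected; whether that matters depends on what the login form actually loads, which is not visible here.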
@@ -116,6 +124,10 @@ public class BrooklynSecurityProviderFilterHelper {
}
}
}
+ if (Strings.isNonBlank(mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM)) && isStaticContent(webRequest)) {
+ // also allow pages' static content to be accessed
+ return;
+ }
final HttpSession preferredSession1 = preferredSessionWrapper==null ? null : preferredSessionWrapper.getPreferredSession();
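Review bot: The early `return` on the added lines skips every check that follows it (the preferred-session lookup and the provider authentication), so the comment `// also allow pages' static content to be accessed` understates what the branch does; it should say that this is an authentication bypass gated only on the path shape, e.g. `// Login form configured: requests whose path looks like a page asset (see isStaticContent) bypass session and provider authentication entirely.`. The bypass is keyed on the servlet path alone, not on whether a static resource actually exists at that path, so the safety of this line rests entirely on isStaticContent's exclusion of API paths. The enclosing method starts and ends outside the hunk.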
@@ -174,7 +186,31 @@ public class BrooklynSecurityProviderFilterHelper {
throw abort("Authentication failed", provider.requiresUserPass());
}
-
+
+ boolean isStaticContent(HttpServletRequest webRequest) {
+ String servletPath = webRequest.getServletPath();
+ if (servletPath!=null) {
+ if (servletPath.matches("\\/v[0-9]+\\/")) {
+ // disallow API endpoints
+ return false;
+ }
+
+ if (Objects.equals(stripTrailingSlash(webRequest.getContextPath()), stripTrailingSlash(servletPath))) {
+ return true;
+ }
+ String servletPathLower = servletPath.toLowerCase(Locale.ROOT);
+ if (STATIC_CONTENT_EXTENSIONS.stream().anyMatch(
+ //ext -> servletPath.endsWith(ext) // <-- this seems allowed, but why? it's not effectively final!
+ servletPathLower::endsWith
+ )) return true;
+ }
+ return false;
+ }
+
+ private String stripTrailingSlash(String contextPath) {
+ return Strings.removeFromEnd(contextPath, "/");
+ }
+
SecurityProviderDeniedAuthentication abort(String msg, boolean requiresUserPass) throws SecurityProviderDeniedAuthentication {
ResponseBuilder response = Response.status(Status.UNAUTHORIZED);
if (requiresUserPass) {
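Review bot: The API guard in isStaticContent is ineffective as written: `String.matches` anchors the pattern to the whole string, so `servletPath.matches("\\/v[0-9]+\\/")` rejects only a servlet path that is exactly `/v1/`, and a path such as `/v1/something.html` (or `/v1` without the trailing slash) falls through to the extension check and is treated as static content; whether the servlet path ever carries the sub-path depends on the servlet mapping, which is not visible here, but the guard should not rely on that. Replace the condition with `if (API_PATH.matcher(servletPath).matches()) {` backed by `private static final Pattern API_PATH = Pattern.compile("/v[0-9]+(/.*)?");` so any `/vN` prefix is excluded regardless of what follows, and `java.util.regex.Pattern` would need importing. The commented-out lambda and its question (`//ext -> servletPath.endsWith(ext) // <-- this seems allowed, but why? ...`) should be deleted: `servletPath` is assigned once and never reassigned, so it is effectively final, and the method reference on the next line already does the job. The helper's parameter is named `contextPath` although it is also called with the servlet path; `path` would describe both uses.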