You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/10/29 11:02:00 UTC
svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Author: jleroux
Date: Sun Oct 29 11:02:00 2017
New Revision: 1813679
URL: http://svn.apache.org/viewvc?rev=1813679&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)
This works the same way than externalLoginKey but between 2 servers,
not 2 webapps on the same server.
The Single Sign On (SSO) is ensured by a JWT token, then all is handled as
normal by a session on the reached server. The servers may or may not share a
database but the loginUserIds on the 2 servers must be the same.
OOTB the JWT masterSecretKey is not properly initialised and can not be OOTB.
As we sign on on several servers, so have different sessions, we can't use the
externalLoginKey way to create the JWT masterSecretKey.
The best way to create the JWT masterSecretKey is to use a temporary way to load
in a static final key when compiling. This is simple and most secure.
One of the proposed way is to use sed and uuidgen to modify the masterSecretKey
value. The magic words here are TEMPORARY and FINAL!
I have not tested this between 2 servers yet, only locally where it works well.
I'll do after this commit between my local instance and the trunk demo.
Thanks: Nicolas for the sed ans uuidgen suggestion
Added:
ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy (with props)
Modified:
ofbiz/ofbiz-framework/trunk/build.gradle
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified: ofbiz/ofbiz-framework/trunk/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?rev=1813679&r1=1813678&r2=1813679&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/build.gradle (original)
+++ ofbiz/ofbiz-framework/trunk/build.gradle Sun Oct 29 11:02:00 2017
@@ -141,6 +141,10 @@ dependencies {
compile 'org.zapodot:jackson-databind-java-optional:2.6.1'
compile 'oro:oro:2.0.8'
compile 'wsdl4j:wsdl4j:1.6.3'
+ compile 'io.jsonwebtoken:jjwt:0.9.0'
+ compile 'com.fasterxml.jackson.core:jackson-core:2.7.3'
+ compile 'com.fasterxml.jackson.core:jackson-annotations:2.7.3'
+ compile 'com.fasterxml.jackson.core:jackson-databind:2.7.3'
// ofbiz unit-test compile libs
testCompile 'org.mockito:mockito-core:2.+'
Added: ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy?rev=1813679&view=auto
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy (added)
+++ ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy Sun Oct 29 11:02:00 2017
@@ -0,0 +1,19 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+context.reportingServer = org.apache.ofbiz.webapp.control.ExternalLoginKeysManager.getExternalServerName(request)
Propchange: ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java?rev=1813679&r1=1813678&r2=1813679&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java Sun Oct 29 11:02:00 2017
@@ -18,11 +18,8 @@
*******************************************************************************/
package org.apache.ofbiz.webapp.control;
-import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
-
import java.io.IOException;
import java.util.Enumeration;
-import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
@@ -31,13 +28,12 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.ofbiz.base.util.Debug;
-import org.apache.ofbiz.base.util.StringUtil;
import org.apache.ofbiz.base.util.UtilGenerics;
import org.apache.ofbiz.base.util.UtilHttp;
-import org.apache.ofbiz.base.util.UtilObject;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.entity.Delegator;
import org.apache.ofbiz.entity.DelegatorFactory;
@@ -192,8 +188,29 @@ public class ContextFilter implements Fi
}
}
+ HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(httpRequest) {
+ @Override
+ public String getHeader(String name) {
+ String externalServerUserLoginId = request.getParameter(ExternalLoginKeysManager.EXTERNAL_SERVER_LOGIN_KEY);
+ String value = null;
+ if (externalServerUserLoginId != null) {
+ // ExternalLoginKeysManager .createJwt() arguments in order:
+ // id an Id, I suggest userLoginId
+ // issuer is who/what issued the token. I suggest the server DNS
+ // subject is the subject of the token. I suggest the destination webapp
+ // timeToLive is the token maximum duration
+ String webAppName = UtilHttp.getApplicationName(httpRequest);
+ String dnsName = ExternalLoginKeysManager.getExternalServerName(httpRequest);
+ long timeToLive = ExternalLoginKeysManager.getJwtTokenTimeToLive(httpRequest);
+ // We would need a Bearer token (in Authorisation request header) if we were using Oauth2, here we don't, so no Bearer
+ value = ExternalLoginKeysManager.createJwt(externalServerUserLoginId, dnsName, webAppName , timeToLive);
+ }
+ if (value != null) return value;
+ return super.getHeader("Authorisation");
+ }
+ };
// we're done checking; continue on
- chain.doFilter(request, httpResponse);
+ chain.doFilter(wrapper, httpResponse);
}
/**
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1813679&r1=1813678&r2=1813679&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Sun Oct 29 11:02:00 2017
@@ -18,21 +18,34 @@
*/
package org.apache.ofbiz.webapp.control;
+import java.security.Key;
+import java.util.Date;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
+import javax.crypto.spec.SecretKeySpec;
+import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import javax.xml.bind.DatatypeConverter;
import org.apache.ofbiz.base.util.Debug;
+import org.apache.ofbiz.base.util.UtilHttp;
import org.apache.ofbiz.entity.Delegator;
import org.apache.ofbiz.entity.DelegatorFactory;
+import org.apache.ofbiz.entity.GenericEntityException;
import org.apache.ofbiz.entity.GenericValue;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
import org.apache.ofbiz.service.LocalDispatcher;
import org.apache.ofbiz.webapp.WebAppUtil;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+
/**
* This class manages the authentication tokens that provide single sign-on authentication to the OFBiz applications.
*/
@@ -41,6 +54,17 @@ public class ExternalLoginKeysManager {
private static final String EXTERNAL_LOGIN_KEY_ATTR = "externalLoginKey";
// This Map is keyed by the randomly generated externalLoginKey and the value is a UserLogin GenericValue object
private static final Map<String, GenericValue> externalLoginKeys = new ConcurrentHashMap<>();
+ public static final String EXTERNAL_SERVER_LOGIN_KEY = "externalServerLoginKey";
+ // This works the same way than externalLoginKey but between 2 servers, not 2 webapps on the same server.
+ // The Single Sign On (SSO) is ensured by a JWT token, then all is handled as normal by a session on the reached server.
+ // The servers may or may not share a database but the 2 loginUserId must be the same.
+
+ // OOTB the JWT masterSecretKey is not properly initialised and can not be OOTB.
+ // As we sign on on several servers, so have different sessions, we can't use the externalLoginKey way to create the JWT masterSecretKey.
+ // The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling.
+ // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
+ // The magic words here are TEMPORARY and FINAL!
+ private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";
/**
* Gets (and creates if necessary) an authentication token to be used for an external login parameter.
@@ -146,5 +170,158 @@ public class ExternalLoginKeysManager {
private static boolean isAjax(HttpServletRequest request) {
return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
}
+
+ public static String externalServerLoginCheck(HttpServletRequest request, HttpServletResponse response) {
+
+ Delegator delegator = (Delegator) request.getAttribute("delegator");
+ HttpSession session = request.getSession();
+
+ String externalServerUserLoginId = request.getParameter(EXTERNAL_SERVER_LOGIN_KEY);
+ if (externalServerUserLoginId == null) return "success"; // Nothing to do here
+
+ GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
+
+ try {
+ GenericValue userLogin = delegator.findOne("UserLogin", false, "userLoginId", externalServerUserLoginId);
+ if (userLogin != null) {
+ //to check it's the right tenant
+ //in case username and password are the same in different tenants
+ LocalDispatcher dispatcher = (LocalDispatcher) request.getAttribute("dispatcher");
+ delegator = (Delegator) request.getAttribute("delegator");
+ String oldDelegatorName = delegator.getDelegatorName();
+ ServletContext servletContext = session.getServletContext();
+ if (!oldDelegatorName.equals(userLogin.getDelegator().getDelegatorName())) {
+ delegator = DelegatorFactory.getDelegator(userLogin.getDelegator().getDelegatorName());
+ dispatcher = WebAppUtil.makeWebappDispatcher(servletContext, delegator);
+ LoginWorker.setWebContextObjects(request, response, delegator, dispatcher);
+ }
+
+ String authorisationHeader = request.getHeader("Authorisation");
+ if (authorisationHeader != null) {
+ boolean jwtOK = checkJwt(authorisationHeader, userLogin.getString("userLoginId"), getExternalServerName(request), UtilHttp.getApplicationName(request));
+ if (!jwtOK) {
+ Debug.logWarning("*** There was a problem with the JWT token, loging out the current user: " + externalServerUserLoginId, module);
+ LoginWorker.logout(request, response);
+ return "success";
+ }
+ } else {
+ // Something weird happened here => logout current user
+ Debug.logWarning("*** There was a problem with the JWT token, loging out the current user: " + externalServerUserLoginId, module);
+ LoginWorker.logout(request, response);
+ return "success";
+ }
+
+ // if the user is already logged in and the login is different, logout the other user
+ if (currentUserLogin != null) {
+ if (currentUserLogin.getString("userLoginId").equals(userLogin.getString("userLoginId"))) {
+ // is the same user, just carry on...
+ return "success";
+ }
+
+ // logout the current user and login the new user...
+ LoginWorker.logout(request, response);
+ // ignore the return value; even if the operation failed we want to set the new UserLogin
+ }
+
+ //connect
+ String enabled = userLogin.getString("enabled");
+ if (enabled == null || "Y".equals(enabled)) {
+ userLogin.set("hasLoggedOut", "N");
+ userLogin.store();
+ }
+ LoginWorker.doBasicLogin(userLogin, request);
+ } else {
+ Debug.logWarning("Could not find userLogin for external login key: " + externalServerUserLoginId, module);
+ }
+ } catch (GenericEntityException e) {
+ Debug.logError(e, "Cannot get autoUserLogin information: " + e.getMessage(), module);
+ }
+
+ return "success";
+ }
+
+ /**
+ * Generate and return a JWT key
+ *
+ * @param id is an Id, I suggest userLoginId
+ * @param issuer is who/what issued the token. I suggest the server DNS
+ * @param subject is the subject of the token. I suggest the destination webapp
+ * @param ttlMillis the expiration time
+ * @return a JWT token
+ */
+ public static String createJwt(String id, String issuer, String subject, long ttlMillis) {
+ //The JWT signature algorithm we will be using to sign the token
+ SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS512;
+
+ long nowMillis = System.currentTimeMillis();
+ Date now = new Date(nowMillis);
+
+ byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(ExternalServerJwtMasterSecretKey);
+ Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
+ //Let's set the JWT Claims
+ JwtBuilder builder = Jwts.builder().setId(id)
+ .setIssuedAt(now)
+ .setSubject(subject)
+ .setIssuer(issuer)
+ .setIssuedAt(now)
+ .signWith(signatureAlgorithm, signingKey);
+
+ //if it has been specified, let's add the expiration date, this should always be true
+ if (ttlMillis >= 0) {
+ long expMillis = nowMillis + ttlMillis;
+ Date exp = new Date(expMillis);
+ builder.setExpiration(exp);
+ }
+
+ //Builds the JWT and serialises it to a compact, URL-safe string
+ return builder.compact();
+ }
+
+ /**
+ * Reads and validates a JWT token
+ * Throws a SignatureException if it is not a signed JWS (as expected) or has been tampered
+ * @param jwt a JWT token
+ * @param id is an Id, I suggest userLoginId
+ * @param issuer is who/what issued the token. I suggest the server DNS
+ * @param subject is the subject of the token. I suggest the destination webapp
+ * @return true if the JWT token corresponds to the one sent and is not expired
+ */
+ private static boolean checkJwt(String jwt, String id, String issuer, String subject) {
+ //The JWT signature algorithm is using this to sign the token
+ SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS512;
+
+ byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(ExternalServerJwtMasterSecretKey);
+ Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());
+
+ //This line will throw a SignatureException if it is not a signed JWS (as expected) or has been tampered
+ Claims claims = Jwts.parser()
+ .setSigningKey(signingKey)
+ .parseClaimsJws(jwt).getBody();
+
+ long nowMillis = System.currentTimeMillis();
+ Date now = new Date(nowMillis);
+
+ return claims.getId().equals(id)
+ && claims.getIssuer().equals(issuer)
+ && claims.getSubject().equals(subject)
+ && claims.getExpiration().after(now);
+ }
+
+ public static String getExternalServerName(HttpServletRequest request) {
+ String reportingServerName = "";
+ Delegator delegator = (Delegator) request.getAttribute("delegator");
+ if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("embisphere", "use-external-server", "Y", delegator))) {
+ reportingServerName = EntityUtilProperties.getPropertyValue("embisphere", "external-server-name", "localhost:8443", delegator);
+ String reportingServerQuery = EntityUtilProperties.getPropertyValue("embisphere", "external-server-query", "/catalog/control/", delegator);
+ reportingServerName = "https://" + reportingServerName + reportingServerQuery;
+ }
+ return reportingServerName;
+ }
+
+ public static long getJwtTokenTimeToLive(HttpServletRequest request) {
+ Delegator delegator = (Delegator) request.getAttribute("delegator");
+ if (delegator != null) return 1000 * Long.parseLong(EntityUtilProperties.getPropertyValue("embisphere", "external-server-token-duration", "30", delegator));
+ else return 1000 * 30;
+ }
}
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Deepak,
Ha indeed, I see your point now.
Sorry for the confusion!
Jacques
Le 16/01/2018 à 11:30, Deepak Dixit a écrit :
> Thanks Jacques for detail,
> but I think name is not always Authorisation in code we are having lots of
> request.getHeader usage and its breaks their usage.
> I'll confirm and reply here (just for reference.)
>
> Need to backport this to 17.12 as well.
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwaxsystems.com
> www.hotwax.co
>
> On Tue, Jan 16, 2018 at 3:26 PM, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Le 16/01/2018 à 09:53, Deepak Dixit a écrit :
>>
>>> + return super.getHeader("Authorisation");
>>>> I think this should be
>>> return super.getHeader(name);
>>>
>> Thanks Deepak,
>>
>> Actually let me explain the context here (maybe not for you but at large)
>> In the case of ExternalLoginKeysManager, it's always "Authorisation". It's
>> explained there
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
>> https://en.wikipedia.org/wiki/Basic_access_authentication
>> And it's the only usage of the wrapper so far.
>>
>> Note that in the case of JWT token used in OAuth 2 you normally need to
>> use a bearer token
>> https://www.google.fr/search?q=http+authorization+header+bearer&ie=UTF-8
>> But in the case I committed it was not necessary (it's not OAuth 2, just a
>> JWT token) and I must say I got issue trying to encode things with it
>>
>> Anyway you are right, why not using name there, it will not change things,
>> and the wrapper idea could be then reused/refactored when adding other
>> related features, will do :)
>>
>> Jacques
>>
>>
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Thanks Jacques for detail,
but I think name is not always Authorisation in code we are having lots of
request.getHeader usage and its breaks their usage.
I'll confirm and reply here (just for reference.)
Need to backport this to 17.12 as well.
Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
www.hotwax.co
On Tue, Jan 16, 2018 at 3:26 PM, Jacques Le Roux <
jacques.le.roux@les7arts.com> wrote:
> Le 16/01/2018 à 09:53, Deepak Dixit a écrit :
>
>> + return super.getHeader("Authorisation");
>>>
>>> I think this should be
>>
>> return super.getHeader(name);
>>
> Thanks Deepak,
>
> Actually let me explain the context here (maybe not for you but at large)
> In the case of ExternalLoginKeysManager, it's always "Authorisation". It's
> explained there
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
> https://en.wikipedia.org/wiki/Basic_access_authentication
> And it's the only usage of the wrapper so far.
>
> Note that in the case of JWT token used in OAuth 2 you normally need to
> use a bearer token
> https://www.google.fr/search?q=http+authorization+header+bearer&ie=UTF-8
> But in the case I committed it was not necessary (it's not OAuth 2, just a
> JWT token) and I must say I got issue trying to encode things with it
>
> Anyway you are right, why not using name there, it will not change things,
> and the wrapper idea could be then reused/refactored when adding other
> related features, will do :)
>
> Jacques
>
>
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Le 16/01/2018 à 09:53, Deepak Dixit a écrit :
>> + return super.getHeader("Authorisation");
>>
> I think this should be
>
> return super.getHeader(name);
Thanks Deepak,
Actually let me explain the context here (maybe not for you but at large)
In the case of ExternalLoginKeysManager, it's always "Authorisation". It's explained there
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization
https://en.wikipedia.org/wiki/Basic_access_authentication
And it's the only usage of the wrapper so far.
Note that in the case of JWT token used in OAuth 2 you normally need to use a bearer token
https://www.google.fr/search?q=http+authorization+header+bearer&ie=UTF-8
But in the case I committed it was not necessary (it's not OAuth 2, just a JWT token) and I must say I got issue trying to encode things with it
Anyway you are right, why not using name there, it will not change things, and the wrapper idea could be then reused/refactored when adding other
related features, will do :)
Jacques
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Hi Jacques,
> Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/
> java/org/apache/ofbiz/webapp/control/ContextFilter.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/
> framework/webapp/src/main/java/org/apache/ofbiz/webapp/
> control/ContextFilter.java?rev=1813679&r1=1813678&r2=1813679&view=diff
> ============================================================
> ==================
> --- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/
> java/org/apache/ofbiz/webapp/control/ContextFilter.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/
> java/org/apache/ofbiz/webapp/control/ContextFilter.java Sun Oct 29
> 11:02:00 2017
> @@ -18,11 +18,8 @@
> ************************************************************
> *******************/
> package org.apache.ofbiz.webapp.control;
>
> -import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
> -
> import java.io.IOException;
> import java.util.Enumeration;
> -import java.util.Map;
>
> import javax.servlet.Filter;
> import javax.servlet.FilterChain;
> @@ -31,13 +28,12 @@ import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> +import javax.servlet.http.HttpServletRequestWrapper;
> import javax.servlet.http.HttpServletResponse;
>
> import org.apache.ofbiz.base.util.Debug;
> -import org.apache.ofbiz.base.util.StringUtil;
> import org.apache.ofbiz.base.util.UtilGenerics;
> import org.apache.ofbiz.base.util.UtilHttp;
> -import org.apache.ofbiz.base.util.UtilObject;
> import org.apache.ofbiz.base.util.UtilValidate;
> import org.apache.ofbiz.entity.Delegator;
> import org.apache.ofbiz.entity.DelegatorFactory;
> @@ -192,8 +188,29 @@ public class ContextFilter implements Fi
> }
> }
>
> + HttpServletRequestWrapper wrapper = new HttpServletRequestWrapper(httpRequest)
> {
> + @Override
> + public String getHeader(String name) {
> + String externalServerUserLoginId = request.getParameter(
> ExternalLoginKeysManager.EXTERNAL_SERVER_LOGIN_KEY);
> + String value = null;
> + if (externalServerUserLoginId != null) {
> + // ExternalLoginKeysManager .createJwt() arguments in
> order:
> + // id an Id, I suggest userLoginId
> + // issuer is who/what issued the token. I suggest the
> server DNS
> + // subject is the subject of the token. I suggest the
> destination webapp
> + // timeToLive is the token maximum duration
> + String webAppName = UtilHttp.getApplicationName(
> httpRequest);
> + String dnsName = ExternalLoginKeysManager.
> getExternalServerName(httpRequest);
> + long timeToLive = ExternalLoginKeysManager.
> getJwtTokenTimeToLive(httpRequest);
> + // We would need a Bearer token (in Authorisation
> request header) if we were using Oauth2, here we don't, so no Bearer
> + value = ExternalLoginKeysManager.createJwt(externalServerUserLoginId,
> dnsName, webAppName , timeToLive);
> + }
> + if (value != null) return value;
> + return super.getHeader("Authorisation");
>
I think this should be
return super.getHeader(name);
>
> + }
> + };
> // we're done checking; continue on
> - chain.doFilter(request, httpResponse);
> + chain.doFilter(wrapper, httpResponse);
> }
>
> /**
>
>
>
Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com
www.hotwax.co
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Oops, thanks Deepak :)
Fixed
Jacques
Le 30/10/2017 à 06:43, Deepak Dixit a écrit :
> Hi Jacques,
>
>> + if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("embisphere",
>> "use-external-server", "Y", delegator))) {
>>
> I think ti should be security instead of embisphere :)
>
Re: svn commit: r1813679 - in /ofbiz/ofbiz-framework/trunk: ./
framework/common/groovyScripts/ framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/
Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Hi Jacques,
> + if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("embisphere",
> "use-external-server", "Y", delegator))) {
>
I think ti should be security instead of embisphere :)