You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sling.apache.org by du...@apache.org on 2020/11/10 11:08:29 UTC
[sling-org-apache-sling-testing-clients] branch master updated:
SLING-9855 Invalidate login token when receiving 401
This is an automated email from the ASF dual-hosted git repository.
dulvac pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-testing-clients.git
The following commit(s) were added to refs/heads/master by this push:
new 74246de SLING-9855 Invalidate login token when receiving 401
74246de is described below
commit 74246de8737de9fbefcddc255bb43d40aadde8ef
Author: Andrei Dulvac <ad...@adobe.com>
AuthorDate: Tue Nov 10 11:58:00 2020 +0100
SLING-9855 Invalidate login token when receiving 401
---
pom.xml | 4 +-
.../apache/sling/testing/clients/SlingClient.java | 33 +++++++++
.../interceptors/FormBasedAuthInterceptor.java | 58 +++++++++++----
.../HttpRequestResponseInterceptor.java | 23 ++++++
.../testing/clients/interceptors/package-info.java | 2 +-
.../apache/sling/testing/clients/package-info.java | 2 +-
.../testing/FormBasedAuthInterceptorTest.java | 85 ++++++++++++++++++++++
7 files changed, 189 insertions(+), 18 deletions(-)
diff --git a/pom.xml b/pom.xml
index 6c0e602..1bf0094 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
<parent>
<groupId>org.apache.sling</groupId>
<artifactId>sling-bundle-parent</artifactId>
- <version>39</version>
+ <version>40</version>
<relativePath />
</parent>
@@ -38,7 +38,7 @@
<connection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-testing-clients.git</connection>
<developerConnection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-testing-clients.git</developerConnection>
<url>https://gitbox.apache.org/repos/asf?p=sling-org-apache-sling-testing-clients.git</url>
- <tag>org.apache.sling.testing.clients-2.0.6</tag>
+ <tag>HEAD</tag>
</scm>
<build>
diff --git a/src/main/java/org/apache/sling/testing/clients/SlingClient.java b/src/main/java/org/apache/sling/testing/clients/SlingClient.java
index 75814ca..baa3a0c 100644
--- a/src/main/java/org/apache/sling/testing/clients/SlingClient.java
+++ b/src/main/java/org/apache/sling/testing/clients/SlingClient.java
@@ -42,6 +42,7 @@ import org.apache.http.entity.mime.MultipartEntityBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.sling.testing.clients.interceptors.DelayRequestInterceptor;
+import org.apache.sling.testing.clients.interceptors.HttpRequestResponseInterceptor;
import org.apache.sling.testing.clients.interceptors.TestDescriptionInterceptor;
import org.apache.sling.testing.clients.util.FormEntityBuilder;
import org.apache.sling.testing.clients.util.HttpUtils;
@@ -768,6 +769,38 @@ public class SlingClient extends AbstractSlingClient {
}
/**
+ * Adds this protocol interceptor to the head of the protocol processing list for both requests and responses
+ * <p>
+ * Please note this value can be overridden by the {@link HttpClientBuilder#setHttpProcessor(
+ * org.apache.http.protocol.HttpProcessor)} method.
+ * </p>
+ *
+ * @param itcp the request and response interceptor
+ * @return this
+ */
+ public final InternalBuilder<T> addInterceptorFirst(final HttpRequestResponseInterceptor itcp) {
+ httpClientBuilder.addInterceptorFirst((HttpRequestInterceptor) itcp);
+ httpClientBuilder.addInterceptorFirst((HttpResponseInterceptor) itcp);
+ return this;
+ }
+
+ /**
+ * Adds this protocol interceptor to the tail of the protocol processing list for both requests and responses
+ * <p>
+ * Please note this value can be overridden by the {@link HttpClientBuilder#setHttpProcessor(
+ * org.apache.http.protocol.HttpProcessor)} method.
+ * </p>
+ *
+ * @param itcp the request and response interceptor
+ * @return this
+ */
+ public final InternalBuilder<T> addInterceptorLast(final HttpRequestResponseInterceptor itcp) {
+ httpClientBuilder.addInterceptorLast((HttpRequestInterceptor) itcp);
+ httpClientBuilder.addInterceptorLast((HttpResponseInterceptor) itcp);
+ return this;
+ }
+
+ /**
* Assigns {@link RedirectStrategy} instance.
* <p>Please note this value can be overridden by the {@link #disableRedirectHandling()} method.</p>
*
diff --git a/src/main/java/org/apache/sling/testing/clients/interceptors/FormBasedAuthInterceptor.java b/src/main/java/org/apache/sling/testing/clients/interceptors/FormBasedAuthInterceptor.java
index 962b2c3..409a328 100644
--- a/src/main/java/org/apache/sling/testing/clients/interceptors/FormBasedAuthInterceptor.java
+++ b/src/main/java/org/apache/sling/testing/clients/interceptors/FormBasedAuthInterceptor.java
@@ -21,6 +21,8 @@ import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
+import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
import org.apache.http.NameValuePair;
import org.apache.http.auth.AuthScope;
import org.apache.http.client.CredentialsProvider;
@@ -30,6 +32,7 @@ import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.cookie.Cookie;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.cookie.BasicClientCookie;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.protocol.HttpContext;
import org.apache.sling.testing.clients.util.ServerErrorRetryStrategy;
@@ -38,10 +41,11 @@ import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.net.URI;
+import java.util.Date;
import java.util.LinkedList;
import java.util.List;
-public class FormBasedAuthInterceptor implements HttpRequestInterceptor {
+public class FormBasedAuthInterceptor implements HttpRequestInterceptor, HttpRequestResponseInterceptor {
static final Logger LOG = LoggerFactory.getLogger(FormBasedAuthInterceptor.class);
private final String loginPath = "j_security_check";
@@ -51,6 +55,7 @@ public class FormBasedAuthInterceptor implements HttpRequestInterceptor {
this.loginTokenName = loginTokenName;
}
+ @Override
public void process(HttpRequest request, HttpContext context) throws HttpException, IOException {
final URI uri = URI.create(request.getRequestLine().getUri());
if (uri.getPath().endsWith(loginPath)) {
@@ -60,11 +65,47 @@ public class FormBasedAuthInterceptor implements HttpRequestInterceptor {
Cookie loginCookie = getLoginCookie(context, loginTokenName);
if (loginCookie != null) {
- LOG.debug("Request has cookie {}={} so I'm not intercepting the request",
- loginCookie.getName(), loginCookie.getValue());
+ LOG.debug("Request has cookie {} so I'm not intercepting the request", loginCookie.getName());
return;
}
+ doLogin(request, context);
+ }
+
+ @Override
+ public void process(HttpResponse response, HttpContext context) throws HttpException, IOException {
+ if (response.getStatusLine().getStatusCode() != HttpStatus.SC_UNAUTHORIZED) {
+ return;
+ }
+
+ if (URI.create(HttpClientContext.adapt(context).getRequest().getRequestLine().getUri()).getPath().endsWith(loginPath)) {
+ LOG.debug("Request ends with {} so I'm not intercepting the request", loginPath);
+ return;
+ }
+
+ Cookie loginCookie = getLoginCookie(context, loginTokenName);
+ if (loginCookie == null) {
+ return;
+ }
+ LOG.info("Response code was 401 even though {} is set. Removing the cookie.", loginCookie.getName());
+ BasicClientCookie expiredLoginTokenCookie = new BasicClientCookie(loginCookie.getName(), "expired");
+ expiredLoginTokenCookie.setExpiryDate(new Date(1)); // far enough in the past
+ expiredLoginTokenCookie.setDomain(loginCookie.getDomain());
+ expiredLoginTokenCookie.setPath(loginCookie.getPath());
+ HttpClientContext.adapt(context).getCookieStore().addCookie(expiredLoginTokenCookie);
+ }
+
+ /** Get login token cookie or null if not found */
+ private Cookie getLoginCookie(HttpContext context, String loginTokenName) {
+ for (Cookie cookie : HttpClientContext.adapt(context).getCookieStore().getCookies()) {
+ if (cookie.getName().equalsIgnoreCase(loginTokenName) && !cookie.getValue().isEmpty()) {
+ return cookie;
+ }
+ }
+ return null;
+ }
+
+ private void doLogin(HttpRequest request, HttpContext context) throws IOException {
// get host
final HttpHost host = HttpClientContext.adapt(context).getTargetHost();
@@ -88,16 +129,5 @@ public class FormBasedAuthInterceptor implements HttpRequestInterceptor {
.build();
client.execute(host, loginPost, context);
-
- }
-
- /** Get login token cookie or null if not found */
- private Cookie getLoginCookie(HttpContext context, String loginTokenName) {
- for (Cookie cookie : HttpClientContext.adapt(context).getCookieStore().getCookies()) {
- if (cookie.getName().equalsIgnoreCase(loginTokenName) && !cookie.getValue().isEmpty()) {
- return cookie;
- }
- }
- return null;
}
}
diff --git a/src/main/java/org/apache/sling/testing/clients/interceptors/HttpRequestResponseInterceptor.java b/src/main/java/org/apache/sling/testing/clients/interceptors/HttpRequestResponseInterceptor.java
new file mode 100644
index 0000000..d596b70
--- /dev/null
+++ b/src/main/java/org/apache/sling/testing/clients/interceptors/HttpRequestResponseInterceptor.java
@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sling.testing.clients.interceptors;
+
+import org.apache.http.HttpRequestInterceptor;
+import org.apache.http.HttpResponseInterceptor;
+
+public interface HttpRequestResponseInterceptor extends HttpRequestInterceptor, HttpResponseInterceptor {
+}
diff --git a/src/main/java/org/apache/sling/testing/clients/interceptors/package-info.java b/src/main/java/org/apache/sling/testing/clients/interceptors/package-info.java
index 25c711d..4279cef 100644
--- a/src/main/java/org/apache/sling/testing/clients/interceptors/package-info.java
+++ b/src/main/java/org/apache/sling/testing/clients/interceptors/package-info.java
@@ -17,7 +17,7 @@
* under the License.
*/
-@Version("1.1.0")
+@Version("1.2.0")
package org.apache.sling.testing.clients.interceptors;
import org.osgi.annotation.versioning.Version;
diff --git a/src/main/java/org/apache/sling/testing/clients/package-info.java b/src/main/java/org/apache/sling/testing/clients/package-info.java
index 94da83e..9e17199 100644
--- a/src/main/java/org/apache/sling/testing/clients/package-info.java
+++ b/src/main/java/org/apache/sling/testing/clients/package-info.java
@@ -17,7 +17,7 @@
* under the License.
*/
-@Version("2.2.0")
+@Version("2.3.0")
package org.apache.sling.testing.clients;
import org.osgi.annotation.versioning.Version;
diff --git a/src/test/java/org/apache/sling/testing/FormBasedAuthInterceptorTest.java b/src/test/java/org/apache/sling/testing/FormBasedAuthInterceptorTest.java
new file mode 100644
index 0000000..5d8f9d4
--- /dev/null
+++ b/src/test/java/org/apache/sling/testing/FormBasedAuthInterceptorTest.java
@@ -0,0 +1,85 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sling.testing;
+
+import org.apache.http.cookie.Cookie;
+import org.apache.http.entity.StringEntity;
+import org.apache.sling.testing.clients.HttpServerRule;
+import org.apache.sling.testing.clients.SlingClient;
+import org.apache.sling.testing.clients.interceptors.FormBasedAuthInterceptor;
+import org.junit.Assert;
+import org.junit.ClassRule;
+import org.junit.Test;
+
+import java.util.Date;
+import java.util.Optional;
+
+import static org.hamcrest.CoreMatchers.is;
+
+public class FormBasedAuthInterceptorTest {
+
+ private static final String LOGIN_COOKIE_NAME = "login-token";
+ private static final String LOGIN_COOKIE_VALUE = "testvalue";
+ private static final String OK_PATH = "/test/ok";
+ private static final String LOGIN_OK_PATH = OK_PATH + "/j_security_check";
+ private static final String UNAUTHORIZED_PATH = "/test/unauthorized";
+ private static final String LOGIN_OK_RESPONSE = "TEST_OK LOGIN";
+ private static final String UNAUTHORIZED_RESPONSE = "TEST_UNAUTHORIZED";
+
+ @ClassRule
+ public static HttpServerRule httpServer = new HttpServerRule() {
+ @Override
+ protected void registerHandlers() {
+ serverBootstrap.registerHandler(LOGIN_OK_PATH, (request, response, context) -> {
+ response.setEntity(new StringEntity(LOGIN_OK_RESPONSE));
+ response.setStatusCode(200);
+ response.setHeader("set-cookie", LOGIN_COOKIE_NAME + "=" + LOGIN_COOKIE_VALUE +
+ "; Path=/; HttpOnly; Max-Age=3600; Secure; SameSite=Lax");
+ });
+ serverBootstrap.registerHandler(UNAUTHORIZED_PATH, (request, response, context) -> {
+ response.setEntity(new StringEntity(UNAUTHORIZED_RESPONSE));
+ response.setStatusCode(401);
+ });
+ }
+ };
+
+ @Test
+ public void testLoginToken() throws Exception {
+ FormBasedAuthInterceptor interceptor = new FormBasedAuthInterceptor(LOGIN_COOKIE_NAME);
+ SlingClient c = SlingClient.Builder.create(httpServer.getURI(), "user", "pass")
+ .addInterceptorLast(interceptor).build();
+
+ // Make sure cookie is stored
+ c.doGet(LOGIN_OK_PATH, 200);
+ Optional<Cookie> loginCookie = getLoginCookie(c);
+ Assert.assertThat("login token cookie should be stored on the client config",
+ loginCookie.isPresent(), is(true));
+ Assert.assertThat("login token cookie should not be expired",
+ loginCookie.get().isExpired(new Date()), is(false));
+
+ c.doGet(UNAUTHORIZED_PATH, 401);
+ loginCookie = getLoginCookie(c);
+ Assert.assertThat("login token cookie should be forced removed from the client config",
+ loginCookie.isPresent(), is(false));
+ }
+
+ private static Optional<Cookie> getLoginCookie(SlingClient c) {
+ return c.getCookieStore().getCookies().stream().filter(
+ cookie -> LOGIN_COOKIE_NAME.equals(cookie.getName())).findFirst();
+ }
+
+}