Posted to commits@qpid.apache.org by lq...@apache.org on 2016/12/13 14:27:20 UTC
svn commit: r1774022 - in /qpid/java/trunk:
broker-core/src/main/java/org/apache/qpid/server/logging/
broker-core/src/main/java/org/apache/qpid/server/logging/subjects/
broker-core/src/main/java/org/apache/qpid/server/security/auth/
broker-core/src/tes...
Author: lquack
Date: Tue Dec 13 14:27:19 2016
New Revision: 1774022
URL: http://svn.apache.org/viewvc?rev=1774022&view=rev
Log:
QPID-7549: [Java Broker] Ensure subject is created for REST requests
* change the format of operational logging for management operations
* refactor HTTP Filters
Added:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java
- copied, changed from r1774020, qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java
Removed:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/PreemptiveSessionInvalidationFilter.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java
qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/filter/
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java
qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java
qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java Tue Dec 13 14:27:19 2016
@@ -21,6 +21,18 @@
package org.apache.qpid.server.logging;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CHANNEL_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CONNECTION_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.SOCKET_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.USER_FORMAT;
+
+import java.security.AccessController;
+import java.security.Principal;
+import java.text.MessageFormat;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
import org.apache.qpid.server.connection.ConnectionPrincipal;
import org.apache.qpid.server.connection.SessionPrincipal;
import org.apache.qpid.server.logging.subjects.LogSubjectFormat;
@@ -30,17 +42,6 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.TaskPrincipal;
import org.apache.qpid.server.transport.AMQPConnection;
-import javax.security.auth.Subject;
-import java.security.AccessController;
-import java.security.Principal;
-import java.text.MessageFormat;
-import java.util.Set;
-
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CHANNEL_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CONNECTION_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.SOCKET_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.USER_FORMAT;
-
public abstract class AbstractMessageLogger implements MessageLogger
{
public static final String DEFAULT_LOG_HIERARCHY_PREFIX = "qpid.message.";
@@ -137,7 +138,15 @@ public abstract class AbstractMessageLog
{
String remoteAddress = managementConnection.getRemoteAddress().toString();
String user = userPrincipal == null ? "N/A" : userPrincipal.getName();
- return "[" + MessageFormat.format(LogSubjectFormat.MANAGEMENT_FORMAT, user, remoteAddress) + "] ";
+ String sessionId = managementConnection.getSessionId();
+ if (sessionId == null)
+ {
+ sessionId = "N/A";
+ }
+ return "[" + MessageFormat.format(LogSubjectFormat.MANAGEMENT_FORMAT,
+ sessionId,
+ user,
+ remoteAddress) + "] ";
}
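Review bot: The null fallback for the session id is written as a four-line if-block while the user fallback two lines above it uses a ternary, so the two "N/A" defaults in the same method read as if they followed different rules. `String sessionId = Objects.toString(managementConnection.getSessionId(), "N/A");` (java.util.Objects, Java 7+) expresses it in one line, and the user line could take the same shape for consistency. The method's signature sits above the hunk, so the surrounding context is not visible here.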
private String generateTaskMessage(final TaskPrincipal taskPrincipal)
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java Tue Dec 13 14:27:19 2016
@@ -39,10 +39,11 @@ public class LogSubjectFormat
/**
* LOG FORMAT for the ManagementActors,
- * 0 - User ID
- * 1 - IP[:Port]
+ * 0 - Session ID
+ * 1 - User ID
+ * 2 - IP[:Port]
*/
- public static final String MANAGEMENT_FORMAT = "mng:{0}({1})";
+ public static final String MANAGEMENT_FORMAT = "mng:{0}({1}@{2})";
/**
* LOG FORMAT for the Subscription Log Subject
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java Tue Dec 13 14:27:19 2016
@@ -22,5 +22,7 @@ package org.apache.qpid.server.security.
public interface ManagementConnectionPrincipal extends SocketConnectionPrincipal
{
- public String getType();
+ String getType();
+
+ String getSessionId();
}
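Review bot: The new `getSessionId()` has no Javadoc, and the only place that reveals it may return null is the null check added to AbstractMessageLogger in this same commit. Since it is an interface method that other ManagementConnectionPrincipal implementations will have to satisfy, the contract should be stated on the interface: `/** Returns an opaque identifier for the management session, or {@code null} when the connection has no session. Implementations should not return the raw session identifier, which is a credential. */`. The servlet implementation in this commit returns a truncated SHA-256 of the HTTP session id, which is what the last sentence documents.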
Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java Tue Dec 13 14:27:19 2016
@@ -50,7 +50,12 @@ public class HttpManagementActorTest ext
};
private static final String IP = "127.0.0.1";
private static final int PORT = 1;
- private static final String SUFFIX = "(/" + IP + ":" + PORT + ")] ";
+ private static final String TEST_USER = "guest";
+ private static final String SESSION_ID = "testSession";
+
+ private static final String FORMAT = "[mng:%s(%s@/" + IP + ":" + PORT + ")] ";
+ private static final Object NA = "N/A";
+
private ManagementConnectionPrincipal _connectionPrincipal;
@Override
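Review bot: `NA` is declared as `Object` although it only ever holds the string `"N/A"` and is passed to `String.format` next to `SESSION_ID` and `TEST_USER`, which are `String`; `private static final String NA = "N/A";` keeps the constants uniform. `FORMAT` also hard-codes the `mng:` prefix and the `@` separator that `LogSubjectFormat.MANAGEMENT_FORMAT` defines, so a future change to that format will fail these assertions for a cosmetic reason; building the expected value through `MessageFormat.format(LogSubjectFormat.MANAGEMENT_FORMAT, ...)` would tie the test to the real format. The class continues outside the hunk.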
@@ -66,6 +71,12 @@ public class HttpManagementActorTest ext
}
@Override
+ public String getSessionId()
+ {
+ return SESSION_ID;
+ }
+
+ @Override
public SocketAddress getRemoteAddress()
{
return new InetSocketAddress(IP, PORT);
@@ -87,7 +98,7 @@ public class HttpManagementActorTest ext
public void testSubjectPrincipalNameAppearance()
{
- Subject subject = TestPrincipalUtils.createTestSubject("guest");
+ Subject subject = TestPrincipalUtils.createTestSubject(TEST_USER);
subject.getPrincipals().add(_connectionPrincipal);
@@ -106,7 +117,8 @@ public class HttpManagementActorTest ext
String logMessage = logs.get(0).toString();
assertTrue("Message was not found in log message", logMessage.contains(message));
- assertTrue("Message does not contain expected value: " + logMessage, logMessage.contains("[mng:guest" + SUFFIX));
+ assertTrue("Message does not contain expected value: " + logMessage,
+ logMessage.startsWith(String.format(FORMAT, SESSION_ID, TEST_USER)));
}
/** It's necessary to test successive calls because HttpManagementActor caches
@@ -137,8 +149,9 @@ public class HttpManagementActorTest ext
String logMessage = logs.get(0).toString();
assertEquals("Unexpected log message",
- "[mng:" + "N/A" + SUFFIX,
+ String.format(FORMAT, SESSION_ID, NA),
logMessage);
+
return null;
}
});
@@ -164,6 +177,6 @@ public class HttpManagementActorTest ext
}
});
- assertEquals("Unexpected log message", "[mng:" + principalName + SUFFIX, message);
+ assertTrue("Unexpected log message", message.startsWith(String.format(FORMAT, SESSION_ID, principalName)));
}
}
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java Tue Dec 13 14:27:19 2016
@@ -72,12 +72,11 @@ import org.apache.qpid.server.configurat
import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
import org.apache.qpid.server.logging.messages.PortMessages;
import org.apache.qpid.server.management.plugin.connector.TcpAndSslSelectChannelConnector;
+import org.apache.qpid.server.management.plugin.filter.AuthenticationCheckFilter;
import org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter;
-import org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter;
import org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter;
import org.apache.qpid.server.management.plugin.filter.LoggingFilter;
-import org.apache.qpid.server.management.plugin.filter.RedirectingAuthorisationFilter;
-import org.apache.qpid.server.management.plugin.filter.PreemptiveSessionInvalidationFilter;
+import org.apache.qpid.server.management.plugin.filter.RedirectingFilter;
import org.apache.qpid.server.management.plugin.filter.RewriteRequestForUncompressedJavascript;
import org.apache.qpid.server.management.plugin.servlet.FileServlet;
import org.apache.qpid.server.management.plugin.servlet.RootServlet;
@@ -324,22 +323,20 @@ public class HttpManagement extends Abst
corsFilter.setInitParameter(CrossOriginFilter.ALLOW_CREDENTIALS_PARAM, String.valueOf(getCorsAllowCredentials()));
root.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
- root.addFilter(new FilterHolder(new PreemptiveSessionInvalidationFilter()), "/api/*", EnumSet.of(DispatcherType.REQUEST));
+ root.addFilter(new FilterHolder(new ForbiddingTraceFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
FilterHolder loggingFilter = new FilterHolder(new LoggingFilter());
root.addFilter(loggingFilter, "/api/*", EnumSet.of(DispatcherType.REQUEST));
root.addFilter(loggingFilter, "/service/*", EnumSet.of(DispatcherType.REQUEST));
- root.addFilter(new FilterHolder(new ForbiddingTraceFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
- FilterHolder restAuthorizationFilter = new FilterHolder(new ForbiddingAuthorisationFilter());
- restAuthorizationFilter.setInitParameter(ForbiddingAuthorisationFilter.INIT_PARAM_ALLOWED, "/service/sasl");
+ FilterHolder restAuthorizationFilter = new FilterHolder(new AuthenticationCheckFilter());
+ restAuthorizationFilter.setInitParameter(AuthenticationCheckFilter.INIT_PARAM_ALLOWED, "/service/sasl");
root.addFilter(restAuthorizationFilter, "/api/*", EnumSet.of(DispatcherType.REQUEST));
root.addFilter(restAuthorizationFilter, "/apidocs/*", EnumSet.of(DispatcherType.REQUEST));
root.addFilter(restAuthorizationFilter, "/service/*", EnumSet.of(DispatcherType.REQUEST));
- root.addFilter(new FilterHolder(new RedirectingAuthorisationFilter()), "/index.html", EnumSet.of(DispatcherType.REQUEST));
- root.addFilter(new FilterHolder(new RedirectingAuthorisationFilter()), "/", EnumSet.of(DispatcherType.REQUEST));
-
+ root.addFilter(new FilterHolder(new RedirectingFilter()), "/index.html", EnumSet.of(DispatcherType.REQUEST));
+ root.addFilter(new FilterHolder(new RedirectingFilter()), "/", EnumSet.of(DispatcherType.REQUEST));
if (_serveUncompressedDojo)
{
root.addFilter(RewriteRequestForUncompressedJavascript.class, "/dojo/dojo/*", EnumSet.of(DispatcherType.REQUEST));
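Review bot: `restAuthorizationFilter` now holds an `AuthenticationCheckFilter`, so the local name describes the class this commit deleted rather than the one it registers; `FilterHolder authenticationCheckFilter = new FilterHolder(new AuthenticationCheckFilter());` would keep the three `addFilter` lines honest about what they install. Dropping `PreemptiveSessionInvalidationFilter` from `/api/*` means session invalidation after header-based authentication now depends entirely on the `finally` block inside AuthenticationCheckFilter, which is worth a one-line comment here so the next person does not re-add a filter for it. The enclosing method starts and ends outside the hunk.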
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java Tue Dec 13 14:27:19 2016
@@ -103,26 +103,6 @@ public class HttpManagementUtil
return (session == null ? null : (Subject) session.getAttribute(getRequestSpecificAttributeName(ATTR_SUBJECT,request)));
}
- public static void checkRequestAuthenticatedAndAccessAuthorized(HttpServletRequest request, Broker broker,
- HttpManagementConfiguration managementConfig)
- {
- Subject subject = getAuthorisedSubject(request);
- if (subject == null)
- {
- subject = tryToAuthenticate(request, managementConfig);
- if (subject == null)
- {
- throw new SecurityException("Only authenticated users can access the management interface");
- }
-
- subject = createServletConnectionSubject(request, subject);
-
- assertManagementAccess(broker, subject);
-
- saveAuthorisedSubject(request, subject);
- }
- }
-
public static Subject createServletConnectionSubject(final HttpServletRequest request, Subject original)
{
Subject subject = new Subject(false,
Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java?rev=1774022&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java Tue Dec 13 14:27:19 2016
@@ -0,0 +1,210 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.management.plugin.filter;
+
+import java.io.IOException;
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
+
+public class AuthenticationCheckFilter implements Filter
+{
+ public static final String INIT_PARAM_ALLOWED = "allowed";
+ private String _allowed = null;
+
+ private Broker _broker;
+ private HttpManagementConfiguration _managementConfiguration;
+
+ @Override
+ public void init(final FilterConfig filterConfig) throws ServletException
+ {
+ String allowed = filterConfig.getInitParameter(INIT_PARAM_ALLOWED);
+ if (allowed != null && !"".equals(allowed))
+ {
+ _allowed = allowed;
+ }
+ ServletContext servletContext = filterConfig.getServletContext();
+ _broker = HttpManagementUtil.getBroker(servletContext);
+ _managementConfiguration = HttpManagementUtil.getManagementConfiguration(servletContext);
+ }
+
+ @Override
+ public void destroy()
+ {
+
+ }
+
+ @Override
+ public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
+ throws IOException, ServletException
+ {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ boolean isPreemptiveAuthentication = false;
+
+ try
+ {
+ Subject subject = HttpManagementUtil.getAuthorisedSubject(httpRequest);
+
+ if (subject == null)
+ {
+ if (_allowed != null && httpRequest.getServletPath().startsWith(_allowed))
+ {
+ subject = new Subject(true,
+ Collections.<Principal>singleton(new ServletConnectionPrincipal(httpRequest)),
+ Collections.emptySet(),
+ Collections.emptySet());
+ }
+ else
+ {
+ subject = tryPreemptiveAuthentication(httpRequest);
+ isPreemptiveAuthentication = true;
+ }
+ }
+ else
+ {
+ Set<Principal> principals = subject.getPrincipals();
+ Set<Principal> newPrincipals = new LinkedHashSet<>();
+ for (Principal principal : principals)
+ {
+ if (!(principal instanceof ManagementConnectionPrincipal))
+ {
+ newPrincipals.add(principal);
+ }
+ }
+ subject = new Subject(false,
+ principals, subject.getPublicCredentials(), subject.getPrivateCredentials());
+ ServletConnectionPrincipal principal = new ServletConnectionPrincipal(httpRequest);
+ subject.getPrincipals().add(principal);
+ subject.setReadOnly();
+ }
+
+ doFilterChainAs(request, response, chain, subject);
+ }
+ catch (AccessControlException e)
+ {
+ httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+ invalidateSession(httpRequest);
+ return;
+ }
+ catch (SecurityException e)
+ {
+ httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+ invalidateSession(httpRequest);
+ return;
+ }
+ finally
+ {
+ if (isPreemptiveAuthentication)
+ {
+ invalidateSession(httpRequest);
+ }
+ }
+ }
+
+ private void doFilterChainAs(final ServletRequest request,
+ final ServletResponse response,
+ final FilterChain chain,
+ final Subject subject) throws IOException, ServletException
+ {
+ try
+ {
+ Subject.doAs(subject, new PrivilegedExceptionAction<Void>()
+ {
+ @Override
+ public Void run() throws IOException, ServletException
+ {
+ chain.doFilter(request, response);
+ return null;
+ }
+ });
+ }
+ catch (PrivilegedActionException e)
+ {
+ Throwable cause = e.getCause();
+
+ if (cause instanceof IOException)
+ {
+ throw (IOException) cause;
+ }
+ else if (cause instanceof ServletException)
+ {
+ throw (ServletException) cause;
+ }
+ else if (cause instanceof Error)
+ {
+ throw (Error) cause;
+ }
+ else if (cause instanceof RuntimeException)
+ {
+ throw (RuntimeException) cause;
+ }
+
+ throw new ConnectionScopedRuntimeException(e.getCause());
+ }
+ }
+
+ private Subject tryPreemptiveAuthentication(final HttpServletRequest httpRequest)
+ {
+ Subject subject = HttpManagementUtil.tryToAuthenticate(httpRequest, _managementConfiguration);
+ if (subject == null)
+ {
+ throw new SecurityException("Only authenticated users can access the management interface");
+ }
+
+ subject = HttpManagementUtil.createServletConnectionSubject(httpRequest, subject);
+
+ HttpManagementUtil.assertManagementAccess(_broker, subject);
+
+ return subject;
+ }
+
+ private void invalidateSession(final HttpServletRequest httpRequest)
+ {
+ HttpSession session = httpRequest.getSession(false);
+ if (session != null)
+ {
+ session.invalidate();
+ }
+ }
+}
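Review bot: `newPrincipals` in the session branch of `doFilter` is filled with every principal except the existing `ManagementConnectionPrincipal` but is never used: the `Subject` constructed immediately after it is built from the original `principals`, so the stale connection principal from the request that created the session survives alongside the freshly added `ServletConnectionPrincipal`. The intended line is `subject = new Subject(false, newPrincipals, subject.getPublicCredentials(), subject.getPrivateCredentials());`. Whichever of the two `ManagementConnectionPrincipal`s AbstractMessageLogger picks presumably decides the remote address and session id written to the operational log, so a log line may describe the login request rather than the current one; a unit test would catch this, and the old filter tests under plugin/filter/ were removed by this commit. Separately, `httpRequest.getServletPath().startsWith(_allowed)` is a prefix match, so the `/service/sasl` allowance also covers any sibling path beginning with those characters; an equality check, or a comparison that requires the next character to be `/` or end-of-string, would be tighter.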
Copied: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java (from r1774020, qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java?p2=qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java&p1=qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java&r1=1774020&r2=1774022&rev=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java Tue Dec 13 14:27:19 2016
@@ -26,6 +26,7 @@ import java.util.Collection;
import java.util.Collections;
import java.util.List;
+import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -41,8 +42,9 @@ import org.apache.qpid.server.management
import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.plugin.QpidServiceLoader;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
-public class RedirectingAuthorisationFilter implements Filter
+public class RedirectingFilter implements Filter
{
private static final Collection<HttpRequestInteractiveAuthenticator> AUTHENTICATORS;
@@ -56,8 +58,6 @@ public class RedirectingAuthorisationFil
AUTHENTICATORS = Collections.unmodifiableList(authenticators);
}
-
- private Broker _broker;
private HttpManagementConfiguration _managementConfiguration;
@Override
@@ -69,7 +69,6 @@ public class RedirectingAuthorisationFil
public void init(FilterConfig config) throws ServletException
{
ServletContext servletContext = config.getServletContext();
- _broker = HttpManagementUtil.getBroker(servletContext);
_managementConfiguration = HttpManagementUtil.getManagementConfiguration(servletContext);
}
@@ -79,12 +78,12 @@ public class RedirectingAuthorisationFil
{
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
- try
+ Subject subject = HttpManagementUtil.getAuthorisedSubject(httpRequest);
+ if (subject != null && !subject.getPrincipals(AuthenticatedPrincipal.class).isEmpty())
{
- HttpManagementUtil.checkRequestAuthenticatedAndAccessAuthorized(httpRequest, _broker, _managementConfiguration);
chain.doFilter(request, response);
}
- catch(SecurityException e)
+ else
{
HttpRequestInteractiveAuthenticator.AuthenticationHandler handler = null;
for(HttpRequestInteractiveAuthenticator authenticator : AUTHENTICATORS)
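Review bot: The new condition admits any session whose Subject carries an `AuthenticatedPrincipal`, whereas the removed `checkRequestAuthenticatedAndAccessAuthorized` call also ran `assertManagementAccess` on every request; this is only equivalent if every code path that stores a Subject in the session has already performed that check, which this filter can no longer verify on its own. A comment on the condition stating that assumption, e.g. `// A Subject is only stored in the session after management access has been asserted (presumably by SaslServlet); this filter does not re-check it.`, would make the dependency explicit, with the "presumably" resolved against the SaslServlet hunk, which is not shown here. The filter also no longer attempts header-based authentication for `/` and `/index.html`, so a client presenting credentials without a session is sent to the interactive login handler; if that is intended it deserves a line in the commit log. `doFilter` continues beyond the hunk.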
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java Tue Dec 13 14:27:19 2016
@@ -20,10 +20,16 @@
*/
package org.apache.qpid.server.management.plugin.servlet;
+import java.io.UnsupportedEncodingException;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.model.Protocol;
import org.apache.qpid.server.model.Transport;
@@ -33,14 +39,37 @@ import org.apache.qpid.server.security.a
public class ServletConnectionPrincipal implements ManagementConnectionPrincipal
{
private static final long serialVersionUID = 1L;
+ private static final String UTF8 = StandardCharsets.UTF_8.name();
+ private static final int HASH_TRUNCATION_LENGTH = 8;
private final InetSocketAddress _address;
+ private final String _sessionId;
private ServletRequestMetaData _metadata;
public ServletConnectionPrincipal(HttpServletRequest request)
{
_address = new InetSocketAddress(request.getRemoteHost(), request.getRemotePort());
_metadata = new ServletRequestMetaData(request);
+ HttpSession session = request.getSession(false);
+ if (session != null)
+ {
+ MessageDigest md;
+ try
+ {
+ md = MessageDigest.getInstance("SHA-256");
+ md.update(session.getId().getBytes(UTF8));
+ }
+ catch (NoSuchAlgorithmException | UnsupportedEncodingException e)
+ {
+ throw new RuntimeException("Cannot create SHA-256 hash", e);
+ }
+ byte[] digest = md.digest();
+ _sessionId = DatatypeConverter.printBase64Binary(digest).substring(0, HASH_TRUNCATION_LENGTH);
+ }
+ else
+ {
+ _sessionId = null;
+ }
}
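Review bot: The constructor hashes the session id via a String charset name, `session.getId().getBytes(UTF8)`, which is the only reason `UnsupportedEncodingException` has to be caught; `session.getId().getBytes(StandardCharsets.UTF_8)` cannot throw, so the `UTF8` constant and that half of the multi-catch can go, leaving `NoSuchAlgorithmException` as the sole checked exception. `javax.xml.bind.DatatypeConverter` belongs to JAXB, which is no longer shipped with the JDK from Java 11 onwards; `java.util.Base64` (Java 8+) is the standard-library replacement should the broker move off Java 8. The hashing itself deserves a comment explaining the intent, e.g. `// The raw session id is a bearer credential; log a truncated SHA-256 of it so log lines can be correlated without exposing anything reusable.`, and a reader should know that eight base64 characters carry 48 bits, which is ample for correlation but not a uniqueness guarantee.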
@Override
@@ -95,6 +124,13 @@ public class ServletConnectionPrincipal
return "HTTP";
}
+ @Override
+ public String getSessionId()
+ {
+ return _sessionId;
+ }
+
+
private static class ServletRequestMetaData implements SocketConnectionMetaData
{
private final HttpServletRequest _request;
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java Tue Dec 13 14:27:19 2016
@@ -27,8 +27,6 @@ import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
@@ -36,7 +34,6 @@ import java.util.concurrent.ConcurrentHa
import java.util.concurrent.ConcurrentMap;
import java.util.zip.GZIPOutputStream;
-import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
@@ -71,7 +68,7 @@ public abstract class AbstractServlet ex
{
public static final int SC_UNPROCESSABLE_ENTITY = 422;
private static final Logger LOGGER = LoggerFactory.getLogger(AbstractServlet.class);
- public static final String CONTENT_DISPOSITION = "Content-disposition";
+ public static final String CONTENT_DISPOSITION = "Content-Disposition";
private transient Broker<?> _broker;
private transient HttpManagementConfiguration _managementConfiguration;
@@ -93,28 +90,6 @@ public abstract class AbstractServlet ex
super.init();
}
- @Override
- protected final void doGet(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
- {
- doWithSubjectAndActor(
- new PrivilegedExceptionAction<Void>()
- {
- @Override
- public Void run() throws Exception
- {
- ConfiguredObject<?> managedObject = getManagedObject(request, resp);
- if(managedObject != null)
- {
- doGetWithSubjectAndActor(request, resp, managedObject);
- }
- return null;
- }
- },
- request,
- resp
- );
- }
-
private ConfiguredObject<?> getManagedObject(final HttpServletRequest request, final HttpServletResponse resp)
{
HttpPort<?> port = HttpManagement.getPort(request);
@@ -139,13 +114,19 @@ public abstract class AbstractServlet ex
}
}
- /**
- * Performs the GET action as the logged-in {@link Subject}.
- * Subclasses commonly override this method
- */
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse resp,
- ConfiguredObject<?> managedObject) throws ServletException, IOException
+ @Override
+ protected final void doGet(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
+ {
+ ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+ if(managedObject != null)
+ {
+ doGet(request, resp, managedObject);
+ }
+ }
+
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse resp,
+ ConfiguredObject<?> managedObject) throws ServletException, IOException
{
throw new UnsupportedOperationException("GET not supported by this servlet");
}
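Review bot: The new `doGet(request, resp)` at L668–L676 dispatches to the protected handler without any authentication check, whereas the removed version (L633–L653 and the deleted `doWithSubjectAndActor`/`getAuthorisedSubject`) rejected requests with no Subject with a 401; the servlet now depends entirely on the filter layer (the commit adds `AuthenticationCheckFilter`), and nothing in the hunk records that precondition. The removed Javadoc ("Performs the GET action as the logged-in Subject") was dropped rather than carried over to the renamed `doGet(HttpServletRequest, HttpServletResponse, ConfiguredObject<?>)` at L678, so a subclass author cannot see from this class that the authenticated Subject is expected to already be in the AccessControlContext (as `SaslServlet` now reads it). I would add on L678 `/** Performs the GET action. Invoked only after the authentication filter has established the caller's {@link javax.security.auth.Subject}; subclasses commonly override this method. */` (fully qualified because the `Subject` import is removed at L618), and the equivalent on the renamed `doPost` (L721), `doPut` (L767) and `doDelete` (L855) in the following hunks. Whether every servlet mapping is actually covered by the new filter is not visible here and is worth confirming in the web.xml/registration change.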
@@ -154,32 +135,16 @@ public abstract class AbstractServlet ex
@Override
protected final void doPost(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
{
- doWithSubjectAndActor(
- new PrivilegedExceptionAction<Void>()
- {
- @Override
- public Void run() throws Exception
- {
- ConfiguredObject<?> managedObject = getManagedObject(request, resp);
- if(managedObject != null)
- {
- doPostWithSubjectAndActor(request, resp, managedObject);
- }
- return null;
- }
- },
- request,
- resp
- );
- }
-
- /**
- * Performs the POST action as the logged-in {@link Subject}.
- * Subclasses commonly override this method
- */
- protected void doPostWithSubjectAndActor(HttpServletRequest req,
- HttpServletResponse resp,
- ConfiguredObject<?> managedObject) throws ServletException, IOException
+ ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+ if(managedObject != null)
+ {
+ doPost(request, resp, managedObject);
+ }
+ }
+
+ protected void doPost(HttpServletRequest req,
+ HttpServletResponse resp,
+ ConfiguredObject<?> managedObject) throws ServletException, IOException
{
throw new UnsupportedOperationException("POST not supported by this servlet");
}
@@ -187,38 +152,16 @@ public abstract class AbstractServlet ex
@Override
protected final void doPut(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
{
- doWithSubjectAndActor(
- new PrivilegedExceptionAction<Void>()
- {
- @Override
- public Void run() throws Exception
- {
- ConfiguredObject<?> managedObject = getManagedObject(request, resp);
- if(managedObject != null)
- {
- doPutWithSubjectAndActor(request, resp, managedObject);
- }
- return null;
- }
- },
- request,
- resp
- );
- }
-
- public OutputStream getOutputStream(final HttpServletRequest request, final HttpServletResponse response)
- throws IOException
- {
- return HttpManagementUtil.getOutputStream(request, response, _managementConfiguration);
+ ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+ if(managedObject != null)
+ {
+ doPut(request, resp, managedObject);
+ }
}
- /**
- * Performs the PUT action as the logged-in {@link Subject}.
- * Subclasses commonly override this method
- */
- protected void doPutWithSubjectAndActor(HttpServletRequest req,
- HttpServletResponse resp,
- final ConfiguredObject<?> managedObject) throws ServletException, IOException
+ protected void doPut(HttpServletRequest req,
+ HttpServletResponse resp,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
throw new UnsupportedOperationException("PUT not supported by this servlet");
}
@@ -227,91 +170,24 @@ public abstract class AbstractServlet ex
protected final void doDelete(final HttpServletRequest request, final HttpServletResponse resp)
throws ServletException, IOException
{
- doWithSubjectAndActor(
- new PrivilegedExceptionAction<Void>()
- {
- @Override
- public Void run() throws Exception
- {
- ConfiguredObject<?> managedObject = getManagedObject(request, resp);
- if(managedObject != null)
- {
- doDeleteWithSubjectAndActor(request, resp, managedObject);
- }
- return null;
- }
- },
- request,
- resp
- );
- }
-
- /**
- * Performs the PUT action as the logged-in {@link Subject}.
- * Subclasses commonly override this method
- */
- protected void doDeleteWithSubjectAndActor(HttpServletRequest req,
- HttpServletResponse resp,
- ConfiguredObject<?> managedObject) throws ServletException, IOException
- {
- throw new UnsupportedOperationException("DELETE not supported by this servlet");
- }
-
- private void doWithSubjectAndActor(
- PrivilegedExceptionAction<Void> privilegedExceptionAction,
- final HttpServletRequest request,
- final HttpServletResponse resp) throws IOException
- {
- Subject subject;
- try
- {
- subject = getAuthorisedSubject(request);
- }
- catch (SecurityException e)
- {
- sendError(resp, HttpServletResponse.SC_UNAUTHORIZED);
- return;
- }
-
- try
- {
- Subject.doAs(subject, privilegedExceptionAction);
- }
- catch(RuntimeException e)
+ ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+ if(managedObject != null)
{
- throw e;
+ doDelete(request, resp, managedObject);
}
- catch (PrivilegedActionException e)
- {
- Throwable cause = e.getCause();
-
- // Jetty uses EofException to signal an EOF from the peer (e.g. broken pipe etc). It arises in
- // situations such as abnormal browser termination etc.
- if (cause instanceof org.eclipse.jetty.io.EofException)
- {
- throw (IOException)cause;
- }
+ }
- if(cause instanceof RuntimeException)
- {
- throw (RuntimeException)cause;
- }
- else if(cause instanceof Error)
- {
- throw (Error)cause;
- }
- throw new ConnectionScopedRuntimeException(e.getCause());
- }
+ protected void doDelete(HttpServletRequest req,
+ HttpServletResponse resp,
+ ConfiguredObject<?> managedObject) throws ServletException, IOException
+ {
+ throw new UnsupportedOperationException("DELETE not supported by this servlet");
}
- protected Subject getAuthorisedSubject(HttpServletRequest request)
+ protected OutputStream getOutputStream(final HttpServletRequest request, final HttpServletResponse response)
+ throws IOException
{
- Subject subject = HttpManagementUtil.getAuthorisedSubject(request);
- if (subject == null)
- {
- throw new SecurityException("Access to management rest interfaces is denied for un-authorised user");
- }
- return subject;
+ return HttpManagementUtil.getOutputStream(request, response, _managementConfiguration);
}
protected Broker<?> getBroker()
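Review bot: `getOutputStream` changes visibility from `public` (L750) to `protected` (L862) with no mention in the commit message; it is a source- and binary-incompatible change for any caller outside the servlet hierarchy, so either keep it `public` or note the narrowing deliberately. The deleted `doWithSubjectAndActor` (L807–L854) also dropped the `EofException` → `IOException` translation and the `SecurityException` → 401 mapping; the former is moot now that `Subject.doAs` no longer wraps handler exceptions, but the latter means an unauthenticated request that somehow reaches these servlets is no longer turned into a 401 by this class. The enclosing class continues outside the hunk.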
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java Tue Dec 13 14:27:19 2016
@@ -67,9 +67,9 @@ public class ApiDocsServlet extends Abst
}
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws ServletException, IOException
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java Tue Dec 13 14:27:19 2016
@@ -39,9 +39,9 @@ public class JsonValueServlet extends Ab
}
@Override
- protected void doGetWithSubjectAndActor(final HttpServletRequest request,
- final HttpServletResponse resp,
- final ConfiguredObject<?> managedObject)
+ protected void doGet(final HttpServletRequest request,
+ final HttpServletResponse resp,
+ final ConfiguredObject<?> managedObject)
throws ServletException, IOException
{
sendJsonResponse(_value, request, resp);
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java Tue Dec 13 14:27:19 2016
@@ -67,9 +67,9 @@ public class MetaDataServlet extends Abs
}
@Override
- protected void doGetWithSubjectAndActor(final HttpServletRequest request,
- final HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doGet(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws ServletException, IOException
{
response.setContentType("application/json");
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java Tue Dec 13 14:27:19 2016
@@ -44,9 +44,9 @@ public abstract class QueryServlet<X ext
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws IOException, ServletException
{
performQuery(request, response, managedObject);
@@ -54,9 +54,9 @@ public abstract class QueryServlet<X ext
@Override
- protected void doPostWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws IOException, ServletException
{
performQuery(request, response, managedObject);
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java Tue Dec 13 14:27:19 2016
@@ -39,9 +39,9 @@ public class QueueReportServlet extends
private static final long serialVersionUID = 1L;
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws IOException, ServletException
{
List<String> pathInfoElements =
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java Tue Dec 13 14:27:19 2016
@@ -177,9 +177,9 @@ public class RestServlet extends Abstrac
}
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws ServletException, IOException
{
ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
@@ -379,9 +379,9 @@ public class RestServlet extends Abstrac
}
@Override
- protected void doPutWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject)
+ protected void doPut(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject)
throws ServletException, IOException
{
performCreateOrUpdate(request, response, managedObject);
@@ -1003,9 +1003,9 @@ public class RestServlet extends Abstrac
}
@Override
- protected void doDeleteWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws ServletException, IOException
+ protected void doDelete(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
Class<? extends ConfiguredObject> configuredClass = getConfiguredClass(request, managedObject);
@@ -1059,9 +1059,9 @@ public class RestServlet extends Abstrac
}
@Override
- protected void doPostWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws ServletException, IOException
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
performCreateOrUpdate(request, response, managedObject);
}
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java Tue Dec 13 14:27:19 2016
@@ -21,6 +21,8 @@
package org.apache.qpid.server.management.plugin.servlet.rest;
import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
@@ -69,11 +71,12 @@ public class SaslServlet extends Abstrac
super();
}
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws
- ServletException,
- IOException
+
+
+
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
getRandom(request);
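Review bot: The renamed `doGet` at L1045 still lacks `@Override`, unlike the sibling `doPost` at L1064 and every other servlet touched by this commit, so a future signature drift in `AbstractServlet` would silently turn this into an unrelated overload instead of a compile error; add `@Override` above L1045. The three blank lines added at L1042–L1044 look accidental and should be collapsed to one. The method body continues past the end of the hunk.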
@@ -82,10 +85,10 @@ public class SaslServlet extends Abstrac
String[] mechanisms = mechanismsList.toArray(new String[mechanismsList.size()]);
Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
- final Subject subject = getAuthorisedSubject(request);
- if(subject != null)
+ final Subject subject = Subject.getSubject(AccessController.getContext());
+ final Principal principal = AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
+ if(principal != null)
{
- Principal principal = AuthenticatedPrincipal.getAuthenticatedPrincipalFromSubject(subject);
outputObject.put("user", principal.getName());
}
else if (request.getRemoteUser() != null)
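Review bot: `Subject.getSubject(AccessController.getContext())` at L1055 returns null when no Subject is bound to the current context, and it is not visible whether `AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject` tolerates a null argument; the previous code guarded with `if(subject != null)` (L1054) before calling into `AuthenticatedPrincipal`. Unless that helper is known to be null-safe, keep the guard: `final Principal principal = subject == null ? null : AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);`. This matters here because the SASL GET endpoint also loses its preemptive `tryToAuthenticate` fallback (removed at L1077–L1088), so reaching this line with no Subject is presumably now the normal unauthenticated case. The `java.security.AccessControlContext` import added at L1029 is not used in any visible hunk; verify it is needed elsewhere in the file.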
@@ -117,9 +120,9 @@ public class SaslServlet extends Abstrac
@Override
- protected void doPostWithSubjectAndActor(final HttpServletRequest request,
- final HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws IOException
+ protected void doPost(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws IOException
{
checkSaslAuthEnabled(request);
@@ -293,16 +296,4 @@ public class SaslServlet extends Abstrac
return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(request).getSubjectCreator(
request.isSecure());
}
-
- @Override
- protected Subject getAuthorisedSubject(HttpServletRequest request)
- {
- Subject subject = HttpManagementUtil.getAuthorisedSubject(request);
- if(subject == null)
- {
- subject = HttpManagementUtil.tryToAuthenticate(request, HttpManagementUtil.getManagementConfiguration(getServletContext()));
- }
- return subject;
- }
-
}
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java Tue Dec 13 14:27:19 2016
@@ -40,9 +40,9 @@ public class StructureServlet extends Ab
}
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws IOException, ServletException
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws IOException, ServletException
{
// TODO filtering??? request.getParameter("filter"); // filter=1,2,3 /groups/*/*
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java Tue Dec 13 14:27:19 2016
@@ -45,10 +45,9 @@ public class TimeZoneServlet extends Abs
}
@Override
- protected void doGetWithSubjectAndActor(HttpServletRequest request,
- HttpServletResponse response,
- final ConfiguredObject<?> managedObject) throws ServletException,
- IOException
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response,
+ final ConfiguredObject<?> managedObject) throws ServletException, IOException
{
sendJsonResponse(getTimeZones(), request, response);
}
Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java Tue Dec 13 14:27:19 2016
@@ -80,8 +80,8 @@ public class BrokerRestHttpsClientCertAu
_restTestHelper.setKeystore(KEYSTORE, KEYSTORE_PASSWORD);
_restTestHelper.setClientAuthAlias(CERT_ALIAS_APP1);
- Map<String, Object> saslData = getRestTestHelper().getJsonAsMap("/service/sasl");
+ Map<String, Object> saslData = getRestTestHelper().getJsonAsSingletonList("broker");
- Asserts.assertAttributesPresent(saslData, "user");
+ Asserts.assertAttributesPresent(saslData, "modelVersion");
}
}
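Review bot: Replacing the `/service/sasl` request and its `user` assertion (L1132, L1134) with a `broker` lookup asserting `modelVersion` (L1133, L1135) means this test no longer verifies that the client-certificate identity is mapped to the expected principal — it now only proves that a certificate-authenticated request succeeds. If the intent is still to cover client-cert authentication end to end, keep an assertion on the authenticated user name (for example via the SASL endpoint or whichever endpoint now reports the caller), otherwise the test name overstates what it checks.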
Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java Tue Dec 13 14:27:19 2016
@@ -27,8 +27,10 @@ import static org.apache.qpid.test.utils
import static org.apache.qpid.test.utils.TestSSLConstants.UNTRUSTED_KEYSTORE;
import java.io.IOException;
+import java.net.HttpURLConnection;
import java.util.Collections;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
@@ -189,4 +191,17 @@ public class PreemtiveAuthRestTest exten
e.printStackTrace();
}
}
+
+ public void testPreemptiveDoesNotCreateSession() throws Exception
+ {
+ configure(false, false);
+ super.startDefaultBroker();
+ _restTestHelper = new RestTestHelper(getDefaultBroker().getHttpPort());
+
+ _restTestHelper.setUsernameAndPassword(USERNAME, PASSWORD);
+ final HttpURLConnection firstConnection = _restTestHelper.openManagementConnection("broker", "GET");
+ assertEquals("Unexpected server response", HttpServletResponse.SC_OK, firstConnection.getResponseCode());
+ List<String> cookies = firstConnection.getHeaderFields().get("Set-Cookie");
+ assertNull("Should not create session cookies", cookies);
+ }
}
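Review bot: `getHeaderFields().get("Set-Cookie")` at L1166 is a case-sensitive lookup on a map keyed by the header names exactly as the server sent them, so the `assertNull` at L1167 would pass vacuously if the container ever emitted `set-cookie` in a different case; a loop over `getHeaderFields().keySet()` comparing with `equalsIgnoreCase("Set-Cookie")` makes the assertion robust. `firstConnection` is also never disconnected; calling `firstConnection.disconnect()` in a `finally` (or the helper's equivalent) avoids leaking the connection across tests. The variable name `firstConnection` suggests a follow-up request was intended but none is present.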