Posted to commits@brooklyn.apache.org by he...@apache.org on 2016/11/16 18:29:15 UTC

[5/6] brooklyn-server git commit: set session/cookie on some server requests so client gets it early

set session/cookie on some server requests so client gets it early

Helps establish CSRF protection. Done in /server/user and /server/up/extended,
the two main endpoints which an interactive app will hit early.


Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/30a2d852
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/30a2d852
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/30a2d852

Branch: refs/heads/master
Commit: 30a2d8524d7eb920766728cef20fa893f3bd42b4
Parents: c8186f8
Author: Alex Heneveld <al...@cloudsoftcorp.com>
Authored: Sun Nov 13 13:33:48 2016 +0000
Committer: Alex Heneveld <al...@cloudsoftcorp.com>
Committed: Sun Nov 13 09:39:52 2016 -0700

----------------------------------------------------------------------
 .../src/main/java/org/apache/brooklyn/rest/api/ServerApi.java  | 6 ++++--
 .../org/apache/brooklyn/rest/resources/ServerResource.java     | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/30a2d852/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/ServerApi.java
----------------------------------------------------------------------
diff --git a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/ServerApi.java b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/ServerApi.java
index 90a195a..0b56e3c 100644
--- a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/ServerApi.java
+++ b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/ServerApi.java
@@ -109,7 +109,8 @@ public interface ServerApi {
 
     @GET
     @Path("/up/extended")
-    @ApiOperation(value = "Returns extended server-up information, a map including up (/up), shuttingDown (/shuttingDown), healthy (/healthy), and ha (/ha/states) (qv)")
+    @ApiOperation(value = "Returns extended server-up information, a map including up (/up), shuttingDown (/shuttingDown), healthy (/healthy), and ha (/ha/states) (qv)"
+        + "; also forces a session, so a useful general-purpose call for a UI client to do when starting")
     public Map<String,Object> getUpExtended();
 
     @GET
@@ -198,7 +199,8 @@ public interface ServerApi {
 
     @GET
     @Path("/user")
-    @ApiOperation(value = "Return user information for this Brooklyn instance", 
+    @ApiOperation(value = "Return user information for this Brooklyn instance"
+                + "; also forces a session, so a useful general-purpose call for a UI client to do when starting", 
             response = String.class,
             responseContainer = "List")
     public String getUser(); 

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/30a2d852/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
index 7be07de..cfed891 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
@@ -30,6 +30,7 @@ import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicBoolean;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -94,6 +95,9 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv
     @Context
     private ContextResolver<ShutdownHandler> shutdownHandler;
 
+    @Context
+    private HttpServletRequest request;
+    
     @Override
     public void reloadBrooklynProperties() {
         if (Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO, null)) {
@@ -365,6 +369,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv
     
     @Override
     public Map<String,Object> getUpExtended() {
+        request.getSession();
         return MutableMap.<String,Object>of(
             "up", isUp(),
             "shuttingDown", isShuttingDown(),
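Review bot: The added `request.getSession();` creates a new server-side session for every caller that does not already present one, and /up/extended is a health-style endpoint that is likely polled by unauthenticated monitors and load balancers as well as by the UI; each such probe would then allocate a session that lives until the container expires it. If the endpoint is reachable without credentials, consider issuing the session only when a user context is present, or at least record the trade-off with a comment such as `// force a session (creates one if absent) so the UI gets the session cookie early; unauthenticated probes also get one`. Whether the @Context-injected `request` can be null outside a servlet container (e.g. in-process tests) is not visible here; if it can, `if (request != null) request.getSession();` is a cheap guard. getUpExtended's body continues outside the hunk.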
@@ -451,6 +456,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements Serv
 
     @Override
     public String getUser() {
+        request.getSession();
         EntitlementContext entitlementContext = Entitlements.getEntitlementContext();
         if (entitlementContext!=null && entitlementContext.user()!=null){
             return entitlementContext.user();
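Review bot: The session is forced on the added line before the entitlement context is consulted, so a caller with no authenticated user still receives a session cookie from this endpoint; if the CSRF protection mentioned in the commit message binds a token to this session, a session id seeded by an attacker before login would be kept rather than replaced, unless the login path rotates the session (not visible here). Consider placing `request.getSession();` after the user check, or invalidating and recreating the session at the point a user is first established. A one-line comment stating the intent would also help the next reader, e.g. `// ensure a session exists so the client receives the session cookie (and any CSRF token) on its first call`. getUser's body continues outside the hunk.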