You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@brooklyn.apache.org by he...@apache.org on 2019/01/16 02:12:08 UTC
[brooklyn-server] 28/49: add'l tidy for removal of jaas,
introduction of SecurityProvider as filter
This is an automated email from the ASF dual-hosted git repository.
heneveld pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
commit dc9b355b87f42528d1eb7c2ca66539c4765422fb
Author: Alex Heneveld <al...@cloudsoftcorp.com>
AuthorDate: Wed Jan 9 10:05:44 2019 +0000
add'l tidy for removal of jaas, introduction of SecurityProvider as filter
---
.../brooklyn/launcher/WebAppContextProvider.java | 10 +++-
.../org/apache/brooklyn/rest/api/LogoutApi.java | 11 ++--
.../BrooklynSecurityProviderFilterHelper.java | 69 ++++------------------
.../BrooklynSecurityProviderFilterJavax.java | 2 +-
.../rest/filter/CorsImplSupplierFilter.java | 1 +
.../rest/filter/HaHotCheckResourceFilter.java | 1 -
.../brooklyn/rest/resources/LogoutResource.java | 14 +++--
.../provider/DelegatingSecurityProvider.java | 12 ++--
.../security/provider/OauthSecurityProvider.java | 39 ++++++++----
.../src/main/resources/web-security.xml | 29 +--------
10 files changed, 75 insertions(+), 113 deletions(-)
diff --git a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
index 880aa48..6e269d1 100644
--- a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
+++ b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
@@ -24,6 +24,8 @@ import java.io.File;
import java.io.InputStream;
import java.util.Map;
+import javax.servlet.Servlet;
+
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.core.server.BrooklynServiceAttributes;
import org.apache.brooklyn.launcher.config.CustomResourceLocator;
@@ -73,9 +75,11 @@ public class WebAppContextProvider {
final WebAppContext context = new WebAppContext();
// use a unique session ID to prevent interference with other web apps on same server (esp for localhost);
- // it might be better to make this brooklyn-only or base on the management-plane ID;
- // but i think it actually *is* per-server instance, since we don't cache sessions server-side,
- // so i think this is write. [Alex 2015-09]
+ // note however this is only run for the legacy launcher
+ // TODO would be nice if the various karaf startups rename the session cookie property (from JSESSIONID)
+ // as the default is likely to conflict with other java-based servers (esp on localhost);
+ // this can be done e.g. on ServletContext.getSessionCookieConfig(), but will be needed for REST and for JS (static) bundles
+ // low priority however, if you /etc/hosts a localhost-brooklyn and use that it will stop conflicting
context.setInitParameter(SessionHandler.__SessionCookieProperty, SessionHandler.__DefaultSessionCookie + "_" + "BROOKLYN" + Identifiers.makeRandomId(6));
context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
context.setAttribute(BrooklynServiceAttributes.BROOKLYN_MANAGEMENT_CONTEXT, managementContext);
diff --git a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java
index f0ca328..526a72f 100644
--- a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java
+++ b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java
@@ -36,19 +36,22 @@ public interface LogoutApi {
@POST
@ApiOperation(value = "Request a logout and clean session")
@ApiResponses(value = {
- @ApiResponse(code = 307, message = "Redirect to /logout/user, keeping the request method")
+ @ApiResponse(code = 307, message = "Redirect to /logout/{user}, keeping the request method")
})
Response logout();
-
+ // TODO what is this for? misleading as it does not unauthorize the _session_ or log out in any way;
+ // deprecating as at 2019-01
+ /** @deprecated since 1.0 */
+ @Deprecated
@POST
@Path("/unauthorize")
- @ApiOperation(value = "Return UNAUTHORIZED 401 response")
+ @ApiOperation(value = "Return UNAUTHORIZED 401 response, but without disabling the session [deprecated]")
Response unAuthorize();
@POST
@Path("/{user}")
- @ApiOperation(value = "Logout and clean session if matching user logged")
+ @ApiOperation(value = "Logout and clean session if matching user logged in")
Response logoutUser(
@ApiParam(value = "User to log out", required = true)
@PathParam("user") final String user);
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
index 47180c9..53cb34a 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java
@@ -33,6 +33,7 @@ import org.apache.brooklyn.rest.security.provider.DelegatingSecurityProvider;
import org.apache.brooklyn.rest.security.provider.SecurityProvider;
import org.apache.brooklyn.rest.security.provider.SecurityProvider.SecurityProviderDeniedAuthentication;
import org.apache.brooklyn.util.collections.MutableSet;
+import org.apache.brooklyn.util.text.StringEscapes;
import org.apache.commons.codec.binary.Base64;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.server.Request;
@@ -72,31 +73,35 @@ public class BrooklynSecurityProviderFilterHelper {
*/
public static final String AUTHENTICATED_USER_SESSION_ATTRIBUTE = "brooklyn.user";
- // TODO ugly, using a static, but it shares across bundles and all have different instances, so this is reasonable
public static Set<SessionHandler> SESSION_MANAGER_CACHE = MutableSet.of();
private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterHelper.class);
+
+ // TODO this should be parametrisable
+ public static final String BASIC_REALM_NAME = "brooklyn";
+
+ public static final String BASIC_REALM_HEADER_VALUE = "BASIC realm="+StringEscapes.JavaStringEscapes.wrapJavaString(BASIC_REALM_NAME);
/* check all contexts for sessions; surprisingly hard to configure session management for karaf/pax web container.
* they _really_ want each servlet to have their own sessions. how you're meant to do oauth for multiple servlets i don't know! */
public HttpSession getSession(HttpServletRequest webRequest, ManagementContext mgmt, boolean create) {
String requestedSessionId = webRequest.getRequestedSessionId();
- log.info("SESSION for "+ webRequest.getRequestURI()+", wants session "+requestedSessionId);
+ log.trace("SESSION for {}, wants session {}", webRequest.getRequestURI(), requestedSessionId);
if (webRequest instanceof Request) {
SessionHandler sm = ((Request)webRequest).getSessionHandler();
boolean added = SESSION_MANAGER_CACHE.add( sm );
- log.info("SESSION MANAGER found for "+webRequest.getRequestURI()+": "+sm+" ("+added+")");
+ log.trace("SESSION MANAGER found for {}: {} (added={})", webRequest.getRequestURI(), sm, added);
} else {
- log.info("SESSION MANAGER NOT found for "+webRequest.getRequestURI()+" - "+webRequest);
+ log.trace("SESSION MANAGER NOT found for {}: {}", webRequest.getRequestURI(), webRequest);
}
if (requestedSessionId!=null) {
for (SessionHandler m: SESSION_MANAGER_CACHE) {
HttpSession s = m.getHttpSession(requestedSessionId);
if (s!=null) {
- log.info("SESSION found for "+webRequest.getRequestURI()+": "+s+"; "+m.isValid(s));
+ log.trace("SESSION found for {}: {} (valid={})", webRequest.getRequestURI(), s, m.isValid(s));
return s;
}
}
@@ -104,62 +109,14 @@ public class BrooklynSecurityProviderFilterHelper {
if (create) {
HttpSession session = webRequest.getSession(true);
- log.info("SESSION creating for "+webRequest.getRequestURI()+": "+session);
+ log.trace("SESSION creating for {}: {}", webRequest.getRequestURI(), session);
return session;
}
- return null;
-
-// HttpSession session = webRequest.getSession(false);
-// if (session!=null) return session;
-//
-// // go through all the known session managers
-//
-//
-// webRequest.getServletContext().getServlets().nextElement().getServletConfig().getServletContext().getser
-// BundleContext ctx = (BundleContext) webRequest.getServletContext().getAttribute(
-// //WebContainerConstants.BUNDLE_CONTEXT_ATTRIBUTE
-// "osgi-bundlecontext");
-// log.info("TEST context "+ctx);
-// if (ctx!=null) {
-// log.info("TEST server "+ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" ));
-// }
-// ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" );
-//
-// ctx = FrameworkUtil.getBundle(BrooklynSecurityProviderFilterHelper.class).getBundleContext();
-//
-//
-// log.info("TEST context2 "+ctx);
-// if (ctx!=null) {
-// log.info("TEST server2 "+ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" ));
-// }
-//
-//// String id = webRequest.getRequestedSessionId();
-//// webRequest.getServletContext().gethan
-////// for (Cookie c: webRequest.getCookies()) {
-////// if ("JSESSIONID".equals(c.getName())) {
-////// c.getValue()
-////// }
-////// }
-//// HttpSession session = getLocalSession(id);
-//// if (session == null) {
-//// for (SessionHandler manager: getSessionIdManager().getSessionHandlers()) {
-//// if (manager.equals(this) || !(manager instanceof CustomSessionHandler)) {
-//// continue;
-//// }
-//// session = ((CustomSessionHandler)manager).getLocalSession(id);
-//// if (session != null) {
-//// break;
-//// }
-//// } // should we duplicate sessions in each context? // will we end up with inconsistent sessions? /* if (externalSession != null) { try { getSessionCache().put(id, externalSession); } catch (Exception e) { LOG.warn("Unable to save session to local cache."); } } */ }
-//// }
-//// return session;
-// return null;
+ return null; // not found
}
public void run(HttpServletRequest webRequest, ManagementContext mgmt) throws SecurityProviderDeniedAuthentication {
- log.info("SEC PROV for "+webRequest.getRequestURI());
-
SecurityProvider provider = getProvider(mgmt);
HttpSession session = getSession(webRequest, mgmt, false);
@@ -203,7 +160,7 @@ public class BrooklynSecurityProviderFilterHelper {
private SecurityProviderDeniedAuthentication abort(String msg, boolean requiresUserPass) throws SecurityProviderDeniedAuthentication {
ResponseBuilder response = Response.status(Status.UNAUTHORIZED);
if (requiresUserPass) {
- response.header(HttpHeader.WWW_AUTHENTICATE.asString(), "BASIC realm=\"brooklyn\"");
+ response.header(HttpHeader.WWW_AUTHENTICATE.asString(), BASIC_REALM_HEADER_VALUE);
}
response.header(HttpHeader.CONTENT_TYPE.asString(), MediaType.TEXT_PLAIN);
response.entity(msg);
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java
index 5751872..b2b679b 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java
@@ -69,7 +69,7 @@ public class BrooklynSecurityProviderFilterJavax implements Filter {
rout.setStatus(rin.getStatus());
- // TODO does content type need to be set explicitly?
+ // note content-type is explicitly set in some Response objects, but this should set it
rin.getHeaders().forEach((k,v) -> v.forEach(v2 -> rout.addHeader(k, Strings.toString(v2))));
Object body = rin.getEntity();
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java
index 51c9e5c..9262c00 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java
@@ -59,6 +59,7 @@ import java.util.List;
* Apache Brooklyn API calls do not use CORS annotations so findResourceMethod is set to false.
*/
@Provider
+@SuppressWarnings("serial")
public class CorsImplSupplierFilter extends CrossOriginResourceSharingFilter {
/**
* @see CrossOriginResourceSharingFilter#setAllowOrigins(List<String>)
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java
index 28eac1c..128d06a 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java
@@ -33,7 +33,6 @@ import javax.ws.rs.ext.Provider;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.api.mgmt.ha.ManagementNodeState;
-import org.apache.brooklyn.rest.util.BrooklynRestResourceUtils;
import org.apache.brooklyn.util.guava.Maybe;
import org.apache.brooklyn.util.text.Strings;
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
index 5ce65ba..a03cb24 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java
@@ -30,6 +30,7 @@ import javax.ws.rs.core.UriInfo;
import org.apache.brooklyn.core.mgmt.entitlement.Entitlements;
import org.apache.brooklyn.core.mgmt.entitlement.WebEntitlementContext;
import org.apache.brooklyn.rest.api.LogoutApi;
+import org.apache.brooklyn.rest.filter.BrooklynSecurityProviderFilterHelper;
import org.apache.brooklyn.util.exceptions.Exceptions;
public class LogoutResource extends AbstractBrooklynRestResource implements LogoutApi {
@@ -58,19 +59,21 @@ public class LogoutResource extends AbstractBrooklynRestResource implements Logo
@Override
public Response unAuthorize() {
return Response.status(Status.UNAUTHORIZED)
- .build();
+ // NB: 2019-01 no longer returns a realm (there might not be a realm; in this code we don't know)
+ // method is now deprecated anyway
+ .build();
}
@Override
public Response logoutUser(String user) {
- // Will work when switching users, but will keep re-authenticating if user types in same user name.
- // Could improve by keeping state in cookies to decide whether to request auth or declare successfull re-auth.
WebEntitlementContext ctx = (WebEntitlementContext) Entitlements.getEntitlementContext();
if (user.equals(ctx.user())) {
doLogout();
- return Response.status(Status.UNAUTHORIZED)
- .build();
+ return Response.status(Status.OK)
+ // 2019-01 no longer returns unauthorized, returns OK to indicate user is successfully logged out
+ // also the realm is removed (there might not be a realm; in this code we don't know)
+ .build();
} else {
return Response.temporaryRedirect(uri.getAbsolutePathBuilder().replacePath("/").build()).build();
}
@@ -78,6 +81,7 @@ public class LogoutResource extends AbstractBrooklynRestResource implements Logo
private void doLogout() {
try {
+ req.getSession().removeAttribute(BrooklynSecurityProviderFilterHelper.AUTHENTICATED_USER_SESSION_ATTRIBUTE);
req.logout();
} catch (ServletException e) {
Exceptions.propagate(e);
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
index 65567c4..b420501 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java
@@ -77,14 +77,14 @@ public class DelegatingSecurityProvider implements SecurityProvider {
SecurityProvider presetDelegate = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_INSTANCE);
if (presetDelegate!=null) {
- log.info("REST using pre-set security provider " + presetDelegate);
+ log.trace("Brooklyn security: using pre-set security provider {}", presetDelegate);
return presetDelegate;
}
String className = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME);
if (delegate != null && BrooklynWebConfig.hasNoSecurityOptions(mgmt.getConfig())) {
- log.debug("{} refusing to change from {}: No security provider set in reloaded properties.",
+ log.debug("Brooklyn security: {} refusing to change from {}: No security provider set in reloaded properties.",
this, delegate);
return delegate;
}
@@ -93,17 +93,17 @@ public class DelegatingSecurityProvider implements SecurityProvider {
String bundle = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_BUNDLE);
if (bundle!=null) {
String bundleVersion = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_BUNDLE_VERSION);
- log.info("REST using security provider " + className + " from " + bundle+":"+bundleVersion);
+ log.info("Brooklyn security: using security provider " + className + " from " + bundle+":"+bundleVersion);
BundleContext bundleContext = ((ManagementContextInternal)mgmt).getOsgiManager().get().getFramework().getBundleContext();
delegate = loadProviderFromBundle(mgmt, bundleContext, bundle, bundleVersion, className);
} else {
- log.info("REST using security provider " + className);
+ log.info("Brooklyn security: using security provider " + className);
ClassLoaderUtils clu = new ClassLoaderUtils(this, mgmt);
Class<? extends SecurityProvider> clazz = (Class<? extends SecurityProvider>) clu.loadClass(className);
delegate = createSecurityProviderInstance(mgmt, clazz);
}
} catch (Exception e) {
- log.warn("REST unable to instantiate security provider " + className + "; all logins are being disallowed", e);
+ log.warn("Brooklyn security: unable to instantiate security provider " + className + "; all logins are being disallowed", e);
delegate = new BlackholeSecurityProvider();
}
@@ -122,7 +122,7 @@ public class DelegatingSecurityProvider implements SecurityProvider {
if (bundles.isEmpty()) {
throw new IllegalStateException("No bundle " + symbolicName + ":" + version + " found");
} else if (bundles.size() > 1) {
- log.warn("Found multiple bundles matching symbolicName " + symbolicName + " and version " + version +
+ log.warn("Brooklyn security: found multiple bundles matching symbolicName " + symbolicName + " and version " + version +
" while trying to load security provider " + className + ". Will use first one that loads the class successfully.");
}
SecurityProvider p = tryLoadClass(mgmt, className, bundles);
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java
index a3bbcf1..c3c7be4 100644
--- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java
+++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java
@@ -30,6 +30,7 @@ import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
+import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.rest.filter.BrooklynSecurityProviderFilterHelper;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.text.Identifiers;
@@ -55,12 +56,15 @@ import org.eclipse.jetty.server.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.google.common.annotations.Beta;
+
/** Configurable OAuth redirect security provider
*
* Redirects all inbound requests to an oath web server unless a session token is specified. */
+@Beta // work in progress
public class OauthSecurityProvider implements SecurityProvider {
- public static final Logger LOG = LoggerFactory.getLogger(OauthSecurityProvider.class);
+ public static final Logger log = LoggerFactory.getLogger(OauthSecurityProvider.class);
private static final String OAUTH_ACCESS_TOKEN_SESSION_KEY = "org.apache.brooklyn.security.oauth.access_token";
private static final String OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY = "org.apache.brooklyn.security.oauth.access_token_expiry_utc";
@@ -68,7 +72,9 @@ public class OauthSecurityProvider implements SecurityProvider {
private static final String OAUTH_AUTH_CODE_PARAMETER_FROM_USER = "code";
private static final String OAUTH_AUTH_CODE_PARAMETER_FOR_SERVER = OAUTH_AUTH_CODE_PARAMETER_FROM_USER;
- // TODO parameterise
+// private static String KEY_PREFIX = BrooklynWebConfig.BASE_NAME_SECURITY+".oauth.";
+// ConfigKey<String> URI_GET_TOKEN_KEY = ConfigKeys.newStringConfigKey(KEY_PREFIX+"uriGetToken", "URL where token can be fetched");
+ // TODO parameterise values below with keys as above
// tempting to use getJettyRequest().getRequestURL().toString();
// but some oauth providers require this to be declared
@@ -77,7 +83,7 @@ public class OauthSecurityProvider implements SecurityProvider {
private String audience = "audience";
private Duration validity = Duration.hours(1);
- // google test data
+ // google test data - hard-coded for now
private String uriGetToken = "https://accounts.google.com/o/oauth2/token";
private String uriAuthorize = "https://accounts.google.com/o/oauth2/auth";
private String uriTokenInfo = "https://www.googleapis.com/oauth2/v1/tokeninfo";
@@ -91,9 +97,22 @@ public class OauthSecurityProvider implements SecurityProvider {
// private String clientId = "7f76b9970d8ac15b30b0";
// private String clientSecret = "9e15f8dd651f0b1896a3a582f17fa82f049fc910";
+ protected final ManagementContext mgmt;
+
+ public OauthSecurityProvider(ManagementContext mgmt) {
+ this.mgmt = mgmt;
+ initialize();
+ }
+
+ private synchronized void initialize() {
+ // TODO set these keys
+// Preconditions.checkNotNull(mgmt.getConfig().getConfig(URI_GET_TOKEN_KEY), "URI to get token must be set: "+URI_GET_TOKEN_KEY.getName());
+ }
+
@Override
public boolean isAuthenticated(HttpSession session) {
- LOG.info("isAuthenticated 1 "+getJettyRequest().getRequestURI()+" "+session+" ... "+this);
+ // TODO tidy log messages
+ log.info("isAuthenticated 1 "+getJettyRequest().getRequestURI()+" "+session+" ... "+this);
Object token = session.getAttribute(OAUTH_ACCESS_TOKEN_SESSION_KEY);
// TODO is it valid?
return token!=null;
@@ -101,7 +120,7 @@ public class OauthSecurityProvider implements SecurityProvider {
@Override
public boolean authenticate(HttpSession session, String user, String password) throws SecurityProviderDeniedAuthentication {
- LOG.info("authenticate "+session+" "+user);
+ log.info("authenticate "+session+" "+user);
if (isAuthenticated(session)) {
return true;
@@ -127,14 +146,14 @@ public class OauthSecurityProvider implements SecurityProvider {
} catch (SecurityProviderDeniedAuthentication e) {
throw e;
} catch (Exception e) {
- LOG.warn("Error performing OAuth: "+e, e);
+ log.warn("Error performing OAuth: "+e, e);
throw Exceptions.propagate(e);
}
}
@Override
public boolean logout(HttpSession session) {
- LOG.info("logout");
+ log.info("logout");
session.removeAttribute(OAUTH_ACCESS_TOKEN_SESSION_KEY);
session.removeAttribute(OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY);
return true;
@@ -161,10 +180,10 @@ public class OauthSecurityProvider implements SecurityProvider {
// get the access token from json and request info from Google
try {
jsonObject = (Map<?,?>) Yamls.parseAll(body).iterator().next();
- LOG.info("Parsed '"+body+"' as "+jsonObject);
+ log.info("Parsed '"+body+"' as "+jsonObject);
} catch (Exception e) {
Exceptions.propagateIfFatal(e);
- LOG.info("Unable to parse: '"+body+"'");
+ log.info("Unable to parse: '"+body+"'");
// throw new RuntimeException("Unable to parse json " + body);
return redirectUserToOauthLoginUi();
}
@@ -179,7 +198,7 @@ public class OauthSecurityProvider implements SecurityProvider {
// request.getSession().setAttribute(SESSION_KEY_CODE, code);
// TODO is it valid?
- LOG.debug("Got token/code "+accessToken+"/"+code+" from "+jsonObject);
+ log.debug("Got token/code "+accessToken+"/"+code+" from "+jsonObject);
// eg Got token/code
// ya29.GluHBtzZ-R-CaoWMlso6KB6cq3DrbmwX6B3kjMmzWqzU-vO76WjKuNS3Ktog7vt9CJnxSZ63NmqO4p5bg20wl0-M14yO1LuoXNV5JX3qHDmXl2rl-z1LbCPEYJ-o
// / 4/yADFJRSRCxLgZFcpD_KU2jQiCXBGNHTsw0eGZqZ2t6IJJh2O1oWBnBDx4eWl4ZLCRAFJx3QjPYtl7LF9zj_DNlA
diff --git a/rest/rest-server/src/main/resources/web-security.xml b/rest/rest-server/src/main/resources/web-security.xml
index a03c448..c6a3974 100644
--- a/rest/rest-server/src/main/resources/web-security.xml
+++ b/rest/rest-server/src/main/resources/web-security.xml
@@ -21,31 +21,6 @@
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>Logout</web-resource-name>
- <url-pattern>/v1/logout</url-pattern>
- </web-resource-collection>
- </security-constraint>
-
- <!-- Ignored programmatically if noConsoleSecurity -->
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>All</web-resource-name>
- <url-pattern>/</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>webconsole</role-name>
- </auth-constraint>
- </security-constraint>
-
- <login-config>
- <!--<auth-method>BASIC</auth-method>-->
- <realm-name>webconsole</realm-name>
- </login-config>
-
- <security-role>
- <role-name>webconsole</role-name>
- </security-role>
-
+ <!-- now done with filters -->
+
</web-app>