Posted to commits@usergrid.apache.org by mr...@apache.org on 2016/08/01 16:53:43 UTC

[08/50] [abbrv] usergrid git commit: Allow CORS pre-flight requests to come through unauthenticated ( bad creds shouldn't stop browsers from trying the real request ).

Allow CORS pre-flight requests to come through unauthenticated ( bad creds shouldn't stop browsers from trying the real request ).


Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/8413f212
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/8413f212
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/8413f212

Branch: refs/heads/master
Commit: 8413f212ee7bdfdd729d4f3f7d93200362e01751
Parents: 8d79d36
Author: Michael Russo <mr...@apigee.com>
Authored: Thu Jul 7 17:47:52 2016 -0700
Committer: Michael Russo <mr...@apigee.com>
Committed: Thu Jul 7 17:47:52 2016 -0700

----------------------------------------------------------------------
 .../security/shiro/filters/BasicAuthSecurityFilter.java |  3 +++
 .../shiro/filters/ClientCredentialsSecurityFilter.java  |  4 ++++
 .../shiro/filters/OAuth2AccessTokenSecurityFilter.java  |  4 ++++
 .../rest/security/shiro/filters/SecurityFilter.java     | 12 ++++++++++++
 4 files changed, 23 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/usergrid/blob/8413f212/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
index a5d7272..5594a1c 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
@@ -49,6 +49,9 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
             logger.trace("Filtering: {}", request.getUriInfo().getBaseUri());
         }
 
+        if( bypassSecurityCheck(request) ){
+            return;
+        }
 
         Map<String, String> auth_types = getAuthTypes( request );
         if ( ( auth_types == null ) || !auth_types.containsKey( AUTH_BASIC_TYPE ) ) {
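Review bot: The same three-line early return is pasted into each subclass's filter method here and in the ClientCredentialsSecurityFilter and OAuth2AccessTokenSecurityFilter hunks, so a SecurityFilter subclass written later has to remember to add it or it will reject pre-flight requests again. Since each of the three filter methods visibly starts with the same trace-logging preamble, the bypass could live once in the base class: let SecurityFilter implement `filter(ContainerRequestContext)` as a template that calls `bypassSecurityCheck(request)` and then delegates to a subclass hook such as `doFilter(request)`, which would keep the policy in one place. If that refactor is too large for this change, a `// must stay first: see SecurityFilter.bypassSecurityCheck` comment above each guard would at least mark the ordering dependency. The enclosing filter methods start and end outside the hunk.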

http://git-wip-us.apache.org/repos/asf/usergrid/blob/8413f212/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/ClientCredentialsSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/ClientCredentialsSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/ClientCredentialsSecurityFilter.java
index 83e53c1..486d105 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/ClientCredentialsSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/ClientCredentialsSecurityFilter.java
@@ -55,6 +55,10 @@ public class ClientCredentialsSecurityFilter extends SecurityFilter {
             logger.trace("Filtering: {}", request.getUriInfo().getBaseUri());
         }
 
+        if( bypassSecurityCheck(request) ){
+            return;
+        }
+
         String clientId = httpServletRequest.getParameter( "client_id" );
         String clientSecret = httpServletRequest.getParameter( "client_secret" );
 

http://git-wip-us.apache.org/repos/asf/usergrid/blob/8413f212/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/OAuth2AccessTokenSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/OAuth2AccessTokenSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/OAuth2AccessTokenSecurityFilter.java
index 03da0e8..ca040e8 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/OAuth2AccessTokenSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/OAuth2AccessTokenSecurityFilter.java
@@ -74,6 +74,10 @@ public class OAuth2AccessTokenSecurityFilter extends SecurityFilter implements C
             logger.trace("Filtering: {}", request.getUriInfo().getBaseUri());
         }
 
+        if( bypassSecurityCheck(request) ){
+            return;
+        }
+
         try {
             try {
 

http://git-wip-us.apache.org/repos/asf/usergrid/blob/8413f212/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/SecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/SecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/SecurityFilter.java
index e0dadba..1c06aed 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/SecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/SecurityFilter.java
@@ -132,4 +132,16 @@ public abstract class SecurityFilter implements ContainerRequestFilter {
         }
         return auth_types;
     }
+
+    public static boolean bypassSecurityCheck( ContainerRequestContext request ){
+
+        // if this is a CORS Pre-Flight request, we can skip the security check
+        // OPTIONS requests do not have access into Usergrid data, Jersey default handles these requests
+        if( request.getMethod().equalsIgnoreCase("options")){
+            return true;
+        }
+
+        return false;
+
+    }
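Review bot: The check on the `getMethod()` line treats every OPTIONS request as a CORS pre-flight, but the comment above it describes a narrower case; a pre-flight is distinguished by the `Access-Control-Request-Method` (and `Origin`) request headers, which this method does not look at. Narrowing the guard to `return request.getMethod().equalsIgnoreCase("options") && request.getHeaderString("Access-Control-Request-Method") != null;` keeps the fix for browsers while leaving plain OPTIONS requests under the existing credential checks. The second comment line asserts that OPTIONS requests cannot reach Usergrid data and that Jersey handles them by default; that cannot be confirmed from this diff, so it is worth verifying that no resource maps OPTIONS to a data-bearing handler, and hedging the comment to `// assumes no resource method handles OPTIONS itself` until that is confirmed. The method body can also collapse to a single return expression instead of the if/return-true/return-false shape.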
 }