Check token content before handling them
This adds plausibility checks before handling tokens such as JWTs or API keys. This way we generate fewer error logs and therefore cause less confusion.
@@ -30,6 +30,8 @@ import org.apache.shiro.authc.UsernamePasswordToken;
|
||||
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
|
||||
import org.apache.shiro.authz.AuthorizationException;
|
||||
import org.apache.shiro.realm.AuthenticatingRealm;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import sonia.scm.plugin.Extension;
|
||||
import sonia.scm.repository.RepositoryRole;
|
||||
import sonia.scm.repository.RepositoryRoleManager;
|
||||
@@ -43,6 +45,8 @@ import static com.google.common.base.Preconditions.checkArgument;
|
||||
@Extension
|
||||
public class ApiKeyRealm extends AuthenticatingRealm {
|
||||
|
||||
private static final Logger LOG = LoggerFactory.getLogger(ApiKeyRealm.class);
|
||||
|
||||
private final ApiKeyService apiKeyService;
|
||||
private final DAORealmHelper helper;
|
||||
private final RepositoryRoleManager repositoryRoleManager;
|
||||
@@ -58,7 +62,14 @@ public class ApiKeyRealm extends AuthenticatingRealm {
|
||||
|
||||
@Override
|
||||
public boolean supports(AuthenticationToken token) {
|
||||
return token instanceof UsernamePasswordToken || token instanceof BearerToken;
|
||||
if (token instanceof UsernamePasswordToken || token instanceof BearerToken) {
|
||||
boolean containsDot = getPassword(token).contains(".");
|
||||
if (containsDot) {
|
||||
LOG.debug("Ignoring token with at least one dot ('.'); this is probably a JWT token");
|
||||
}
|
||||
return !containsDot;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
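Review bot: `getPassword(token).contains(".")` in the new supports() body dereferences the password without a null guard, so a UsernamePasswordToken whose password is absent (getPassword is outside the hunk; whether it can return null is inferred) would make supports() throw instead of answering false, and the same unguarded `.contains(".")` appears in BearerRealm.supports and TokenRefreshFilter.examineToken in this commit. A null-safe form such as `String password = getPassword(token); boolean containsDot = password != null && password.contains(".");` keeps the pre-change outcome for that edge case. The dot heuristic is now spelled out three times; a single shared predicate, e.g. a static `isProbablyJwt(String credentials)` used by all three call sites, would keep them from drifting apart. That helper is also the natural place for a comment on why a dot is the discriminator, such as `// A JWT is three base64url segments joined by dots; API keys are expected to contain none`.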
@@ -21,7 +21,7 @@
|
||||
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
* SOFTWARE.
|
||||
*/
|
||||
|
||||
|
||||
package sonia.scm.security;
|
||||
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
@@ -29,6 +29,8 @@ import org.apache.shiro.authc.AuthenticationInfo;
|
||||
import org.apache.shiro.authc.AuthenticationToken;
|
||||
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
|
||||
import org.apache.shiro.realm.AuthenticatingRealm;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import sonia.scm.group.GroupDAO;
|
||||
import sonia.scm.plugin.Extension;
|
||||
import sonia.scm.user.UserDAO;
|
||||
@@ -54,6 +56,7 @@ public class BearerRealm extends AuthenticatingRealm
|
||||
@VisibleForTesting
|
||||
static final String REALM = "BearerRealm";
|
||||
|
||||
private static final Logger LOG = LoggerFactory.getLogger(BearerRealm.class);
|
||||
|
||||
/** dao realm helper */
|
||||
private final DAORealmHelper helper;
|
||||
@@ -76,7 +79,17 @@ public class BearerRealm extends AuthenticatingRealm
|
||||
setAuthenticationTokenClass(BearerToken.class);
|
||||
}
|
||||
|
||||
//~--- methods --------------------------------------------------------------
|
||||
@Override
|
||||
public boolean supports(AuthenticationToken token) {
|
||||
if (token instanceof BearerToken) {
|
||||
boolean containsDot = ((BearerToken) token).getCredentials().contains(".");
|
||||
if (!containsDot) {
|
||||
LOG.debug("Ignoring token without a dot ('.'); this probably is an API key");
|
||||
}
|
||||
return containsDot;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates the given bearer token and retrieves authentication data from
|
||||
|
||||
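Review bot: The new supports() override makes the `setAuthenticationTokenClass(BearerToken.class)` call still visible at the top of the hunk largely informational, since AuthenticatingRealm consults that class only in its own supports(), which this method now replaces (inferred from Shiro's base class, which is outside the diff). Keeping the setter is harmless, but a Javadoc on the override should say that it intentionally narrows the inherited class check so the next reader does not look for a second filter. A short Javadoc such as `/** Accepts only bearer tokens that look like JWTs (contain a dot); dot-less credentials are left to ApiKeyRealm. */` would document the hand-off between the two realms that this commit introduces.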
@@ -21,7 +21,7 @@
|
||||
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
* SOFTWARE.
|
||||
*/
|
||||
|
||||
|
||||
package sonia.scm.web.security;
|
||||
|
||||
import org.apache.shiro.authc.AuthenticationException;
|
||||
@@ -90,6 +90,10 @@ public class TokenRefreshFilter extends HttpFilter {
|
||||
|
||||
private void examineToken(HttpServletRequest request, HttpServletResponse response, BearerToken token) {
|
||||
AccessToken accessToken;
|
||||
if (!token.getCredentials().contains(".")) {
|
||||
LOG.trace("Ignoring token without dot. This probably is an API key, no JWT");
|
||||
return;
|
||||
}
|
||||
try {
|
||||
accessToken = resolver.resolve(token);
|
||||
} catch (AuthenticationException e) {
|
||||
|
||||
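Review bot: `AccessToken accessToken;` is declared on the line before the new early return, so the variable now sits above a guard that never uses it; declaring it inside the try (`AccessToken accessToken = resolver.resolve(token);`) or immediately after the guard reads more naturally and keeps the plausibility check as the first statement. examineToken continues past the end of the hunk, so the later uses of accessToken are not visible here and may require the declaration to stay in the outer scope; if so, moving only the guard above the declaration gives the same ordering.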