diff --git a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
index f53e0da445..16aacbf8ec 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
@@ -36,14 +36,18 @@ package sonia.scm.security;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
import sonia.scm.user.User;
import static com.google.common.base.Preconditions.*;
-import java.util.Date;
-import java.util.concurrent.TimeUnit;
//~--- JDK imports ------------------------------------------------------------
+import java.util.Date;
+import java.util.concurrent.TimeUnit;
+
import javax.inject.Inject;
/**
@@ -55,6 +59,14 @@ import javax.inject.Inject;
public final class BearerTokenGenerator
{
+ /**
+ * the logger for BearerTokenGenerator
+ */
+ private static final Logger logger =
+ LoggerFactory.getLogger(BearerTokenGenerator.class);
+
+ //~--- constructors ---------------------------------------------------------
+
/**
* Constructs a new token generator.
*
@@ -84,16 +96,23 @@ public final class BearerTokenGenerator
{
checkNotNull(user, "user is required");
- SecureKey key = keyResolver.getSecureKey(user.getName());
-
+ String username = user.getName();
+
+ String id = keyGenerator.createKey();
+
+ logger.trace("create new token {} for user {}", id, username);
+
+ SecureKey key = keyResolver.getSecureKey(username);
+
Date now = new Date();
+
// TODO: should be configurable
long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);
-
+
//J-
return Jwts.builder()
- .setSubject(user.getName())
- .setId(keyGenerator.createKey())
+ .setSubject(username)
+ .setId(id)
.signWith(SignatureAlgorithm.HS256, key.getBytes())
.setIssuedAt(now)
.setExpiration(new Date(now.getTime() + expiration))
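Review bot: The trace statement on the new line `logger.trace("create new token {} for user {}", id, username);` is emitted before anything is signed: `keyResolver.getSecureKey(username)` runs on the following line and can fail, so a reader of the log would see "create new token" for tokens that never came into existence. Either move the statement after the builder returns or word it as an intent, e.g. `logger.trace("creating token {} for user {}", id, username);`. Logging only the jti and the subject, and never the compact token, is the right choice and should stay that way when the `TODO` on the hard-coded 10-hour expiration is addressed. The builder chain and the enclosing method continue past the end of the hunk, so the actual `compact()` call and any later logging are not visible here.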
diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
index 00f0de8e36..5c8f57ae80 100644
--- a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
@@ -56,6 +56,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
+ * Filter to handle authentication for the rest api of SCM-Manager.
*
* @author Sebastian Sdorra
*/
@@ -65,23 +66,16 @@ import javax.servlet.http.HttpServletResponse;
public class ApiAuthenticationFilter extends AuthenticationFilter
{
- /** Field description */
+ /** login uri */
public static final String URI_LOGIN = "/api/rest/authentication/login";
- /** Field description */
- public static final String URI_LOGOUT = "/api/rest/authentication/logout";
-
- /** Field description */
- public static final String URI_STATE = "/api/rest/authentication/state";
-
//~--- constructors ---------------------------------------------------------
/**
- * Constructs ...
+ * Constructs a new ApiAuthenticationFilter
*
- *
- * @param configuration
- * @param tokenGenerators
+ * @param configuration scm main configuration
+ * @param tokenGenerators web token generators
*/
@Inject
public ApiAuthenticationFilter(ScmConfiguration configuration,
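Review bot: `URI_LOGOUT` and `URI_STATE` were `public static final` constants on a public class, so removing them is a source- and binary-incompatible change for any plugin or other module that referenced them; whether such references exist is not visible from this diff. If external compatibility matters here, keep the two constants with a `@Deprecated` Javadoc tag and a note that the filter no longer skips those resources, and drop them in a later release. The constructor signature that starts at the last line of the hunk continues outside it.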
@@ -93,12 +87,13 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
//~--- methods --------------------------------------------------------------
/**
- * Method description
+ * The filter skips the authentication chain on the login resource, for all
+ * other resources the request is delegated to the
+ * {@link AuthenticationFilter}.
*
- *
- * @param request
- * @param response
- * @param chain
+ * @param request http servlet request
+ * @param response http servlet response
+ * @param chain filter chain
*
* @throws IOException
* @throws ServletException
@@ -108,11 +103,8 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
HttpServletResponse response, FilterChain chain)
throws IOException, ServletException
{
-
- // skip filter on authentication resource
- if (request.getRequestURI().contains(URI_LOGIN)
- || request.getRequestURI().contains(URI_STATE)
- || request.getRequestURI().contains(URI_LOGOUT))
+ // skip filter on login resource
+ if (request.getRequestURI().contains(URI_LOGIN))
{
chain.doFilter(request, response);
}
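Review bot: The skip test on the new line, `request.getRequestURI().contains(URI_LOGIN)`, matches any URI that embeds `/api/rest/authentication/login` anywhere in it — under another resource path or with further segments appended — so more than the login resource bypasses the authentication chain. Match the path exactly instead: `String path = request.getRequestURI().substring(request.getContextPath().length());` followed by `if (URI_LOGIN.equals(path))`, adding a trailing-slash variant only if the login resource accepts one. How much this matters depends on what the rest of the chain does with an unauthenticated request; the class Javadoc in this diff says the filter does not prompt for authentication, so downstream resources presumably enforce access themselves, which should be confirmed. The method's else branch and the rest of the class lie outside this hunk.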
@@ -123,12 +115,12 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
}
/**
- * Method description
+ * The filter process the chain on unauthorized requests and does not prompt
+ * for authentication.
*
- *
- * @param request
- * @param response
- * @param chain
+ * @param request http servlet request
+ * @param response http servlet response
+ * @param chain filter chain
*
* @throws IOException
* @throws ServletException
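Review bot: The new summary sentence has a subject–verb mismatch ("The filter process the chain") and, more importantly, describes a security-relevant contract — unauthenticated requests are passed on without a challenge — without saying who is then expected to reject anonymous access. Suggest `* The filter continues the chain on unauthorized requests and does not prompt for authentication; resources behind it are expected to enforce authorization themselves.` if that is indeed the intended division of responsibility, which this diff alone does not show. The method this Javadoc belongs to begins after the end of the hunk.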
diff --git a/scm-webapp/src/main/resources/logback.default.xml b/scm-webapp/src/main/resources/logback.default.xml
index cb0c6841f1..6ddedcdfad 100644
--- a/scm-webapp/src/main/resources/logback.default.xml
+++ b/scm-webapp/src/main/resources/logback.default.xml
@@ -66,7 +66,8 @@
-
+
+