From ab1b91e1c52ade44c45e35b8c9ded7457c3ae1ca Mon Sep 17 00:00:00 2001 From: Sebastian Sdorra Date: Thu, 26 Mar 2015 21:07:28 +0100 Subject: [PATCH] fix authentication on api requests --- .../scm/security/BearerTokenGenerator.java | 33 +++++++++++--- .../web/security/ApiAuthenticationFilter.java | 44 ++++++++----------- .../src/main/resources/logback.default.xml | 3 +- .../src/main/resources/logback.release.xml | 3 +- 4 files changed, 48 insertions(+), 35 deletions(-) diff --git a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java index f53e0da445..16aacbf8ec 100644 --- a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java +++ b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java @@ -36,14 +36,18 @@ package sonia.scm.security; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import sonia.scm.user.User; import static com.google.common.base.Preconditions.*; -import java.util.Date; -import java.util.concurrent.TimeUnit; //~--- JDK imports ------------------------------------------------------------ +import java.util.Date; +import java.util.concurrent.TimeUnit; + import javax.inject.Inject; /** @@ -55,6 +59,14 @@ import javax.inject.Inject; public final class BearerTokenGenerator { + /** + * the logger for BearerTokenGenerator + */ + private static final Logger logger = + LoggerFactory.getLogger(BearerTokenGenerator.class); + + //~--- constructors --------------------------------------------------------- + /** * Constructs a new token generator. * 
@@ -84,16 +96,23 @@ public final class BearerTokenGenerator { checkNotNull(user, "user is required"); - SecureKey key = keyResolver.getSecureKey(user.getName()); - + String username = user.getName(); + + String id = keyGenerator.createKey(); + + logger.trace("create new token {} for user {}", id, username); + + SecureKey key = keyResolver.getSecureKey(username); + Date now = new Date(); + // TODO: should be configurable long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS); - + //J- return Jwts.builder() - .setSubject(user.getName()) - .setId(keyGenerator.createKey()) + .setSubject(username) + .setId(id) .signWith(SignatureAlgorithm.HS256, key.getBytes()) .setIssuedAt(now) .setExpiration(new Date(now.getTime() + expiration)) diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java index 00f0de8e36..5c8f57ae80 100644 --- a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java +++ b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java @@ -56,6 +56,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** + * Filter to handle authentication for the rest api of SCM-Manager. * * @author Sebastian Sdorra */ 
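Review bot: The token lifetime on the new side is still a magic number behind a TODO (`long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);`); until it is configurable, hoist it to a named constant so the lifetime is visible at the top of the class, e.g. `private static final long TOKEN_EXPIRATION_MS = TimeUnit.HOURS.toMillis(10);` and `.setExpiration(new Date(now.getTime() + TOKEN_EXPIRATION_MS))`. The added `logger.trace("create new token {} for user {}", id, username)` writes the token id (the jti) and the username, which is fine for correlating sessions; a comment such as `// log only the token id, never the signed token` would keep a later edit from logging the compacted JWT. The method starts before the hunk and the builder chain continues past its last line, so where the token is compacted is not visible here.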
@@ -65,23 +66,16 @@ import javax.servlet.http.HttpServletResponse; public class ApiAuthenticationFilter extends AuthenticationFilter { - /** Field description */ + /** login uri */ public static final String URI_LOGIN = "/api/rest/authentication/login"; - /** Field description */ - public static final String URI_LOGOUT = "/api/rest/authentication/logout"; - - /** Field description */ - public static final String URI_STATE = "/api/rest/authentication/state"; - //~--- constructors --------------------------------------------------------- /** - * Constructs ... + * Constructs a new ApiAuthenticationFilter * - * - * @param configuration - * @param tokenGenerators + * @param configuration scm main configuration + * @param tokenGenerators web token generators */ @Inject public ApiAuthenticationFilter(ScmConfiguration configuration, @@ -93,12 +87,13 @@ public class ApiAuthenticationFilter extends AuthenticationFilter //~--- methods -------------------------------------------------------------- /** - * Method description + * The filter skips the authentication chain on the login resource, for all + * other resources the request is delegated to the + * {@link AuthenticationFilter}. * - * - * @param request - * @param response - * @param chain + * @param request http servlet request + * @param response http servlet response + * @param chain filter chain * * @throws IOException * @throws ServletException @@ -108,11 +103,8 @@ public class ApiAuthenticationFilter extends AuthenticationFilter HttpServletResponse response, FilterChain chain) throws IOException, ServletException { - - // skip filter on authentication resource - if (request.getRequestURI().contains(URI_LOGIN) - || request.getRequestURI().contains(URI_STATE) - || request.getRequestURI().contains(URI_LOGOUT)) + // skip filter on login resource + if (request.getRequestURI().contains(URI_LOGIN)) { chain.doFilter(request, response); } 
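Review bot: The exemption that remains in doFilter, `if (request.getRequestURI().contains(URI_LOGIN))`, is a substring test on the raw request URI, so any request whose URI merely contains `/api/rest/authentication/login` somewhere skips authentication, not only the login resource itself; `getRequestURI()` is also neither decoded nor normalized, which makes a substring match a weaker gate than the servlet mapping it is meant to mirror. Compare the path relative to the context path instead, e.g. `String path = request.getRequestURI().substring(request.getContextPath().length());` followed by `if (URI_LOGIN.equals(path))` (or `path.startsWith(URI_LOGIN)` if the login resource has sub-paths — that depends on the REST mapping, which is outside this hunk). The construct predates this commit, which only drops the URI_STATE and URI_LOGOUT branches, so this is a follow-up rather than a regression. The doFilter signature begins above the hunk and its else branch continues below it.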
@@ -123,12 +115,12 @@ public class ApiAuthenticationFilter extends AuthenticationFilter } /** - * Method description + * The filter process the chain on unauthorized requests and does not prompt + * for authentication. * - * - * @param request - * @param response - * @param chain + * @param request http servlet request + * @param response http servlet response + * @param chain filter chain * * @throws IOException * @throws ServletException diff --git a/scm-webapp/src/main/resources/logback.default.xml b/scm-webapp/src/main/resources/logback.default.xml index cb0c6841f1..6ddedcdfad 100644 --- a/scm-webapp/src/main/resources/logback.default.xml +++ b/scm-webapp/src/main/resources/logback.default.xml @@ -66,7 +66,8 @@ - + +
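Review bot: The new Javadoc sentence `The filter process the chain on unauthorized requests and does not prompt for authentication.` has a subject–verb mismatch and leaves the reader unsure what the client receives instead of a challenge; `Continues the filter chain for unauthorized requests without sending an authentication challenge.` states the same contract correctly. The method this comment documents lies entirely outside the hunk, so whether a status code is set on that path cannot be confirmed from here and the comment should not claim more than the body shows.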