Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-14 17:26:22 +01:00
Code Issues Packages Projects Releases Activity

added restful endpoint for jwt authentication

Browse Source
This commit is contained in:
Sebastian Sdorra
2015-03-15 11:40:29 +01:00
parent be385e4f2e
commit 325ca0c795
10 changed files with 352 additions and 347 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
scm-webapp/src/main/java/sonia/scm/ScmSecurityModule.java
View File

@@ -114,6 +114,9 @@ public class ScmSecurityModule extends ShiroWebModule
// disable access to mustache resources
addFilterChain("/**.mustache", config(ROLES, "nobody"));
// disable session
// addFilterChain("/**", NO_SESSION_CREATION);
}
/**

179
scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
View File

@@ -37,8 +37,6 @@ package sonia.scm.api.rest.resources;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableList.Builder;
import com.google.inject.Inject;
import com.google.inject.Singleton;
@@ -46,8 +44,6 @@ import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.codehaus.enunciate.jaxrs.TypeHint;
@@ -56,30 +52,18 @@ import org.codehaus.enunciate.modules.jersey.ExternallyManagedLifecycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.SCMContext;
import sonia.scm.SCMContextProvider;
import sonia.scm.ScmClientConfig;
import sonia.scm.ScmState;
import sonia.scm.ScmStateFactory;
import sonia.scm.api.rest.RestActionResult;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.group.GroupNames;
import sonia.scm.repository.RepositoryManager;
import sonia.scm.security.AuthorizationCollector;
import sonia.scm.security.PermissionDescriptor;
import sonia.scm.security.Role;
import sonia.scm.security.SecuritySystem;
import sonia.scm.security.StringablePermission;
import sonia.scm.security.BearerTokenGenerator;
import sonia.scm.security.Tokens;
import sonia.scm.user.User;
import sonia.scm.user.UserManager;
import sonia.scm.util.HttpUtil;
//~--- JDK imports ------------------------------------------------------------
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -89,6 +73,7 @@ import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
@@ -127,25 +112,17 @@ public class AuthenticationResource
* Constructs ...
*
*
* @param contextProvider
* @param configuration
* @param repositoryManger
* @param userManager
* @param securitySystem
* @param collector
* @param stateFactory
* @param tokenGenerator
*/
@Inject
public AuthenticationResource(SCMContextProvider contextProvider,
ScmConfiguration configuration, RepositoryManager repositoryManger,
UserManager userManager, SecuritySystem securitySystem,
AuthorizationCollector collector)
public AuthenticationResource(ScmConfiguration configuration,
ScmStateFactory stateFactory, BearerTokenGenerator tokenGenerator)
{
this.contextProvider = contextProvider;
this.configuration = configuration;
this.repositoryManger = repositoryManger;
this.userManager = userManager;
this.securitySystem = securitySystem;
this.permissionCollector = collector;
this.stateFactory = stateFactory;
this.tokenGenerator = tokenGenerator;
}
//~--- methods --------------------------------------------------------------
@@ -160,10 +137,12 @@ public class AuthenticationResource
* <li>500 internal server error</li>
* </ul>
*
* @param request the current http request
* @param request current http request
* @param response current http response
* @param username the username for the authentication
* @param password the password for the authentication
* @param rememberMe true to remember the user across sessions
* @param cookie create authentication token
*
* @return
*/
@@ -171,23 +150,46 @@ public class AuthenticationResource
@Path("login")
@TypeHint(ScmState.class)
public Response authenticate(@Context HttpServletRequest request,
@Context HttpServletResponse response,
@FormParam("username") String username,
@FormParam("password") String password, @FormParam("rememberMe")
@DefaultValue("false") boolean rememberMe)
@DefaultValue("false") boolean rememberMe, @QueryParam(
"cookie") boolean cookie)
{
Preconditions.checkArgument(!Strings.isNullOrEmpty(username),
"username parameter is required");
Preconditions.checkArgument(!Strings.isNullOrEmpty(password),
"password parameter is required");
Response response;
Response res;
Subject subject = SecurityUtils.getSubject();
try
{
subject.login(Tokens.createAuthenticationToken(request, username,
password, rememberMe));
response = Response.ok(createState(subject)).build();
User user = subject.getPrincipals().oneByType(User.class);
String token = tokenGenerator.createBearerToken(user);
ScmState state;
if (cookie)
{
Cookie c = new Cookie("X-Bearer-Token", token);
c.setPath(request.getContextPath());
c.setHttpOnly(true);
response.addCookie(c);
state = stateFactory.createState(subject);
}
else
{
state = stateFactory.createState(subject, token);
}
res = Response.ok(state).build();
}
catch (DisabledAccountException ex)
{
@@ -202,8 +204,8 @@ public class AuthenticationResource
logger.warn("authentication failed, account {} is locked", username);
}
response = handleFailedAuthentication(request, ex,
Response.Status.FORBIDDEN, WUIAuthenticationFailure.LOCKED);
res = handleFailedAuthentication(request, ex, Response.Status.FORBIDDEN,
WUIAuthenticationFailure.LOCKED);
}
catch (ExcessiveAttemptsException ex)
{
@@ -219,8 +221,8 @@ public class AuthenticationResource
username);
}
response = handleFailedAuthentication(request, ex,
Response.Status.FORBIDDEN, WUIAuthenticationFailure.TEMPORARY_LOCKED);
res = handleFailedAuthentication(request, ex, Response.Status.FORBIDDEN,
WUIAuthenticationFailure.TEMPORARY_LOCKED);
}
catch (AuthenticationException ex)
{
@@ -233,12 +235,12 @@ public class AuthenticationResource
logger.warn("authentication failed for user {}", username);
}
response = handleFailedAuthentication(request, ex,
res = handleFailedAuthentication(request, ex,
Response.Status.UNAUTHORIZED,
WUIAuthenticationFailure.WRONG_CREDENTIALS);
}
return response;
return res;
}
/**
@@ -270,7 +272,7 @@ public class AuthenticationResource
if (configuration.isAnonymousAccessEnabled())
{
resp = Response.ok(createAnonymousState()).build();
resp = Response.ok(stateFactory.createAnonymousState()).build();
}
else
{
@@ -338,14 +340,14 @@ public class AuthenticationResource
subject.getPrincipal());
}
ScmState state = createState(subject);
ScmState state = stateFactory.createState(subject);
response = Response.ok(state).build();
}
else if (configuration.isAnonymousAccessEnabled())
{
response = Response.ok(createAnonymousState()).build();
response = Response.ok(stateFactory.createAnonymousState()).build();
}
else
{
@@ -357,78 +359,6 @@ public class AuthenticationResource
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @return
*/
@SuppressWarnings("unchecked")
private ScmState createAnonymousState()
{
return createState(SCMContext.ANONYMOUS, Collections.EMPTY_LIST,
Collections.EMPTY_LIST, Collections.EMPTY_LIST);
}
/**
* Method description
*
*
* @param securityContext
*
* @param subject
*
* @return
*/
@SuppressWarnings("unchecked")
private ScmState createState(Subject subject)
{
PrincipalCollection collection = subject.getPrincipals();
User user = collection.oneByType(User.class);
GroupNames groups = collection.oneByType(GroupNames.class);
List<PermissionDescriptor> ap = Collections.EMPTY_LIST;
if (subject.hasRole(Role.ADMIN))
{
ap = securitySystem.getAvailablePermissions();
}
Builder<String> builder = ImmutableList.builder();
for (Permission p : permissionCollector.collect().getObjectPermissions())
{
if (p instanceof StringablePermission)
{
builder.add(((StringablePermission) p).getAsString());
}
}
return createState(user, groups.getCollection(), builder.build(), ap);
}
/**
* Method description
*
*
* @param user
* @param groups
* @param assignedPermissions
* @param availablePermissions
*
* @return
*/
private ScmState createState(User user, Collection<String> groups,
List<String> assignedPermissions,
List<PermissionDescriptor> availablePermissions)
{
return new ScmState(contextProvider, user, groups,
repositoryManger.getConfiguredTypes(), userManager.getDefaultType(),
new ScmClientConfig(configuration), assignedPermissions,
availablePermissions);
}
/**
* Method description
*
@@ -529,17 +459,8 @@ public class AuthenticationResource
private final ScmConfiguration configuration;
/** Field description */
private final SCMContextProvider contextProvider;
private final ScmStateFactory stateFactory;
/** Field description */
private final AuthorizationCollector permissionCollector;
/** Field description */
private final RepositoryManager repositoryManger;
/** Field description */
private final SecuritySystem securitySystem;
/** Field description */
private final UserManager userManager;
private final BearerTokenGenerator tokenGenerator;
}

79
scm-webapp/src/main/java/sonia/scm/security/AuthorizationCollector.java → scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
View File

@@ -36,6 +36,7 @@ package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import com.github.legman.Subscribe;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
@@ -59,6 +60,7 @@ import sonia.scm.cache.Cache;
import sonia.scm.cache.CacheManager;
import sonia.scm.group.GroupEvent;
import sonia.scm.group.GroupNames;
import sonia.scm.plugin.Extension;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryDAO;
@@ -77,17 +79,18 @@ import java.util.Set;
* @author Sebastian Sdorra
*/
@Singleton
public class AuthorizationCollector
@Extension
public class DefaultAuthorizationCollector implements AuthorizationCollector
{
/** Field description */
private static final String CACHE_NAME = "sonia.cache.authorizing";
/**
* the logger for AuthorizationCollector
* the logger for DefaultAuthorizationCollector
*/
private static final Logger logger =
LoggerFactory.getLogger(AuthorizationCollector.class);
LoggerFactory.getLogger(DefaultAuthorizationCollector.class);
//~--- constructors ---------------------------------------------------------
@@ -102,7 +105,7 @@ public class AuthorizationCollector
* @param resolver
*/
@Inject
public AuthorizationCollector(CacheManager cacheManager,
public DefaultAuthorizationCollector(CacheManager cacheManager,
RepositoryDAO repositoryDAO, SecuritySystem securitySystem,
PermissionResolver resolver)
{
@@ -120,6 +123,7 @@ public class AuthorizationCollector
*
* @return
*/
@Override
public AuthorizationInfo collect()
{
AuthorizationInfo authorizationInfo;
@@ -267,16 +271,6 @@ public class AuthorizationCollector
return info;
}
/**
* Method description
*
*
*
* @param builder
* @param user
* @param groups
*
*/
private void collectGlobalPermissions(Builder<Permission> builder,
final User user, final GroupNames groups)
{
@@ -313,16 +307,6 @@ public class AuthorizationCollector
}
}
/**
* Method description
*
*
*
* @param builder
* @param user
* @param groups
*
*/
private void collectRepositoryPermissions(Builder<Permission> builder,
User user, GroupNames groups)
{
@@ -338,16 +322,6 @@ public class AuthorizationCollector
}
}
/**
* Method description
*
*
*
* @param builder
* @param repository
* @param user
* @param groups
*/
private void collectRepositoryPermissions(Builder<Permission> builder,
Repository repository, User user, GroupNames groups)
{
@@ -381,15 +355,6 @@ public class AuthorizationCollector
}
}
/**
* Method description
*
*
* @param user
* @param groups
*
* @return
*/
private AuthorizationInfo createAuthorizationInfo(User user,
GroupNames groups)
{
@@ -434,16 +399,6 @@ public class AuthorizationCollector
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @param user
* @param groups
* @param perm
*
* @return
*/
private boolean isUserPermission(User user, GroupNames groups,
PermissionObject perm)
{
@@ -456,22 +411,10 @@ public class AuthorizationCollector
//~--- inner classes --------------------------------------------------------
/**
* Class description
*
*
* @version Enter version here..., 13/08/28
* @author Enter your name here...
* Cache key.
*/
private static class CacheKey
{
/**
* Constructs ...
*
*
* @param username
* @param groupnames
*/
private CacheKey(String username, GroupNames groupnames)
{
this.username = username;
@@ -513,10 +456,10 @@ public class AuthorizationCollector
//~--- fields -------------------------------------------------------------
/** Field description */
/** group names */
private final GroupNames groupnames;
/** Field description */
/** username */
private final String username;
}

10
scm-webapp/src/main/java/sonia/scm/security/DefaultRealm.java
View File

@@ -55,9 +55,9 @@ import javax.inject.Inject;
import javax.inject.Singleton;
/**
* Default authorizing realm.
*
* @author Sebastian Sdorra
*
* @since 2.0.0
*/
@Extension
@@ -82,7 +82,7 @@ public class DefaultRealm extends AuthorizingRealm
*/
@Inject
public DefaultRealm(PasswordService service,
AuthorizationCollector collector, UserDAO userDAO, GroupDAO groupDAO)
DefaultAuthorizationCollector collector, UserDAO userDAO, GroupDAO groupDAO)
{
this.collector = collector;
this.helper = new DAORealmHelper(REALM, userDAO, groupDAO);
@@ -131,9 +131,9 @@ public class DefaultRealm extends AuthorizingRealm
//~--- fields ---------------------------------------------------------------
/** Field description */
private final AuthorizationCollector collector;
/** default authorization collector */
private final DefaultAuthorizationCollector collector;
/** Field description */
/** realm helper */
private final DAORealmHelper helper;
}