mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-08 14:35:45 +01:00
do not store request and respone in authentication token
This commit is contained in:
Sebastian Sdorra
@@ -56,7 +56,7 @@ import sonia.scm.ScmState;
|
||||
import sonia.scm.config.ScmConfiguration;
|
||||
import sonia.scm.group.GroupNames;
|
||||
import sonia.scm.repository.RepositoryManager;
|
||||
import sonia.scm.security.ScmAuthenticationToken;
|
||||
import sonia.scm.security.Tokens;
|
||||
import sonia.scm.user.User;
|
||||
import sonia.scm.user.UserManager;
|
||||
|
||||
@@ -138,7 +138,6 @@ public class AuthenticationResource
|
||||
@Path("login")
|
||||
@TypeHint(ScmState.class)
|
||||
public ScmState authenticate(@Context HttpServletRequest request,
|
||||
@Context HttpServletResponse response,
|
||||
@FormParam("username") String username,
|
||||
@FormParam("password") String password)
|
||||
{
|
||||
@@ -148,7 +147,7 @@ public class AuthenticationResource
|
||||
|
||||
try
|
||||
{
|
||||
subject.login(new ScmAuthenticationToken(request, response, username,
|
||||
subject.login(Tokens.createAuthenticationToken(request, username,
|
||||
password));
|
||||
state = createState(subject);
|
||||
}
|
||||
|
||||
@@ -39,6 +39,7 @@ import com.google.common.base.Joiner;
|
||||
import com.google.common.collect.Lists;
|
||||
import com.google.common.collect.Sets;
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Provider;
|
||||
import com.google.inject.Singleton;
|
||||
|
||||
import org.apache.shiro.authc.AccountException;
|
||||
@@ -48,6 +49,7 @@ import org.apache.shiro.authc.AuthenticationToken;
|
||||
import org.apache.shiro.authc.DisabledAccountException;
|
||||
import org.apache.shiro.authc.SimpleAuthenticationInfo;
|
||||
import org.apache.shiro.authc.UnknownAccountException;
|
||||
import org.apache.shiro.authc.UsernamePasswordToken;
|
||||
import org.apache.shiro.authc.pam.UnsupportedTokenException;
|
||||
import org.apache.shiro.authz.AuthorizationInfo;
|
||||
import org.apache.shiro.authz.SimpleAuthorizationInfo;
|
||||
@@ -91,6 +93,7 @@ import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -130,12 +133,16 @@ public class ScmRealm extends AuthorizingRealm
|
||||
* @param repositoryDAO
|
||||
* @param userDAO
|
||||
* @param authenticator
|
||||
* @param requestProvider
|
||||
* @param responseProvider
|
||||
*/
|
||||
@Inject
|
||||
public ScmRealm(ScmConfiguration configuration, CacheManager cacheManager,
|
||||
UserManager userManager, GroupManager groupManager,
|
||||
RepositoryManager repositoryManager, RepositoryDAO repositoryDAO,
|
||||
UserDAO userDAO, AuthenticationManager authenticator)
|
||||
UserDAO userDAO, AuthenticationManager authenticator,
|
||||
Provider<HttpServletRequest> requestProvider,
|
||||
Provider<HttpServletResponse> responseProvider)
|
||||
{
|
||||
this.configuration = configuration;
|
||||
this.userManager = userManager;
|
||||
@@ -143,13 +150,15 @@ public class ScmRealm extends AuthorizingRealm
|
||||
this.repositoryDAO = repositoryDAO;
|
||||
this.userDAO = userDAO;
|
||||
this.authenticator = authenticator;
|
||||
this.requestProvider = requestProvider;
|
||||
this.responseProvider = responseProvider;
|
||||
|
||||
// init cache
|
||||
this.cache = cacheManager.getCache(String.class, AuthorizationInfo.class,
|
||||
CACHE_NAME);
|
||||
|
||||
// set token class
|
||||
setAuthenticationTokenClass(ScmAuthenticationToken.class);
|
||||
setAuthenticationTokenClass(UsernamePasswordToken.class);
|
||||
|
||||
// use own custom caching
|
||||
setCachingEnabled(false);
|
||||
@@ -229,17 +238,17 @@ public class ScmRealm extends AuthorizingRealm
|
||||
AuthenticationToken authToken)
|
||||
throws AuthenticationException
|
||||
{
|
||||
if (!(authToken instanceof ScmAuthenticationToken))
|
||||
if (!(authToken instanceof UsernamePasswordToken))
|
||||
{
|
||||
throw new UnsupportedTokenException("ScmAuthenticationToken is required");
|
||||
}
|
||||
|
||||
ScmAuthenticationToken token = (ScmAuthenticationToken) authToken;
|
||||
UsernamePasswordToken token = (UsernamePasswordToken) authToken;
|
||||
|
||||
AuthenticationInfo info = null;
|
||||
AuthenticationResult result =
|
||||
authenticator.authenticate(token.getRequest(), token.getResponse(),
|
||||
token.getUsername(), token.getPassword());
|
||||
authenticator.authenticate(requestProvider.get(), responseProvider.get(),
|
||||
token.getUsername(), new String(token.getPassword()));
|
||||
|
||||
if ((result != null) && (AuthenticationState.SUCCESS == result.getState()))
|
||||
{
|
||||
@@ -549,11 +558,11 @@ public class ScmRealm extends AuthorizingRealm
|
||||
* @return
|
||||
*/
|
||||
private AuthenticationInfo createAuthenticationInfo(
|
||||
ScmAuthenticationToken token, AuthenticationResult result)
|
||||
UsernamePasswordToken token, AuthenticationResult result)
|
||||
{
|
||||
User user = result.getUser();
|
||||
Collection<String> groups = authenticate(token.getRequest(),
|
||||
token.getPassword(), result);
|
||||
Collection<String> groups = authenticate(requestProvider.get(),
|
||||
new String(token.getPassword()), result);
|
||||
|
||||
SimplePrincipalCollection collection = new SimplePrincipalCollection();
|
||||
|
||||
@@ -754,6 +763,12 @@ public class ScmRealm extends AuthorizingRealm
|
||||
/** Field description */
|
||||
private RepositoryDAO repositoryDAO;
|
||||
|
||||
/** Field description */
|
||||
private Provider<HttpServletRequest> requestProvider;
|
||||
|
||||
/** Field description */
|
||||
private Provider<HttpServletResponse> responseProvider;
|
||||
|
||||
/** Field description */
|
||||
private UserDAO userDAO;
|
||||
|
||||
|
||||
@@ -46,7 +46,8 @@ import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import sonia.scm.config.ScmConfiguration;
|
||||
import sonia.scm.security.ScmAuthenticationToken;
|
||||
import sonia.scm.group.GroupNames;
|
||||
import sonia.scm.security.Tokens;
|
||||
import sonia.scm.user.User;
|
||||
import sonia.scm.user.UserManager;
|
||||
|
||||
@@ -58,7 +59,6 @@ import java.util.Collections;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import sonia.scm.group.GroupNames;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -118,7 +118,7 @@ public class BasicSecurityContext implements WebSecurityContext
|
||||
|
||||
Subject subject = SecurityUtils.getSubject();
|
||||
|
||||
subject.login(new ScmAuthenticationToken(request, response, username,
|
||||
subject.login(Tokens.createAuthenticationToken(request, username,
|
||||
password));
|
||||
|
||||
user = subject.getPrincipals().oneByType(User.class);
|
||||
@@ -166,7 +166,6 @@ public class BasicSecurityContext implements WebSecurityContext
|
||||
@Override
|
||||
public Collection<String> getGroups()
|
||||
{
|
||||
Subject subject = SecurityUtils.getSubject();
|
||||
GroupNames groups = getPrincipal(GroupNames.class);
|
||||
|
||||
Collection<String> groupCollection = null;
|
||||
|
||||
Reference in New Issue
Block a user