fix authentication on api requests

scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java

@@ -36,14 +36,18 @@ package sonia.scm.security;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import sonia.scm.user.User;
 
 import static com.google.common.base.Preconditions.*;
-import java.util.Date;
-import java.util.concurrent.TimeUnit;
 
 //~--- JDK imports ------------------------------------------------------------
 
+import java.util.Date;
+import java.util.concurrent.TimeUnit;
+
 import javax.inject.Inject;
 
 /**
@@ -55,6 +59,14 @@ import javax.inject.Inject;
 public final class BearerTokenGenerator
 {
 
+  /**
+   * the logger for BearerTokenGenerator
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(BearerTokenGenerator.class);
+
+  //~--- constructors ---------------------------------------------------------
+
   /**
    * Constructs a new token generator.
    *
@@ -84,16 +96,23 @@ public final class BearerTokenGenerator
   {
     checkNotNull(user, "user is required");
 
-    SecureKey key = keyResolver.getSecureKey(user.getName());
+    String username = user.getName();
-    
+
+    String id = keyGenerator.createKey();
+
+    logger.trace("create new token {} for user {}", id, username);
+
+    SecureKey key = keyResolver.getSecureKey(username);
+
     Date now = new Date();
+
     // TODO: should be configurable
     long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);
-    
+
     //J-
     return Jwts.builder()
-      .setSubject(user.getName())
+      .setSubject(username)
-      .setId(keyGenerator.createKey())
+      .setId(id)
       .signWith(SignatureAlgorithm.HS256, key.getBytes())
       .setIssuedAt(now)
       .setExpiration(new Date(now.getTime() + expiration))

scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java

@@ -56,6 +56,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 /**
+ * Filter to handle authentication for the rest api of SCM-Manager.
  *
  * @author Sebastian Sdorra
  */
@@ -65,23 +66,16 @@ import javax.servlet.http.HttpServletResponse;
 public class ApiAuthenticationFilter extends AuthenticationFilter
 {
 
-  /** Field description */
+  /** login uri */
   public static final String URI_LOGIN = "/api/rest/authentication/login";
 
-  /** Field description */
-  public static final String URI_LOGOUT = "/api/rest/authentication/logout";
-
-  /** Field description */
-  public static final String URI_STATE = "/api/rest/authentication/state";
-
   //~--- constructors ---------------------------------------------------------
 
   /**
-   * Constructs ...
+   * Constructs a new ApiAuthenticationFilter
    *
-   *
+   * @param configuration scm main configuration
-   * @param configuration
+   * @param tokenGenerators web token generators
-   * @param tokenGenerators
    */
   @Inject
   public ApiAuthenticationFilter(ScmConfiguration configuration,
@@ -93,12 +87,13 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
   //~--- methods --------------------------------------------------------------
 
   /**
-   * Method description
+   * The filter skips the authentication chain on the login resource, for all
+   * other resources the request is delegated to the 
+   * {@link AuthenticationFilter}.
    *
-   *
+   * @param request http servlet request
-   * @param request
+   * @param response http servlet response
-   * @param response
+   * @param chain filter chain
-   * @param chain
    *
    * @throws IOException
    * @throws ServletException
@@ -108,11 +103,8 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
     HttpServletResponse response, FilterChain chain)
     throws IOException, ServletException
   {
-
+    // skip filter on login resource
-    // skip filter on authentication resource
+    if (request.getRequestURI().contains(URI_LOGIN))
-    if (request.getRequestURI().contains(URI_LOGIN)
-      || request.getRequestURI().contains(URI_STATE)
-      || request.getRequestURI().contains(URI_LOGOUT))
     {
       chain.doFilter(request, response);
     }
@@ -123,12 +115,12 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
   }
 
   /**
-   * Method description
+   * The filter process the chain on unauthorized requests and does not prompt 
+   * for authentication.
    *
-   *
+   * @param request http servlet request
-   * @param request
+   * @param response http servlet response
-   * @param response
+   * @param chain filter chain
-   * @param chain
    *
    * @throws IOException
    * @throws ServletException

scm-webapp/src/main/resources/logback.default.xml

@@ -66,7 +66,8 @@
   <logger name="sonia.scm.web.cgi.DefaultCGIExecutor" level="DEBUG" />
   
   <!-- shiro -->
-  <logger name="org.apache.shiro" level="TRACE" />
+  <logger name="org.apache.shiro" level="INFO" />
+  <logger name="org.apache.shiro.authc.pam.ModularRealmAuthenticator" level="DEBUG" />
   
   <!-- svnkit -->
   <!--

scm-webapp/src/main/resources/logback.release.xml

@@ -86,7 +86,8 @@
   
   <!-- shiro -->
   <!--
-  <logger name="org.apache.shiro" level="TRACE" />
+  <logger name="org.apache.shiro" level="INFO" />
+  <logger name="org.apache.shiro.authc.pam.ModularRealmAuthenticator" level="DEBUG" />
   -->
   
   <!-- svnkit -->