fix authentication on api requests

2025-11-14 17:26:22 +01:00 · 2015-03-26 21:07:28 +01:00
parent 9add730143
commit ab1b91e1c5
4 changed files with 48 additions and 35 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
@@ -36,14 +36,18 @@ package sonia.scm.security;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;

+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import sonia.scm.user.User;

 import static com.google.common.base.Preconditions.*;
-import java.util.Date;
-import java.util.concurrent.TimeUnit;

 //~--- JDK imports ------------------------------------------------------------

+import java.util.Date;
+import java.util.concurrent.TimeUnit;
+
 import javax.inject.Inject;

 /**
@@ -55,6 +59,14 @@ import javax.inject.Inject;
 public final class BearerTokenGenerator
 {

+  /**
+   * the logger for BearerTokenGenerator
+   */
+  private static final Logger logger =
+    LoggerFactory.getLogger(BearerTokenGenerator.class);
+
+  //~--- constructors ---------------------------------------------------------
+
  /**
   * Constructs a new token generator.
   *
@@ -84,16 +96,23 @@ public final class BearerTokenGenerator
  {
    checkNotNull(user, "user is required");

-    SecureKey key = keyResolver.getSecureKey(user.getName());
+    String username = user.getName();
+
+    String id = keyGenerator.createKey();
+
+    logger.trace("create new token {} for user {}", id, username);
+
+    SecureKey key = keyResolver.getSecureKey(username);

    Date now = new Date();
+
    // TODO: should be configurable
    long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);

    //J-
    return Jwts.builder()
-      .setSubject(user.getName())
-      .setId(keyGenerator.createKey())
+      .setSubject(username)
+      .setId(id)
      .signWith(SignatureAlgorithm.HS256, key.getBytes())
      .setIssuedAt(now)
      .setExpiration(new Date(now.getTime() + expiration))
--- a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
@@ -56,6 +56,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 /**
+ * Filter to handle authentication for the rest api of SCM-Manager.
 *
 * @author Sebastian Sdorra
 */
@@ -65,23 +66,16 @@ import javax.servlet.http.HttpServletResponse;
 public class ApiAuthenticationFilter extends AuthenticationFilter
 {

-  /** Field description */
+  /** login uri */
  public static final String URI_LOGIN = "/api/rest/authentication/login";

-  /** Field description */
-  public static final String URI_LOGOUT = "/api/rest/authentication/logout";
-
-  /** Field description */
-  public static final String URI_STATE = "/api/rest/authentication/state";
-
  //~--- constructors ---------------------------------------------------------

  /**
-   * Constructs ...
+   * Constructs a new ApiAuthenticationFilter
   *
-   *
-   * @param configuration
-   * @param tokenGenerators
+   * @param configuration scm main configuration
+   * @param tokenGenerators web token generators
   */
  @Inject
  public ApiAuthenticationFilter(ScmConfiguration configuration,
@@ -93,12 +87,13 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
  //~--- methods --------------------------------------------------------------

  /**
-   * Method description
+   * The filter skips the authentication chain on the login resource, for all
+   * other resources the request is delegated to the 
+   * {@link AuthenticationFilter}.
   *
-   *
-   * @param request
-   * @param response
-   * @param chain
+   * @param request http servlet request
+   * @param response http servlet response
+   * @param chain filter chain
   *
   * @throws IOException
   * @throws ServletException
@@ -108,11 +103,8 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
    HttpServletResponse response, FilterChain chain)
    throws IOException, ServletException
  {
-
-    // skip filter on authentication resource
-    if (request.getRequestURI().contains(URI_LOGIN)
-      || request.getRequestURI().contains(URI_STATE)
-      || request.getRequestURI().contains(URI_LOGOUT))
+    // skip filter on login resource
+    if (request.getRequestURI().contains(URI_LOGIN))
    {
      chain.doFilter(request, response);
    }
@@ -123,12 +115,12 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
  }

  /**
-   * Method description
+   * The filter process the chain on unauthorized requests and does not prompt 
+   * for authentication.
   *
-   *
-   * @param request
-   * @param response
-   * @param chain
+   * @param request http servlet request
+   * @param response http servlet response
+   * @param chain filter chain
   *
   * @throws IOException
   * @throws ServletException
--- a/scm-webapp/src/main/resources/logback.default.xml
+++ b/scm-webapp/src/main/resources/logback.default.xml
@@ -66,7 +66,8 @@
  <logger name="sonia.scm.web.cgi.DefaultCGIExecutor" level="DEBUG" />
  
  <!-- shiro -->
-  <logger name="org.apache.shiro" level="TRACE" />
+  <logger name="org.apache.shiro" level="INFO" />
+  <logger name="org.apache.shiro.authc.pam.ModularRealmAuthenticator" level="DEBUG" />
  
  <!-- svnkit -->
  <!--
--- a/scm-webapp/src/main/resources/logback.release.xml
+++ b/scm-webapp/src/main/resources/logback.release.xml
@@ -86,7 +86,8 @@
  
  <!-- shiro -->
  <!--
-  <logger name="org.apache.shiro" level="TRACE" />
+  <logger name="org.apache.shiro" level="INFO" />
+  <logger name="org.apache.shiro.authc.pam.ModularRealmAuthenticator" level="DEBUG" />
  -->
  
  <!-- svnkit -->