improve security

2025-11-13 08:55:44 +01:00 · 2010-10-15 17:58:16 +02:00
parent e891d762fb
commit d0825b25c8
9 changed files with 469 additions and 101 deletions
--- a/scm-web-api/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
+++ b/scm-web-api/src/main/java/sonia/scm/web/filter/BasicAuthenticationFilter.java
@@ -10,11 +10,12 @@ package sonia.scm.web.filter;
 //~--- non-JDK imports --------------------------------------------------------

 import com.google.inject.Inject;
+import com.google.inject.Provider;
 import com.google.inject.Singleton;

 import sonia.scm.User;
 import sonia.scm.util.Util;
-import sonia.scm.web.security.Authenticator;
+import sonia.scm.web.security.SecurityContext;

 //~--- JDK imports ------------------------------------------------------------

@@ -56,20 +57,6 @@ public class BasicAuthenticationFilter extends HttpFilter
  /** Field description */
  public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";

-  //~--- constructors ---------------------------------------------------------
-
-  /**
-   * Constructs ...
-   *
-   *
-   * @param authenticator
-   */
-  @Inject
-  public BasicAuthenticationFilter(Authenticator authenticator)
-  {
-    this.authenticator = authenticator;
-  }
-
  //~--- methods --------------------------------------------------------------

  /**
@@ -88,32 +75,40 @@ public class BasicAuthenticationFilter extends HttpFilter
                          HttpServletResponse response, FilterChain chain)
          throws IOException, ServletException
  {
-    User user = authenticator.getUser(request);
+    SecurityContext securityContext = securityContextProvider.get();
+    User user = null;

-    if (user == null)
+    if (securityContext != null)
    {
-      String authentication = request.getHeader(HEADER_AUTHORIZATION);
-
-      if (Util.isEmpty(authentication))
+      if (!securityContext.isAuthenticated())
      {
-        sendUnauthorized(response);
+        String authentication = request.getHeader(HEADER_AUTHORIZATION);
+
+        if (Util.isEmpty(authentication))
+        {
+          sendUnauthorized(response);
+        }
+        else
+        {
+          if (!authentication.toUpperCase().startsWith(
+                  AUTHORIZATION_BASIC_PREFIX))
+          {
+            throw new ServletException("wrong basic header");
+          }
+
+          String token = authentication.substring(6);
+
+          token = new String(Base64.decode(token.getBytes()));
+
+          String[] credentials = token.split(CREDENTIAL_SEPARATOR);
+
+          user = securityContext.authenticate(request, response,
+                  credentials[0], credentials[1]);
+        }
      }
      else
      {
-        if (!authentication.toUpperCase().startsWith(
-                AUTHORIZATION_BASIC_PREFIX))
-        {
-          throw new ServletException("wrong basic header");
-        }
-
-        String token = authentication.substring(6);
-
-        token = new String(Base64.decode(token.getBytes()));
-
-        String[] credentials = token.split(CREDENTIAL_SEPARATOR);
-
-        user = authenticator.authenticate(request, credentials[0],
-                                          credentials[1]);
+        user = securityContext.getUser();
      }
    }

@@ -145,5 +140,6 @@ public class BasicAuthenticationFilter extends HttpFilter
  //~--- fields ---------------------------------------------------------------

  /** Field description */
-  private Authenticator authenticator;
+  @Inject
+  private Provider<SecurityContext> securityContextProvider;
 }
--- a/scm-web-api/src/main/java/sonia/scm/web/security/Authenticator.java
+++ b/scm-web-api/src/main/java/sonia/scm/web/security/Authenticator.java
@@ -14,6 +14,7 @@ import sonia.scm.User;
 //~--- JDK imports ------------------------------------------------------------

 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;

 /**
 *
@@ -27,23 +28,13 @@ public interface Authenticator
   *
   *
   * @param request
+   * @param response
   * @param username
   * @param password
   *
   * @return
   */
-  public User authenticate(HttpServletRequest request, String username,
+  public User authenticate(HttpServletRequest request,
+                           HttpServletResponse response, String username,
                           String password);
-
-  //~--- get methods ----------------------------------------------------------
-
-  /**
-   * Method description
-   *
-   *
-   * @param request
-   *
-   * @return
-   */
-  public User getUser(HttpServletRequest request);
 }
--- a/scm-web-api/src/main/java/sonia/scm/web/security/BasicSecurityContext.java
+++ b/scm-web-api/src/main/java/sonia/scm/web/security/BasicSecurityContext.java
@@ -0,0 +1,85 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+
+
+package sonia.scm.web.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.inject.Inject;
+import com.google.inject.servlet.SessionScoped;
+
+import sonia.scm.User;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+@SessionScoped
+public class BasicSecurityContext implements SecurityContext
+{
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param response
+   * @param username
+   * @param password
+   *
+   * @return
+   */
+  @Override
+  public User authenticate(HttpServletRequest request,
+                           HttpServletResponse response, String username,
+                           String password)
+  {
+    user = authenticator.authenticate(request, response, username, password);
+
+    return user;
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  @Override
+  public User getUser()
+  {
+    return user;
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  @Override
+  public boolean isAuthenticated()
+  {
+    return user != null;
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  @Inject
+  private Authenticator authenticator;
+
+  /** Field description */
+  private User user;
+}
--- a/scm-web-api/src/main/java/sonia/scm/web/security/SecurityContext.java
+++ b/scm-web-api/src/main/java/sonia/scm/web/security/SecurityContext.java
@@ -0,0 +1,58 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+
+
+package sonia.scm.web.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import sonia.scm.User;
+
+//~--- JDK imports ------------------------------------------------------------
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ */
+public interface SecurityContext
+{
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param response
+   * @param username
+   * @param password
+   *
+   * @return
+   */
+  public User authenticate(HttpServletRequest request,
+                              HttpServletResponse response, String username,
+                              String password);
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  public User getUser();
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  public boolean isAuthenticated();
+}