introduce api for handling token validation failed exception

2025-11-02 03:25:56 +01:00 · 2020-10-08 09:58:51 +02:00
parent 5887c5c268
commit f2a53644b6
6 changed files with 102 additions and 8 deletions
--- a/scm-core/src/main/java/sonia/scm/security/TokenValidationFailedException.java
+++ b/scm-core/src/main/java/sonia/scm/security/TokenValidationFailedException.java
@@ -0,0 +1,51 @@
+/*
+ * MIT License
+ *
+ * Copyright (c) 2020-present Cloudogu GmbH and Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package sonia.scm.security;
+
+import org.apache.shiro.authc.AuthenticationException;
+
+/**
+ * Thrown by the {@link AccessTokenResolver} when an {@link AccessTokenValidator} fails to validate an access token.
+ * @since 2.6.2
+ */
+@SuppressWarnings("squid:MaximumInheritanceDepth") // exceptions have a deep inheritance depth themselves; therefore we accept this here
+public class TokenValidationFailedException extends AuthenticationException {
+  private final AccessTokenValidator validator;
+  private final AccessToken accessToken;
+
+  public TokenValidationFailedException(AccessTokenValidator validator, AccessToken accessToken) {
+    super(String.format("Token validator %s failed for access token %s", validator.getClass(), accessToken.getId()));
+    this.validator = validator;
+    this.accessToken = accessToken;
+  }
+
+  public AccessTokenValidator getValidator() {
+    return validator;
+  }
+
+  public AccessToken getAccessToken() {
+    return accessToken;
+  }
+}
--- a/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
+++ b/scm-core/src/main/java/sonia/scm/web/filter/AuthenticationFilter.java
@@ -39,6 +39,7 @@ import sonia.scm.config.ScmConfiguration;
 import sonia.scm.security.AnonymousMode;
 import sonia.scm.security.AnonymousToken;
 import sonia.scm.security.TokenExpiredException;
+import sonia.scm.security.TokenValidationFailedException;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.WebTokenGenerator;
@@ -168,9 +169,15 @@ public class AuthenticationFilter extends HttpFilter {

  protected void handleTokenExpiredException(HttpServletRequest request, HttpServletResponse response,
                                             FilterChain chain, TokenExpiredException tokenExpiredException) throws IOException, ServletException {
+    logger.trace("rethrow token expired exception");
    throw tokenExpiredException;
  }

+  protected void handleTokenValidationFailedException(HttpServletRequest request, HttpServletResponse response, FilterChain chain, TokenValidationFailedException tokenValidationFailedException) throws IOException, ServletException {
+    logger.trace("send unauthorized, because of a failed token validation");
+    handleUnauthorized(request, response, chain);
+  }
+
  /**
   * Iterates all {@link WebTokenGenerator} and creates an
   * {@link AuthenticationToken} from the given request.
@@ -216,7 +223,11 @@ public class AuthenticationFilter extends HttpFilter {
      processChain(request, response, chain, subject);
    } catch (TokenExpiredException ex) {
      // Rethrow to be caught by TokenExpiredFilter
+      logger.trace("handle token expired exception");
      handleTokenExpiredException(request, response, chain, ex);
+    } catch (TokenValidationFailedException ex) {
+      logger.trace("handle token validation failed exception");
+      handleTokenValidationFailedException(request, response, chain, ex);
    } catch (AuthenticationException ex) {
      logger.warn("authentication failed", ex);
      handleUnauthorized(request, response, chain);
@@ -259,7 +270,7 @@ public class AuthenticationFilter extends HttpFilter {
   *
   * @return {@code true} if anonymous access is enabled
   */
-  private boolean isAnonymousAccessEnabled() {
+  protected boolean isAnonymousAccessEnabled() {
    return (configuration != null) && configuration.getAnonymousMode() != AnonymousMode.OFF;
  }
 }