[Fix] Validate SET_PASSWORD request is honored
This commit is contained in:
parent
c9f775334e
commit
d2c3bd8c8f
|
@ -121,17 +121,17 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
|||
logger.error(e.getMessage());
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("User is not authenticated!").build()); //$NON-NLS-1$
|
||||
.entity("User is not authenticated!").build());
|
||||
} catch (StrolchAccessDeniedException e) {
|
||||
logger.error(e.getMessage());
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("User is not authorized!").build()); //$NON-NLS-1$
|
||||
.entity("User is not authorized!").build());
|
||||
} catch (Exception e) {
|
||||
logger.error(e.getMessage());
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("User cannot access the resource.").build()); //$NON-NLS-1$
|
||||
.entity("User cannot access the resource.").build());
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -176,8 +176,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
|||
logger.error("Basic Auth not enabled. Can not process URL " + requestContext.getUriInfo().getPath());
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("Basic Auth not enabled") //$NON-NLS-1$
|
||||
.build());
|
||||
.entity("Basic Auth not enabled").build());
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -203,8 +202,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
|||
"No Authorization header or cookie on request to URL " + requestContext.getUriInfo().getPath());
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("Missing Authorization!") //$NON-NLS-1$
|
||||
.build());
|
||||
.entity("Missing Authorization!").build());
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -223,8 +221,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
|||
if (parts.length != 2) {
|
||||
requestContext.abortWith(
|
||||
Response.status(Response.Status.BAD_REQUEST).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||
.entity("Invalid Basic Authorization!") //$NON-NLS-1$
|
||||
.build());
|
||||
.entity("Invalid Basic Authorization!").build());
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -247,6 +244,16 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
|||
StrolchSessionHandler sessionHandler = getSessionHandler();
|
||||
Certificate certificate = sessionHandler.validate(sessionId, remoteIp);
|
||||
|
||||
if (certificate.getUsage() == Usage.SET_PASSWORD) {
|
||||
if (!requestContext.getUriInfo().getMatchedURIs()
|
||||
.contains("strolch/privilege/users/" + certificate.getUsername() + "/password")) {
|
||||
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN).entity("Can only set password!")
|
||||
.build());
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
requestContext.setProperty(STROLCH_CERTIFICATE, certificate);
|
||||
requestContext.setProperty(STROLCH_REQUEST_SOURCE, remoteIp);
|
||||
return certificate;
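Review bot: The abort in the new SET_PASSWORD branch, `requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)`, answers a session that `sessionHandler.validate` has just accepted with 401, while the same "authenticated but not allowed here" case is answered with FORBIDDEN in the StrolchAccessDeniedException handler earlier in this file; `Response.Status.FORBIDDEN` would keep the two consistent and avoid signalling a re-authentication prompt for a still-valid session. The guard keys only on exact equality of one entry of `getMatchedURIs()` with a path built from `certificate.getUsername()` — the HTTP method is not considered, so whether any other resource method mapped to the same URI (if one exists) should be reachable with such a session is worth stating, e.g. `// SET_PASSWORD sessions may only reach the caller's own password resource; exact path match, HTTP method not restricted here`. The hard-coded `"strolch/privilege/users/"` prefix must stay in sync with the resource class's path; a shared constant would reduce drift. The enclosing method starts before this hunk.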
|
||||
|
|
|
@ -21,7 +21,6 @@ import javax.ws.rs.container.ContainerRequestContext;
|
|||
import javax.ws.rs.container.ContainerResponseContext;
|
||||
import javax.ws.rs.container.ContainerResponseFilter;
|
||||
import javax.ws.rs.ext.Provider;
|
||||
import java.io.IOException;
|
||||
|
||||
import li.strolch.privilege.model.Certificate;
|
||||
import li.strolch.rest.RestfulStrolchComponent;
|
||||
|
@ -38,8 +37,7 @@ public class AuthenticationResponseFilter implements ContainerResponseFilter {
|
|||
private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseFilter.class);
|
||||
|
||||
@Override
|
||||
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
|
||||
throws IOException {
|
||||
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
|
||||
|
||||
Certificate cert = (Certificate) requestContext.getProperty(STROLCH_CERTIFICATE);
|
||||
if (cert == null)
|
||||
|
@ -48,6 +46,9 @@ public class AuthenticationResponseFilter implements ContainerResponseFilter {
|
|||
if (cert.getUsage().isSingle()) {
|
||||
logger.info("Invalidating single usage certificate for " + cert.getUsername());
|
||||
RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert);
|
||||
} else if (cert.getUsage().isSetPassword()) {
|
||||
logger.info("Invalidating SET_PASSWORD usage certificate for " + cert.getUsername());
|
||||
RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert);
|
||||
}
|
||||
}
|
||||
}
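Review bot: The new `else if (cert.getUsage().isSetPassword())` branch repeats the `isSingle()` branch body verbatim apart from the log text; folding them into one path, `if (cert.getUsage().isSingle() || cert.getUsage().isSetPassword()) { logger.info("Invalidating " + cert.getUsage() + " usage certificate for " + cert.getUsername()); RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert); }`, keeps a single invalidation site. This runs on every completed request regardless of the response status, so a SET_PASSWORD session that reaches the password resource but fails there (for example a rejected new password) is still invalidated and the user has to re-authenticate; if that single-attempt behaviour is intended, a comment such as `// one attempt only: the session is dropped whether or not the password change succeeded` would make it explicit. Requests aborted in AuthenticationRequestFilter appear never to set STROLCH_CERTIFICATE, so they do not reach this invalidation.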
|
||||
|
|