[Fix] Validate SET_PASSWORD request is honored
parent
c9f775334e
commit
d2c3bd8c8f
|
@ -121,17 +121,17 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
||||||
logger.error(e.getMessage());
|
logger.error(e.getMessage());
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("User is not authenticated!").build()); //$NON-NLS-1$
|
.entity("User is not authenticated!").build());
|
||||||
} catch (StrolchAccessDeniedException e) {
|
} catch (StrolchAccessDeniedException e) {
|
||||||
logger.error(e.getMessage());
|
logger.error(e.getMessage());
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("User is not authorized!").build()); //$NON-NLS-1$
|
.entity("User is not authorized!").build());
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
logger.error(e.getMessage());
|
logger.error(e.getMessage());
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("User cannot access the resource.").build()); //$NON-NLS-1$
|
.entity("User cannot access the resource.").build());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -176,8 +176,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
||||||
logger.error("Basic Auth not enabled. Can not process URL " + requestContext.getUriInfo().getPath());
|
logger.error("Basic Auth not enabled. Can not process URL " + requestContext.getUriInfo().getPath());
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("Basic Auth not enabled") //$NON-NLS-1$
|
.entity("Basic Auth not enabled").build());
|
||||||
.build());
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -203,8 +202,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
||||||
"No Authorization header or cookie on request to URL " + requestContext.getUriInfo().getPath());
|
"No Authorization header or cookie on request to URL " + requestContext.getUriInfo().getPath());
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("Missing Authorization!") //$NON-NLS-1$
|
.entity("Missing Authorization!").build());
|
||||||
.build());
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -223,8 +221,7 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
||||||
if (parts.length != 2) {
|
if (parts.length != 2) {
|
||||||
requestContext.abortWith(
|
requestContext.abortWith(
|
||||||
Response.status(Response.Status.BAD_REQUEST).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
Response.status(Response.Status.BAD_REQUEST).header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN)
|
||||||
.entity("Invalid Basic Authorization!") //$NON-NLS-1$
|
.entity("Invalid Basic Authorization!").build());
|
||||||
.build());
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -247,6 +244,16 @@ public class AuthenticationRequestFilter implements ContainerRequestFilter {
|
||||||
StrolchSessionHandler sessionHandler = getSessionHandler();
|
StrolchSessionHandler sessionHandler = getSessionHandler();
|
||||||
Certificate certificate = sessionHandler.validate(sessionId, remoteIp);
|
Certificate certificate = sessionHandler.validate(sessionId, remoteIp);
|
||||||
|
|
||||||
|
if (certificate.getUsage() == Usage.SET_PASSWORD) {
|
||||||
|
if (!requestContext.getUriInfo().getMatchedURIs()
|
||||||
|
.contains("strolch/privilege/users/" + certificate.getUsername() + "/password")) {
|
||||||
|
requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
|
||||||
|
.header(HttpHeaders.CONTENT_TYPE, MediaType.TEXT_PLAIN).entity("Can only set password!")
|
||||||
|
.build());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
requestContext.setProperty(STROLCH_CERTIFICATE, certificate);
|
requestContext.setProperty(STROLCH_CERTIFICATE, certificate);
|
||||||
requestContext.setProperty(STROLCH_REQUEST_SOURCE, remoteIp);
|
requestContext.setProperty(STROLCH_REQUEST_SOURCE, remoteIp);
|
||||||
return certificate;
|
return certificate;
|
||||||
|
|
|
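Review bot: The abort added for a SET_PASSWORD certificate answers with `Response.Status.UNAUTHORIZED`, yet the certificate has just been accepted by `sessionHandler.validate(sessionId, remoteIp)` and the refusal is an authorization restriction, which the rest of this filter reports as `Response.Status.FORBIDDEN` (see the StrolchAccessDeniedException branch in the first hunk); `requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)` would keep the status semantics consistent. The permitted URI is a hard-coded literal that must stay in step with the password resource's path; a mismatch fails closed (a SET_PASSWORD user can then reach nothing at all), which is the safe direction but deserves a comment such as `// must match the password resource path; a mismatch locks SET_PASSWORD users out, not in`. It is also worth confirming that the Basic Auth branch of this filter (hunks 2 to 4) can never yield a SET_PASSWORD certificate, since that branch does not pass through this check. The enclosing method starts and ends outside the hunk.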
@ -21,7 +21,6 @@ import javax.ws.rs.container.ContainerRequestContext;
|
||||||
import javax.ws.rs.container.ContainerResponseContext;
|
import javax.ws.rs.container.ContainerResponseContext;
|
||||||
import javax.ws.rs.container.ContainerResponseFilter;
|
import javax.ws.rs.container.ContainerResponseFilter;
|
||||||
import javax.ws.rs.ext.Provider;
|
import javax.ws.rs.ext.Provider;
|
||||||
import java.io.IOException;
|
|
||||||
|
|
||||||
import li.strolch.privilege.model.Certificate;
|
import li.strolch.privilege.model.Certificate;
|
||||||
import li.strolch.rest.RestfulStrolchComponent;
|
import li.strolch.rest.RestfulStrolchComponent;
|
||||||
|
@ -38,8 +37,7 @@ public class AuthenticationResponseFilter implements ContainerResponseFilter {
|
||||||
private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseFilter.class);
|
private static final Logger logger = LoggerFactory.getLogger(AuthenticationResponseFilter.class);
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
|
public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
|
||||||
throws IOException {
|
|
||||||
|
|
||||||
Certificate cert = (Certificate) requestContext.getProperty(STROLCH_CERTIFICATE);
|
Certificate cert = (Certificate) requestContext.getProperty(STROLCH_CERTIFICATE);
|
||||||
if (cert == null)
|
if (cert == null)
|
||||||
|
@ -48,6 +46,9 @@ public class AuthenticationResponseFilter implements ContainerResponseFilter {
|
||||||
if (cert.getUsage().isSingle()) {
|
if (cert.getUsage().isSingle()) {
|
||||||
logger.info("Invalidating single usage certificate for " + cert.getUsername());
|
logger.info("Invalidating single usage certificate for " + cert.getUsername());
|
||||||
RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert);
|
RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert);
|
||||||
|
} else if (cert.getUsage().isSetPassword()) {
|
||||||
|
logger.info("Invalidating SET_PASSWORD usage certificate for " + cert.getUsername());
|
||||||
|
RestfulStrolchComponent.getInstance().getSessionHandler().invalidate(cert);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
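Review bot: The new `else if (cert.getUsage().isSetPassword())` branch repeats the `isSingle()` branch line for line apart from the log text, so one branch would do: `if (cert.getUsage().isSingle() || cert.getUsage().isSetPassword()) {` with `logger.info("Invalidating " + cert.getUsage() + " usage certificate for " + cert.getUsername());` — Usage is compared with `==` against `Usage.SET_PASSWORD` in the request filter, so it appears to be an enum whose `toString()` yields the constant name unless overridden. More importantly, the invalidation runs on every response that carries the certificate, including a failed password change, so a single failed attempt consumes the SET_PASSWORD session; that is the conservative choice, but it should be stated in a comment such as `// the certificate is consumed whether or not the password change succeeded` so that it reads as intended rather than as an oversight. filter() begins in the previous hunk and appears to end at the second closing brace of this one.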