X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Fcore%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Ffilter%2FCadiFilter.java;h=31785795d7105050598f4c3a9349050464dc18ab;hb=HEAD;hp=2305eacd64f2b9ab3529bc282e6cc4f013071886;hpb=5677039c46e3514174f1bc299f5c8e6e8a568824;p=aaf%2Fauthz.git
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
index 2305eacd..31785795 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
@@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -52,16 +52,16 @@ import org.onap.aaf.cadi.util.Timing; /** * CadiFilter - * + * * This class implements Servlet Filter, and ties together CADI implementations - * + * * This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where - * one can enforce this Filter being first and primary. Depending on the Container, it - * may be more effective, in some cases, to utilize features that allow earlier determination of + * one can enforce this Filter being first and primary. Depending on the Container, it + * may be more effective, in some cases, to utilize features that allow earlier determination of * AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes. - * - * + * + * * @author Jonathan * */ 
@@ -73,18 +73,18 @@ public class CadiFilter implements Filter { private Object[] additionalTafLurs; private SideChain sideChain; private static int count=0; - + public Lur getLur() { return httpChecker.getLur(); } - + /** * Construct a viable Filter - * - * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on + * + * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on * them at a later time. Therefore, this object creates with an object that denies all access * until appropriate Init happens, just in case the container lets something slip by in the meantime. - * + * */ public CadiFilter() { additionalTafLurs = CadiHTTPManip.noAdditional; @@ -92,10 +92,10 @@ public class CadiFilter implements Filter { /** * This constructor to be used when directly constructing and placing in HTTP Engine - * + * * @param access * @param moreTafLurs - * @throws ServletException + * @throws ServletException */ public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException { additionalTafLurs = moreTafLurs; @@ -120,7 +120,7 @@ public class CadiFilter implements Filter { /** * Init - * + * * Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this * mechanism already. 
@@ -128,18 +128,18 @@ public class CadiFilter implements Filter { //TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions public void init(FilterConfig filterConfig) throws ServletException { // need the Context for Logging, instantiating ClassLoader, etc - ServletContextAccess sca=new ServletContextAccess(filterConfig); + ServletContextAccess sca=new ServletContextAccess(filterConfig); if (access==null) { access = sca; } - + // Set Protected getter with base Access, for internal class instantiations init(new FCGet(access, sca.context(), filterConfig)); } - + @SuppressWarnings("unchecked") - private void init(Get getter) throws ServletException { + protected void init(Get getter) throws ServletException { sideChain = new SideChain(); // Start with the assumption of "Don't trust anyone". TrustChecker tc = TrustChecker.NOTRUST; // default position @@ -154,20 +154,20 @@ public class CadiFilter implements Filter { } catch (Exception e) { access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); } - + try { Class cf=null; try { cf= (Class) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter"); sideChain.add(cf.newInstance()); } catch (ClassNotFoundException e) { - access.log(Level.DEBUG, "OAuthFilter not enabled"); + access.log(Level.DEBUG, "OAuthFilter not enabled"); } } catch (Exception e) { access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage()); } - + // Synchronize, because some instantiations call init several times on the same object // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice. synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) { @@ -194,8 +194,8 @@ public class CadiFilter implements Filter { pathExceptions = str.split("\\s*:\\s*"); } } - - /* + + /* * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions */ if (mapPairs==null) { 
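Review bot: `init(Get)` is widened from `private` to `protected` without any Javadoc, so the override contract is undocumented: the method unconditionally does `sideChain = new SideChain()` at its top and is the only visible place the side chain is built, so a subclass override that does not call `super.init(getter)` leaves `sideChain` null (and presumably `httpChecker`, which appears to be set further down, outside this hunk). Add a doc comment along the lines of `/** Builds the trust checker, side chain and HTTP checker from the given Get; overriding subclasses must call super.init(getter) first. */` so that the extension point is not misused. In the next hunk (@@ -154) the outer `catch (Exception e)` around the `OAuthFilter` lookup logs `"AAFTrustChecker cannot be loaded"`, which reads as a copy of the preceding block's message and would mislead whoever is debugging a start-up failure; `access.log(Level.INIT, "OAuthFilter cannot be loaded",e.getMessage());` names the right class. The body of `init(Get)` continues past the end of this hunk.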
@@ -227,16 +227,16 @@ public class CadiFilter implements Filter { } // Add API Enforcement Point - String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true); + String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true); if(enforce!=null && enforce.length()>0) { - sideChain.add(new CadiApiEnforcementFilter(access,enforce)); + sideChain.add(new CadiApiEnforcementFilter(access,enforce)); } // Remove Getter getter = Get.NULL; } /** - * Containers call "destroy" when time to cleanup + * Containers call "destroy" when time to cleanup */ public void destroy() { // Synchronize, in case multiCadiFilters are used. @@ -252,7 +252,7 @@ public class CadiFilter implements Filter { /** * doFilter - * + * * This is the standard J2EE invocation. Analyze the request, modify response as necessary, and * only call the next item in the filterChain if request is suitably Authenticated. */ @@ -263,6 +263,7 @@ public class CadiFilter implements Filter { float code=0f, validate=0f; String user = "n/a"; String tag = ""; + TafResp tresp = null; try { HttpServletRequest hreq = (HttpServletRequest)request; if (noAuthn(hreq)) { @@ -272,7 +273,7 @@ public class CadiFilter implements Filter { } else { HttpServletResponse hresp = (HttpServletResponse)response; startValidate=System.nanoTime(); - TafResp tresp = httpChecker.validate(hreq, hresp, hreq); + tresp = httpChecker.validate(hreq, hresp, hreq); validate = Timing.millis(startValidate); if (tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) { user = tresp.getPrincipal().personalName(); 
@@ -288,14 +289,20 @@ public class CadiFilter implements Filter { } catch (ClassCastException e) { throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e); } finally { - access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f", - user,tag,request.getRemoteAddr(), - Timing.millis(startAll),validate,code); + if (tresp != null) { + access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f,result=%s", + user,tag,request.getRemoteAddr(), + Timing.millis(startAll),validate,code,tresp.isAuthenticated().toString()); + } else { + access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f,result=FAIL", + user,tag,request.getRemoteAddr(), + Timing.millis(startAll),validate,code); + } } } - /** + /** * If PathExceptions exist, report if these should not have Authn applied. * @param hreq * @return @@ -303,14 +310,21 @@ public class CadiFilter implements Filter { private boolean noAuthn(HttpServletRequest hreq) { if (pathExceptions!=null) { String pi = hreq.getPathInfo(); - if (pi==null) return false; // JBoss sometimes leaves null + if (pi==null) { + // Attempt to get from URI only (Daniel Rose) + pi = hreq.getRequestURI().substring(hreq.getContextPath().length()); + if(pi==null) { + // Nothing works. + return false; // JBoss sometimes leaves null + } + } for (String pe : pathExceptions) { if (pi.startsWith(pe))return true; } } return false; } - + /** * Get Converter by Path */ @@ -325,7 +339,7 @@ public class CadiFilter implements Filter { } return NullPermConverter.singleton(); } - + /** * store PermConverters by Path prefix * @author Jonathan
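Review bot: The `result=FAIL` branch in the new `finally` fires whenever `tresp` is still null, and that is not only the exception path: a request exempted by `noAuthn(hreq)` (the `if (noAuthn(hreq))` branch at @@ -263) never reaches `httpChecker.validate`, so every deliberately unauthenticated path exception is logged as an authentication failure unless that elided branch assigns `tresp` — worth checking, since anyone alerting on `result=FAIL` will see noise from exempted URLs and lose the real failures in it. The two `printf` calls also duplicate the format string and differ only in the last argument. Declare `String result = "FAIL";` beside `TafResp tresp = null;`, set `result = "NOAUTHN";` in the noAuthn branch, and emit a single line from the `finally`, as below. The change from WARN to INFO is reasonable for a per-request line, but this is the audit record of every authentication decision, so the deployment's INFO output must actually be retained. The `doFilter` body begins before this hunk.
```java
} finally {
    // tresp stays null both when validate() was never reached (noAuthn path) and when it threw;
    // the result local, set in the noAuthn branch, tells the two apart in the transaction log
    String outcome = (tresp != null) ? tresp.isAuthenticated().toString() : result;
    access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f,result=%s",
        user,tag,request.getRemoteAddr(),
        Timing.millis(startAll),validate,code,outcome);
}
```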
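Review bot: The inner `if(pi==null)` in the new fallback is unreachable, because `String.substring` never returns null; what can actually go wrong there is `getRequestURI()` or `getContextPath()` being null, or the URI being shorter than the context path, which throws `StringIndexOutOfBoundsException` out of the filter instead of falling through to `return false`. Guard those cases explicitly before slicing. Separately, `getRequestURI()` is the request-target as sent, neither decoded nor normalized the way `getPathInfo()` is, so `startsWith(pe)` on it can match a prefix that the decoded path would not (or vice versa); because a match here skips authentication entirely, the fallback should be decoded and normalized (for example via `java.net.URI`) before the prefix test, and parsing failures should fall back to applying authentication. `noAuthn` is fully visible within this hunk.
```java
if (pi==null) {
    // JBoss sometimes leaves PathInfo null; fall back to the request URI minus the context path.
    // getRequestURI() is undecoded and unnormalized, unlike getPathInfo(), so normalize before the prefix test.
    String uri = hreq.getRequestURI();
    String ctx = hreq.getContextPath();
    if (uri==null || ctx==null || !uri.startsWith(ctx)) {
        return false;
    }
    try {
        pi = new java.net.URI(uri.substring(ctx.length())).normalize().getPath();
    } catch (java.net.URISyntaxException e) {
        return false; // unparseable path: keep authentication applied
    }
    if (pi==null) {
        return false;
    }
}
// … unchanged: prefix loop over pathExceptions …
```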