X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Fcore%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Ffilter%2FCadiHTTPManip.java;h=7c63a822725266d3813d29f69905927878bed117;hb=1296352d8eafee57f982a4342ad79ada4aa56d28;hp=3c0f139b8412bddb13704dc8831881a3b0747118;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java index 3c0f139b..7c63a822 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -47,14 +47,20 @@ import org.onap.aaf.cadi.util.UserChainManip; /** * Encapsulate common HTTP Manipulation Behavior. It will appropriately set * HTTPServletResponse for Redirect or Forbidden, as needed. - * + * * Further, this is useful, because it avoids multiple creates of Connections, where some Filters * are created and destroyed regularly. - * + * * @author Jonathan * */ public class CadiHTTPManip { + private static final String ACCESS_DENIED = "Access Denied"; + private static final String NO_TAF_WILL_AUTHORIZE = "No TAF will authorize"; + private static final String AUTHENTICATION_FAILURE = "Authentication Failure"; + private static final String AUTHENTICATING_VIA_REDIRECTION = "Authenticating via redirection"; + private static final String MSG_FMT = "user=%s,ip=%s:%d,msg=\"%s: %s\""; + private static final String AUTHENTICATED = "Authenticated"; private static final String ACCESS_CADI_CONTROL = ".access|cadi|control"; private static final String METH = "OPTIONS"; private static final String CADI = "/cadi/"; @@ -67,7 +73,7 @@ public class CadiHTTPManip { private CredVal up; private Lur lur; private String thisPerm,companyPerm,aaf_id; - + public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems @@ -76,20 +82,20 @@ public class CadiHTTPManip { this.access = access; // Get getter = new AccessGetter(access); Config.setDefaultRealm(access); - + aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_APPID, null)); - if(aaf_id==null) { + if (aaf_id==null) { access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_APPID,Config.CADI_ALIAS); } else { access.printf(Level.INIT, "%s is set to %s",Config.AAF_APPID,aaf_id); } String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id); - if(ns!=null) { + if (ns!=null) { thisPerm = ns+ACCESS_CADI_CONTROL; int dot = ns.indexOf('.'); - if(dot>=0) { + if (dot>=0) { int dot2=ns.indexOf('.',dot+1); - if(dot2<0) { + if (dot2<0) { dot2=dot; } companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL; @@ -101,13 +107,13 @@ public class CadiHTTPManip { } SecurityInfoC si; si = SecurityInfoC.instance(access, HttpURLConnection.class); - + lur = Config.configLur(si, con, additionalTafLurs); - + tc.setLur(lur); - if(lur instanceof EpiLur) { + if (lur instanceof EpiLur) { up = ((EpiLur)lur).getUserPassImpl(); - } else if(lur instanceof CredVal) { + } else if (lur instanceof CredVal) { up = (CredVal)lur; } else { up = null; @@ -120,60 +126,62 @@ public class CadiHTTPManip { TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp); switch(tresp.isAuthenticated()) { case IS_AUTHENTICATED: - access.printf(Level.INFO,"Authenticated: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),AUTHENTICATED,tresp.desc()); break; case TRY_AUTHENTICATING: switch (tresp.authenticate()) { case IS_AUTHENTICATED: - access.printf(Level.INFO,"Authenticated: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),AUTHENTICATED,tresp.desc()); break; case HTTP_REDIRECT_INVOKED: - access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc()); + access.printf(Level.DEBUG,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),AUTHENTICATING_VIA_REDIRECTION,tresp.desc()); break; case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d" - , tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); + access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),AUTHENTICATION_FAILURE,tresp.desc()); hresp.sendError(403, tresp.desc()); // Forbidden break; default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); + access.printf(Level.AUDIT,MSG_FMT,tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc()); hresp.sendError(403, tresp.desc()); // Forbidden } break; case NO_FURTHER_PROCESSING: - access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", - tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN + access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc()); + hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN break; default: - access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d" - , hreq.getRemoteAddr(), hreq.getRemotePort()); - hresp.sendError(403, "Access Denied"); // FORBIDDEN + access.printf(Level.AUDIT,MSG_FMT, tresp.getTarget(),hreq.getRemoteAddr(), + hreq.getRemotePort(),NO_TAF_WILL_AUTHORIZE,tresp.desc()); + hresp.sendError(403, ACCESS_DENIED); // FORBIDDEN } + return tresp; } - + public boolean notCadi(CadiWrap req, HttpServletResponse resp) { - + String pathInfo = req.getPathInfo(); - if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { - if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { + if (METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) { + if (req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) { try { - if(pathInfo.contains(CADI_CACHE_PRINT)) { + if (pathInfo.contains(CADI_CACHE_PRINT)) { resp.getOutputStream().println(lur.toString()); resp.setStatus(200); return false; - } else if(pathInfo.contains(CADI_CACHE_CLEAR)) { + } else if (pathInfo.contains(CADI_CACHE_CLEAR)) { StringBuilder report = new StringBuilder(); lur.clear(req.getUserPrincipal(), report); resp.getOutputStream().println(report.toString()); resp.setStatus(200); return false; - } else if(pathInfo.contains(CADI_LOG_SET)) { + } else if (pathInfo.contains(CADI_LOG_SET)) { Level l; int slash = pathInfo.lastIndexOf('/'); String level = pathInfo.substring(slash+1); @@ -197,10 +205,10 @@ public class CadiHTTPManip { public Lur getLur() { return lur; } - + public void destroy() { access.log(Level.INFO,"CadiHttpChecker destroyed."); - if(lur!=null) { + if (lur!=null) { lur.destroy(); lur=null; }