* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/**
* CadiFilter
- *
+ *
* This class implements Servlet Filter, and ties together CADI implementations
- *
+ *
* This class can be used in a standard J2EE Servlet manner. Optimal usage is for POJO operations, where
- * one can enforce this Filter being first and primary. Depending on the Container, it
- * may be more effective, in some cases, to utilize features that allow earlier determination of
+ * one can enforce this Filter being first and primary. Depending on the Container, it
+ * may be more effective, in some cases, to utilize features that allow earlier determination of
* AUTHN (Authorization). An example would be "Tomcat Valve". These implementations, however, should
* be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
- *
- *
+ *
+ *
* @author Jonathan
*
*/
private Object[] additionalTafLurs;
private SideChain sideChain;
private static int count=0;
-
+
public Lur getLur() {
return httpChecker.getLur();
}
-
+
/**
* Construct a viable Filter
- *
- * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on
+ *
+ * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on
* them at a later time. Therefore, this object creates with an object that denies all access
* until appropriate Init happens, just in case the container lets something slip by in the meantime.
- *
+ *
*/
public CadiFilter() {
additionalTafLurs = CadiHTTPManip.noAdditional;
/**
* This constructor to be used when directly constructing and placing in HTTP Engine
- *
+ *
* @param access
* @param moreTafLurs
- * @throws ServletException
+ * @throws ServletException
*/
public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {
additionalTafLurs = moreTafLurs;
/**
* Init
- *
+ *
* Standard Filter "init" call with FilterConfig to obtain properties. POJOs can construct a
* FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
* mechanism already.
//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions
public void init(FilterConfig filterConfig) throws ServletException {
// need the Context for Logging, instantiating ClassLoader, etc
- ServletContextAccess sca=new ServletContextAccess(filterConfig);
+ ServletContextAccess sca=new ServletContextAccess(filterConfig);
if (access==null) {
access = sca;
}
-
+
// Set Protected getter with base Access, for internal class instantiations
init(new FCGet(access, sca.context(), filterConfig));
}
-
+
@SuppressWarnings("unchecked")
- private void init(Get getter) throws ServletException {
+ protected void init(Get getter) throws ServletException {
sideChain = new SideChain();
// Start with the assumption of "Don't trust anyone".
TrustChecker tc = TrustChecker.NOTRUST; // default position
} catch (Exception e) {
access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
}
-
+
try {
Class<Filter> cf=null;
try {
cf= (Class<Filter>) Class.forName("org.onap.aaf.cadi.oauth.OAuthFilter");
sideChain.add(cf.newInstance());
} catch (ClassNotFoundException e) {
- access.log(Level.DEBUG, "OAuthFilter not enabled");
+ access.log(Level.DEBUG, "OAuthFilter not enabled");
}
} catch (Exception e) {
access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
}
-
+
// Synchronize, because some instantiations call init several times on the same object
// In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
pathExceptions = str.split("\\s*:\\s*");
}
}
-
- /*
+
+ /*
* SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
*/
if (mapPairs==null) {
}
// Add API Enforcement Point
- String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true);
+ String enforce = getter.get(Config.CADI_API_ENFORCEMENT, null, true);
if(enforce!=null && enforce.length()>0) {
- sideChain.add(new CadiApiEnforcementFilter(access,enforce));
+ sideChain.add(new CadiApiEnforcementFilter(access,enforce));
}
// Remove Getter
getter = Get.NULL;
}
/**
- * Containers call "destroy" when time to cleanup
+ * Containers call "destroy" when time to cleanup
*/
public void destroy() {
// Synchronize, in case multiCadiFilters are used.
/**
* doFilter
- *
+ *
* This is the standard J2EE invocation. Analyze the request, modify response as necessary, and
* only call the next item in the filterChain if request is suitably Authenticated.
*/
float code=0f, validate=0f;
String user = "n/a";
String tag = "";
+ TafResp tresp = null;
try {
HttpServletRequest hreq = (HttpServletRequest)request;
if (noAuthn(hreq)) {
} else {
HttpServletResponse hresp = (HttpServletResponse)response;
startValidate=System.nanoTime();
- TafResp tresp = httpChecker.validate(hreq, hresp, hreq);
+ tresp = httpChecker.validate(hreq, hresp, hreq);
validate = Timing.millis(startValidate);
if (tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
user = tresp.getPrincipal().personalName();
} catch (ClassCastException e) {
throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
} finally {
- access.printf(Level.WARN, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f",
- user,tag,request.getRemoteAddr(),
- Timing.millis(startAll),validate,code);
+ if (tresp != null) {
+ access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f,result=%s",
+ user,tag,request.getRemoteAddr(),
+ Timing.millis(startAll),validate,code,tresp.isAuthenticated().toString());
+ } else {
+ access.printf(Level.INFO, "Trans: user=%s[%s],ip=%s,ms=%f,validate=%f,code=%f,result=FAIL",
+ user,tag,request.getRemoteAddr(),
+ Timing.millis(startAll),validate,code);
+ }
}
}
- /**
+ /**
* If PathExceptions exist, report if these should not have Authn applied.
* @param hreq
* @return
private boolean noAuthn(HttpServletRequest hreq) {
if (pathExceptions!=null) {
String pi = hreq.getPathInfo();
- if (pi==null) return false; // JBoss sometimes leaves null
+ if (pi==null) {
+ // Attempt to get from URI only (Daniel Rose)
+ pi = hreq.getRequestURI().substring(hreq.getContextPath().length());
+ if(pi==null) {
+ // Nothing works.
+ return false; // JBoss sometimes leaves null
+ }
+ }
for (String pe : pathExceptions) {
if (pi.startsWith(pe))return true;
}
}
return false;
}
-
+
/**
* Get Converter by Path
*/
}
return NullPermConverter.singleton();
}
-
+
/**
* store PermConverters by Path prefix
* @author Jonathan
Code Review / aaf / authz.git / blobdiff