Changeset 1140


Timestamp:
2009-03-12 15:36:46 (4 years ago)
Author:
bruno
Message:

security:

  • fix authentication strength logic, which would not work in case auth info for multiple auth methods is available on the request (e.g. in a header and in a cookie)
  • decode the request path for matching by the protect-rules.
File:
1 edited

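--- a/trunk/modules/kauri-security/kauri-security-impl/src/main/java/org/kauriproject/security/infrastructure/SecurityFilter.java
+++ b/trunk/modules/kauri-security/kauri-security-impl/src/main/java/org/kauriproject/security/infrastructure/SecurityFilter.java
@@ -84,5 +84,5 @@
         // but reuse the existing Authentication token.
         Authentication existingAuthToken = SecurityContextHolder.getContext().getAuthentication();
-        Authentication authToken = null;
+        Authentication selectedAuthToken = null;
         AuthenticationMethodEntry selectedAuthMethod = null;
 
@@ -91,20 +91,21 @@
             // Look for authentication information on the request by querying all authentication methods
             //
-
-            for (AuthenticationMethodEntry authenticationMethod : filterContext.realm.getAuthenticationMethods()) {
+            for (AuthenticationMethodEntry authMethod : filterContext.realm.getAuthenticationMethods()) {
+                Authentication currentAuthToken;
                 try {
-                    authToken = authenticationMethod.get().getAuthentication(request, response, filterContext.realm);
+                    currentAuthToken = authMethod.get().getAuthentication(request, response, filterContext.realm);
                 } catch (AuthenticationException ae) {
-                    return handleException(request, response, authToken, authenticationMethod.get(), ae, filterContext);
+                    return handleException(request, response, selectedAuthToken, authMethod.get(), ae, filterContext);
                 }
 
-                if (authToken != null) {
-                    selectedAuthMethod = authenticationMethod;
-                    break;
+                if (currentAuthToken != null
+                        && (selectedAuthMethod == null || authMethod.getStrength() > selectedAuthMethod.getStrength())) {
+                    selectedAuthMethod = authMethod;
+                    selectedAuthToken = currentAuthToken;
                 }
             }
 
             // If no authentication info found on the request, send a challenge
-            if (authToken == null) {
+            if (selectedAuthToken == null) {
                 return sendChallenge(request, response, filterContext, null);
             }
@@ -119,12 +120,12 @@
             //
             try {
-                authToken = filterContext.realm.getAuthenticationManager().authenticate(authToken);
-                if (authToken == null) {
+                selectedAuthToken = filterContext.realm.getAuthenticationManager().authenticate(selectedAuthToken);
+                if (selectedAuthToken == null) {
                     throw new IllegalStateException("Contract violation: AuthenticationManager.authenticate(Authentication) returned null authentication.");
                 }
             } catch (AuthenticationException ae) {
-                return handleException(request, response, authToken, selectedAuthMethod.get(), ae, filterContext);
+                return handleException(request, response, selectedAuthToken, selectedAuthMethod.get(), ae, filterContext);
             }
         } else {
-            authToken = existingAuthToken;
+            selectedAuthToken = existingAuthToken;
         }
 
@@ -138,15 +139,15 @@
                 SecurityContext ctx = generateNewContext();
                 SecurityContextHolder.setContext(ctx);
-                SecurityContextHolder.getContext().setAuthentication(authToken);
-            }
-
-            populateRestletContext(request, authToken, filterContext);
+                SecurityContextHolder.getContext().setAuthentication(selectedAuthToken);
+            }
+
+            populateRestletContext(request, selectedAuthToken, filterContext);
 
             try {
-                filterContext.realm.getAccessDecisionManager().decide(authToken, filterContext.invocation, filterContext.configAttrDef);
+                filterContext.realm.getAccessDecisionManager().decide(selectedAuthToken, filterContext.invocation, filterContext.configAttrDef);
             } catch (AccessDeniedException ade) {
-                return handleException(request, response, authToken, selectedAuthMethod.get(), ade, filterContext);
+                return handleException(request, response, selectedAuthToken, selectedAuthMethod.get(), ade, filterContext);
             } catch (AuthenticationException ae) {
-                return handleException(request, response, authToken, selectedAuthMethod.get(), ae, filterContext);
+                return handleException(request, response, selectedAuthToken, selectedAuthMethod.get(), ae, filterContext);
             }
 
@@ -256,5 +257,5 @@
     private SecurityFilterContext determineSecurity(Request request) {
         String moduleId = module.getId();
-        String requestPath = request.getResourceRef().getRemainingPart(false, false);
+        String requestPath = request.getResourceRef().getRemainingPart(true, false);
         String restserviceName = (String)request.getAttributes().get("org.kauriproject.restservice.name");
 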
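Review bot: In the loop's catch block (new line 98) `handleException` is now handed `selectedAuthToken`, the token kept from an earlier method, together with `authMethod.get()`, the method that just threw — in the old code the loop broke on the first non-null token, so the token passed here was always null, and the handler may now receive a token and a method that do not belong together. If handleException only needs the failing method, passing `null` there restores the previous contract; otherwise a comment such as `// selectedAuthToken is from an earlier, weaker method, not the one that threw` should make the pairing explicit. The strict `>` on getStrength() means methods of equal strength are resolved by the iteration order of getAuthenticationMethods(), which is worth stating in the comment at new line 91. The enclosing method starts and ends outside the hunks, and selectedAuthMethod stays null on the existingAuthToken branch (new line 130), so unless the unseen lines 132–138 assign it, the `selectedAuthMethod.get()` calls at new lines 149 and 151 would throw NullPointerException for an already-authenticated request that is denied. For the decoded requestPath at new line 259, it is worth confirming that the protect-rule matcher normalises dot-segments and separators before comparing, since decoding now turns encoded separators into literal ones.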