From lqu...@apache.org
Subject svn commit: r1751224 - in /qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin: HttpManagementUtil.java filter/ForbiddingAuthorisationFilter.java
Date Mon, 04 Jul 2016 08:13:15 GMT
Author: lquack
Date: Mon Jul  4 08:13:15 2016
New Revision: 1751224

URL: http://svn.apache.org/viewvc?rev=1751224&view=rev
Log:
QPID-7046: [Java Broker] Don't create an HttpSession for preemptively authenticated calls to
the REST API

Modified:
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1751224&r1=1751223&r2=1751224&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
(original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
Mon Jul  4 08:13:15 2016
@@ -94,14 +94,13 @@ public class HttpManagementUtil
 
     public static Subject getAuthorisedSubject(HttpServletRequest request)
     {
-        HttpSession session = request.getSession();
-        return (Subject) session.getAttribute(getRequestSpecificAttributeName(ATTR_SUBJECT,request));
+        HttpSession session = request.getSession(false);
+        return (session == null ? null : (Subject) session.getAttribute(getRequestSpecificAttributeName(ATTR_SUBJECT,request)));
     }
 
     public static void checkRequestAuthenticatedAndAccessAuthorized(HttpServletRequest request,
Broker broker,
             HttpManagementConfiguration managementConfig)
     {
-        HttpSession session = request.getSession();
         Subject subject = getAuthorisedSubject(request);
         if (subject == null)
         {
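Review bot: getAuthorisedSubject now returns null on two indistinguishable paths — no session at all (the new getSession(false) branch) and a session with no subject attribute bound — and neither is documented; add a Javadoc above the method: `/** Returns the Subject stored in the request's existing session, or null if there is no session or no subject is bound to it. Never creates a session. */`. The parenthesised ternary wrapped around the cast is harder to read than a guard clause, `if (session == null) { return null; }` followed by the cast-and-return. checkRequestAuthenticatedAndAccessAuthorized continues past the end of the hunk, so it cannot be seen here whether every former use of the removed `session` local was also removed.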

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java?rev=1751224&r1=1751223&r2=1751224&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java
(original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java
Mon Jul  4 08:13:15 2016
@@ -32,6 +32,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
 import org.apache.qpid.server.management.plugin.HttpManagementUtil;
@@ -70,6 +71,8 @@ public class ForbiddingAuthorisationFilt
         HttpServletRequest httpRequest = (HttpServletRequest) request;
         HttpServletResponse httpResponse = (HttpServletResponse) response;
         String servletPath = httpRequest.getServletPath();
+        final boolean hasPreexistingSession = (httpRequest.getSession(false) != null);
+
         if (_allowed == null || "".equals(_allowed) || servletPath.indexOf(_allowed) == -1)
         {
             try
@@ -79,15 +82,31 @@ public class ForbiddingAuthorisationFilt
             catch(AccessControlException e)
             {
                 httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+                invalidateSession(httpRequest);
                 return;
             }
             catch(SecurityException e)
             {
                 httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+                invalidateSession(httpRequest);
                 return;
             }
         }
+
         chain.doFilter(request, response);
+
+        if (!hasPreexistingSession && httpRequest.getServletPath().startsWith("/api/"))
+        {
+            invalidateSession(httpRequest);
+        }
     }
 
+    private void invalidateSession(final HttpServletRequest httpRequest)
+    {
+        HttpSession session = httpRequest.getSession(false);
+        if (session != null)
+        {
+            session.invalidate();
+        }
+    }
 }
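Review bot: The post-chain invalidation at the bottom of doFilter does not run if chain.doFilter throws, so a session created during a failing preemptively-authenticated /api/ request outlives the exception even though its session id has already been sent to the client; moving the invalidation into a finally block keeps the no-session guarantee on every exit path. Re-reading httpRequest.getServletPath() there also duplicates the servletPath local already taken at the top of the method (outside this hunk). The two catch-block calls to invalidateSession ignore hasPreexistingSession, so a 403 on a single resource appears to end a pre-existing interactive session as well — presumably intended as a defensive measure, but worth a one-line comment saying so. invalidateSession itself is fine; a session invalidated after the response is committed cannot have its cookie cleared, which is acceptable since the container will reject the stale id.
```java
        try
        {
            chain.doFilter(request, response);
        }
        finally
        {
            // Keep the "no session for preemptive /api/ calls" guarantee even when the chain throws.
            if (!hasPreexistingSession && servletPath.startsWith("/api/"))
            {
                invalidateSession(httpRequest);
            }
        }
        // … unchanged: invalidateSession helper …
```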




