qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lqu...@apache.org
Subject svn commit: r1774022 - in /qpid/java/trunk: broker-core/src/main/java/org/apache/qpid/server/logging/ broker-core/src/main/java/org/apache/qpid/server/logging/subjects/ broker-core/src/main/java/org/apache/qpid/server/security/auth/ broker-core/src/tes...
Date Tue, 13 Dec 2016 14:27:20 GMT
Author: lquack
Date: Tue Dec 13 14:27:19 2016
New Revision: 1774022

URL: http://svn.apache.org/viewvc?rev=1774022&view=rev
Log:
QPID-7549: [Java Broker] Ensure subject is created for REST requests

 * change the format of operational logging for management operations
 * refactor HTTP Filters

Added:
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java
      - copied, changed from r1774020, qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java
Removed:
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/ForbiddingAuthorisationFilter.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/PreemptiveSessionInvalidationFilter.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java
    qpid/java/trunk/broker-plugins/management-http/src/test/java/org/apache/qpid/server/management/plugin/filter/
Modified:
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java
    qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java
    qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java
    qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java
    qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/AbstractMessageLogger.java Tue Dec 13 14:27:19 2016
@@ -21,6 +21,18 @@
 package org.apache.qpid.server.logging;
 
 
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CHANNEL_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CONNECTION_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.SOCKET_FORMAT;
+import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.USER_FORMAT;
+
+import java.security.AccessController;
+import java.security.Principal;
+import java.text.MessageFormat;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
 import org.apache.qpid.server.connection.ConnectionPrincipal;
 import org.apache.qpid.server.connection.SessionPrincipal;
 import org.apache.qpid.server.logging.subjects.LogSubjectFormat;
@@ -30,17 +42,6 @@ import org.apache.qpid.server.security.a
 import org.apache.qpid.server.security.auth.TaskPrincipal;
 import org.apache.qpid.server.transport.AMQPConnection;
 
-import javax.security.auth.Subject;
-import java.security.AccessController;
-import java.security.Principal;
-import java.text.MessageFormat;
-import java.util.Set;
-
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CHANNEL_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.CONNECTION_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.SOCKET_FORMAT;
-import static org.apache.qpid.server.logging.subjects.LogSubjectFormat.USER_FORMAT;
-
 public abstract class AbstractMessageLogger implements MessageLogger
 {
     public static final String DEFAULT_LOG_HIERARCHY_PREFIX = "qpid.message.";
@@ -137,7 +138,15 @@ public abstract class AbstractMessageLog
     {
         String remoteAddress = managementConnection.getRemoteAddress().toString();
         String user = userPrincipal == null ? "N/A" : userPrincipal.getName();
-        return "[" + MessageFormat.format(LogSubjectFormat.MANAGEMENT_FORMAT, user, remoteAddress) + "] ";
+        String sessionId = managementConnection.getSessionId();
+        if (sessionId == null)
+        {
+            sessionId = "N/A";
+        }
+        return "[" + MessageFormat.format(LogSubjectFormat.MANAGEMENT_FORMAT,
+                                          sessionId,
+                                          user,
+                                          remoteAddress) + "] ";
     }
 
     private String generateTaskMessage(final TaskPrincipal taskPrincipal)

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/logging/subjects/LogSubjectFormat.java Tue Dec 13 14:27:19 2016
@@ -39,10 +39,11 @@ public class LogSubjectFormat
 
     /**
      * LOG FORMAT for the ManagementActors,
-     * 0 - User ID
-     * 1 - IP[:Port]
+     * 0 - Session ID
+     * 1 - User ID
+     * 2 - IP[:Port]
      */
-    public static final String MANAGEMENT_FORMAT = "mng:{0}({1})";
+    public static final String MANAGEMENT_FORMAT = "mng:{0}({1}@{2})";
 
     /**
      * LOG FORMAT for the Subscription Log Subject

Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/ManagementConnectionPrincipal.java Tue Dec 13 14:27:19 2016
@@ -22,5 +22,7 @@ package org.apache.qpid.server.security.
 
 public interface ManagementConnectionPrincipal extends SocketConnectionPrincipal
 {
-    public String getType();
+    String getType();
+
+    String getSessionId();
 }

Modified: qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java (original)
+++ qpid/java/trunk/broker-core/src/test/java/org/apache/qpid/server/logging/actors/HttpManagementActorTest.java Tue Dec 13 14:27:19 2016
@@ -50,7 +50,12 @@ public class HttpManagementActorTest ext
     };
     private static final String IP = "127.0.0.1";
     private static final int PORT = 1;
-    private static final String SUFFIX = "(/" + IP + ":" + PORT + ")] ";
+    private static final String TEST_USER = "guest";
+    private static final String SESSION_ID = "testSession";
+
+    private static final String FORMAT = "[mng:%s(%s@/" + IP + ":" + PORT + ")] ";
+    private static final Object NA = "N/A";
+
     private ManagementConnectionPrincipal _connectionPrincipal;
 
     @Override
@@ -66,6 +71,12 @@ public class HttpManagementActorTest ext
                                         }
 
                                         @Override
+                                        public String getSessionId()
+                                        {
+                                            return SESSION_ID;
+                                        }
+
+                                        @Override
                                         public SocketAddress getRemoteAddress()
                                         {
                                             return new InetSocketAddress(IP, PORT);
@@ -87,7 +98,7 @@ public class HttpManagementActorTest ext
 
     public void testSubjectPrincipalNameAppearance()
     {
-        Subject subject = TestPrincipalUtils.createTestSubject("guest");
+        Subject subject = TestPrincipalUtils.createTestSubject(TEST_USER);
 
         subject.getPrincipals().add(_connectionPrincipal);
 
@@ -106,7 +117,8 @@ public class HttpManagementActorTest ext
 
         String logMessage = logs.get(0).toString();
         assertTrue("Message was not found in log message", logMessage.contains(message));
-        assertTrue("Message does not contain expected value: " + logMessage, logMessage.contains("[mng:guest" + SUFFIX));
+        assertTrue("Message does not contain expected value: " + logMessage,
+                   logMessage.startsWith(String.format(FORMAT, SESSION_ID, TEST_USER)));
     }
 
     /** It's necessary to test successive calls because HttpManagementActor caches
@@ -137,8 +149,9 @@ public class HttpManagementActorTest ext
 
                 String logMessage = logs.get(0).toString();
                 assertEquals("Unexpected log message",
-                             "[mng:" + "N/A" + SUFFIX,
+                             String.format(FORMAT, SESSION_ID, NA),
                              logMessage);
+
                 return null;
             }
         });
@@ -164,6 +177,6 @@ public class HttpManagementActorTest ext
             }
         });
 
-        assertEquals("Unexpected log message", "[mng:" + principalName + SUFFIX, message);
+        assertTrue("Unexpected log message", message.startsWith(String.format(FORMAT, SESSION_ID, principalName)));
     }
 }

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagement.java Tue Dec 13 14:27:19 2016
@@ -72,12 +72,11 @@ import org.apache.qpid.server.configurat
 import org.apache.qpid.server.logging.messages.ManagementConsoleMessages;
 import org.apache.qpid.server.logging.messages.PortMessages;
 import org.apache.qpid.server.management.plugin.connector.TcpAndSslSelectChannelConnector;
+import org.apache.qpid.server.management.plugin.filter.AuthenticationCheckFilter;
 import org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter;
-import org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter;
 import org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter;
 import org.apache.qpid.server.management.plugin.filter.LoggingFilter;
-import org.apache.qpid.server.management.plugin.filter.RedirectingAuthorisationFilter;
-import org.apache.qpid.server.management.plugin.filter.PreemptiveSessionInvalidationFilter;
+import org.apache.qpid.server.management.plugin.filter.RedirectingFilter;
 import org.apache.qpid.server.management.plugin.filter.RewriteRequestForUncompressedJavascript;
 import org.apache.qpid.server.management.plugin.servlet.FileServlet;
 import org.apache.qpid.server.management.plugin.servlet.RootServlet;
@@ -324,22 +323,20 @@ public class HttpManagement extends Abst
         corsFilter.setInitParameter(CrossOriginFilter.ALLOW_CREDENTIALS_PARAM, String.valueOf(getCorsAllowCredentials()));
         root.addFilter(corsFilter, "/*", EnumSet.of(DispatcherType.REQUEST));
 
-        root.addFilter(new FilterHolder(new PreemptiveSessionInvalidationFilter()), "/api/*", EnumSet.of(DispatcherType.REQUEST));
+        root.addFilter(new FilterHolder(new ForbiddingTraceFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
 
         FilterHolder loggingFilter = new FilterHolder(new LoggingFilter());
         root.addFilter(loggingFilter, "/api/*", EnumSet.of(DispatcherType.REQUEST));
         root.addFilter(loggingFilter, "/service/*", EnumSet.of(DispatcherType.REQUEST));
 
-        root.addFilter(new FilterHolder(new ForbiddingTraceFilter()), "/*", EnumSet.of(DispatcherType.REQUEST));
-        FilterHolder restAuthorizationFilter = new FilterHolder(new ForbiddingAuthorisationFilter());
-        restAuthorizationFilter.setInitParameter(ForbiddingAuthorisationFilter.INIT_PARAM_ALLOWED, "/service/sasl");
+        FilterHolder restAuthorizationFilter = new FilterHolder(new AuthenticationCheckFilter());
+        restAuthorizationFilter.setInitParameter(AuthenticationCheckFilter.INIT_PARAM_ALLOWED, "/service/sasl");
         root.addFilter(restAuthorizationFilter, "/api/*", EnumSet.of(DispatcherType.REQUEST));
         root.addFilter(restAuthorizationFilter, "/apidocs/*", EnumSet.of(DispatcherType.REQUEST));
         root.addFilter(restAuthorizationFilter, "/service/*", EnumSet.of(DispatcherType.REQUEST));
 
-        root.addFilter(new FilterHolder(new RedirectingAuthorisationFilter()), "/index.html", EnumSet.of(DispatcherType.REQUEST));
-        root.addFilter(new FilterHolder(new RedirectingAuthorisationFilter()), "/", EnumSet.of(DispatcherType.REQUEST));
-
+        root.addFilter(new FilterHolder(new RedirectingFilter()), "/index.html", EnumSet.of(DispatcherType.REQUEST));
+        root.addFilter(new FilterHolder(new RedirectingFilter()), "/", EnumSet.of(DispatcherType.REQUEST));
         if (_serveUncompressedDojo)
         {
             root.addFilter(RewriteRequestForUncompressedJavascript.class, "/dojo/dojo/*", EnumSet.of(DispatcherType.REQUEST));

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/HttpManagementUtil.java Tue Dec 13 14:27:19 2016
@@ -103,26 +103,6 @@ public class HttpManagementUtil
         return (session == null ? null : (Subject) session.getAttribute(getRequestSpecificAttributeName(ATTR_SUBJECT,request)));
     }
 
-    public static void checkRequestAuthenticatedAndAccessAuthorized(HttpServletRequest request, Broker broker,
-            HttpManagementConfiguration managementConfig)
-    {
-        Subject subject = getAuthorisedSubject(request);
-        if (subject == null)
-        {
-            subject = tryToAuthenticate(request, managementConfig);
-            if (subject == null)
-            {
-                throw new SecurityException("Only authenticated users can access the management interface");
-            }
-
-            subject = createServletConnectionSubject(request, subject);
-
-            assertManagementAccess(broker, subject);
-
-            saveAuthorisedSubject(request, subject);
-        }
-    }
-
     public static Subject createServletConnectionSubject(final HttpServletRequest request, Subject original)
     {
         Subject subject = new Subject(false,

Added: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java?rev=1774022&view=auto
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java (added)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.java Tue Dec 13 14:27:19 2016
@@ -0,0 +1,210 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.qpid.server.management.plugin.filter;
+
+import java.io.IOException;
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
+import org.apache.qpid.server.management.plugin.HttpManagementUtil;
+import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
+import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
+import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
+
+public class AuthenticationCheckFilter implements Filter
+{
+    public static final String INIT_PARAM_ALLOWED = "allowed";
+    private String _allowed = null;
+
+    private Broker _broker;
+    private HttpManagementConfiguration _managementConfiguration;
+
+    @Override
+    public void init(final FilterConfig filterConfig) throws ServletException
+    {
+        String allowed = filterConfig.getInitParameter(INIT_PARAM_ALLOWED);
+        if (allowed != null && !"".equals(allowed))
+        {
+            _allowed = allowed;
+        }
+        ServletContext servletContext = filterConfig.getServletContext();
+        _broker = HttpManagementUtil.getBroker(servletContext);
+        _managementConfiguration = HttpManagementUtil.getManagementConfiguration(servletContext);
+    }
+
+    @Override
+    public void destroy()
+    {
+
+    }
+
+    @Override
+    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
+            throws IOException, ServletException
+    {
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        boolean isPreemptiveAuthentication = false;
+
+        try
+        {
+            Subject subject = HttpManagementUtil.getAuthorisedSubject(httpRequest);
+
+            if (subject == null)
+            {
+                if (_allowed != null && httpRequest.getServletPath().startsWith(_allowed))
+                {
+                    subject = new Subject(true,
+                                          Collections.<Principal>singleton(new ServletConnectionPrincipal(httpRequest)),
+                                          Collections.emptySet(),
+                                          Collections.emptySet());
+                }
+                else
+                {
+                    subject = tryPreemptiveAuthentication(httpRequest);
+                    isPreemptiveAuthentication = true;
+                }
+            }
+            else
+            {
+                Set<Principal> principals = subject.getPrincipals();
+                Set<Principal> newPrincipals = new LinkedHashSet<>();
+                for (Principal principal : principals)
+                {
+                    if (!(principal instanceof ManagementConnectionPrincipal))
+                    {
+                        newPrincipals.add(principal);
+                    }
+                }
+                subject = new Subject(false,
+                                      principals, subject.getPublicCredentials(), subject.getPrivateCredentials());
+                ServletConnectionPrincipal principal = new ServletConnectionPrincipal(httpRequest);
+                subject.getPrincipals().add(principal);
+                subject.setReadOnly();
+            }
+
+            doFilterChainAs(request, response, chain, subject);
+        }
+        catch (AccessControlException e)
+        {
+            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
+            invalidateSession(httpRequest);
+            return;
+        }
+        catch (SecurityException e)
+        {
+            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+            invalidateSession(httpRequest);
+            return;
+        }
+        finally
+        {
+            if (isPreemptiveAuthentication)
+            {
+                invalidateSession(httpRequest);
+            }
+        }
+    }
+
+    private void doFilterChainAs(final ServletRequest request,
+                                 final ServletResponse response,
+                                 final FilterChain chain,
+                                 final Subject subject) throws IOException, ServletException
+    {
+        try
+        {
+            Subject.doAs(subject, new PrivilegedExceptionAction<Void>()
+            {
+                @Override
+                public Void run() throws IOException, ServletException
+                {
+                    chain.doFilter(request, response);
+                    return null;
+                }
+            });
+        }
+        catch (PrivilegedActionException e)
+        {
+            Throwable cause = e.getCause();
+
+            if (cause instanceof IOException)
+            {
+                throw (IOException) cause;
+            }
+            else if (cause instanceof ServletException)
+            {
+                throw (ServletException) cause;
+            }
+            else if (cause instanceof Error)
+            {
+                throw (Error) cause;
+            }
+            else if (cause instanceof RuntimeException)
+            {
+                throw (RuntimeException) cause;
+            }
+
+            throw new ConnectionScopedRuntimeException(e.getCause());
+        }
+    }
+
+    private Subject tryPreemptiveAuthentication(final HttpServletRequest httpRequest)
+    {
+        Subject subject = HttpManagementUtil.tryToAuthenticate(httpRequest, _managementConfiguration);
+        if (subject == null)
+        {
+            throw new SecurityException("Only authenticated users can access the management interface");
+        }
+
+        subject = HttpManagementUtil.createServletConnectionSubject(httpRequest, subject);
+
+        HttpManagementUtil.assertManagementAccess(_broker, subject);
+
+        return subject;
+    }
+
+    private void invalidateSession(final HttpServletRequest httpRequest)
+    {
+        HttpSession session = httpRequest.getSession(false);
+        if (session != null)
+        {
+            session.invalidate();
+        }
+    }
+}

Copied: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java (from r1774020, qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java?p2=qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java&p1=qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java&r1=1774020&r2=1774022&rev=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingAuthorisationFilter.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/RedirectingFilter.java Tue Dec 13 14:27:19 2016
@@ -26,6 +26,7 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
+import javax.security.auth.Subject;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -41,8 +42,9 @@ import org.apache.qpid.server.management
 import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
 import org.apache.qpid.server.model.Broker;
 import org.apache.qpid.server.plugin.QpidServiceLoader;
+import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 
-public class RedirectingAuthorisationFilter implements Filter
+public class RedirectingFilter implements Filter
 {
 
     private static final Collection<HttpRequestInteractiveAuthenticator> AUTHENTICATORS;
@@ -56,8 +58,6 @@ public class RedirectingAuthorisationFil
         AUTHENTICATORS = Collections.unmodifiableList(authenticators);
     }
 
-
-    private Broker _broker;
     private HttpManagementConfiguration _managementConfiguration;
 
     @Override
@@ -69,7 +69,6 @@ public class RedirectingAuthorisationFil
     public void init(FilterConfig config) throws ServletException
     {
         ServletContext servletContext = config.getServletContext();
-        _broker = HttpManagementUtil.getBroker(servletContext);
         _managementConfiguration = HttpManagementUtil.getManagementConfiguration(servletContext);
     }
 
@@ -79,12 +78,12 @@ public class RedirectingAuthorisationFil
     {
         HttpServletRequest httpRequest = (HttpServletRequest) request;
         HttpServletResponse httpResponse = (HttpServletResponse) response;
-        try
+        Subject subject = HttpManagementUtil.getAuthorisedSubject(httpRequest);
+        if (subject != null && !subject.getPrincipals(AuthenticatedPrincipal.class).isEmpty())
         {
-            HttpManagementUtil.checkRequestAuthenticatedAndAccessAuthorized(httpRequest, _broker, _managementConfiguration);
             chain.doFilter(request, response);
         }
-        catch(SecurityException e)
+        else
         {
             HttpRequestInteractiveAuthenticator.AuthenticationHandler handler = null;
             for(HttpRequestInteractiveAuthenticator authenticator : AUTHENTICATORS)

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/ServletConnectionPrincipal.java Tue Dec 13 14:27:19 2016
@@ -20,10 +20,16 @@
  */
 package org.apache.qpid.server.management.plugin.servlet;
 
+import java.io.UnsupportedEncodingException;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import javax.xml.bind.DatatypeConverter;
 
 import org.apache.qpid.server.model.Protocol;
 import org.apache.qpid.server.model.Transport;
@@ -33,14 +39,37 @@ import org.apache.qpid.server.security.a
 public class ServletConnectionPrincipal implements ManagementConnectionPrincipal
 {
     private static final long serialVersionUID = 1L;
+    private static final String UTF8 = StandardCharsets.UTF_8.name();
+    private static final int HASH_TRUNCATION_LENGTH = 8;
 
     private final InetSocketAddress _address;
+    private final String _sessionId;
     private ServletRequestMetaData _metadata;
 
     public ServletConnectionPrincipal(HttpServletRequest request)
     {
         _address = new InetSocketAddress(request.getRemoteHost(), request.getRemotePort());
         _metadata = new ServletRequestMetaData(request);
+        HttpSession session =  request.getSession(false);
+        if (session != null)
+        {
+            MessageDigest md;
+            try
+            {
+                md = MessageDigest.getInstance("SHA-256");
+                md.update(session.getId().getBytes(UTF8));
+            }
+            catch (NoSuchAlgorithmException | UnsupportedEncodingException e)
+            {
+                throw new RuntimeException("Cannot create SHA-256 hash", e);
+            }
+            byte[] digest = md.digest();
+            _sessionId = DatatypeConverter.printBase64Binary(digest).substring(0, HASH_TRUNCATION_LENGTH);
+        }
+        else
+        {
+            _sessionId = null;
+        }
     }
 
     @Override
@@ -95,6 +124,13 @@ public class ServletConnectionPrincipal
         return "HTTP";
     }
 
+    @Override
+    public String getSessionId()
+    {
+        return _sessionId;
+    }
+
+
     private static class ServletRequestMetaData implements SocketConnectionMetaData
     {
         private final HttpServletRequest _request;

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/AbstractServlet.java Tue Dec 13 14:27:19 2016
@@ -27,8 +27,6 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -36,7 +34,6 @@ import java.util.concurrent.ConcurrentHa
 import java.util.concurrent.ConcurrentMap;
 import java.util.zip.GZIPOutputStream;
 
-import javax.security.auth.Subject;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
@@ -71,7 +68,7 @@ public abstract class AbstractServlet ex
 {
     public static final int SC_UNPROCESSABLE_ENTITY = 422;
     private static final Logger LOGGER = LoggerFactory.getLogger(AbstractServlet.class);
-    public static final String CONTENT_DISPOSITION = "Content-disposition";
+    public static final String CONTENT_DISPOSITION = "Content-Disposition";
 
     private transient Broker<?> _broker;
     private transient HttpManagementConfiguration _managementConfiguration;
@@ -93,28 +90,6 @@ public abstract class AbstractServlet ex
         super.init();
     }
 
-    @Override
-    protected final void doGet(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
-    {
-        doWithSubjectAndActor(
-            new PrivilegedExceptionAction<Void>()
-            {
-                @Override
-                public Void run() throws Exception
-                {
-                    ConfiguredObject<?> managedObject = getManagedObject(request, resp);
-                    if(managedObject != null)
-                    {
-                        doGetWithSubjectAndActor(request, resp, managedObject);
-                    }
-                    return null;
-                }
-            },
-            request,
-            resp
-        );
-    }
-
     private ConfiguredObject<?> getManagedObject(final HttpServletRequest request, final HttpServletResponse resp)
     {
         HttpPort<?> port =  HttpManagement.getPort(request);
@@ -139,13 +114,19 @@ public abstract class AbstractServlet ex
         }
     }
 
-    /**
-     * Performs the GET action as the logged-in {@link Subject}.
-     * Subclasses commonly override this method
-     */
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse resp,
-                                            ConfiguredObject<?> managedObject) throws ServletException, IOException
+    @Override
+    protected final void doGet(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
+    {
+        ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+        if(managedObject != null)
+        {
+            doGet(request, resp, managedObject);
+        }
+    }
+
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse resp,
+                         ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         throw new UnsupportedOperationException("GET not supported by this servlet");
     }
@@ -154,32 +135,16 @@ public abstract class AbstractServlet ex
     @Override
     protected final void doPost(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
     {
-        doWithSubjectAndActor(
-            new PrivilegedExceptionAction<Void>()
-            {
-                @Override
-                public Void run()  throws Exception
-                {
-                    ConfiguredObject<?> managedObject = getManagedObject(request, resp);
-                    if(managedObject != null)
-                    {
-                        doPostWithSubjectAndActor(request, resp, managedObject);
-                    }
-                    return null;
-                }
-            },
-            request,
-            resp
-        );
-    }
-
-    /**
-     * Performs the POST action as the logged-in {@link Subject}.
-     * Subclasses commonly override this method
-     */
-    protected void doPostWithSubjectAndActor(HttpServletRequest req,
-                                             HttpServletResponse resp,
-                                             ConfiguredObject<?> managedObject) throws ServletException, IOException
+        ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+        if(managedObject != null)
+        {
+            doPost(request, resp, managedObject);
+        }
+    }
+
+    protected void doPost(HttpServletRequest req,
+                          HttpServletResponse resp,
+                          ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         throw new UnsupportedOperationException("POST not supported by this servlet");
     }
@@ -187,38 +152,16 @@ public abstract class AbstractServlet ex
     @Override
     protected final void doPut(final HttpServletRequest request, final HttpServletResponse resp) throws ServletException, IOException
     {
-        doWithSubjectAndActor(
-            new PrivilegedExceptionAction<Void>()
-            {
-                @Override
-                public Void run() throws Exception
-                {
-                    ConfiguredObject<?> managedObject = getManagedObject(request, resp);
-                    if(managedObject != null)
-                    {
-                        doPutWithSubjectAndActor(request, resp, managedObject);
-                    }
-                    return null;
-                }
-            },
-            request,
-            resp
-        );
-    }
-
-    public OutputStream getOutputStream(final HttpServletRequest request, final HttpServletResponse response)
-            throws IOException
-    {
-        return HttpManagementUtil.getOutputStream(request, response, _managementConfiguration);
+        ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+        if(managedObject != null)
+        {
+            doPut(request, resp, managedObject);
+        }
     }
 
-    /**
-     * Performs the PUT action as the logged-in {@link Subject}.
-     * Subclasses commonly override this method
-     */
-    protected void doPutWithSubjectAndActor(HttpServletRequest req,
-                                            HttpServletResponse resp,
-                                            final ConfiguredObject<?> managedObject) throws ServletException, IOException
+    protected void doPut(HttpServletRequest req,
+                         HttpServletResponse resp,
+                         final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         throw new UnsupportedOperationException("PUT not supported by this servlet");
     }
@@ -227,91 +170,24 @@ public abstract class AbstractServlet ex
     protected final void doDelete(final HttpServletRequest request, final HttpServletResponse resp)
             throws ServletException, IOException
     {
-        doWithSubjectAndActor(
-            new PrivilegedExceptionAction<Void>()
-            {
-                @Override
-                public Void run() throws Exception
-                {
-                    ConfiguredObject<?> managedObject = getManagedObject(request, resp);
-                    if(managedObject != null)
-                    {
-                        doDeleteWithSubjectAndActor(request, resp, managedObject);
-                    }
-                    return null;
-                }
-            },
-            request,
-            resp
-        );
-    }
-
-    /**
-     * Performs the PUT action as the logged-in {@link Subject}.
-     * Subclasses commonly override this method
-     */
-    protected void doDeleteWithSubjectAndActor(HttpServletRequest req,
-                                               HttpServletResponse resp,
-                                               ConfiguredObject<?> managedObject) throws ServletException, IOException
-    {
-        throw new UnsupportedOperationException("DELETE not supported by this servlet");
-    }
-
-    private void doWithSubjectAndActor(
-                    PrivilegedExceptionAction<Void> privilegedExceptionAction,
-                    final HttpServletRequest request,
-                    final HttpServletResponse resp) throws IOException
-    {
-        Subject subject;
-        try
-        {
-            subject = getAuthorisedSubject(request);
-        }
-        catch (SecurityException e)
-        {
-            sendError(resp, HttpServletResponse.SC_UNAUTHORIZED);
-            return;
-        }
-
-        try
-        {
-            Subject.doAs(subject, privilegedExceptionAction);
-        }
-        catch(RuntimeException e)
+        ConfiguredObject<?> managedObject = getManagedObject(request, resp);
+        if(managedObject != null)
         {
-            throw e;
+            doDelete(request, resp, managedObject);
         }
-        catch (PrivilegedActionException e)
-        {
-            Throwable cause = e.getCause();
-
-            // Jetty uses EofException to signal an EOF from the peer (e.g. broken pipe etc). It arises in
-            // situations such as abnormal browser termination etc.
-            if (cause instanceof org.eclipse.jetty.io.EofException)
-            {
-                throw (IOException)cause;
-            }
+    }
 
-            if(cause instanceof RuntimeException)
-            {
-                throw (RuntimeException)cause;
-            }
-            else if(cause instanceof Error)
-            {
-                throw (Error)cause;
-            }
-            throw new ConnectionScopedRuntimeException(e.getCause());
-        }
+    protected void doDelete(HttpServletRequest req,
+                            HttpServletResponse resp,
+                            ConfiguredObject<?> managedObject) throws ServletException, IOException
+    {
+        throw new UnsupportedOperationException("DELETE not supported by this servlet");
     }
 
-    protected Subject getAuthorisedSubject(HttpServletRequest request)
+    protected OutputStream getOutputStream(final HttpServletRequest request, final HttpServletResponse response)
+            throws IOException
     {
-        Subject subject = HttpManagementUtil.getAuthorisedSubject(request);
-        if (subject == null)
-        {
-            throw new SecurityException("Access to management rest interfaces is denied for un-authorised user");
-        }
-        return subject;
+        return HttpManagementUtil.getOutputStream(request, response, _managementConfiguration);
     }
 
     protected Broker<?> getBroker()

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/ApiDocsServlet.java Tue Dec 13 14:27:19 2016
@@ -67,9 +67,9 @@ public class ApiDocsServlet extends Abst
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject) throws ServletException, IOException
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
 

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/JsonValueServlet.java Tue Dec 13 14:27:19 2016
@@ -39,9 +39,9 @@ public class JsonValueServlet extends Ab
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(final HttpServletRequest request,
-                                            final HttpServletResponse resp,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doGet(final HttpServletRequest request,
+                         final HttpServletResponse resp,
+                         final ConfiguredObject<?> managedObject)
             throws ServletException, IOException
     {
         sendJsonResponse(_value, request, resp);

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/MetaDataServlet.java Tue Dec 13 14:27:19 2016
@@ -67,9 +67,9 @@ public class MetaDataServlet extends Abs
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(final HttpServletRequest request,
-                                            final HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doGet(final HttpServletRequest request,
+                         final HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject)
             throws ServletException, IOException
     {
         response.setContentType("application/json");

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueryServlet.java Tue Dec 13 14:27:19 2016
@@ -44,9 +44,9 @@ public abstract class QueryServlet<X ext
 
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject)
             throws IOException, ServletException
     {
         performQuery(request, response, managedObject);
@@ -54,9 +54,9 @@ public abstract class QueryServlet<X ext
 
 
     @Override
-    protected void doPostWithSubjectAndActor(HttpServletRequest request,
-                                             HttpServletResponse response,
-                                             final ConfiguredObject<?> managedObject)
+    protected void doPost(HttpServletRequest request,
+                          HttpServletResponse response,
+                          final ConfiguredObject<?> managedObject)
             throws IOException, ServletException
     {
         performQuery(request, response, managedObject);

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/QueueReportServlet.java Tue Dec 13 14:27:19 2016
@@ -39,9 +39,9 @@ public class QueueReportServlet extends
     private static final long serialVersionUID = 1L;
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject)
             throws IOException, ServletException
     {
         List<String> pathInfoElements =

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/RestServlet.java Tue Dec 13 14:27:19 2016
@@ -177,9 +177,9 @@ public class RestServlet extends Abstrac
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject)
             throws ServletException, IOException
     {
         ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
@@ -379,9 +379,9 @@ public class RestServlet extends Abstrac
     }
 
     @Override
-    protected void doPutWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject)
+    protected void doPut(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject)
             throws ServletException, IOException
     {
         performCreateOrUpdate(request, response, managedObject);
@@ -1003,9 +1003,9 @@ public class RestServlet extends Abstrac
     }
 
     @Override
-    protected void doDeleteWithSubjectAndActor(HttpServletRequest request,
-                                               HttpServletResponse response,
-                                               final ConfiguredObject<?> managedObject) throws ServletException, IOException
+    protected void doDelete(HttpServletRequest request,
+                            HttpServletResponse response,
+                            final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         ConfiguredObjectFinder finder = getConfiguredObjectFinder(managedObject);
         Class<? extends ConfiguredObject> configuredClass = getConfiguredClass(request, managedObject);
@@ -1059,9 +1059,9 @@ public class RestServlet extends Abstrac
     }
 
     @Override
-    protected void doPostWithSubjectAndActor(HttpServletRequest request,
-                                             HttpServletResponse response,
-                                             final ConfiguredObject<?> managedObject) throws ServletException, IOException
+    protected void doPost(HttpServletRequest request,
+                          HttpServletResponse response,
+                          final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         performCreateOrUpdate(request, response, managedObject);
     }

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java Tue Dec 13 14:27:19 2016
@@ -21,6 +21,8 @@
 package org.apache.qpid.server.management.plugin.servlet.rest;
 
 import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.security.Principal;
 import java.security.SecureRandom;
 import java.util.LinkedHashMap;
@@ -69,11 +71,12 @@ public class SaslServlet extends Abstrac
         super();
     }
 
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject) throws
-                                                                                   ServletException,
-                                                                                   IOException
+
+
+
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         getRandom(request);
 
@@ -82,10 +85,10 @@ public class SaslServlet extends Abstrac
         String[] mechanisms = mechanismsList.toArray(new String[mechanismsList.size()]);
         Map<String, Object> outputObject = new LinkedHashMap<String, Object>();
 
-        final Subject subject = getAuthorisedSubject(request);
-        if(subject != null)
+        final Subject subject = Subject.getSubject(AccessController.getContext());
+        final Principal principal = AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
+        if(principal != null)
         {
-            Principal principal = AuthenticatedPrincipal.getAuthenticatedPrincipalFromSubject(subject);
             outputObject.put("user", principal.getName());
         }
         else if (request.getRemoteUser() != null)
@@ -117,9 +120,9 @@ public class SaslServlet extends Abstrac
 
 
     @Override
-    protected void doPostWithSubjectAndActor(final HttpServletRequest request,
-                                             final HttpServletResponse response,
-                                             final ConfiguredObject<?> managedObject) throws IOException
+    protected void doPost(final HttpServletRequest request,
+                          final HttpServletResponse response,
+                          final ConfiguredObject<?> managedObject) throws IOException
     {
         checkSaslAuthEnabled(request);
 
@@ -293,16 +296,4 @@ public class SaslServlet extends Abstrac
         return HttpManagementUtil.getManagementConfiguration(getServletContext()).getAuthenticationProvider(request).getSubjectCreator(
                 request.isSecure());
     }
-
-    @Override
-    protected Subject getAuthorisedSubject(HttpServletRequest request)
-    {
-        Subject subject = HttpManagementUtil.getAuthorisedSubject(request);
-        if(subject == null)
-        {
-            subject = HttpManagementUtil.tryToAuthenticate(request, HttpManagementUtil.getManagementConfiguration(getServletContext()));
-        }
-        return subject;
-    }
-
 }

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/StructureServlet.java Tue Dec 13 14:27:19 2016
@@ -40,9 +40,9 @@ public class StructureServlet extends Ab
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject) throws IOException, ServletException
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject) throws IOException, ServletException
     {
 
         // TODO filtering??? request.getParameter("filter"); // filter=1,2,3   /groups/*/*

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/rest/TimeZoneServlet.java Tue Dec 13 14:27:19 2016
@@ -45,10 +45,9 @@ public class TimeZoneServlet extends Abs
     }
 
     @Override
-    protected void doGetWithSubjectAndActor(HttpServletRequest request,
-                                            HttpServletResponse response,
-                                            final ConfiguredObject<?> managedObject) throws ServletException,
-                                                                                            IOException
+    protected void doGet(HttpServletRequest request,
+                         HttpServletResponse response,
+                         final ConfiguredObject<?> managedObject) throws ServletException, IOException
     {
         sendJsonResponse(getTimeZones(), request, response);
     }

Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/BrokerRestHttpsClientCertAuthTest.java Tue Dec 13 14:27:19 2016
@@ -80,8 +80,8 @@ public class BrokerRestHttpsClientCertAu
         _restTestHelper.setKeystore(KEYSTORE, KEYSTORE_PASSWORD);
         _restTestHelper.setClientAuthAlias(CERT_ALIAS_APP1);
 
-        Map<String, Object> saslData = getRestTestHelper().getJsonAsMap("/service/sasl");
+        Map<String, Object> saslData = getRestTestHelper().getJsonAsSingletonList("broker");
 
-        Asserts.assertAttributesPresent(saslData, "user");
+        Asserts.assertAttributesPresent(saslData, "modelVersion");
     }
 }

Modified: qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java?rev=1774022&r1=1774021&r2=1774022&view=diff
==============================================================================
--- qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java (original)
+++ qpid/java/trunk/systests/src/test/java/org/apache/qpid/systest/rest/PreemtiveAuthRestTest.java Tue Dec 13 14:27:19 2016
@@ -27,8 +27,10 @@ import static org.apache.qpid.test.utils
 import static org.apache.qpid.test.utils.TestSSLConstants.UNTRUSTED_KEYSTORE;
 
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletResponse;
@@ -189,4 +191,17 @@ public class PreemtiveAuthRestTest exten
             e.printStackTrace();
         }
     }
+
+    public void testPreemptiveDoesNotCreateSession() throws Exception
+    {
+        configure(false, false);
+        super.startDefaultBroker();
+        _restTestHelper = new RestTestHelper(getDefaultBroker().getHttpPort());
+
+        _restTestHelper.setUsernameAndPassword(USERNAME, PASSWORD);
+        final HttpURLConnection firstConnection = _restTestHelper.openManagementConnection("broker", "GET");
+        assertEquals("Unexpected server response", HttpServletResponse.SC_OK, firstConnection.getResponseCode());
+        List<String> cookies = firstConnection.getHeaderFields().get("Set-Cookie");
+        assertNull("Should not create session cookies", cookies);
+    }
 }



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message