This is an automated email from the ASF dual-hosted git repository. heneveld pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/brooklyn-server.git
commit dc9b355b87f42528d1eb7c2ca66539c4765422fb
Author: Alex Heneveld <[email protected]>
AuthorDate: Wed Jan 9 10:05:44 2019 +0000

add'l tidy for removal of jaas, introduction of SecurityProvider as filter
---
 .../brooklyn/launcher/WebAppContextProvider.java | 10 +++-
 .../org/apache/brooklyn/rest/api/LogoutApi.java | 11 ++--
 .../BrooklynSecurityProviderFilterHelper.java | 69 ++++------------------
 .../BrooklynSecurityProviderFilterJavax.java | 2 +-
 .../rest/filter/CorsImplSupplierFilter.java | 1 +
 .../rest/filter/HaHotCheckResourceFilter.java | 1 -
 .../brooklyn/rest/resources/LogoutResource.java | 14 +++--
 .../provider/DelegatingSecurityProvider.java | 12 ++--
 .../security/provider/OauthSecurityProvider.java | 39 ++++++++----
 .../src/main/resources/web-security.xml | 29 +-------
 10 files changed, 75 insertions(+), 113 deletions(-)

diff --git a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
index 880aa48..6e269d1 100644
--- a/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
+++ b/launcher/src/main/java/org/apache/brooklyn/launcher/WebAppContextProvider.java
@@ -24,6 +24,8 @@ import java.io.File; import java.io.InputStream; import java.util.Map; +import javax.servlet.Servlet; + import org.apache.brooklyn.api.mgmt.ManagementContext; import org.apache.brooklyn.core.server.BrooklynServiceAttributes; import org.apache.brooklyn.launcher.config.CustomResourceLocator;
@@ -73,9 +75,11 @@ public class WebAppContextProvider { final WebAppContext context = new WebAppContext(); // use a unique session ID to prevent interference with other web apps on same server (esp for localhost); - // it might be better to make this brooklyn-only or base on the management-plane ID; - // but i think it actually *is* per-server instance, since we don't cache sessions server-side, - // so i think this is write. [Alex 2015-09] + // note however this is only run for the legacy launcher + // TODO would be nice if the various karaf startups rename the session cookie property (from JSESSIONID) + // as the default is likely to conflict with other java-based servers (esp on localhost); + // this can be done e.g. on ServletContext.getSessionCookieConfig(), but will be needed for REST and for JS (static) bundles + // low priority however, if you /etc/hosts a localhost-brooklyn and use that it will stop conflicting context.setInitParameter(SessionHandler.__SessionCookieProperty, SessionHandler.__DefaultSessionCookie + "_" + "BROOKLYN" + Identifiers.makeRandomId(6)); context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false"); context.setAttribute(BrooklynServiceAttributes.BROOKLYN_MANAGEMENT_CONTEXT, managementContext); diff --git a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java index f0ca328..526a72f 100644 --- a/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java +++ b/rest/rest-api/src/main/java/org/apache/brooklyn/rest/api/LogoutApi.java 
@@ -36,19 +36,22 @@ public interface LogoutApi { @POST @ApiOperation(value = "Request a logout and clean session") @ApiResponses(value = { - @ApiResponse(code = 307, message = "Redirect to /logout/user, keeping the request method") + @ApiResponse(code = 307, message = "Redirect to /logout/{user}, keeping the request method") }) Response logout(); - + // TODO what is this for? misleading as it does not unauthorize the _session_ or log out in any way; + // deprecating as at 2019-01 + /** @deprecated since 1.0 */ + @Deprecated @POST @Path("/unauthorize") - @ApiOperation(value = "Return UNAUTHORIZED 401 response") + @ApiOperation(value = "Return UNAUTHORIZED 401 response, but without disabling the session [deprecated]") Response unAuthorize(); @POST @Path("/{user}") - @ApiOperation(value = "Logout and clean session if matching user logged") + @ApiOperation(value = "Logout and clean session if matching user logged in") Response logoutUser( @ApiParam(value = "User to log out", required = true) @PathParam("user") final String user); diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java index 47180c9..53cb34a 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.java 
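Review bot: The new `/** @deprecated since 1.0 */` on `unAuthorize()` names no replacement, so anyone reading the Javadoc or the generated Swagger is left to guess what to call instead, and the `// TODO what is this for?` above it is the kind of question the Javadoc should answer. Given the `logoutUser` description in the same hunk, `/** @deprecated since 1.0; use {@link #logoutUser(String)} instead. This endpoint only returns 401 and does not end the session. */` says it, and the TODO can then go. The 307 message now reads `/logout/{user}`, which matches the `@Path("/{user}")` below it.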
@@ -33,6 +33,7 @@ import org.apache.brooklyn.rest.security.provider.DelegatingSecurityProvider;
 import org.apache.brooklyn.rest.security.provider.SecurityProvider;
 import org.apache.brooklyn.rest.security.provider.SecurityProvider.SecurityProviderDeniedAuthentication;
 import org.apache.brooklyn.util.collections.MutableSet;
+import org.apache.brooklyn.util.text.StringEscapes;
 import org.apache.commons.codec.binary.Base64;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.server.Request;
@@ -72,31 +73,35 @@ public class BrooklynSecurityProviderFilterHelper { */ public static final String AUTHENTICATED_USER_SESSION_ATTRIBUTE = "brooklyn.user"; - // TODO ugly, using a static, but it shares across bundles and all have different instances, so this is reasonable public static Set<SessionHandler> SESSION_MANAGER_CACHE = MutableSet.of(); private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterHelper.class); + + // TODO this should be parametrisable + public static final String BASIC_REALM_NAME = "brooklyn"; + + public static final String BASIC_REALM_HEADER_VALUE = "BASIC realm="+StringEscapes.JavaStringEscapes.wrapJavaString(BASIC_REALM_NAME); /* check all contexts for sessions; surprisingly hard to configure session management for karaf/pax web container. * they _really_ want each servlet to have their own sessions. how you're meant to do oauth for multiple servlets i don't know! */ public HttpSession getSession(HttpServletRequest webRequest, ManagementContext mgmt, boolean create) { String requestedSessionId = webRequest.getRequestedSessionId(); - log.info("SESSION for "+ webRequest.getRequestURI()+", wants session "+requestedSessionId); + log.trace("SESSION for {}, wants session {}", webRequest.getRequestURI(), requestedSessionId); if (webRequest instanceof Request) { SessionHandler sm = ((Request)webRequest).getSessionHandler(); boolean added = SESSION_MANAGER_CACHE.add( sm ); - log.info("SESSION MANAGER found for "+webRequest.getRequestURI()+": "+sm+" ("+added+")"); + log.trace("SESSION MANAGER found for {}: {} (added={})", webRequest.getRequestURI(), sm, added); } else { - log.info("SESSION MANAGER NOT found for "+webRequest.getRequestURI()+" - "+webRequest); + log.trace("SESSION MANAGER NOT found for {}: {}", webRequest.getRequestURI(), webRequest); } if (requestedSessionId!=null) { for (SessionHandler m: SESSION_MANAGER_CACHE) { HttpSession s = m.getHttpSession(requestedSessionId); if (s!=null) { - log.info("SESSION 
found for "+webRequest.getRequestURI()+": "+s+"; "+m.isValid(s)); + log.trace("SESSION found for {}: {} (valid={})", webRequest.getRequestURI(), s, m.isValid(s)); return s; } } 
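Review bot: In the loop over `SESSION_MANAGER_CACHE`, `m.isValid(s)` is evaluated only as a trace-log argument and the session is returned regardless, so if `getHttpSession` can hand back a session its handler already treats as invalid (invalidated, or expired but not yet scavenged), an authenticated `brooklyn.user` attribute on it would still be honoured by the caller; I cannot confirm Jetty's exact behaviour from this hunk, but the guard is cheap: `if (s!=null && m.isValid(s)) { log.trace(...); return s; }`. The hunk also drops the `TODO ugly, using a static` note without addressing it: `SESSION_MANAGER_CACHE` is `add`ed to on every request and iterated here with no synchronization, so unless `MutableSet` is itself thread-safe, concurrent requests across bundles can race or throw `ConcurrentModificationException` — wrapping it in `Collections.synchronizedSet(...)` (and iterating over a snapshot) plus a comment explaining why it is static would be safer. Minor: `BASIC_REALM_HEADER_VALUE` is built with a Java-string escaper rather than an RFC 7235 quoted-string one; identical for `brooklyn`, but worth a comment if the realm becomes configurable as the TODO intends.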
@@ -104,62 +109,14 @@ public class BrooklynSecurityProviderFilterHelper { if (create) { HttpSession session = webRequest.getSession(true); - log.info("SESSION creating for "+webRequest.getRequestURI()+": "+session); + log.trace("SESSION creating for {}: {}", webRequest.getRequestURI(), session); return session; } - return null; - -// HttpSession session = webRequest.getSession(false); -// if (session!=null) return session; -// -// // go through all the known session managers -// -// -// webRequest.getServletContext().getServlets().nextElement().getServletConfig().getServletContext().getser -// BundleContext ctx = (BundleContext) webRequest.getServletContext().getAttribute( -// //WebContainerConstants.BUNDLE_CONTEXT_ATTRIBUTE -// "osgi-bundlecontext"); -// log.info("TEST context "+ctx); -// if (ctx!=null) { -// log.info("TEST server "+ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" )); -// } -// ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" ); -// -// ctx = FrameworkUtil.getBundle(BrooklynSecurityProviderFilterHelper.class).getBundleContext(); -// -// -// log.info("TEST context2 "+ctx); -// if (ctx!=null) { -// log.info("TEST server2 "+ctx.getServiceReference( "org.ops4j.pax.web.service.WebContainer" )); -// } -// -//// String id = webRequest.getRequestedSessionId(); -//// webRequest.getServletContext().gethan -////// for (Cookie c: webRequest.getCookies()) { -////// if ("JSESSIONID".equals(c.getName())) { -////// c.getValue() -////// } -////// } -//// HttpSession session = getLocalSession(id); -//// if (session == null) { -//// for (SessionHandler manager: getSessionIdManager().getSessionHandlers()) { -//// if (manager.equals(this) || !(manager instanceof CustomSessionHandler)) { -//// continue; -//// } -//// session = ((CustomSessionHandler)manager).getLocalSession(id); -//// if (session != null) { -//// break; -//// } -//// } // should we duplicate sessions in each context? // will we end up with inconsistent sessions? 
/* if (externalSession != null) { try { getSessionCache().put(id, externalSession); } catch (Exception e) { LOG.warn("Unable to save session to local cache."); } } */ } -//// } -//// return session; -// return null; + return null; // not found } public void run(HttpServletRequest webRequest, ManagementContext mgmt) throws SecurityProviderDeniedAuthentication { - log.info("SEC PROV for "+webRequest.getRequestURI()); - SecurityProvider provider = getProvider(mgmt); HttpSession session = getSession(webRequest, mgmt, false); @@ -203,7 +160,7 @@ public class BrooklynSecurityProviderFilterHelper { private SecurityProviderDeniedAuthentication abort(String msg, boolean requiresUserPass) throws SecurityProviderDeniedAuthentication { ResponseBuilder response = Response.status(Status.UNAUTHORIZED); if (requiresUserPass) { - response.header(HttpHeader.WWW_AUTHENTICATE.asString(), "BASIC realm=\"brooklyn\""); + response.header(HttpHeader.WWW_AUTHENTICATE.asString(), BASIC_REALM_HEADER_VALUE); } response.header(HttpHeader.CONTENT_TYPE.asString(), MediaType.TEXT_PLAIN); response.entity(msg); diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java index 5751872..b2b679b 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJavax.java @@ -69,7 +69,7 @@ public class BrooklynSecurityProviderFilterJavax implements Filter { rout.setStatus(rin.getStatus()); - // TODO does content type need to be set explicitly? + // note content-type is explicitly set in some Response objects, but this should set it rin.getHeaders().forEach((k,v) -> v.forEach(v2 -> rout.addHeader(k, Strings.toString(v2)))); Object body = rin.getEntity(); 
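Review bot: The hunk removes the big commented-out experiment but leaves the trailing fragment `// should we duplicate sessions in each context? // will we end up with inconsistent sessions? /* if (externalSession != null) { ... } */` inside `getSession`, which now reads as dead code with no surrounding context. Either delete it as well or turn it into a one-line statement of the actual policy the visible code implements, e.g. `// sessions are looked up across all cached handlers but created (create=true) only on this request's own handler; they are not duplicated per context`. `run(...)` starts in this hunk and continues outside it.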
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java index 51c9e5c..9262c00 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/CorsImplSupplierFilter.java @@ -59,6 +59,7 @@ import java.util.List; * Apache Brooklyn API calls do not use CORS annotations so findResourceMethod is set to false. */ @Provider +@SuppressWarnings("serial") public class CorsImplSupplierFilter extends CrossOriginResourceSharingFilter { /** * @see CrossOriginResourceSharingFilter#setAllowOrigins(List<String>) diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java index 28eac1c..128d06a 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/filter/HaHotCheckResourceFilter.java @@ -33,7 +33,6 @@ import javax.ws.rs.ext.Provider; import org.apache.brooklyn.api.mgmt.ManagementContext; import org.apache.brooklyn.api.mgmt.ha.ManagementNodeState; -import org.apache.brooklyn.rest.util.BrooklynRestResourceUtils; import org.apache.brooklyn.util.guava.Maybe; import org.apache.brooklyn.util.text.Strings; diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java index 5ce65ba..a03cb24 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/resources/LogoutResource.java 
@@ -30,6 +30,7 @@ import javax.ws.rs.core.UriInfo; import org.apache.brooklyn.core.mgmt.entitlement.Entitlements; import org.apache.brooklyn.core.mgmt.entitlement.WebEntitlementContext; import org.apache.brooklyn.rest.api.LogoutApi; +import org.apache.brooklyn.rest.filter.BrooklynSecurityProviderFilterHelper; import org.apache.brooklyn.util.exceptions.Exceptions; public class LogoutResource extends AbstractBrooklynRestResource implements LogoutApi { @@ -58,19 +59,21 @@ public class LogoutResource extends AbstractBrooklynRestResource implements Logo @Override public Response unAuthorize() { return Response.status(Status.UNAUTHORIZED) - .build(); + // NB: 2019-01 no longer returns a realm (there might not be a realm; in this code we don't know) + // method is now deprecated anyway + .build(); } @Override public Response logoutUser(String user) { - // Will work when switching users, but will keep re-authenticating if user types in same user name. - // Could improve by keeping state in cookies to decide whether to request auth or declare successfull re-auth. WebEntitlementContext ctx = (WebEntitlementContext) Entitlements.getEntitlementContext(); if (user.equals(ctx.user())) { doLogout(); - return Response.status(Status.UNAUTHORIZED) - .build(); + return Response.status(Status.OK) + // 2019-01 no longer returns unauthorized, returns OK to indicate user is successfully logged out + // also the realm is removed (there might not be a realm; in this code we don't know) + .build(); } else { return Response.temporaryRedirect(uri.getAbsolutePathBuilder().replacePath("/").build()).build(); } @@ -78,6 +81,7 @@ public class LogoutResource extends AbstractBrooklynRestResource implements Logo private void doLogout() { try { + req.getSession().removeAttribute(BrooklynSecurityProviderFilterHelper.AUTHENTICATED_USER_SESSION_ATTRIBUTE); req.logout(); } catch (ServletException e) { Exceptions.propagate(e); 
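Review bot: `logoutUser` still casts `Entitlements.getEntitlementContext()` to `WebEntitlementContext` and calls `ctx.user()` with no null check; with the declarative `security-constraint` on `/` removed from web-security.xml in this same commit, whether an unauthenticated `POST /v1/logout/{user}` can reach this method now depends entirely on the filter, and if it can, the result is an NPE surfacing as a 500 rather than a 401. A guard such as `if (ctx == null) return Response.status(Status.UNAUTHORIZED).build();` before the comparison keeps the failure mode explicit. The non-matching branch still answers with a 307 to `/`, which for a POST re-submits the request to the root — worth confirming that is intended now that the method returns 200 on success.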
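Review bot: The added `req.getSession().removeAttribute(...)` uses `getSession()`, which creates a session when none exists, and removing `brooklyn.user` leaves the session itself valid, so its id and any other attributes — for example the OAuth access token that `OauthSecurityProvider` reads from the session — survive the logout until they time out; prefer `HttpSession s = req.getSession(false); if (s != null) { s.removeAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE); s.invalidate(); }` so a captured cookie cannot be replayed after logout. Note also that `BrooklynSecurityProviderFilterHelper.getSession` resolves the requested id across all cached `SessionHandler`s, so the servlet-local session returned by `req.getSession()` here may not be the same object the filter authenticated — worth confirming before relying on this removal alone. `doLogout` continues outside the hunk.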
diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java index 65567c4..b420501 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/DelegatingSecurityProvider.java @@ -77,14 +77,14 @@ public class DelegatingSecurityProvider implements SecurityProvider { SecurityProvider presetDelegate = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_INSTANCE); if (presetDelegate!=null) { - log.info("REST using pre-set security provider " + presetDelegate); + log.trace("Brooklyn security: using pre-set security provider {}", presetDelegate); return presetDelegate; } String className = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME); if (delegate != null && BrooklynWebConfig.hasNoSecurityOptions(mgmt.getConfig())) { - log.debug("{} refusing to change from {}: No security provider set in reloaded properties.", + log.debug("Brooklyn security: {} refusing to change from {}: No security provider set in reloaded properties.", this, delegate); return delegate; } 
@@ -93,17 +93,17 @@ public class DelegatingSecurityProvider implements SecurityProvider { String bundle = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_BUNDLE); if (bundle!=null) { String bundleVersion = brooklynProperties.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_BUNDLE_VERSION); - log.info("REST using security provider " + className + " from " + bundle+":"+bundleVersion); + log.info("Brooklyn security: using security provider " + className + " from " + bundle+":"+bundleVersion); BundleContext bundleContext = ((ManagementContextInternal)mgmt).getOsgiManager().get().getFramework().getBundleContext(); delegate = loadProviderFromBundle(mgmt, bundleContext, bundle, bundleVersion, className); } else { - log.info("REST using security provider " + className); + log.info("Brooklyn security: using security provider " + className); ClassLoaderUtils clu = new ClassLoaderUtils(this, mgmt); Class<? extends SecurityProvider> clazz = (Class<? extends SecurityProvider>) clu.loadClass(className); delegate = createSecurityProviderInstance(mgmt, clazz); } } catch (Exception e) { - log.warn("REST unable to instantiate security provider " + className + "; all logins are being disallowed", e); + log.warn("Brooklyn security: unable to instantiate security provider " + className + "; all logins are being disallowed", e); delegate = new BlackholeSecurityProvider(); } 
@@ -122,7 +122,7 @@ public class DelegatingSecurityProvider implements SecurityProvider { if (bundles.isEmpty()) { throw new IllegalStateException("No bundle " + symbolicName + ":" + version + " found"); } else if (bundles.size() > 1) { - log.warn("Found multiple bundles matching symbolicName " + symbolicName + " and version " + version + + log.warn("Brooklyn security: found multiple bundles matching symbolicName " + symbolicName + " and version " + version + " while trying to load security provider " + className + ". Will use first one that loads the class successfully."); } SecurityProvider p = tryLoadClass(mgmt, className, bundles); diff --git a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java index a3bbcf1..c3c7be4 100644 --- a/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java +++ b/rest/rest-resources/src/main/java/org/apache/brooklyn/rest/security/provider/OauthSecurityProvider.java @@ -30,6 +30,7 @@ import javax.servlet.http.HttpSession; import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.Status; +import org.apache.brooklyn.api.mgmt.ManagementContext; import org.apache.brooklyn.rest.filter.BrooklynSecurityProviderFilterHelper; import org.apache.brooklyn.util.exceptions.Exceptions; import org.apache.brooklyn.util.text.Identifiers; 
@@ -55,12 +56,15 @@ import org.eclipse.jetty.server.Request; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.common.annotations.Beta; + /** Configurable OAuth redirect security provider * * Redirects all inbound requests to an oath web server unless a session token is specified. */ +@Beta // work in progress public class OauthSecurityProvider implements SecurityProvider { - public static final Logger LOG = LoggerFactory.getLogger(OauthSecurityProvider.class); + public static final Logger log = LoggerFactory.getLogger(OauthSecurityProvider.class); private static final String OAUTH_ACCESS_TOKEN_SESSION_KEY = "org.apache.brooklyn.security.oauth.access_token"; private static final String OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY = "org.apache.brooklyn.security.oauth.access_token_expiry_utc"; @@ -68,7 +72,9 @@ public class OauthSecurityProvider implements SecurityProvider { private static final String OAUTH_AUTH_CODE_PARAMETER_FROM_USER = "code"; private static final String OAUTH_AUTH_CODE_PARAMETER_FOR_SERVER = OAUTH_AUTH_CODE_PARAMETER_FROM_USER; - // TODO parameterise +// private static String KEY_PREFIX = BrooklynWebConfig.BASE_NAME_SECURITY+".oauth."; +// ConfigKey<String> URI_GET_TOKEN_KEY = ConfigKeys.newStringConfigKey(KEY_PREFIX+"uriGetToken", "URL where token can be fetched"); + // TODO parameterise values below with keys as above // tempting to use getJettyRequest().getRequestURL().toString(); // but some oauth providers require this to be declared @@ -77,7 +83,7 @@ public class OauthSecurityProvider implements SecurityProvider { private String audience = "audience"; private Duration validity = Duration.hours(1); - // google test data + // google test data - hard-coded for now private String uriGetToken = "https://accounts.google.com/o/oauth2/token"; private String uriAuthorize = "https://accounts.google.com/o/oauth2/auth"; private String uriTokenInfo = "https://www.googleapis.com/oauth2/v1/tokeninfo"; 
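Review bot: The Google endpoints, `audience = "audience"` and the one-hour `validity` are now labelled `hard-coded for now`, but nothing prevents this `@Beta` provider from being selected in a real deployment with those values, and the `Preconditions` check in `initialize()` later in the file is commented out, so misconfiguration fails open to test endpoints rather than failing fast. If the `KEY_PREFIX`/`URI_GET_TOKEN_KEY` sketch in the comment is not being wired up in this commit, at least mark the field group `// SECURITY: test-only values, must be made configurable before this provider is used outside development` so the next reader does not mistake them for defaults. The `log` rename and `@Beta` annotation are fine.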
@@ -91,9 +97,22 @@ public class OauthSecurityProvider implements SecurityProvider { // private String clientId = "7f76b9970d8ac15b30b0"; // private String clientSecret = "9e15f8dd651f0b1896a3a582f17fa82f049fc910"; + protected final ManagementContext mgmt; + + public OauthSecurityProvider(ManagementContext mgmt) { + this.mgmt = mgmt; + initialize(); + } + + private synchronized void initialize() { + // TODO set these keys +// Preconditions.checkNotNull(mgmt.getConfig().getConfig(URI_GET_TOKEN_KEY), "URI to get token must be set: "+URI_GET_TOKEN_KEY.getName()); + } + @Override public boolean isAuthenticated(HttpSession session) { - LOG.info("isAuthenticated 1 "+getJettyRequest().getRequestURI()+" "+session+" ... "+this); + // TODO tidy log messages + log.info("isAuthenticated 1 "+getJettyRequest().getRequestURI()+" "+session+" ... "+this); Object token = session.getAttribute(OAUTH_ACCESS_TOKEN_SESSION_KEY); // TODO is it valid? return token!=null; @@ -101,7 +120,7 @@ public class OauthSecurityProvider implements SecurityProvider { @Override public boolean authenticate(HttpSession session, String user, String password) throws SecurityProviderDeniedAuthentication { - LOG.info("authenticate "+session+" "+user); + log.info("authenticate "+session+" "+user); if (isAuthenticated(session)) { return true; @@ -127,14 +146,14 @@ public class OauthSecurityProvider implements SecurityProvider { } catch (SecurityProviderDeniedAuthentication e) { throw e; } catch (Exception e) { - LOG.warn("Error performing OAuth: "+e, e); + log.warn("Error performing OAuth: "+e, e); throw Exceptions.propagate(e); } } @Override public boolean logout(HttpSession session) { - LOG.info("logout"); + log.info("logout"); session.removeAttribute(OAUTH_ACCESS_TOKEN_SESSION_KEY); session.removeAttribute(OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY); return true; 
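Review bot: The context lines at the top of this hunk still carry `// private String clientId = "7f76b9970d8ac15b30b0"; // private String clientSecret = "9e15f8dd651f0b1896a3a582f17fa82f049fc910";`, which looks like a real OAuth client id/secret pair committed in a comment; even commented out it lives in repository history, so it should be treated as disclosed — rotate it with the provider and delete the lines rather than keeping them as a template (a placeholder like `<client-secret-from-config>` is enough). Separately, the new `isAuthenticated` returns `token!=null` and never consults `OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY`, which this class defines and clears on logout, so an expired access token keeps a session authenticated indefinitely; something like `Object expiry = session.getAttribute(OAUTH_ACCESS_TOKEN_EXPIRY_UTC_KEY); return token!=null && (!(expiry instanceof Long) || (Long) expiry > System.currentTimeMillis());` would honour it, assuming the expiry is stored as epoch millis (the hunk does not show where it is set). The per-request `log.info("isAuthenticated 1 ...")` with `this` and the session should drop to trace as the filter helper now does.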
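Review bot: `log.info("authenticate "+session+" "+user)` runs on every authentication attempt and prints whatever `HttpSession.toString()` yields — for Jetty that typically includes the session id — next to the user name, putting a replayable identifier into routine INFO logs. Logging at trace with only non-sensitive fields, e.g. `log.trace("authenticate user {} (session present: {})", user, session!=null);`, gives the same debugging value without the exposure.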
@@ -161,10 +180,10 @@ public class OauthSecurityProvider implements SecurityProvider { // get the access token from json and request info from Google try { jsonObject = (Map<?,?>) Yamls.parseAll(body).iterator().next(); - LOG.info("Parsed '"+body+"' as "+jsonObject); + log.info("Parsed '"+body+"' as "+jsonObject); } catch (Exception e) { Exceptions.propagateIfFatal(e); - LOG.info("Unable to parse: '"+body+"'"); + log.info("Unable to parse: '"+body+"'"); // throw new RuntimeException("Unable to parse json " + body); return redirectUserToOauthLoginUi(); } @@ -179,7 +198,7 @@ public class OauthSecurityProvider implements SecurityProvider { // request.getSession().setAttribute(SESSION_KEY_CODE, code); // TODO is it valid? - LOG.debug("Got token/code "+accessToken+"/"+code+" from "+jsonObject); + log.debug("Got token/code "+accessToken+"/"+code+" from "+jsonObject); // eg Got token/code // ya29.GluHBtzZ-R-CaoWMlso6KB6cq3DrbmwX6B3kjMmzWqzU-vO76WjKuNS3Ktog7vt9CJnxSZ63NmqO4p5bg20wl0-M14yO1LuoXNV5JX3qHDmXl2rl-z1LbCPEYJ-o // / 4/yADFJRSRCxLgZFcpD_KU2jQiCXBGNHTsw0eGZqZ2t6IJJh2O1oWBnBDx4eWl4ZLCRAFJx3QjPYtl7LF9zj_DNlA diff --git a/rest/rest-server/src/main/resources/web-security.xml b/rest/rest-server/src/main/resources/web-security.xml index a03c448..c6a3974 100644 --- a/rest/rest-server/src/main/resources/web-security.xml +++ b/rest/rest-server/src/main/resources/web-security.xml 
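Review bot: `log.info("Parsed '"+body+"' as "+jsonObject)` writes the entire token-endpoint response — which the following lines read the access token out of — into the INFO log, and the catch branch logs the raw `body` on a parse failure too; bearer tokens in logs are a credential leak to anyone with log access. Log the structure without the values, e.g. `log.debug("Parsed token response with keys {}", jsonObject.keySet());` and `log.debug("Unable to parse token response ({} chars)", body==null ? 0 : body.length());`. The enclosing method begins before this hunk.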
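Review bot: `log.debug("Got token/code "+accessToken+"/"+code+" from "+jsonObject)` logs the access token, the authorization code and the full token response, and the comment beneath it embeds a literal `ya29.…` access token and a `4/…` auth code as an example; both should go, and the sample token should be considered disclosed even if long expired. Replace with `log.debug("Got access token ({} chars) and code ({} chars)", accessToken==null ? 0 : accessToken.length(), code==null ? 0 : code.length());` and delete the two example lines. The enclosing method continues outside the hunk.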
@@ -21,31 +21,6 @@
 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
 version="3.1">
 
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>Logout</web-resource-name>
- <url-pattern>/v1/logout</url-pattern>
- </web-resource-collection>
- </security-constraint>
-
- <!-- Ignored programmatically if noConsoleSecurity -->
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>All</web-resource-name>
- <url-pattern>/</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>webconsole</role-name>
- </auth-constraint>
- </security-constraint>
-
- <login-config>
- <!--<auth-method>BASIC</auth-method>-->
- <realm-name>webconsole</realm-name>
- </login-config>
-
- <security-role>
- <role-name>webconsole</role-name>
- </security-role>
-
+ <!-- now done with filters -->
+
 </web-app>
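Review bot: With the `security-constraint`, `login-config` and `security-role` elements gone, the container no longer enforces authentication on any URL of this web-app, so coverage now rests entirely on the servlet filter being registered for every context and path, and the replacement comment `<!-- now done with filters -->` does not tell a reader which filter or where to check. Name the mechanism so it can be verified, e.g. `<!-- Authentication is enforced by the SecurityProvider filter (BrooklynSecurityProviderFilterJavax in rest-resources) for all paths; there is intentionally no container-level security-constraint or login-config here. -->`. The removed `<!-- Ignored programmatically if noConsoleSecurity -->` also deserves a sentence on where that no-security mode is honoured now, since this file no longer carries any hint of it.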
