DaanHoogland commented on code in PR #6393:
URL: https://github.com/apache/cloudstack/pull/6393#discussion_r876837389
##########
server/src/main/java/com/cloud/api/ApiServlet.java:
##########
@@ -278,52 +289,31 @@ void processRequestInContext(final HttpServletRequest
req, final HttpServletResp
// if a API key exists
Long userId = null;
+ if (isNew && s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("new session: %s", session));
+ }
if (!isNew) {
userId = (Long)session.getAttribute("userid");
final String account = (String)
session.getAttribute("account");
final Object accountObj = session.getAttribute("accountobj");
- if (!HttpUtils.validateSessionKey(session, params,
req.getCookies(), ApiConstants.SESSIONKEY)) {
- try {
- session.invalidate();
- } catch (final IllegalStateException ise) {
- }
- auditTrailSb.append(" " +
HttpServletResponse.SC_UNAUTHORIZED + " " + "unable to verify user
credentials");
- final String serializedResponse =
-
apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED, "unable to
verify user credentials", params, responseType);
- HttpUtils.writeHttpResponse(resp, serializedResponse,
HttpServletResponse.SC_UNAUTHORIZED, responseType,
ApiServer.JSONcontentType.value());
- return;
- }
-
- // Do a sanity check here to make sure the user hasn't already
been deleted
- if ((userId != null) && (account != null) && (accountObj !=
null) && apiServer.verifyUser(userId)) {
- final String[] command =
(String[])params.get(ApiConstants.COMMAND);
- if (command == null) {
- s_logger.info("missing command, ignoring request...");
- auditTrailSb.append(" " +
HttpServletResponse.SC_BAD_REQUEST + " " + "no command specified");
- final String serializedResponse =
apiServer.getSerializedApiError(HttpServletResponse.SC_BAD_REQUEST, "no command
specified", params, responseType);
- HttpUtils.writeHttpResponse(resp, serializedResponse,
HttpServletResponse.SC_BAD_REQUEST, responseType,
ApiServer.JSONcontentType.value());
- return;
- }
- final User user = entityMgr.findById(User.class, userId);
- CallContext.register(user, (Account)accountObj);
+ if (account != null) {
+ if (invalidateHttpSesseionIfNeeded(req, resp,
auditTrailSb, responseType, params, session, account)) return;
} else {
- // Invalidate the session to ensure we won't allow a
request across management server
- // restarts if the userId was serialized to the stored
session
- try {
- session.invalidate();
- } catch (final IllegalStateException ise) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("no account, this request will be
validated through apikey(%s)/signature");
}
+ }
- auditTrailSb.append(" " +
HttpServletResponse.SC_UNAUTHORIZED + " " + "unable to verify user
credentials");
- final String serializedResponse =
-
apiServer.getSerializedApiError(HttpServletResponse.SC_UNAUTHORIZED, "unable to
verify user credentials", params, responseType);
- HttpUtils.writeHttpResponse(resp, serializedResponse,
HttpServletResponse.SC_UNAUTHORIZED, responseType,
ApiServer.JSONcontentType.value());
+ if (! requestChecksoutAsSane(resp, auditTrailSb, responseType,
params, session, command, userId, account, accountObj))
return;
- }
} else {
CallContext.register(accountMgr.getSystemUser(),
accountMgr.getSystemAccount());
}
setProjectContext(params);
+ if (s_logger.isTraceEnabled()) {
+ s_logger.trace(String.format("verifying request for user %s
from %s with params %s",
+ userId, remoteAddress.getHostAddress(),
org.apache.commons.lang3.StringUtils.join(params)));
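Review bot: The session-key check is now only reached when the session carries an `account` attribute (`if (account != null) { if (invalidateHttpSesseionIfNeeded(...)) return; }`), whereas the removed code called `HttpUtils.validateSessionKey` for every existing session; a session holding a `userid` but no `account` now falls through to `requestChecksoutAsSane` without its sessionkey having been validated anywhere in this hunk, so unless that helper rejects such a session (its body is not shown) the key should still be validated, or the session invalidated, before that call. The debug message `"no account, this request will be validated through apikey(%s)/signature"` is handed straight to `s_logger.debug` with no formatting, so the `%s` is printed literally; either drop it or format it explicitly, e.g. `s_logger.debug("no account, this request will be validated through apikey/signature");`. The new helper name `invalidateHttpSesseionIfNeeded` has a typo (`Sesseion`) that is cheaper to fix now than after callers accumulate. `command` is passed to `requestChecksoutAsSane` but is not declared in the hunk; presumably it is bound earlier in `processRequestInContext`, which starts before this hunk and continues past it.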
Review Comment:
```suggestion
s_logger.trace(String.format("verifying request for user %s
from %s with %d parameters",
userId, remoteAddress.getHostAddress(),
params.size()));
```