Repository: eagle Updated Branches: refs/heads/master a8d82d55f -> 8d79f0888
[MINOR] Fix BasicAuthFilter when username/password is null * Fix BasicAuthFilter when username/password is null * Disable BasicAuthFilter when authentication is disabled. Author: Hao Chen <[email protected]> Closes #852 from haoch/FixBasicAuthFilter. Project: http://git-wip-us.apache.org/repos/asf/eagle/repo Commit: http://git-wip-us.apache.org/repos/asf/eagle/commit/8d79f088 Tree: http://git-wip-us.apache.org/repos/asf/eagle/tree/8d79f088 Diff: http://git-wip-us.apache.org/repos/asf/eagle/diff/8d79f088 Branch: refs/heads/master Commit: 8d79f0888eac4e3380bc094907c0ea7728dccbae Parents: a8d82d5 Author: Hao Chen <[email protected]> Authored: Fri Mar 3 09:44:11 2017 +0800 Committer: Hao Chen <[email protected]> Committed: Fri Mar 3 09:44:11 2017 +0800 ---------------------------------------------------------------------- .../apache/eagle/server/ServerApplication.java | 7 +- .../server/security/BasicAuthRequestFilter.java | 75 ++++++++++++-------- 2 files changed, 48 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/eagle/blob/8d79f088/eagle-server/src/main/java/org/apache/eagle/server/ServerApplication.java ---------------------------------------------------------------------- diff --git a/eagle-server/src/main/java/org/apache/eagle/server/ServerApplication.java b/eagle-server/src/main/java/org/apache/eagle/server/ServerApplication.java index 9f2a4ef..e594acf 100644 --- a/eagle-server/src/main/java/org/apache/eagle/server/ServerApplication.java +++ b/eagle-server/src/main/java/org/apache/eagle/server/ServerApplication.java 
@@ -118,9 +118,10 @@ public class ServerApplication extends Application<ServerConfig> { // Register authentication provider BasicAuthBuilder authBuilder = new BasicAuthBuilder(configuration.getAuthConfig(), environment); environment.jersey().register(authBuilder.getBasicAuthProvider()); - environment.jersey().getResourceConfig().getResourceFilterFactories() - .add(new BasicAuthResourceFilterFactory(authBuilder.getBasicAuthenticator())); - + if (configuration.getAuthConfig().isEnabled()) { + environment.jersey().getResourceConfig().getResourceFilterFactories() + .add(new BasicAuthResourceFilterFactory(authBuilder.getBasicAuthenticator())); + } registerAppServices(environment); } http://git-wip-us.apache.org/repos/asf/eagle/blob/8d79f088/eagle-server/src/main/java/org/apache/eagle/server/security/BasicAuthRequestFilter.java ---------------------------------------------------------------------- diff --git a/eagle-server/src/main/java/org/apache/eagle/server/security/BasicAuthRequestFilter.java b/eagle-server/src/main/java/org/apache/eagle/server/security/BasicAuthRequestFilter.java index 405bd19..dffc197 100644 --- a/eagle-server/src/main/java/org/apache/eagle/server/security/BasicAuthRequestFilter.java +++ b/eagle-server/src/main/java/org/apache/eagle/server/security/BasicAuthRequestFilter.java 
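Review bot: With the new `isEnabled()` guard, a deployment that has authentication disabled silently loses every check the filter performs — per the BasicAuthRequestFilter hunk below that includes the `@DenyAll` handling, not only credential validation — and nothing records that state at startup. I would make it visible where the registration is skipped, e.g. an `else` branch with `LOG.warn("Authentication is disabled; BasicAuthResourceFilterFactory not registered, REST resources are unprotected");` (assuming ServerApplication has a logger, which is outside this hunk). Note also that `authBuilder.getBasicAuthProvider()` is still registered unconditionally on the line above the guard; if that is intentional, a one-line comment saying the provider is harmless without the filter would save the next reader from wondering whether the two should be gated together.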
@@ -94,39 +94,50 @@ public class BasicAuthRequestFilter implements ContainerRequestFilter { @Override public ContainerRequest filter(ContainerRequest containerRequest) { - if (!isSecurityDefined) { - return containerRequest; - } - //Access denied for all - - if (hasDenyAllAnnotation) { - throw new WebApplicationException(ALL_ACCESS_DENIED); - } - - //Get request headers - final MultivaluedMap<String, String> headers = containerRequest.getRequestHeaders(); + try { + if (!isSecurityDefined) { + return containerRequest; + } + //Access denied for all - //Fetch authorization header - final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY); + if (hasDenyAllAnnotation) { + throw new WebApplicationException(ALL_ACCESS_DENIED); + } - //If no authorization information present; block access - if ((authorization == null || authorization.isEmpty()) && isAuthRequired) { - throw new WebApplicationException(UNAUTHORIZED_ACCESS_DENIED); - } + //Get request headers + final MultivaluedMap<String, String> headers = containerRequest.getRequestHeaders(); - if (authorization != null) { - //Get encoded username and password - final String encodedUserPassword = authorization.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", ""); + //Fetch authorization header + final List<String> authorization = headers.get(AUTHORIZATION_PROPERTY); - //Decode username and password - String usernameAndPassword = new String(Base64.decode(encodedUserPassword.getBytes())); + //If no authorization information present; block access + if ((authorization == null || authorization.isEmpty()) && isAuthRequired) { + throw new WebApplicationException(UNAUTHORIZED_ACCESS_DENIED); + } - //Split username and password tokens - final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); - final String username = tokenizer.nextToken(); - final String password = tokenizer.nextToken(); + if (authorization != null) { + //Get encoded username and password + final String encodedUserPassword = 
authorization.get(0).replaceFirst(AUTHENTICATION_SCHEME + " ", ""); + + //Decode username and password + String usernameAndPassword = new String(Base64.decode(encodedUserPassword.getBytes())); + + //Split username and password tokens + final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":"); + final String username = tokenizer.hasMoreElements() ? tokenizer.nextToken() : null; + final String password = tokenizer.hasMoreElements() ? tokenizer.nextToken() : null; + + if (username == null || password == null) { + if (this.isSecurityDefined) { + throw new WebApplicationException(RESTResponse.builder() + .status(false, Response.Status.FORBIDDEN) + .message("Access forbidden, invalid username or password") + .build()); + } else { + return containerRequest; + } + } - try { Optional<User> userOptional = this.authenticator.authenticate(new BasicCredentials(username, password)); if (userOptional.isPresent()) { User user = userOptional.get(); @@ -166,11 +177,13 @@ public class BasicAuthRequestFilter implements ContainerRequestFilter { } else { throw new WebApplicationException(UNAUTHORIZED_ACCESS_DENIED); } - } catch (AuthenticationException e) { - LOG.error("Server authentication error: " + e.getMessage(), e); - throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR) - .entity("Server authentication error: " + e.getMessage()).build()); } + } catch (WebApplicationException e) { + throw e; + } catch (Exception e) { + LOG.error("Server authentication error: " + e.getMessage(), e); + throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR) + .entity("Server authentication error: " + e.getMessage()).build()); } return containerRequest; }
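Review bot: The rewritten username/password split still breaks for any password containing a colon — `StringTokenizer(usernameAndPassword, ":")` yields only the segment between the first two colons, so "alice:p:ss" is authenticated with password "p", "alice::x" with "x", and an empty password ("alice:") now becomes null and a 403, whereas RFC 7617 splits at the first colon only. I would drop the tokenizer for `final int sep = usernameAndPassword.indexOf(':');` / `final String username = sep < 0 ? null : usernameAndPassword.substring(0, sep);` / `final String password = sep < 0 ? null : usernameAndPassword.substring(sep + 1);`, and pass `StandardCharsets.UTF_8` to both `getBytes()` and `new String(...)`, since the platform default charset is used for the credential bytes now. The `replaceFirst(AUTHENTICATION_SCHEME + " ", "")` above it never verifies that the header actually starts with the Basic scheme, so a "Bearer ..." or other token is base64-decoded and handed to the authenticator as if it were credentials; a `startsWith` check that throws UNAUTHORIZED_ACCESS_DENIED otherwise closes that. In the new null-check, `if (this.isSecurityDefined)` is always true because the method already returned on `!isSecurityDefined` at the top, and a malformed header is arguably the existing 401 (UNAUTHORIZED_ACCESS_DENIED) rather than a new 403 with a different body shape. The `filter` method continues past this hunk.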
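Review bot: The new catch-all `catch (Exception e)` returns `e.getMessage()` to the caller in the 500 body, which exposes internal detail (authenticator or backend error text) to unauthenticated clients; keep the detail in the log line and send a fixed body, e.g. `.entity("Server authentication error").build());`. Because `Base64.decode` now sits inside the same try, a malformed Authorization header sent by a client is also reported as a 500 and logged at ERROR with a full stack trace if the Base64 implementation in use rejects bad input, so any client can fill the log and the status misattributes a client error as a server one; I would catch that decode failure separately (or validate the header before decoding) and answer with UNAUTHORIZED_ACCESS_DENIED. The `catch (WebApplicationException e) { throw e; }` re-throw is fine as written. The enclosing `filter` method starts outside this hunk.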
