Author: kwall
Date: Fri Feb 12 13:49:38 2016
New Revision: 1730025
URL: http://svn.apache.org/viewvc?rev=1730025&view=rev
Log:
QPID-7028: [Java Broker] OAuth2 - Report failure to authorise the user with 403
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java?rev=1730025&r1=1730024&r2=1730025&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/SecurityManager.java
Fri Feb 12 13:49:38 2016
@@ -304,7 +304,7 @@ public class SecurityManager
}
}))
{
- throw new AccessControlException("User not authorised for
management");
+ throw new AccessControlException("User is not authorised for
management");
}
}
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java?rev=1730025&r1=1730024&r2=1730025&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2UserPrincipal.java
Fri Feb 12 13:49:38 2016
@@ -82,4 +82,10 @@ public class OAuth2UserPrincipal impleme
result = 31 * result + _name.hashCode();
return result;
}
+
+ @Override
+ public String toString()
+ {
+ return getName();
+ }
}
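Review bot: The new `toString()` has no comment recording why it was added, and nothing in this hunk ties it to a purpose; the OAuth2InteractiveAuthenticator change in the same commit logs `authenticationResult.getMainPrincipal()`, which presumably relies on this override so the log line shows the user name rather than the default `Class@hash` form. A one-line Javadoc would make that dependency explicit: `/** Returns the principal name, so the principal reads as the user when it is logged. */`. The enclosing `OAuth2UserPrincipal` class starts outside the hunk.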
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java?rev=1730025&r1=1730024&r2=1730025&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
(original)
+++
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
Fri Feb 12 13:49:38 2016
@@ -22,6 +22,7 @@ package org.apache.qpid.server.managemen
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
+import java.security.AccessControlException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Enumeration;
@@ -159,13 +160,23 @@ public class OAuth2InteractiveAuthentica
public void handleAuthentication(final HttpServletResponse
response) throws IOException
{
AuthenticationResult authenticationResult =
oauth2Provider.authenticateViaAuthorizationCode(authorizationCode, redirectUri);
- createSubject(authenticationResult);
+ try
+ {
+ Subject subject =
createSubject(authenticationResult);
+ authoriseManagement(subject);
+
HttpManagementUtil.saveAuthorisedSubject(httpSession, subject);
- LOGGER.debug("Successful login. Redirect to original
resource {}", originalRequestUri);
- response.sendRedirect(originalRequestUri);
+ LOGGER.debug("Successful login. Redirect to
original resource {}", originalRequestUri);
+ response.sendRedirect(originalRequestUri);
+ }
+ catch (AccessControlException e)
+ {
+ LOGGER.info("User '{}' is not authorised for
management", authenticationResult.getMainPrincipal());
+ response.sendError(403, "User is not authorised
for management");
+ }
}
- private void createSubject(final AuthenticationResult
authenticationResult)
+ private Subject createSubject(final AuthenticationResult
authenticationResult)
{
SubjectCreator subjectCreator =
oauth2Provider.getSubjectCreator(request.isSecure());
SubjectAuthenticationResult result =
subjectCreator.createResultWithGroups(authenticationResult);
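Review bot: `response.sendError(403, ...)` in the new catch block uses a bare status number where the servlet API already provides a named constant; `response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not authorised for management");` reads as intent rather than a magic value, and the method already receives an `HttpServletResponse`. The ordering inside the `try` is right for an authorisation check: `authoriseManagement(subject)` runs before `HttpManagementUtil.saveAuthorisedSubject(httpSession, subject)`, so a refused user never has an authorised subject stored in the session. The `try` also wraps `createSubject(authenticationResult)`, so an `AccessControlException` raised during subject creation would be logged and reported identically to a management-authorisation refusal; if that is not intended, narrow the `try` to the `authoriseManagement` call. The info-level log of the refused principal is a useful audit trail for denied management logins, but confirm that info is retained in the broker's normal log configuration, otherwise these denials will not be visible. The enclosing anonymous class continues past the hunk.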
@@ -184,11 +195,13 @@ public class OAuth2InteractiveAuthentica
original.getPrivateCredentials());
subject.getPrincipals().add(new
ServletConnectionPrincipal(request));
subject.setReadOnly();
+ return subject;
+ }
+ private void authoriseManagement(final Subject subject)
+ {
Broker broker = (Broker)
oauth2Provider.getParent(Broker.class);
HttpManagementUtil.assertManagementAccess(broker.getSecurityManager(), subject);
-
- HttpManagementUtil.saveAuthorisedSubject(httpSession,
subject);
}
};
}
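Review bot: The new `authoriseManagement(final Subject subject)` method documents nothing about its failure mode, yet its caller depends on it: the catch in `handleAuthentication` expects an `AccessControlException`, and here that exception presumably originates in `HttpManagementUtil.assertManagementAccess(...)`, whose implementation this hunk does not show. A Javadoc such as `/** Checks the subject's management access against the broker's SecurityManager; expected to throw AccessControlException when access is refused. */` would pin the contract at the point it is relied upon. Since the removed `saveAuthorisedSubject` call moved to the caller, the method now only checks and never stores session state, which is worth stating as well. The method body is fully inside the hunk, but the enclosing anonymous class begins outside it.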