Alon Bar-Lev has uploaded a new change for review. Change subject: aaa: filters: enable accept engine session using header ......................................................................
aaa: filters: enable accept engine session using header new header OVIRT-INTERNAL-ENGINE-AUTH-TOKEN accepts token that contains engine session id. a new query GetEngineSessionIdToken returns this token. ui should use the new query and apply the header to avoid double login. this may be temporary solution for 3.5 life cycle, as such applied only for restapi. when engine session is invalidated, all instances that used it are also invalidated. Change-Id: I028082cced7043b5af0b9fa7b0548ba888996e9d Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1161734 Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1161730 Signed-off-by: Alon Bar-Lev <[email protected]> --- A backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java M backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java A backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml 6 files changed, 106 insertions(+), 14 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/46/35246/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java
new file mode 100644
index 0000000..5640776
--- /dev/null
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/EngineSessionTokenAuthenticationFilter.java
@@ -0,0 +1,37 @@
+package org.ovirt.engine.core.aaa.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.ovirt.engine.core.common.constants.SessionConstants;
+
+public class EngineSessionTokenAuthenticationFilter implements Filter {
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
+ ServletException {
+ HttpServletRequest req = (HttpServletRequest) request;
+ if (!FiltersHelper.isAuthenticated(req)) {
+ String token = req.getHeader(FiltersHelper.Constants.HEADER_ENGINE_AUTH_TOKEN);
+ if (token != null) {
+ request.setAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY, FiltersHelper.getTokenContent(token));
+ }
+ }
+ chain.doFilter(request, response);
+ }
+
+ @Override
+ public void destroy() {
+ }
+}
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
index be0ed25..69f70f3 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java
@@ -23,6 +23,7 @@
 public static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
 public static final String HEADER_PREFER = "Prefer";
 public static final String HEADER_JSESSIONID_COOKIE = "JSESSIONID";
+ public static final String HEADER_ENGINE_AUTH_TOKEN = "OVIRT-INTERNAL-ENGINE-AUTH-TOKEN";
 }
 public static BackendLocal getBackend(Context context) {
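Review bot: In `EngineSessionTokenAuthenticationFilter.doFilter`, `FiltersHelper.getTokenContent(token)` runs on a header value taken from a request that is not yet authenticated, and the `IllegalArgumentException` it throws for a malformed or wrong-version token is not caught. A bad `OVIRT-INTERNAL-ENGINE-AUTH-TOKEN` header therefore surfaces as an unhandled servlet error rather than as an ordinary unauthenticated request; how the container reports that error is not visible in this change. Catch the exception at the call site and leave the request attribute unset so the remaining filters treat the request as unauthenticated, and if the rejection is logged, log it without the token value.
```java
if (token != null) {
    try {
        request.setAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY,
                FiltersHelper.getTokenContent(token));
    } catch (IllegalArgumentException ignored) {
        // Malformed or unsupported token from an unauthenticated caller:
        // leave the attribute unset so the request continues as unauthenticated.
    }
}
// … unchanged: chain.doFilter(request, response) …
```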
@@ -57,4 +58,22 @@
 return false;
 }
+ public static String getTokenInstance(String content) {
+ return String.format("0|%s", content);
+ }
+
+ public static String getTokenContent(String token) {
+ String s[] = token.split("\\|", 2);
+ if (s.length != 2) {
+ throw new IllegalArgumentException("Invalid session token format");
+ }
+ if (!"0".equals(s[0])) {
+ throw new IllegalArgumentException("Invalid session token version");
+ }
+ if (s[1].isEmpty()) {
+ throw new IllegalArgumentException("Invalid session token format");
+ }
+ return s[1];
+ }
+
 }
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
index 6e69fa9..1df5ee7 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java
@@ -3,6 +3,7 @@
 import java.io.IOException;
 import javax.naming.InitialContext;
+import javax.naming.NamingException;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -24,6 +25,18 @@
 private static final Logger log = LoggerFactory.getLogger(SessionValidationFilter.class);
+ private boolean isSessionValid(String session) throws NamingException {
+ InitialContext ctx = new InitialContext();
+ try {
+ VdcQueryReturnValue returnValue =
+ FiltersHelper.getBackend(ctx)
+ .runPublicQuery(VdcQueryType.ValidateSession,
+ new VdcQueryParametersBase(session));
+ return returnValue.getSucceeded();
+ } finally {
+ ctx.close();
+ }
+ }
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
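Review bot: `FiltersHelper.getTokenInstance` and `getTokenContent` define a wire format (`0|` followed by the engine session id) with no Javadoc, and the version literal `"0"` is repeated in both methods. Since the token content is the session id itself, the token is as sensitive as the session and that should be stated where the format is defined. I would add `private static final String TOKEN_VERSION = "0";`, use it in both methods, and give each a Javadoc that describes the `version|content` layout, says `getTokenContent` throws `IllegalArgumentException` on a malformed or unsupported token, and notes that the value must not be logged. `String s[]` would also read better as `String[] parts`.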
@@ -34,26 +47,23 @@
 ServletException {
 boolean doFilter = false;
 try {
+ String requestEngineSession = (String)request.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
+ if (requestEngineSession != null) {
+ if (!isSessionValid(requestEngineSession)) {
+ request.removeAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
+ }
+ }
+
 HttpSession httpSession = ((HttpServletRequest) request).getSession(false);
 if (httpSession != null) {
- String engineSession =
- (String) httpSession.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
- InitialContext ctx = null;
+ String engineSession = (String) httpSession.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY);
 if (engineSession != null) {
- ctx = new InitialContext();
- try {
- VdcQueryReturnValue returnValue =
- FiltersHelper.getBackend(ctx)
- .runPublicQuery(VdcQueryType.ValidateSession,
- new VdcQueryParametersBase(engineSession));
- if (!returnValue.getSucceeded()) {
- httpSession.invalidate();
- }
- } finally {
- ctx.close();
+ if (!isSessionValid(engineSession)) {
+ httpSession.invalidate();
 }
 }
 }
+
 doFilter = true;
 } catch (Exception ex) {
 log.error("An error has occurred while session validation.", ex);
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java
new file mode 100644
index 0000000..8884dd0
--- /dev/null
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetEngineSessionIdTokenQuery.java
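Review bot: In `SessionValidationFilter.doFilter`, a session id that arrived through the request attribute and fails `isSessionValid` is dropped with `request.removeAttribute(...)` and nothing is recorded, so a stale or guessed token presented in the header leaves no trace for whoever reviews the logs. The class already has `log`; adding `log.debug("Engine session supplied in request header failed validation; ignoring it");` inside the `if (!isSessionValid(requestEngineSession))` branch would cover that, without writing the session value itself. The two nested `if` statements can also be merged into `if (requestEngineSession != null && !isSessionValid(requestEngineSession))`. The method body begins and ends outside this hunk, so what happens after the `catch` is not visible here.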
@@ -0,0 +1,16 @@
+package org.ovirt.engine.core.bll.aaa;
+
+import org.ovirt.engine.core.aaa.filters.FiltersHelper;
+import org.ovirt.engine.core.bll.QueriesCommandBase;
+import org.ovirt.engine.core.common.queries.VdcQueryParametersBase;
+
+public class GetEngineSessionIdTokenQuery<P extends VdcQueryParametersBase> extends QueriesCommandBase<P> {
+ public GetEngineSessionIdTokenQuery(P parameters) {
+ super(parameters);
+ }
+
+ protected void executeQueryCommand() {
+ getQueryReturnValue().setReturnValue(FiltersHelper.getTokenInstance(getParameters().getSessionId()));
+ getQueryReturnValue().setSucceeded(true);
+ }
+}
diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
index 83664cd..4c418b5 100644
--- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
+++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/queries/VdcQueryType.java
@@ -152,6 +152,7 @@
 GetDbUserByUserId(VdcQueryAuthType.User),
 GetDbUserByUserNameAndDomain(VdcQueryAuthType.User),
 GetUserBySessionId(VdcQueryAuthType.User),
+ GetEngineSessionIdToken(VdcQueryAuthType.User),
 // Directory queries:
 GetDirectoryUserById(VdcQueryAuthType.User),
diff --git a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
index 2000d40..a2a4b32 100644
--- a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
+++ b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
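Review bot: `GetEngineSessionIdTokenQuery.executeQueryCommand` has neither `@Override` nor any documentation, and its return value is the session id from the query parameters wrapped by `FiltersHelper.getTokenInstance`, which makes it a credential for that session. Add `@Override` above `protected void executeQueryCommand()` and a class Javadoc stating that the returned token grants the same access as the engine session until that session is invalidated, so callers must keep it out of logs and persistent storage. Whether `getParameters().getSessionId()` is always bound to the authenticated caller is decided by the query framework outside this file and is worth confirming, given that the query is registered with `VdcQueryAuthType.User`.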
@@ -46,6 +46,15 @@
 </filter-mapping>
 <filter>
+ <filter-name>EngineSessionTokenAuthenticationFilter</filter-name>
+ <filter-class>org.ovirt.engine.core.aaa.filters.EngineSessionTokenAuthenticationFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>EngineSessionTokenAuthenticationFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+
+ <filter>
 <filter-name>SessionValidationFilter</filter-name>
 <filter-class>org.ovirt.engine.core.aaa.filters.SessionValidationFilter</filter-class>
 </filter>
-- To view, visit http://gerrit.ovirt.org/35246 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I028082cced7043b5af0b9fa7b0548ba888996e9d Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: ovirt-engine-3.5 Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
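Review bot: The position of the new `EngineSessionTokenAuthenticationFilter` mapping in `web.xml` is load-bearing and nothing in the file says so. The filter stores the header-supplied session id in a request attribute, and `SessionValidationFilter`, mapped right after it, is what validates or removes that attribute; if the two mappings are ever reordered, an unvalidated session id would be passed down the chain. I would add a comment above the new `<filter>` element such as `<!-- Must be mapped before SessionValidationFilter, which validates the engine session id this filter takes from the request header -->`. The mappings that precede this hunk are not visible, so the filter's position relative to the other authentication filters should be checked as well.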
