Ravi Nori has uploaded a new change for review. Change subject: restapi : don't set jsessionid cookie when authentication fails(#927140) ......................................................................
restapi : don't set jsessionid cookie when authentication fails(#927140)
Rest APi returns session id when authentication fails and the user makes calls with "prefer: persistent-auth"
Change-Id: I84907ab56e99ebb875124f42345d691edad3cdbe
Bug-Url: https://bugzilla.redhat.com/927140
Signed-off-by: Ravi Nori <[email protected]>
---
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
1 file changed, 13 insertions(+), 11 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/71/13371/1
diff --git a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
index c7e10ee..a1c0ddd 100644
--- a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
+++ b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
@@ -92,10 +92,10 @@
 boolean hasAuthorizationHeader = checkAuthorizationHeader(headers);
 Integer customHttpSessionTtl = getCustomHttpSessionTtl(headers);
- // Will create a new one if it is the first session, and we want to persist sessions
- // (and then the "isNew" test below will return true)
- // Otherwise, it will return null
- httpSession = getCurrentSession(preferPersistentAuth);
+ // Get the current session
+ // For persistent auth we will create a new session if authentication
+ // is successful
+ httpSession = getCurrentSession(false);
 // If the session isn't new and doesn't carry authorization header, we validate it
 if (validator != null && httpSession != null && !httpSession.isNew() && !hasAuthorizationHeader) {
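Review bot: The removed comment was the only place that documented that `getCurrentSession(false)` returns null when no session exists, which the `httpSession != null` test on the next context line and the later `httpSession == null` test in this method rely on; the replacement comment no longer states it. Suggest `// Returns the existing session, or null if there is none; with persistent auth a session is only created further down, once authentication has succeeded`. The enclosing method starts before this hunk and ends after it.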
@@ -107,9 +107,15 @@
 httpSession = getCurrentSession(true);
 }
+ String engineSessionId = SessionUtils.generateEngineSessionId();
 // Authenticate the session
- successful = executeBasicAuthentication(headers, httpSession, preferPersistentAuth);
-
+ successful = executeBasicAuthentication(headers, engineSessionId, preferPersistentAuth);
+ if (successful && httpSession == null) {
+ httpSession = getCurrentSession(true);
+ }
+ if (httpSession != null) {
+ SessionUtils.setEngineSessionId(httpSession, engineSessionId);
+ }
 // Specifies the time, between client requests before the servlet
 // container will invalidate this session. An interval value of zero
 // or less indicates that the session should never timeout.
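Review bot: The added `if (httpSession != null)` block stores the freshly generated `engineSessionId` whenever a session object exists, including when `successful` is false, so a request that presents an existing session cookie together with an Authorization header that fails validation overwrites that session's engine session id with one the validator rejected. If the intent of the change is that a failed authentication leaves session state untouched, the guard should also test the outcome: `if (successful && httpSession != null) {`. The old code stored the id unconditionally inside executeBasicAuthentication as well, so this is not a regression, but the new layout makes the extra check a one-word change; what a stale or rejected id means to later session validation is not visible here and would be worth confirming. The enclosing method starts before this hunk and ends after it.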
@@ -164,13 +170,9 @@
 * This method executes the basic authentication, and returns true whether it was successful and false otherwise.
 * It also sets the logged-in principal and the challenger object in the Current object
 */
- private boolean executeBasicAuthentication(HttpHeaders headers, HttpSession httpSession, boolean preferPersistentAuth) {
+ private boolean executeBasicAuthentication(HttpHeaders headers, String engineSessionId, boolean preferPersistentAuth) {
 boolean successful = false;
 List<String> auth = headers.getRequestHeader(HttpHeaders.AUTHORIZATION);
-
- String engineSessionId = SessionUtils.generateEngineSessionId();
- SessionUtils.setEngineSessionId(httpSession, engineSessionId);
-
 if (auth != null && auth.size() != 0) {
 Principal principal = scheme.decode(headers);
 if (validator == null || validator.validate(principal, engineSessionId)) {
--
To view, visit http://gerrit.ovirt.org/13371
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I84907ab56e99ebb875124f42345d691edad3cdbe
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
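Review bot: The Javadoc above the changed signature still describes the old contract: it says nothing about the new `engineSessionId` parameter, and now that the `SessionUtils.setEngineSessionId` call has moved to the caller the method no longer records anything on the HTTP session. Add `@param engineSessionId engine session id generated by the caller and handed to the validator; storing it on the HTTP session is the caller's responsibility` and `@return true if authentication succeeded, false otherwise`. The method body continues past the end of this hunk.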
