details:   https://code.openbravo.com/erp/devel/pi/rev/200a7c792da2
changeset: 31506:200a7c792da2
user:      Martin Taal <martin.taal <at> openbravo.com>
date:      Wed Feb 08 09:40:46 2017 +0100
summary:   Fixes issue 35171: Support basic authentication in the default 
authentication manager
Add basic authentication support to DefaultAuthenticationManager

details:   https://code.openbravo.com/erp/devel/pi/rev/1605b906892b
changeset: 31507:1605b906892b
user:      Martin Taal <martin.taal <at> openbravo.com>
date:      Wed Feb 08 09:41:56 2017 +0100
summary:   Fixes issue 35172: In case of stateless request make sure OBContext 
is set
Prevent VariableBase from creating a session in case of stateless request
Set the OBContext explicitly in case of stateless request
Add a log statement in case a session is created in case of a stateless request

diffstat:

 src-core/src/org/openbravo/base/VariablesBase.java                       |   9 
+-
 src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java |  41 
++++++++-
 src/org/openbravo/base/secureApp/HttpSecureAppServlet.java               |   6 
+
 src/org/openbravo/erpCommon/security/SessionListener.java                |   9 
+-
 4 files changed, 54 insertions(+), 11 deletions(-)

diffs (182 lines):

diff -r 5219c0d19faf -r 1605b906892b 
src-core/src/org/openbravo/base/VariablesBase.java
--- a/src-core/src/org/openbravo/base/VariablesBase.java        Tue Feb 07 
10:12:15 2017 -0500
+++ b/src-core/src/org/openbravo/base/VariablesBase.java        Wed Feb 08 
09:41:56 2017 +0100
@@ -1,6 +1,6 @@
 /*
  
************************************************************************************
- * Copyright (C) 2001-2016 Openbravo S.L.U.
+ * Copyright (C) 2001-2017 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at 
http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  
distributed
@@ -76,7 +76,7 @@
       this.session = new HttpSessionWrapper();
       this.isMultipart = false;
     } else {
-      this.session = request.getSession(true);
+      this.session = request.getSession(!isStatelessRequest(request));
       this.httpRequest = request;
       this.isMultipart = ServletFileUpload.isMultipartContent(new 
ServletRequestContext(request));
       if (isMultipart) {
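Review bot: With the new `request.getSession(!isStatelessRequest(request))`, a stateless request that has no existing session now leaves `this.session` null, whereas before it was always non-null; every later use of `session` in this class needs a null guard or this branch needs a stand-in. Line 51 already uses `new HttpSessionWrapper()` when there is no request, so if that wrapper is meant as a no-session placeholder the same fallback fits here: `this.session = request.getSession(!isStatelessRequest(request));` followed by `if (this.session == null) { this.session = new HttpSessionWrapper(); }`. The enclosing constructor starts and ends outside this hunk, so I cannot see which members dereference `session`.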
@@ -94,6 +94,11 @@
     }
   }
 
+  private boolean isStatelessRequest(HttpServletRequest request) {
+    return "true".equals(request.getParameter("stateless"))
+        || "true".equals(request.getAttribute("stateless"));
+  }
+
   /**
    * Overloaded constructor, used to prevent session removal in case of 
multipart requests.
    * 
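Review bot: `isStatelessRequest` is undocumented and appears to duplicate `AuthenticationManager.isStatelessRequest`, which the SessionListener hunk in this same changeset calls; if the src-core/src layering is what prevents reusing it, a Javadoc such as `/** Mirrors AuthenticationManager.isStatelessRequest (not reachable from src-core); keep both in sync. */` makes that dependency explicit. Note also that `request.getAttribute("stateless")` returns an Object, so `"true".equals(...)` only matches a String attribute and silently ignores a `Boolean.TRUE` set by a filter; document that the attribute must be the string `"true"` or compare with `String.valueOf(...)`.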
diff -r 5219c0d19faf -r 1605b906892b 
src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java  
Tue Feb 07 10:12:15 2017 -0500
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java  
Wed Feb 08 09:41:56 2017 +0100
@@ -1,6 +1,6 @@
 /*
  
************************************************************************************
- * Copyright (C) 2001-2016 Openbravo S.L.U.
+ * Copyright (C) 2001-2017 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at 
http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  
distributed
@@ -21,6 +21,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.hibernate.criterion.Restrictions;
@@ -28,6 +29,7 @@
 import org.openbravo.authentication.AuthenticationExpirationPasswordException;
 import org.openbravo.authentication.AuthenticationManager;
 import org.openbravo.base.HttpBaseUtils;
+import org.openbravo.base.exception.OBException;
 import org.openbravo.base.secureApp.LoginUtils;
 import org.openbravo.base.secureApp.VariablesHistory;
 import org.openbravo.base.secureApp.VariablesSecureApp;
@@ -78,7 +80,7 @@
 
     VariablesHistory variables = new VariablesHistory(request);
     String user;
-    String pass;
+    String pass = null;
     // Begins code related to login process
     if (resetPassword) {
       User userOB = OBDal.getInstance().get(User.class, sUserId);
@@ -88,11 +90,35 @@
       if (StringUtils.isEmpty(user)) {
         user = vars.getStringParameter(BaseWebServiceServlet.LOGIN_PARAM);
       }
+
+      if (StringUtils.isEmpty(user)) {
+        // try basic authentication
+        try {
+          final String auth = request.getHeader("Authorization");
+          if (auth != null && auth.toUpperCase().startsWith("BASIC ")) {
+            // user and password come after BASIC
+            final String userpassEncoded = auth.substring(6);
+            // Decode it, using any base 64 decoder
+            final String decodedUserPass = new String(
+                Base64.decodeBase64(userpassEncoded.getBytes()));
+            final int index = decodedUserPass.indexOf(":");
+            if (index != -1) {
+              user = decodedUserPass.substring(0, index);
+              pass = decodedUserPass.substring(index + 1);
+            }
+          }
+        } catch (final Exception e) {
+          throw new OBException(e);
+        }
+      }
     }
-    pass = vars.getStringParameter(PASSWORD_PARAM);
     if (StringUtils.isEmpty(pass)) {
-      pass = vars.getStringParameter(BaseWebServiceServlet.PASSWORD_PARAM);
+      pass = vars.getStringParameter(PASSWORD_PARAM);
+      if (StringUtils.isEmpty(pass)) {
+        pass = vars.getStringParameter(BaseWebServiceServlet.PASSWORD_PARAM);
+      }
     }
+
     username = user;
     if (StringUtils.isEmpty(user)) {
       // redirects to the menu or the menu with the target
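Review bot: The decode `new String(Base64.decodeBase64(userpassEncoded.getBytes()))` relies on the platform default charset twice, so a non-ASCII password decodes differently depending on the JVM's file.encoding; if the bundled commons-codec is 1.4 or newer this should be `new String(Base64.decodeBase64(userpassEncoded), StandardCharsets.UTF_8)` (with a `java.nio.charset.StandardCharsets` import). The `catch (final Exception e)` around it turns any oddity in a client-sent header into an `OBException` instead of a plain authentication failure, and since nothing in the block throws a checked exception the try/catch can be dropped or at least narrowed. `auth.toUpperCase()` should also be `auth.toUpperCase(Locale.ROOT)` so the `BASIC ` check is not locale-dependent. The enclosing method starts and ends outside this hunk.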
@@ -172,16 +198,15 @@
   }
 
   /**
-   * Checks the expiration password date from userId, throws
-   * AuthenticationExpirationPasswordException in case that expiration date is 
reached
+   * Checks the expiration password date from userId, throws 
AuthenticationExpirationPasswordException in case that expiration
+   * date is reached
    * 
    * @param userId
    *          The userId of the user to check expiration password date
    * @param language
    *          Default language for the user
    * @throws AuthenticationExpirationPasswordException
-   *           AuthenticationExpirationPasswordException is thrown in case 
that expiration date is
-   *           reached
+   *           AuthenticationExpirationPasswordException is thrown in case 
that expiration date is reached
    * 
    */
   private void checkIfPasswordExpired(String userId, String language)
diff -r 5219c0d19faf -r 1605b906892b 
src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
--- a/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Tue Feb 
07 10:12:15 2017 -0500
+++ b/src/org/openbravo/base/secureApp/HttpSecureAppServlet.java        Wed Feb 
08 09:41:56 2017 +0100
@@ -69,6 +69,7 @@
 import org.openbravo.model.ad.ui.Tab;
 import org.openbravo.model.ad.ui.WindowTrl;
 import org.openbravo.service.db.DalConnectionProvider;
+import org.openbravo.service.web.UserContextCache;
 import org.openbravo.utils.FileUtility;
 import org.openbravo.utils.Replace;
 import org.openbravo.xmlEngine.XmlDocument;
@@ -222,6 +223,11 @@
         if (areThereLicenseRestrictions(null)) {
           throw new AuthenticationException("No valid license");
         }
+        // make sure that there is an OBContext for the logged in user also in 
case of stateless requests
+        if (OBContext.getOBContext() == null
+            || 
!strUserAuth.equals(OBContext.getOBContext().getUser().getId())) {
+          
OBContext.setOBContext(UserContextCache.getInstance().getCreateOBContext(strUserAuth));
+        }
         super.serviceInitialized(request, response);
         return;
       }
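Review bot: The added guard calls `OBContext.getOBContext()` three times and, unlike its comment suggests, runs for every authenticated request rather than only stateless ones; a local makes both the intent and the cost clearer: `final OBContext ctx = OBContext.getOBContext();` then `if (ctx == null || !strUserAuth.equals(ctx.getUser().getId())) {`. If `ctx.getUser()` can be null for a context reached here, the second operand needs its own guard, which I cannot tell from this hunk. The context taken from `UserContextCache` is presumably bound to the current thread, so it is worth confirming that something clears it once a stateless request completes. The enclosing method continues outside the hunk.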
diff -r 5219c0d19faf -r 1605b906892b 
src/org/openbravo/erpCommon/security/SessionListener.java
--- a/src/org/openbravo/erpCommon/security/SessionListener.java Tue Feb 07 
10:12:15 2017 -0500
+++ b/src/org/openbravo/erpCommon/security/SessionListener.java Wed Feb 08 
09:41:56 2017 +0100
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2009-2016 Openbravo SLU 
+ * All portions are Copyright (C) 2009-2017 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -33,6 +33,8 @@
 import javax.servlet.http.HttpSessionListener;
 
 import org.apache.log4j.Logger;
+import org.openbravo.authentication.AuthenticationManager;
+import org.openbravo.client.kernel.RequestContext;
 import org.openbravo.database.ConnectionProvider;
 import org.openbravo.database.SessionInfo;
 
@@ -152,6 +154,11 @@
       activeHttpSessions.add(event.getSession());
     }
 
+    if (RequestContext.get().getRequest() != null
+        && 
AuthenticationManager.isStatelessRequest(RequestContext.get().getRequest())) {
+      log.error("Request is stateless, still a session is created ", new 
Exception());
+    }
+
     log.debug("Session created. Active sessions count: " + 
activeHttpSessions.size());
   }
 
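Review bot: `log.error("Request is stateless, still a session is created ", new Exception())` emits a full synthetic stack trace at ERROR level on every session created for a request flagged stateless, and per the VariablesBase hunk that flag can come from the `stateless` request parameter, so the volume of this entry is not under the server's control; WARN is the more appropriate level for a diagnostic that is not an application failure, and the trailing space in the message should go. `RequestContext.get().getRequest()` is also evaluated twice in the condition; if `HttpServletRequest` is in scope, `final HttpServletRequest req = RequestContext.get().getRequest();` followed by `if (req != null && AuthenticationManager.isStatelessRequest(req)) {` reads better.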
