[OpenbravoERP-commits] devel/pi: related to issue 35164: code review improvements

Tue, 12 Sep 2017 00:30:13 -0700 

details:   https://code.openbravo.com/erp/devel/pi/rev/93aa822ffff3
changeset: 32667:93aa822ffff3
user:      Carlos Aristu <carlos.aristu <at> openbravo.com>
date:      Tue Sep 12 09:21:01 2017 +0200
summary:   related to issue 35164: code review improvements

  - Initialize the ThreadLocal variable (loginName) on every call to 
authenticate. Thus, we ensure that its value is cleaned up when Tomcat reuses a 
thread.
  - Use new UserLoginInfo to keep the login credentials instead of using a map.

diffstat:

 src/org/openbravo/authentication/AuthenticationManager.java              |  61 
+++++++--
 src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java |   7 
+-
 2 files changed, 46 insertions(+), 22 deletions(-)

diffs (155 lines):

diff -r 93358be727d8 -r 93aa822ffff3 
src/org/openbravo/authentication/AuthenticationManager.java
--- a/src/org/openbravo/authentication/AuthenticationManager.java       Fri Sep 
08 14:49:36 2017 +0200
+++ b/src/org/openbravo/authentication/AuthenticationManager.java       Tue Sep 
12 09:21:01 2017 +0200
@@ -20,8 +20,6 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
-import java.util.HashMap;
-import java.util.Map;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -65,8 +63,6 @@
   private static final String SUCCESS_SESSION_CONNECTOR = "WSC";
   private static final String FAILED_SESSION = "F";
 
-  protected static final String LOGIN_USER = "loginUser";
-  protected static final String LOGIN_PASS = "loginPass";
   protected static final String LOGIN_PARAM = "user";
   protected static final String PASSWORD_PARAM = "password";
   public static final String STATELESS_REQUEST_PARAMETER = "stateless";
@@ -177,6 +173,8 @@
       localAdress = HttpBaseUtils.getLocalAddress(request);
     }
 
+    loginName.set("");
+
     final String userId = doAuthenticate(request, response);
 
     if (AuthenticationManager.isStatelessRequest(request)) {
@@ -349,7 +347,7 @@
       dbSessionId = vars.getSessionValue(AD_SESSION_ID_ATTR);
     }
     if (StringUtils.isEmpty(dbSessionId)) {
-      String userName = (loginName != null && loginName.get() != null) ? 
loginName.get() : "";
+      String userName = loginName.get() != null ? loginName.get() : "";
       dbSessionId = createDBSession(request, userName, userId, 
successSessionType);
       if (setSession && vars != null) {
         vars.setSessionValue(AD_SESSION_ID_ATTR, dbSessionId);
@@ -412,16 +410,16 @@
    *         </ul>
    */
   protected String doWebServiceAuthenticate(HttpServletRequest request) {
-    Map<String, String> authenticationData = getAuthenticationData(request);
+    UserLoginInfo authenticationData = getAuthenticationData(request);
     if (authenticationData == null) {
       return null;
     }
-    String user = authenticationData.get(LOGIN_USER);
-    String password = authenticationData.get(LOGIN_PASS);
+    String user = authenticationData.getUserName();
+    String password = authenticationData.getPassword();
     return doWebServiceAuthenticate(user, password);
   }
 
-  private Map<String, String> getAuthenticationData(HttpServletRequest 
request) {
+  private UserLoginInfo getAuthenticationData(HttpServletRequest request) {
     String login = request.getParameter(BaseWebServiceServlet.LOGIN_PARAM);
     if (StringUtils.isEmpty(login)) {
       login = request.getParameter(LOGIN_PARAM);
@@ -431,15 +429,21 @@
       password = request.getParameter(PASSWORD_PARAM);
     }
     if (login != null && password != null) {
-      Map<String, String> authenticationData = new HashMap<>();
-      authenticationData.put(LOGIN_USER, login);
-      authenticationData.put(LOGIN_PASS, password);
-      return authenticationData;
+      return new UserLoginInfo(login, password);
     }
     return decodeBasicAuthenticationData(request);
   }
 
-  protected final Map<String, String> 
decodeBasicAuthenticationData(HttpServletRequest request) {
+  /**
+   * Retrieves the login credentials (user and password) from the basic 
authentication present in a
+   * HttpServletRequest.
+   * 
+   * @param HttpServletRequest
+   *          the request that contains the basic authentication credentials
+   * @return a UserLoginInfo that contains the decoded credentials (user and 
password) or
+   *         <b>null</b> if is not possible to retrieve the credentials.
+   */
+  protected final UserLoginInfo 
decodeBasicAuthenticationData(HttpServletRequest request) {
     try {
       final String auth = request.getHeader("Authorization");
       if (auth == null) {
@@ -458,10 +462,10 @@
       if (index == -1) {
         return null;
       }
-      Map<String, String> authenticationData = new HashMap<>();
-      authenticationData.put(LOGIN_USER, decodedUserPass.substring(0, index));
-      authenticationData.put(LOGIN_PASS, decodedUserPass.substring(index + 1));
-      return authenticationData;
+
+      String user = decodedUserPass.substring(0, index);
+      String password = decodedUserPass.substring(index + 1);
+      return new UserLoginInfo(user, password);
     } catch (final Exception e) {
       throw new OBException(e);
     }
@@ -565,6 +569,27 @@
   }
 
   /**
+   * A class used to keep and recover the login credentials (user and password)
+   */
+  protected class UserLoginInfo {
+    private String userName;
+    private String password;
+
+    public UserLoginInfo(String userName, String password) {
+      this.userName = userName;
+      this.password = password;
+    }
+
+    public String getUserName() {
+      return userName;
+    }
+
+    public String getPassword() {
+      return password;
+    }
+  }
+
+  /**
    * To annotate a certain webservice/service as being stateless, i.e. not 
creating or keeping a
    * http session on the server
    * 
diff -r 93358be727d8 -r 93aa822ffff3 
src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java
--- a/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java  
Fri Sep 08 14:49:36 2017 +0200
+++ b/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java  
Tue Sep 12 09:21:01 2017 +0200
@@ -15,7 +15,6 @@
 import java.io.IOException;
 import java.util.Calendar;
 import java.util.Date;
-import java.util.Map;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -94,10 +93,10 @@
 
       if (StringUtils.isEmpty(user)) {
         // try basic authentication
-        Map<String, String> authenticationData = 
decodeBasicAuthenticationData(request);
+        UserLoginInfo authenticationData = 
decodeBasicAuthenticationData(request);
         if (authenticationData != null) {
-          user = authenticationData.get(LOGIN_USER);
-          pass = authenticationData.get(LOGIN_PASS);
+          user = authenticationData.getUserName();
+          pass = authenticationData.getPassword();
         }
       }
     }

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openbravo-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openbravo-commits

Reply via email to