Alon Bar-Lev has posted comments on this change. Change subject: aaa: Intorduce filters ......................................................................
Patch Set 21: (14 comments) http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java: Line 58: creds = new String( Line 59: Base64.decodeBase64(headerValue.substring("Basic".length())), Line 60: Charset.forName("UTF-8") Line 61: ).split(":", 2); Line 62: } catch (Throwable th) { juan always suggest to catch Exception for all and not Throwable to not catch class not found and such. Line 63: log.error("Error in decoding ", th); Line 64: } Line 65: if (creds != null && creds.length == 2) { Line 66: handleCredentials(req, creds[0], creds[1]); Line 107: ) Line 108: ); Line 109: if (outputMap.<Integer> get(Base.InvokeKeys.RESULT) == Base.InvokeResult.SUCCESS && Line 110: outputMap.<Integer> get(Authn.InvokeKeys.RESULT) == Authn.AuthResult.SUCCESS) { Line 111: request.getSession(true); no... create it only when actually needed. Line 112: request.setAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY, Line 113: outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD)); Line 114: request.setAttribute(FiltersHelper.Constants.REQUEST_PROFILE_KEY, userProfile.profile); Line 115: } else { http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java: Line 38: } Line 39: Line 40: public static boolean isAuthenticated(HttpServletRequest request) { Line 41: HttpSession session = request.getSession(false); Line 42: return session != null && session.getAttribute(Constants.SESSION_ENGINE_SESSION_ID_KEY) != null; no... always check for value as well for security variables. it is right that if absent it is false.... but if exists value must be checked. Line 43: } Line 44: http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/ForceLoginFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/ForceLoginFilter.java: Line 21: private String additionalSchemes; Line 22: Line 23: @Override Line 24: public void init(FilterConfig filterConfig) throws ServletException { Line 25: additionalSchemes = filterConfig.getInitParameter("schemes"); // Additional schemes, not reported by extensions perform the split here if needed, set to empty to avoid null conditionals if none. Line 26: } Line 27: Line 28: @Override Line 29: public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, Line 40: if (additionalSchemes != null) { Line 41: allSchemes.addAll(Arrays.asList(additionalSchemes.split(","))); Line 42: } Line 43: for (String scheme: allSchemes) { Line 44: if (scheme.equals("Basic")) { get the entire string as init parameter and just append. Line 45: scheme = "Basic realm=\"ENGINE\""; Line 46: } Line 47: res.setHeader("WWW-Authenticate", scheme); Line 48: } http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/LoginFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/LoginFilter.java: Line 53: params.setSessionId(engineSessionId); Line 54: params.setActionType(loginAsAdmin ? VdcActionType.LoginAdminUser : VdcActionType.LoginUser); Line 55: InitialContext context = new InitialContext(); Line 56: try { Line 57: HttpSession session = req.getSession(true); no need. Line 58: if (FiltersHelper.getBackend(context).login(params).getSucceeded()) { Line 59: session.setAttribute( Line 60: FiltersHelper.Constants.SESSION_AUTHENTICATED_KEY, Line 61: engineSessionId Line 55: InitialContext context = new InitialContext(); Line 56: try { Line 57: HttpSession session = req.getSession(true); Line 58: if (FiltersHelper.getBackend(context).login(params).getSucceeded()) { Line 59: session.setAttribute( here do req.getSession(true).setAttribute() Line 60: FiltersHelper.Constants.SESSION_AUTHENTICATED_KEY, Line 61: engineSessionId Line 62: ); Line 63: } Line 60: FiltersHelper.Constants.SESSION_AUTHENTICATED_KEY, Line 61: engineSessionId Line 62: ); Line 63: } Line 64: VdcQueryReturnValue result = FiltersHelper.getBackend(context).runPublicQuery(VdcQueryType.GetConfigurationValue, how come you continue at negative path of login? Line 65: new GetConfigurationValueParameters(ConfigurationValues.ApplicationMode, ConfigCommon.defaultConfigurationVersion)); Line 66: ApplicationMode appMode = null; Line 67: if (result.getSucceeded()) { Line 68: appMode = ApplicationMode.from((Integer) result.getReturnValue()); Line 68: appMode = ApplicationMode.from((Integer) result.getReturnValue()); Line 69: } Line 70: else { Line 71: appMode = ApplicationMode.AllModes; Line 72: } why do you do anything if failed? Line 73: session.setAttribute(FiltersHelper.Constants.SESSION_APPLICATION_MODE_KEY, appMode); Line 74: } finally { Line 75: context.close(); Line 76: } Line 75: context.close(); Line 76: } Line 77: } Line 78: } Line 79: chain.doFilter(request, response); remove this from try/catch scope Line 80: } catch (Exception ex) { Line 81: log.error(String.format("Error in login to engine. Message is: %1$s", ex.getMessage())); Line 82: ((HttpServletResponse) response).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); Line 83: } http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java: Line 34: try { Line 35: HttpSession httpSession = ((HttpServletRequest) request).getSession(false); Line 36: if (httpSession != null) { Line 37: String engineSession = (String) httpSession.getAttribute(FiltersHelper.Constants.SESSION_ENGINE_SESSION_ID_KEY); Line 38: InitialContext ctx = null; why is this ^ here? Line 39: if (engineSession != null) { Line 40: ctx = new InitialContext(); Line 41: try { Line 42: VdcQueryParametersBase parameters = new VdcQueryParametersBase(); Line 54: ctx.close(); Line 55: } Line 56: } Line 57: } Line 58: chain.doFilter(request, response); remove from try/catch scope Line 59: } catch (Exception ex) { Line 60: String msg = Line 61: String.format("An error has occurred while session validation. Message is %1$s", ex.getMessage()); Line 62: log.error(msg); Line 62: log.error(msg); Line 63: if (log.isDebugEnabled()) { Line 64: log.debug("", ex); Line 65: } Line 66: ((HttpServletResponse) response).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); I see now... in order to remove the doFilter outside of try/catch scope we should have some boolean if to process it... but there is no reason for us to catch exceptions of other filters. Line 67: } Line 68: } Line 69: Line 70: @Override http://gerrit.ovirt.org/#/c/28022/21/backend/manager/modules/aaa/src/main/modules/org/ovirt/engine/core/aaa/main/module.xml File backend/manager/modules/aaa/src/main/modules/org/ovirt/engine/core/aaa/main/module.xml: Line 13 Line 14 Line 15 Line 16 Line 17 if you add commons logging, please remove the slf4j usage from this module. -- To view, visit http://gerrit.ovirt.org/28022 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ia5536d123b6407acf41b6946dde796bd67d1e073 Gerrit-PatchSet: 21 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Barak Azulay <bazu...@redhat.com> Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com> Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com> Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
