Alon Bar-Lev has posted comments on this change. Change subject: aaa: Intorduce filters ......................................................................
Patch Set 24: (12 comments) http://gerrit.ovirt.org/#/c/28022/24/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/LoginFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/LoginFilter.java: Line 34: Line 35: @Override Line 36: public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, Line 37: ServletException { Line 38: boolean doFilter = true; always assume failure! set true only if success. Line 39: try { Line 40: HttpServletRequest req = (HttpServletRequest) request; Line 41: if (!FiltersHelper.isAuthenticated(req)) { Line 42: LoginUserParameters params = null; Line 45: ExtMap authRecord = (ExtMap) request.getAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY); Line 46: if (authRecord != null) { Line 47: String engineSessionId = UUID.randomUUID().toString(); Line 48: params = new LoginUserParameters(profileName, authRecord, engineSessionId); Line 49: params.setActionType(loginAsAdmin ? VdcActionType.LoginAdminUser : VdcActionType.LoginUser); if this should be always set move also to constructor? anyway, why don't you set parameters at the point of actual usage? Line 50: InitialContext context = new InitialContext(); Line 51: try { Line 52: VdcReturnValueBase returnValue = FiltersHelper.getBackend(context).login(params); Line 53: if (returnValue.getSucceeded()) { Line 48: params = new LoginUserParameters(profileName, authRecord, engineSessionId); Line 49: params.setActionType(loginAsAdmin ? VdcActionType.LoginAdminUser : VdcActionType.LoginUser); Line 50: InitialContext context = new InitialContext(); Line 51: try { Line 52: VdcReturnValueBase returnValue = FiltersHelper.getBackend(context).login(params); I always expected here something as: xxxxx.login(new LoginUserParameters(xxxxxx)); anyway, at least see the parameters just above the call if you cannot. Line 53: if (returnValue.getSucceeded()) { Line 54: HttpSession session = req.getSession(true); Line 55: session.setAttribute( Line 56: FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY, Line 56: FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY, Line 57: engineSessionId Line 58: ); Line 59: req.setAttribute(FiltersHelper.Constants.REQUEST_USER_KEY, Line 60: returnValue.getActionReturnValue()); this I still don't like. Line 61: } Line 62: } finally { Line 63: context.close(); Line 64: } http://gerrit.ovirt.org/#/c/28022/24/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/RestApiSessionMgmtFilter.java: Line 33: public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, Line 34: ServletException { Line 35: try { Line 36: HttpServletRequest req = (HttpServletRequest) request; Line 37: boolean persistentAuth = "persistent-auth".equals(req.getHeader("Prefer")); I think that you need to check this in any of the Prefer headers, not only the first one. Line 38: HttpSession session = req.getSession(false); Line 39: if (persistentAuth) { Line 40: if (session == null) { Line 41: try { Line 34: ServletException { Line 35: try { Line 36: HttpServletRequest req = (HttpServletRequest) request; Line 37: boolean persistentAuth = "persistent-auth".equals(req.getHeader("Prefer")); Line 38: HttpSession session = req.getSession(false); this when actually used (within the if) Line 39: if (persistentAuth) { Line 40: if (session == null) { Line 41: try { Line 42: int ttlValue = Integer.parseInt(req.getHeader("Session-TTL")) * SECONDS_IN_MINUTE; Line 47: } catch (NumberFormatException ex) { Line 48: log.error("Session-TTL header was not passed. Not setting TTL value"); Line 49: } Line 50: } Line 51: if ((req.getHeader("Authorization") != null)) { I do not understand... if we have sticky session, why do we care about the authorization header? it can be anything, we keep using our session. Line 52: // No need to pass credentials again - if passed, login should be called Line 53: if (session != null) { Line 54: session.removeAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); Line 55: } Line 50: } Line 51: if ((req.getHeader("Authorization") != null)) { Line 52: // No need to pass credentials again - if passed, login should be called Line 53: if (session != null) { Line 54: session.removeAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); but anyway, you should have invalidated the session. Line 55: } Line 56: } Line 57: } Line 58: chain.doFilter(request, response); Line 52: // No need to pass credentials again - if passed, login should be called Line 53: if (session != null) { Line 54: session.removeAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); Line 55: } Line 56: } I still do not understand where you take the sticky cookie and put it at our current http session, and set the HTTP_SESSION_ENGINE_SESSION_ ID_KEY with valid value. Line 57: } Line 58: chain.doFilter(request, response); Line 59: if (FiltersHelper.isAuthenticated(req)) { Line 60: session = req.getSession(); Line 54: session.removeAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); Line 55: } Line 56: } Line 57: } Line 58: chain.doFilter(request, response); this should be out of the try/catch scope. Line 59: if (FiltersHelper.isAuthenticated(req)) { Line 60: session = req.getSession(); Line 61: String engineSessionId = Line 62: (String) session.getAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); Line 57: } Line 58: chain.doFilter(request, response); Line 59: if (FiltersHelper.isAuthenticated(req)) { Line 60: session = req.getSession(); Line 61: String engineSessionId = why do you need to extract it here? extract only if used, and drop the temp var. Line 62: (String) session.getAttribute(FiltersHelper.Constants.HTTP_SESSION_ENGINE_SESSION_ID_KEY); Line 63: if (!persistentAuth) { Line 64: InitialContext ctx = new InitialContext(); Line 65: try { http://gerrit.ovirt.org/#/c/28022/24/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SessionValidationFilter.java: Line 40: InitialContext ctx = null; Line 41: if (engineSession != null) { Line 42: ctx = new InitialContext(); Line 43: try { Line 44: VdcQueryParametersBase parameters = new VdcQueryParametersBase(engineSession); drop this temp variable Line 45: Line 46: VdcQueryReturnValue returnValue = FiltersHelper.getBackend(ctx) Line 47: .runPublicQuery(VdcQueryType.ValidateSession, parameters); Line 48: if (!returnValue.getSucceeded()) { -- To view, visit http://gerrit.ovirt.org/28022 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ia5536d123b6407acf41b6946dde796bd67d1e073 Gerrit-PatchSet: 24 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Barak Azulay <bazu...@redhat.com> Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com> Gerrit-Reviewer: Oved Ourfali <oourf...@redhat.com> Gerrit-Reviewer: Yair Zaslavsky <yzasl...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
