Alon Bar-Lev has posted comments on this change.

Change subject: core, webadmin: Modify webadmin to use enginesso for authentication
......................................................................


Patch Set 2:

(9 comments)

http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/LogoutUserCommand.java
File backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/LogoutUserCommand.java:

Line 46:         }
Line 47: 
Line 48:         if (SessionDataContainer.getInstance().getUser(getParameters().getSessionId(), false) != null) {
Line 49:             SessionDataContainer.getInstance().removeSessionOnLogout(getParameters().getSessionId());
Line 50:         }
shouldn't this be in master already? or separate patch that is merged now?

but I thought you took care of it in the SessionDataContainer.

Line 51:         setSucceeded(true);
Line 52:     }
Line 53: 
Line 54:     @Override


http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/CreateUserSessionParameters.java
File backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/action/CreateUserSessionParameters.java:

Line 13: 
Line 14:     public CreateUserSessionParameters() {
Line 15:     }
Line 16: 
Line 17:     public void setUser(DbUser user) {
can we avoid using DbXXX when we actually do not need db access?

Line 18:         this.user = user;
Line 19:     }
Line 20: 
Line 21:     public DbUser getUser() {


http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/EngineSSOServlet.java
File backend/manager/modules/enginesso/src/main/java/org/ovirt/engine/core/sso/servlets/EngineSSOServlet.java:

Line 35:             HttpSession existingSession = request.getSession(false);
Line 36:             if (existingSession != null) {
Line 37:                 existingSession.invalidate();
Line 38:             }
Line 39:         }
this should go into previous patch, no? this patch should not touch the sso webapp

not sure I follow what is reauthenticate.

Line 40:         HttpSession session = request.getSession(true);
Line 41:         if (SSOUtils.isUserAuthenticated(session)) {
Line 42:             request.getRequestDispatcher("/sso-redirect").forward(request, response);
Line 43:         } else {


http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOLoginFilter.java
File backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOLoginFilter.java:

Line 41:             ServletException {
Line 42:         HttpServletRequest req = (HttpServletRequest) request;
Line 43:         String url = req.getRequestURL().toString();
Line 44:         if (url.indexOf(loginUrl) != -1) {
Line 45:             request.getRequestDispatcher(loginUrl).forward(request, response);
why can't we do the same by proper uri mapping in web.xml?

Line 46:         } else {
Line 47:             HttpSession session = req.getSession(false);
Line 48:             if (session != null && session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY) != null) {
Line 49:                 if (SSOUtils.isSessionValid((String) session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY))) {


Line 45:             request.getRequestDispatcher(loginUrl).forward(request, response);
Line 46:         } else {
Line 47:             HttpSession session = req.getSession(false);
Line 48:             if (session != null && session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY) != null) {
Line 49:                 if (SSOUtils.isSessionValid((String) session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY))) {
it should not use SSOUtils, it should only care about if user is authenticated in request property.

I thought to avoid using filter at first step, but if you wrote a filter it should be same as any other filter:

FiltersHelper.isAuthenticated(req)

Line 50:                     chain.doFilter(request, response);
Line 51:                 } else {
Line 52:                     ((HttpServletResponse) response).sendRedirect(ssoReauthenticateUrl);
Line 53:                 }


Line 48:             if (session != null && session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY) != null) {
Line 49:                 if (SSOUtils.isSessionValid((String) session.getAttribute(SessionConstants.HTTP_SESSION_ENGINE_SESSION_ID_KEY))) {
Line 50:                     chain.doFilter(request, response);
Line 51:                 } else {
Line 52:                     ((HttpServletResponse) response).sendRedirect(ssoReauthenticateUrl);
this should be done by the login servlet.

the sequence should be the following:

web.xml settings:
  /public/login - servlet
  /public/login-post - servlet
  /private/* - filter

filter logic:
  if not authenticated redirect/dispatch to login servlet, provide current url as return

login servlet logic:
  if not authenticated redirect to sso service, provide two urls:
    1. application return url
    2. post process login url

login-post servlet logic:
  accept user identity sent by sso
  create engine session
  redirect to original application url

Line 53:                 }
Line 54:             } else {
Line 55:                 ((HttpServletResponse) response).sendRedirect(ssoUrl);
Line 56:             }


http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOPermissionsRoleManager.java
File backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOPermissionsRoleManager.java:

Line 19: import java.util.ArrayList;
Line 20: import java.util.List;
Line 21: import java.util.UUID;
Line 22: 
Line 23: public class SSOPermissionsRoleManager {
this is not a servlet... so should go to other location.

Line 24: 
Line 25:     public static final String DATA_SOURCE = "java:/ENGINEDataSource";
Line 26:     private DataSource ds;
Line 27: 


Line 21: import java.util.UUID;
Line 22: 
Line 23: public class SSOPermissionsRoleManager {
Line 24: 
Line 25:     public static final String DATA_SOURCE = "java:/ENGINEDataSource";
1. can't you use the dao for that?
2. can't you use the mla for that?
   a. perform login
   b. check for permission
   c. create the engine session

Line 26:     private DataSource ds;
Line 27: 
Line 28:     public SSOPermissionsRoleManager() {
Line 29:         try {


http://gerrit.ovirt.org/#/c/36619/2/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOUtils.java
File backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/servlet/SSOUtils.java:

too complex for me to review at this point, I think most should be delegated to backend and performed using actions/queries instead of here, but the flow should first be fixed.

Line 1: package org.ovirt.engine.core.utils.servlet;
Line 2: 
Line 3: import org.apache.commons.lang.StringUtils;
Line 4: import org.ovirt.engine.core.common.VdcObjectType;


-- 
To view, visit http://gerrit.ovirt.org/36619
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Iff0aee9d0f5ee606ff7f397cab69017ca7d9df08
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
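The three-step flow the reviewer sketches above (filter, login servlet, login-post servlet), written out as an added Java example that is not part of the change under review or of ovirt-engine. The web.xml mappings, the ENGINE_SESSION_ID attribute name, the SSO URL, and the two abstract methods standing in for SSO verification and engine-session creation are all assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Shared helpers; SESSION_KEY is an assumed name for the session attribute that holds the engine session id.
final class Auth {
    static final String SESSION_KEY = "ENGINE_SESSION_ID";
    static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession s = req.getSession(false); return s != null && s.getAttribute(SESSION_KEY) != null;
    }
    // Accept only an in-application path as the return target, so the login flow cannot serve as an open redirect.
    static String safeReturn(HttpServletRequest req, String ret) {
        return (ret != null && ret.startsWith("/") && !ret.startsWith("//")) ? ret : req.getContextPath() + "/";
    }
}
// web.xml (assumed): /private/* -> AuthFilter. Unauthenticated requests go to the login servlet with the current URL.
final class AuthFilter implements Filter {
    public void init(FilterConfig c) {} public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        if (Auth.isAuthenticated(req)) { chain.doFilter(rq, rs); return; }
        String current = req.getRequestURI() + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/public/login?return=" + URLEncoder.encode(current, "UTF-8"));
    }
}
// web.xml (assumed): /public/login -> LoginServlet. Hands off to SSO with the application return URL and the login-post URL.
final class LoginServlet extends HttpServlet {
    static final String SSO_LOGIN_URL = "https://sso.example.invalid/login"; // placeholder, not a real endpoint
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String ret = Auth.safeReturn(req, req.getParameter("return"));
        if (Auth.isAuthenticated(req)) { resp.sendRedirect(ret); return; }
        String postUrl = req.getRequestURL().toString().replace("/public/login", "/public/login-post");
        resp.sendRedirect(SSO_LOGIN_URL + "?app_url=" + URLEncoder.encode(ret, "UTF-8") + "&post_url=" + URLEncoder.encode(postUrl, "UTF-8"));
    }
}
// web.xml (assumed): /public/login-post -> a concrete subclass; the abstract methods are assumed contracts backed by the SSO client and the engine backend.
abstract class LoginPostServlet extends HttpServlet {
    abstract String verifiedUser(String assertion);   // null when the assertion posted by SSO does not verify
    abstract String createEngineSession(String user); // returns the new engine session id
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = verifiedUser(req.getParameter("assertion")); // verify with SSO; never trust the posted identity as-is
        if (user == null) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        HttpSession old = req.getSession(false);
        if (old != null) { old.invalidate(); }                     // rotate the servlet session on login
        req.getSession(true).setAttribute(Auth.SESSION_KEY, createEngineSession(user));
        resp.sendRedirect(Auth.safeReturn(req, req.getParameter("app_url")));
    }
}
```

Two points the sketch leaves implicit are made explicit here: the return URL is restricted to an in-application path before any redirect, and the servlet session is invalidated and recreated when the engine session is established.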