Alon Bar-Lev has posted comments on this change.

Change subject: aaa: Add Bearer and Negotiate auth filters
......................................................................

Patch Set 3: (2 comments)

https://gerrit.ovirt.org/#/c/42292/3/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBaseFilter.java
File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBaseFilter.java:

Line 39:     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
Line 40:             ServletException {
Line 41:         HttpServletRequest req = (HttpServletRequest) request;
Line 42:         if (!FiltersHelper.isAuthenticated(req) || !FiltersHelper.isSessionValid((HttpServletRequest) request, (HttpServletResponse) response)) {
Line 43:             authenticateWithSSO(req, (HttpServletResponse) response);
> It is conditionally called after checking the headers and only called if no
I am almost sure it cannot return a 401 result to the user agent in this state.

Line 44:         }
Line 45:         chain.doFilter(request, response);
Line 46:     }
Line 47:

https://gerrit.ovirt.org/#/c/42292/3/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiNegotiationFilter.java
File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiNegotiationFilter.java:

Line 81:         );
Line 82:     }
Line 83:
Line 84:     @Override
Line 85:     protected void authenticateWithSSO(HttpServletRequest req, HttpServletResponse resp) throws ServletException {
> I do not understand your comments here.
Imagine we need to send 401, get the header and extract the user from the header. Imagine we need to send 401 with digest, get nonsense, send hash, receive password. These sequences are ping-pong between the filter and the user agent and should be possible, see the current NegoFilter. I may be missing the entire sequence, but from what I can see the current implementation assumes a single request, which is not nego.

Line 86:         try {
Line 87:             req.setAttribute(FiltersHelper.Constants.REQUEST_SCHEMES_KEY, schemes);
Line 88:             HttpSession session = req.getSession(false);
Line 89:             Deque<AuthenticationProfile> stack = null;

--
To view, visit https://gerrit.ovirt.org/42292

Gerrit-MessageType: comment
Gerrit-Change-Id: Idee5137430cefa7ca99c047cfd2d550222e5809a
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Ravi Nori <rn...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
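Review bot: In SSORestApiBaseFilter.doFilter (lines 42-45), chain.doFilter(request, response) runs unconditionally after authenticateWithSSO, so the request continues down the chain whether authentication completed, failed, or ended with a challenge already written to the response. Because authenticateWithSSO is declared void (SSORestApiNegotiationFilter line 85), doFilter has no way to tell which of those happened. Either let authenticateWithSSO return whether the request is now authenticated, or re-check FiltersHelper.isAuthenticated(req) (or response.isCommitted()) after the call and return without invoking chain.doFilter when a 401 challenge was sent; each leg of a Negotiate or Digest round trip has to terminate in the filter, not in the downstream chain.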
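The challenge/response round trip the comments argue for, as an added example that is not code from the oVirt patch: a Negotiate-style filter that ends the request on a 401 challenge and only calls chain.doFilter once an Authorization token has been validated. The validate(String) method is a hypothetical stub standing in for real GSS-API/SPNEGO validation, and the "auth.user" request attribute name is an assumption.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not oVirt code: the filter drives the 401 / Authorization
// ping-pong itself instead of always continuing the chain.
public class ChallengeFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Leg 1: no credentials yet -> send the challenge and end the request here.
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE + " ")) {
            challenge(resp);
            return;                 // never chain.doFilter() on a challenge
        }

        // Leg 2: token present -> validate it; on failure re-challenge.
        // (A multi-leg SPNEGO exchange would also carry a server token back in
        // the WWW-Authenticate header; omitted here for brevity.)
        String user = validate(auth.substring(NEGOTIATE.length() + 1));
        if (user == null) {
            challenge(resp);
            return;
        }

        // Only an authenticated request reaches the protected resource.
        req.setAttribute("auth.user", user);   // assumed attribute name
        chain.doFilter(request, response);
    }

    private static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", NEGOTIATE);
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    // Hypothetical stub: a real filter hands the base64 token to GSS-API
    // (GSSManager / acceptSecContext) and returns the authenticated principal.
    private static String validate(String token) {
        return token.isEmpty() ? null : "user@EXAMPLE.REALM";   // constructed placeholder
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```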