Author: scottbw
Date: Wed Feb 19 10:57:16 2014
New Revision: 1569679
URL: http://svn.apache.org/r1569679
Log:
Added the HMAC filter to all REST APIs. Only exception is GET /widgets[/*] for
metadata access.
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/AuthorizationFilter.java
wookie/trunk/wookie-server/src/main/webapp/WEB-INF/web.xml
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/AuthorizationFilter.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/AuthorizationFilter.java?rev=1569679&r1=1569678&r2=1569679&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/AuthorizationFilter.java
(original)
+++
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/AuthorizationFilter.java
Wed Feb 19 10:57:16 2014
@@ -36,13 +36,19 @@ import org.apache.log4j.Logger;
public class AuthorizationFilter implements Filter {
static Logger _logger =
Logger.getLogger(AuthorizationFilter.class.getName());
+
+ private String scheme;
+
+ private static final String HMAC_AUTH_SCHEME = "HMAC";
+ private static final String API_KEY_SCHEME = "APIKEY";
/*
* (non-Javadoc)
*
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
- public void init(FilterConfig filterConfig) throws ServletException {
+ public void init(FilterConfig filterConfig) throws ServletException {
+ scheme = filterConfig.getInitParameter("authorization-scheme");
}
/*
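Review bot: `scheme` is taken straight from `getInitParameter("authorization-scheme")` on L38 and never validated, so a deployment whose web.xml omits the param leaves it null and the `scheme.equals(...)` tests in the doFilter hunk (L48, L52) throw a NullPointerException on every filtered request instead of the 403 the filter otherwise falls back to. Failing at startup is the safer form, and it also catches a misspelt or wrongly-cased value, which today produces a silent 403 for every request: `if (scheme == null || !(HMAC_AUTH_SCHEME.equals(scheme) || API_KEY_SCHEME.equals(scheme))) {` / `throw new ServletException("authorization-scheme init-param must be " + HMAC_AUTH_SCHEME + " or " + API_KEY_SCHEME);` / `}` placed after L38. The same null dereference applies to the doFilter hunk below; this one check covers both.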
@@ -65,7 +71,13 @@ public class AuthorizationFilter impleme
//
// Choose the authorization method required
//
- boolean isAuthorized =
this.isAuthorizedUsingPlainMessaging((HttpServletRequest) request);
+ boolean isAuthorized = false;
+ if (scheme.equals(API_KEY_SCHEME)){
+ isAuthorized =
this.isAuthorizedUsingPlainMessaging((HttpServletRequest) request);
+ }
+ if (scheme.equals(HMAC_AUTH_SCHEME)){
+ isAuthorized = this.isAuthorizedUsingHmac((HttpServletRequest)request);
+ }
//
// return 403 if not authorised, otherwise continue
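Review bot: The two `if` blocks on L48 and L52 test mutually exclusive constants but are written as independent statements, so a reader has to check both to see that at most one path runs; `else if` states the dispatch directly, and a trailing `else` is the natural place for `_logger.warn("Unrecognised authorization-scheme: " + scheme);` so that a misconfigured scheme shows up in the log rather than only as an unexplained 403. Writing the comparisons constant-first (`API_KEY_SCHEME.equals(scheme)`) keeps the branch null-safe without changing its result. doFilter starts and ends outside this hunk.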
@@ -95,10 +107,16 @@ public class AuthorizationFilter impleme
* should be processed normally
*/
private boolean isException(HttpServletRequest request) {
- if (request.getServletPath().equalsIgnoreCase("flatpack")
- && request.getMethod().equals("GET"))
- return true;
- return false;
+
+ //
+ // GET /widgets
+ //
+ if (request.getServletPath().equalsIgnoreCase("/widgets")
+ && request.getMethod().equals("GET"))
+ return true;
+
+
+ return false;
}
/**
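Review bot: The exemption on L69–L71 matches on `getServletPath()` only, which under the `/widgets/*` servlet mapping is `/widgets` for every request in that tree (path info is never inspected), and it exempts GET but not HEAD; neither fact is stated, and the `// GET /widgets` comment on L67 does not convey it. Suggest replacing that comment with `// Unauthenticated read access to widget metadata: servletPath is "/widgets" for the whole /widgets/* tree,` / `// so path info is intentionally not checked; only GET (not HEAD) is exempt.` If HEAD is meant to be public as well, that is a one-token change to the method test. isException's Javadoc starts before this hunk.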
@@ -128,6 +146,29 @@ public class AuthorizationFilter impleme
return isRegistered(key);
}
+ private boolean isAuthorizedUsingHmac(HttpServletRequest request){
+
+ //
+ // Verify the message hash
+ //
+ if (Hmac.isValidSignedRequest(request)){
+
+ //
+ // if the request contains an API key parameter, ensure it
matches the one
+ // used to sign the message
+ //
+ String key = request.getParameter("api_key");
+ if (key != null){
+ if (!key.equals(Hmac.getPublicKey(request))){
+ return false;
+ }
+ }
+
+ return true;
+ }
+ return false;
+ }
+
/**
* Looks up an API key
* @param apiKey
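Review bot: `isAuthorizedUsingHmac` (L80–L102) has no Javadoc while the neighbouring methods in this class carry one, and its contract has a subtlety worth stating: when the `api_key` parameter is absent the request is accepted on the signature alone, and when it is present it must equal the key the signature was made with. Suggest a Javadoc above L80 along the lines of `/** Authorizes a request carrying an HMAC signature: the signature must verify and, if an api_key parameter is present, it must be the key that signed the request. @param request the incoming request @return true if authorized */`. The nested checks on L93–L97 and L99 can also collapse to `return key == null || key.equals(Hmac.getPublicKey(request));` once the signature has verified, which makes the absent-parameter case visible. Note that `request.getParameter` on L92 parses a form-encoded POST body; whether that interacts with what `Hmac.isValidSignedRequest` reads cannot be seen from this hunk.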
Modified: wookie/trunk/wookie-server/src/main/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/webapp/WEB-INF/web.xml?rev=1569679&r1=1569678&r2=1569679&view=diff
==============================================================================
--- wookie/trunk/wookie-server/src/main/webapp/WEB-INF/web.xml (original)
+++ wookie/trunk/wookie-server/src/main/webapp/WEB-INF/web.xml Wed Feb 19
10:57:16 2014
@@ -182,10 +182,6 @@
<servlet-name>WidgetServlet</servlet-name>
<url-pattern>/widgets/*</url-pattern>
</servlet-mapping>
- <servlet-mapping>
- <servlet-name>WidgetServlet</servlet-name>
- <url-pattern>/advertise/*</url-pattern>
- </servlet-mapping>
<servlet>
<description></description>
@@ -262,6 +258,11 @@
<filter>
<filter-name>AuthorizationFilter</filter-name>
<filter-class>org.apache.wookie.server.security.AuthorizationFilter</filter-class>
+ <init-param>
+ <param-name>authorization-scheme</param-name>
+ <param-value>HMAC</param-value>
+ <description>Use HMAC for authenticating API calls</description>
+ </init-param>
</filter>
<filter-mapping>
<filter-name>AuthorizationFilter</filter-name>
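Review bot: The `<description>` on L131 does not say which values the filter accepts, and AuthorizationFilter compares the value case-sensitively (`HMAC` or `APIKEY`), so a value such as `hmac` would silently yield a 403 on every request; suggest `<description>Authorization scheme for API calls: HMAC (signed requests) or APIKEY (plain api_key parameter); the value is case-sensitive</description>`. Separately, with the `security-constraint` and BASIC `login-config` entries removed further down in this file, this filter becomes the only access control for the servlets it is mapped to; the removed `/admin/*` constraint for the `widgetadmin` role and the removed `/widgetinstances/*` DELETE constraint have no replacement filter-mapping visible in this diff (earlier mappings exist above this hunk and the tail of the last hunk is not shown here), so it is worth confirming that those paths are still protected somewhere.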
@@ -277,102 +278,20 @@
</filter-mapping>
<filter-mapping>
<filter-name>AuthorizationFilter</filter-name>
- <servlet-name>Flatpack</servlet-name>
- </filter-mapping>
-
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>Widget Admin
Section</web-resource-name>
- <url-pattern>/admin/*</url-pattern>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
-
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>WidgetServices
Controller</web-resource-name>
- <url-pattern>/services/*</url-pattern>
- <http-method>DELETE</http-method>
- <http-method>PUT</http-method>
- <http-method>POST</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>Policies
Controller</web-resource-name>
- <url-pattern>/policies/*</url-pattern>
- <http-method>GET</http-method>
- <http-method>DELETE</http-method>
- <http-method>PUT</http-method>
- <http-method>POST</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
- <security-constraint>
- <web-resource-collection>
-
<web-resource-name>ApiKeyController</web-resource-name>
- <url-pattern>/keys/*</url-pattern>
- <http-method>GET</http-method>
- <http-method>DELETE</http-method>
- <http-method>PUT</http-method>
- <http-method>POST</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
- <security-constraint>
- <web-resource-collection>
-
<web-resource-name>UpdatesController</web-resource-name>
- <url-pattern>/updates/*</url-pattern>
- <http-method>GET</http-method>
- <http-method>DELETE</http-method>
- <http-method>PUT</http-method>
- <http-method>POST</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
- <security-constraint>
- <web-resource-collection>
-
<web-resource-name>WidgetServlet</web-resource-name>
- <url-pattern>/widgets/*</url-pattern>
- <http-method>POST</http-method>
- <http-method>DELETE</http-method>
- <http-method>PUT</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
- <security-constraint>
- <web-resource-collection>
-
<web-resource-name>WidgetInstancesController</web-resource-name>
- <url-pattern>/widgetinstances/*</url-pattern>
- <http-method>DELETE</http-method>
- </web-resource-collection>
- <auth-constraint>
- <role-name>widgetadmin</role-name>
- </auth-constraint>
- </security-constraint>
-
- <login-config>
- <auth-method>BASIC</auth-method>
- <realm-name>Authentication Required</realm-name>
- </login-config>
-
- <security-role>
- <description></description>
- <role-name>widgetadmin</role-name>
- </security-role>
+ <servlet-name>PoliciesServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>ApiKeyController</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>UpdatesServlet</servlet-name>
+ </filter-mapping>
+ <filter-mapping>
+ <filter-name>AuthorizationFilter</filter-name>
+ <servlet-name>WidgetServlet</servlet-name>
+ </filter-mapping>
<error-page>
<error-code>401</error-code>