Author: scottbw
Date: Wed Mar  5 16:08:07 2014
New Revision: 1574556

URL: http://svn.apache.org/r1574556
Log:
Send security tokens in Authorization header instead of in querystring (see 
WOOKIE-427)

Modified:
    wookie/trunk/wookie-features/src/main/webapp/features/widget/wookie.js
    
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java

Modified: wookie/trunk/wookie-features/src/main/webapp/features/widget/wookie.js
URL: 
http://svn.apache.org/viewvc/wookie/trunk/wookie-features/src/main/webapp/features/widget/wookie.js?rev=1574556&r1=1574555&r2=1574556&view=diff
==============================================================================
--- wookie/trunk/wookie-features/src/main/webapp/features/widget/wookie.js 
(original)
+++ wookie/trunk/wookie-features/src/main/webapp/features/widget/wookie.js Wed 
Mar  5 16:08:07 2014
@@ -328,7 +328,8 @@ var Widget = {
      */
     loadMetadata: function(){
         var xml_request = new XMLHttpRequest();
-        xml_request.open("GET", "/wookie/metadata?idkey="+this.instanceid_key, 
false);
+        xml_request.open("GET", "/wookie/metadata", false);
+        xml_request.setRequestHeader("Authorization",this.instanceid_key);
         xml_request.onreadystatechange = function()
         {
             if(xml_request.readyState == 4 && xml_request.status == 200){
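Review bot: The `Authorization` value set on the added `setRequestHeader` line is the bare instance key with no auth-scheme, so it is not in the `<scheme> <credentials>` shape that RFC 7235 gives the header, and any proxy, container or client library that expects or injects a scheme may reject or silently rewrite it. Because the server side of this commit reads the raw header value as the token, both ends would have to change together, e.g. `xml_request.setRequestHeader("Authorization", "Bearer " + this.instanceid_key);` here and the matching prefix strip in `WidgetAuthorizationFilter.getAuthToken`. The same header line is added in the `loadPreferences`, `refreshToken` and `setPreferenceForKey` hunks below. `loadMetadata` continues past the end of this hunk.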
@@ -345,7 +346,8 @@ var Widget = {
      */
     loadPreferences: function(){
         var xml_request = new XMLHttpRequest();
-        xml_request.open("GET", 
"/wookie/preferences?idkey="+this.instanceid_key, false);
+        xml_request.open("GET", "/wookie/preferences", false);
+        xml_request.setRequestHeader("Authorization",this.instanceid_key);
         xml_request.onreadystatechange = function()
         {
             if(xml_request.readyState == 4 && xml_request.status == 200){
@@ -363,7 +365,8 @@ var Widget = {
      */
     refreshToken: function(async){
         var xml_request = new XMLHttpRequest();
-        xml_request.open("POST", "/wookie/token?idkey="+this.instanceid_key, 
async);
+        xml_request.open("POST", "/wookie/token", async);
+        xml_request.setRequestHeader("Authorization",this.instanceid_key);
         xml_request.onreadystatechange = function()
         {
             if(xml_request.readyState == 4 && xml_request.status == 201){
@@ -464,7 +467,8 @@ var Widget = {
      */
     setPreferenceForKey : function (wName, wValue) {
         var xml_request = new XMLHttpRequest();
-        xml_request.open("POST", 
"/wookie/preferences?idkey="+this.instanceid_key+"&name="+wName+"&value="+wValue,
 true);
+        xml_request.open("POST", 
"/wookie/preferences?name="+wName+"&value="+wValue, true);
+        xml_request.setRequestHeader("Authorization",this.instanceid_key);
         xml_request.setRequestHeader("Cache-Control", "no-cache");
         xml_request.send(null);   
     },
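Review bot: The rewritten `open` URL still concatenates `wName` and `wValue` into the query string unencoded, so a preference value containing `&`, `=`, `#` or a non-ASCII character is split or truncated before it reaches `/wookie/preferences`, and the server sees a different key/value than the widget set. Since this line is being rewritten anyway, encode both parts: `xml_request.open("POST", "/wookie/preferences?name=" + encodeURIComponent(wName) + "&value=" + encodeURIComponent(wValue), true);`. Moving the key out of the query string is the right direction, as it keeps the token out of access logs and referers, but the remaining parameters need the same care.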

Modified: 
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
URL: 
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java?rev=1574556&r1=1574555&r2=1574556&view=diff
==============================================================================
--- 
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
 (original)
+++ 
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
 Wed Mar  5 16:08:07 2014
@@ -51,7 +51,7 @@ public class WidgetAuthorizationFilter i
        public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain) throws IOException, ServletException 
{
 
-               AuthToken authToken = getAuthToken(request);
+               AuthToken authToken = getAuthToken((HttpServletRequest)request);
                
                if (authToken == null){
                        ((HttpServletResponse) 
response).sendError(HttpServletResponse.SC_FORBIDDEN);
@@ -68,22 +68,20 @@ public class WidgetAuthorizationFilter i
                }
        }
        
-       private AuthToken getAuthToken(ServletRequest request){
+       private AuthToken getAuthToken(HttpServletRequest request){
 
                //
-               // Do we have an idkey parameter containing an access token?
+               // Get the AUTH header
                //
-               String idkey = request.getParameter("idkey");
-               if (idkey == null || idkey.trim().equals("")){
-                       return null;
-               }
+               String tokenString = request.getHeader("Authorization");
+               if (tokenString == null) return null;
 
                //
                // Do we have a valid token?
                //
                AuthToken token = null;
                try {
-                       token = AuthTokenUtils.validateAuthToken(idkey);
+                       token = AuthTokenUtils.validateAuthToken(tokenString);
                } catch (InvalidAuthTokenException e) {
                        return null;
                }       
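Review bot: The replacement null check on the new `tokenString` line drops the blank/whitespace rejection the removed `idkey` branch had; whether `AuthTokenUtils.validateAuthToken` rejects an empty or whitespace-only string is not visible here, so keeping the guard is cheaper than relying on it: `if (tokenString == null || tokenString.trim().isEmpty()) { return null; }`. The braced form also matches the surrounding style, where the removed block and the `catch` below use braces rather than a one-line `if ... return`. Note that the raw header value is passed to `validateAuthToken` unchanged, so a scheme-prefixed `Authorization` value (e.g. `Bearer <token>`) will fail validation; that agrees with the `wookie.js` side of this commit but deserves a comment such as `// Header carries the bare token; no auth-scheme prefix is expected` so a later client change does not break silently. `getAuthToken` continues past the end of this hunk.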
@@ -100,7 +98,7 @@ public class WidgetAuthorizationFilter i
                        //
                        // If the token has been used once already, reject the 
request
                        //
-                       if 
(!ExpiredSingleUseTokenCache.getInstance().isValid(idkey)){
+                       if 
(!ExpiredSingleUseTokenCache.getInstance().isValid(tokenString)){
                                return null;
                        } 
                        
@@ -119,7 +117,7 @@ public class WidgetAuthorizationFilter i
                        //
                        // Add the token to the expiry cache
                        //
-                       
ExpiredSingleUseTokenCache.getInstance().addToken(idkey);
+                       
ExpiredSingleUseTokenCache.getInstance().addToken(tokenString);
                }
                
                return token;

