Yair Zaslavsky has uploaded a new change for review. Change subject: aaa: Rename Authentication filter ......................................................................
aaa: Rename Authentication filter
Change-Id: Iee6d0c5805e4509f4011dd9ebc994fba0f419f55
Topic: AAA
Signed-off-by: Yair Zaslavsky <[email protected]>
---
R backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/NegotiationAuthnFilter.java
M backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml
M frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml
M frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml
4 files changed, 48 insertions(+), 17 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/84/27284/1
diff --git a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/NegotiationAuthnFilter.java
similarity index 82%
rename from backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
rename to backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/NegotiationAuthnFilter.java
index a4eb6b1..47a0728 100644
--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticationFilter.java
+++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/NegotiationAuthnFilter.java
@@ -24,29 +24,35 @@ * This filter should be added to the {@code web.xml} file to the applications that want to use the authentication * mechanism implemented in this package. */ -public class AuthenticationFilter implements Filter { +public class NegotiationAuthnFilter implements Filter { /** * The authentication profiles used to perform the authentication process. */ - private volatile List<AuthenticationProfile> profiles; + private volatile List<AuthenticationProfile> profiles; + + private int caps; /** * We store a boolean flag in the HTTP session that indicates if the user has been already authenticated, this is * the key for that flag. */ - private static final String AUTHENTICATED_ATTR = AuthenticationFilter.class.getName() + ".authenticated"; + private static final String AUTHENTICATED_ATTR = NegotiationAuthnFilter.class.getName() + ".authenticated"; /** * When a user has been authenticated we store its login name in the HTTP session, this is the key for that name. */ - private static final String NAME_ATTR = AuthenticationFilter.class.getName() + ".name"; + private static final String NAME_ATTR = NegotiationAuthnFilter.class.getName() + ".name"; /** * In order to support several alternative authenticators we store their names in a stack inside the HTTP session, * this is the key for that stack. */ - private static final String STACK_ATTR = AuthenticationFilter.class.getName() + ".stack"; + private static final String STACK_ATTR = NegotiationAuthnFilter.class.getName() + ".stack"; + + private static final String AUTH_RECORD_ATTR = "auth_record"; + + private static final String INTERACTIVE_NEGOTIATION_PARAMETER = "negotiation"; @Override public void init(FilterConfig filterConfig) throws ServletException { 
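Review bot: `caps` is declared as a plain instance field on a filter that the container shares between all request threads, yet the `@@ -106,6 +112,16 @@` hunk resets it to 0 and rebuilds it on every request that is not already authenticated, so concurrent requests can observe a zero or half-built capability mask. The profile loop in the `@@ -67,8 +73,7 @@` hunk reads the same field and, judging by line order, appears to run before the mask has been computed, in which case `& caps` is always 0 and no profile is selected; the enclosing methods lie outside the hunks, so this ordering should be confirmed. Computing the mask once in `init(FilterConfig)`, before `profiles` is published, and declaring it `private volatile int caps;` would remove the per-request write. The field also has no Javadoc although every neighbouring member does; a comment such as `/** Bit mask of Authn.Capabilities negotiation modes this filter instance accepts. */` would match the file's style.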
@@ -67,8 +73,7 @@ profiles = new ArrayList<AuthenticationProfile>(1); for (AuthenticationProfile profile : AuthenticationProfileRepository.getInstance().getProfiles()) { if (profile != null) { - if ((profile.getAuthn().getContext().<Long> get(Authn.ContextKeys.CAPABILITIES).longValue() & - Authn.Capabilities.AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE) != 0) { + if ((profile.getAuthn().getContext().<Long> get(Authn.ContextKeys.CAPABILITIES).longValue() & caps) != 0) { profiles.add(0, profile); } @@ -99,6 +104,7 @@ // If the user has been previously authenticated in this session then we don't need to do it again, but we do // need to replace the principal with the name of the authenticated entity: HttpSession session = req.getSession(); + Boolean authenticated = (Boolean) session.getAttribute(AUTHENTICATED_ATTR); if (authenticated != null && authenticated) { String name = (String) session.getAttribute(NAME_ATTR); @@ -106,6 +112,16 @@ chain.doFilter(req, rsp); return; } + + caps = 0; + for (String nego : req.getServletContext().getInitParameter(INTERACTIVE_NEGOTIATION_PARAMETER).split(",")) { + if (nego.equals("interactive")) { + caps |= Authn.Capabilities.AUTHENTICATE_NEGOTIATE_INTERACTIVE; + } else if (nego.equals("non-interactive")) { + caps |= Authn.Capabilities.AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE; + } + } + // We need to remember which of the profiles was managing the negotiation with the client, so we store a stack // of the available authenticators in the session: 
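Review bot: The loop added in the `@@ -106,6 +112,16 @@` hunk reads the setting through `req.getServletContext().getInitParameter(...)`, but all three web.xml files in this change declare `negotiation` as an `<init-param>` inside `<filter>`, which is exposed by `FilterConfig.getInitParameter` and not by the servlet context (that call reads `<context-param>` entries). As written the lookup returns null and `.split(",")` throws a NullPointerException on every request that is not already authenticated. Tokens are also compared without trimming and unknown values are silently skipped, so a typo in web.xml quietly disables a negotiation mode instead of failing deployment. Parsing the value once in `init`, and rejecting missing or unknown modes with a `ServletException`, addresses this; the bodies of `init` and `doFilter` continue outside the hunks.
```java
public void init(FilterConfig filterConfig) throws ServletException {
    String negotiation = filterConfig.getInitParameter(INTERACTIVE_NEGOTIATION_PARAMETER);
    if (negotiation == null) {
        throw new ServletException("Missing filter init-param '" + INTERACTIVE_NEGOTIATION_PARAMETER + "'");
    }
    int mask = 0;
    for (String nego : negotiation.split(",")) {
        String mode = nego.trim();
        if (mode.equals("interactive")) {
            mask |= Authn.Capabilities.AUTHENTICATE_NEGOTIATE_INTERACTIVE;
        } else if (mode.equals("non-interactive")) {
            mask |= Authn.Capabilities.AUTHENTICATE_NEGOTIATE_NON_INTERACTIVE;
        } else {
            throw new ServletException("Unknown negotiation mode '" + mode + "'");
        }
    }
    caps = mask;
    // … unchanged: rest of init …
```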
@@ -143,9 +159,11 @@ switch (output.<Integer> get(Authn.InvokeKeys.RESULT)) { case Authn.AuthResult.SUCCESS: - String name = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD).<String> get(Authn.AuthRecord.PRINCIPAL); + ExtMap authRecord = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD); session.setAttribute(AUTHENTICATED_ATTR, true); + String name = authRecord.<String> get(Authn.AuthRecord.PRINCIPAL); session.setAttribute(NAME_ATTR, name); + session.setAttribute(AUTH_RECORD_ATTR, authRecord); session.removeAttribute(STACK_ATTR); req = new AuthenticatedRequestWrapper(req, name); chain.doFilter(req, rsp); diff --git a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml index 89b79f1..49378aa 100644 --- a/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml +++ b/backend/manager/modules/restapi/webapp/src/main/webapp/WEB-INF/web.xml @@ -14,11 +14,15 @@ <!-- Perform authentication: --> <filter> - <filter-name>AuthenticationFilter</filter-name> - <filter-class>org.ovirt.engine.core.aaa.AuthenticationFilter</filter-class> + <filter-name>NegotiationAuthnFilter</filter-name> + <filter-class>org.ovirt.engine.core.aaa.NegotiationAuthnFilter</filter-class> + <init-param> + <param-name>negotiation</param-name> + <param-value>non-interactive</param-value> + </init-param> </filter> <filter-mapping> - <filter-name>AuthenticationFilter</filter-name> + <filter-name>NegotiationAuthnFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml index 82a1013..2a9365d 100644 --- a/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml +++ b/frontend/webadmin/modules/userportal-gwtp/src/main/webapp/WEB-INF/web.xml 
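Review bot: In the `SUCCESS` branch the session is flagged with `session.setAttribute(AUTHENTICATED_ATTR, true);` before `authRecord` is dereferenced, whereas the old code resolved the principal first. If an authenticator ever reports success without an `AUTH_RECORD` (the visible lines do not rule this out), the `authRecord.<String> get(...)` call throws and the session stays marked authenticated with no name stored, which the early-return path at the top of `doFilter` would then accept. Resolving `authRecord` and `name` first and only then writing the three session attributes avoids leaving a half-authenticated session. Separately, the record is stored under the bare key `"auth_record"` while the neighbouring keys are class-prefixed; `NegotiationAuthnFilter.class.getName() + ".auth_record"` would avoid collisions with other session users. The switch statement continues outside the hunk.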
@@ -22,11 +22,15 @@ <!-- Perform authentication: --> <filter> - <filter-name>AuthenticationFilter</filter-name> - <filter-class>org.ovirt.engine.core.aaa.AuthenticationFilter</filter-class> + <filter-name>NegotiationAuthnFilter</filter-name> + <filter-class>org.ovirt.engine.core.aaa.NegotiationAuthnFilter</filter-class> + <init-param> + <param-name>negotiation</param-name> + <param-value>non-interactive,interactive</param-value> + </init-param> </filter> <filter-mapping> - <filter-name>AuthenticationFilter</filter-name> + <filter-name>NegotiationAuthnFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> diff --git a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml index b637adf..4dc3212 100644 --- a/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml +++ b/frontend/webadmin/modules/webadmin/src/main/webapp/WEB-INF/web.xml 
@@ -23,11 +23,16 @@ <!-- Perform authentication: --> <filter> - <filter-name>AuthenticationFilter</filter-name> - <filter-class>org.ovirt.engine.core.aaa.AuthenticationFilter</filter-class> + <filter-name>NegotiationAuthnFilter</filter-name> + <filter-class>org.ovirt.engine.core.aaa.NegotiationAuthnFilter</filter-class> + <init-param> + <param-name>negotiation</param-name> + <param-value>non-interactive,interactive</param-value> + </init-param> </filter> + <filter-mapping> - <filter-name>AuthenticationFilter</filter-name> + <filter-name>NegotiationAuthnFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -- To view, visit http://gerrit.ovirt.org/27284 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iee6d0c5805e4509f4011dd9ebc994fba0f419f55 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
