Yair Zaslavsky has posted comments on this change. Change subject: aaa: Intorduce filters ......................................................................
Patch Set 8: (11 comments) http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/BasicAuthenticationFilter.java: Line 47: if (!FiltersHelper.isAuthenticated(req)) { Line 48: chain.doFilter(request, response); Line 49: String headerValue = req.getHeader("Authorization"); Line 50: if (headerValue != null && headerValue.startsWith("Basic ")) { Line 51: String credentials = headerValue.substring("Basic".length()); > are you sure you need credentials temp variable? Done Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); Line 48: chain.doFilter(request, response); Line 49: String headerValue = req.getHeader("Authorization"); Line 50: if (headerValue != null && headerValue.startsWith("Basic ")) { Line 51: String credentials = headerValue.substring("Basic".length()); Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); > are you sure you need userPass temp variable? Done Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); Line 56: } Line 51: String credentials = headerValue.substring("Basic".length()); Line 52: String userPass = new String(Base64.decodeBase64(credentials), Charset.defaultCharset().toString()); Line 53: String[] creds = userPass.split(":", 2); Line 54: if (creds != null && creds.length == 2) { Line 55: handleCredentials(request, creds[0], creds[1], getSeparator(creds[0])); > decide... 
either to resolve user/profile here or do this within the functio Done Line 56: } Line 57: } Line 58: } Line 59: chain.doFilter(request, response); Line 62: Line 63: private int getSeparator(String qualified) { Line 64: int result = -1; Line 65: if (userNameFormat == UserNameFormat.UPN && qualified.indexOf("\\") == -1) { Line 66: result = qualified.lastIndexOf("@"); > I think that if this is the new notation you accept it as-is, fall back onl not sure if i understand, at previous round you told me to check for the down_level_logon_name there is no @, and not add the init parameter. So don't I need here to take into consideration the init parameter value which is kept in userNameFormat field? Line 67: } else if (userNameFormat == UserNameFormat.DOWN_LEVEL_LOGON_NAME && qualified.indexOf("@") == -1) { Line 68: result = qualified.lastIndexOf("\\"); Line 69: } Line 70: return result; Line 80: } else { Line 81: // legacy format: profile\\user Line 82: profileName = qualified.substring(0, index); Line 83: user = qualified.substring(index + 1); Line 84: } > resolve the user -> profile + user should be at one place... do not split i Done Line 85: Line 86: AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(profileName); Line 87: if (profile == null) { Line 88: String msg = String.format("Error in obtaining profile %1$s", profileName); Line 104: if (outputMap.<Integer> get(Base.InvokeKeys.RESULT) == Base.InvokeResult.SUCCESS && Line 105: outputMap.<Integer> get(Authn.InvokeKeys.RESULT) == Authn.AuthResult.SUCCESS) { Line 106: request.setAttribute(FiltersHelper.Constants.AUTH_RECORD_KEY, outputMap.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD)); Line 107: request.setAttribute(FiltersHelper.Constants.PROFILE_KEY, profileName); Line 108: } else { > here we should also call accouting (in future) of course. Line 109: log.error( Line 110: String.format( Line 111: "Failure in authentication to profile %1$s. Invocation Result code is %2$s. 
Authn result code is %3$s", Line 112: profileName, http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/FiltersHelper.java: Line 37: Line 38: public static boolean isAuthenticated(HttpServletRequest request) { Line 39: HttpSession session = request.getSession(false); Line 40: return session != null && session.getAttribute(Constants.AUTHENTICATED_KEY) != null Line 41: && (boolean) session.getAttribute(Constants.AUTHENTICATED_KEY); > maybe? I store boolean and not string here, but of course I can change this. But in other places it means I'll have to perform toString when I store boolean AUTHENTICATED values on the session, and even someting like Boolean.valueOf(func()).toString when func returns boolean (and I dont want to change func to return Boolean - this is for example in the case of the getSucceeded() method that I use at the part where I perform BLL login in LoginFilter). To conclude, I don't think it's worth the hassle. Line 42: } Line 43: http://gerrit.ovirt.org/#/c/28022/8/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java File backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/NegotiationFilter.java: Line 46: */ Line 47: private static final String STACK_ATTR = NegotiationFilter.class.getName() + ".stack"; Line 48: Line 49: Line 50: private static final String CAPABILITIES_PARAMETER = "CAPABILITIES"; > why upper case? 
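Review bot: In BasicAuthenticationFilter.java, as quoted, `chain.doFilter(request, response)` appears at line 48 inside the `!FiltersHelper.isAuthenticated(req)` branch and again at line 59, so an unauthenticated request would apparently run through the rest of the chain once before the Authorization header is parsed and a second time afterwards. The call at line 48 looks unintended and should be dropped so the chain runs only after `handleCredentials`. Line 52 decodes the credentials with `Charset.defaultCharset()`, which makes non-ASCII user names and passwords depend on the JVM locale; `new String(Base64.decodeBase64(credentials), StandardCharsets.UTF_8)` keeps the result the same on every host. The `profileName` formatted into the messages at lines 88 and 109-112 comes from the client-supplied header before authentication, so CR/LF should be neutralised before it reaches the log. The method bodies start and end outside the quoted lines.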
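Review bot: In FiltersHelper.isAuthenticated (lines 39-41) the session attribute is fetched twice and then cast with `(boolean)`, so the check can throw instead of answering "not authenticated". A concurrent request on the same session that removes the attribute between the null check and the cast gives a NullPointerException, and a stored value that is not a `Boolean` gives a ClassCastException. Reading the attribute once and comparing fails closed: `return session != null && Boolean.TRUE.equals(session.getAttribute(Constants.AUTHENTICATED_KEY));`. A one-line Javadoc stating that a missing session or any value other than `Boolean.TRUE` is treated as unauthenticated would make the contract explicit for the other filters.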
Done Line 51: Line 52: @Override Line 53: public void init(FilterConfig filterConfig) throws ServletException { Line 54: String capsParam = filterConfig.getInitParameter(CAPABILITIES_PARAMETER); Line 54: String capsParam = filterConfig.getInitParameter(CAPABILITIES_PARAMETER); Line 55: if (capsParam == null) { Line 56: caps = 0; Line 57: } else { Line 58: for (String nego : capsParam.trim().split("\\|")) { > should be: " *\\| *" Done Line 59: try { Line 60: caps |= Authn.Capabilities.class.getField(nego).getInt(null); Line 61: } catch (IllegalArgumentException | IllegalAccessException | NoSuchFieldException ex) { Line 62: log.error(String.format("Error calculating authn capabilities while accessing constant %1$s", nego)); Line 79: if (profiles == null) { Line 80: synchronized (this) { Line 81: if (profiles == null) { Line 82: schemes = new ArrayList<>(); Line 83: profiles = new ArrayList<AuthenticationProfile>(1); > why 1? Done Line 84: Line 85: for (AuthenticationProfile profile : AuthenticationProfileRepository.getInstance().getProfiles()) { Line 86: if (profile != null) { Line 87: ExtMap authnContext = profile.getAuthn().getContext(); Line 152: Line 153: switch (output.<Integer> get(Authn.InvokeKeys.RESULT)) { Line 154: case Authn.AuthResult.SUCCESS: Line 155: ExtMap authRecord = output.<ExtMap> get(Authn.InvokeKeys.AUTH_RECORD); Line 156: session.setAttribute(FiltersHelper.Constants.AUTH_RECORD_KEY, authRecord); > put profile name? 
Done Line 157: session.removeAttribute(STACK_ATTR); Line 158: break; Line 159: Line 160: case Authn.AuthResult.NEGOTIATION_UNAUTHORIZED: -- To view, visit http://gerrit.ovirt.org/28022 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: Ia5536d123b6407acf41b6946dde796bd67d1e073 Gerrit-PatchSet: 8 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yair Zaslavsky <[email protected]> Gerrit-Reviewer: Alon Bar-Lev <[email protected]> Gerrit-Reviewer: Barak Azulay <[email protected]> Gerrit-Reviewer: Juan Hernandez <[email protected]> Gerrit-Reviewer: Oved Ourfali <[email protected]> Gerrit-Reviewer: Yair Zaslavsky <[email protected]> Gerrit-Reviewer: [email protected] Gerrit-Reviewer: oVirt Jenkins CI Server Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
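Review bot: In NegotiationFilter.java lines 79-83 the double-checked initialisation assigns `profiles = new ArrayList<AuthenticationProfile>(1)` before the loop at line 85 fills it. A second request arriving during the first call sees a non-null `profiles`, skips the `synchronized` block and can negotiate against an empty or half-built profile and scheme list. Building both lists in local variables and assigning the fields only after the loop closes that window, with `profiles` assigned last and declared `volatile` (its declaration is outside the quoted lines). In `init` (lines 58-62) an unknown capability name is only logged, so the filter starts with a `caps` value different from the one configured. Throwing `ServletException` there would surface the misconfiguration at deployment time.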
