Michael Pasternak has uploaded a new change for review. Change subject: restapi: set jsessionid cookie only if "prefer: persistent-auth" header is set ......................................................................
restapi: set jsessionid cookie only if "prefer: persistent-auth" header is set https://bugzilla.redhat.com/show_bug.cgi?id=876641 Change-Id: Id2ee609fb6a80eda82ab73c2ea2351d6b2f5129f Signed-off-by: Michael Pasternak <[email protected]>
---
M backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java M backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/SessionUtils.java 2 files changed, 9 insertions(+), 4 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/04/10104/1
diff --git a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
index 7c4685b..bdfddef 100644
--- a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
+++ b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/Challenger.java
@@ -77,14 +77,17 @@
 @Override public ServerResponse preProcess(HttpRequest request, ResourceMethod method) throws Failure, WebApplicationException {
+ HttpSession httpSession = null;
 ServerResponse response = null;
 boolean successful = false;
 HttpHeaders headers = request.getHttpHeaders();
 boolean preferPersistentAuth = checkPersistentAuthentication(headers);
 boolean hasAuthorizationHeader = checkAuthorizationHeader(headers);
- // Will create a new one if it is the first session, and then the "isNew" test below will return true
- HttpSession httpSession = getCurrentSession(true);
+ if (preferPersistentAuth) {
+ // Will create a new one if it is the first session, and then the "isNew" test below will return true
+ httpSession = getCurrentSession(true);
+ }
 // If the session isn't new and doesn't carry authorization header, we validate it
 if (validator != null && httpSession != null && !httpSession.isNew() && !hasAuthorizationHeader) {
diff --git a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/SessionUtils.java b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/SessionUtils.java
index cec49f2..ccddaae 100644
--- a/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/SessionUtils.java
+++ b/backend/manager/modules/restapi/interface/common/jaxrs/src/main/java/org/ovirt/engine/api/common/security/auth/SessionUtils.java
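Review bot: In Challenger.preProcess, wrapping the whole `getCurrentSession(true)` call in `if (preferPersistentAuth)` skips the session lookup as well as the session creation, so a request that presents an existing session cookie without the Prefer header leaves `httpSession` null and bypasses the validation branch at the end of the hunk. If the boolean argument is the create flag, as the moved comment suggests, `httpSession = getCurrentSession(preferPersistentAuth);` would stop issuing new sessions while still finding and validating an existing one. preProcess continues outside the hunk, so any later dereference of `httpSession` there needs a null check too. A comment stating that sessions are opt-in through the header would also help the next reader.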
@@ -68,8 +68,10 @@
 * This method sets the engine session ID on the http session
 */
 public static void setEngineSessionId(HttpSession session, String sessionId) {
- log.debug("setting engine session ID to " + sessionId);
- session.setAttribute(ENGINE_SESSION_ID_KEY, sessionId);
+ if (session != null) {
+ log.debug("setting engine session ID to " + sessionId);
+ session.setAttribute(ENGINE_SESSION_ID_KEY, sessionId);
+ }
 }
 /*
--
To view, visit http://gerrit.ovirt.org/10104 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id2ee609fb6a80eda82ab73c2ea2351d6b2f5129f Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Michael Pasternak <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
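Review bot: In SessionUtils.setEngineSessionId, the re-added `log.debug("setting engine session ID to " + sessionId);` writes the session identifier itself into the log; if that ID is enough to act as the logged-in user, anyone with read access to debug logs can reuse it. Logging the event without the value, e.g. `log.debug("setting engine session ID on http session");`, keeps the trace without the token. The new null guard also turns the call into a silent no-op, which the comment above the method should state, for instance `* Does nothing when session is null (no persistent-auth session was requested)`.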
