Add support for application and organization client credentials to be passed in Authorization header.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/fbcdada6 Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/fbcdada6 Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/fbcdada6 Branch: refs/heads/asf-site Commit: fbcdada6e9c2aa704094857e7182c6a22627c711 Parents: 5fdce93 Author: Michael Russo <mru...@apigee.com> Authored: Wed Sep 7 20:16:52 2016 -0700 Committer: Michael Russo <mru...@apigee.com> Committed: Wed Sep 7 20:16:52 2016 -0700
----------------------------------------------------------------------
 .../usergrid/rest/exceptions/AuthErrorInfo.java | 1 +
 .../shiro/filters/BasicAuthSecurityFilter.java | 22 ++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/fbcdada6/stack/rest/src/main/java/org/apache/usergrid/rest/exceptions/AuthErrorInfo.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/exceptions/AuthErrorInfo.java b/stack/rest/src/main/java/org/apache/usergrid/rest/exceptions/AuthErrorInfo.java
index c9149e5..4d1d138 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/exceptions/AuthErrorInfo.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/exceptions/AuthErrorInfo.java
@@ -35,6 +35,7 @@ public enum AuthErrorInfo {
  OAUTH2_UNSUPPORTED_GRANT_TYPE( "unsupported_grant_type", "Unable to authenticate (OAuth)" ), //
  OAUTH2_INVALID_SCOPE( "invalid_scope", "Unable to authenticate (OAuth" ), //
  INVALID_AUTH_ERROR( "auth_invalid", "Unable to authenticate" ), //
+ INVALID_CLIENT_CREDENTIALS_ERROR( "auth_invalid_credentials", "Unable to authenticate due to invalid client credentials" ),
  MISSING_CREDENTIALS_ERROR( "auth_missing_credentials", "Unable to authenticate due to missing credentials" ), //
  BAD_CREDENTIALS_SYNTAX_ERROR( "auth_bad_credentials_syntax", "Unable to authenticate due to improperly constructed credentials" ), //
http://git-wip-us.apache.org/repos/asf/usergrid/blob/fbcdada6/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
index 5594a1c..d4d2e60 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
@@ -18,6 +18,9 @@ package org.apache.usergrid.rest.security.shiro.filters;
 import org.apache.shiro.codec.Base64;
+import org.apache.shiro.subject.Subject;
+import org.apache.usergrid.security.shiro.PrincipalCredentialsToken;
+import org.apache.usergrid.security.shiro.utils.SubjectUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -28,6 +31,8 @@ import javax.ws.rs.ext.Provider;
 import java.security.Principal;
 import java.util.Map;
+import static org.apache.usergrid.rest.exceptions.AuthErrorInfo.INVALID_CLIENT_CREDENTIALS_ERROR;
+import static org.apache.usergrid.rest.exceptions.SecurityException.mappableSecurityException;
 import static org.apache.usergrid.security.shiro.Realm.ROLE_SERVICE_ADMIN;
@@ -61,19 +66,32 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
  if ( values.length < 2 ) {
  return;
  }
- String name = values[0].toLowerCase();
+ String name = values[0];
  String password = values[1];
  String sysadmin_login_name = properties.getProperty( "usergrid.sysadmin.login.name" );
  String sysadmin_login_password = properties.getProperty( "usergrid.sysadmin.login.password" );
  boolean sysadmin_login_allowed = Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.login.allowed" ) );
- if ( name.equals( sysadmin_login_name ) && password.equals( sysadmin_login_password )
+ if ( name.equalsIgnoreCase( sysadmin_login_name ) && password.equals( sysadmin_login_password )
  && sysadmin_login_allowed ) {
  request.setSecurityContext( new SysAdminRoleAuthenticator() );
  if (logger.isTraceEnabled()) {
  logger.trace("System administrator access allowed");
  }
+ }else{
+
+ try {
+ PrincipalCredentialsToken token =
+ management.getPrincipalCredentialsTokenForClientCredentials( name, password );
+ Subject subject = SubjectUtils.getSubject();
+ subject.login( token );
+ }
+ catch ( Exception e ) {
+ throw mappableSecurityException( INVALID_CLIENT_CREDENTIALS_ERROR );
+ }
+
+ }
  }
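Review bot: `catch ( Exception e )` in the new else branch maps every failure of `getPrincipalCredentialsTokenForClientCredentials` and `subject.login` — a backend or configuration error as much as a wrong secret — to INVALID_CLIENT_CREDENTIALS_ERROR and discards `e`, so an outage during the credential lookup is reported to the caller as bad credentials and leaves nothing in the server log that distinguishes the two. At minimum record the cause before mapping it, e.g. `logger.debug( "Client credentials authentication failed for client id {}", name, e );` (the client id only, never `password`), and if the management call and Shiro throw a narrower authentication exception type, catch that and let other exceptions propagate to the generic handler. The branch structure also sends any Basic credentials that fail the sysadmin check — including the sysadmin name with `usergrid.sysadmin.login.allowed` set to false — into the client-credential login, so a disabled or mistyped sysadmin login is now reported as invalid client credentials; a trace line on that path would help operators read their logs. The sysadmin path calls `request.setSecurityContext( ... )` while the client-credential path relies on `subject.login( token )` alone; presumably a later filter derives the JAX-RS security context from the Shiro subject, but that is worth confirming. The enclosing filter method begins before this hunk.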