diff --git a/management/server/core/channel-manager/channel-manager-impl/src/main/java/io/subutai/core/channel/impl/interceptor/AccessControlInterceptor.java b/management/server/core/channel-manager/channel-manager-impl/src/main/java/io/subutai/core/channel/impl/interceptor/AccessControlInterceptor.java index a6cbb083dd3..2fd76372b47 100644 --- a/management/server/core/channel-manager/channel-manager-impl/src/main/java/io/subutai/core/channel/impl/interceptor/AccessControlInterceptor.java +++ b/management/server/core/channel-manager/channel-manager-impl/src/main/java/io/subutai/core/channel/impl/interceptor/AccessControlInterceptor.java @@ -53,48 +53,13 @@ public void handleMessage( final Message message ) if ( InterceptorState.SERVER_IN.isActive( message ) ) { HttpServletRequest req = ( HttpServletRequest ) message.get( AbstractHTTPDestination.HTTP_REQUEST ); - Session userSession; - if ( req.getLocalPort() == Common.DEFAULT_PUBLIC_SECURE_PORT ) - { - // auth with system user since bi-SSL port is already secured - userSession = authenticateAccess( null, null ); - } - else - { - - if ( ChannelSettings.checkURLAccess( req.getRequestURI() ) ) - { - // auth with system user b/c this is a public endpoint - userSession = authenticateAccess( null, null ); - } - else - { - //require token auth - userSession = authenticateAccess( message, req ); - } - } + Session userSession = getUserSession( req, message ); //******Authenticate************************************************ if ( userSession != null ) { - Subject.doAs( userSession.getSubject(), new PrivilegedAction() - { - @Override - public Void run() - { - try - { - message.getInterceptorChain().doIntercept( message ); - } - catch ( Exception ex ) - { - Throwable t = ExceptionUtils.getRootCause( ex ); - MessageContentUtil.abortChain( message, t ); - } - return null; - } - } ); + doAs( message, userSession ); } else { @@ -110,6 +75,71 @@ public Void run() } + private Session getUserSession( HttpServletRequest request, Message message ) + { + Session userSession; + if ( isPublicResource( request ) || isPublicSecureResource( request ) ) + { + // auth with system user since bi-SSL port is already secured + userSession = authenticateAccess( null, null ); + } + else + { + //require token auth + userSession = authenticateAccess( message, request ); + } + + return userSession; + } + + + private boolean isPublicSecureResource( HttpServletRequest request ) + { + return request.getLocalPort() == Common.DEFAULT_PUBLIC_SECURE_PORT; + } + + + private String getBearerToken( HttpServletRequest request ) + { + String authorization = request.getHeader( "Authorization" ); + String result = null; + if ( authorization != null && authorization.startsWith( "Bearer" ) ) + { + String[] splittedAuthString = authorization.split( "\\s" ); + result = splittedAuthString.length == 2 ? splittedAuthString[1] : null; + } + return result; + } + + + private boolean isPublicResource( HttpServletRequest request ) + { + return ChannelSettings.checkURLAccess( request.getRequestURI() ); + } + + + private void doAs( final Message message, Session userSession ) + { + Subject.doAs( userSession.getSubject(), new PrivilegedAction() + { + @Override + public Void run() + { + try + { + message.getInterceptorChain().doIntercept( message ); + } + catch ( Exception ex ) + { + Throwable t = ExceptionUtils.getRootCause( ex ); + MessageContentUtil.abortChain( message, t ); + } + return null; + } + } ); + } + + //****************************************************************** protected Session authenticateAccess( Message message, HttpServletRequest req ) { @@ -122,37 +152,47 @@ protected Session authenticateAccess( Message message, HttpServletRequest req ) } else { - sptoken = req.getParameter( "sptoken" ); - - if ( Strings.isNullOrEmpty( sptoken ) ) + String bearerToken = getBearerToken( req ); + if ( bearerToken != null ) { - HttpHeaders headers = new HttpHeadersImpl( message.getExchange().getInMessage() ); - sptoken = headers.getHeaderString( "sptoken" ); + return identityManager.login( bearerToken ); } + else + { + sptoken = req.getParameter( "sptoken" ); - //******************Get sptoken from cookies ***************** + if ( Strings.isNullOrEmpty( sptoken ) ) + { + HttpHeaders headers = new HttpHeadersImpl( message.getExchange().getInMessage() ); + sptoken = headers.getHeaderString( "sptoken" ); + } - if ( Strings.isNullOrEmpty( sptoken ) ) - { - Cookie[] cookies = req.getCookies(); - for ( final Cookie cookie : cookies ) + //******************Get sptoken from cookies ***************** + + if ( Strings.isNullOrEmpty( sptoken ) ) { - if ( "sptoken".equals( cookie.getName() ) ) + Cookie[] cookies = req.getCookies(); + for ( final Cookie cookie : cookies ) { - sptoken = cookie.getValue(); + if ( "sptoken".equals( cookie.getName() ) ) + { + sptoken = cookie.getValue(); + } } } - } - if ( Strings.isNullOrEmpty( sptoken ) ) - { - return null; - } - else - { - return identityManager.login( IdentityManager.TOKEN_ID, sptoken ); + if ( Strings.isNullOrEmpty( sptoken ) ) + { + return null; + } + else + { + return identityManager.login( IdentityManager.TOKEN_ID, sptoken ); + } } } } + + //****************************************************************** } \ No newline at end of file diff --git a/management/server/subutai-common/src/main/java/io/subutai/common/settings/ChannelSettings.java b/management/server/subutai-common/src/main/java/io/subutai/common/settings/ChannelSettings.java index c598e1904fb..2b2b99f7b44 100644 --- a/management/server/subutai-common/src/main/java/io/subutai/common/settings/ChannelSettings.java +++ b/management/server/subutai-common/src/main/java/io/subutai/common/settings/ChannelSettings.java @@ -15,7 +15,7 @@ public class ChannelSettings "/rest/v1/security/keyman/getpublickey", "/rest/v1/security/keyman/getpublickeyfingerprint", "/rest/v1/handshake/info", "/rest/v1/handshake/register", "/rest/v1/handshake/approve", "/rest/v1/handshake/cancel", "/rest/v1/handshake/reject", "/rest/v1/handshake/unregister", - "/rest/v1/handshake/status/{$}", "/rest/v1/registration/public-key", "/rest/v1/environments/{$}/info" + "/rest/v1/handshake/status/{$}", "/rest/v1/registration/public-key", "/rest/v1/environments/{$}/info", "/rest/v1/metadata/token/{$}" };