Commit e67dc615 authored by michael.simon's avatar michael.simon

starting security measures for direct-auth endpoint

parent 01e5a048
......@@ -20,7 +20,7 @@ import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
......@@ -62,19 +62,21 @@ public class DirectAuthController {
private TextPropertyDao textPropertyDao;
@Path("/eppn/{service}")
@POST
@GET
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Map<String, String> ecpLogin(@PathParam("service") String serviceShortName,
@Context HttpServletRequest request)
throws IOException, ServletException, RestInterfaceException {
//appConfig.getConfigValue(key)
String eppn = (String) request.getAttribute(SecurityFilter.DIRECT_USER_ID);
String password = (String) request.getAttribute(SecurityFilter.DIRECT_USER_PW);
return userLoginService.ecpLogin(eppn, serviceShortName, password, request.getLocalName());
}
@Path("/eppn-xml/{service}")
@POST
@GET
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML)
public ECPResponse ecpLoginXml(@PathParam("service") String serviceShortName,
......
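Review bot: The commented-out `//appConfig.getConfigValue(key)` inside ecpLogin is dead code and should be dropped if it is on the new side (this view has lost the +/- markers). ecpLogin carries both `@POST` and `@GET` here, one of them being the old line; if `@GET` is the one added, `@Consumes(MediaType.APPLICATION_FORM_URLENCODED)` no longer describes the request, since a GET has no entity body, and a state-establishing login becomes reachable through a method that caches and proxies treat as safe and idempotent. The credentials appear to arrive only as request attributes set by SecurityFilter from the Authorization header, which is what makes that tolerable — worth confirming nothing ever reads them from the query string. ecpLoginXml's signature continues past the end of the hunk.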
......@@ -36,6 +36,7 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
import edu.kit.scc.webreg.entity.AdminUserEntity;
import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.service.AdminUserService;
......@@ -65,7 +66,10 @@ public class SecurityFilter implements Filter {
@Inject
private AdminUserService adminUserService;
@Inject
private ApplicationConfig appConfig;
@Override
public void destroy() {
}
......@@ -206,6 +210,16 @@ public class SecurityFilter implements Filter {
HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (appConfig.getConfigValue("direct_auth_allow") == null) {
logger.info("Denying direct-auth from {}", request.getRemoteAddr());
response.sendError( HttpServletResponse.SC_NOT_ACCEPTABLE );
return;
}
String directAuthAllow = appConfig.getConfigValue("direct_auth_allow");
/*
* need to implement subnet matching here
*/
String auth = request.getHeader("Authorization");
if (auth != null) {
int index = auth.indexOf(' ');
......
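Review bot: The new guard only checks that `direct_auth_allow` is configured; `directAuthAllow` is assigned and never used, so once the key exists every remote address falls through to the Authorization parsing below, and the subnet matching the comment promises is the actual access control. Until it is implemented the filter should fail closed: compare `request.getRemoteAddr()` against the configured value and send the same 406 on no match, as sketched below (the value is assumed to be a comma-separated list of CIDR blocks — confirm against the config; `InetAddress` and `UnknownHostException` need importing). If the filter runs behind a reverse proxy, `getRemoteAddr()` is the proxy's address, so the list must be evaluated against the client address the proxy is trusted to forward, not a header any client can set. The enclosing method continues past the end of the hunk.
```java
// … unchanged: null check on direct_auth_allow, 406 and return …
String directAuthAllow = appConfig.getConfigValue("direct_auth_allow");
if (!isRemoteAllowed(directAuthAllow, request.getRemoteAddr())) {
    logger.info("Denying direct-auth from {}", request.getRemoteAddr());
    response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE);
    return;
}
// … unchanged: Authorization header parsing …

/*
 * Returns true when remoteAddr lies within one of the comma-separated CIDR
 * blocks in allowList (format assumed -- confirm). Fails closed on any
 * malformed entry or unparseable address.
 */
private boolean isRemoteAllowed(String allowList, String remoteAddr) {
    try {
        byte[] remote = InetAddress.getByName(remoteAddr).getAddress();
        for (String entry : allowList.split(",")) {
            String[] parts = entry.trim().split("/");
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (net.length != remote.length || prefix < 0 || prefix > net.length * 8) {
                continue; // family mismatch or invalid prefix length never matches
            }
            if (prefixMatches(net, remote, prefix)) {
                return true;
            }
        }
    } catch (UnknownHostException | NumberFormatException e) {
        logger.warn("Invalid direct_auth_allow entry or remote address", e);
    }
    return false;
}

/* Compares the first prefix bits of two equal-length addresses. */
private static boolean prefixMatches(byte[] net, byte[] addr, int prefix) {
    for (int bit = 0; bit < prefix; bit++) {
        int mask = 0x80 >>> (bit % 8);
        if ((net[bit / 8] & mask) != (addr[bit / 8] & mask)) {
            return false;
        }
    }
    return true;
}
```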