Commit e67dc615 authored by michael.simon's avatar michael.simon

starting security measures for direct-auth endpoint

parent 01e5a048
...@@ -20,7 +20,7 @@ import javax.inject.Inject; ...@@ -20,7 +20,7 @@ import javax.inject.Inject;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.POST; import javax.ws.rs.GET;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.PathParam; import javax.ws.rs.PathParam;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
...@@ -62,19 +62,21 @@ public class DirectAuthController { ...@@ -62,19 +62,21 @@ public class DirectAuthController {
private TextPropertyDao textPropertyDao; private TextPropertyDao textPropertyDao;
@Path("/eppn/{service}") @Path("/eppn/{service}")
@POST @GET
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public Map<String, String> ecpLogin(@PathParam("service") String serviceShortName, public Map<String, String> ecpLogin(@PathParam("service") String serviceShortName,
@Context HttpServletRequest request) @Context HttpServletRequest request)
throws IOException, ServletException, RestInterfaceException { throws IOException, ServletException, RestInterfaceException {
//appConfig.getConfigValue(key)
String eppn = (String) request.getAttribute(SecurityFilter.DIRECT_USER_ID); String eppn = (String) request.getAttribute(SecurityFilter.DIRECT_USER_ID);
String password = (String) request.getAttribute(SecurityFilter.DIRECT_USER_PW); String password = (String) request.getAttribute(SecurityFilter.DIRECT_USER_PW);
return userLoginService.ecpLogin(eppn, serviceShortName, password, request.getLocalName()); return userLoginService.ecpLogin(eppn, serviceShortName, password, request.getLocalName());
} }
@Path("/eppn-xml/{service}") @Path("/eppn-xml/{service}")
@POST @GET
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML) @Produces(MediaType.APPLICATION_XML)
public ECPResponse ecpLoginXml(@PathParam("service") String serviceShortName, public ECPResponse ecpLoginXml(@PathParam("service") String serviceShortName,
......
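Review bot: Switching `ecpLogin` and `ecpLoginXml` from `@POST` to `@GET` while leaving `@Consumes(MediaType.APPLICATION_FORM_URLENCODED)` on both methods is contradictory: a GET carries no request body, so the annotation is dead, and a login call that performs a credential check now runs under a verb that caches and proxies treat as safe and repeatable. If the intent is to let ECP clients use GET with the credentials carried in the Authorization header (as the `SecurityFilter.DIRECT_USER_ID`/`DIRECT_USER_PW` attributes suggest), drop the `@Consumes` line on both methods and make sure the response is sent with `Cache-Control: no-store`; otherwise keep `@POST`. The commented-out `//appConfig.getConfigValue(key)` in `ecpLogin` should be removed rather than left as a reminder, since the config check was placed in `SecurityFilter` instead. `ecpLoginXml` continues past the end of the hunk.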
...@@ -36,6 +36,7 @@ import org.apache.commons.codec.binary.Base64; ...@@ -36,6 +36,7 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
import edu.kit.scc.webreg.entity.AdminUserEntity; import edu.kit.scc.webreg.entity.AdminUserEntity;
import edu.kit.scc.webreg.entity.RoleEntity; import edu.kit.scc.webreg.entity.RoleEntity;
import edu.kit.scc.webreg.service.AdminUserService; import edu.kit.scc.webreg.service.AdminUserService;
...@@ -66,6 +67,9 @@ public class SecurityFilter implements Filter { ...@@ -66,6 +67,9 @@ public class SecurityFilter implements Filter {
@Inject @Inject
private AdminUserService adminUserService; private AdminUserService adminUserService;
@Inject
private ApplicationConfig appConfig;
@Override @Override
public void destroy() { public void destroy() {
} }
...@@ -206,6 +210,16 @@ public class SecurityFilter implements Filter { ...@@ -206,6 +210,16 @@ public class SecurityFilter implements Filter {
HttpServletResponse response, FilterChain chain) HttpServletResponse response, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
if (appConfig.getConfigValue("direct_auth_allow") == null) {
logger.info("Denying direct-auth from {}", request.getRemoteAddr());
response.sendError( HttpServletResponse.SC_NOT_ACCEPTABLE );
return;
}
String directAuthAllow = appConfig.getConfigValue("direct_auth_allow");
/*
* need to implement subnet matching here
*/
String auth = request.getHeader("Authorization"); String auth = request.getHeader("Authorization");
if (auth != null) { if (auth != null) {
int index = auth.indexOf(' '); int index = auth.indexOf(' ');
......
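Review bot: The new guard at the top of the direct-auth branch only checks that `direct_auth_allow` is set; the value read into `directAuthAllow` on the second `getConfigValue` call is never used, so an empty or malformed setting still admits every client address and the subnet restriction the comment promises does not exist yet. Until subnet matching is implemented the check should fail closed: read the value once, reject blank values with `StringUtils.isBlank` (already imported), and compare `request.getRemoteAddr()` against the configured entries, with exact-address matching as an interim (the comma-separated format below is a proposal, not something the commit defines). `SC_NOT_ACCEPTABLE` (406) describes content negotiation; `SC_FORBIDDEN` is the accurate status for a policy denial. Be aware that `getRemoteAddr()` returns the proxy's address if the application sits behind a reverse proxy, so the eventual matching has to account for that deployment, which I cannot see from here. The enclosing filter method begins before and continues after the hunk.
```java
String directAuthAllow = appConfig.getConfigValue("direct_auth_allow");
String remoteAddr = request.getRemoteAddr();
if (StringUtils.isBlank(directAuthAllow)) {
    logger.info("Denying direct-auth from {}: direct_auth_allow not configured", remoteAddr);
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
// TODO subnet matching; until then only exact, comma-separated addresses are admitted (fail closed)
boolean allowed = false;
for (String entry : directAuthAllow.split(",")) {
    if (entry.trim().equals(remoteAddr)) {
        allowed = true;
        break;
    }
}
if (!allowed) {
    logger.info("Denying direct-auth from {}: not in direct_auth_allow", remoteAddr);
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
// … unchanged: Authorization header parsing …
```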