From 5d696d5de29052d9240e7b83782ccb6442f7ab23 Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Wed, 11 Apr 2012 15:58:59 +0000
Subject: [PATCH] use POST rather than GET for login to prevent password being in http logs.
git-svn-id: https://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk@1324829 13f79535-47bb-0310-9956-ffa450edef68
---
 .../redback/rest/api/model/LoginRequest.java | 77 +++++++++++++++++++
 .../rest/api/services/LoginService.java | 6 +-
 .../rest/services/DefaultLoginService.java | 21 ++---
 .../rest/services/LoginServiceTest.java | 15 ++--
 4 files changed, 101 insertions(+), 18 deletions(-)
 create mode 100644 redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java
diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java
new file mode 100644
index 00000000..ae7b0d13
--- /dev/null
+++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java
@@ -0,0 +1,77 @@
+package org.apache.archiva.redback.rest.api.model;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+
+ * http://www.apache.org/licenses/LICENSE-2.0
+
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+import java.io.Serializable;
+
+/**
+ * @author Olivier Lamy
+ * @since 2.0
+ */
+@XmlRootElement( name = "loginRequest" )
+public class LoginRequest
+ implements Serializable
+{
+ private String username;
+
+ private String password;
+
+ public LoginRequest()
+ {
+ // no op
+ }
+
+ public LoginRequest( String username, String password )
+ {
+ this.username = username;
+ this.password = password;
+ }
+
+ public String getUsername()
+ {
+ return username;
+ }
+
+ public void setUsername( String username )
+ {
+ this.username = username;
+ }
+
+ public String getPassword()
+ {
+ return password;
+ }
+
+ public void setPassword( String password )
+ {
+ this.password = password;
+ }
+
+ @Override
+ public String toString()
+ {
+ final StringBuilder sb = new StringBuilder();
+ sb.append( "LoginRequest" );
+ sb.append( "{username='" ).append( username ).append( '\'' );
+ sb.append( ", password='" ).append( password ).append( '\'' );
+ sb.append( '}' );
+ return sb.toString();
+ }
+}
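Review bot: `toString()` at the end of the hunk appends the raw `password` field, so any log statement, exception message or debugger that formats a LoginRequest writes the credential in clear, which works against the stated purpose of moving login off the GET query string. Mask it instead: `sb.append( ", password='" ).append( password == null ? "null" : "********" ).append( '\'' );`. The class Javadoc carries only `@author` and `@since`; a one-sentence summary such as `Credentials sent in the body of a POST to logIn so they stay out of request URLs and HTTP access logs.` would record why the type exists.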
diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
index c297b424..0b3fca16 100644
--- a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
+++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
@@ -20,9 +20,11 @@ package org.apache.archiva.redback.rest.api.services;
 */
 import org.apache.archiva.redback.authorization.RedbackAuthorization;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
 import org.apache.archiva.redback.rest.api.model.User;
 import javax.ws.rs.GET;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
@@ -58,14 +60,14 @@ public interface LoginService
 throws RedbackServiceException;
 @Path( "logIn" )
- @GET
+ @POST
 @RedbackAuthorization( noRestriction = true, noPermission = true )
 @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } )
 /**
 * check username/password and create a http session.
 * So no more need of reuse username/password for all ajaxRequest
 */
- User logIn( @QueryParam( "userName" ) String userName, @QueryParam( "password" ) String password )
+ User logIn( LoginRequest loginRequest )
 throws RedbackServiceException;
 @Path( "isLogged" )
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
index ec85d712..85a9bdf2 100644
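Review bot: `logIn` now takes `LoginRequest` from the request body but the second hunk declares only `@Produces`, no `@Consumes`, so the resource will accept any media type for which the runtime has a message-body reader registered; adding `@Consumes( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )` next to the `@Produces` line pins the accepted representations to the two the model is annotated for. The Javadoc block ("check username/password and create a http session") sits between the annotations and the signature, where the javadoc tool does not attach it to the method; it belongs above `@Path( "logIn" )`. The `javax.ws.rs.QueryParam` import kept in the first hunk is now unused unless another method in this interface still takes query parameters, which I cannot see from here.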
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
@@ -18,22 +18,24 @@ package org.apache.archiva.redback.rest.services;
 * specific language governing permissions and limitations
 * under the License.
 */
+
 import org.apache.archiva.redback.authentication.AuthenticationException;
+import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
+import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
+import org.apache.archiva.redback.keys.AuthenticationKey;
 import org.apache.archiva.redback.keys.KeyManager;
 import org.apache.archiva.redback.keys.jdo.JdoAuthenticationKey;
-import org.apache.archiva.redback.policy.AccountLockedException;
-import org.apache.archiva.redback.policy.MustChangePasswordException;
-import org.apache.archiva.redback.users.UserNotFoundException;
-import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
-import org.apache.archiva.redback.keys.AuthenticationKey;
 import org.apache.archiva.redback.keys.memory.MemoryAuthenticationKey;
 import org.apache.archiva.redback.keys.memory.MemoryKeyManager;
-import org.apache.archiva.redback.system.SecuritySession;
-import org.apache.archiva.redback.system.SecuritySystem;
-import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
+import org.apache.archiva.redback.policy.AccountLockedException;
+import org.apache.archiva.redback.policy.MustChangePasswordException;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
 import org.apache.archiva.redback.rest.api.model.User;
 import org.apache.archiva.redback.rest.api.services.LoginService;
 import org.apache.archiva.redback.rest.api.services.RedbackServiceException;
+import org.apache.archiva.redback.system.SecuritySession;
+import org.apache.archiva.redback.system.SecuritySystem;
+import org.apache.archiva.redback.users.UserNotFoundException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Service;
@@ -120,9 +122,10 @@ public class DefaultLoginService
 return Boolean.TRUE;
 }
- public User logIn( String userName, String password )
+ public User logIn( LoginRequest loginRequest )
 throws RedbackServiceException
 {
+ String userName = loginRequest.getUsername(), password = loginRequest.getPassword();
 PasswordBasedAuthenticationDataSource authDataSource =
 new PasswordBasedAuthenticationDataSource( userName, password );
 try
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
index a5ec4cb6..ab5565b0 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
@@ -19,6 +19,7 @@ package org.apache.archiva.redback.rest.services;
 */
 import org.apache.archiva.redback.integration.security.role.RedbackRoleConstants;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
 import org.apache.archiva.redback.rest.api.model.User;
 import org.apache.archiva.redback.rest.api.services.UserService;
 import org.junit.Test;
@@ -30,15 +31,15 @@ public class LoginServiceTest
 extends AbstractRestServicesTest
 {
 @Test
- public void loginAdmin( )
+ public void loginAdmin()
 throws Exception
 {
- assertNotNull( getLoginService( null ).logIn( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
- FakeCreateAdminService.ADMIN_TEST_PWD ) );
+ assertNotNull( getLoginService( null ).logIn( new LoginRequest( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
+ FakeCreateAdminService.ADMIN_TEST_PWD ) ) );
 }
 @Test
- public void createUserThenLog( )
+ public void createUserThenLog()
 throws Exception
 {
 try
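Review bot: The added line dereferences `loginRequest` without a null check, so a POST with no body (or one the provider unmarshals to null) ends in a NullPointerException and a generic 500 rather than the RedbackServiceException callers of this service handle; guard it first with `if ( loginRequest == null ) { throw new RedbackServiceException( <message> ); }`, using whichever constructor that exception class offers — its signature is not visible here. Splitting the combined declaration into `String userName = loginRequest.getUsername();` and `String password = loginRequest.getPassword();` also matches the one-declaration-per-line style of the surrounding code. The body of logIn continues past the end of the hunk.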
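Review bot: The updated loginAdmin test in the last hunk only exercises the new POST body path; nothing asserts that a GET against `logIn` with the old query parameters is now refused, which is the behaviour this commit exists to guarantee and the one most likely to regress silently if the annotation is ever flipped back. A test that issues a plain GET to the `logIn` path and expects the method-not-allowed status (or whatever the JAX-RS runtime here returns — the client setup is outside this view) would pin it. The body of createUserThenLog continues past the end of the hunk.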
@@ -56,9 +57,9 @@ public class LoginServiceTest
 // END SNIPPET: create-user
 user = userService.getUser( "toto" );
 assertNotNull( user );
- assertEquals( "toto the king", user.getFullName( ) );
- assertEquals( "toto@toto.fr", user.getEmail( ) );
- getLoginService( encode( "toto", "foo123" ) ).pingWithAutz( );
+ assertEquals( "toto the king", user.getFullName() );
+ assertEquals( "toto@toto.fr", user.getEmail() );
+ getLoginService( encode( "toto", "foo123" ) ).pingWithAutz();
 }
 finally
 {