use POST rather than GET for login to prevent the password from appearing in HTTP logs.

git-svn-id: https://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk@1324829 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Olivier Lamy 2012-04-11 15:58:59 +00:00
parent fc4295ae21
commit 5d696d5de2
4 changed files with 101 additions and 18 deletions


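--- /dev/null
+++ b/LoginRequest.java
@@ -0,0 +1,77 @@
+package org.apache.archiva.redback.rest.api.model;
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+import javax.xml.bind.annotation.XmlRootElement;
+import java.io.Serializable;
+/**
+* @author Olivier Lamy
+* @since 2.0
+*/
+@XmlRootElement( name = "loginRequest" )
+public class LoginRequest
+implements Serializable
+{
+private String username;
+private String password;
+public LoginRequest()
+{
+// no op
+}
+public LoginRequest( String username, String password )
+{
+this.username = username;
+this.password = password;
+}
+public String getUsername()
+{
+return username;
+}
+public void setUsername( String username )
+{
+this.username = username;
+}
+public String getPassword()
+{
+return password;
+}
+public void setPassword( String password )
+{
+this.password = password;
+}
+@Override
+public String toString()
+{
+final StringBuilder sb = new StringBuilder();
+sb.append( "LoginRequest" );
+sb.append( "{username='" ).append( username ).append( '\'' );
+sb.append( ", password='" ).append( password ).append( '\'' );
+sb.append( '}' );
+return sb.toString();
+}
+}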
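Review bot: `toString()` writes the clear-text password into its output (`sb.append( ", password='" ).append( password )`), so any debug logging, exception message or error page that renders a `LoginRequest` puts the credential back into the logs this commit is trying to keep it out of. Redact that field instead, e.g. `sb.append( ", password='" ).append( "********" ).append( '\'' );`, or leave it out of the string entirely; the username alone is enough to correlate a request. A short class Javadoc saying that this object carries a credential and must never be logged or serialized to storage would also help future maintainers, since the class is `Serializable`.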


@ -20,9 +20,11 @@ package org.apache.archiva.redback.rest.api.services;
*/
import org.apache.archiva.redback.authorization.RedbackAuthorization;
import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
@ -58,14 +60,14 @@ public interface LoginService
throws RedbackServiceException;
@Path( "logIn" )
@GET
@POST
@RedbackAuthorization( noRestriction = true, noPermission = true )
@Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } )
/**
* check username/password and create a http session.
* So no more need of reuse username/password for all ajaxRequest
*/
User logIn( @QueryParam( "userName" ) String userName, @QueryParam( "password" ) String password )
User logIn( LoginRequest loginRequest )
throws RedbackServiceException;
@Path( "isLogged" )
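Review bot: The new `User logIn( LoginRequest loginRequest )` carries `@Produces` but no `@Consumes`, so the media type accepted for the request entity is left to the JAX-RS default rather than stated on the contract; adding `@Consumes( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )` beside `@Produces` tells clients how to encode the body and lets the container reject anything else. Moving the credentials from query parameters into the POST body keeps them out of access logs, proxy logs and browser history, but it does not protect them in transit, so this endpoint still depends on being served over TLS. The Javadoc block between the annotations and the declaration would also be worth extending with `@param loginRequest the username/password pair to authenticate` so the new entity parameter is documented. The rest of the interface lies outside this hunk.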


@ -18,22 +18,24 @@ package org.apache.archiva.redback.rest.services;
* specific language governing permissions and limitations
* under the License.
*/
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.keys.AuthenticationKey;
import org.apache.archiva.redback.keys.KeyManager;
import org.apache.archiva.redback.keys.jdo.JdoAuthenticationKey;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
import org.apache.archiva.redback.keys.AuthenticationKey;
import org.apache.archiva.redback.keys.memory.MemoryAuthenticationKey;
import org.apache.archiva.redback.keys.memory.MemoryKeyManager;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import org.apache.archiva.redback.rest.api.services.LoginService;
import org.apache.archiva.redback.rest.api.services.RedbackServiceException;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
@ -120,9 +122,10 @@ public class DefaultLoginService
return Boolean.TRUE;
}
public User logIn( String userName, String password )
public User logIn( LoginRequest loginRequest )
throws RedbackServiceException
{
String userName = loginRequest.getUsername(), password = loginRequest.getPassword();
PasswordBasedAuthenticationDataSource authDataSource =
new PasswordBasedAuthenticationDataSource( userName, password );
try
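Review bot: `String userName = loginRequest.getUsername(), password = loginRequest.getPassword();` dereferences `loginRequest` without a null check, so a POST with an empty or unparseable body most likely surfaces as a NullPointerException and a 500 rather than a clean authentication failure; reject a null request (and arguably a null username) before building the `PasswordBasedAuthenticationDataSource`, throwing `RedbackServiceException` the same way the surrounding code does (its constructor is not visible in this hunk). Splitting the two declarations onto separate lines would also match the rest of the class better than the comma-joined form. The body of `logIn` continues past the end of the hunk.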


@ -19,6 +19,7 @@ package org.apache.archiva.redback.rest.services;
*/
import org.apache.archiva.redback.integration.security.role.RedbackRoleConstants;
import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import org.apache.archiva.redback.rest.api.services.UserService;
import org.junit.Test;
@ -30,15 +31,15 @@ public class LoginServiceTest
extends AbstractRestServicesTest
{
@Test
public void loginAdmin( )
public void loginAdmin()
throws Exception
{
assertNotNull( getLoginService( null ).logIn( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
FakeCreateAdminService.ADMIN_TEST_PWD ) );
assertNotNull( getLoginService( null ).logIn( new LoginRequest( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
FakeCreateAdminService.ADMIN_TEST_PWD ) ) );
}
@Test
public void createUserThenLog( )
public void createUserThenLog()
throws Exception
{
try
@ -56,9 +57,9 @@ public class LoginServiceTest
// END SNIPPET: create-user
user = userService.getUser( "toto" );
assertNotNull( user );
assertEquals( "toto the king", user.getFullName( ) );
assertEquals( "toto@toto.fr", user.getEmail( ) );
getLoginService( encode( "toto", "foo123" ) ).pingWithAutz( );
assertEquals( "toto the king", user.getFullName() );
assertEquals( "toto@toto.fr", user.getEmail() );
getLoginService( encode( "toto", "foo123" ) ).pingWithAutz();
}
finally
{
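Review bot: As far as this hunk shows, the tests only exercise the success path of the new `logIn( new LoginRequest( ... ) )` signature; there is no case sending a wrong password or an empty `LoginRequest`, which is where a body-based login is most likely to regress into a server error instead of an authentication failure. A companion test such as `getLoginService( null ).logIn( new LoginRequest( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME, "wrong" ) )` asserting the expected `RedbackServiceException` would pin that behaviour. `createUserThenLog` starts in this hunk but its body runs past the last line shown.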