
[Branch ~dhis2-devs-core/dhis2/trunk] Rev 2182: Given api it's own security filter chain, and added an ugly filter that

 

------------------------------------------------------------
revno: 2182
committer: Jo Størset <storset@xxxxxxxxx>
branch nick: dhis2
timestamp: Fri 2010-11-26 16:24:28 +0530
message:
  Gave the API its own security filter chain, and added an ugly filter that 
  challenges for Basic auth on these URLs. 
added:
  dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/BasicAuthenticationRequiredFilter.java
modified:
  dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml


--
lp:dhis2
https://code.launchpad.net/~dhis2-devs-core/dhis2/trunk

=== added file 'dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/BasicAuthenticationRequiredFilter.java'
--- dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/BasicAuthenticationRequiredFilter.java	1970-01-01 00:00:00 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/filter/BasicAuthenticationRequiredFilter.java	2010-11-26 10:54:28 +0000
@@ -0,0 +1,52 @@
+package org.hisp.dhis.security.filter;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+/**
+ * Ugly hack, adding a version of {@link BasicAuthenticationFilter} that can
+ * require authentication. Don't think this is the way to do it, but it seems to
+ * be how it's done with {@link RequiredLoginFilter}, so...
+ * <p>
+ * Basically, if not already logged in and the request doesn't supply a Basic
+ * header (those should be handled by super class), ask for it
+ */
+public class BasicAuthenticationRequiredFilter
+    extends BasicAuthenticationFilter
+{
+
+    @Override
+    public void doFilter( ServletRequest req, ServletResponse res, FilterChain chain )
+        throws IOException, ServletException
+    {
+
+        final HttpServletRequest request = (HttpServletRequest) req;
+        final HttpServletResponse response = (HttpServletResponse) res;
+
+        String header = request.getHeader( "Authorization" );
+
+        Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+
+        if ( (existingAuth == null || !existingAuth.isAuthenticated())
+            && (header == null || !header.startsWith( "Basic " )) )
+        {
+            super.getAuthenticationEntryPoint().commence( request, response,
+                new AuthenticationCredentialsNotFoundException( "Authentication required" ) );
+            return;
+        }
+
+        super.doFilter( req, res, chain );
+    }
+
+}
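Review bot: The guard in `doFilter` treats any `Authentication` whose `isAuthenticated()` is true as logged in, which would include an `AnonymousAuthenticationToken` if an anonymous filter is ever placed ahead of this one; such a request would skip the Basic challenge and go straight to `super.doFilter`. The `/api` chain in this commit has no anonymous filter, so this is a hardening point rather than a present bypass, but the first half of the condition could read `existingAuth == null || !existingAuth.isAuthenticated() || existingAuth instanceof AnonymousAuthenticationToken`. `header.startsWith( "Basic " )` is also case-sensitive, so an unauthenticated client that sends the scheme as `basic` is challenged instead of being handed to the superclass. A short Javadoc on `doFilter` stating that an existing authenticated context is accepted without any header would make that trust decision explicit.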

=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml	2010-11-22 20:47:01 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/beans.xml	2010-11-26 10:54:28 +0000
@@ -297,6 +297,7 @@
         <sec:filter-chain pattern="/dhis-web-commons/security/**" filters="none"/>
         <sec:filter-chain pattern="/dhis-web-commons/javascripts/**" filters="none"/>
         <sec:filter-chain pattern="/dhis-web-commons/css/**" filters="none"/>
+        <sec:filter-chain pattern="/api/**/*" filters="httpSessionContextIntegrationFilter,basicAuthenticationRequiredFilter"/>
         <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,authenticationProcessingFilter,logoutFilter,automaticAccessFilter,basicAuthenticationFilter,requiredLoginFilter"/>
         </sec:filter-chain-map>
     </bean>
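Review bot: The new `/api/**/*` chain lists `httpSessionContextIntegrationFilter` first, so a browser that already holds a logged-in session is accepted on API URLs by its session cookie alone, without a Basic header. If any API endpoint changes state, that path presumably needs the same cross-site request protection as the web UI, and the choice deserves a comment on the chain such as `<!-- /api: an existing session is accepted; otherwise challenge for Basic -->`. No authorization filter is visible in this chain, so decisions beyond "is authenticated" appear to rest with the handlers. It is also worth confirming whether `/api/**/*` matches the bare `/api` path; if it does not, that request falls through to the `/**` chain and gets the form-login behaviour instead of a Basic challenge.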
@@ -354,6 +355,11 @@
         <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
     </bean>
 
+    <bean id="basicAuthenticationRequiredFilter" class="org.hisp.dhis.security.filter.BasicAuthenticationRequiredFilter">
+        <property name="authenticationManager" ref="authenticationManager" />
+        <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
+    </bean>
+
     <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
         <property name="realmName" value="DHIS2"/>
     </bean>
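Review bot: This bean reuses the `authenticationEntryPoint` Basic challenge for the API, which means clients will send the account password, only base64-encoded, with each request that authenticates this way. Nothing in the visible configuration requires a secure channel for `/api`, so it is worth confirming that these URLs are reachable over HTTPS only and recording that above the bean, e.g. `<!-- Basic auth: expose /api over TLS only -->`.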

