Merge pull request #1149 from inoshperera/master

Improvement on the basic auth handling
4.x.x
Ruwan 7 years ago committed by GitHub
commit c6c068fad2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -106,6 +106,14 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
} }
private boolean isNonSecuredEndPoint(Request request) { private boolean isNonSecuredEndPoint(Request request) {
if (request.getCoyoteRequest() != null && request.getCoyoteRequest().getMimeHeaders() !=
null && request.getCoyoteRequest().getMimeHeaders().getValue(Constants
.HTTPHeaders.HEADER_HTTP_AUTHORIZATION) != null) {
//This is to handle the DEP behaviours of the same endpoint being non-secured in the
// first call and then being secured in the second call which comes with the basic
// auth header.
return false;
}
String uri = request.getRequestURI(); String uri = request.getRequestURI();
if (uri == null) { if (uri == null) {
uri = ""; uri = "";
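Review bot: The new guard on lines 13–15 treats any Authorization header, whatever its scheme or validity, as a request to authenticate, so a client that sends e.g. a Bearer or malformed Authorization value to a URI listed as non-secured is now routed into the authenticators and presumably rejected where it was previously served; that is fail-closed, but it is a behaviour change the comment should state. The three-level null chain can use the servlet API the Request already exposes: `if (request.getHeader(Constants.HTTPHeaders.HEADER_HTTP_AUTHORIZATION) != null) {`. I would also reword the comment to give the rule rather than only the motivating case: `// A request carrying an Authorization header is always treated as secured, even on an otherwise non-secured URI (DEP calls the same endpoint anonymously first and with Basic credentials second).`. isNonSecuredEndPoint continues past the hunk.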
@ -146,8 +154,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
String msg = "Failed to authorize incoming request"; String msg = "Failed to authorize incoming request";
if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) { if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) {
msg = authenticationInfo.getMessage(); msg = authenticationInfo.getMessage();
response.setHeader("WWW-Authenticate", msg); response.setHeader("WWW-Authenticate", "Basic");
} }
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI())); log.debug(msg + " , API : " + Encode.forUriComponent(request.getRequestURI()));
} }
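Review bot: The `WWW-Authenticate` header on line 28 is only emitted when the authenticator populated a message, because the setHeader call sits inside the `if (authenticationInfo.getMessage() != null ...)` block on line 26; a rejection with an empty message is sent without any challenge, which is what the added setMessage in the BasicAuthAuthenticator hunk appears to paper over. Move the call out of that block so it runs on every failure, and give the challenge a realm so clients know which credentials to present: `response.setHeader("WWW-Authenticate", "Basic realm=\"" + BASIC_AUTH_REALM + "\"");` with `BASIC_AUTH_REALM` a constant the project chooses (placeholder name). Replacing the free-text message with a fixed scheme token is right on its own, since the old code put an internal failure message into a response header. Whether the response status is actually set to 401 is outside the hunk.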

@ -50,6 +50,14 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
@Override @Override
public boolean canHandle(Request request) { public boolean canHandle(Request request) {
/*
This is done to avoid every endpoint being able to use basic auth. Add the following to
the required web.xml of the web app.
<context-param>
<param-name>basicAuth</param-name>
<param-value>true</param-value>
</context-param>
*/
if (!isAuthenticationSupported(request)) { if (!isAuthenticationSupported(request)) {
return false; return false;
} }
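Review bot: The block comment on lines 37–44 is attached to canHandle, but the check it describes is performed by isAuthenticationSupported, which is outside the hunk, so a reader of that method will not find it. Move it to a Javadoc on canHandle (or on isAuthenticationSupported) so it survives into generated docs, and state the consequence as well as the recipe: `Basic auth is opt-in per web app: unless the web.xml context-param basicAuth is set to true this authenticator declines the request.`. Keeping the feature opt-in is the safer default, since the presence of an Authorization header alone then does not turn on credential checking for arbitrary web apps.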
@ -84,6 +92,7 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
authenticationInfo.setTenantDomain(Utils.getTenantDomain(tenantId)); authenticationInfo.setTenantDomain(Utils.getTenantDomain(tenantId));
authenticationInfo.setTenantId(tenantId); authenticationInfo.setTenantId(tenantId);
} else { } else {
authenticationInfo.setMessage("Failed to authorize incoming request.");
authenticationInfo.setStatus(Status.FAILURE); authenticationInfo.setStatus(Status.FAILURE);
} }
} catch (UserStoreException e) { } catch (UserStoreException e) {
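Review bot: The literal on line 52 duplicates the valve's default text ("Failed to authorize incoming request", without the trailing period), so the two strings now drift; keep one constant and reference it from both places. Because the valve in this same commit only emits the WWW-Authenticate challenge when this message is non-empty, the failure response now depends on this call being present, which is fragile coupling that should be resolved by making the challenge unconditional on the valve side. Using the same generic message for an unknown user and a wrong password is correct, as it does not reveal which one failed. The enclosing try block starts before the hunk and the catch continues past it.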

@ -1918,7 +1918,7 @@
<!-- Nimbus Jose--> <!-- Nimbus Jose-->
<nimbus.orbit.version>2.26.1.wso2v3</nimbus.orbit.version> <nimbus.orbit.version>2.26.1.wso2v3</nimbus.orbit.version>
<commons-json.version>2.0.0.wso2v1</commons-json.version> <commons-json.version>3.0.0.wso2v1</commons-json.version>
<json.smart.version>1.3</json.smart.version> <json.smart.version>1.3</json.smart.version>
<google.gson.version>2.3.1</google.gson.version> <google.gson.version>2.3.1</google.gson.version>
<jsr311.version>1.1.1</jsr311.version> <jsr311.version>1.1.1</jsr311.version>
