authorEndi S. Dewata <edewata@redhat.com>2015-04-21 16:29:45 -0400
committerEndi S. Dewata <edewata@redhat.com>2015-05-05 15:16:12 -0400
commitcb32779617947a16a0bfdc519a5ecbd0ae7019aa (patch)
treec494909409b00b53a43acacc0bcef9b931bc5474 /base/server/cms/src/org
parent31d96e0ba756fd05bad0c9a577bf27ef9041d490 (diff)
Fixed authentication data in audit log.
The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
Diffstat (limited to 'base/server/cms/src/org')
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java100
1 files changed, 100 insertions, 0 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
new file mode 100644
index 000000000..bae25b660
--- /dev/null
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -0,0 +1,100 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2012 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package org.dogtagpki.server.rest;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Locale;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.certsrv.base.SessionContext;
+import com.netscape.cms.realm.PKIPrincipal;
+import com.netscape.cms.servlet.base.UserInfo;
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+public class SessionContextInterceptor implements ContainerRequestFilter {
+
+ @Context
+ HttpServletRequest servletRequest;
+
+ @Context
+ SecurityContext securityContext;
+
+ public Locale getLocale(HttpServletRequest req) {
+ String lang = req.getHeader("accept-language");
+
+ if (lang == null)
+ return Locale.getDefault();
+
+ return new Locale(UserInfo.getUserLanguage(lang), UserInfo.getUserCountry(lang));
+ }
+
+ @Override
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, ignore.
+ if (principal == null) {
+ CMS.debug("SessionContextInterceptor: Not authenticated.");
+ SessionContext.releaseContext();
+ return;
+ }
+
+ CMS.debug("SessionContextInterceptor: principal: " + principal.getName());
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ CMS.debug("SessionContextInterceptor: Invalid user principal.");
+ throw new ForbiddenException("Invalid user principal.");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ CMS.debug("SessionContextInterceptor: No authorization token present.");
+ throw new ForbiddenException("No authorization token present.");
+ }
+
+ SessionContext context = SessionContext.getContext();
+
+ String ip = servletRequest.getRemoteAddr();
+ context.put(SessionContext.IPADDRESS, ip);
+
+ Locale locale = getLocale(servletRequest);
+ context.put(SessionContext.LOCALE, locale);
+
+ context.put(SessionContext.AUTH_TOKEN, authToken);
+ context.put(SessionContext.USER_ID, pkiPrincipal.getName());
+ context.put(SessionContext.USER, pkiPrincipal.getUser());
+ }
+}
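Review bot: The two rejection branches in filter() (unrecognized principal, missing auth token) throw ForbiddenException without calling SessionContext.releaseContext(), whereas the unauthenticated branch clears the thread-local context before returning; since the worker thread is reused, whatever SessionContext a previous request left on it presumably stays attached for the rest of this request's error handling and any later code that reads it, so add `SessionContext.releaseContext();` immediately before each `throw new ForbiddenException(...)`. Nothing in this file releases the context after a successful request either; if SessionContext.getContext() hands back an existing thread-local instance rather than a fresh one, keys other than the five written here would survive across requests, which is worth confirming and, if so, pairing this filter with a ContainerResponseFilter that releases the context. The class carries only an @author tag; a class-level Javadoc such as `Populates the thread-local SessionContext (client IP, locale, auth token, user) from the authenticated principal on REST request entry, clearing it for unauthenticated requests, so audit records attribute actions to the correct user.` would document the contract the commit message describes.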