[Engine-patches] Change in ovirt-engine[master]: aaa: Add Bearer and Negotiate auth filters

Mon, 15 Jun 2015 10:53:37 -0700 

Ravi Nori has posted comments on this change.

Change subject: aaa: Add Bearer and Negotiate auth filters
......................................................................


Patch Set 1:

(5 comments)

https://gerrit.ovirt.org/#/c/42292/1/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SSOOAuthServiceUtils.java
File 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SSOOAuthServiceUtils.java:

Line 66:                     resp.encodeURL("password"),
Line 67:                     resp.encodeURL((String) payload.get("username")),
Line 68:                     resp.encodeURL(""),
Line 69:                     resp.encodeURL(scope),
Line 70:                     resp.encodeURL(jsonPayload)));
> what is payload?
the user group ids, principal id etc so login on behalf works seamlessly with 
eveything on SSO
Line 71:             return getData(connection);
Line 72:         } finally {
Line 73:             if (connection != null) {
Line 74:                 connection.disconnect();


https://gerrit.ovirt.org/#/c/42292/1/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBasicAuthFilter.java
File 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBasicAuthFilter.java:

Line 14:     private final Logger log = LoggerFactory.getLogger(getClass());
Line 15:     private static final String scope = "ovirt-app-api";
Line 16: 
Line 17:     protected void authenticateWithSSO(HttpServletRequest req, 
HttpServletResponse res) throws ServletException {
Line 18:         try {
> don't you need to check here if this is "Basic"? same as you have done with
Done
Line 19:             Map<String, Object> response = 
SSOOAuthServiceUtils.authenticate(req, res, scope);
Line 20:             FiltersHelper.isStatusOk(response);
Line 21:             createUserSession(req, 
FiltersHelper.getPayloadForToken(req, res, (String) 
response.get("access_token")));
Line 22:         } catch (Exception e) {


https://gerrit.ovirt.org/#/c/42292/1/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBearerAuthFilter.java
File 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiBearerAuthFilter.java:

Line 17:         String headerValue = 
req.getHeader(FiltersHelper.Constants.HEADER_AUTHORIZATION);
Line 18:         if (headerValue != null && headerValue.startsWith("Bearer ")) {
Line 19:             try {
Line 20:                 createUserSession(req, 
FiltersHelper.getPayloadForToken(req, res,
Line 21:                         new 
String(Base64.decodeBase64(headerValue.substring("Bearer".length())), 
Charset.forName("UTF-8"))
> why do you decode the Bearer?
We are passing the token to tokenInfo servlet on SSO. The token Info servlet is 
used in other places too and accepts the token (decoded). 

So this filter accepts Bearer auth token, decodes and sends to SSO.
Line 22:                 ));
Line 23:             } catch (Exception e) {
Line 24:                 log.error(e.getMessage());
Line 25:                 log.debug("Bearer Authentication with SSO failed", e);


https://gerrit.ovirt.org/#/c/42292/1/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiNegotiationFilter.java
File 
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/filters/SSORestApiNegotiationFilter.java:

Line 99:             }
Line 100:             Map<String, Object> payload = doAuth(req, resp);
Line 101: 
Line 102:             if (!payload.isEmpty()) {
Line 103:                 Map<String, Object> response = 
SSOOAuthServiceUtils.loginOnBehalf(req, resp, payload, scope);
> ok, I understand what payload now... all we need to have is user@profile an
Ok will change
Line 104:                 FiltersHelper.isStatusOk(response);
Line 105:                 createUserSession(req, 
FiltersHelper.getPayloadForToken(req, resp, (String) 
response.get("access_token")));
Line 106:             }
Line 107:         } catch (Exception e) {


Line 154:                                     Authn.InvokeKeys.AUTH_RECORD,
Line 155:                                     authRecord
Line 156:                             );
Line 157:                         }
Line 158:                         ExtMap outputMap = 
profile.getAuthz().invoke(new ExtMap().mput(
> this ^ is not required, access to authz should be done at sso side, also th
will change
Line 159:                                 Base.InvokeKeys.COMMAND,
Line 160:                                 
Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
Line 161:                         ).mput(
Line 162:                                 Authn.InvokeKeys.AUTH_RECORD,


-- 
To view, visit https://gerrit.ovirt.org/42292
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Idee5137430cefa7ca99c047cfd2d550222e5809a
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ravi Nori <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Jenkins CI
Gerrit-Reviewer: Ravi Nori <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches

Reply via email to