From db5f3e1fc72065397898bf5e8d1f03f3140600d0 Mon Sep 17 00:00:00 2001 From: Remigiusz Janeczek Date: Thu, 24 Oct 2019 08:50:49 +0200 Subject: Fix security issue in api interceptor Issue-ID: DCAEGEN2-1880 Change-Id: I5b93dd8405ef9a0a364c6e1224afcfacc9df1fba Signed-off-by: Remigiusz Janeczek --- .../java/org/onap/dcae/restapi/ApiAuthInterceptor.java | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'src/main') diff --git a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java index a9281594..f1734080 100644 --- a/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java +++ b/src/main/java/org/onap/dcae/restapi/ApiAuthInterceptor.java @@ -55,8 +55,8 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { SubjectMatcher subjectMatcher = new SubjectMatcher(settings,(X509Certificate[]) request.getAttribute(CERTIFICATE_X_509)); - if(!settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value()) && request.getServerPort() == settings.httpPort() ){ - if(request.getRequestURI().replaceAll("^/|/$", "").equalsIgnoreCase("healthcheck")){ + if(isHttpPortCalledWithAuthTurnedOn(request)){ + if(isHealthcheckCalledFromInsideCluster(request)){ return true; } response.getWriter().write("Operation not permitted"); @@ -78,6 +78,16 @@ public class ApiAuthInterceptor extends HandlerInterceptorAdapter { return true; } + private boolean isHttpPortCalledWithAuthTurnedOn(HttpServletRequest request) { + return !settings.authMethod().equalsIgnoreCase(AuthMethodType.NO_AUTH.value()) + && request.getLocalPort() == settings.httpPort(); + } + + private boolean isHealthcheckCalledFromInsideCluster(HttpServletRequest request) { + return request.getRequestURI().replaceAll("^/|/$", "").equalsIgnoreCase("healthcheck") + && request.getServerPort() == settings.httpPort(); + } + private boolean validateBasicHeader(HttpServletRequest request, HttpServletResponse response) throws IOException { String authorizationHeader = request.getHeader("Authorization"); -- cgit 1.2.3-korg