author | Tomek Kaminski <tomasz.kaminski@nokia.com> | 2019-06-06 15:16:36 +0200 |
---|---|---|
committer | Tomek Kaminski <tomasz.kaminski@nokia.com> | 2019-06-06 15:16:36 +0200 |
commit | 93d5487de40e143e4e22d3eb856543ab29b34ab5 (patch) | |
tree | 3eeb802963daa874530fe75633a2664988646aca /src/main/java | |
parent | 32a312c7094841489ee5611d8c9fca55382954bd (diff) |
DMaaPAuthFilter refactor
- added client certificate handling
- fixed forceAAF flag reading
Issue-ID: DMAAP-1214
Signed-off-by: Tomek Kaminski <tomasz.kaminski@nokia.com>
Change-Id: Icaa80cc40f8c6b50f36096c205d67d14cdbebd2a
Diffstat (limited to 'src/main/java')
-rw-r--r-- | src/main/java/org/onap/dmaap/util/DMaaPAuthFilter.java | 116 |
1 files changed, 63 insertions, 53 deletions
diff --git a/src/main/java/org/onap/dmaap/util/DMaaPAuthFilter.java b/src/main/java/org/onap/dmaap/util/DMaaPAuthFilter.java
index 547c4cd..5c7170b 100644
--- a/src/main/java/org/onap/dmaap/util/DMaaPAuthFilter.java
+++ b/src/main/java/org/onap/dmaap/util/DMaaPAuthFilter.java
@@ -8,19 +8,20 @@
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * http://www.apache.org/licenses/LICENSE-2.0
-*
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END=========================================================
- *
+ *
 * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- *
+ *
 *******************************************************************************/
- package org.onap.dmaap.util;
+package org.onap.dmaap.util;
+import com.att.ajsc.filemonitor.AJSCPropertiesMap;
 import java.io.IOException;
 import javax.servlet.FilterChain;
@@ -29,62 +30,71 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import org.onap.dmaap.dmf.mr.constants.CambriaConstants;
 import org.onap.dmaap.dmf.mr.utils.Utils;
 import com.att.eelf.configuration.EELFLogger;
 import com.att.eelf.configuration.EELFManager;
 import org.springframework.stereotype.Component;
 import org.onap.aaf.cadi.filter.CadiFilter;
-//import ajsc.external.plugins.cadi.AjscCadiFilter;
-import javax.servlet.FilterConfig;
 /**
- * This is a Servlet Filter class
- * overriding the AjscCadiFilter
- */
-@Component
+ * This is a Servlet Filter class overriding the AjscCadiFilter
+ */
+@Component
 public class DMaaPAuthFilter extends CadiFilter {
-
- //private Logger log = Logger.getLogger(DMaaPAuthFilter.class.toString());
-
- private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPAuthFilter.class);
-
- public DMaaPAuthFilter() throws Exception {
- super();
- }
-
- /* public void init(FilterConfig filterConfig) throws ServletException {
-
- super.init(filterConfig);
- System.out.println("---------------------------- in init method");
- }*/
-
- /**
- * This method will disable Cadi Authentication
- * if cambria headers are present in the request
- * else continue with Cadi Authentication
- */
- @Override
- public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
- ServletException {
- log.info("inside servlet filter Cambria Auth Headers checking before doing other Authentication");
- HttpServletRequest request = (HttpServletRequest) req;
- boolean forceAAF = Boolean.valueOf(System.getProperty("forceAAF"));
-
- //if (forceAAF || null != request.getHeader("Authorization") ){
- if (Utils.isCadiEnabled()&&(forceAAF || null != request.getHeader("Authorization") ||
- (null != request.getHeader("AppName") && request.getHeader("AppName").equalsIgnoreCase("invenio") &&
- null != request.getHeader("cookie")))){
- super.doFilter(req, res, chain);
-
- } else {
- System.setProperty("CadiAuthN", "authentication-scheme-2");
- chain.doFilter(req, res);
-
-
- }
-
- }
-
- }
+
+ private static final String FORCE_AAF_FLAG = "forceAAF";
+ static final String X509_ATTR = "javax.servlet.request.X509Certificate";
+ static final String AUTH_HEADER = "Authorization";
+ static final String APP_HEADER = "AppName";
+ static final String COOKIE_HEADER = "cookie";
+ private static final EELFLogger log = EELFManager.getInstance().getLogger(DMaaPAuthFilter.class);
+
+ public DMaaPAuthFilter() {
+ super();
+ }
+
+ /**
+ * This method will disable Cadi Authentication if cambria headers are present in the request else continue with
+ * Cadi Authentication
+ */
+ @Override
+ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
+ log.info("inside servlet filter Cambria Auth Headers checking before doing other Authentication");
+ if (shouldFilterWithCADI((HttpServletRequest) req)) {
+ super.doFilter(req, res, chain);
+ } else {
+ System.setProperty("CadiAuthN", "authentication-scheme-2");
+ chain.doFilter(req, res);
+ }
+ }
+
+ boolean shouldFilterWithCADI(HttpServletRequest request) {
+ return isCadiEnabled() &&
+ (isAAFforced() || isAuthDataProvided(request) || isInvenioApp(request));
+ }
+
+ private boolean isAuthDataProvided(HttpServletRequest request) {
+ return (null != request.getHeader(AUTH_HEADER)) || hasClientCertificate(request);
+ }
+
+ private boolean isInvenioApp(HttpServletRequest request) {
+ return (null != request.getHeader(APP_HEADER)) && request.getHeader(APP_HEADER).equalsIgnoreCase("invenio") &&
+ (null != request.getHeader(COOKIE_HEADER));
+ }
+
+ private boolean hasClientCertificate(HttpServletRequest request) {
+ return request.getAttribute(X509_ATTR) != null;
+ }
+
+ boolean isCadiEnabled() {
+ return Utils.isCadiEnabled();
+ }
+
+ boolean isAAFforced() {
+ return Boolean.valueOf(AJSCPropertiesMap.getProperty(CambriaConstants.msgRtr_prop, FORCE_AAF_FLAG));
+ }
+
+} |
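Review bot: The `else` branch of `doFilter` still records the chosen scheme with `System.setProperty("CadiAuthN", "authentication-scheme-2")`, which is JVM-wide state written from a per-request path. Nothing in this hunk ever clears it, so after the first non-CADI request the value no longer describes the request being served, and concurrent requests cannot be told apart. If code further down the chain reads that property to decide how to authenticate (not visible here), the decision is better carried on the request itself, e.g. `req.setAttribute("CadiAuthN", "authentication-scheme-2");`, with the reader changed to match. The Javadoc on `doFilter` also deserves a rewrite: the code skips CADI when the `Authorization` header, a client certificate and the invenio header/cookie pair are all absent and `forceAAF` is false. It should therefore say `// CADI is skipped on caller-controlled request data; the rest of the chain must authenticate these requests` rather than "if cambria headers are present".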