author | Daniel Wiehl | 2015-12-16 14:51:32 +0000 |
committer | Daniel Wiehl | 2015-12-16 16:17:11 +0000 |
commit | 73d5b52f5d791fd290eecb0cb8a6ac3c202a2973 (patch) | |
tree | 585216ef2cf7d52a3e3b6eca6547562edaa38624 | |
parent | 863094fdfe8d04aa2069db0f03d35f39cb833037 (diff) | |
JAX-WS: Fix authentication issue in one-way communicationreleases/4.1.x
Problem:
JAX-WS Metro RI v2.2.10 does not exit the call chain if the ongoing request is a one-way communication and AuthHandler returns 'false'. As a result, the endpoint operation is still invoked.
Solution:
Throw HTTPException with respective HTTP status code instead.
Note:
This issue was already addressed in JAX-WS Scout with Metro RI v2.1.6, but the support to identify one-way-operations was removed in a later Metro version. [currentVersion=v.2.2.10]
Change-Id: Ib4db903ea7b77b423ea2efe87af5a1a7afd26db8
Reviewed-on: https://git.eclipse.org/r/62835
Tested-by: Hudson CI
Reviewed-by: Daniel Wiehl <daniel.wiehl@bsi-software.com>
2 files changed, 23 insertions, 29 deletions
diff --git a/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/BasicAuthenticationHandler.java b/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/BasicAuthenticationHandler.java
index 43384a212c..8b217ad174 100644
--- a/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/BasicAuthenticationHandler.java
+++ b/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/BasicAuthenticationHandler.java
@@ -22,9 +22,9 @@ import javax.xml.namespace.QName;
 import javax.xml.ws.WebServiceException;
 import javax.xml.ws.handler.MessageContext;
 import javax.xml.ws.handler.soap.SOAPMessageContext;
+import javax.xml.ws.http.HTTPException;
 import org.eclipse.scout.commons.Base64Utility;
-import org.eclipse.scout.commons.BooleanUtility;
 import org.eclipse.scout.commons.TypeCastUtility;
 import org.eclipse.scout.commons.logger.IScoutLogger;
 import org.eclipse.scout.commons.logger.ScoutLogManager;
@@ -36,8 +36,6 @@ import org.eclipse.scout.jaxws.session.IServerSessionFactory;
 import org.eclipse.scout.rt.server.IServerSession;
 import org.eclipse.scout.service.ServiceUtility;
-import com.sun.xml.internal.ws.client.BindingProviderProperties;
-
 /**
 * <p>
 * Handler to protect your webservice with Basic Access Authentication. This requires requests to provide a valid user
@@ -51,7 +49,6 @@ import com.sun.xml.internal.ws.client.BindingProviderProperties;
 * Sockets Layer (SSL) encryption and Transport Layer Security (TLS).
 * </p>
 */
-@SuppressWarnings("restriction")
 @ScoutTransaction
 public class BasicAuthenticationHandler implements IAuthenticationHandler {
 private static final IScoutLogger LOG = ScoutLogManager.getLogger(BasicAuthenticationHandler.class);
@@ -77,7 +74,7 @@ public class BasicAuthenticationHandler implements IAuthenticationHandler {
 if (authorizationHeader.length == 0) {
 // force consumer to include authentication information
 installAuthHeader(context);
- return breakHandlerChain(context);
+ return breakHandlerChain(context, HttpServletResponse.SC_UNAUTHORIZED);
 }
 for (String headerValue : authorizationHeader) {
@@ -94,14 +91,18 @@ public class BasicAuthenticationHandler implements IAuthenticationHandler {
 }
 return true;
 }
- return breakHandlerChain(context);
+ return breakHandlerChain(context, HttpServletResponse.SC_FORBIDDEN);
+ }
+ catch (HTTPException e) {
+ throw e;
 }
 catch (Exception e) {
 return breakHandlerChainWithException(context, e);
 }
 }
 }
- return breakHandlerChain(context);
+
+ return breakHandlerChain(context, HttpServletResponse.SC_FORBIDDEN);
 }
 @Override
@@ -141,7 +142,6 @@ public class BasicAuthenticationHandler implements IAuthenticationHandler {
 basicAuthToken.add("Basic realm=\"" + getRealm() + "\"");
 httpResponseHeaders.put("WWW-Authenticate", basicAuthToken);
- context.put(MessageContext.HTTP_RESPONSE_CODE, HttpServletResponse.SC_UNAUTHORIZED);
 context.put(MessageContext.HTTP_RESPONSE_HEADERS, httpResponseHeaders);
 }
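Review bot: In the `@@ -94,14 +91,18 @@` hunk the two failed-credential exits now use `HttpServletResponse.SC_FORBIDDEN`, whereas the equivalent exit in WsseUsernameTokenAuthenticationHandler (`@@ -94,7 +91,10 @@` of the second file) uses `SC_UNAUTHORIZED`, and before this commit both handlers answered 401. For HTTP Basic a rejected credential is conventionally a 401 carrying the WWW-Authenticate challenge so the client may retry, while 403 tells it that no credentials will help, so either the Basic handler should keep `return breakHandlerChain(context, HttpServletResponse.SC_UNAUTHORIZED);` for bad credentials or a comment at those two lines should state why the two handlers deliberately differ. The new `catch (HTTPException e) { throw e; }` exists only to keep the status exception out of the generic `catch (Exception e)` that follows; a comment such as `// rethrow unchanged: must not be handled by breakHandlerChainWithException below` would record that intent, in this hunk and in the WSSE one. The enclosing method and its try block begin outside the hunk.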
@@ -155,15 +155,12 @@ public class BasicAuthenticationHandler implements IAuthenticationHandler {
 return (Map<String, List<String>>) context.get(MessageContext.HTTP_RESPONSE_HEADERS);
 }
- protected boolean breakHandlerChain(SOAPMessageContext context) {
- context.put(MessageContext.HTTP_RESPONSE_CODE, HttpServletResponse.SC_UNAUTHORIZED);
+ protected boolean breakHandlerChain(SOAPMessageContext context, int httpStatusCode) {
+ context.put(MessageContext.HTTP_RESPONSE_CODE, httpStatusCode);
- boolean oneway = BooleanUtility.nvl((Boolean) context.get(BindingProviderProperties.ONE_WAY_OPERATION), false);
- if (oneway) {
- // do not just return false as in one-way communication, the chain is continued regardless of the status.
- throw new WebServiceException("Unauthorized");
- }
- return false;
+ // JAX-WS METRO v2.2.10 does not exit the call chain if the Handler returns with 'false'.
+ // That happens for one-way communication requests. As a result, the endpoint operation is still invoked.
+ throw new HTTPException(httpStatusCode);
 }
 protected boolean breakHandlerChainWithException(SOAPMessageContext context, Exception exception) {
diff --git a/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/WsseUsernameTokenAuthenticationHandler.java b/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/WsseUsernameTokenAuthenticationHandler.java
index 86cc81fe9d..d5bb643162 100644
--- a/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/WsseUsernameTokenAuthenticationHandler.java
+++ b/org.eclipse.scout.jaxws216/src/org/eclipse/scout/jaxws/security/provider/WsseUsernameTokenAuthenticationHandler.java
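Review bot: `breakHandlerChain` in the `@@ -155,15 +155,12 @@` hunk keeps its `boolean` return type although it can no longer complete normally — every path ends in `throw new HTTPException(httpStatusCode)` — so nothing documents what a caller's `return breakHandlerChain(...)` now means; the identical method in WsseUsernameTokenAuthenticationHandler (`@@ -152,15 +152,12 @@`) has the same shape. A Javadoc stating that the method records httpStatusCode in MessageContext.HTTP_RESPONSE_CODE and aborts the handler chain by throwing HTTPException, never returns, and keeps the boolean type only so callers can write `return breakHandlerChain(...)`, would make that explicit, and the inline comment reads better as `// Metro 2.2.10 continues the chain for one-way requests even when a handler returns false, so abort by throwing instead.`. Which of the two status codes reaches the wire — the one stored in the context or the one carried by the HTTPException — depends on how the runtime maps exceptions thrown from a handler, which this diff does not show; it is worth covering with a test for both request/response and one-way operations. With the WebServiceException throw gone, the `import javax.xml.ws.WebServiceException;` kept as context in the first hunk may now be unused unless `breakHandlerChainWithException`, whose body lies outside the hunk, still refers to it.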
@@ -21,8 +21,8 @@ import javax.xml.soap.SOAPHeader;
 import javax.xml.ws.WebServiceException;
 import javax.xml.ws.handler.MessageContext;
 import javax.xml.ws.handler.soap.SOAPMessageContext;
+import javax.xml.ws.http.HTTPException;
-import org.eclipse.scout.commons.BooleanUtility;
 import org.eclipse.scout.commons.TypeCastUtility;
 import org.eclipse.scout.commons.logger.IScoutLogger;
 import org.eclipse.scout.commons.logger.ScoutLogManager;
@@ -34,8 +34,6 @@ import org.eclipse.scout.jaxws.session.IServerSessionFactory;
 import org.eclipse.scout.rt.server.IServerSession;
 import org.eclipse.scout.service.ServiceUtility;
-import com.sun.xml.internal.ws.client.BindingProviderProperties;
-
 /**
 * <p>
 * Handler to protect your webservice with Message Level WS-Security with UsernameToken Authentication. This requires
@@ -49,7 +47,6 @@ import com.sun.xml.internal.ws.client.BindingProviderProperties;
 * Layer (SSL) encryption and Transport Layer Security (TLS).
 * </p>
 */
-@SuppressWarnings("restriction")
 @ScoutTransaction
 public class WsseUsernameTokenAuthenticationHandler implements IAuthenticationHandler {
 private static final IScoutLogger LOG = ScoutLogManager.getLogger(WsseUsernameTokenAuthenticationHandler.class);
@@ -94,7 +91,10 @@ public class WsseUsernameTokenAuthenticationHandler implements IAuthenticationHa
 }
 return true;
 }
- return breakHandlerChain(context);
+ return breakHandlerChain(context, HttpServletResponse.SC_UNAUTHORIZED);
+ }
+ catch (HTTPException e) {
+ throw e;
 }
 catch (Exception e) {
 return breakHandlerChainWithException(context, e);
@@ -152,15 +152,12 @@ public class WsseUsernameTokenAuthenticationHandler implements IAuthenticationHa
 return false;
 }
- protected boolean breakHandlerChain(SOAPMessageContext context) {
- context.put(MessageContext.HTTP_RESPONSE_CODE, HttpServletResponse.SC_UNAUTHORIZED);
+ protected boolean breakHandlerChain(SOAPMessageContext context, int httpStatusCode) {
+ context.put(MessageContext.HTTP_RESPONSE_CODE, httpStatusCode);
- boolean oneway = BooleanUtility.nvl((Boolean) context.get(BindingProviderProperties.ONE_WAY_OPERATION), false);
- if (oneway) {
- // do not just return false as in one-way communication, the chain is continued regardless of the status.
- throw new WebServiceException("Unauthorized");
- }
- return false;
+ // JAX-WS METRO v2.2.10 does not exit the call chain if the Handler returns with 'false'.
+ // That happens for one-way communication requests. As a result, the endpoint operation is still invoked.
+ throw new HTTPException(httpStatusCode);
 }
 protected boolean breakHandlerChainWithException(SOAPMessageContext context, Exception exception) {