QPID-8529:[Broker-J] Make sure that subject is set for all http requests

This closes #89

broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/AuthenticationResultCacher.java

@@ -115,23 +115,27 @@ private String digestCredentials(final String... content)
             MessageDigest md = MessageDigest.getInstance("SHA-256");
 
             Subject subject = Subject.getSubject(AccessController.getContext());
-            Set<SocketConnectionPrincipal> connectionPrincipals = subject.getPrincipals(SocketConnectionPrincipal.class);
-            if (connectionPrincipals != null && !connectionPrincipals.isEmpty())
+            if (subject != null)
             {
-                SocketConnectionPrincipal connectionPrincipal = connectionPrincipals.iterator().next();
-                SocketAddress remoteAddress = connectionPrincipal.getRemoteAddress();
-                String address;
-                if (remoteAddress instanceof InetSocketAddress)
+                Set<SocketConnectionPrincipal> connectionPrincipals =
+                        subject.getPrincipals(SocketConnectionPrincipal.class);
+                if (!connectionPrincipals.isEmpty())
                 {
-                    address = ((InetSocketAddress) remoteAddress).getHostString();
-                }
-                else
-                {
-                    address = remoteAddress.toString();
-                }
-                if (address != null)
-                {
-                    md.update(address.getBytes(UTF8));
+                    SocketConnectionPrincipal connectionPrincipal = connectionPrincipals.iterator().next();
+                    SocketAddress remoteAddress = connectionPrincipal.getRemoteAddress();
+                    String address;
+                    if (remoteAddress instanceof InetSocketAddress)
+                    {
+                        address = ((InetSocketAddress) remoteAddress).getHostString();
+                    }
+                    else
+                    {
+                        address = remoteAddress.toString();
+                    }
+                    if (address != null)
+                    {
+                        md.update(address.getBytes(UTF8));
+                    }
                 }
             }
 

broker-core/src/test/java/org/apache/qpid/server/security/auth/manager/AuthenticationResultCacherTest.java

@@ -135,6 +135,19 @@ public void testCacheHitDifferentRemoteAddressPorts() throws Exception
         assertGetOrLoad(credentials, expectedResult, expectedHitCount);
     }
 
+    @Test
+    public void testCacheHitNoSubject()
+    {
+        final String credentials = "credentials";
+        final AuthenticationResult result1 = _authenticationResultCacher.getOrLoad(new String[]{credentials}, _loader);
+        assertEquals("Unexpected AuthenticationResult", _successfulAuthenticationResult, result1);
+        assertEquals("Unexpected number of loads before cache hit", 1, _loadCallCount);
+
+        final AuthenticationResult result2 = _authenticationResultCacher.getOrLoad(new String[]{credentials}, _loader);
+        assertEquals("Unexpected AuthenticationResult", _successfulAuthenticationResult, result2);
+        assertEquals("Unexpected number of loads before cache hit", 1, _loadCallCount);
+    }
+
     private void assertGetOrLoad(final String credentials,
                                  final AuthenticationResult expectedResult,
                                  final int expectedHitCount)

broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/filter/InteractiveAuthenticationFilter.java

@@ -21,6 +21,9 @@
 package org.apache.qpid.server.management.plugin.filter;
 
 import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -40,6 +43,7 @@
 import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
 import org.apache.qpid.server.management.plugin.HttpManagementUtil;
 import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
+import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
 import org.apache.qpid.server.plugin.QpidServiceLoader;
 import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
 
@@ -96,7 +100,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 
             if(handler != null)
             {
-                handler.handleAuthentication(httpResponse);
+                invokeAuthenticationHandler(httpRequest, httpResponse, handler);
             }
             else
             {
@@ -105,4 +109,25 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         }
     }
 
+    private void invokeAuthenticationHandler(final HttpServletRequest httpRequest,
+                                             final HttpServletResponse httpResponse,
+                                             final HttpRequestInteractiveAuthenticator.AuthenticationHandler handler)
+            throws ServletException
+    {
+        final Subject tempSubject = new Subject(true,
+                                                Collections.<Principal>singleton(new ServletConnectionPrincipal(httpRequest)),
+                                                Collections.emptySet(),
+                                                Collections.emptySet());
+        try
+        {
+            Subject.doAs(tempSubject, (PrivilegedExceptionAction<Void>) () -> {
+                handler.handleAuthentication(httpResponse);
+                return null;
+            });
+        }
+        catch (PrivilegedActionException e)
+        {
+            throw new ServletException(e);
+        }
+    }
 }