fix(REST API): authorization mechanism exclude pattern (#847)

* make servlet request body readable twice (for permission check and API processing payload) Covers [RUNTIME-885](https://bonitasoft.atlassian.net/browse/RUNTIME-885) This fixes #841
bonitasoft · Feb 28, 2022 · 0561dac · 0561dac
1 parent 18df941
commit 0561dac
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/...in/java/org/bonitasoft/console/common/server/login/filter/RestAPIAuthorizationFilter.java b/...in/java/org/bonitasoft/console/common/server/login/filter/RestAPIAuthorizationFilter.java
@@ -89,7 +89,8 @@ public RestAPIAuthorizationFilter() {
     @Override
     public void proceedWithFiltering(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException {
         try {
-            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+            //we need to use a MultiReadHttpServletRequest wrapper in order to be able to get the inputstream twice (in the filter and in the API servlet)
+            MultiReadHttpServletRequest httpServletRequest = new MultiReadHttpServletRequest((HttpServletRequest) request);
             HttpServletResponse httpServletResponse = (HttpServletResponse)response;
             boolean isAuthorized;
             if (httpServletRequest.getRequestURI().matches(PLATFORM_API_URI_REGEXP)) {
@@ -98,7 +99,7 @@ public void proceedWithFiltering(ServletRequest request, ServletResponse respons
                 isAuthorized = tenantAPIsCheck(httpServletRequest, httpServletResponse);
             }
             if (isAuthorized) {
-                chain.doFilter(request, response);
+                chain.doFilter(httpServletRequest, response);
             }
         } catch (final Exception e) {
             if (LOGGER.isLoggable(Level.SEVERE)) {

diff --git a/...ava/org/bonitasoft/console/common/server/login/filter/RestAPIAuthorizationFilterTest.java b/...ava/org/bonitasoft/console/common/server/login/filter/RestAPIAuthorizationFilterTest.java
@@ -599,7 +599,7 @@ public void should_checkValidCondition_check_unauthorized_if_session_is_invalid(
         final RestAPIAuthorizationFilter restAPIAuthorizationFilterSpy = spy(restAPIAuthorizationFilter);
         doReturn("API/bpm/case/15").when(request).getRequestURI();
         doReturn("/bpm/case/15").when(request).getPathInfo();
-        doThrow(InvalidSessionException.class).when(restAPIAuthorizationFilterSpy).checkPermissions(request);
+        doThrow(InvalidSessionException.class).when(restAPIAuthorizationFilterSpy).checkPermissions(any(HttpServletRequest.class));
         //when
         restAPIAuthorizationFilterSpy.proceedWithFiltering(request, response, chain);
 
@@ -612,7 +612,7 @@ public void should_checkValidCondition_check_permission_if_is_tenant_is_forbidde
         final RestAPIAuthorizationFilter restAPIAuthorizationFilterSpy = spy(restAPIAuthorizationFilter);
         doReturn("API/bpm/case/15").when(request).getRequestURI();
         doReturn("/bpm/case/15").when(request).getPathInfo();
-        doReturn(false).when(restAPIAuthorizationFilterSpy).checkPermissions(request);
+        doReturn(false).when(restAPIAuthorizationFilterSpy).checkPermissions(any(HttpServletRequest.class));
 
         //when
         restAPIAuthorizationFilterSpy.proceedWithFiltering(request, response, chain);