Http server basic auth broken #290

Closed
christophd opened this Issue Sep 26, 2017 · 1 comment

christophd (Member) commented Sep 26, 2017

Server-side basic authentication with SecurityHandlerFactory stopped working with Citrus 2.7.2. The reason is a change made in the Jetty server API that caused us to refactor the login service and user property store. Following from that, the user store is not automatically started properly and configured users do not get loaded on server startup. This results in 401 Unauthorized responses even if proper user credentials are provided within the request.

@christophd christophd added this to the v2.7.3 milestone Sep 26, 2017

christophd (Member) commented Sep 26, 2017

Workaround, given as an extended Java bean configuration:

import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import javax.security.auth.Subject;

import com.consol.citrus.http.security.BasicAuthConstraint;
import com.consol.citrus.http.security.SecurityHandlerFactory;
import com.consol.citrus.http.security.User;
import org.eclipse.jetty.security.AbstractLoginService;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.PropertyUserStore;
import org.eclipse.jetty.util.security.Credential;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpServerBasicAuthConfig {

    private static final String[] USER_ROLES = new String[] { "CitrusRole" };

    @Bean
    public SecurityHandlerFactory basicAuthSecurityHandler() {
        SecurityHandlerFactory securityHandlerFactory = new SecurityHandlerFactory();
        securityHandlerFactory.setUsers(users());
        // Hand over a login service whose user store is started explicitly (see below)
        securityHandlerFactory.setLoginService(basicAuthLoginService(basicAuthUserStore()));
        securityHandlerFactory.setConstraints(Collections.singletonMap("/todo/*", new BasicAuthConstraint(USER_ROLES)));

        return securityHandlerFactory;
    }

    @Bean
    public HashLoginService basicAuthLoginService(PropertyUserStore basicAuthUserStore) {
        return new HashLoginService() {
            @Override
            protected void doStart() throws Exception {
                // HashLoginService does not start a user store that was set from outside,
                // so start it here; otherwise loadUsers() never runs and every login fails with 401
                setUserStore(basicAuthUserStore);
                basicAuthUserStore.start();
                super.doStart();
            }
        };
    }

    @Bean
    public PropertyUserStore basicAuthUserStore() {
        return new PropertyUserStore() {
            @Override
            protected void loadUsers() throws IOException {
                // Populate the store from the configured users instead of a properties file
                getKnownUserIdentities().clear();

                for (User user : users()) {
                    Credential credential = Credential.getCredential(user.getPassword());

                    Principal userPrincipal = new AbstractLoginService.UserPrincipal(user.getName(), credential);
                    Subject subject = new Subject();
                    subject.getPrincipals().add(userPrincipal);
                    subject.getPrivateCredentials().add(credential);

                    String[] roleArray = IdentityService.NO_ROLES;
                    if (user.getRoles() != null && user.getRoles().length > 0) {
                        roleArray = user.getRoles();
                    }

                    for (String role : roleArray) {
                        subject.getPrincipals().add(new AbstractLoginService.RolePrincipal(role));
                    }

                    subject.setReadOnly();

                    getKnownUserIdentities().put(user.getName(), getIdentityService().newUserIdentity(subject, userPrincipal, roleArray));
                }
            }
        };
    }

    private List<User> users() {
        return Collections.singletonList(new User("citrus", "secr3t", USER_ROLES));
    }
}
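The following is an added standalone check, not code from the Citrus project or from the comment above. It reproduces the failure the issue describes with plain Jetty 9.4 security classes (no Citrus types) and verifies the workaround: a PropertyUserStore that is handed to HashLoginService but never started keeps an empty identity map, so a valid user is rejected, while a store started inside doStart() accepts the same credentials and still rejects a wrong password. The class name BasicAuthLoginCheck, the realm name "citrus-realm" and the helper names are assumptions made for this example; the user, password and role are the same constructed values the workaround uses.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;

import org.eclipse.jetty.security.AbstractLoginService;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.PropertyUserStore;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.security.Credential;

/**
 * Constructed check (not Citrus project code) against the Jetty 9.4 security API:
 * an externally supplied user store is not started by HashLoginService, so
 * loadUsers() never runs and every login fails; starting the store fixes it.
 */
public class BasicAuthLoginCheck {

    /** In-memory PropertyUserStore with one user; same loadUsers() logic as the workaround, minus Citrus types. */
    static PropertyUserStore inMemoryStore(final String name, final String password, final String... roles) {
        return new PropertyUserStore() {
            @Override
            protected void loadUsers() throws IOException {
                getKnownUserIdentities().clear();
                Credential credential = Credential.getCredential(password);
                Principal userPrincipal = new AbstractLoginService.UserPrincipal(name, credential);
                Subject subject = new Subject();
                subject.getPrincipals().add(userPrincipal);
                subject.getPrivateCredentials().add(credential);
                String[] roleArray = roles.length > 0 ? roles : IdentityService.NO_ROLES;
                for (String role : roleArray) {
                    subject.getPrincipals().add(new AbstractLoginService.RolePrincipal(role));
                }
                subject.setReadOnly();
                getKnownUserIdentities().put(name,
                        getIdentityService().newUserIdentity(subject, userPrincipal, roleArray));
            }
        };
    }

    /** Broken wiring: the store is set but nobody starts it, so its identity map stays empty. */
    static HashLoginService brokenLoginService(PropertyUserStore store) {
        HashLoginService service = new HashLoginService("citrus-realm");   // realm name is an assumption
        service.setUserStore(store);
        return service;
    }

    /** Workaround wiring: start the store before the login service finishes starting. */
    static HashLoginService fixedLoginService(final PropertyUserStore store) {
        return new HashLoginService("citrus-realm") {
            @Override
            protected void doStart() throws Exception {
                setUserStore(store);
                store.start();      // runs loadUsers(), which populates the identities
                super.doStart();
            }
        };
    }

    /** True when the realm accepts the credentials, i.e. the request would get past the BASIC authenticator. */
    static boolean canLogin(HashLoginService service, String user, String password) throws Exception {
        // SecurityHandler normally injects the identity service; set it by hand for a standalone check.
        if (service.getIdentityService() == null) {
            service.setIdentityService(new DefaultIdentityService());
        }
        if (!service.isStarted()) {
            service.start();
        }
        UserIdentity identity = service.login(user, password, null);
        return identity != null;
    }

    public static void main(String[] args) throws Exception {
        boolean brokenValid = canLogin(brokenLoginService(inMemoryStore("citrus", "secr3t", "CitrusRole")), "citrus", "secr3t");
        boolean fixedValid = canLogin(fixedLoginService(inMemoryStore("citrus", "secr3t", "CitrusRole")), "citrus", "secr3t");
        boolean fixedWrongPw = canLogin(fixedLoginService(inMemoryStore("citrus", "secr3t", "CitrusRole")), "citrus", "wrong");

        System.out.println("unstarted store, valid credentials -> " + brokenValid);   // false: the 401 from the issue
        System.out.println("started store,   valid credentials -> " + fixedValid);    // true
        System.out.println("started store,   wrong credentials -> " + fixedWrongPw);  // false: auth is still enforced
        if (brokenValid || !fixedValid || fixedWrongPw) {
            throw new AssertionError("basic auth wiring check failed");
        }
    }
}
```

The third case is the check worth keeping in a test suite: a store that was silently never loaded and a store that accepts anything both produce the wrong status code, and only asserting on both a good and a bad password tells them apart. Note also that Credential.getCredential() accepts Jetty's "MD5:" and "CRYPT:" prefixed forms as well as the plain-text password used here, so the configured users do not have to carry clear-text secrets.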