-
Notifications
You must be signed in to change notification settings - Fork 131
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
frontend: add support for user 'anonymous'
Motivation: To avoid browsers prompting users directly for credentials when an anonymous ajax request requires authentication, the JavaScript must always supply a username with requests. Yet we still want to support anonymous access. Modification: Update frontend so that it accepts requests with username 'anonymous' if anonymous access is enabled; all other username+password requests are authenticated as before. If anonymous access is disabled then all requests are processed as before. Result: Javascript can submit AJAX requests with username 'anonymous' to achieve desired anonymous interaction without the browser prompting the user for credentials if it turns out authentication is required. Target: master Patch: https://rb.dcache.org/r/9423 Acked-by: Gerd Behrmann Request: 2.16 Require-notes: yes Require-book: no
- Loading branch information
1 parent
a8d9592
commit 942cca1
Showing
2 changed files
with
98 additions
and
6 deletions.
There are no files selected for viewing
94 changes: 94 additions & 0 deletions
94
modules/dcache-webdav/src/main/java/org/dcache/webdav/AnonymousUserLoginStrategy.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package org.dcache.webdav; | ||
|
||
import org.springframework.beans.factory.annotation.Required; | ||
|
||
import javax.security.auth.Subject; | ||
|
||
import java.security.Principal; | ||
import java.util.Set; | ||
|
||
import diskCacheV111.util.CacheException; | ||
|
||
import org.dcache.auth.LoginNamePrincipal; | ||
import org.dcache.auth.LoginReply; | ||
import org.dcache.auth.LoginStrategy; | ||
import org.dcache.auth.PasswordCredential; | ||
import org.dcache.auth.Subjects; | ||
import org.dcache.auth.UnionLoginStrategy.AccessLevel; | ||
import org.dcache.auth.attributes.LoginAttribute; | ||
import org.dcache.auth.attributes.Restrictions; | ||
|
||
import static java.util.Collections.emptySet; | ||
import static java.util.Collections.singleton; | ||
import static java.util.Objects.requireNonNull; | ||
import static org.dcache.auth.UnionLoginStrategy.AccessLevel.READONLY; | ||
import static org.dcache.auth.UnionLoginStrategy.AccessLevel.NONE; | ||
|
||
/** | ||
* Add support for logging in a particular user as Users.NOBODY, all other | ||
* requests are passed on to some wrapped LoginStrategy. If AccessLevel is NONE | ||
* then all requests are passed onto the wrapped LoginStrategy. | ||
*/ | ||
public class AnonymousUserLoginStrategy implements LoginStrategy | ||
{ | ||
private LoginStrategy _inner; | ||
private String _username; | ||
private AccessLevel _anonymousAccess = NONE; | ||
|
||
public void setAnonymousAccess(AccessLevel level) | ||
{ | ||
_anonymousAccess = requireNonNull(level); | ||
} | ||
|
||
public AccessLevel getAnonymousAccess() | ||
{ | ||
return _anonymousAccess; | ||
} | ||
|
||
@Required | ||
public void setNonAnonymousStrategy(LoginStrategy strategy) | ||
{ | ||
_inner = requireNonNull(strategy); | ||
} | ||
|
||
@Required | ||
public void setUsername(String username) | ||
{ | ||
_username = requireNonNull(username); | ||
} | ||
|
||
private boolean isAnonymousUser(Subject subject) | ||
{ | ||
return subject.getPrivateCredentials().stream() | ||
.filter(PasswordCredential.class::isInstance) | ||
.map(PasswordCredential.class::cast) | ||
.anyMatch(p -> _username.equals(p.getUsername())) || | ||
subject.getPrincipals().stream() | ||
.filter(LoginNamePrincipal.class::isInstance) | ||
.anyMatch(p -> _username.equals(p.getName())); | ||
} | ||
|
||
@Override | ||
public LoginReply login(Subject subject) throws CacheException | ||
{ | ||
if (_anonymousAccess != NONE && isAnonymousUser(subject)) { | ||
Set<LoginAttribute> attributes = _anonymousAccess == READONLY ? | ||
singleton(Restrictions.readOnly()) : emptySet(); | ||
return new LoginReply(Subjects.NOBODY, attributes); | ||
} | ||
|
||
return _inner.login(subject); | ||
} | ||
|
||
@Override | ||
public Principal map(Principal principal) throws CacheException | ||
{ | ||
return _inner.map(principal); | ||
} | ||
|
||
@Override | ||
public Set<Principal> reverseMap(Principal principal) throws CacheException | ||
{ | ||
return _inner.reverseMap(principal); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters