frontend: always fail request if wrong credentials are presented

Motivation: Current behaviour is to treat a failed login in WebDAV, frontend and dcap doors as if the user presented no credentials (i.e., an anonymous request). For frontend, this is undesirable as we wish to have standard-compliant response to incorrect credentials; i.e., 401 status code in the response. Modification: Update UnionLoginStrategy to support a switch to disable treating a failed login as an unauthenticated request. Update frontend to disable the switch. Result: For the frontend, if the user supplies incorrect credentials then their request will always fail. Target: master Patch: https://rb.dcache.org/r/9413 Acked-by: Gerd Behrmann Request: 2.16 Requires-notes: yes Requires-book: no
dCache · Jun 15, 2016 · b21b4b4 · b21b4b4
1 parent 159c422
commit b21b4b4
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/modules/dcache-webdav/src/main/resources/org/dcache/webdav/frontend.xml b/modules/dcache-webdav/src/main/resources/org/dcache/webdav/frontend.xml
@@ -81,6 +81,7 @@
           </bean>
 	  </list>
       </property>
+      <property name="fallbackToAnonymous" value="false"/>
       <property name="anonymousAccess" value="${frontend.authz.anonymous-operations}"/>
   </bean>
 

diff --git a/modules/dcache/src/main/java/org/dcache/auth/UnionLoginStrategy.java b/modules/dcache/src/main/java/org/dcache/auth/UnionLoginStrategy.java
@@ -22,7 +22,10 @@
  * LoginStrategy which forms the union of allowed logins of several
  * access strategies. Login will be granted by the first of a list of
  * LoginStrategies which grants login. If no LoginStrategy grants
- * login, an anonymous login can optionally be generated.
+ * login then the behaviour depends on whether the user supplied any credentials.
+ * If no credentials were presented then the login attempt is treated as
+ * anonymous and the correct level of access is granted.  If credentials were
+ * presented then fallback to anonymous only if that is allowed.
  */
 public class UnionLoginStrategy implements LoginStrategy
 {
@@ -39,6 +42,7 @@ public enum AccessLevel
 
     private List<LoginStrategy> _loginStrategies = Collections.emptyList();
     private AccessLevel _anonymousAccess = AccessLevel.NONE;
+    private boolean _shouldFallback = true;
 
     public void setLoginStrategies(List<LoginStrategy> list)
     {
@@ -61,20 +65,33 @@ public AccessLevel getAnonymousAccess()
         return _anonymousAccess;
     }
 
+    public void setFallbackToAnonymous(boolean fallback)
+    {
+        _shouldFallback = fallback;
+    }
+
+    public boolean hasFallbackToAnonymous()
+    {
+        return _shouldFallback;
+    }
+
     @Override
     public LoginReply login(Subject subject) throws CacheException
     {
         Optional<Principal> origin = subject.getPrincipals().stream()
                 .filter(Origin.class::isInstance)
                 .findFirst();
 
+        boolean areCredentialsSupplied = !subject.getPrivateCredentials().isEmpty()
+                || !subject.getPublicCredentials().isEmpty()
+                || !subject.getPrincipals().stream().allMatch(Origin.class::isInstance);
+
         for (LoginStrategy strategy: _loginStrategies) {
             _log.debug( "Attempting login strategy: {}", strategy.getClass().getName());
 
             try {
                 LoginReply login = strategy.login(subject);
                 _log.debug( "Login strategy returned {}", login.getSubject());
-
                 if (!Subjects.isNobody(login.getSubject())) {
                     return login;
                 }
@@ -93,6 +110,11 @@ public LoginReply login(Subject subject) throws CacheException
                         e.getMessage());
             }
         }
+
+        if (areCredentialsSupplied && !_shouldFallback) {
+            throw new PermissionDeniedCacheException("Access denied");
+        }
+
         _log.debug( "Strategies failed, trying for anonymous access");
 
         LoginReply reply = new LoginReply();