#2249 Allow admin operations to not require password

pinpoint-apm · Dec 15, 2016 · 37bab5f · 37bab5f
1 parent 355ff50
commit 37bab5f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/web/src/main/java/com/navercorp/pinpoint/web/controller/AdminController.java b/web/src/main/java/com/navercorp/pinpoint/web/controller/AdminController.java
@@ -20,6 +20,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -35,6 +36,7 @@
  * @author HyunGil Jeong
  */
 @Controller
+@PreAuthorize("hasPermission(null, null, 'admin')")
 @RequestMapping("/admin")
 public class AdminController {
 

diff --git a/web/src/main/java/com/navercorp/pinpoint/web/interceptor/AdminAuthInterceptor.java b/web/src/main/java/com/navercorp/pinpoint/web/interceptor/AdminAuthInterceptor.java
@@ -22,31 +22,63 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.server.ServletServerHttpResponse;
+import org.springframework.util.StringUtils;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
 
+import java.io.IOException;
+import java.nio.charset.Charset;
+
 /**
  * FIXME temporary interceptor for admin operations.
  * 
  * @author hyungil.jeong
  */
 public class AdminAuthInterceptor extends HandlerInterceptorAdapter {
 
+    private static final Charset UTF_8 = Charset.forName("UTF-8");
+
     private final Logger logger = LoggerFactory.getLogger(this.getClass());
 
-    @Value("#{pinpointWebProps['admin.password']}")
+    @Value("#{pinpointWebProps['admin.password'] ?: ''}")
     private String password;
 
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         String requestUri = request.getRequestURI();
         String requestIp = request.getRemoteAddr();
         logger.info("{} called from {}", requestUri, requestIp);
+        if (StringUtils.isEmpty(password)) {
+            return true;
+        }
+        return checkAuthorization(request, response);
+    }
+
+    private boolean checkAuthorization(HttpServletRequest request, HttpServletResponse response) throws IOException {
         String requestPassword = request.getParameter("password");
+        if (requestPassword == null) {
+            handleMissingPassword(response);
+            return false;
+        }
         if (password.equals(requestPassword)) {
             return true;
+        } else {
+            handleInvalidPassword(response);
+            return false;
         }
-        response.sendRedirect("/");
-        return false;
+    }
+
+    private void handleMissingPassword(HttpServletResponse response) throws IOException {
+        ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
+        serverResponse.setStatusCode(HttpStatus.BAD_REQUEST);
+        serverResponse.getBody().write("Missing password.".getBytes(UTF_8));
+    }
+
+    private void handleInvalidPassword(HttpServletResponse response) throws IOException {
+        ServletServerHttpResponse serverResponse = new ServletServerHttpResponse(response);
+        serverResponse.setStatusCode(HttpStatus.FORBIDDEN);
+        serverResponse.getBody().write("Invalid password.".getBytes(UTF_8));
     }