In [1]:

!jupyter nbconvert --to html --TemplateExporter.exclude_code_cell=True --TemplateExporter.exclude_input_prompt=True --TemplateExporter.exclude_output_prompt=True scc2425-lab9.ipynb 2> /dev/null
!jupyter nbconvert --to slides --TemplateExporter.exclude_input_prompt=True --TemplateExporter.exclude_output_prompt=True scc2425-lab9.ipynb 2> /dev/null

# Cloud Computing Systems
## 2024/25

Lab 9
https://smduarte.github.io/scc2425/

Sérgio Duarte, Kevin Gallagher 

# Goals

+ Access control for web applications based on Cookies

# Approach to implement access control!


### Step 1 

 Users must log in to the system;
 
### Step 2

Before executing operations, check if the user is allowed to execute the operation.



# Authentication endpoint

### Step 1 - Users must log in to the system;

Endpoint: **GET /login** returns the login page, including a form to supply the **user credentials**;

Endpoint: **POST /login** verifies the users credentials, passed as **form data**. Creates a [Cookie](https://en.wikipedia.org/wiki/HTTP_cookie) to serve as proof of authentication.

### Authentication Endpoint: GET /rest/login 
```java
@Path(Authentication.PATH)
public class Authentication {
	static final String PATH = "login";
    static final String LOGIN_PAGE = "login.html";
	
	@GET
	@Produces(MediaType.TEXT_HTML)
	public String login() {
		try {
			var in = getClass().getClassLoader().getResourceAsStream(LOGIN_PAGE);
			return new String( in.readAllBytes() );			
		} catch( Exception x ) {
			throw new WebApplicationException( Status.INTERNAL_SERVER_ERROR );
		}
	}
```

Note: The GET endpoint in the authentication returns the contents of a login html page stored in the **WAR** archive as a resource.

### Authentication Endpoint: POST /rest/login 

```java
@POST
public Response login( @FormParam(USER) String user, @FormParam(PWD) String password ) {
    boolean pwdOk = ... ; // check user passwd
	if (pwdOk) {
        String uid = UUID.randomUUID().toString();
		var cookie = new NewCookie.Builder(COOKIE_KEY)
					.value(uid).path("/")
					.comment("sessionid")
					.maxAge(MAX_COOKIE_AGE)
					.secure(false)
					.httpOnly(true)
					.build();
			
		FakeRedisLayer.getInstance().putSession( new Session( uid, user));	
			
        return Response.seeOther(URI.create( REDIRECT_TO_AFTER_AUTH ))
                   .cookie(cookie) 
                   .build();
	} else
		throw new NotAuthorizedException("Incorrect login");
}
```

The POST /rest/login endpoint is the target of the form returned previously. 

The user credentials supplied in the form are encoded as *FormData* and can be captured as method parameters using **@FormParam** annotations.

If authentication succeeds, we return a [Cookie](https://en.wikipedia.org/wiki/HTTP_cookie). The cookie will be included by the browser/HTTP client in subsequent requests. It is intended to serve as proof of authentication while it is valid.

The cookie needs a key and value. Here the value is just an unique identifier. It is possible to control the how long the cookie will be valid by providing a maximum allowed age. Other flags can be used to improve security, such as only support https communications.

When the login succeeds the client is redirected automatically to a landing endpoint...

The cookie represents an authenticated user session that can be shared across all application server instances via a RedisCache. In this example, we are faking the RedisCache to provide a simple working example with a local deployment of the web app.

# Access control

###  Step 2 - ... check if the user is allowed to execute the operation.


In methods that require access control, **use the cookie** to know which user is calling the method.

```java
@Path("/ctrl")
public class ControlResource
{
	@Path("/version2")
	@GET
	@Produces(MediaType.TEXT_HTML)
	public String version2( @CookieParam(Authentication.COOKIE_KEY) Cookie cookie) {

        