[ELY-2583] Make requestURI and Source-Address available from RealmSuccessfulAuthenticationEvent and RealmFailedAuthenticationEvent #1952
Conversation
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
2ec6427
to
6c8e29d
Compare
| @@ -53,6 +53,10 @@ public interface MechanismInformation { | |||
| */ | |||
| String getProtocol(); | |||
|
|
|||
| default String getRequestURI() { | |||
There was a problem hiding this comment.
MechanismInformation already provides getHost and getProtocol methods. Just wondering if we can make use of these existing methods instead of introducing a new getRequestURI method. (We'd need to check if the information provided by the host and protocol would be sufficient for the reporter.)
Note that MechanismInformation is public API.
So if we decide that a new method is needed, we should check with @OndrejKotek to see if adding a new method here would be ok for 1.15.x.
There was a problem hiding this comment.
@fjuma We can make use of the existing getHost and getProtocol methods instead. The URI information would not have a full requested path that way, just the host and protocol.
However if we want to avoid adding a new method to the public API we might not have a better choice. So if @OndrejKotek thinks we should not introduce a new API method to the maintenance branch, we can check with the reporter about providing only the host+port information
There was a problem hiding this comment.
This is not up to me to decide. Open a discussion on https://issues.redhat.com/browse/JBEAP-25337 please as it's up to the QE CP (Peter Mackay, Dan Cihak) and SET team to ack such changes.
| @Override | ||
| public void handleRealmEvent(RealmEvent event) { | ||
| if (event instanceof RealmSuccessfulAuthenticationEvent) { | ||
| assertEquals("10.12.14.16", ((RealmSuccessfulAuthenticationEvent) event).getAuthorizationIdentity().getRuntimeAttributes().get("Source-Address").get(0)); |
There was a problem hiding this comment.
As a sanity check, would also be good to verify that it's possible to retrieve the principal in both the successful and failed cases.
…LY-2583] Make requestURI and Source-Address available from RealmSuccessfulAuthenticationEvent and RealmFailedAuthenticationEvent
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
6c8e29d
to
785cbb3
Compare
Skyllarr
force-pushed
the
JBEAP-25337
branch
2 times, most recently
from
ee94a77
to
c84d020
Compare
|
@fjuma This PR was updated to use a new Callback to avoid using |
| import java.net.URI; | ||
|
|
||
| /** | ||
| * A {@link javax.security.auth.callback.Callback} to inform a server authentication context about current authenticaiton request. |
There was a problem hiding this comment.
s/authenticaiton/authentication
| */ | ||
| private final URI requestUri; | ||
|
|
||
| public RequestInformationCallback(URI requestUri) { |
There was a problem hiding this comment.
Should add Javadoc for this.
| this.requestUri = requestUri; | ||
| } | ||
|
|
||
| /** |
There was a problem hiding this comment.
Just minor but since this is public API, we should also add a description for the method.
| @@ -110,7 +113,7 @@ public String getMechanismName() { | |||
| public String getHostName() { | |||
| return hostName; | |||
| } | |||
| })}); | |||
| }), new RequestInformationCallback(request.getRequestURI())}); | |||
There was a problem hiding this comment.
Should we be handling the new RequestInformationCallback from this class? Wondering if it would make more sense to introduce a new SetRequestionInformationMechanismFactory. WildFly Core would need to be updated accordingly.
There was a problem hiding this comment.
@fjuma I was not sure at first since the HttpServerAuthenticationMechanismFactory is documented as Factory to create authentication mechanisms which did not seem related to logging or similar purpose, but it's true that this requestURI is a bit similar to already existing SocketAddressCallbackServerMechanismFactory and its socket address handling. So I made the changes, let me know what you think? Thank you!
There was a problem hiding this comment.
@fjuma Here is affiliated commit for wildfly-core Skyllarr/wildfly-core@f9cf847 , if you like the changes I can create a WFCORE issue and submit this as a PR
There was a problem hiding this comment.
The Core changes look good to me.
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
c84d020
to
d21994a
Compare
| @@ -73,6 +74,7 @@ public String getMechanismName() { | |||
| public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException { | |||
| String host = request.getFirstRequestHeaderValue(HOST); | |||
| String resolvedHostName = null; | |||
| URI requestedUri = request.getRequestURI(); | |||
There was a problem hiding this comment.
Is this needed here? It doesn't look like it's used.
| * | ||
| * @author <a href="mailto:dvilkola@redhat.com">Diana Krepinska</a> | ||
| */ | ||
| public class SetRequestInformationMechanismFactory implements HttpServerAuthenticationMechanismFactory { |
There was a problem hiding this comment.
I think this should be called RequestInformationCallbackServerMechanismFactory to be consistent with other the factories, right?
There was a problem hiding this comment.
I see now, we also have a SetMechanismInformationMechanismFactory so that's probably why you named this SetRequestInformationMechanismFactory. That's fine then.
There was a problem hiding this comment.
@fjuma I renamed this because I was thinking the same before. The SocketAddressCallbackServerMechanismFactory also uses the Callback in its name. I think the RequestInformationCallbackServerMechanismFactory is more clear?
| */ | ||
| public class SetRequestInformationMechanismFactory implements HttpServerAuthenticationMechanismFactory { | ||
|
|
||
| private HttpServerAuthenticationMechanismFactory delegate; |
| * @param delegate the wrapped mechanism factory | ||
| */ | ||
| public SetRequestInformationMechanismFactory(final HttpServerAuthenticationMechanismFactory delegate) { | ||
| this.delegate = delegate; |
There was a problem hiding this comment.
There should be a check here to make sure the delegate isn't null.
| try { | ||
| callbackHandler.handle(new Callback[]{new RequestInformationCallback(request.getRequestURI())}); | ||
| } catch (Throwable e) { | ||
| throw log.unableToLocateMechanismConfiguration(e).toHttpAuthenticationException(); |
There was a problem hiding this comment.
Should this be updated to request configuration?
There was a problem hiding this comment.
@fjuma What do you mean by request configuration? I think now that I should update this to:
catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
wdyt?
There was a problem hiding this comment.
"unableToLocateMechanismConfiguration" seems specific to the "SetMechanismInformationMechanismFactory"
Your suggested update looks fine.
There was a problem hiding this comment.
@fjuma Thank you, updated
|
Hi @darranl , this PR now adds a new |
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
d21994a
to
9f0768b
Compare
Skyllarr
force-pushed
the
JBEAP-25337
branch
2 times, most recently
from
4e62872
to
5e79fa5
Compare
@darranl Thanks for review! Based on your comment I decided to change the callback to have a |
Skyllarr
force-pushed
the
JBEAP-25337
branch
2 times, most recently
from
1a53535
to
39d356d
Compare
| HashMap<String, Object> props = ((RequestInformationCallback) callback).getProperties(); | ||
| Attributes runtimeAttributes = new MapAttributes(); | ||
| for (Map.Entry<String, Object> entry : props.entrySet()) { | ||
| runtimeAttributes.addFirst(entry.getKey(), entry.getValue().toString()); |
There was a problem hiding this comment.
@darranl @fjuma Updated this PR to use a map of <String, Function> as properties in the RequestInformationMechanismFactory. I am not sure if it is okay to add all of the properties to the runtimeAttributes and not just Request-URI ? I wanted to introduce a public static final String REQUEST_URI somewhere in this repo, but I did not find a good place without introducing new dependencies or classes with constants, and this is a maintenance branch also. But maybe putting all of the properties from the callback into the runtimeAttributes indiscriminately makes sense now.
"Request-URI" constant is defined in the wildfly-core repo PR.
Also, this is relying on the toString() method being implemented well on the entry.getValue().
Let me know what you think. Thanks!
There was a problem hiding this comment.
Since this is more generic now, adding all of the properties to the runtimeAttributes makes sense to me.
For the REQUEST_URI constant, maybe that could be added to the SetRequestInformationCallbackMechanismFactory and then it could be used from WildFly Core?
There was a problem hiding this comment.
I think I would be tempted to try and keep the list of properties out of Elytron for now but in WildFly Core it should define Functions for all properties.
Late on I think custom implementations of the functions could be added to extract Cookie information etc so may be good to control the default behaviour over there?
There was a problem hiding this comment.
@darranl Okay sounds good to me, and that is the current state of these PRs. Request-URI and its function is currently defined in wildfly-core as seen in the PR and if any other functions will be added in the future, those can be added to the same place in wildfly-core. Please check that your approval on wildfly-core still holds as the code has been changed since your last approval. Thank you!
@fjuma Let us know if you agree and if so, can you please approve this PR and the wildfly-core PR? Thank you!
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
39d356d
to
8337be0
Compare
…cessfulAuthenticationEvent and RealmFailedAuthenticationEvent
Skyllarr
force-pushed
the
JBEAP-25337
branch
from
8337be0
to
8bf64cd
Compare
https://issues.redhat.com/browse/ELY-2583