diff options
author | David Ostrovsky <david@ostrovsky.org> | 2018-08-11 10:40:26 +0200 |
---|---|---|
committer | David Ostrovsky <david@ostrovsky.org> | 2018-08-31 08:41:06 +0200 |
commit | b545f0cae553bf0381b5df85079c7e0e11113ad3 (patch) | |
tree | 1c2247ecb4ae5a08826f1e8dab3fdef5e9f8c1a3 | |
parent | 9932a888654ddb34d62d354ed3d0290fc973f4de (diff) |
Ensure user authentication in AllRequestFilter filters
The current order of filters declaration make request authentication
only work when HTTP request is issued from the Gerrit UI, but not
work when REST API is used.
In Daemon#createWebInjector() we have this:
[...]
modules.add(RequestContextFilter.module());
modules.add(AllRequestFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(H2CacheBasedWebSession.module());
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
[...]
The are two major use cases to consider:
1. Gerrit UI request: when authenticated user session is found and set
in RequestContextFilter, before AllRequestFilter, that's why in
AllRequestFilter we have a user:
Account: 1000000 username: admin
2. REST API request, e.g.:
curl --user user http://localhost:8080/a/config/server/version
"2.14.7-9-g9ebfce95b7-dirty"
Here the AllRequestFilter is bound before GitOverHttpModule, that
provides ProjectBasicAuthFilter filter, and thus, there is no identified
user:
anonymous
Adapt the AllRequestFilter registration order to fix authentication also
for REST API requests.
This is needed for Javamelody's monitoring filter to work properly for
Prometheus scraping request:
curl -u user http://localhost:8080/a/monitoring?format=prometheus
There is more context and discussions in these CLs:
https://gerrit-review.googlesource.com/c/plugins/javamelody/+/192411
https://gerrit-review.googlesource.com/c/plugins/javamelody/+/192170
https://gerrit-review.googlesource.com/c/gerrit/+/164991
Change-Id: I925e952474440cb612080dafd917a01dba8f3330
-rw-r--r-- | gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java | 2 | ||||
-rw-r--r-- | gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java index d6ae6e1c1d..b57dfc6b35 100644 --- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java +++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java @@ -513,10 +513,10 @@ public class Daemon extends SiteProgram { modules.add(new ProjectQoSFilter.Module()); } modules.add(RequestContextFilter.module()); - modules.add(AllRequestFilter.module()); modules.add(RequestMetricsFilter.module()); modules.add(H2CacheBasedWebSession.module()); modules.add(sysInjector.getInstance(GitOverHttpModule.class)); + modules.add(AllRequestFilter.module()); modules.add(sysInjector.getInstance(WebModule.class)); modules.add(sysInjector.getInstance(RequireSslFilter.Module.class)); modules.add(new HttpPluginModule()); diff --git a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java index 8bc091a7b7..441f2b5ab5 100644 --- a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java +++ b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java @@ -401,9 +401,9 @@ public class WebAppInitializer extends GuiceServletContextListener implements Fi private Injector createWebInjector() { final List<Module> modules = new ArrayList<>(); modules.add(RequestContextFilter.module()); - modules.add(AllRequestFilter.module()); modules.add(RequestMetricsFilter.module()); modules.add(sysInjector.getInstance(GitOverHttpModule.class)); + modules.add(AllRequestFilter.module()); modules.add(sysInjector.getInstance(WebModule.class)); modules.add(sysInjector.getInstance(RequireSslFilter.Module.class)); if (sshInjector != null) { |