Skip to content
Snippets Groups Projects
Commit 611cf34e authored by Dustin Jenkins's avatar Dustin Jenkins
Browse files

Story 1731: Re-use the AccessControlFilter for the password change servlet.

parent f7b8e184
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/web/users/PasswordServlet.java
+ 60
53
View file @ 611cf34e
...@@ -70,7 +70,6 @@ package ca.nrc.cadc.ac.server.web.users; ...@@ -70,7 +70,6 @@ package ca.nrc.cadc.ac.server.web.users;
import java.io.IOException; import java.io.IOException;
import java.security.AccessControlException; import java.security.AccessControlException;
import java.security.PrivilegedAction;
import java.util.Set; import java.util.Set;
import javax.security.auth.Subject; import javax.security.auth.Subject;
...@@ -87,15 +86,30 @@ import ca.nrc.cadc.auth.HttpPrincipal; ...@@ -87,15 +86,30 @@ import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.log.ServletLogInfo; import ca.nrc.cadc.log.ServletLogInfo;
import ca.nrc.cadc.util.StringUtil; import ca.nrc.cadc.util.StringUtil;
@SuppressWarnings("serial")
/**
* Servlet to handle password changes. Passwords are an integral part of the
* access control system and are handled differently to accommodate stricter
* guidelines.
* <p/>
* This servlet handles POST only. It relies on the Subject being set higher
* up by the AccessControlFilter as configured in the web descriptor.
*/
public class PasswordServlet extends HttpServlet public class PasswordServlet extends HttpServlet
{ {
private static final Logger log = Logger.getLogger(PasswordServlet.class); private static final Logger log = Logger.getLogger(PasswordServlet.class);
/** /**
* Attempt to change password. * Attempt to change password.
*
* @param request The HTTP Request.
* @param response The HTTP Response.
* @throws IOException Any errors that are not expected.
*/ */
public void doPost(final HttpServletRequest request, final HttpServletResponse response) public void doPost(final HttpServletRequest request,
throws IOException final HttpServletResponse response)
throws IOException
{ {
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
final long start = System.currentTimeMillis(); final long start = System.currentTimeMillis();
...@@ -104,68 +118,61 @@ public class PasswordServlet extends HttpServlet ...@@ -104,68 +118,61 @@ public class PasswordServlet extends HttpServlet
try try
{ {
final Subject subject = AuthenticationUtil.getSubject(request); final Subject subject = AuthenticationUtil.getSubject(request);
if ((subject == null) || (subject.getPrincipals(HttpPrincipal.class).isEmpty())) if ((subject == null)
|| (subject.getPrincipals(HttpPrincipal.class).isEmpty()))
{ {
logInfo.setMessage("Missing subject"); logInfo.setMessage("Missing subject");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
else else
{ {
logInfo.setSubject(subject); logInfo.setSubject(subject);
Subject.doAs(subject, new PrivilegedAction<Void>() try
{ {
@Override response.setStatus(HttpServletResponse.SC_OK);
public Void run() final Set<HttpPrincipal> webPrincipals =
{
try
{
response.setStatus(HttpServletResponse.SC_OK);
final Set<HttpPrincipal> webPrincipals =
subject.getPrincipals(HttpPrincipal.class); subject.getPrincipals(HttpPrincipal.class);
final User<HttpPrincipal> user =
User<HttpPrincipal> user = new User<HttpPrincipal>(webPrincipals.iterator().next()); new User<HttpPrincipal>(webPrincipals.iterator().next());
String oldPassword = request.getParameter("old_password"); String oldPassword = request.getParameter("old_password");
String newPassword = request.getParameter("new_password"); String newPassword = request.getParameter("new_password");
if (StringUtil.hasText(oldPassword)) if (StringUtil.hasText(oldPassword))
{ {
if (StringUtil.hasText(newPassword)) if (StringUtil.hasText(newPassword))
{
(new LdapUserPersistence<HttpPrincipal>()).setPassword(user, oldPassword, newPassword);
}
else
{
throw new IllegalArgumentException("Missing new password");
}
}
else
{
throw new IllegalArgumentException("Missing old password");
}
}
catch (IllegalArgumentException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
}
catch (AccessControlException e)
{ {
log.debug(e.getMessage(), e); (new LdapUserPersistence<HttpPrincipal>())
logInfo.setMessage(e.getMessage()); .setPassword(user, oldPassword, newPassword);
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
catch (Throwable t) else
{ {
String message = "Internal Server Error: " + t.getMessage(); throw new IllegalArgumentException("Missing new password");
log.error(message, t);
logInfo.setSuccess(false);
logInfo.setMessage(message);
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
} }
return null;
} }
}); else
{
throw new IllegalArgumentException("Missing old password");
}
}
catch (IllegalArgumentException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
}
catch (AccessControlException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
catch (Throwable t)
{
String message = "Internal Server Error: " + t.getMessage();
log.error(message, t);
logInfo.setSuccess(false);
logInfo.setMessage(message);
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
} }
} }
catch (Throwable t) catch (Throwable t)
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment