Commit ffef3d08 authored by Alinga Yeung's avatar Alinga Yeung

Story ac2. Fixed merge conflicts. Simplified code as well.

parents 6f184419 611cf34e
...@@ -70,7 +70,6 @@ package ca.nrc.cadc.ac.server.web.users; ...@@ -70,7 +70,6 @@ package ca.nrc.cadc.ac.server.web.users;
import java.io.IOException; import java.io.IOException;
import java.security.AccessControlException; import java.security.AccessControlException;
import java.security.PrivilegedAction;
import java.util.Set; import java.util.Set;
import javax.security.auth.Subject; import javax.security.auth.Subject;
...@@ -87,15 +86,30 @@ import ca.nrc.cadc.auth.HttpPrincipal; ...@@ -87,15 +86,30 @@ import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.log.ServletLogInfo; import ca.nrc.cadc.log.ServletLogInfo;
import ca.nrc.cadc.util.StringUtil; import ca.nrc.cadc.util.StringUtil;
@SuppressWarnings("serial")
/**
* Servlet to handle password changes. Passwords are an integral part of the
* access control system and are handled differently to accommodate stricter
* guidelines.
* <p/>
* This servlet handles POST only. It relies on the Subject being set higher
* up by the AccessControlFilter as configured in the web descriptor.
*/
public class PasswordServlet extends HttpServlet public class PasswordServlet extends HttpServlet
{ {
private static final Logger log = Logger.getLogger(PasswordServlet.class); private static final Logger log = Logger.getLogger(PasswordServlet.class);
/** /**
* Attempt to change password. * Attempt to change password.
*
* @param request The HTTP Request.
* @param response The HTTP Response.
* @throws IOException Any errors that are not expected.
*/ */
public void doPost(final HttpServletRequest request, final HttpServletResponse response) public void doPost(final HttpServletRequest request,
throws IOException final HttpServletResponse response)
throws IOException
{ {
final long start = System.currentTimeMillis(); final long start = System.currentTimeMillis();
final ServletLogInfo logInfo = new ServletLogInfo(request); final ServletLogInfo logInfo = new ServletLogInfo(request);
...@@ -103,69 +117,51 @@ public class PasswordServlet extends HttpServlet ...@@ -103,69 +117,51 @@ public class PasswordServlet extends HttpServlet
try try
{ {
final Subject subject = AuthenticationUtil.getSubject(request); final Subject subject = AuthenticationUtil.getSubject(request);
if ((subject == null) || (subject.getPrincipals(HttpPrincipal.class).isEmpty())) if ((subject == null)
|| (subject.getPrincipals(HttpPrincipal.class).isEmpty()))
{ {
logInfo.setMessage("Unauthorized subject"); logInfo.setMessage("Unauthorized subject");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
} }
else else
{ {
logInfo.setSubject(subject); logInfo.setSubject(subject);
Subject.doAs(subject, new PrivilegedAction<Void>() final Set<HttpPrincipal> webPrincipals =
subject.getPrincipals(HttpPrincipal.class);
final User<HttpPrincipal> user =
new User<HttpPrincipal>(webPrincipals.iterator().next());
String oldPassword = request.getParameter("old_password");
String newPassword = request.getParameter("new_password");
if (StringUtil.hasText(oldPassword))
{ {
@Override if (StringUtil.hasText(newPassword))
public Void run() {
(new LdapUserPersistence<HttpPrincipal>())
.setPassword(user, oldPassword, newPassword);
}
else
{ {
try throw new IllegalArgumentException("Missing new password");
{
final Set<HttpPrincipal> webPrincipals =
subject.getPrincipals(HttpPrincipal.class);
User<HttpPrincipal> user = new User<HttpPrincipal>(webPrincipals.iterator().next());
String oldPassword = request.getParameter("old_password");
String newPassword = request.getParameter("new_password");
if (StringUtil.hasText(oldPassword))
{
if (StringUtil.hasText(newPassword))
{
(new LdapUserPersistence<HttpPrincipal>()).setPassword(user, oldPassword, newPassword);
}
else
{
throw new IllegalArgumentException("Missing new password");
}
}
else
{
throw new IllegalArgumentException("Missing old password");
}
}
catch (IllegalArgumentException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
}
catch (AccessControlException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
catch (Throwable t)
{
String message = "Internal Server Error: " + t.getMessage();
log.error(message, t);
logInfo.setSuccess(false);
logInfo.setMessage(message);
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
return null;
} }
}); }
else
{
throw new IllegalArgumentException("Missing old password");
}
} }
} }
catch (IllegalArgumentException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
}
catch (AccessControlException e)
{
log.debug(e.getMessage(), e);
logInfo.setMessage(e.getMessage());
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
catch (Throwable t) catch (Throwable t)
{ {
String message = "Internal Server Error: " + t.getMessage(); String message = "Internal Server Error: " + t.getMessage();
......