From e812c2c94049ca9c8ef754a86b54784b7ce5aea6 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Mon, 27 Jan 2020 18:01:21 +0100
Subject: [PATCH] Fixed ISE in LoggingDAO when called from JWTFilter

---
 .../main/java/it/inaf/ia2/gms/authn/JWTFilter.java | 8 ++++----
 .../it/inaf/ia2/gms/persistence/LoggingDAO.java | 14 +++++++++-----
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
index ce21e9c..6847193 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
@@ -33,7 +33,7 @@ public class JWTFilter implements Filter {
 String authHeader = request.getHeader("Authorization");
 if (authHeader == null) {
- loggingDAO.logAction("Attempt to access WS without token");
+ loggingDAO.logAction("Attempt to access WS without token", request);
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing Authorization token");
 return;
 }
@@ -42,7 +42,7 @@ public class JWTFilter implements Filter {
 OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(authHeader);
 if (accessToken.isExpired()) {
- loggingDAO.logAction("Attempt to access WS with expired token");
+ loggingDAO.logAction("Attempt to access WS with expired token", request);
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Access token is expired");
 return;
 }
@@ -50,13 +50,13 @@ public class JWTFilter implements Filter {
 Map<String, Object> claims = accessToken.getAdditionalInformation();
 if (claims.get("sub") == null) {
- loggingDAO.logAction("Attempt to access WS with invalid token");
+ loggingDAO.logAction("Attempt to access WS with invalid token", request);
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
 return;
 }
 ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, claims);
- loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName());
+ loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request);
 fc.doFilter(wrappedRequest, res);
 }
diff --git a/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java b/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java
index ae23d57..b236ec7 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java
@@ -18,7 +18,7 @@ public class LoggingDAO {
 private final JdbcTemplate jdbcTemplate;
- @Autowired
+ @Autowired(required = false)
 private HttpServletRequest request;
 @Autowired
@@ -53,15 +53,19 @@ public class LoggingDAO {
 }
 public void logAction(String action) {
+ logAction(action, request);
+ }
+
+ public void logAction(String action, HttpServletRequest request) {
 try {
 String sql = "INSERT INTO audit_log (\"user\", action, ip_address) VALUES (?, ?, ?)";
 jdbcTemplate.update(conn -> {
 PreparedStatement ps = conn.prepareStatement(sql);
 int i = 0;
- ps.setString(++i, getUser());
+ ps.setString(++i, getUser(request));
 ps.setString(++i, action);
- ps.setString(++i, getIPAddress());
+ ps.setString(++i, getIPAddress(request));
 return ps;
 });
 } catch (Throwable t) {
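Review bot: The last added line in this hunk logs the principal's name in the action text but hands LoggingDAO the unwrapped `request`, so `getUser(request)` in LoggingDAO reads `request.getUserPrincipal()` on a request that, unless the container set a principal itself, carries none, and the `user` column of `audit_log` is not populated from the JWT while the name only survives inside the free-text action. Passing the wrapper instead records it in the intended column: `loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), wrappedRequest);`. The three earlier calls in this file run before the wrapper exists, so passing `request` there is correct. The `doFilter` method these lines belong to starts outside the hunk.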
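Review bot: The new one-argument `logAction(String action)` forwards the injected `request` field, which the `@Autowired(required = false)` change in the hunk above now allows to be null, and neither the two-argument overload nor the helpers it calls guard against a null request; the resulting NullPointerException is absorbed by the `catch (Throwable t)` at the end of the hunk, so the audit event is dropped entirely instead of being written with an unknown user and address. Resolving the two values before building the statement, `String user = request == null ? null : getUser(request);` and `String ip = request == null ? null : getIPAddress(request);`, and binding those keeps the row for callers that have no request. The handler body of `catch (Throwable t)` is outside the hunk; for an audit write it should at minimum log the failure at error level rather than degrade silently, which I cannot confirm from here. A short Javadoc on the two-argument overload stating that the caller's request, not the request-scoped field, supplies user and address would document why the overload exists, since that is presumably the ISE the subject line refers to.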
@@ -69,7 +73,7 @@ public class LoggingDAO {
 }
 }
- private String getIPAddress() {
+ private String getIPAddress(HttpServletRequest request) {
 String ipAddress = request.getHeader("X-FORWARDED-FOR");
 if (ipAddress == null) {
 return request.getRemoteAddr();
@@ -78,7 +82,7 @@ public class LoggingDAO {
 }
 }
- private String getUser() {
+ private String getUser(HttpServletRequest request) {
 if (request.getUserPrincipal() != null) {
 return request.getUserPrincipal().getName();
 }
--
GitLab
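Review bot: `getIPAddress` now takes the caller's request but still records whatever the client sent in `X-FORWARDED-FOR`, a header any caller can set, so the `ip_address` column of the audit log holds an attacker-chosen value unless a trusted reverse proxy in front of this service overwrites it. If the deployment relies on such a proxy, state that above the header read, e.g. `// X-Forwarded-For is only trustworthy behind the reverse proxy that sets it; otherwise it is client-controlled`; if it does not, honour the header only when `request.getRemoteAddr()` is a known proxy address and fall back to `getRemoteAddr()` otherwise. The method body continues past the hunk, so I cannot see how a multi-address header value is handled.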