Fixed ISE in LoggingDAO when called from JWTFilter

e812c2c9 · Sonia Zorba · ef9122a2 · e812c2c9 · e812c2c9
Commit e812c2c9 authored 5 years ago by Sonia Zorba
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
@@ -33,7 +33,7 @@ public class JWTFilter implements Filter {
        String authHeader = request.getHeader("Authorization");
        if (authHeader == null) {
-            loggingDAO.logAction("Attempt to access WS without token");
+            loggingDAO.logAction("Attempt to access WS without token", request);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing Authorization token");
            return;
        }
@@ -42,7 +42,7 @@ public class JWTFilter implements Filter {
        OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(authHeader);
        if (accessToken.isExpired()) {
-            loggingDAO.logAction("Attempt to access WS with expired token");
+            loggingDAO.logAction("Attempt to access WS with expired token", request);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Access token is expired");
            return;
        }
@@ -50,13 +50,13 @@ public class JWTFilter implements Filter {
        Map<String, Object> claims = accessToken.getAdditionalInformation();
        if (claims.get("sub") == null) {
-            loggingDAO.logAction("Attempt to access WS with invalid token");
+            loggingDAO.logAction("Attempt to access WS with invalid token", request);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
            return;
        }
        ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, claims);
-        loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName());
+        loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request);
        fc.doFilter(wrappedRequest, res);
    }

--- a/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/persistence/LoggingDAO.java
@@ -18,7 +18,7 @@ public class LoggingDAO {
    private final JdbcTemplate jdbcTemplate;
-    @Autowired
+    @Autowired(required = false)
    private HttpServletRequest request;
    @Autowired
@@ -53,15 +53,19 @@ public class LoggingDAO {
    }
    public void logAction(String action) {
+        logAction(action, request);
+    }
+    public void logAction(String action, HttpServletRequest request) {
        try {
            String sql = "INSERT INTO audit_log (\"user\", action, ip_address) VALUES (?, ?, ?)";
            jdbcTemplate.update(conn -> {
                PreparedStatement ps = conn.prepareStatement(sql);
                int i = 0;
-                ps.setString(++i, getUser());
+                ps.setString(++i, getUser(request));
                ps.setString(++i, action);
-                ps.setString(++i, getIPAddress());
+                ps.setString(++i, getIPAddress(request));
                return ps;
            });
        } catch (Throwable t) {
@@ -69,7 +73,7 @@ public class LoggingDAO {
        }
    }
-    private String getIPAddress() {
+    private String getIPAddress(HttpServletRequest request) {
        String ipAddress = request.getHeader("X-FORWARDED-FOR");
        if (ipAddress == null) {
            return request.getRemoteAddr();
@@ -78,7 +82,7 @@ public class LoggingDAO {
        }
    }
-    private String getUser() {
+    private String getUser(HttpServletRequest request) {
        if (request.getUserPrincipal() != null) {
            return request.getUserPrincipal().getName();
        }