[ofbiz-plugins] branch trunk updated: Fixed: Allowing auth token validation to take place all the time even for auth=true services. Disable it only when header is absent(OFBIZ-11328)

grv-2
This is an automated email from the ASF dual-hosted git repository.

grv pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 8545cfe  Fixed: Allowing auth token validation to take place all the time even for auth=true services. Disable it only when header is absent(OFBIZ-11328)
8545cfe is described below

commit 8545cfebb2193bead7d06bd8e8cdb5108d24b209
Author: Girish Vasmatkar <[hidden email]>
AuthorDate: Thu Oct 1 00:01:43 2020 +0530

    Fixed: Allowing auth token validation to take place all the time even for auth=true services. Disable it only when header is absent(OFBIZ-11328)
---
 .../java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
index 3834464..140c75f 100644
--- a/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
+++ b/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/security/auth/APIAuthFilter.java
@@ -75,6 +75,7 @@ public class APIAuthFilter implements ContainerRequestFilter {
      */
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
+        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         if (isServiceResource()) {
             String service = (String) RestApiUtil.extractParams(uriInfo.getPathParameters()).get("serviceName");
             if (UtilValidate.isNotEmpty(service)) {
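Review bot: the Javadoc block that closes with `*/` just above `@Override` is not updated in this hunk, yet the `+` line hoisting `authorizationHeader` to the top of `filter()` changes the method's contract (a present Authorization header is now always validated, regardless of the service's `auth` flag); add a sentence to that Javadoc describing the new behaviour so readers of the filter do not have to infer it from the inline comment further down.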
@@ -84,13 +85,13 @@ public class APIAuthFilter implements ContainerRequestFilter {
                 } catch (GenericServiceException e) {
                     Debug.logError(e.getMessage(), MODULE);
                 }
-                // Skip auth for services auth=false in service definition
-                if (mdService != null && !mdService.isAuth()) {
+                // Skip auth for services auth=false in service definition and if Authorization header is absent
+                // Still validate the token if it is present even if service being called is auth=false
+                if (mdService != null && !mdService.isAuth() && authorizationHeader == null) {
                     return;
                 }
             }
         }
-        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         Delegator delegator = (Delegator) servletContext.getAttribute("delegator");
         if (!isTokenBasedAuthentication(authorizationHeader)) {
             abortWithUnauthorized(requestContext, false, "Unauthorized: Access is denied due to invalid or absent Authorization header.");
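Review bot: the `+` condition `mdService != null && !mdService.isAuth() && authorizationHeader == null` changes observable behaviour for `auth=false` services, and the inline comment understates it: any request that carries an Authorization header of the wrong scheme now falls through to `if (!isTokenBasedAuthentication(authorizationHeader))` and is rejected with "Unauthorized: Access is denied due to invalid or absent Authorization header." instead of being served anonymously as before. Two suggestions: (1) note this in the commit message / OFBIZ-11328 so API clients that send an unrelated header to public endpoints are not surprised, and (2) since `getHeaderString` returns `""` rather than `null` for a present-but-empty header, and this method already uses `UtilValidate.isNotEmpty(service)` a few lines up, prefer `UtilValidate.isEmpty(authorizationHeader)` for consistency so a blank header is treated as absent rather than routed to token validation.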