/**
 * Installs a {@link SecuritySanityCheckFilter} on every path ({@code /*}) of the given context.
 *
 * @param root       servlet context to register the filter on
 * @param jsonMapper mapper handed to the filter for rendering its JSON error body
 */
public static void addSecuritySanityCheckFilter(ServletContextHandler root, ObjectMapper jsonMapper)
{
  final SecuritySanityCheckFilter sanityCheck = new SecuritySanityCheckFilter(jsonMapper);
  // Dispatcher types are left unspecified (null), matching every other registration of this filter.
  root.addFilter(new FilterHolder(sanityCheck), "/*", null);
}
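/**
 * Rejects any request that already carries Druid's auth-state request attributes, then hands clean
 * requests down the chain.
 *
 * <p>The three attributes read here ({@code DRUID_AUTHORIZATION_CHECKED},
 * {@code DRUID_ALLOW_UNSECURED_PATH}, {@code DRUID_AUTHENTICATION_RESULT}) must all be absent when
 * a request reaches this filter; if any is present the request is answered with HTTP 403 and is not
 * forwarded. Only presence is checked, so the values are never cast: an unexpected attribute type
 * still yields a 403 rather than a {@code ClassCastException} escaping as a 500.
 *
 * <p>The response output stream is obtained only on the rejection path. Calling
 * {@code getOutputStream()} commits the response to byte-stream mode, after which a downstream
 * servlet calling {@code getWriter()} fails with {@code IllegalStateException}; the pass-through
 * path must therefore not touch the stream.
 *
 * @param request  incoming request, inspected only for the three attributes above
 * @param response response, expected to be an {@link HttpServletResponse}
 * @param chain    remaining filter chain, invoked only when no auth attribute is pre-populated
 * @throws IOException      if writing the error body fails
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException
{
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  // make sure the original request isn't trying to fake the auth token checks
  final Object authInfoChecked = request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED);
  final Object allowUnsecured = request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH);
  final Object result = request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);

  if (authInfoChecked != null || result != null || allowUnsecured != null) {
    // Stream is acquired here, and only here, so the happy path never commits the response mode.
    final OutputStream out = httpResponse.getOutputStream();
    sendJsonError(httpResponse, HttpServletResponse.SC_FORBIDDEN, unauthorizedMessage, out);
    out.close();
    return;
  }

  chain.doFilter(request, response);
}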
/**
 * A request carrying none of the Druid auth attributes must be forwarded down the chain untouched.
 */
@Test
public void testValidRequest() throws Exception
{
  final HttpServletRequest request = EasyMock.createStrictMock(HttpServletRequest.class);
  final HttpServletResponse response = EasyMock.createStrictMock(HttpServletResponse.class);
  final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);

  // Every attribute lookup answers null: nothing has been pre-populated on this request.
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(null).once();
  chain.doFilter(request, response);
  EasyMock.expectLastCall().once();

  // The response mock is deliberately neither replayed nor verified; calls on it are not asserted.
  EasyMock.replay(request, chain);
  new SecuritySanityCheckFilter(new DefaultObjectMapper()).doFilter(request, response, chain);
  EasyMock.verify(request, chain);
}
/**
 * A request that arrives with Druid auth attributes already set must be answered with a JSON 403
 * and must never reach the chain.
 */
@Test
public void testInvalidRequest() throws Exception
{
  final HttpServletRequest request = EasyMock.createStrictMock(HttpServletRequest.class);
  final HttpServletResponse response = EasyMock.createStrictMock(HttpServletResponse.class);
  final FilterChain chain = EasyMock.createStrictMock(FilterChain.class);
  final ServletOutputStream body = EasyMock.createNiceMock(ServletOutputStream.class);
  final AuthenticationResult forgedResult =
      new AuthenticationResult("does-not-belong", "does-not-belong", null, null);

  // Two of the three attributes are pre-populated; the filter rejects on any one of them.
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(Boolean.TRUE).once();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
  EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(forgedResult).once();

  // Strict mock: the 403 JSON error must be written in exactly this order; no chain call is expected.
  EasyMock.expect(response.getOutputStream()).andReturn(body).once();
  response.setStatus(403);
  EasyMock.expectLastCall().once();
  response.setContentType("application/json");
  EasyMock.expectLastCall().once();
  response.setCharacterEncoding("UTF-8");
  EasyMock.expectLastCall().once();

  EasyMock.replay(request, response, chain, body);
  new SecuritySanityCheckFilter(new DefaultObjectMapper()).doFilter(request, response, chain);
  EasyMock.verify(request, response, chain, body);
}
}
/**
 * Installs a {@link SecuritySanityCheckFilter} on every path ({@code /*}) of the given context.
 *
 * @param root       servlet context to register the filter on
 * @param jsonMapper mapper handed to the filter for rendering its JSON error body
 */
public static void addSecuritySanityCheckFilter(ServletContextHandler root, ObjectMapper jsonMapper)
{
  final FilterHolder holder = new FilterHolder(new SecuritySanityCheckFilter(jsonMapper));
  // Dispatcher types are left unspecified (null).
  root.addFilter(holder, "/*", null);
}
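/**
 * Rejects any request that already carries Druid's auth-state request attributes, then hands clean
 * requests down the chain.
 *
 * <p>The three attributes read here ({@code DRUID_AUTHORIZATION_CHECKED},
 * {@code DRUID_ALLOW_UNSECURED_PATH}, {@code DRUID_AUTHENTICATION_RESULT}) must all be absent when
 * a request reaches this filter; if any is present the request is answered with HTTP 403 and is not
 * forwarded. Only presence is checked, so the values are never cast: an unexpected attribute type
 * still yields a 403 rather than a {@code ClassCastException} escaping as a 500.
 *
 * <p>The response output stream is obtained only on the rejection path. Calling
 * {@code getOutputStream()} commits the response to byte-stream mode, after which a downstream
 * servlet calling {@code getWriter()} fails with {@code IllegalStateException}; the pass-through
 * path must therefore not touch the stream.
 *
 * @param request  incoming request, inspected only for the three attributes above
 * @param response response, expected to be an {@link HttpServletResponse}
 * @param chain    remaining filter chain, invoked only when no auth attribute is pre-populated
 * @throws IOException      if writing the error body fails
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(
    ServletRequest request,
    ServletResponse response,
    FilterChain chain
) throws IOException, ServletException
{
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  // make sure the original request isn't trying to fake the auth token checks
  final Object authInfoChecked = request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED);
  final Object allowUnsecured = request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH);
  final Object result = request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);

  if (authInfoChecked != null || result != null || allowUnsecured != null) {
    // Stream is acquired here, and only here, so the happy path never commits the response mode.
    final OutputStream out = httpResponse.getOutputStream();
    sendJsonError(httpResponse, Response.SC_FORBIDDEN, unauthorizedMessage, out);
    out.close();
    return;
  }

  chain.doFilter(request, response);
}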