Include authentication scheme in authorization header

This allows the session provider to decide what authorization scheme the browser should present when it makes JSON REST API calls to the server. By default we call it Bearer to match an OAuth2 style of authentication that browsers won't do natively, but this can be changed by modifying what the session tracking implementation returns from getAuthorization(). Change-Id: If0bf3d57f5564bd06811b6c1c509b0ad5e525495
2012-11-14 01:11:22 -08:00
parent 04f041d2e6
commit aada97b178
8 changed files with 19 additions and 19 deletions
--- a/gerrit-common/src/main/java/com/google/gerrit/common/data/HostPageData.java
+++ b/gerrit-common/src/main/java/com/google/gerrit/common/data/HostPageData.java
@@ -23,7 +23,7 @@ import java.util.List;
 public class HostPageData {
  public Account account;
  public AccountDiffPreference accountDiffPref;
-  public String accessToken;
+  public String authorization;
  public GerritConfig config;
  public Theme theme;
  public List<String> plugins;
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java
@@ -93,7 +93,7 @@ public class Gerrit implements EntryPoint {
  private static HostPageData.Theme myTheme;
  private static Account myAccount;
  private static AccountDiffPreference myAccountDiffPref;
-  private static String accessToken;
+  private static String authorization;

  private static MorphingTabPanel menuLeft;
  private static LinkMenuBar menuRight;
@@ -240,8 +240,8 @@ public class Gerrit implements EntryPoint {
  }

  /** @return access token to prove user identity during REST API calls. */
-  public static String getAccessToken() {
-    return accessToken;
+  public static String getAuthorization() {
+    return authorization;
  }

  /** @return the currently signed in users's diff preferences; null if no diff preferences defined for the account */
@@ -338,7 +338,7 @@ public class Gerrit implements EntryPoint {
  static void deleteSessionCookie() {
    myAccount = null;
    myAccountDiffPref = null;
-    accessToken = null;
+    authorization = null;
    refreshMenuBar();

    // If the cookie was HttpOnly, this request to delete it will
@@ -388,7 +388,7 @@ public class Gerrit implements EntryPoint {
        myTheme = result.theme;
        if (result.account != null) {
          myAccount = result.account;
-          accessToken = result.accessToken;
+          authorization = result.authorization;
        }
        if (result.accountDiffPref != null) {
          myAccountDiffPref = result.accountDiffPref;
@@ -535,7 +535,7 @@ public class Gerrit implements EntryPoint {
    JsonUtil.setDefaultXsrfManager(new XsrfManager() {
      @Override
      public String getToken(JsonDefTarget proxy) {
-        return accessToken;
+        return authorization;
      }

      @Override
--- a/gerrit-gwtui/src/main/java/com/google/gerrit/client/rpc/RestApi.java
+++ b/gerrit-gwtui/src/main/java/com/google/gerrit/client/rpc/RestApi.java
@@ -213,8 +213,8 @@ public class RestApi {
      final AsyncCallback<T> cb) {
    RequestBuilder req = new RequestBuilder(method, url.toString());
    req.setHeader("Accept", JsonConstants.JSON_TYPE);
-    if (Gerrit.getAccessToken() != null) {
-      req.setHeader("Authorization", "OAuth " + Gerrit.getAccessToken());
+    if (Gerrit.getAuthorization() != null) {
+      req.setHeader("Authorization", Gerrit.getAuthorization());
    }
    if (contentData != null) {
      req.setHeader("Content-Type", contentType);
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java
@@ -86,8 +86,8 @@ public final class CacheBasedWebSession implements WebSession {
    this.identified = identified;

    String cookie = request.getHeader("Authorization");
-    if (cookie != null && cookie.startsWith("OAuth ")) {
-      cookie = cookie.substring("OAuth ".length());
+    if (cookie != null && cookie.startsWith("Bearer ")) {
+      cookie = cookie.substring("Bearer ".length());
      accessPath = AccessPath.REST_API;
    } else if (cookie != null && GitSmartHttpTools.isGitClient(request)) {
      accessPath = AccessPath.GIT;
@@ -133,8 +133,8 @@ public final class CacheBasedWebSession implements WebSession {
    return val != null;
  }

-  public String getAccessToken() {
-    return isSignedIn() ? key.getToken() : null;
+  public String getAuthorization() {
+    return isSignedIn() ? "Bearer " + key.getToken() : null;
  }

  public AccountExternalId.Key getLastLoginExternalId() {
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/HttpLogoutServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/HttpLogoutServlet.java
@@ -77,7 +77,7 @@ class HttpLogoutServlet extends HttpServlet {
  protected void doGet(final HttpServletRequest req,
      final HttpServletResponse rsp) throws IOException {

-    final String sid = webSession.get().getAccessToken();
+    final String sid = webSession.get().getAuthorization();
    final CurrentUser currentUser = webSession.get().getCurrentUser();
    final String what = "sign out";
    final long when = System.currentTimeMillis();
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java
@@ -22,7 +22,7 @@ import com.google.gerrit.server.account.AuthResult;
 public interface WebSession {
  public boolean isSignedIn();

-  public String getAccessToken();
+  public String getAuthorization();

  public AccountExternalId.Key getLastLoginExternalId();

--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java
@@ -178,8 +178,8 @@ public class HostPageServlet extends HttpServlet {
      json(((IdentifiedUser) user).getAccount(), w);
      w.write(";");

-      w.write(HPD_ID + ".accessToken=");
-      json(session.get().getAccessToken(), w);
+      w.write(HPD_ID + ".authorization=");
+      json(session.get().getAuthorization(), w);
      w.write(";");

      w.write(HPD_ID + ".accountDiffPref=");
--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/GerritJsonServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/GerritJsonServlet.java
@@ -131,7 +131,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
      }
      Audit note = (Audit) method.getAnnotation(Audit.class);
      if (note != null) {
-        final String sid = call.getWebSession().getAccessToken();
+        final String sid = call.getWebSession().getAuthorization();
        final CurrentUser username = call.getWebSession().getCurrentUser();
        final List<Object> args =
            extractParams(note, call);
@@ -249,7 +249,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
      } else {
        // The session must exist, and must be using this token.
        //
-        return session.isSignedIn() && keyIn.equals(session.getAccessToken());
+        return session.isSignedIn() && keyIn.equals(session.getAuthorization());
      }
    }