Include authentication scheme in authorization header

This allows the session provider to decide what authorization
scheme the browser should present when it makes JSON REST API
calls to the server. By default we call it Bearer to match an
OAuth2 style of authentication that browsers won't do natively,
but this can be changed by modifying what the session tracking
implementation returns from getAuthorization().

Change-Id: If0bf3d57f5564bd06811b6c1c509b0ad5e525495
Shawn O. Pearce
2012-11-14 01:11:22 -08:00
parent 04f041d2e6
commit aada97b178
8 changed files with 19 additions and 19 deletions


@@ -86,8 +86,8 @@ public final class CacheBasedWebSession implements WebSession {
this.identified = identified;
String cookie = request.getHeader("Authorization");
if (cookie != null && cookie.startsWith("OAuth ")) {
cookie = cookie.substring("OAuth ".length());
if (cookie != null && cookie.startsWith("Bearer ")) {
cookie = cookie.substring("Bearer ".length());
accessPath = AccessPath.REST_API;
} else if (cookie != null && GitSmartHttpTools.isGitClient(request)) {
accessPath = AccessPath.GIT;
@@ -133,8 +133,8 @@ public final class CacheBasedWebSession implements WebSession {
return val != null;
}
public String getAccessToken() {
return isSignedIn() ? key.getToken() : null;
public String getAuthorization() {
return isSignedIn() ? "Bearer " + key.getToken() : null;
}
public AccountExternalId.Key getLastLoginExternalId() {
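Review bot: The scheme name is now spelled in two independent literals inside CacheBasedWebSession: the request parser at `cookie.startsWith("Bearer ")` / `cookie.substring("Bearer ".length())` in the first hunk and the producer `"Bearer " + key.getToken()` in getAuthorization() in the second. The commit message says the scheme can be changed by altering what getAuthorization() returns, but changing that alone leaves the parser rejecting the new header value, so the two sites must move together. A single constant, e.g. `private static final String AUTH_SCHEME = "Bearer ";`, referenced from both places would make that coupling explicit and keep the prefix and its length in step. The constructor containing the header check and the rest of the class continue outside the hunks.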


@@ -77,7 +77,7 @@ class HttpLogoutServlet extends HttpServlet {
protected void doGet(final HttpServletRequest req,
final HttpServletResponse rsp) throws IOException {
final String sid = webSession.get().getAccessToken();
final String sid = webSession.get().getAuthorization();
final CurrentUser currentUser = webSession.get().getCurrentUser();
final String what = "sign out";
final long when = System.currentTimeMillis();
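Review bot: `sid` on the new line now holds the full header value (`"Bearer <token>"`, constructed example) rather than the bare token, and it is carried into the sign-out audit record alongside `what` and `when`. Any audit consumer that correlates events by the raw session token, if one exists, would see a different value after this change; if the record is meant to hold a session identifier rather than the credential as presented, stripping the scheme here or keeping a token-only accessor for audit use would avoid that shift. Either way the recorded value is a live credential, so the audit sink needs the same handling as the token itself. doGet's body continues past the hunk.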


@@ -22,7 +22,7 @@ import com.google.gerrit.server.account.AuthResult;
public interface WebSession {
public boolean isSignedIn();
public String getAccessToken();
public String getAuthorization();
public AccountExternalId.Key getLastLoginExternalId();
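Review bot: The new interface method `getAuthorization()` has no Javadoc, and its contract differs from the accessor it replaces: the implementation in this commit returns the complete Authorization header value including the scheme, or null when the session is not signed in. Suggest documenting that on the interface, e.g. `/** @return the value the client must send in the {@code Authorization} header, including the scheme name (for example {@code "Bearer <token>"}); {@code null} if not signed in. */`. It is also worth stating that implementations must return a scheme the server's request parsing accepts, since CacheBasedWebSession matches the scheme prefix literally.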


@@ -178,8 +178,8 @@ public class HostPageServlet extends HttpServlet {
json(((IdentifiedUser) user).getAccount(), w);
w.write(";");
w.write(HPD_ID + ".accessToken=");
json(session.get().getAccessToken(), w);
w.write(HPD_ID + ".authorization=");
json(session.get().getAuthorization(), w);
w.write(";");
w.write(HPD_ID + ".accountDiffPref=");


@@ -131,7 +131,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
}
Audit note = (Audit) method.getAnnotation(Audit.class);
if (note != null) {
final String sid = call.getWebSession().getAccessToken();
final String sid = call.getWebSession().getAuthorization();
final CurrentUser username = call.getWebSession().getCurrentUser();
final List<Object> args =
extractParams(note, call);
@@ -249,7 +249,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
} else {
// The session must exist, and must be using this token.
//
return session.isSignedIn() && keyIn.equals(session.getAccessToken());
return session.isSignedIn() && keyIn.equals(session.getAuthorization());
}
}
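Review bot: `keyIn.equals(session.getAuthorization())` on the new line of the second hunk compares a client-supplied credential against the session's token with `String.equals`, which returns at the first mismatching character; a constant-time comparison is the usual choice for a secret, e.g. `String auth = session.getAuthorization();` followed by `return session.isSignedIn() && auth != null && MessageDigest.isEqual(keyIn.getBytes(UTF_8), auth.getBytes(UTF_8));` (java.security.MessageDigest; UTF_8 from StandardCharsets on Java 7, or Charset.forName("UTF-8") on older JDKs). Because getAuthorization() now includes the scheme, this check only succeeds when the client echoes the full `Bearer <token>` string (constructed example), so the client side must send the HPD_ID.authorization value unchanged; that counterpart is not visible in this section. The first hunk in this section only switches the audit `sid` to the same accessor and shares the point raised for HttpLogoutServlet. The enclosing method of the second hunk starts outside the hunk.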