Merge "Include authentication scheme in authorization header"

gerrit-common/src/main/java/com/google/gerrit/common/data/HostPageData.java

@@ -23,7 +23,7 @@ import java.util.List;
 public class HostPageData {
   public Account account;
   public AccountDiffPreference accountDiffPref;
-  public String accessToken;
+  public String authorization;
   public GerritConfig config;
   public Theme theme;
   public List<String> plugins;

gerrit-gwtui/src/main/java/com/google/gerrit/client/Gerrit.java

@@ -93,7 +93,7 @@ public class Gerrit implements EntryPoint {
   private static HostPageData.Theme myTheme;
   private static Account myAccount;
   private static AccountDiffPreference myAccountDiffPref;
-  private static String accessToken;
+  private static String authorization;
 
   private static MorphingTabPanel menuLeft;
   private static LinkMenuBar menuRight;
@@ -240,8 +240,8 @@ public class Gerrit implements EntryPoint {
   }
 
   /** @return access token to prove user identity during REST API calls. */
-  public static String getAccessToken() {
-    return accessToken;
+  public static String getAuthorization() {
+    return authorization;
   }
 
   /** @return the currently signed in users's diff preferences; null if no diff preferences defined for the account */
@@ -338,7 +338,7 @@ public class Gerrit implements EntryPoint {
   static void deleteSessionCookie() {
     myAccount = null;
     myAccountDiffPref = null;
-    accessToken = null;
+    authorization = null;
     refreshMenuBar();
 
     // If the cookie was HttpOnly, this request to delete it will
@@ -388,7 +388,7 @@ public class Gerrit implements EntryPoint {
         myTheme = result.theme;
         if (result.account != null) {
           myAccount = result.account;
-          accessToken = result.accessToken;
+          authorization = result.authorization;
         }
         if (result.accountDiffPref != null) {
           myAccountDiffPref = result.accountDiffPref;
@@ -535,7 +535,7 @@ public class Gerrit implements EntryPoint {
     JsonUtil.setDefaultXsrfManager(new XsrfManager() {
       @Override
       public String getToken(JsonDefTarget proxy) {
-        return accessToken;
+        return authorization;
       }
 
       @Override

gerrit-gwtui/src/main/java/com/google/gerrit/client/rpc/RestApi.java

@@ -213,8 +213,8 @@ public class RestApi {
       final AsyncCallback<T> cb) {
     RequestBuilder req = new RequestBuilder(method, url.toString());
     req.setHeader("Accept", JsonConstants.JSON_TYPE);
-    if (Gerrit.getAccessToken() != null) {
-      req.setHeader("Authorization", "OAuth " + Gerrit.getAccessToken());
+    if (Gerrit.getAuthorization() != null) {
+      req.setHeader("Authorization", Gerrit.getAuthorization());
     }
     if (contentData != null) {
       req.setHeader("Content-Type", contentType);

gerrit-httpd/src/main/java/com/google/gerrit/httpd/CacheBasedWebSession.java

@@ -86,8 +86,8 @@ public final class CacheBasedWebSession implements WebSession {
     this.identified = identified;
 
     String cookie = request.getHeader("Authorization");
-    if (cookie != null && cookie.startsWith("OAuth ")) {
-      cookie = cookie.substring("OAuth ".length());
+    if (cookie != null && cookie.startsWith("Bearer ")) {
+      cookie = cookie.substring("Bearer ".length());
       accessPath = AccessPath.REST_API;
     } else if (cookie != null && GitSmartHttpTools.isGitClient(request)) {
       accessPath = AccessPath.GIT;
@@ -133,8 +133,8 @@ public final class CacheBasedWebSession implements WebSession {
     return val != null;
   }
 
-  public String getAccessToken() {
-    return isSignedIn() ? key.getToken() : null;
+  public String getAuthorization() {
+    return isSignedIn() ? "Bearer " + key.getToken() : null;
   }
 
   public AccountExternalId.Key getLastLoginExternalId() {

gerrit-httpd/src/main/java/com/google/gerrit/httpd/HttpLogoutServlet.java

@@ -77,7 +77,7 @@ class HttpLogoutServlet extends HttpServlet {
   protected void doGet(final HttpServletRequest req,
       final HttpServletResponse rsp) throws IOException {
 
-    final String sid = webSession.get().getAccessToken();
+    final String sid = webSession.get().getAuthorization();
     final CurrentUser currentUser = webSession.get().getCurrentUser();
     final String what = "sign out";
     final long when = System.currentTimeMillis();

gerrit-httpd/src/main/java/com/google/gerrit/httpd/WebSession.java

@@ -22,7 +22,7 @@ import com.google.gerrit.server.account.AuthResult;
 public interface WebSession {
   public boolean isSignedIn();
 
-  public String getAccessToken();
+  public String getAuthorization();
 
   public AccountExternalId.Key getLastLoginExternalId();
 

gerrit-httpd/src/main/java/com/google/gerrit/httpd/raw/HostPageServlet.java

@@ -178,8 +178,8 @@ public class HostPageServlet extends HttpServlet {
       json(((IdentifiedUser) user).getAccount(), w);
       w.write(";");
 
-      w.write(HPD_ID + ".accessToken=");
-      json(session.get().getAccessToken(), w);
+      w.write(HPD_ID + ".authorization=");
+      json(session.get().getAuthorization(), w);
       w.write(";");
 
       w.write(HPD_ID + ".accountDiffPref=");

gerrit-httpd/src/main/java/com/google/gerrit/httpd/rpc/GerritJsonServlet.java

@@ -131,7 +131,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
       }
       Audit note = (Audit) method.getAnnotation(Audit.class);
       if (note != null) {
-        final String sid = call.getWebSession().getAccessToken();
+        final String sid = call.getWebSession().getAuthorization();
         final CurrentUser username = call.getWebSession().getCurrentUser();
         final List<Object> args =
             extractParams(note, call);
@@ -249,7 +249,7 @@ final class GerritJsonServlet extends JsonServlet<GerritJsonServlet.GerritCall>
       } else {
         // The session must exist, and must be using this token.
         //
-        return session.isSignedIn() && keyIn.equals(session.getAccessToken());
+        return session.isSignedIn() && keyIn.equals(session.getAuthorization());
       }
     }