protected boolean authenticate(
final OHttpRequest iRequest,
final OHttpResponse iResponse,
final List<String> iAuthenticationParts,
final String iDatabaseName)
throws IOException {
ODatabaseDocumentTx db = null;
try {
db =
OSharedDocumentDatabase.acquire(
iDatabaseName, iAuthenticationParts.get(0), iAuthenticationParts.get(1));
// AUTHENTICATED: CREATE THE SESSION
iRequest.sessionId =
OHttpSessionManager.getInstance()
.createSession(iDatabaseName, iAuthenticationParts.get(0));
return true;
} catch (OSecurityAccessException e) {
// WRONG USER/PASSWD
} catch (OLockException e) {
OLogManager.instance()
.error(
this,
"Cannot access to the database '" + iDatabaseName + "'",
ODatabaseException.class,
e);
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
OLogManager.instance()
.error(
this,
"Cannot access to the database '" + iDatabaseName + "'",
ODatabaseException.class,
e);
} finally {
if (db != null) OSharedDocumentDatabase.release(db);
else
// WRONG USER/PASSWD
sendAuthorizationRequest(iRequest, iResponse, iDatabaseName);
}
return false;
}
@Override
public boolean beforeExecute(final OHttpRequest iRequest, OHttpResponse iResponse)
throws IOException {
final String[] urlParts = iRequest.url.substring(1).split("/");
if (urlParts.length < 2)
throw new OHttpRequestException(
"Syntax error in URL. Expected is: <command>/<database>[/...]");
iRequest.databaseName = urlParts[1].replace(DBNAME_DIR_SEPARATOR, '/');
final List<String> authenticationParts =
iRequest.authorization != null
? OStringSerializerHelper.split(iRequest.authorization, ':')
: null;
if (iRequest.sessionId == null || iRequest.sessionId.length() == 1) {
// NO SESSION
if (iRequest.authorization == null || SESSIONID_LOGOUT.equals(iRequest.sessionId)) {
sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
return false;
} else return authenticate(iRequest, iResponse, authenticationParts, iRequest.databaseName);
} else {
// CHECK THE SESSION VALIDITY
final OHttpSession currentSession =
OHttpSessionManager.getInstance().getSession(iRequest.sessionId);
if (currentSession == null) {
// SESSION EXPIRED
sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
return false;
} else if (!currentSession.getDatabaseName().equals(iRequest.databaseName)) {
// SECURITY PROBLEM: CROSS DATABASE REQUEST!
OLogManager.instance()
.warn(
this,
"Session %s is trying to access to the database '%s', but has been authenticated against the database '%s'",
iRequest.sessionId,
iRequest.databaseName,
currentSession.getDatabaseName());
sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
return false;
} else if (authenticationParts != null
&& !currentSession.getUserName().equals(authenticationParts.get(0))) {
// SECURITY PROBLEM: CROSS DATABASE REQUEST!
OLogManager.instance()
.warn(
this,
"Session %s is trying to access to the database '%s' with user '%s', but has been authenticated with user '%s'",
iRequest.sessionId,
iRequest.databaseName,
authenticationParts.get(0),
currentSession.getUserName());
sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
return false;
}
return true;
}
}
