コード例 #1
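  /**
   * Checks the supplied credentials against the database and, when they are accepted, creates
   * an HTTP session for the request.
   *
   * <p>On any failure the authorization challenge is sent to the client from the {@code finally}
   * block (recognisable because {@code db} is still {@code null}) and {@code false} is returned.
   *
   * @param iRequest the incoming request; {@code sessionId} is set when authentication succeeds
   * @param iResponse the response used to send the authorization challenge on failure
   * @param iAuthenticationParts parsed credential parts: user name at index 0, password at index 1
   * @param iDatabaseName the database the credentials are checked against
   * @return {@code true} when the credentials were accepted and a session was created,
   *     {@code false} otherwise (the challenge has already been sent)
   * @throws IOException if sending the authorization challenge fails
   */
  protected boolean authenticate(
      final OHttpRequest iRequest,
      final OHttpResponse iResponse,
      final List<String> iAuthenticationParts,
      final String iDatabaseName)
      throws IOException {
    // A credential list without both user name and password used to escape as an
    // IndexOutOfBoundsException from get(1); treat it as a failed login instead.
    if (iAuthenticationParts == null || iAuthenticationParts.size() < 2) {
      sendAuthorizationRequest(iRequest, iResponse, iDatabaseName);
      return false;
    }

    final String userName = iAuthenticationParts.get(0);
    final String password = iAuthenticationParts.get(1);

    ODatabaseDocumentTx db = null;
    try {
      db = OSharedDocumentDatabase.acquire(iDatabaseName, userName, password);

      // AUTHENTICATED: CREATE THE SESSION
      iRequest.sessionId =
          OHttpSessionManager.getInstance().createSession(iDatabaseName, userName);
      return true;

    } catch (OSecurityAccessException e) {
      // WRONG USER/PASSWD: db stays null, so the finally block sends the challenge.
      // Logged (without the password) so repeated failures against an account are visible.
      OLogManager.instance()
          .warn(
              this,
              "Authentication failed for user '%s' against the database '%s'",
              userName,
              iDatabaseName);
    } catch (OLockException e) {
      OLogManager.instance()
          .error(
              this,
              "Cannot access to the database '" + iDatabaseName + "'",
              ODatabaseException.class,
              e);
    } catch (InterruptedException e) {
      // Restore the interrupt flag before reporting, so callers up the stack still see it.
      Thread.currentThread().interrupt();
      OLogManager.instance()
          .error(
              this,
              "Cannot access to the database '" + iDatabaseName + "'",
              ODatabaseException.class,
              e);
    } finally {
      if (db != null) OSharedDocumentDatabase.release(db);
      else
        // acquire() did not succeed (bad credentials, lock or interruption): challenge the client
        sendAuthorizationRequest(iRequest, iResponse, iDatabaseName);
    }
    return false;
  }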
コード例 #2
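  /**
   * Authentication gate run before every authenticated HTTP command.
   *
   * <p>Derives the target database from the URL ({@code <command>/<database>[/...]}), then either
   * authenticates the request with the credentials in the {@code Authorization} header (no
   * session yet) or validates the existing session: it must still exist, be bound to the
   * requested database and, when credentials are sent alongside it, to the same user.
   *
   * @param iRequest the incoming request; {@code databaseName} is set as a side effect
   * @param iResponse the response used to send the authorization challenge on rejection
   * @return {@code true} when the command may run, {@code false} when the request was rejected
   *     (the challenge has already been sent)
   * @throws OHttpRequestException if the URL does not carry a database segment
   * @throws IOException if sending the authorization challenge fails
   */
  @Override
  public boolean beforeExecute(final OHttpRequest iRequest, OHttpResponse iResponse)
      throws IOException {
    final String[] urlParts = iRequest.url.substring(1).split("/");
    if (urlParts.length < 2)
      throw new OHttpRequestException(
          "Syntax error in URL. Expected is: <command>/<database>[/...]");

    iRequest.databaseName = urlParts[1].replace(DBNAME_DIR_SEPARATOR, '/');

    // NOTE(review): splitting on every ':' truncates a password that itself contains ':';
    // confirm OStringSerializerHelper.split semantics if such passwords must be supported.
    final List<String> authenticationParts =
        iRequest.authorization != null
            ? OStringSerializerHelper.split(iRequest.authorization, ':')
            : null;

    // A credential header without both user name and password is rejected up front;
    // previously it surfaced as an IndexOutOfBoundsException further down.
    if (authenticationParts != null && authenticationParts.size() < 2) {
      sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
      return false;
    }

    if (iRequest.sessionId == null || iRequest.sessionId.length() == 1) {
      // NO SESSION: either challenge the client or log it in with the supplied credentials
      if (iRequest.authorization == null || SESSIONID_LOGOUT.equals(iRequest.sessionId)) {
        sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
        return false;
      }
      return authenticate(iRequest, iResponse, authenticationParts, iRequest.databaseName);
    }

    // CHECK THE SESSION VALIDITY
    final OHttpSession currentSession =
        OHttpSessionManager.getInstance().getSession(iRequest.sessionId);
    if (currentSession == null) {
      // SESSION EXPIRED
      sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
      return false;
    }

    if (!currentSession.getDatabaseName().equals(iRequest.databaseName)) {
      // SECURITY PROBLEM: CROSS DATABASE REQUEST! A session is bound to one database.
      OLogManager.instance()
          .warn(
              this,
              "Session %s is trying to access to the database '%s', but has been authenticated against the database '%s'",
              iRequest.sessionId,
              iRequest.databaseName,
              currentSession.getDatabaseName());
      sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
      return false;
    }

    if (authenticationParts != null
        && !currentSession.getUserName().equals(authenticationParts.get(0))) {
      // SECURITY PROBLEM: CROSS USER REQUEST! Credentials sent with the session name a
      // different user than the one the session was authenticated as.
      OLogManager.instance()
          .warn(
              this,
              "Session %s is trying to access to the database '%s' with user '%s', but has been authenticated with user '%s'",
              iRequest.sessionId,
              iRequest.databaseName,
              authenticationParts.get(0),
              currentSession.getUserName());
      sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
      return false;
    }

    return true;
  }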