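/**
 * Authenticates a request that carries explicit credentials and, on success, opens a new HTTP
 * session bound to the given database and user.
 *
 * @param iRequest             the incoming request; its {@code sessionId} is set on success
 * @param iResponse            the response used to send the 401 challenge on failure
 * @param iAuthenticationParts the already split credentials: index 0 = user, index 1 = password
 * @param iDatabaseName        the database the credentials are checked against
 * @return {@code true} if the credentials were accepted and a session was created, {@code false}
 *         otherwise (an authorization request has then been sent to the client)
 * @throws IOException if writing the authorization challenge to the response fails
 */
protected boolean authenticate(
    final OHttpRequest iRequest,
    final OHttpResponse iResponse,
    final List<String> iAuthenticationParts,
    final String iDatabaseName)
    throws IOException {
  // A header that did not split into "user:password" must be answered with a 401 challenge,
  // not with an IndexOutOfBoundsException from get(1) that would surface as a server error.
  if (iAuthenticationParts == null || iAuthenticationParts.size() < 2) {
    sendAuthorizationRequest(iRequest, iResponse, iDatabaseName);
    return false;
  }

  final String userName = iAuthenticationParts.get(0);
  ODatabaseDocumentTx db = null;
  try {
    // acquire() is the credential check: it throws OSecurityAccessException on bad user/password
    db = OSharedDocumentDatabase.acquire(iDatabaseName, userName, iAuthenticationParts.get(1));

    // AUTHENTICATED: CREATE THE SESSION
    iRequest.sessionId =
        OHttpSessionManager.getInstance().createSession(iDatabaseName, userName);
    return true;
  } catch (OSecurityAccessException e) {
    // WRONG USER/PASSWD: db stays null, so the finally block sends the 401 challenge.
    // Record the failed attempt (user and database only, never the password) so that
    // repeated failures are visible in the server log.
    OLogManager.instance()
        .warn(this, "Authentication failed for user '%s' on database '%s'", userName, iDatabaseName);
  } catch (OLockException e) {
    OLogManager.instance()
        .error(this, "Cannot access to the database '" + iDatabaseName + "'", ODatabaseException.class, e);
  } catch (InterruptedException e) {
    // Restore the interrupt flag so callers further up still observe the interruption.
    Thread.currentThread().interrupt();
    OLogManager.instance()
        .error(this, "Cannot access to the database '" + iDatabaseName + "'", ODatabaseException.class, e);
  } finally {
    if (db != null)
      OSharedDocumentDatabase.release(db);
    else
      // WRONG USER/PASSWD (or the database could not be acquired): challenge the client
      sendAuthorizationRequest(iRequest, iResponse, iDatabaseName);
  }
  return false;
}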
/**
 * Gate executed before every database-bound HTTP command: resolves the target database from the
 * URL and decides whether the caller is allowed to proceed.
 *
 * <p>Without a session the request must carry credentials, which are verified by
 * {@link #authenticate}. With a session the session must exist, be bound to the requested
 * database, and (if credentials are also sent) name the same user; any mismatch is answered
 * with an authorization challenge.
 *
 * @param iRequest  the incoming request; {@code databaseName} (and possibly {@code sessionId})
 *                  is set as a side effect
 * @param iResponse the response used for the 401 challenge
 * @return {@code true} if the command may run, {@code false} if a challenge was sent instead
 * @throws IOException           if writing the challenge fails
 * @throws OHttpRequestException if the URL does not contain a {@code <command>/<database>} prefix
 */
@Override
public boolean beforeExecute(final OHttpRequest iRequest, OHttpResponse iResponse)
    throws IOException {
  final String[] segments = iRequest.url.substring(1).split("/");
  if (segments.length < 2)
    throw new OHttpRequestException(
        "Syntax error in URL. Expected is: <command>/<database>[/...]");

  // The database name travels in the URL with DBNAME_DIR_SEPARATOR standing in for '/'.
  iRequest.databaseName = segments[1].replace(DBNAME_DIR_SEPARATOR, '/');

  // Credentials, when present, are "user:password"; only the user part is needed here.
  // NOTE(review): a password containing ':' depends on how split() treats extra separators
  // — confirm against OStringSerializerHelper.split before relying on it.
  List<String> credentials = null;
  if (iRequest.authorization != null)
    credentials = OStringSerializerHelper.split(iRequest.authorization, ':');

  // NOTE(review): a one-character session id is treated as "no session", presumably because
  // SESSIONID_LOGOUT is a single character — verify against its declaration.
  final boolean hasSession = iRequest.sessionId != null && iRequest.sessionId.length() != 1;

  if (!hasSession) {
    // NO SESSION: either challenge the client or verify the supplied credentials.
    final boolean loggingOut = SESSIONID_LOGOUT.equals(iRequest.sessionId);
    if (iRequest.authorization == null || loggingOut) {
      sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
      return false;
    }
    return authenticate(iRequest, iResponse, credentials, iRequest.databaseName);
  }

  // CHECK THE SESSION VALIDITY
  final OHttpSession session = OHttpSessionManager.getInstance().getSession(iRequest.sessionId);
  if (session == null) {
    // SESSION EXPIRED
    sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
    return false;
  }

  if (!session.getDatabaseName().equals(iRequest.databaseName)) {
    // SECURITY PROBLEM: CROSS DATABASE REQUEST! A session is valid only for the database it
    // was authenticated against.
    OLogManager.instance()
        .warn(
            this,
            "Session %s is trying to access to the database '%s', but has been authenticated against the database '%s'",
            iRequest.sessionId,
            iRequest.databaseName,
            session.getDatabaseName());
    sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
    return false;
  }

  if (credentials != null && !session.getUserName().equals(credentials.get(0))) {
    // SECURITY PROBLEM: CROSS USER REQUEST! Credentials sent alongside a session must name the
    // user the session belongs to; a different user cannot piggyback on an existing session.
    OLogManager.instance()
        .warn(
            this,
            "Session %s is trying to access to the database '%s' with user '%s', but has been authenticated with user '%s'",
            iRequest.sessionId,
            iRequest.databaseName,
            credentials.get(0),
            session.getUserName());
    sendAuthorizationRequest(iRequest, iResponse, iRequest.databaseName);
    return false;
  }

  return true;
}