...
Here is the session resolver script as it looks in Groovy:
| Code Block | ||
|---|---|---|
| ||
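import dk.itp.security.passticket.PTException;
import io.undertow.util.Methods;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;

// Session resolver: decides which session (if any) the current request runs under.
// Evaluation order:
//   1. Paths under /useradmin/ may carry the session id in the "session" query parameter.
//   2. Otherwise a "Basic" Authorization header is exchanged for a session via the agent.
//   3. A CORS preflight (OPTIONS + Origin + Access-Control-Request-Method) is let through
//      without resolving a session.
//   4. Anything else is rejected with 401 and a WWW-Authenticate challenge.
HttpString ACCESS_CONTROL_REQUEST_METHOD = HttpString.tryFromString("Access-Control-Request-Method");
HttpString ACCESS_CONTROL_ALLOW_ORIGIN = HttpString.tryFromString("Access-Control-Allow-Origin");

// Every 401 sent below carries "Access-Control-Allow-Origin: *"; the closure keeps the
// header name/value in one place instead of rebuilding the HttpString per branch.
def allowAnyOrigin = {
    context.httpExchange.getResponseHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN, "*")
}

// For the useradmin API, accept the session id from the query parameter when present.
// NOTE(review): a session id in the query string ends up in access logs and Referer
// headers. A missing or blank parameter does not reject the request - it falls through
// to the basic-auth resolution below.
if (context.macro('%{REQUEST_PATH}').startsWith("/useradmin/")) {
    String sid = context.macro('%{query:session}')
    if (sid?.trim()) {
        try {
            context.sessionId = new dk.itp.security.utils.UniqueId(sid)
        } catch (Exception e) {
            // Malformed id: reject rather than continue with no session.
            allowAnyOrigin()
            context.gateway.sendAndLogError(context, 401, "Invalid session", e)
        }
        return
    }
}

String authHeader = context.macro('%{requestheader:Authorization}')
if (authHeader && authHeader.toLowerCase().startsWith("basic ")) {
    try {
        // substring(6) strips the "basic " prefix; the credential itself is validated by
        // getSessionFromTicket, which returns a session id (or nothing) on success and
        // throws PTException on failure.
        String sessionid = context.agent.getSessionFromTicket(54, authHeader.substring(6),
                context.config.gateway.segmentId, context.config.gateway.clusterId,
                context.gateway.getClientSourceIP(context), true)
        if (sessionid) {
            context.sessionId = new dk.itp.security.utils.UniqueId(sessionid)
        }
    } catch (PTException e) {
        allowAnyOrigin()
        context.gateway.sendAndLogError(context, 401, "Invalid credentials", e)
    }
} else if (context.httpExchange.getRequestMethod() == Methods.OPTIONS
        && context.httpExchange.getRequestHeaders().contains(Headers.ORIGIN)
        && context.httpExchange.getRequestHeaders().contains(ACCESS_CONTROL_REQUEST_METHOD)) {
    // Preflight: all three CORS signals must be present before a session-less pass-through.
    context.trace.trace("Allowing OPTIONS preflight request through without session")
} else {
    // No usable credential at all: challenge the client for basic auth.
    allowAnyOrigin()
    context.httpExchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, "basic")
    context.gateway.sendAndLogError(context, 401, "Authentication Required", "Basic auth required")
} |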
...
| Tip |
|---|
The script uses basic authentication and expects the same users as those who can access the console - see the call in line 26. For this to work, the authentication plugin `dk.itp.security.passticket.server.ConfigServerAuthenticationPlugin` must be installed in the Session Controller. |
...