...
Here is the session resolver script as it looks in Groovy:
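import dk.itp.security.passticket.PTException;
import dk.itp.security.utils.UniqueId;
import io.undertow.util.Methods;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;

// Session resolver: decides which session (if any) the current request runs under.
// Three sources are consulted in order: the `session` query parameter (useradmin
// API only), an HTTP Basic Authorization header, and -- for CORS preflights -- none
// at all. Any other request is answered with 401.
HttpString ACCESS_CONTROL_REQUEST_METHOD = HttpString.tryFromString("Access-Control-Request-Method");
// Hoisted so every error path below adds the same header under one spelling.
HttpString ACCESS_CONTROL_ALLOW_ORIGIN = HttpString.tryFromString("Access-Control-Allow-Origin");

// For the useradmin API, just use the session ID in the query parameter, if present.
// NOTE(review): a session ID carried in the query string typically ends up in access
// logs and Referer headers -- confirm this is acceptable for the useradmin API.
if (context.macro('%{REQUEST_PATH}').startsWith("/useradmin/")) {
    String sid = context.macro('%{query:session}');
    if (sid?.trim()) {
        try {
            context.sessionId = new UniqueId(sid);
        } catch (Exception e) {
            // The wildcard origin is only added on error responses so browser
            // callers can read the 401.
            context.httpExchange.getResponseHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
            context.gateway.sendAndLogError(context, 401, "Invalid session", e);
        }
        // A non-empty `session` parameter is authoritative: whether or not it
        // parsed, the Authorization header is not consulted.
        return;
    }
}

String authHeader = context.macro('%{requestheader:Authorization}');
// Locale.ROOT keeps the scheme comparison independent of the JVM default locale
// (a Turkish default locale would otherwise lower-case "BASIC" to "basıc").
if (authHeader && authHeader.toLowerCase(Locale.ROOT).startsWith("basic ")) {
    try {
        // substring(6) skips the "basic " prefix; the remainder is handed to the
        // agent unchanged (ticket type 54) together with the caller's source IP.
        String sessionid = context.agent.getSessionFromTicket(54, authHeader.substring(6),
                context.config.gateway.segmentId, context.config.gateway.clusterId,
                context.gateway.getClientSourceIP(context), true);
        if (sessionid) {
            context.sessionId = new UniqueId(sessionid);
        }
        // NOTE(review): an empty/null sessionid falls through here with neither a
        // sessionId set nor a 401 sent -- confirm the gateway rejects session-less
        // requests downstream, otherwise reject explicitly at this point.
    } catch (PTException e) {
        context.httpExchange.getResponseHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
        context.gateway.sendAndLogError(context, 401, "Invalid credentials", e);
    }
} else if (context.httpExchange.getRequestMethod() == Methods.OPTIONS
        && context.httpExchange.getRequestHeaders().contains(Headers.ORIGIN)
        && context.httpExchange.getRequestHeaders().contains(ACCESS_CONTROL_REQUEST_METHOD)) {
    // Browser preflights are sent without credentials and so cannot be
    // authenticated; they are let through only when both preflight headers are present.
    context.trace.trace("Allowing OPTIONS preflight request through without session");
} else {
    context.httpExchange.getResponseHeaders().add(ACCESS_CONTROL_ALLOW_ORIGIN, "*");
    context.httpExchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, "basic");
    context.gateway.sendAndLogError(context, 401, "Authentication Required", "Basic auth required");
}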
...
Tip:
The script uses basic authentication and expects the same users as those who can access the console (see the call in line 26). For this to work, the authentication plugin dk.itp.security.passticket.server.ConfigServerAuthenticationPlugin must be installed in the Session Controller.
...