Cleanup logging in hostname filter

Tuomas Riihimäki
Commit e4cd5f9d authored Apr 09, 2017 by Tuomas Riihimäki
Showing with 71 additions and 56 deletions
code/moya-beans/ejbModule/fi/codecrew/moya/beans/SitePageBean.java
code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
--- a/code/moya-beans/ejbModule/fi/codecrew/moya/beans/SitePageBean.java
+++ b/code/moya-beans/ejbModule/fi/codecrew/moya/beans/SitePageBean.java
@@ -142,7 +142,6 @@ public class SitePageBean implements SitePageBeanLocal {
 		if (page != null && page.getAllowedRoles() != null) {
 			for (Role r : page.getAllowedRoles()) {
 				if (roles.contains(r)) {
-					logger.debug("Has role for page {}, role {}", page, r);
 					ret = sitepagefacade.findContents(page, new Date(), locale);
 					break;
 				}

--- a/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
+++ b/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
 /*
 * Copyright Codecrew Ry
- * 
+ *
 * All rights reserved.
- * 
- * This license applies to any software containing a notice placed by the 
- * copyright holder. Such software is herein referred to as the Software. 
- * This license covers modification, distribution and use of the Software. 
- * 
- * Any distribution and use in source and binary forms, with or without 
- * modification is not permitted without explicit written permission from the 
- * copyright owner. 
- * 
- * A non-exclusive royalty-free right is granted to the copyright owner of the 
- * Software to use, modify and distribute all modifications to the Software in 
- * future versions of the Software. 
- * 
+ *
+ * This license applies to any software containing a notice placed by the
+ * copyright holder. Such software is herein referred to as the Software.
+ * This license covers modification, distribution and use of the Software.
+ *
+ * Any distribution and use in source and binary forms, with or without
+ * modification is not permitted without explicit written permission from the
+ * copyright owner.
+ *
+ * A non-exclusive royalty-free right is granted to the copyright owner of the
+ * Software to use, modify and distribute all modifications to the Software in
+ * future versions of the Software.
+ *
 */
 package fi.codecrew.moya;

 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.security.Principal;
+import java.util.Enumeration;

 import javax.ejb.EJB;
 import javax.faces.application.ProjectStage;
@@ -52,7 +53,7 @@ import fi.codecrew.moya.utilities.moyamessage.MoyaEventType;
 /**
 * Servlet Filter implementation class HostnameFilter
 */
-@WebFilter(filterName = "hostnameFilter", displayName = "hostname and authentication filter", urlPatterns = { "/*" })
+@WebFilter(filterName = "hostnameFilter", displayName = "hostname and authentication filter", urlPatterns = {"/*"})
 public class HostnameFilter implements Filter {

 	private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
@@ -101,63 +102,69 @@ public class HostnameFilter implements Filter {
 		UNKNOWN, ANON, REST, USER
 	}

+	private void insertServerLoggingContext(HttpServletRequest request, AuthType authType) {
+		if (request == null)
+			return;
+
+		MDC.put("req.xForwardedFor", request.getHeader("X-Forwarded-For"));
+		MDC.put("req.userAgent", request.getHeader("User-Agent"));
+		MDC.put("req.requestURI", request.getRequestURI());
+		MDC.put("req.queryString", request.getQueryString());
+		MDC.put("req.remoteHost", request.getRemoteHost());
+		MDC.put("req.eventhost", request.getHeader("host"));
+	}
+
 	/**
 	 * Add user information to SLF4J MDC context, so current user can be shown
 	 * in logs.
-	 * 
+	 *
 	 * @param request
 	 * @param authType
 	 */
-	void insertLoggingContext(HttpServletRequest request, AuthType authType) {
-		if (request == null)
+	private void insertUserLoggingContext(HttpServletRequest request, AuthType authType) {
+		if (request == null) {
 			return;
-
-		Principal userPrincipal = request.getUserPrincipal();
-		if (userPrincipal != null) {
-			String userString = userPrincipal.getName();
-			MDC.put("user", userString);
-			MDC.put("authtype", authType != null ? authType.name() : "null");
-		} else {
-			MDC.put("user", "null");
-			MDC.put("authtype", "null");
 		}
-		MDC.put("req.remoteHost", request.getRemoteHost());
-		MDC.put("req.requestURI", request.getRequestURI());
-		MDC.put("req.queryString", request.getQueryString());
-		MDC.put("req.userAgent", request.getHeader("User-Agent"));
-		MDC.put("req.xForwardedFor", request.getHeader("X-Forwarded-For"));
+		Principal userPrincipal = request.getUserPrincipal();
+		MDC.put("user", userPrincipal != null ? userPrincipal.getName() : "null");
+		MDC.put("authtype", authType != null ? authType.name() : "null");
 	}

 	/**
 	 * Remove user info from SLF4J MDC context.
 	 */
-	void removeLoggingContext() {
+	private void removeLoggingContext() {
 		MDC.remove("authtype");
 		MDC.remove("user");
+
 		MDC.remove("req.xForwardedFor");
 		MDC.remove("req.userAgent");
 		MDC.remove("req.queryString");
 		MDC.remove("req.requestURI");
 		MDC.remove("req.remoteHost");
+		MDC.remove("req.eventhost");
 	}
+	private static final String[] NOAUTH_RESTPATHS = new String[]{"/reader/EventRole/", "/user/auth"};

 	/**
 	 * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
 	 */
-
-	private static final String[] NOAUTH_RESTPATHS = new String[] { "/reader/EventRole/", "/user/auth"
-
-	};
-
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-			throws IOException, ServletException {
-		// logger.info("HostnameFilter called!");
+		throws IOException, ServletException {
 		HttpServletRequest httpRequest = null;
 		AuthType authtype = AuthType.UNKNOWN;

-		if (request != null && request instanceof HttpServletRequest) {
-			httpRequest = ((HttpServletRequest) request);
+		// IF request i
+		if (!(request instanceof HttpServletRequest)) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		try {
+			httpRequest = (HttpServletRequest) request;
+			insertServerLoggingContext(httpRequest, authtype);
+
 			parseHostname(httpRequest);

 			if (httpRequest.getUserPrincipal() == null) {
@@ -186,14 +193,14 @@ public class HostnameFilter implements Filter {
 				}
 			} else if (!httpRequest.getUserPrincipal().getName().equals(User.ANONYMOUS_LOGINNAME)) {
 				authtype = AuthType.USER;
-				sessionmgmt.updateSessionUser(httpRequest.getSession().getId(),
-						httpRequest.getUserPrincipal().getName());
+				sessionmgmt.updateSessionUser(httpRequest.getSession().getId(), httpRequest.getUserPrincipal().getName());
 			}

-		}
-		// pass the request along the filter chain
-		try {
-			insertLoggingContext(httpRequest, authtype);
+			// Update logging context
+			insertUserLoggingContext(httpRequest, authtype);
+
+
+			// pass the request along the filter chain
 			chain.doFilter(request, response);
 		} catch (Exception t) {
 			if (AuthType.REST == authtype) {
@@ -251,7 +258,7 @@ public class HostnameFilter implements Filter {
 		} catch (ServletException loginEx) {
 			ret = false;
 			logger.info("Rest api authentication failed for path " + httpRequest.getPathInfo() + " "
-					+ httpRequest.getParameterMap().toString(), loginEx);
+				+ httpRequest.getParameterMap().toString(), loginEx);
 			if (response instanceof HttpServletResponse) {
 				HttpServletResponse httpResp = ((HttpServletResponse) response);
 				httpResp.setStatus(HttpServletResponse.SC_FORBIDDEN);
@@ -263,9 +270,11 @@ public class HostnameFilter implements Filter {

 	protected void parseHostname(HttpServletRequest httpRequest) {
 		StringBuffer url = httpRequest.getRequestURL();
-		// logger.info("Original hostname {}", url);
-		// Subject subj = Subject.getSubject(AccessController.getContext());
-		// int beginindex = 8; // Let's skip http://
+		String requestHostHeader = httpRequest.getHeader("host");
+		String headerHostname = null;
+		if (requestHostHeader != null) {
+			headerHostname = requestHostHeader.split(":")[0];
+		}

 		int beginindex = url.indexOf("//", 0);
 		if (beginindex < 0) {
@@ -289,7 +298,6 @@ public class HostnameFilter implements Filter {
 		}
 		String hostname = url.substring(beginindex, lastindex);

-
 		// if proxy provides scheme in header, use it..
 		String scheme = httpRequest.getHeader(X_FORWARDED_PROTO);
 		if (scheme == null || scheme.isEmpty()) {
@@ -309,12 +317,20 @@ public class HostnameFilter implements Filter {
 				login = principal.getName();
 			}
 			logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
-					"Hostname mismatch privilege escalation! User '", login, "' tried to change hostname from '",
-					sessionHostname, "' to '", hostname, ",");
+				"Hostname mismatch privilege escalation! User '", login, "' tried to change hostname from '",
+				sessionHostname, "' to '", hostname, ",");

 			throw new RuntimeException("Hostname mismatch!");
 		}

+		if (headerHostname != null) {
+			if (!headerHostname.equals(hostname)) {
+				logger.warn("Host header and parsed hostname do not match! Header: {}, Parsed: {}", headerHostname, hostname);
+			}
+		} else {
+			logger.warn("Header Host is null for url {}", hostname);
+		}
+
 		BortalLocalContextHolder.setHostname(hostname);
 		BortalLocalContextHolder.setInDevelopmentMode(developmentMode);