Merge branch 'rest-auth-fix' into 'master'

Rest auth fix kattonu: @tkfftk

Merge branch 'rest-auth-fix' into 'master'
Rest auth fix kattonu: @tkfftk
Tuukka Kivilahti
Commit e37aec49 authored May 18, 2014 by Tuukka Kivilahti
Showing with 26 additions and 8 deletions
code/MoyaBeans/ejbModule/fi/codecrew/moya/beans/JaasBean.java
code/MoyaWeb/src/fi/codecrew/moya/HostnameFilter.java
--- a/code/MoyaBeans/ejbModule/fi/codecrew/moya/beans/JaasBean.java
+++ b/code/MoyaBeans/ejbModule/fi/codecrew/moya/beans/JaasBean.java
@@ -150,11 +150,13 @@ public class JaasBean implements MoyaRealmBeanRemote {
 	}
 	private String restAuth(String restauth) {
-		String[] authsplit = restauth.split(":");
+		String[] authsplit = restauth.split(":", 6);
+		logger.info("Trying to auth with rest {}", (Object) authsplit);
 		if (authsplit.length != 6 || !authsplit[0].equals("rest")) {
 			return null;
 		}
-		return authenticateApp(authsplit[1], authsplit[2], authsplit[3], authsplit[4], authsplit[5]);
+		return authenticateApp(authsplit[5], authsplit[1], authsplit[2], authsplit[3], authsplit[4]);
 	}
 	@Override
@@ -233,20 +235,33 @@ public class JaasBean implements MoyaRealmBeanRemote {
 	}
 	public String authenticateApp(String pathInfo, String appId, String userId, String appStamp, String mac) {
-		if (mac == null)
+		logger.info("Authenticat app with pathinfo {}, appid {}, userid {}, appstamp {}, mac {}",
+				pathInfo, appId, userId, appStamp, mac
+				);
+		if (mac == null) {
+			logger.warn("Rest auth failed: Mac is null");
 			return null;
+		}
 		ApiApplication app = appfacade.findByAppid(appId);
-		if (app == null)
+		if (app == null) {
+			logger.warn("Rest auth failed: Application not found for appid {}", appId);
 			return null;
+		}
 		ApiApplicationInstance apiInstance = appInstanceFacade.findInstance(app, userId);
-		if (apiInstance == null)
+		if (apiInstance == null) {
+			logger.warn("Rest auth failed; because appInstance not found for app{} and user {}", app, userId);
 			return null;
-		if (!app.isEnabled() || !apiInstance.isEnabled())
+		}
+		if (!app.isEnabled() || !apiInstance.isEnabled()) {
+			logger.warn("Rest auth failed: app or api-instance is disabled: app {}, apiInstance: {}", app, apiInstance);
 			return null;
+		}
 		String ret = null;
 		String macSource = PasswordFunctions.mkSeparatedString("+", pathInfo, appId, userId, appStamp, apiInstance.getSecretKey());
 		String macHash = PasswordFunctions.calculateSha1(macSource);
+		logger.info("Calculated hash {}, comparing to {}", macHash, mac);
 		if (mac.equalsIgnoreCase(macHash))
 		{
 			switch (app.getAuthtype()) {
@@ -261,7 +276,10 @@ public class JaasBean implements MoyaRealmBeanRemote {
 			default:
 				throw new RuntimeException("Unknown application authtype!");
 			}
+		} else {
+			logger.warn("Rest auth failed: Calculated hash does not match received mac: Calculated {}, received {}", machash, mac);
 		}
 		return ret;
 	}
 }
--- a/code/MoyaWeb/src/fi/codecrew/moya/HostnameFilter.java
+++ b/code/MoyaWeb/src/fi/codecrew/moya/HostnameFilter.java
@@ -140,11 +140,11 @@ public class HostnameFilter implements Filter {
 		StringBuilder hashBuilder = new StringBuilder();
 		hashBuilder.append("rest:");
-		hashBuilder.append(httpRequest.getPathInfo()).append(":");
 		hashBuilder.append(httpRequest.getParameter("appkey")).append(":");
 		hashBuilder.append(httpRequest.getParameter("appuser")).append(":");
 		hashBuilder.append(httpRequest.getParameter("appstamp")).append(":");
-		hashBuilder.append(httpRequest.getParameter("appmac"));
+		hashBuilder.append(httpRequest.getParameter("appmac")).append(":");
+		hashBuilder.append(httpRequest.getPathInfo());
 		boolean ret = true;
 		try {