Fix hostname equality check when principal is null

Tuomas Riihimäki
Commit 6589f3e3 authored Jan 08, 2018 by Tuomas Riihimäki
Showing with 7 additions and 5 deletions
code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
--- a/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
+++ b/code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
@@ -167,6 +167,7 @@ public class HostnameFilter implements Filter {
 			insertServerLoggingContext(httpRequest, authtype);
 			String hostname = parseHostname(httpRequest);
 			if (httpRequest.getUserPrincipal() == null) {
 				// Check if we are logging in with rest
 				if (RestApplicationEntrypoint.REST_PATH.equals(httpRequest.getServletPath())) {
@@ -281,18 +282,19 @@ public class HostnameFilter implements Filter {
 			scheme = url.substring(0, 5).toLowerCase();
 		}
-		String userDomain = UserLoginUtils.getDomainFromJaas(httpRequest.getUserPrincipal());
+		Principal principal = httpRequest.getUserPrincipal();
-		if (!hostname.equals(userDomain)) {
+		if (principal != null) {
+			String userDomain = UserLoginUtils.getDomainFromJaas(principal);
+			// If there is no logged-in user, we can and should not check userDomain against hostname
+			if (principal != null && !hostname.equals(userDomain)) {
 				logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
 					"Hostname mismatch privilege escalation! User '", httpRequest.getUserPrincipal(), "' tried to change hostname from '",
 					userDomain, "' to '", hostname, ",");
 				throw new RuntimeException("Hostname mismatch!");
+			}
 		}
-		BortalLocalContextHolder.setHostname(hostname);
 		BortalLocalContextHolder.setInDevelopmentMode(developmentMode);
 		return hostname;