diff options
author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-22 16:44:31 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-22 16:44:31 +0100 |
commit | efa28693c9e9aa0d599f610836d035cd38aa949d (patch) | |
tree | b685c9a9b9dae851cbda97602ef3c81d60f72ef3 /controller-server | |
parent | 47a72fee625e178d82b494a1f172e9f4b0745fa4 (diff) |
Improve error message when user authentication fails
Diffstat (limited to 'controller-server')
3 files changed, 26 insertions, 17 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java index f5e2020d3e3..51865be04fa 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java @@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.athenz.filter; import com.google.inject.Inject; +import com.yahoo.jdisc.Response; import com.yahoo.jdisc.handler.ResponseHandler; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.jdisc.http.filter.SecurityRequestFilter; @@ -13,7 +14,7 @@ import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig; import java.util.concurrent.Executor; -import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized; +import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendErrorResponse; /** * Performs authentication by validating the principal token (NToken) header. @@ -44,7 +45,7 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter { public void filter(DiscFilterRequest request, ResponseHandler responseHandler) { String rawToken = request.getHeader(principalTokenHeader); if (rawToken == null || rawToken.isEmpty()) { - sendUnauthorized(responseHandler, "NToken is missing"); + sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, "NToken is missing"); return; } try { @@ -52,7 +53,7 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter { request.setUserPrincipal(principal); request.setRemoteUser(principal.getName()); } catch (InvalidTokenException e) { - sendUnauthorized(responseHandler, e.getMessage()); + sendErrorResponse(responseHandler,Response.Status.UNAUTHORIZED, e.getMessage()); } } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java index 075e5e76acd..8e193d3848f 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java @@ -17,8 +17,8 @@ class SecurityFilterUtils { private SecurityFilterUtils() {} - static void sendUnauthorized(ResponseHandler responseHandler, String message) { - Response response = new Response(Response.Status.UNAUTHORIZED); + static void sendErrorResponse(ResponseHandler responseHandler, int statusCode, String message) { + Response response = new Response(statusCode); response.headers().put("Content-Type", "application/json"); ObjectNode errorMessage = mapper.createObjectNode(); errorMessage.put("message", message); diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java index 62c54b10a00..44ca7895a33 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.athenz.filter; import com.google.inject.Inject; import com.yahoo.container.jdisc.HttpRequest; +import com.yahoo.jdisc.Response; import com.yahoo.jdisc.handler.ResponseHandler; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.log.LogLevel; @@ -19,7 +20,7 @@ import java.util.concurrent.Executor; import java.util.logging.Logger; import java.util.stream.Stream; -import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized; +import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendErrorResponse; /** * A variant of the {@link AthenzPrincipalFilter} to be used in combination with a cookie-based @@ -46,17 +47,24 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter { public void filter(DiscFilterRequest request, ResponseHandler responseHandler) { if (request.getMethod().equals("OPTIONS")) return; // Skip authentication on OPTIONS - required for Javascript CORS - switch (getUserAuthenticationResult(request)) { - case USER_COOKIE_MISSING: - case USER_COOKIE_ALTERNATIVE_MISSING: - super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz - break; - case USER_COOKIE_OK: - rewriteUserPrincipalToAthenz(request); - return; // Authenticated using user cookie - case USER_COOKIE_INVALID: - sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired, tampered or invalid ip)"); - break; + try { + switch (getUserAuthenticationResult(request)) { + case USER_COOKIE_MISSING: + case USER_COOKIE_ALTERNATIVE_MISSING: + super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz + break; + case USER_COOKIE_OK: + rewriteUserPrincipalToAthenz(request); + return; // Authenticated using user cookie + case USER_COOKIE_INVALID: + sendErrorResponse(responseHandler, + Response.Status.UNAUTHORIZED, + "Your user cookie is invalid (either expired, tampered or invalid ip)"); + break; + } + } catch (Exception e) { + log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e); + sendErrorResponse(responseHandler, Response.Status.INTERNAL_SERVER_ERROR, e.getMessage()); } } |