diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
index 4727333c0..d5a196f90 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
@@ -85,7 +85,7 @@ public class BasicEntryPoint implements AsyncHandlerInterceptor {
_logger.info("recreate new session .");
request.getSession(true);
}
- String basicCredential =request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String basicCredential =request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
_logger.info("getSession.getId : "+ request.getSession().getId());
_logger.info("Authorization : " + basicCredential);
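Review bot: `_logger.info("Authorization : " + basicCredential)` on the last line of this hunk writes the full Basic credential — base64 of `user:password`, trivially reversible — to the log at INFO level, and the rename on the line above leaves that in place. Credentials should never reach log output; log only whether the header is present, e.g. `_logger.debug("Authorization header present : {}", basicCredential != null);`, or drop the line. The enclosing method continues outside the hunk.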
diff --git a/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java b/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
index ac219e36a..7bbd036f4 100644
--- a/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
+++ b/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
@@ -17,6 +17,8 @@
package org.maxkey.util;
+import javax.servlet.http.HttpServletRequest;
+
import org.maxkey.crypto.Base64Utils;
/**
@@ -25,7 +27,14 @@ import org.maxkey.crypto.Base64Utils;
*/
public class AuthorizationHeaderUtils {
- public static final String AUTHORIZATION_HEADERNAME = "Authorization";
+ /**
+ * first UpperCase
+ */
+ public static final String HEADER_Authorization = "Authorization";
+ /**
+ * first LowerCase
+ */
+ public static final String HEADER_authorization = "authorization";
public static String createBasic(String username, String password) {
String authUserPass = username + ":" + password;
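Review bot: The new constants `HEADER_Authorization` and `HEADER_authorization` break the file's own UPPER_SNAKE_CASE convention (the removed `AUTHORIZATION_HEADERNAME`) and differ only in letter case, which is easy to confuse at call sites. HTTP header field names are case-insensitive (RFC 7230 §3.2) and `HttpServletRequest.getHeader` matches case-insensitively, so a single constant covers both spellings. Keep one name, `public static final String AUTHORIZATION_HEADERNAME = "Authorization";`, and if the two new identifiers must stay for callers already migrated, mark them `@Deprecated` with Javadoc pointing to the one constant. `createBasic` continues outside the hunk.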
@@ -34,7 +43,7 @@ public class AuthorizationHeaderUtils {
}
public static AuthorizationHeaderCredential resolve(String authorization) {
- if (isBasic(authorization)) {
+ if (StringUtils.isNotBlank(authorization) && isBasic(authorization)) {
String decodeUserPass = Base64Utils.decode(authorization.split(" ")[1]);
String []userPass =decodeUserPass.split(":");
return new AuthorizationHeaderCredential(userPass[0],userPass[1]);
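Review bot: The added blank check does not make the Basic parsing safe: `authorization.split(" ")[1]` throws `ArrayIndexOutOfBoundsException` for a header that is exactly `Basic`, and `userPass[1]` throws when the decoded value has no colon, so a malformed header from an unauthenticated client becomes an unhandled exception in the interceptor rather than a rejected request. RFC 7617 also requires splitting at the first colon only, so `split(":")` silently truncates any password containing `:`. The rewrite below splits the scheme with a limit, finds the first colon, and returns null for malformed input — the same value the non-Basic branch below the hunk presumably returns (that branch is outside this view; `Base64Utils.decode` may still throw on invalid base64, which is also not visible here).
```java
public static AuthorizationHeaderCredential resolve(String authorization) {
    if (StringUtils.isNotBlank(authorization) && isBasic(authorization)) {
        String[] parts = authorization.split(" ", 2);
        if (parts.length < 2 || StringUtils.isBlank(parts[1])) {
            return null; // "Basic" with no credential payload
        }
        String decodeUserPass = Base64Utils.decode(parts[1].trim());
        // RFC 7617: user-id may not contain ':', the password may, so split once
        int sep = decodeUserPass.indexOf(':');
        if (sep < 0) {
            return null;
        }
        return new AuthorizationHeaderCredential(
                decodeUserPass.substring(0, sep), decodeUserPass.substring(sep + 1));
    }
    // … unchanged: non-Basic branch (outside the hunk) …
```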
@@ -56,10 +65,10 @@ public class AuthorizationHeaderUtils {
}
public static String resolveBearer(String bearer) {
- if (isBearer(bearer)) {
+ if (StringUtils.isNotBlank(bearer) && isBearer(bearer)) {
return bearer.split(" ")[1];
} else {
- return null;
+ return bearer;
}
}
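Review bot: Changing the fallthrough on line 53 from `return null` to `return bearer` means any Authorization value that is not `Bearer …` — a `Basic …` credential, or arbitrary text — is now returned as if it were the access token, and every caller that previously received null and rejected the request now looks that string up as a token. If accepting a bare token without a scheme is intended, say so in the method's Javadoc and review each caller; otherwise restore `return null;`. Separately, `bearer.split(" ")[1]` still throws for a header that is exactly `Bearer` or `Bearer ` (depending on what `isBearer` accepts, which is outside this hunk); `String[] parts = bearer.split(" ", 2); return parts.length == 2 ? parts[1].trim() : null;` handles that.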
@@ -70,5 +79,15 @@ public class AuthorizationHeaderUtils {
return false;
}
}
+
+ public static String resolveBearer(HttpServletRequest request) {
+ String authorization =
+ StringUtils.isNotBlank(request.getHeader(HEADER_Authorization)) ?
+ request.getHeader(HEADER_Authorization) : request.getHeader(HEADER_authorization);
+ if(StringUtils.isNotBlank(authorization)) {
+ return resolveBearer(authorization);
+ }
+ return null;
+ }
}
diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
index 33838a9bf..bd03e95b1 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
@@ -56,6 +56,10 @@ import org.springframework.web.servlet.support.RequestContextUtils;
* @author Crystal.Sea
* @since 1.5
*/
+/**
+ * @author shimi
+ *
+ */
public final class WebContext {
final static Logger _logger = LoggerFactory.getLogger(WebContext.class);
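Review bot: The comment block added on lines 79–82 is a second Javadoc comment placed directly after the class's existing one; Javadoc attaches only the last comment before `public final class WebContext`, so the original description, `@author Crystal.Sea` and `@since 1.5` silently disappear from generated docs. Add the author as a second tag inside the existing block, `* @author shimi`, and remove the new block.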
@@ -275,22 +279,32 @@ public final class WebContext {
}
+ /**
+ * isTraceEnabled print request headers and parameters
+ * see WebInstRequestFilter
+ * @param request
+ */
public static void printRequest(final HttpServletRequest request) {
- _logger.trace("getRequestURL : "+request.getRequestURL());
- _logger.trace("getMethod : "+request.getMethod());
- Enumeration headerNames = request.getHeaderNames();
- while (headerNames.hasMoreElements()) {
- String key = (String) headerNames.nextElement();
- String value = request.getHeader(key);
- _logger.trace("Header key "+key +" , value " + value);
- }
-
- Enumeration parameterNames = request.getParameterNames();
- while (parameterNames.hasMoreElements()) {
- String key = (String) parameterNames.nextElement();
- String value = request.getParameter(key);
- _logger.trace("Parameter "+key +" , value " + value);
- }
+ if(_logger.isTraceEnabled()) {
+ _logger.trace("getContextPath : {}" , request.getContextPath());
+ _logger.trace("getRequestURL : {} " , request.getRequestURL());
+ _logger.trace("URL : {}" , request.getRequestURI().substring(request.getContextPath().length()));
+ _logger.trace("getMethod : {} " , request.getMethod());
+
+ Enumeration headerNames = request.getHeaderNames();
+ while (headerNames.hasMoreElements()) {
+ String key = (String) headerNames.nextElement();
+ String value = request.getHeader(key);
+ _logger.trace("Header key {} , value {}" , key, value);
+ }
+
+ Enumeration parameterNames = request.getParameterNames();
+ while (parameterNames.hasMoreElements()) {
+ String key = (String) parameterNames.nextElement();
+ String value = request.getParameter(key);
+ _logger.trace("Parameter {} , value {}",key , value);
+ }
+ }
}
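Review bot: `printRequest` dumps every header and parameter value verbatim on lines 118 and 125, which at this identity provider includes `Authorization` (bearer tokens and Basic credentials), `Cookie` (session ids) and login form fields such as `password`; gating on `isTraceEnabled` only controls when the leak happens, not whether it does, and trace logs routinely end up in shared log pipelines. Mask values of a small deny-list of sensitive names before logging, as below (`Set`/`Locale` imports needed; `Set.of` is Java 9+, use a `HashSet` if the project targets 8). `getHeaderNames()`/`getParameterNames()` return `Enumeration<String>` on Servlet 3.0+, so the raw `Enumeration` can also go; if the project is on an older servlet API keep the casts.
```java
/** Header names whose values must never be written to logs (compared case-insensitively). */
private static final Set<String> SENSITIVE_HEADERS =
        Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");
/** Parameter names whose values must never be written to logs. */
private static final Set<String> SENSITIVE_PARAMETERS =
        Set.of("password", "client_secret", "access_token", "refresh_token", "code");

/** Returns the value, or a fixed mask when the name is on the sensitive list. */
private static String mask(String name, String value, Set<String> sensitive) {
    return sensitive.contains(name.toLowerCase(Locale.ROOT)) ? "****" : value;
}

public static void printRequest(final HttpServletRequest request) {
    if (_logger.isTraceEnabled()) {
        // … unchanged: context path, URL and method trace lines …
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String key = headerNames.nextElement();
            _logger.trace("Header key {} , value {}", key,
                    mask(key, request.getHeader(key), SENSITIVE_HEADERS));
        }

        Enumeration<String> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String key = parameterNames.nextElement();
            _logger.trace("Parameter {} , value {}", key,
                    mask(key, request.getParameter(key), SENSITIVE_PARAMETERS));
        }
    }
}
```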
/**
diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
index f7beab022..6a425881b 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
@@ -70,15 +70,10 @@ public class WebXssRequestFilter extends GenericFilterBean {
public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
_logger.trace("WebXssRequestFilter");
-
boolean isWebXss = false;
HttpServletRequest request= ((HttpServletRequest)servletRequest);
- String requestURI=request.getRequestURI();
- _logger.trace("getContextPath " +request.getContextPath());
- _logger.trace("getRequestURL " + ((HttpServletRequest)request).getRequestURI());
- _logger.trace("URL " +requestURI.substring(request.getContextPath().length()));
- if(skipUrlMap.containsKey(requestURI.substring(request.getContextPath().length()))) {
+ if(skipUrlMap.containsKey(request.getRequestURI().substring(request.getContextPath().length()))) {
isWebXss = false;
}else {
Enumeration parameterNames = request.getParameterNames();
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
index 0d0ff4998..af9745238 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
@@ -136,10 +136,6 @@ public class TokenEndpointAuthenticationFilter implements Filter {
final HttpServletRequest request = (HttpServletRequest) req;
final HttpServletResponse response = (HttpServletResponse) res;
- if(_logger.isTraceEnabled()) {
- WebContext.printRequest(request);
- }
-
try {
String grantType = request.getParameter(OAuth2Constants.PARAMETER.GRANT_TYPE);
if (grantType != null && grantType.equals(OAuth2Constants.PARAMETER.GRANT_TYPE_PASSWORD)) {
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
index 6bf24cf9d..231eeee9c 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
@@ -18,13 +18,13 @@
package org.maxkey.authz.oauth2.provider.userinfo.endpoint;
import java.lang.reflect.InvocationTargetException;
-import java.util.Enumeration;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.lang3.StringUtils;
import org.maxkey.authn.SigninPrincipal;
import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
import org.maxkey.authz.oauth2.common.OAuth2Constants;
@@ -48,7 +48,6 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
@@ -83,27 +82,18 @@ public class UserInfoEndpoint {
@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
public void apiV20UserInfo(
@RequestParam(value = "access_token", required = false) String access_token,
- @RequestHeader(value = "authorization", required = false) String authorization_bearer,
HttpServletRequest request,
HttpServletResponse response) {
- if(access_token == null && authorization_bearer!= null) {
- if(_logger.isTraceEnabled()) {
- _logger.trace("getRequestURL : "+request.getRequestURL());
- Enumeration headerNames = request.getHeaderNames();
- while (headerNames.hasMoreElements()) {
- String key = (String) headerNames.nextElement();
- String value = request.getHeader(key);
- _logger.trace("Header key "+key +" , value " + value);
- }
- }
+ if(StringUtils.isBlank(access_token)) {
//for header authorization bearer
- access_token = AuthorizationHeaderUtils.resolveBearer(authorization_bearer);
+ access_token = AuthorizationHeaderUtils.resolveBearer(request);
}
- String principal="";
if (!StringGenerator.uuidMatches(access_token)) {
httpResponseAdapter.write(response,JsonUtils.gson2Json(accessTokenFormatError(access_token)),"json");
}
+
+ String principal="";
OAuth2Authentication oAuth2Authentication =null;
try{
oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
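Review bot: The format check on line 211 writes the error response but does not stop the handler: without a `return;` after `httpResponseAdapter.write(...)`, execution falls through to `oauth20tokenServices.loadAuthentication(access_token)` with a token already known to be malformed, and a second body may be appended to the same response. Now that the header path is the only fallback, `access_token` is null when neither the parameter nor an Authorization header is present, and whether `StringGenerator.uuidMatches(null)` returns false or throws is not visible here. Guard explicitly, `if (access_token == null || !StringGenerator.uuidMatches(access_token)) {`, and add `return;` directly after the write. The method continues past the hunk.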
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
index aac74a75e..bbb6186a6 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
@@ -42,6 +42,7 @@ import org.maxkey.entity.UserInfo;
import org.maxkey.entity.apps.oauth2.provider.ClientDetails;
import org.maxkey.persistence.service.AppsService;
import org.maxkey.persistence.service.UserInfoService;
+import org.maxkey.util.AuthorizationHeaderUtils;
import org.maxkey.util.JsonUtils;
import org.maxkey.util.StringGenerator;
import org.maxkey.web.HttpResponseAdapter;
@@ -51,7 +52,6 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
@@ -100,15 +100,15 @@ public class UserInfoOIDCEndpoint {
@Operation(summary = "OIDC 用户信息接口", description = "传递Authorization参数access_token",method="GET")
@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_OPENID_CONNECT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
@ResponseBody
- public String connect10aUserInfo(
- @RequestHeader(value = "Authorization", required = true) String access_token,
- HttpServletRequest request,
- HttpServletResponse response) {
- String principal="";
+ public String connect10aUserInfo(HttpServletRequest request,
+ HttpServletResponse response) {
+ String access_token = AuthorizationHeaderUtils.resolveBearer(request);
+
if (!StringGenerator.uuidMatches(access_token)) {
return JsonUtils.gson2Json(accessTokenFormatError(access_token));
}
+ String principal="";
OAuth2Authentication oAuth2Authentication =null;
try{
oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
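Review bot: Dropping `@RequestHeader(required = true)` removes Spring's automatic 400 for a missing Authorization header; `resolveBearer(request)` then returns null and line 252 calls `StringGenerator.uuidMatches(null)`, whose null behaviour is outside this diff. Make the missing-credential case explicit and answer as RFC 6750 expects: `if (access_token == null || !StringGenerator.uuidMatches(access_token)) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); response.setHeader("WWW-Authenticate", "Bearer"); return JsonUtils.gson2Json(accessTokenFormatError(access_token)); }`. The `@Operation` description on line 240 should also say the header must carry `Bearer <access_token>`, since this commit's `resolveBearer` change means a non-Bearer value is now passed straight through and only rejected by the UUID format check. The method continues past the hunk.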
diff --git a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
index d468aa463..a43fead7d 100644
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
@@ -99,8 +99,6 @@ public class LoginEndpoint {
public ModelAndView login(HttpServletRequest request) {
_logger.debug("LoginController /login.");
- WebContext.printRequest(request);
-
boolean isAuthenticated= WebContext.isAuthenticated();
if(isAuthenticated){
diff --git a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
index 97b8cb510..acab22423 100644
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
@@ -61,7 +61,7 @@ public class Oauth20ApiPermissionAdapter implements AsyncHandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
_logger.trace("Oauth20ApiPermissionAdapter preHandle");
- String authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
String accessToken = AuthorizationHeaderUtils.resolveBearer(authorization);
OAuth2Authentication authentication = oauth20tokenServices.loadAuthentication(accessToken);
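Review bot: `loadAuthentication(accessToken)` on line 281 now receives the raw Authorization value whenever it is not a `Bearer` token, because this same commit changed `resolveBearer(String)` to return its input on fallthrough instead of null — before, only a scheme-prefixed token reached the token store — and it receives null when the header is absent. Reject before the lookup, `if (accessToken == null || accessToken.isEmpty()) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); return false; }`, or switch to the new `AuthorizationHeaderUtils.resolveBearer(request)` overload so the missing-header handling lives in one place. `preHandle` continues outside the hunk, so any existing null handling further down is not visible here.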
diff --git a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
index f35b87f34..d8c2a266f 100644
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
@@ -65,7 +65,7 @@ public class RestApiPermissionAdapter implements AsyncHandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
_logger.trace("RestApiPermissionAdapter preHandle");
- String authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
AuthorizationHeaderCredential headerCredential = AuthorizationHeaderUtils.resolve(authorization);
//判断应用的AppId和Secret