githubFork/gitblit.git - Solinfo Gitblit

			@@ -18,6 +18,8 @@
			import java.io.IOException;
			import java.text.MessageFormat;

			import javax.inject.Inject;
			import javax.inject.Singleton;
			import javax.servlet.FilterChain;
			import javax.servlet.ServletException;
			import javax.servlet.ServletRequest;
			@@ -26,27 +28,44 @@
			import javax.servlet.http.HttpServletResponse;

			import com.gitblit.Constants.RpcRequest;
			import com.gitblit.manager.IRuntimeManager;
			import com.gitblit.manager.ISessionManager;
			import com.gitblit.models.UserModel;

			/**
			* The RpcFilter is a servlet filter that secures the RpcServlet.
			*
			*
			* The filter extracts the rpc request type from the url and determines if the
			* requested action requires a Basic authentication prompt. If authentication is
			* required and no credentials are stored in the "Authorization" header, then a
			* basic authentication challenge is issued.
			*
			*
			* http://en.wikipedia.org/wiki/Basic_access_authentication
			*
			*
			* @author James Moger
			*
			*
			*/
			@Singleton
			public class RpcFilter extends AuthenticationFilter {

			private final IStoredSettings settings;

			private final IRuntimeManager runtimeManager;

			@Inject
			public RpcFilter(
			IRuntimeManager runtimeManager,
			ISessionManager sessionManager) {

			super(sessionManager);
			this.settings = runtimeManager.getSettings();
			this.runtimeManager = runtimeManager;
			}

			/**
			* doFilter does the actual work of preprocessing the request to ensure that
			* the user may proceed.
			*
			*
			* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
			* javax.servlet.ServletResponse, javax.servlet.FilterChain)
			*/
			@@ -67,14 +86,14 @@
			boolean adminRequest = requestType.exceeds(RpcRequest.LIST_SETTINGS);

			// conditionally reject all rpc requests
			if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, true)) {
			if (!settings.getBoolean(Keys.web.enableRpcServlet, true)) {
			logger.warn(Keys.web.enableRpcServlet + " must be set TRUE for rpc requests.");
			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
			return;
			}

			boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, false);
			boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true);
			boolean authenticateView = settings.getBoolean(Keys.web.authenticateViewPages, false);
			boolean authenticateAdmin = settings.getBoolean(Keys.web.authenticateAdminPages, true);

			// Wrap the HttpServletRequest with the RpcServletRequest which
			// overrides the servlet container user principal methods.
			@@ -85,7 +104,7 @@
			}

			// conditionally reject rpc management/administration requests
			if (adminRequest && !GitBlit.getBoolean(Keys.web.enableRpcManagement, false)) {
			if (adminRequest && !settings.getBoolean(Keys.web.enableRpcManagement, false)) {
			logger.warn(MessageFormat.format("{0} must be set TRUE for {1} rpc requests.",
			Keys.web.enableRpcManagement, requestType.toString()));
			httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
			@@ -96,7 +115,7 @@
			if ((adminRequest && authenticateAdmin) \|\| (!adminRequest && authenticateView)) {
			if (user == null) {
			// challenge client to provide credentials. send 401.
			if (GitBlit.isDebugMode()) {
			if (runtimeManager.isDebugMode()) {
			logger.info(MessageFormat.format("RPC: CHALLENGE {0}", fullUrl));

			}
			@@ -115,7 +134,7 @@
			return;
			}
			// valid user, but not for requested access. send 403.
			if (GitBlit.isDebugMode()) {
			if (runtimeManager.isDebugMode()) {
			logger.info(MessageFormat.format("RPC: {0} forbidden to access {1}",
			user.username, fullUrl));
			}
			@@ -124,7 +143,7 @@
			}
			}

			if (GitBlit.isDebugMode()) {
			if (runtimeManager.isDebugMode()) {
			logger.info(MessageFormat.format("RPC: {0} ({1}) unauthenticated", fullUrl,
			HttpServletResponse.SC_CONTINUE));
			}