Browse Source

Support HTTP basic and digest authentication

Natively support the HTTP basic and digest authentication methods
by setting the Authorization header without going through the JREs
java.net.Authenticator API.  The Authenticator API is difficult to
work with in a multi-threaded server environment, where its using
a singleton for the entire JVM.  Instead compute the Authorization
header from the URIish user and pass, if available.

Change-Id: Ibf83fea57cfb17964020d6aeb3363982be944f87
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
stable-0.10
Shawn O. Pearce 15 years ago committed by Matthias Sohn
parent
commit
858b2c92e8
  1. 317
      org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java
  2. 71
      org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java
  3. 9
      org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java

317
org.eclipse.jgit/src/org/eclipse/jgit/transport/HttpAuthMethod.java

@ -0,0 +1,317 @@
/*
* Copyright (C) 2010, Google Inc.
* and other copyright owners as documented in the project's IP log.
*
* This program and the accompanying materials are made available
* under the terms of the Eclipse Distribution License v1.0 which
* accompanies this distribution, is reproduced below, and is
* available at http://www.eclipse.org/org/documents/edl-v10.php
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* - Neither the name of the Eclipse Foundation, Inc. nor the
* names of its contributors may be used to endorse or promote
* products derived from this software without specific prior
* written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
* CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package org.eclipse.jgit.transport;
import static org.eclipse.jgit.util.HttpSupport.HDR_AUTHORIZATION;
import static org.eclipse.jgit.util.HttpSupport.HDR_WWW_AUTHENTICATE;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import org.eclipse.jgit.util.Base64;
/**
* Support class to populate user authentication data on a connection.
* <p>
* Instances of an HttpAuthMethod are not thread-safe, as some implementations
* may need to maintain per-connection state information.
*/
abstract class HttpAuthMethod {
/** No authentication is configured. */
static final HttpAuthMethod NONE = new None();
/**
* Handle an authentication failure and possibly return a new response.
*
* @param conn
* the connection that failed.
* @return new authentication method to try.
*/
static HttpAuthMethod scanResponse(HttpURLConnection conn) {
String hdr = conn.getHeaderField(HDR_WWW_AUTHENTICATE);
if (hdr == null || hdr.length() == 0)
return NONE;
int sp = hdr.indexOf(' ');
if (sp < 0)
return NONE;
String type = hdr.substring(0, sp);
if (Basic.NAME.equals(type))
return new Basic();
else if (Digest.NAME.equals(type))
return new Digest(hdr.substring(sp + 1));
else
return NONE;
}
/**
* Update this method with the credentials from the URIish.
*
* @param uri
* the URI used to create the connection.
*/
void authorize(URIish uri) {
authorize(uri.getUser(), uri.getPass());
}
/**
* Update this method with the given username and password pair.
*
* @param user
* @param pass
*/
abstract void authorize(String user, String pass);
/**
* Update connection properties based on this authentication method.
*
* @param conn
* @throws IOException
*/
abstract void configureRequest(HttpURLConnection conn) throws IOException;
/** Performs no user authentication. */
private static class None extends HttpAuthMethod {
@Override
void authorize(String user, String pass) {
// Do nothing when no authentication is enabled.
}
@Override
void configureRequest(HttpURLConnection conn) throws IOException {
// Do nothing when no authentication is enabled.
}
}
/** Performs HTTP basic authentication (plaintext username/password). */
private static class Basic extends HttpAuthMethod {
static final String NAME = "Basic";
private String user;
private String pass;
@Override
void authorize(final String username, final String password) {
this.user = username;
this.pass = password;
}
@Override
void configureRequest(final HttpURLConnection conn) throws IOException {
String ident = user + ":" + pass;
String enc = Base64.encodeBytes(ident.getBytes("UTF-8"));
conn.setRequestProperty(HDR_AUTHORIZATION, NAME + " " + enc);
}
}
/** Performs HTTP digest authentication. */
private static class Digest extends HttpAuthMethod {
static final String NAME = "Digest";
private static final Random PRNG = new Random();
private final Map<String, String> params;
private int requestCount;
private String user;
private String pass;
Digest(String hdr) {
params = parse(hdr);
final String qop = params.get("qop");
if ("auth".equals(qop)) {
final byte[] bin = new byte[8];
PRNG.nextBytes(bin);
params.put("cnonce", Base64.encodeBytes(bin));
}
}
@Override
void authorize(final String username, final String password) {
this.user = username;
this.pass = password;
}
@SuppressWarnings("boxing")
@Override
void configureRequest(final HttpURLConnection conn) throws IOException {
final Map<String, String> p = new HashMap<String, String>(params);
p.put("username", user);
final String realm = p.get("realm");
final String nonce = p.get("nonce");
final String uri = p.get("uri");
final String qop = p.get("qop");
final String method = conn.getRequestMethod();
final String A1 = user + ":" + realm + ":" + pass;
final String A2 = method + ":" + uri;
final String expect;
if ("auth".equals(qop)) {
final String c = p.get("cnonce");
final String nc = String.format("%8.8x", ++requestCount);
p.put("nc", nc);
expect = KD(H(A1), nonce + ":" + nc + ":" + c + ":" + qop + ":"
+ H(A2));
} else {
expect = KD(H(A1), nonce + ":" + H(A2));
}
p.put("response", expect);
StringBuilder v = new StringBuilder();
for (Map.Entry<String, String> e : p.entrySet()) {
if (v.length() > 0) {
v.append(", ");
}
v.append(e.getKey());
v.append('=');
v.append('"');
v.append(e.getValue());
v.append('"');
}
conn.setRequestProperty(HDR_AUTHORIZATION, NAME + " " + v);
}
private static String H(String data) {
try {
MessageDigest md = newMD5();
md.update(data.getBytes("UTF-8"));
return LHEX(md.digest());
} catch (UnsupportedEncodingException e) {
throw new RuntimeException("UTF-8 encoding not available", e);
}
}
private static String KD(String secret, String data) {
try {
MessageDigest md = newMD5();
md.update(secret.getBytes("UTF-8"));
md.update((byte) ':');
md.update(data.getBytes("UTF-8"));
return LHEX(md.digest());
} catch (UnsupportedEncodingException e) {
throw new RuntimeException("UTF-8 encoding not available", e);
}
}
private static MessageDigest newMD5() {
try {
return MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("No MD5 available", e);
}
}
private static final char[] LHEX = { '0', '1', '2', '3', '4', '5', '6',
'7', '8', '9', //
'a', 'b', 'c', 'd', 'e', 'f' };
private static String LHEX(byte[] bin) {
StringBuilder r = new StringBuilder(bin.length * 2);
for (int i = 0; i < bin.length; i++) {
byte b = bin[i];
r.append(LHEX[(b >>> 4) & 0x0f]);
r.append(LHEX[b & 0x0f]);
}
return r.toString();
}
private static Map<String, String> parse(String auth) {
Map<String, String> p = new HashMap<String, String>();
int next = 0;
while (next < auth.length()) {
if (next < auth.length() && auth.charAt(next) == ',') {
next++;
}
while (next < auth.length()
&& Character.isWhitespace(auth.charAt(next))) {
next++;
}
int eq = auth.indexOf('=', next);
if (eq < 0 || eq + 1 == auth.length()) {
return Collections.emptyMap();
}
final String name = auth.substring(next, eq);
final String value;
if (auth.charAt(eq + 1) == '"') {
int dq = auth.indexOf('"', eq + 2);
if (dq < 0) {
return Collections.emptyMap();
}
value = auth.substring(eq + 2, dq);
next = dq + 1;
} else {
int space = auth.indexOf(' ', eq + 1);
int comma = auth.indexOf(',', eq + 1);
if (space < 0)
space = auth.length();
if (comma < 0)
comma = auth.length();
final int e = Math.min(space, comma);
value = auth.substring(eq + 1, e);
next = e + 1;
}
p.put(name, value);
}
return p;
}
}
}

71
org.eclipse.jgit/src/org/eclipse/jgit/transport/TransportHttp.java

@ -51,6 +51,7 @@ import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_ENCODING;
import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_TYPE; import static org.eclipse.jgit.util.HttpSupport.HDR_CONTENT_TYPE;
import static org.eclipse.jgit.util.HttpSupport.HDR_PRAGMA; import static org.eclipse.jgit.util.HttpSupport.HDR_PRAGMA;
import static org.eclipse.jgit.util.HttpSupport.HDR_USER_AGENT; import static org.eclipse.jgit.util.HttpSupport.HDR_USER_AGENT;
import static org.eclipse.jgit.util.HttpSupport.METHOD_GET;
import static org.eclipse.jgit.util.HttpSupport.METHOD_POST; import static org.eclipse.jgit.util.HttpSupport.METHOD_POST;
import java.io.BufferedReader; import java.io.BufferedReader;
@ -162,6 +163,8 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
private boolean useSmartHttp = true; private boolean useSmartHttp = true;
private HttpAuthMethod authMethod = HttpAuthMethod.NONE;
TransportHttp(final Repository local, final URIish uri) TransportHttp(final Repository local, final URIish uri)
throws NotSupportedException { throws NotSupportedException {
super(local, uri); super(local, uri);
@ -341,27 +344,42 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
} }
try { try {
final HttpURLConnection conn = httpOpen(u); int authAttempts = 1;
if (useSmartHttp) { for (;;) {
String expType = "application/x-" + service + "-advertisement"; final HttpURLConnection conn = httpOpen(u);
conn.setRequestProperty(HDR_ACCEPT, expType + ", */*"); if (useSmartHttp) {
} else { String exp = "application/x-" + service + "-advertisement";
conn.setRequestProperty(HDR_ACCEPT, "*/*"); conn.setRequestProperty(HDR_ACCEPT, exp + ", */*");
} } else {
final int status = HttpSupport.response(conn); conn.setRequestProperty(HDR_ACCEPT, "*/*");
switch (status) { }
case HttpURLConnection.HTTP_OK: final int status = HttpSupport.response(conn);
return conn; switch (status) {
case HttpURLConnection.HTTP_OK:
case HttpURLConnection.HTTP_NOT_FOUND: return conn;
throw new NoRemoteRepositoryException(uri, MessageFormat.format(JGitText.get().URLNotFound, u));
case HttpURLConnection.HTTP_NOT_FOUND:
case HttpURLConnection.HTTP_FORBIDDEN: throw new NoRemoteRepositoryException(uri, u + " not found");
throw new TransportException(uri, MessageFormat.format(JGitText.get().serviceNotPermitted, service));
case HttpURLConnection.HTTP_UNAUTHORIZED:
default: authMethod = HttpAuthMethod.scanResponse(conn);
String err = status + " " + conn.getResponseMessage(); if (authMethod == HttpAuthMethod.NONE)
throw new TransportException(uri, err); throw new TransportException(uri,
"authentication not supported");
if (1 < authAttempts || uri.getUser() == null)
throw new TransportException(uri, "not authorized");
authMethod.authorize(uri);
authAttempts++;
continue;
case HttpURLConnection.HTTP_FORBIDDEN:
throw new TransportException(uri, service
+ " not permitted");
default:
String err = status + " " + conn.getResponseMessage();
throw new TransportException(uri, err);
}
} }
} catch (NotSupportedException e) { } catch (NotSupportedException e) {
throw e; throw e;
@ -372,15 +390,21 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
} }
} }
final HttpURLConnection httpOpen(final URL u) throws IOException { final HttpURLConnection httpOpen(URL u) throws IOException {
return httpOpen(METHOD_GET, u);
}
final HttpURLConnection httpOpen(String method, URL u) throws IOException {
final Proxy proxy = HttpSupport.proxyFor(proxySelector, u); final Proxy proxy = HttpSupport.proxyFor(proxySelector, u);
HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy); HttpURLConnection conn = (HttpURLConnection) u.openConnection(proxy);
conn.setRequestMethod(method);
conn.setUseCaches(false); conn.setUseCaches(false);
conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP); conn.setRequestProperty(HDR_ACCEPT_ENCODING, ENCODING_GZIP);
conn.setRequestProperty(HDR_PRAGMA, "no-cache");//$NON-NLS-1$ conn.setRequestProperty(HDR_PRAGMA, "no-cache");//$NON-NLS-1$
conn.setRequestProperty(HDR_USER_AGENT, userAgent); conn.setRequestProperty(HDR_USER_AGENT, userAgent);
conn.setConnectTimeout(getTimeout() * 1000); conn.setConnectTimeout(getTimeout() * 1000);
conn.setReadTimeout(getTimeout() * 1000); conn.setReadTimeout(getTimeout() * 1000);
authMethod.configureRequest(conn);
return conn; return conn;
} }
@ -652,8 +676,7 @@ public class TransportHttp extends HttpTransport implements WalkTransport,
} }
void openStream() throws IOException { void openStream() throws IOException {
conn = httpOpen(new URL(baseUrl, serviceName)); conn = httpOpen(METHOD_POST, new URL(baseUrl, serviceName));
conn.setRequestMethod(METHOD_POST);
conn.setInstanceFollowRedirects(false); conn.setInstanceFollowRedirects(false);
conn.setDoOutput(true); conn.setDoOutput(true);
conn.setRequestProperty(HDR_CONTENT_TYPE, requestType); conn.setRequestProperty(HDR_CONTENT_TYPE, requestType);

9
org.eclipse.jgit/src/org/eclipse/jgit/util/HttpSupport.java

@ -59,6 +59,9 @@ import org.eclipse.jgit.JGitText;
/** Extra utilities to support usage of HTTP. */ /** Extra utilities to support usage of HTTP. */
public class HttpSupport { public class HttpSupport {
/** The {@code GET} HTTP method. */
public static final String METHOD_GET = "GET";
/** The {@code POST} HTTP method. */ /** The {@code POST} HTTP method. */
public static final String METHOD_POST = "POST"; public static final String METHOD_POST = "POST";
@ -122,6 +125,12 @@ public class HttpSupport {
/** The standard {@code text/plain} MIME type. */ /** The standard {@code text/plain} MIME type. */
public static final String TEXT_PLAIN = "text/plain"; public static final String TEXT_PLAIN = "text/plain";
/** The {@code Authorization} header. */
public static final String HDR_AUTHORIZATION = "Authorization";
/** The {@code WWW-Authenticate} header. */
public static final String HDR_WWW_AUTHENTICATE = "WWW-Authenticate";
/** /**
* URL encode a value string into an output buffer. * URL encode a value string into an output buffer.
* *

Loading…
Cancel
Save