aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAnton Tananaev <anton@traccar.org>2023-02-11 14:27:47 -0800
committerAnton Tananaev <anton@traccar.org>2023-02-11 14:27:47 -0800
commit02d073d6900c401f83493380df3093d72f4d5cf2 (patch)
treed37e80800a54a3631ca99c3379fca1925be1e9e1 /src
parentf4b97f7aa63ce5facd4ce02bb0c16d17c3e39b74 (diff)
downloadtrackermap-server-02d073d6900c401f83493380df3093d72f4d5cf2.tar.gz
trackermap-server-02d073d6900c401f83493380df3093d72f4d5cf2.tar.bz2
trackermap-server-02d073d6900c401f83493380df3093d72f4d5cf2.zip
Improve security filter
Diffstat (limited to 'src')
-rw-r--r--src/main/java/org/traccar/api/security/SecurityRequestFilter.java20
1 files changed, 7 insertions, 13 deletions
diff --git a/src/main/java/org/traccar/api/security/SecurityRequestFilter.java b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
index 94b6bbf05..9992d49e7 100644
--- a/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
+++ b/src/main/java/org/traccar/api/security/SecurityRequestFilter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2015 - 2022 Anton Tananaev (anton@traccar.org)
+ * Copyright 2015 - 2023 Anton Tananaev (anton@traccar.org)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -42,13 +42,6 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityRequestFilter.class);
- public static final String AUTHORIZATION_HEADER = "Authorization";
- public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
- public static final String BASIC_REALM = "Basic realm=\"api\"";
- public static final String BEARER_PREFIX = "Bearer ";
- public static final String X_REQUESTED_WITH = "X-Requested-With";
- public static final String XML_HTTP_REQUEST = "XMLHttpRequest";
-
public static String[] decodeBasicAuth(String auth) {
auth = auth.replaceFirst("[B|b]asic ", "");
byte[] decodedBytes = DataConverter.parseBase64(auth);
@@ -81,13 +74,13 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
try {
- String authHeader = requestContext.getHeaderString(AUTHORIZATION_HEADER);
+ String authHeader = requestContext.getHeaderString("Authorization");
if (authHeader != null) {
try {
User user;
- if (authHeader.startsWith(BEARER_PREFIX)) {
- user = loginService.login(authHeader.substring(BEARER_PREFIX.length()));
+ if (authHeader.startsWith("Bearer ")) {
+ user = loginService.login(authHeader.substring(7));
} else {
String[] auth = decodeBasicAuth(authHeader);
user = loginService.login(auth[0], auth[1]);
@@ -120,8 +113,9 @@ public class SecurityRequestFilter implements ContainerRequestFilter {
Method method = resourceInfo.getResourceMethod();
if (!method.isAnnotationPresent(PermitAll.class)) {
Response.ResponseBuilder responseBuilder = Response.status(Response.Status.UNAUTHORIZED);
- if (!XML_HTTP_REQUEST.equals(request.getHeader(X_REQUESTED_WITH))) {
- responseBuilder.header(WWW_AUTHENTICATE, BASIC_REALM);
+ String accept = request.getHeader("Accept");
+ if (accept != null && accept.contains("text/html")) {
+ responseBuilder.header("WWW-Authenticate", "Basic realm=\"api\"");
}
throw new WebApplicationException(responseBuilder.build());
}