1 files changed, 12 insertions, 41 deletions

diff --git a/src/org/traccar/web/BaseServlet.java b/src/org/traccar/web/BaseServlet.java
index 283edf1e5..d215c62d0 100644
--- a/src/org/traccar/web/BaseServlet.java
+++ b/src/org/traccar/web/BaseServlet.java
@@ -19,9 +19,10 @@ import org.traccar.helper.Log;
 
 import java.io.IOException;
 import java.io.Writer;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.security.AccessControlException;
 import java.util.Collection;
-import java.util.Map;
 import javax.json.Json;
 import javax.json.JsonObjectBuilder;
 import javax.json.JsonStructure;
@@ -32,20 +33,14 @@ import javax.servlet.http.HttpServletResponse;
 import org.jboss.netty.handler.codec.http.HttpHeaders;
 import org.jboss.netty.util.CharsetUtil;
 import org.traccar.Context;
-import org.traccar.helper.Authorization;
-import org.traccar.model.User;
 
 public abstract class BaseServlet extends HttpServlet {
 
-    public static final String USER_KEY = "user";
+    public static final String USER_ID_KEY = "user";
     public static final String ALLOW_ORIGIN_VALUE = "*";
     public static final String ALLOW_HEADERS_VALUE = "Origin, X-Requested-With, Content-Type, Accept";
     public static final String ALLOW_METHODS_VALUE = "GET, POST, PUT, DELETE";
     public static final String APPLICATION_JSON = "application/json";
-    public static final String GET = "GET";
-    public static final String POST = "POST";
-    public static final String PUT = "PUT";
-    public static final String DELETE = "DELETE";
 
     @Override
     protected final void service(
@@ -61,7 +56,8 @@ public abstract class BaseServlet extends HttpServlet {
             if (allowed == null) {
                 resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, ALLOW_ORIGIN_VALUE);
             } else if (allowed.contains(origin)) {
-                resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+                String originSafe = URLEncoder.encode(origin, StandardCharsets.UTF_8.displayName());
+                resp.setHeader(HttpHeaders.Names.ACCESS_CONTROL_ALLOW_ORIGIN, originSafe);
             }
 
             if (!handle(getCommand(req), req, resp)) {
@@ -70,7 +66,6 @@ public abstract class BaseServlet extends HttpServlet {
         } catch (Exception error) {
             if (error instanceof AccessControlException) {
                 resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-                resp.addHeader(HttpHeaders.Names.WWW_AUTHENTICATE, Authorization.WWW_AUTHENTICATE_VALUE);
             } else if (error instanceof SecurityException) {
                 resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
             }
@@ -82,21 +77,11 @@ public abstract class BaseServlet extends HttpServlet {
             String command, HttpServletRequest req, HttpServletResponse resp) throws Exception;
 
     public long getUserId(HttpServletRequest req) throws Exception  {
-        String authorization = req.getHeader(HttpHeaders.Names.AUTHORIZATION);
-        if (authorization != null && !authorization.isEmpty()) {
-            Map<String, String> authMap = Authorization.parse(authorization);
-            String username = authMap.get(Authorization.USERNAME);
-            String password = authMap.get(Authorization.PASSWORD);
-            User user = Context.getDataManager().login(username, password);
-            if (user != null) {
-                return user.getId();
-            }
-        }
-        Long userId = (Long) req.getSession().getAttribute(USER_KEY);
-        if (userId == null) {
-            throw new AccessControlException("User not logged in");
+        Object userId = req.getSession().getAttribute(USER_ID_KEY);
+        if (userId != null) {
+            return (Long) userId;
         }
-        return userId;
+        throw new AccessControlException("User not logged in");
     }
 
     public void sendResponse(Writer writer, boolean success) throws IOException {
@@ -129,26 +114,12 @@ public abstract class BaseServlet extends HttpServlet {
         writer.write(result.build().toString());
     }
 
-    private String getCommand(HttpServletRequest req) {
+    protected String getCommand(HttpServletRequest req) {
         String command = req.getPathInfo();
         if (command == null) {
-            switch (req.getMethod()) {
-                case GET:
-                    command = "/get";
-                    break;
-                case POST:
-                    command = "/add";
-                    break;
-                case PUT:
-                    command = "/update";
-                    break;
-                case DELETE:
-                    command = "/remove";
-                    break;
-                default:
-                    command = "";
-            }
+            command = "";
         }
         return command;
     }
+
 }