Send security tokens in the Authorization header instead of in the query string (see WOOKIE-427)
git-svn-id: https://svn.apache.org/repos/asf/wookie/trunk@1574556 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/wookie-features/src/main/webapp/features/widget/wookie.js b/wookie-features/src/main/webapp/features/widget/wookie.js
index 2d797a9..1f4deea 100644
--- a/wookie-features/src/main/webapp/features/widget/wookie.js
+++ b/wookie-features/src/main/webapp/features/widget/wookie.js
@@ -328,7 +328,8 @@
*/
loadMetadata: function(){
var xml_request = new XMLHttpRequest();
- xml_request.open("GET", "/wookie/metadata?idkey="+this.instanceid_key, false);
+ xml_request.open("GET", "/wookie/metadata", false);
+ xml_request.setRequestHeader("Authorization",this.instanceid_key);
xml_request.onreadystatechange = function()
{
if(xml_request.readyState == 4 && xml_request.status == 200){
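Review bot: The new setRequestHeader call sends the bare token as the whole Authorization value with no authentication scheme, which is not the `<scheme> <credentials>` form RFC 7235 defines for that header, so proxies, servlet containers or later middleware that parse the scheme may reject or mangle it. Agreeing on a scheme between this client and WidgetAuthorizationFilter would make the contract explicit, e.g. `xml_request.setRequestHeader("Authorization", "Bearer " + this.instanceid_key);` here with the filter stripping the prefix before validation. The same pattern is repeated in the loadPreferences, refreshToken and setPreferenceForKey hunks below. The header is correctly set between open() and send(); loadMetadata's body continues past the end of this hunk.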
@@ -345,7 +346,8 @@
*/
loadPreferences: function(){
var xml_request = new XMLHttpRequest();
- xml_request.open("GET", "/wookie/preferences?idkey="+this.instanceid_key, false);
+ xml_request.open("GET", "/wookie/preferences", false);
+ xml_request.setRequestHeader("Authorization",this.instanceid_key);
xml_request.onreadystatechange = function()
{
if(xml_request.readyState == 4 && xml_request.status == 200){
@@ -363,7 +365,8 @@
*/
refreshToken: function(async){
var xml_request = new XMLHttpRequest();
- xml_request.open("POST", "/wookie/token?idkey="+this.instanceid_key, async);
+ xml_request.open("POST", "/wookie/token", async);
+ xml_request.setRequestHeader("Authorization",this.instanceid_key);
xml_request.onreadystatechange = function()
{
if(xml_request.readyState == 4 && xml_request.status == 201){
@@ -464,7 +467,8 @@
*/
setPreferenceForKey : function (wName, wValue) {
var xml_request = new XMLHttpRequest();
- xml_request.open("POST", "/wookie/preferences?idkey="+this.instanceid_key+"&name="+wName+"&value="+wValue, true);
+ xml_request.open("POST", "/wookie/preferences?name="+wName+"&value="+wValue, true);
+ xml_request.setRequestHeader("Authorization",this.instanceid_key);
xml_request.setRequestHeader("Cache-Control", "no-cache");
xml_request.send(null);
},
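Review bot: The rewritten open() line still splices wName and wValue into the query string unencoded, so a preference value containing `&`, `=`, `#`, `+` or non-ASCII characters changes the request's meaning or truncates it, and the server will store something other than what the widget set. Since the line is being rewritten anyway, encode both pieces: `xml_request.open("POST", "/wookie/preferences?name="+encodeURIComponent(wName)+"&value="+encodeURIComponent(wValue), true);`. A short comment such as `// token travels in the Authorization header; only name/value stay in the query string` would also record why idkey was dropped from this URL but the other parameters were not.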
diff --git a/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java b/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
index 4d56d8c..70d86d2 100644
--- a/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
+++ b/wookie-server/src/main/java/org/apache/wookie/server/security/WidgetAuthorizationFilter.java
@@ -51,7 +51,7 @@
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
- AuthToken authToken = getAuthToken(request);
+ AuthToken authToken = getAuthToken((HttpServletRequest)request);
if (authToken == null){
((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
@@ -68,22 +68,20 @@
}
}
- private AuthToken getAuthToken(ServletRequest request){
+ private AuthToken getAuthToken(HttpServletRequest request){
//
- // Do we have an idkey parameter containing an access token?
+ // Get the AUTH header
//
- String idkey = request.getParameter("idkey");
- if (idkey == null || idkey.trim().equals("")){
- return null;
- }
+ String tokenString = request.getHeader("Authorization");
+ if (tokenString == null) return null;
//
// Do we have a valid token?
//
AuthToken token = null;
try {
- token = AuthTokenUtils.validateAuthToken(idkey);
+ token = AuthTokenUtils.validateAuthToken(tokenString);
} catch (InvalidAuthTokenException e) {
return null;
}
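Review bot: The new null check on the Authorization header drops the blank-value guard the old idkey branch had, so an empty or whitespace-only header now reaches AuthTokenUtils.validateAuthToken and the filter relies on that method throwing InvalidAuthTokenException to reject it, which is not visible from this hunk. Keeping the explicit guard preserves the previous behaviour: `if (tokenString == null || tokenString.trim().isEmpty()) return null;`. Worth a comment above it too, along the lines of `// Token is expected verbatim in the Authorization header (no scheme prefix); see wookie.js`, since the header is passed to the validator without any scheme parsing. getAuthToken's body continues beyond the end of this hunk.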
@@ -100,7 +98,7 @@
//
// If the token has been used once already, reject the request
//
- if (!ExpiredSingleUseTokenCache.getInstance().isValid(idkey)){
+ if (!ExpiredSingleUseTokenCache.getInstance().isValid(tokenString)){
return null;
}
@@ -119,7 +117,7 @@
//
// Add the token to the expiry cache
//
- ExpiredSingleUseTokenCache.getInstance().addToken(idkey);
+ ExpiredSingleUseTokenCache.getInstance().addToken(tokenString);
}
return token;