
Commit 91cb47a

fix(auth): resolve authentication failure when accessed via remote IP (#3076)
1 parent 0f52876 commit 91cb47a


1 file changed

+51
-38
lines changed


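--- a/core/src/main/java/com/taobao/arthas/core/shell/term/impl/http/BasicHttpAuthenticatorHandler.java
+++ b/core/src/main/java/com/taobao/arthas/core/shell/term/impl/http/BasicHttpAuthenticatorHandler.java
@@ -52,66 +52,79 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception
             return;
         }
 
+        if (!(msg instanceof HttpRequest)) {
+            ctx.fireChannelRead(msg);
+            return;
+        }
+
+        HttpRequest httpRequest = (HttpRequest) msg;
+
         boolean authed = false;
-        if (msg instanceof HttpRequest) {
-            HttpRequest httpRequest = (HttpRequest) msg;
+        HttpSession session = httpSessionManager.getOrCreateHttpSession(ctx, httpRequest);
 
-            // 判断session里是否有已登陆信息
-            HttpSession session = httpSessionManager.getOrCreateHttpSession(ctx, httpRequest);
-            if (session != null && session.getAttribute(ArthasConstants.SUBJECT_KEY) != null) {
-                authed = true;
+        // 判断session里是否有已登陆信息
+        if (session != null) {
+            Object subjectObj = session.getAttribute(ArthasConstants.SUBJECT_KEY);
+            if (subjectObj != null) {
+                authed =true;
+                setAuthenticatedSubject(ctx, session, subjectObj);
             }
+        }
 
-            boolean isMcpRequest = isMcpRequest(httpRequest);
-            Principal principal = null;
-            if (!authed) {
-                if (isMcpRequest) {
-                    principal = extractMcpAuthSubject(httpRequest);
-                } else {
-                    principal = extractBasicAuthSubject(httpRequest);
-                    if (principal == null) {
-                        principal = extractBasicAuthSubjectFromUrl(httpRequest);
-                    }
+        Principal principal = null;
+        boolean isMcpRequest = isMcpRequest(httpRequest);
+
+        if (!authed) {
+            if (isMcpRequest) {
+                principal = extractMcpAuthSubject(httpRequest);
+            } else {
+                principal = extractBasicAuthSubject(httpRequest);
+                if (principal == null) {
+                    principal = extractBasicAuthSubjectFromUrl(httpRequest);
                 }
             }
-            if (!authed && principal == null) {
+            if (principal == null) {
                 // 判断是否本地连接
                 principal = AuthUtils.localPrincipal(ctx);
             }
             Subject subject = securityAuthenticator.login(principal);
             if (subject != null) {
                 authed = true;
-                if (session != null) {
-                    session.setAttribute(ArthasConstants.SUBJECT_KEY, subject);
-                }
-                ctx.channel().attr(SUBJECT_ATTRIBUTE_KEY).set(subject);
+                setAuthenticatedSubject(ctx, session, subject);
             }
+        }
 
-            if (!authed) {
-                // restricted resource, so send back 401 to require valid username/password
-                HttpResponse response = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
+        if (!authed) {
+            // restricted resource, so send back 401 to require valid username/password
+            HttpResponse response = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
 
-                if (isMcpRequest) {
-                    response.headers().add(HttpHeaderNames.WWW_AUTHENTICATE, "Bearer realm=\"arthas mcp\"")
-                            .add(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"arthas mcp\"");
-                } else {
-                    response.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"arthas webconsole\"");
-                }
-
-                response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/plain");
-                response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
-
-                ctx.writeAndFlush(response);
-                // close the channel
-                ctx.channel().close();
-                return;
+            if (isMcpRequest) {
+                response.headers()
+                        .add(HttpHeaderNames.WWW_AUTHENTICATE, "Bearer realm=\"arthas mcp\"")
+                        .add(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"arthas mcp\"");
+            } else {
+                response.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, "Basic realm=\"arthas webconsole\"");
             }
 
+            response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/plain");
+            response.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
+
+            ctx.writeAndFlush(response);
+            // close the channel
+            ctx.channel().close();
+            return;
         }
 
         ctx.fireChannelRead(msg);
     }
 
+    private void setAuthenticatedSubject(ChannelHandlerContext ctx, HttpSession session, Object subject) {
+        ctx.channel().attr(SUBJECT_ATTRIBUTE_KEY).set(subject);
+        if (session != null) {
+            session.setAttribute(ArthasConstants.SUBJECT_KEY, subject);
+        }
+    }
+
     @Override
     public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) throws Exception {
         if (msg instanceof HttpResponse) {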
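Review bot: The session-restore branch at new lines 66-70 accepts any non-null value stored under `ArthasConstants.SUBJECT_KEY` as proof of authentication and, through the new `setAuthenticatedSubject` helper (new line 121, parameter typed `Object`), now also binds that untyped value to the channel attribute, whereas the old code only flipped `authed` and never wrote a session-sourced value to the channel. A stale or mistyped session attribute would therefore be propagated as the channel's authenticated subject, so I would narrow the restore to `if (subjectObj instanceof Subject) { authed = true; setAuthenticatedSubject(ctx, session, (Subject) subjectObj); }` and declare the helper parameter as `Subject subject` — assuming `SUBJECT_ATTRIBUTE_KEY` is typed to accept `Subject`, which I cannot see from this hunk. The helper also rewrites the session attribute with the value just read from that same session on every request, which is redundant on the restore path. Minor style: `authed =true;` at new line 69 is missing the space after `=`. channelRead begins before the hunk.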
