[jbosstools-issues] [JBoss JIRA] (JBIDE-22756) Connection: varioius weirdness in token/password
Andre Dietisheim (JIRA)
issues at jboss.org
Mon Jul 18 14:50:00 EDT 2016
Andre Dietisheim created JBIDE-22756:
----------------------------------------
Summary: Connection: varioius weirdness in token/password
Key: JBIDE-22756
URL: https://issues.jboss.org/browse/JBIDE-22756
Project: Tools (JBoss Tools)
Issue Type: Task
Components: openshift
Affects Versions: 4.4.1.AM2
Reporter: Andre Dietisheim
The lifecycle of the token is rather weird and needs a consistent logic:
When connecting via wizard the token is set in the connection wizard:
{code:title=ConnectionWizardPageModel#connect}
...
try {
IConnection connection = createConnection(connectionFactory, connectionAuthenticationProvider);
...
{code}
{code:title=ConnectionWizardPageModel#createConnection}
...
if (authProvider != null) {
authProvider.update(connection); // sets the token
}
...
{code}
{code:title=BearTokenAuthenticationProvider#update}
...
connection.setAuthScheme(IAuthorizationContext.AUTHSCHEME_OAUTH);
connection.setToken(tokenObservable.getValue());
connection.setRememberToken(rememberTokenObservable.getValue());
...
{code}
{code:title=Connection#connect}
if(authorize()) {
...
{code}
{code:title=Connection#authorized}
...
if (context.isAuthorized()) {
String username = context.getUser().getName();
String token = context.getToken();
updateAuthorized(username, token);
} else {
...
{code}
The token is then fetched from client and set to the connection
{code:title=Connection#updateAuthorized}
setToken(token);
...
{code}
and the password is cleared
{code:Connectoin#savePasswordOrToken}
} else if (IAuthorizationContext.AUTHSCHEME_OAUTH.equals(getAuthScheme())){
boolean success = saveOrClear(SECURE_STORAGE_TOKEN_KEY, this.token, isRememberToken());
if(success) {
//Avoid second secure storage prompt.
//Token is stored, password should be cleared.
clearPassword();
{code}
I suspect the aim here is to clear existing password in secure storage if the user is switching password->token based auth (and vice versa)
The opposite is then not fully congruent. The token is only cleared in secure storage, not in Connection instance var
{code:title=Connection#savePasswordOrToken}
if (IAuthorizationContext.AUTHSCHEME_BASIC.equals(getAuthScheme())) {
boolean success = saveOrClear(SECURE_STORAGE_PASSWORD_KEY, this.password, isRememberPassword());
if (success) {
//Avoid second secure storage prompt.
// Password is stored, token should be cleared.
clearToken();
}
{code:Connection#clearToken}
// dont clear the token instance var: JBIDE-22594
setRememberToken(false);
saveOrClear(SECURE_STORAGE_TOKEN_KEY, null, false);
{code}
I suspect that we should only clear in secure storage, not in the Connection instance as we see in JBIDE-22594 (for the opposite case where we dont clear the token in the Connection instance). But then one has to keep in mind that all auth is token based. Even if you auth via password initially, the auth is then switched to token based once the authorization succeeded and we got a token:
{code:title=Connection#updateAuthorized}
setToken(token);
if (IAuthorizationContext.AUTHSCHEME_OAUTH.equalsIgnoreCase(getAuthScheme())) {
setUsername(username);
}
// force auth strategy to token if authorized
TokenAuthorizationStrategy tokenStrategy = new TokenAuthorizationStrategy(token, username);
client.setAuthorizationStrategy(tokenStrategy);
{code}
Another issue is that the auth scheme, which determines if we do password or oauth is stored in preferences
{code:title=Connection#connect}
saveAuthSchemePreference();
{code}
while password or token are stored to secure storage. If we're using basic auth, we need a password from secure storage. If we're using oauth we need a token. Both are thus tightly linked while being persisted to different facilities.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jbosstools-issues
mailing list