[jbosstools-issues] [JBoss JIRA] (JBIDE-22756) Connection: various weirdness in token/password implementations

Wed Apr 18 12:15:09 EDT 2018

     [ https://issues.jboss.org/browse/JBIDE-22756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff MAURY updated JBIDE-22756:
-------------------------------
    Fix Version/s: 4.6.x
                       (was: 4.5.x)


> Connection: various weirdness in token/password implementations
> ---------------------------------------------------------------
>
>                 Key: JBIDE-22756
>                 URL: https://issues.jboss.org/browse/JBIDE-22756
>             Project: Tools (JBoss Tools)
>          Issue Type: Task
>          Components: openshift
>    Affects Versions: 4.4.1.AM2
>            Reporter: Andre Dietisheim
>              Labels: connection
>             Fix For: 4.6.x
>
>
> The lifecycle of the token is rather weird and needs a consistent logic:
> When connecting via wizard the token is set in the connection wizard:
> {code:title=ConnectionWizardPageModel#connect}
> ...
> try {
> 	IConnection connection = createConnection(connectionFactory, connectionAuthenticationProvider);
> ...
> {code}
> {code:title=ConnectionWizardPageModel#createConnection}
> ...
> 		if (authProvider != null) {
> 			authProvider.update(connection); // sets the token
> 		}
> ...
> {code}
> {code:title=BearTokenAuthenticationProvider#update}
> ...
> 			connection.setAuthScheme(IAuthorizationContext.AUTHSCHEME_OAUTH);
> connection.setToken(tokenObservable.getValue());
> connection.setRememberToken(rememberTokenObservable.getValue());
> ...
> {code}
> {code:title=Connection#connect}
> if(authorize()) {
> ...
> {code}
> {code:title=Connection#authorized}
> ...
> if (context.isAuthorized()) {
> 	String username = context.getUser().getName();
> 	String token = context.getToken();
> 	updateAuthorized(username, token);
> } else {
> ...
> {code}
> The token is then fetched from client and set to the connection
> {code:title=Connection#updateAuthorized}
> setToken(token);
> ...
> {code}
> and the password is cleared
> {code:Connectoin#savePasswordOrToken}
> 		} else if (IAuthorizationContext.AUTHSCHEME_OAUTH.equals(getAuthScheme())){
> 			boolean success = saveOrClear(SECURE_STORAGE_TOKEN_KEY, this.token, isRememberToken());
> 			if(success) { 
> 				//Avoid second secure storage prompt.
> 				//Token is stored, password should be cleared.
> 				clearPassword();
> {code}
> I suspect the aim here is to clear existing password in secure storage if the user is switching password->token based auth (and vice versa)
> The opposite is then not fully congruent. The token is only cleared in secure storage, not in Connection instance var
> {code:title=Connection#savePasswordOrToken}
> 		if (IAuthorizationContext.AUTHSCHEME_BASIC.equals(getAuthScheme())) {
> 			boolean success = saveOrClear(SECURE_STORAGE_PASSWORD_KEY, this.password, isRememberPassword());
> 			if (success) {
> 				//Avoid second secure storage prompt.
> 				// Password is stored, token should be cleared.
> 				clearToken();
> 			}
> {code:Connection#clearToken}
> 		// dont clear the token instance var: JBIDE-22594
> 		setRememberToken(false);
> 		saveOrClear(SECURE_STORAGE_TOKEN_KEY, null, false);
> {code}
> I suspect that we should only clear in secure storage, not in the Connection instance as we see in JBIDE-22594 (for the opposite case where we dont clear the token in the Connection instance). But then one has to keep in mind that all auth is token based. Even if you auth via password initially, the auth is then switched to token based once the authorization succeeded and we got a token:
> {code:title=Connection#updateAuthorized}
> 		setToken(token);
> 		if (IAuthorizationContext.AUTHSCHEME_OAUTH.equalsIgnoreCase(getAuthScheme())) {
> 			setUsername(username);
> 		}
> 		// force auth strategy to token if authorized
> 		TokenAuthorizationStrategy tokenStrategy = new TokenAuthorizationStrategy(token, username);
> 		client.setAuthorizationStrategy(tokenStrategy);
> {code}
> Another issue is that the connection and the auth schemeare both stored in different classes. The connection is stored via 
> {code:title=ConnectionPersistency#persist}
> preferences.saveConnections(connections.keySet().toArray(new String[] {}));
> ...
> {code}
> while the auth scheme is stored in Connection#saveAuthSchemePreference:
> {code:title=Connection#connect}
> saveAuthSchemePreference();
> {code}


--
This message was sent by Atlassian JIRA
(v7.5.0#75005)