RUNTIME-3115: Token context is never used at authentication
Project: Runtime


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • 4.8.0, 4.7.10
    • 4.2.0

      If a token has a context, it's impossible to authenticate from the front office: the tested context is always null, but:

      • If a token has a context, the requested context should be the same
      • Otherwise, it's always accepted

      Maybe we should have something smarter which uses the real right context convertors and stores it, to limit the access by token.

      I tried to do something like this:

          /** The sitemap parameter holding the token context */
          protected static final String SITEMAP_PARAMETER_TOKEN_CONTEXT = "token-context";

          @Override
          protected boolean _handleAuthenticationToken(Request request, Parameters parameters)
          {
              // The token comes from the dedicated header, or else from the sitemap/request parameters
              String token = request.getHeader(HEADER_TOKEN);
              if (StringUtils.isBlank(token))
              {
                  token = parameters.getParameter(PARAMETERS_PARAMETER_TOKEN, _getTokenFromRequest(request));
              }

              // The context the caller is authenticating for; null when the action does not declare one
              String tokenContext = parameters.getParameter(SITEMAP_PARAMETER_TOKEN_CONTEXT, null);

              if (StringUtils.isNotBlank(token))
              {
                  // The token is only valid if it is bound to this context (or to none)
                  UserIdentity userIdentity = _validateToken(token, tokenContext);
                  if (userIdentity != null)
                  {
                      // Save user identity
                      _setUserIdentityInSession(request, userIdentity, new UserDAO.ImpersonateCredentialProvider(), true);
                      _validateCurrentlyConnectedUserIsInAuthorizedPopulation(userIdentity, request, parameters);
                      return true;
                  }
              }

              return false;
          }

          /**
           * Validate the given token
           * @param token The non empty token to validate
           * @param tokenContext The token context requested by the action, or null if none
           * @return The corresponding user identity or null
           */
          protected UserIdentity _validateToken(String token, String tokenContext)
          {
              return _authenticateTokenManager != null ? _authenticateTokenManager.validateToken(token, tokenContext) : null;
          }

      • Add a token-context parameter to the action.
      • Read the token-context parameter in the action.
      • Validate the token with the context.

      But I don't know how we can force the requested context without specific pipelines.
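The two rules stated in the description (a token bound to a context is only accepted when the requested context matches; a token without a context is accepted anywhere) as a stand-alone Java example. This is added here and is not code from Ametys Runtime: the in-memory token store, the `TokenRecord` class and the `register` method are hypothetical stand-ins for whatever the real token manager stores, and the sample tokens are constructed values, not real credentials.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Illustrative context-bound token validator (added example, not Ametys code).
 * A stored token optionally carries a context. Validation applies two rules:
 *   - a token bound to a context is valid only when the requested context is equal to it;
 *   - a token with no context is valid for any requested context.
 * Everything else (unknown token, blank token, context mismatch) is rejected.
 */
public class ContextBoundTokenValidator
{
    /** What the store knows about one token (hypothetical record shape). */
    public static final class TokenRecord
    {
        final String user;
        final String context; // null means "not restricted to a context"

        TokenRecord(String user, String context)
        {
            this.user = user;
            this.context = context;
        }
    }

    private final Map<String, TokenRecord> _tokens = new HashMap<>();

    /** Registers a token for a user; pass a null context for an unrestricted token. */
    public void register(String token, String user, String context)
    {
        _tokens.put(token, new TokenRecord(user, context));
    }

    /**
     * Returns the user bound to the token, or null when the token is blank, unknown,
     * or bound to a context other than the one requested.
     * A null requested context never satisfies a context-bound token: the caller
     * must state which context it is authenticating for.
     */
    public String validateToken(String token, String requestedContext)
    {
        if (token == null || token.isBlank())
        {
            return null;
        }
        TokenRecord record = _tokens.get(token);
        if (record == null)
        {
            return null; // unknown token
        }
        if (record.context != null && !record.context.equals(requestedContext))
        {
            return null; // token is restricted to another context (or no context was requested)
        }
        return record.user;
    }

    public static void main(String[] args)
    {
        ContextBoundTokenValidator validator = new ContextBoundTokenValidator();
        // Constructed sample tokens for the demonstration only.
        validator.register("tok-front", "alice", "front-office");
        validator.register("tok-any", "bob", null);

        String[][] attempts = {
            {"tok-front", "front-office"},
            {"tok-front", "back-office"},
            {"tok-front", null},
            {"tok-any", "back-office"},
            {"unknown-token", "front-office"}
        };
        for (String[] attempt : attempts)
        {
            String user = validator.validateToken(attempt[0], attempt[1]);
            System.out.println("token=" + attempt[0] + " context=" + attempt[1]
                + " -> " + (user == null ? "rejected" : "user " + user));
        }
    }
}
```

Of the five attempts in `main`, only the first and the fourth yield a user: the context-bound token is rejected for a different context and for a missing one, and the unknown token is rejected outright. Note that with the rule "no context means accepted everywhere", a token issued without a context is effectively a global credential; that is what the issue proposes, and it is worth keeping in mind when deciding how tokens are created.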

            Assignee: Unassigned
            Reporter: bmaurel (Bérénice Maurel)