authorOlivier Lamy <olamy@apache.org>2012-04-11 15:58:59 +0000
committerOlivier Lamy <olamy@apache.org>2012-04-11 15:58:59 +0000
commit5d696d5de29052d9240e7b83782ccb6442f7ab23 (patch)
treee36b9e6b371ca6f1e1d4c9ba069c7a79b1813917 /redback-integrations
parentfc4295ae214cee3fd9e3fcc28e110e000a28392f (diff)
use POST rather than GET for login to prevent the password from appearing in http logs.
git-svn-id: https://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk@1324829 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'redback-integrations')
-rw-r--r--redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java77
-rw-r--r--redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java6
-rw-r--r--redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java21
-rw-r--r--redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java15
4 files changed, 101 insertions, 18 deletions
diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java
new file mode 100644
index 000000000..ae7b0d13e
--- /dev/null
+++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/model/LoginRequest.java
@@ -0,0 +1,77 @@
+package org.apache.archiva.redback.rest.api.model;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.xml.bind.annotation.XmlRootElement;
+import java.io.Serializable;
+
+/**
+ * @author Olivier Lamy
+ * @since 2.0
+ */
+@XmlRootElement( name = "loginRequest" )
+public class LoginRequest
+ implements Serializable
+{
+ private String username;
+
+ private String password;
+
+ public LoginRequest()
+ {
+ // no op
+ }
+
+ public LoginRequest( String username, String password )
+ {
+ this.username = username;
+ this.password = password;
+ }
+
+ public String getUsername()
+ {
+ return username;
+ }
+
+ public void setUsername( String username )
+ {
+ this.username = username;
+ }
+
+ public String getPassword()
+ {
+ return password;
+ }
+
+ public void setPassword( String password )
+ {
+ this.password = password;
+ }
+
+ @Override
+ public String toString()
+ {
+ final StringBuilder sb = new StringBuilder();
+ sb.append( "LoginRequest" );
+ sb.append( "{username='" ).append( username ).append( '\'' );
+ sb.append( ", password='" ).append( password ).append( '\'' );
+ sb.append( '}' );
+ return sb.toString();
+ }
+}
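Review bot: `toString()` at the end of the new class appends the raw `password` field, so any log statement, exception message or debug dump that includes a `LoginRequest` writes the credential to the application log, which is the same exposure this commit removes from the HTTP access log. Redact it, e.g. replace the password line with `sb.append( ", password='" ).append( password == null ? "null" : "*****" ).append( '\'' );`. Since the class implements `Serializable`, declaring `private static final long serialVersionUID = 1L;` would also keep the serialized form stable across future edits to the class.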
diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
index c297b4240..0b3fca16e 100644
--- a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
+++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/LoginService.java
@@ -20,9 +20,11 @@ package org.apache.archiva.redback.rest.api.services;
*/
import org.apache.archiva.redback.authorization.RedbackAuthorization;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import javax.ws.rs.GET;
+import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
@@ -58,14 +60,14 @@ public interface LoginService
throws RedbackServiceException;
@Path( "logIn" )
- @GET
+ @POST
@RedbackAuthorization( noRestriction = true, noPermission = true )
@Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } )
/**
* check username/password and create a http session.
* So no more need of reuse username/password for all ajaxRequest
*/
- User logIn( @QueryParam( "userName" ) String userName, @QueryParam( "password" ) String password )
+ User logIn( LoginRequest loginRequest )
throws RedbackServiceException;
@Path( "isLogged" )
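Review bot: The new `logIn( LoginRequest loginRequest )` reads its argument from the request entity, but the method carries only `@Produces` and no `@Consumes`, so the representation the endpoint unmarshals is left implicit; adding `@Consumes( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )` beside the existing `@Produces` (with the matching `javax.ws.rs.Consumes` import) documents and restricts what is accepted. The Javadoc block sits after the annotations rather than before `@Path( "logIn" )`, so it is not attached to the method by Javadoc tooling; moving it above the first annotation fixes that. With the `@QueryParam` parameters removed here, the `javax.ws.rs.QueryParam` import kept in this file's first hunk may now be unused, unless another method of the interface outside this diff still uses it.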
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
index ec85d7122..85a9bdf24 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultLoginService.java
@@ -18,22 +18,24 @@ package org.apache.archiva.redback.rest.services;
* specific language governing permissions and limitations
* under the License.
*/
+
import org.apache.archiva.redback.authentication.AuthenticationException;
-import org.apache.archiva.redback.keys.KeyManager;
-import org.apache.archiva.redback.keys.jdo.JdoAuthenticationKey;
-import org.apache.archiva.redback.policy.AccountLockedException;
-import org.apache.archiva.redback.policy.MustChangePasswordException;
-import org.apache.archiva.redback.users.UserNotFoundException;
import org.apache.archiva.redback.authentication.PasswordBasedAuthenticationDataSource;
+import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.keys.AuthenticationKey;
+import org.apache.archiva.redback.keys.KeyManager;
+import org.apache.archiva.redback.keys.jdo.JdoAuthenticationKey;
import org.apache.archiva.redback.keys.memory.MemoryAuthenticationKey;
import org.apache.archiva.redback.keys.memory.MemoryKeyManager;
-import org.apache.archiva.redback.system.SecuritySession;
-import org.apache.archiva.redback.system.SecuritySystem;
-import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
+import org.apache.archiva.redback.policy.AccountLockedException;
+import org.apache.archiva.redback.policy.MustChangePasswordException;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import org.apache.archiva.redback.rest.api.services.LoginService;
import org.apache.archiva.redback.rest.api.services.RedbackServiceException;
+import org.apache.archiva.redback.system.SecuritySession;
+import org.apache.archiva.redback.system.SecuritySystem;
+import org.apache.archiva.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
@@ -120,9 +122,10 @@ public class DefaultLoginService
return Boolean.TRUE;
}
- public User logIn( String userName, String password )
+ public User logIn( LoginRequest loginRequest )
throws RedbackServiceException
{
+ String userName = loginRequest.getUsername(), password = loginRequest.getPassword();
PasswordBasedAuthenticationDataSource authDataSource =
new PasswordBasedAuthenticationDataSource( userName, password );
try
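Review bot: `loginRequest` is dereferenced on the first line of the new `logIn` body without a null check, so a POST with no entity, or one the runtime maps to a null parameter, would surface as a NullPointerException and a 500 rather than a rejected login; guard it first, e.g. `if ( loginRequest == null ) { throw new RedbackServiceException( "loginRequest is mandatory" ); }` (assuming `RedbackServiceException` offers a message constructor, which this diff does not show). The compound declaration `String userName = loginRequest.getUsername(), password = loginRequest.getPassword();` hides two locals on one line; declaring them separately reads more clearly. The body of `logIn` continues past the end of this hunk.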
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
index a5ec4cb64..ab5565b09 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/LoginServiceTest.java
@@ -19,6 +19,7 @@ package org.apache.archiva.redback.rest.services;
*/
import org.apache.archiva.redback.integration.security.role.RedbackRoleConstants;
+import org.apache.archiva.redback.rest.api.model.LoginRequest;
import org.apache.archiva.redback.rest.api.model.User;
import org.apache.archiva.redback.rest.api.services.UserService;
import org.junit.Test;
@@ -30,15 +31,15 @@ public class LoginServiceTest
extends AbstractRestServicesTest
{
@Test
- public void loginAdmin( )
+ public void loginAdmin()
throws Exception
{
- assertNotNull( getLoginService( null ).logIn( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
- FakeCreateAdminService.ADMIN_TEST_PWD ) );
+ assertNotNull( getLoginService( null ).logIn( new LoginRequest( RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME,
+ FakeCreateAdminService.ADMIN_TEST_PWD ) ) );
}
@Test
- public void createUserThenLog( )
+ public void createUserThenLog()
throws Exception
{
try
@@ -56,9 +57,9 @@ public class LoginServiceTest
// END SNIPPET: create-user
user = userService.getUser( "toto" );
assertNotNull( user );
- assertEquals( "toto the king", user.getFullName( ) );
- assertEquals( "toto@toto.fr", user.getEmail( ) );
- getLoginService( encode( "toto", "foo123" ) ).pingWithAutz( );
+ assertEquals( "toto the king", user.getFullName() );
+ assertEquals( "toto@toto.fr", user.getEmail() );
+ getLoginService( encode( "toto", "foo123" ) ).pingWithAutz();
}
finally
{