Plugin with doFilter gives authentication false whereas I am authenticated

Hello,

I have a small problem with my own Stash plugin.

I have implemented a doFilter to manage user authentication.

Here is my atlassian-plugin.xml description:

    <component-import key="userService" interface="com.atlassian.stash.user.UserService"/>
    <component-import key="userAdminService" interface="com.atlassian.stash.user.UserAdminService"/>
    <component-import key="securityService" interface="com.atlassian.stash.user.SecurityService"/>

    <component key="OAuthFilter" class="net.exemple.oauth.authentication.OAuthFilter"/>

    <servlet-filter name="OAuth Filter" key="stash-oauth-filter"
                    class="bean:OAuthFilter"
                    location="before-login" weight="10">
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </servlet-filter>

My doFilter function looks like:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // ?standard-authent=... on the URL asks for the standard Stash login form
    boolean standard_authent = req.getParameter("standard-authent") != null;

    // authenticationContext is a field of the filter (declaration not shown in the post)
    System.out.println("URI => " + req.getRequestURI() + " and Next => " + req.getParameter("next"));
    System.out.println("Is Authenticated ? " + authenticationContext.isAuthenticated() + " with username = " + authenticationContext.getCurrentUser());

    if (req.getRequestURI().equals("/stash/login")) {
        if (!standard_authent) {
            // I do some stuff to authenticate the end user
            // with the preauthenticate method
        }
    }
    chain.doFilter(req, resp);
}

Let's say I type:

http://localhost:7990/stash/login?standard-authent=true

I will then get the standard login form and I enter admin credentials. I can then access the projects page.

Now if I refresh the projects page, I can see this in the logs:

[INFO] [talledLocalContainer] URI => /stash/projects and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] URI => /stash/mvc/projects and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] URI => /stash/rest/inbox/latest/pull-requests/count and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] URI => /stash/plugins/servlet/dev-toolbar and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] 2013-05-21 11:39:47,186 DEBUG [http-bio-7990-exec-18] admin 699x2289x2 1iauojk 172.16.231.139 "GET /rest/inbox/latest/pull-requests/count HTTP/1.1" c.a.s.p.inbox.rest.InboxResource Retrieving pull request count for user Administrator
[INFO] [talledLocalContainer] URI => /stash/projects/PROJECT_1/avatar.png and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] URI => /stash/mvc/projects/PROJECT_1/avatar.png and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null
[INFO] [talledLocalContainer] URI => /stash/rest/api/latest/profile/recent/repos and Next => null
[INFO] [talledLocalContainer] Is Authenticated ? false with username = null

Each time I enter my doFilter I am considered unauthenticated, whereas I can access all pages and I can also see my logged-in user name:

[INFO] [talledLocalContainer] 2013-05-21 11:39:47,186 DEBUG [http-bio-7990-exec-18] admin 699x2289x2 1iauojk 172.16.231.139 "GET /rest/inbox/latest/pull-requests/count HTTP/1.1" c.a.s.p.inbox.rest.InboxResource Retrieving pull request count for user Administrator

Am I missing something?

Thanks for your help!

1 answer

1 accepted

Jason Hinch Atlassian Team May 21, 2013

servlet-filter modules allow you to intercept requests at different parts of the filter chain. For the full list and a description of each, see the servlet-filter module documentation. In your situation you are using the 'before-login' location, which means it will be applied before any of Stash's authentication filters. As a result, Stash doesn't know that a user is logged in yet for that request.

You may want to investigate using the http-authentication-handler module instead. This has the benefit of allowing you to specify a 'weight' if you would prefer to take lower precedence than Stash's standard authentication.
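
A minimal model of the ordering described in the answer, as an added example that is not part of the original post and is not Stash code: a probe filter placed ahead of the authentication filter sees no user, while the same probe placed after it sees the session's user. The `AUTH` filter, the `CURRENT_USER` thread-local and the placement of `before-decoration` after authentication are assumptions made for the model, not Stash APIs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Constructed model of a filter chain; plain Java, no servlet or Stash classes. */
public class FilterOrderDemo {
    // Stand-in for the per-request authentication context (assumption).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    interface Filter {
        void doFilter(Map<String, String> session, Runnable next);
    }

    // Stand-in for the application's authentication filter: it binds the
    // session's user for the rest of the chain and clears it afterwards.
    static final Filter AUTH = (session, next) -> {
        CURRENT_USER.set(session.get("user"));
        try {
            next.run();
        } finally {
            CURRENT_USER.remove();
        }
    };

    // Diagnostic filter like the one in the question: records what it sees.
    static Filter probe(String location, List<String> seen) {
        return (session, next) -> {
            seen.add(location + " sees user=" + CURRENT_USER.get());
            next.run();
        };
    }

    static void run(List<Filter> chain, int i, Map<String, String> session) {
        if (i == chain.size()) return; // end of chain: the servlet would run here
        chain.get(i).doFilter(session, () -> run(chain, i + 1, session));
    }

    // Same probe registered at two locations around the authentication filter.
    static List<String> observe(Map<String, String> session) {
        List<String> seen = new ArrayList<>();
        run(List.of(probe("before-login", seen), AUTH, probe("before-decoration", seen)), 0, session);
        return seen;
    }

    public static void main(String[] args) {
        // Constructed session: the user already logged in on an earlier request.
        observe(Map.of("user", "admin")).forEach(System.out::println);
    }
}
```

A filter that has to branch on whether the user is already logged in therefore needs to sit after the authentication step, or the authentication logic should live in an authentication handler as the answer suggests.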
