Ensure user authentication in AllRequestFilter filters
The current order of filters declaration make request authentication
only work when HTTP request is issued from the Gerrit UI, but not
work when REST API is used.
In Daemon#createWebInjector() we have this:
[...]
modules.add(RequestContextFilter.module());
modules.add(AllRequestFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(H2CacheBasedWebSession.module());
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
[...]
The are two major use cases to consider:
1. Gerrit UI request: when authenticated user session is found and set
in RequestContextFilter, before AllRequestFilter, that's why in
AllRequestFilter we have a user:
Account: 1000000 username: admin
2. REST API request, e.g.:
curl --user user http://localhost:8080/a/config/server/version
"2.14.7-9-g9ebfce95b7-dirty"
Here the AllRequestFilter is bound before GitOverHttpModule, that
provides ProjectBasicAuthFilter filter, and thus, there is no identified
user:
anonymous
Adapt the AllRequestFilter registration order to fix authentication also
for REST API requests.
This is needed for Javamelody's monitoring filter to work properly for
Prometheus scraping request:
curl -u user http://localhost:8080/a/monitoring?format=prometheus
There is more context and discussions in these CLs:
https://gerrit-review.googlesource.com/c/plugins/javamelody/+/192411
https://gerrit-review.googlesource.com/c/plugins/javamelody/+/192170
https://gerrit-review.googlesource.com/c/gerrit/+/164991
Change-Id: I925e952474440cb612080dafd917a01dba8f3330
diff --git a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java
index d6ae6e1..b57dfc6 100644
--- a/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java
+++ b/gerrit-pgm/src/main/java/com/google/gerrit/pgm/Daemon.java
@@ -513,10 +513,10 @@
modules.add(new ProjectQoSFilter.Module());
}
modules.add(RequestContextFilter.module());
- modules.add(AllRequestFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(H2CacheBasedWebSession.module());
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
+ modules.add(AllRequestFilter.module());
modules.add(sysInjector.getInstance(WebModule.class));
modules.add(sysInjector.getInstance(RequireSslFilter.Module.class));
modules.add(new HttpPluginModule());
diff --git a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java
index 8bc091a..441f2b5 100644
--- a/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java
+++ b/gerrit-war/src/main/java/com/google/gerrit/httpd/WebAppInitializer.java
@@ -401,9 +401,9 @@
private Injector createWebInjector() {
final List<Module> modules = new ArrayList<>();
modules.add(RequestContextFilter.module());
- modules.add(AllRequestFilter.module());
modules.add(RequestMetricsFilter.module());
modules.add(sysInjector.getInstance(GitOverHttpModule.class));
+ modules.add(AllRequestFilter.module());
modules.add(sysInjector.getInstance(WebModule.class));
modules.add(sysInjector.getInstance(RequireSslFilter.Module.class));
if (sshInjector != null) {
