Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-30854

Fix marshalling of DocumentModel with unauthenticated requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.10-HF54
    • Fix Version/s: 10.10-HF59, 2021.17
    • Component/s: Core IO
    • Release Notes Summary:
      DocumentModel marshalling works with unauthenticated requests
    • Backlog priority:
      900
    • Sprint:
      nxplatform #55, nxplatform #56
    • Story Points:
      2

      Description

      Steps to reproduce:

      1. define an endpoint which calls a page provider in an unrestricted session
            @Path("/pp/city")
            @POST
            public Object getCities(@Context HttpServletRequest request) throws IOException, MessagingException {
                Map<String, Object> params = new HashMap<>(3);
                params.put("providerName", CITY_SUGGESTIONS_PAGE_PROVIDER);
                params.put("pageSize", 200);
                params.put("sortBy", "dc:title");
                params.put("sortOrder", "ASC");
                InputStream in = request.getInputStream();
                String body = IOUtils.toString(in, Charset.defaultCharset());
                params.put("searchTerm", body.isEmpty() ? "" : new ObjectMapper().readValue(body, Map.class).get("searchTerm"));
        
                CoreSession session = CoreInstance.openCoreSessionSystem(null);
                OperationContext ctx = new OperationContext(session);
        
                Object cities = Framework.doPrivileged(() -> {
                    try {
                        return Framework.getService(AutomationService.class).run(ctx, DocumentPageProviderOperation.ID, params);
                    } catch (Exception e) {
                        log.error("Error running DocumentPageProviderOperation: city-suggestions");
                        return null;
                    }
                });
                Object object = ResponseHelper.getResponse(cities, request, HttpStatus.SC_OK);
                if (session != null) {
                    ((CloseableCoreSession) session).close();
                    session = null;
                }
                return object;
            }
        
      2. configure Nuxeo to bypass the authentication for this endpoint
      3. call this endpoint POST http://localhost:8080/nuxeo/site/requestaccess/pp/city without authentication
      4. observe the following error
      Caused by: java.lang.IllegalStateException: Not authenticated user is trying to get a core session
      	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.createSession(CoreSessionProvider.java:67) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.getSessionRef(CoreSessionProvider.java:55) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.webengine.jaxrs.session.CoreSessionProvider.getSession(CoreSessionProvider.java:62) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.webengine.jaxrs.session.SessionFactory.getSession(SessionFactory.java:109) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.webengine.jaxrs.session.SessionFactory.getSession(SessionFactory.java:105) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.webengine.jaxrs.coreiodelegate.RenderingContextWebUtils.lambda$fillContext$0(RenderingContextWebUtils.java:116) ~[nuxeo-webengine-jaxrs-10.10-HF44.jar:?]
      	at org.nuxeo.ecm.core.io.registry.context.RenderingContextImpl.getSession(RenderingContextImpl.java:100) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.registry.context.ThreadSafeRenderingContext.getSession(ThreadSafeRenderingContext.java:75) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.withDocumentAttached(DocumentModelJsonWriter.java:275) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:154) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:117) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.ExtensibleEntityJsonWriter.write(ExtensibleEntityJsonWriter.java:80) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:81) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.DefaultListJsonWriter.write(DefaultListJsonWriter.java:127) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelListJsonWriter.write(DocumentModelListJsonWriter.java:57) ~[nuxeo-core-io-10.10-HF55.jar:?]
      	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelListJsonWriter.write(DocumentModelListJsonWriter.java:42) ~[nuxeo-core-io-10.10-HF55.jar:?] 

      This is due to the fact that no user can be retrieved from the HTTP request: when it arrives to CoreSessionProvider#createSession, request.getUserPrincipal() returns null and causes this error.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.