1717 * CDDL HEADER END
1818 */
1919
20- /*
21- * Copyright (c) 2016, 2017 , Oracle and/or its affiliates. All rights reserved.
20+ /*
21+ * Copyright (c) 2016, 2018 , Oracle and/or its affiliates. All rights reserved.
2222 */
2323package org .opensolaris .opengrok .web ;
2424
3535import javax .servlet .http .HttpServletResponse ;
3636import org .opensolaris .opengrok .configuration .Project ;
3737import org .opensolaris .opengrok .logger .LoggerFactory ;
38+ import org .opensolaris .opengrok .web .api .v1 .RestApp ;
3839
3940public class AuthorizationFilter implements Filter {
4041
@@ -49,9 +50,19 @@ public void doFilter(ServletRequest sr, ServletResponse sr1, FilterChain fc) thr
4950 HttpServletRequest httpReq = (HttpServletRequest ) sr ;
5051 HttpServletResponse httpRes = (HttpServletResponse ) sr1 ;
5152
52- PageConfig config = PageConfig .get (httpReq );
53- long processTime = System .currentTimeMillis ();
53+ // All RESTful API requests are allowed for now (also see LocalhostFilter).
54+ // The /search endpoint will go through authorization via SearchEngine.search()
55+ // so does not have to be exempted here.
56+ if (httpReq .getServletPath ().startsWith (RestApp .API_PATH )) {
57+ LOGGER .log (Level .FINER , "Allowing request to {0} in {1}" ,
58+ new Object []{ httpReq .getServletPath (), AuthorizationFilter .class .getName () });
59+ fc .doFilter (sr , sr1 );
60+ return ;
61+ }
5462
63+ PageConfig config = PageConfig .get (httpReq );
64+ long processTime = System .currentTimeMillis ();
65+
5566 Project p = config .getProject ();
5667 if (p != null && !config .isAllowed (p )) {
5768 if (httpReq .getRemoteUser () != null ) {
0 commit comments