diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java
index 435efa0d250..e60af3b7d50 100644
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@@ -66,6 +66,7 @@ import org.apache.cloudstack.api.BaseListCmd;
 import org.apache.cloudstack.api.ResponseObject;
 import org.apache.cloudstack.api.ResponseObject.ResponseView;
 import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.auth.APIAuthenticationManager;
 import org.apache.cloudstack.api.command.admin.account.ListAccountsCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.host.ListHostsCmd;
 import org.apache.cloudstack.api.command.admin.router.ListRoutersCmd;
@@ -204,6 +205,8 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 private ConfigurationDao _configDao;
 @Inject
 private EntityManager _entityMgr;
+ @Inject
+ APIAuthenticationManager _authManager;
 List _pluggableServices;
 List _apiAccessCheckers;
@@ -485,6 +488,10 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 }
 throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, "Invalid request, no command sent");
 } else {
+ // Don't allow Login/Logout APIs to go past this point
+ if (_authManager.getAPIAuthenticator(command[0]) != null) {
+ return null;
+ }
 final Map paramMap = new HashMap();
 final Set keys = params.keySet();
 final Iterator keysIter = keys.iterator();
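Review bot: `APIAuthenticationManager _authManager` is declared package-private while the neighbouring injected fields `_configDao` and `_entityMgr` are `private`; unless another class in the package reads it, keep the same accessibility with `@Inject` followed by `private APIAuthenticationManager _authManager;`. The field list continues outside the hunk.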
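Review bot: The new early `return null` short-circuits the rest of the method for every command that has an APIAuthenticator registered, so the set of commands that bypass parameter-map construction and whatever follows is now defined by plugin registration rather than the fixed login/logout pair the old code special-cased, and nothing in the hunk shows how the caller distinguishes this null from a failure. The enclosing method starts and ends outside the hunk; confirm the caller treats null as "handled elsewhere" and that no check that previously ran for login/logout is now skipped. The comment should state that contract rather than just the intent, e.g. `// Commands with a registered APIAuthenticator are served by the authenticator itself; null tells the caller nothing was dispatched here` (adjust to the caller's actual contract). Note also that `command[0]` is passed straight into `getAPIAuthenticator`, which the later hunk makes call `toLowerCase()` on its argument, so a null element would now throw NullPointerException inside the lookup instead of reaching the "Unknown API command" path; whether `command[0]` can be null at this point is not visible here.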
@@ -522,12 +529,10 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
 else
 buildAuditTrail(auditTrailSb, command[0], response);
 } else {
- if (!command[0].equalsIgnoreCase("login") && !command[0].equalsIgnoreCase("logout")) {
- final String errorString = "Unknown API command: " + command[0];
- s_logger.warn(errorString);
- auditTrailSb.append(" " + errorString);
- throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, errorString);
- }
+ final String errorString = "Unknown API command: " + command[0];
+ s_logger.warn(errorString);
+ auditTrailSb.append(" " + errorString);
+ throw new ServerApiException(ApiErrorCode.UNSUPPORTED_ACTION_ERROR, errorString);
 }
 }
 } catch (final InvalidParameterValueException ex) {
diff --git a/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java b/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
index fc21b1913e4..9d0ab684746 100644
--- a/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
+++ b/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
@@ -57,7 +57,7 @@ public class APIAuthenticationManagerImpl extends ManagerBase implements APIAuth
 APICommand command = authenticator.getAnnotation(APICommand.class);
 if (command != null && !command.name().isEmpty() && APIAuthenticator.class.isAssignableFrom(authenticator)) {
- s_authenticators.put(command.name(), authenticator);
+ s_authenticators.put(command.name().toLowerCase(), authenticator);
 }
 }
 return true;
@@ -81,6 +81,7 @@ public class APIAuthenticationManagerImpl extends ManagerBase implements APIAuth
 @Override
 public APIAuthenticator getAPIAuthenticator(String name) {
+ name = name.toLowerCase();
 APIAuthenticator apiAuthenticator = null;
 if (s_authenticators != null && s_authenticators.containsKey(name)) {
 try {
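Review bot: `command.name().toLowerCase()` lowercases with the JVM default locale, so the registered key varies with the runtime locale — under a Turkish locale an uppercase `I` becomes dotless `ı` — and the lookup in the following hunk of `getAPIAuthenticator` has the same problem, so a request sent as `LOGIN` would no longer match a registration derived from a lowercase annotation name, a case the removed `equalsIgnoreCase` check handled. Use the locale-independent form on both sides: `s_authenticators.put(command.name().toLowerCase(Locale.ROOT), authenticator);` here and `name.toLowerCase(Locale.ROOT)` in `getAPIAuthenticator`, adding `import java.util.Locale;` if the file does not already have it. The actual annotation names are not visible in this diff, so whether the mismatch is reachable in practice depends on them.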
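Review bot: `name = name.toLowerCase();` reassigns the parameter and throws NullPointerException when `name` is null, whereas before a null name only reached `containsKey`, which for a HashMap (the map's declared type is not visible here) simply returns false. Prefer an explicit guard and a local instead of mutating the parameter: `if (name == null) { return null; }` followed by `final String key = name.toLowerCase(Locale.ROOT);`, using `key` in the lookups that follow — assuming the not-found path returns the null-initialised `apiAuthenticator`, which the hunk suggests but does not show because the method body continues past it.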