When using session based authentication, we now store the parameters in the session as part of the login processing, instead of returning those parameters so that the caller has to update the session. Authentication now throws an exception on failure and the caught exception is where the session is invalidated.

api/src/com/cloud/exception/CloudAuthenticationException.java

@@ -0,0 +1,32 @@
+/**
+ *  Copyright (C) 2010 Cloud.com, Inc.  All rights reserved.
+ * 
+ * This software is licensed under the GNU General Public License v3 or later.
+ * 
+ * It is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or any later version.
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+package com.cloud.exception;
+
+import com.cloud.utils.SerialVersionUID;
+
+public class CloudAuthenticationException extends RuntimeException {
+    private static final long serialVersionUID = SerialVersionUID.CloudAuthenticationException;
+
+    public CloudAuthenticationException(String message) {
+        super(message);
+    }
+
+    public CloudAuthenticationException(String message, Throwable th) {
+        super(message, th);
+    }
+}

server/src/com/cloud/api/ApiServer.java

@@ -82,6 +82,7 @@ import com.cloud.async.AsyncJobVO;
 import com.cloud.configuration.ConfigurationVO;
 import com.cloud.configuration.dao.ConfigurationDao;
 import com.cloud.domain.DomainVO;
+import com.cloud.exception.CloudAuthenticationException;
 import com.cloud.maid.StackMaid;
 import com.cloud.serializer.GsonHelper;
 import com.cloud.server.ManagementServer;
@@ -492,7 +493,7 @@ public class ApiServer implements HttpRequestHandler {
         return false;
     }
     
-    public List<Pair<String, Object>> loginUser(HttpSession session, String username, String password, Long domainId, String domainPath, Map<String, Object[]> requestParameters) {
+    public void loginUser(HttpSession session, String username, String password, Long domainId, String domainPath, Map<String, Object[]> requestParameters) throws CloudAuthenticationException {
     	// We will always use domainId first.  If that does not exist, we will use domain name.  If THAT doesn't exist
     	// we will default to ROOT
         if (domainId == null) {
@@ -503,14 +504,13 @@ public class ApiServer implements HttpRequestHandler {
         		if (domainObj != null) {
         			domainId = domainObj.getId();
         		} else { // if an unknown path is passed in, fail the login call
-        			return null;
+        			throw new CloudAuthenticationException("Unable to find the domain from the path " + domainPath);
         		}
         	}
         }
 
         UserAccount userAcct = _ms.authenticateUser(username, password, domainId, requestParameters);
-        if (userAcct != null) 
-        {
+        if (userAcct != null) {
         	String timezone = userAcct.getTimezone();
         	float offsetInHrs = 0f;
         	if (timezone!=null) {
@@ -525,7 +525,6 @@ public class ApiServer implements HttpRequestHandler {
         	}
         	
         	Account account = _ms.findAccountById(userAcct.getAccountId());
-            List<Pair<String, Object>> loginParams = new ArrayList<Pair<String, Object>>();
 
             String networkType = _ms.getConfigurationValue("network.type");
             if (networkType == null) 
@@ -574,9 +573,9 @@ public class ApiServer implements HttpRequestHandler {
             String sessionKey = Base64.encodeBytes(sessionKeyBytes);
             session.setAttribute("sessionkey", sessionKey);
 
-            return loginParams;
+            return;
         }
-        return null;
+        throw new CloudAuthenticationException("Unable to find user " + username + " in domain " + domainId);
     }
 
     public void logoutUser(long userId) {

server/src/com/cloud/api/ApiServlet.java

@@ -22,7 +22,6 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.util.Enumeration;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 
 import javax.servlet.http.HttpServlet;
@@ -32,10 +31,10 @@ import javax.servlet.http.HttpSession;
 
 import org.apache.log4j.Logger;
 
+import com.cloud.exception.CloudAuthenticationException;
 import com.cloud.maid.StackMaid;
 import com.cloud.user.Account;
 import com.cloud.user.UserContext;
-import com.cloud.utils.Pair;
 import com.cloud.utils.exception.CloudRuntimeException;
 
 @SuppressWarnings("serial")
@@ -133,20 +132,17 @@ public class ApiServlet extends HttpServlet {
                     }
 
                     if (username != null) {
-                        String pwd = ((password == null) ? null : password[0]);
-                        List<Pair<String, Object>> sessionParams = _apiServer.loginUser(session, username[0], pwd, domainId, domain, params);
-                        if (sessionParams != null) {
-                            for (Pair<String, Object> sessionParam : sessionParams) {
-                                session.setAttribute(sessionParam.first(), sessionParam.second());
-                            }
-                            String loginResponse = getLoginSuccessResponse(session, responseType);
-                            writeResponse(resp, loginResponse, false, responseType);
-                            return;
-                        } else {
-                            // TODO:  fall through to API key, or just fail here w/ auth error? (HTTP 401)
-                            session.invalidate();
-                            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "failed to authenticated user, check username/password are correct");
-                            return;
+                        String pwd = ((password == null) ? null : password[0]);
+                        try {
+                            _apiServer.loginUser(session, username[0], pwd, domainId, domain, params);
+                            String loginResponse = getLoginSuccessResponse(session, responseType);
+                            writeResponse(resp, loginResponse, false, responseType);
+                            return;
+                        } catch (CloudAuthenticationException ex) {
+                            // TODO:  fall through to API key, or just fail here w/ auth error? (HTTP 401)
+                            session.invalidate();
+                            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "failed to authenticated user, check username/password are correct");
+                            return;
                         }
                     }
                 } 

utils/src/com/cloud/utils/SerialVersionUID.java

@@ -27,7 +27,7 @@ package com.cloud.utils;
  **/
 public interface SerialVersionUID {
     public static final long Base = 0x564D4F70 << 32;  // 100 brownie points if you guess what this is and tell me.
-    
+
     public static final long UUID = Base | 0x1;
     public static final long CloudRuntimeException = Base | 0x2;
     public static final long CloudStartupServlet = Base | 0x3;
@@ -55,4 +55,5 @@ public interface SerialVersionUID {
     public static final long StorageUnavailableException = Base | 0x19;
     public static final long InfficientVirtualNetworkCapacityException = Base | 0x1a;
     public static final long DiscoveryException = Base | 0x1b;
+    public static final long CloudAuthenticationException = Base | 0x1c;
 }