refact: enhance auth logic

README.md

@@ -36,7 +36,8 @@ achieved through [Gremlin](https://tinkerpop.apache.org/gremlin.html)(a powerful
 
 We can use `docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph` to quickly start an inner 
 HugeGraph server with `RocksDB` (in backgrounds) for **test/dev**.
-You can visit [doc page](https://hugegraph.apache.org/docs/quickstart/hugegraph-server/#3-deploy) or the [README](hugegraph-server/hugegraph-dist/docker/READEME.md) for more details.
+You can visit [doc page](https://hugegraph.apache.org/docs/quickstart/hugegraph-server/#3-deploy) or
+the [README](hugegraph-server/hugegraph-dist/docker/READEME.md) for more details. ([Docker Compose](./hugegraph-server/hugegraph-dist/docker/example))
 
 > Note:
 >  
@@ -58,12 +59,11 @@ The project [doc page](https://hugegraph.apache.org/docs/) contains more informa
 and provides detailed documentation for users. (Structure / Usage / API / Configs...)
 
 And here are links of other **HugeGraph** component/repositories:
-1. [hugegraph-toolchain](https://github.com/apache/incubator-hugegraph-toolchain) (graph tools **[loader](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-loader)/[dashboard](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-hubble)/[tool](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-tools)/[client](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-client)**)
-2. [hugegraph-computer](https://github.com/apache/incubator-hugegraph-computer) (integrated **graph computing** system)
-3. [hugegraph-commons](https://github.com/apache/incubator-hugegraph-commons) (**common & rpc** libs)
-4. [hugegraph-website](https://github.com/apache/incubator-hugegraph-doc) (**doc & website** code)
-
-
+1. [hugegraph-toolchain](https://github.com/apache/hugegraph-toolchain) (graph tools **[loader](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-loader)/[dashboard](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-hubble)/[tool](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-tools)/[client](https://github.com/apache/incubator-hugegraph-toolchain/tree/master/hugegraph-client)**)
+2. [hugegraph-computer](https://github.com/apache/hugegraph-computer) (integrated **graph computing** system)
+3. [hugegraph-commons](https://github.com/apache/hugegraph-commons) (**common & rpc** libs)
+4. [hugegraph-website](https://github.com/apache/hugegraph-doc) (**doc & website** code)
+5. [hugegraph-ai](https://github.com/apache/incubator-hugegraph-ai) (integrated **Graph AI/LLM/KG** system)
 
 ## License
 

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/auth/LoginAPI.java

@@ -84,8 +84,7 @@ public String login(@Context GraphManager manager, @PathParam("graph") String gr
     @Status(Status.OK)
     @Consumes(APPLICATION_JSON)
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    public void logout(@Context GraphManager manager,
-                       @PathParam("graph") String graph,
+    public void logout(@Context GraphManager manager, @PathParam("graph") String graph,
                        @HeaderParam(HttpHeaders.AUTHORIZATION) String auth) {
         E.checkArgument(StringUtils.isNotEmpty(auth),
                         "Request header Authorization must not be null");
@@ -105,10 +104,8 @@ public void logout(@Context GraphManager manager,
     @Status(Status.OK)
     @Consumes(APPLICATION_JSON)
     @Produces(APPLICATION_JSON_WITH_CHARSET)
-    public String verifyToken(@Context GraphManager manager,
-                              @PathParam("graph") String graph,
-                              @HeaderParam(HttpHeaders.AUTHORIZATION)
-                              String token) {
+    public String verifyToken(@Context GraphManager manager, @PathParam("graph") String graph,
+                              @HeaderParam(HttpHeaders.AUTHORIZATION) String token) {
         E.checkArgument(StringUtils.isNotEmpty(token),
                         "Request header Authorization must not be null");
         LOG.debug("Graph [{}] get user: {}", graph, token);

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java

@@ -259,8 +259,7 @@ private boolean matchPermission(String required) {
 
             if (LOG.isDebugEnabled()) {
                 LOG.debug("Verify permission {} {} for user '{}' with role {}",
-                          requiredPerm.action().string(),
-                          requiredPerm.resourceObject(),
+                          requiredPerm.action().string(), requiredPerm.resourceObject(),
                           this.user.username(), this.user.role());
             }
 
@@ -269,9 +268,8 @@ private boolean matchPermission(String required) {
 
             if (!valid && LOG.isInfoEnabled() &&
                 !required.equals(HugeAuthenticator.USER_ADMIN)) {
-                LOG.info("User '{}' is denied to {} {}",
-                         this.user.username(), requiredPerm.action().string(),
-                         requiredPerm.resourceObject());
+                LOG.info("User '{}' is denied to {} {}", this.user.username(),
+                         requiredPerm.action().string(), requiredPerm.resourceObject());
             }
             return valid;
         }

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/gremlin/GremlinQueryAPI.java

@@ -37,8 +37,7 @@
 public class GremlinQueryAPI extends API {
 
     private static final Set<String> FORBIDDEN_REQUEST_EXCEPTIONS =
-            ImmutableSet.of("java.lang.SecurityException",
-                            "jakarta.ws.rs.ForbiddenException");
+            ImmutableSet.of("java.lang.SecurityException", "jakarta.ws.rs.ForbiddenException");
     private static final Set<String> BAD_REQUEST_EXCEPTIONS = ImmutableSet.of(
             "java.lang.IllegalArgumentException",
             "java.util.concurrent.TimeoutException",
@@ -56,6 +55,7 @@ public GremlinClient client() {
         if (this.client != null) {
             return this.client;
         }
+
         HugeConfig config = this.configProvider.get();
         String url = config.get(ServerOptions.GREMLIN_SERVER_URL);
         int timeout = config.get(ServerOptions.GREMLIN_SERVER_TIMEOUT) * 1000;
@@ -100,6 +100,7 @@ private static boolean matchBadRequestException(String exClass) {
         if (exClass == null) {
             return false;
         }
+
         if (BAD_REQUEST_EXCEPTIONS.contains(exClass)) {
             return true;
         }

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeFactoryAuthProxy.java

@@ -90,7 +90,28 @@ public static synchronized HugeGraph open(Configuration config) {
         return proxy;
     }
 
+    // TODO: add some test to ensure the effect & partially move to HugeSecurityManager
     private static void registerPrivateActions() {
+        // Sensitive classes (Be careful to add classes here due to JDK compatibility)
+        Reflection.registerMethodsToFilter(java.lang.Class.class, "forName", "newInstance");
+        Reflection.registerMethodsToFilter(java.lang.ClassLoader.class, "loadClass", "newInstance");
+        Reflection.registerMethodsToFilter(java.lang.reflect.Method.class, "invoke",
+                                           "setAccessible");
+        Reflection.registerMethodsToFilter(java.lang.reflect.Field.class, "set",
+                                           "setAccessible");
+        Reflection.registerMethodsToFilter(java.lang.reflect.Constructor.class, "newInstance",
+                                           "setAccessible");
+        Reflection.registerMethodsToFilter(java.lang.Runtime.class, "exec",
+                                           "getRuntime");
+        Reflection.registerMethodsToFilter(java.lang.ProcessBuilder.class, "command", "start",
+                                           "startPipeline");
+        Reflection.registerMethodsToFilter(loadClass("java.lang.ProcessImpl"),
+                                           "forkAndExec", "setAccessible", "start");
+        Reflection.registerMethodsToFilter(loadClass("sun.invoke.util.BytecodeDescriptor"),
+                                           "parseMethod", "parseSig");
+        Reflection.registerMethodsToFilter(loadClass("sun.reflect.misc.MethodUtil"), "invoke");
+        Reflection.registerMethodsToFilter(loadClass("jdk.internal.reflect.MethodAccessor"),
+                                           "invoke");
         // Thread
         Reflection.registerFieldsToFilter(java.lang.Thread.class, "name", "priority", "threadQ",
                                           "eetop", "single_step", "daemon", "stillborn", "target",
@@ -106,7 +127,7 @@ private static void registerPrivateActions() {
                                           "threadLocalRandomSecondarySeed");
         Reflection.registerMethodsToFilter(java.lang.Thread.class, "exit",
                                            "dispatchUncaughtException", "clone", "isInterrupted",
-                                           "registerNatives", "init", "init", "nextThreadNum",
+                                           "registerNatives", "init", "nextThreadNum",
                                            "nextThreadID", "blockedOn", "start0", "isCCLOverridden",
                                            "auditSubclass", "dumpThreads", "getThreads",
                                            "processQueue", "setPriority0", "stop0", "suspend0",
@@ -562,20 +583,18 @@ private static void registerPrivateActions(Class<?> clazz) {
         }
     }
 
-    private static boolean registerClass(Class<?> clazz,
-                                         List<String> fields,
-                                         List<String> methods) {
-        if (clazz.getName().startsWith("java") ||
-            fields.isEmpty() && methods.isEmpty()) {
-            return false;
+    private static void registerClass(Class<?> clazz, List<String> fields, List<String> methods) {
+        if (clazz.getName().startsWith("java") || fields.isEmpty() && methods.isEmpty()) {
+            return;
         }
+
         final String[] array = new String[fields.size()];
         try {
             Reflection.registerFieldsToFilter(clazz, fields.toArray(array));
             Reflection.registerMethodsToFilter(clazz, methods.toArray(array));
         } catch (IllegalArgumentException e) {
             if (e.getMessage().contains("Filter already registered: class")) {
-                return false;
+                return;
             }
             throw e;
         }
@@ -596,8 +615,6 @@ private static boolean registerClass(Class<?> clazz,
             System.out.println(code);
             // CHECKSTYLE:ON
         }
-
-        return true;
     }
 
     private static Class<?> loadClass(String clazz) {