
Example 1 with AuthConfigProvider

Use of javax.security.auth.message.config.AuthConfigProvider in project tomcat by apache.

The class AuthenticatorBase, method findJaspicProvider.

/**
 * Looks up the JASPIC {@link AuthConfigProvider} registered for this
 * context and caches the outcome in {@code jaspicProvider}.
 * <p>
 * A missing {@link AuthConfigFactory} and a factory with no matching
 * provider both yield an empty {@link Optional}. The empty value is cached
 * as well, so later readers of {@code jaspicProvider} see the same result
 * as the caller of this method.
 *
 * @return the located provider, or {@link Optional#empty()} when none is
 *         registered for the {@code "HttpServlet"} layer and this context
 */
private Optional<AuthConfigProvider> findJaspicProvider() {
    final AuthConfigFactory factory = AuthConfigFactory.getFactory();
    // this is handed to the factory as the RegistrationListener (JASPIC API),
    // so the factory can notify this authenticator of registration changes
    final Optional<AuthConfigProvider> located = factory == null
            ? Optional.empty()
            : Optional.ofNullable(
                    factory.getConfigProvider("HttpServlet", jaspicAppContextID, this));
    jaspicProvider = located;
    return located;
}

Example 2 with AuthConfigProvider

Use of javax.security.auth.message.config.AuthConfigProvider in project tomcat by apache.

The class AuthConfigFactoryImpl, method doRegisterConfigProvider.

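/**
 * Registers a provider given by class name, instantiating it reflectively
 * through its {@code (Map, AuthConfigFactory)} constructor.
 * <p>
 * The class is looked up through the thread context class loader first and,
 * only if that lookup fails, through this class's own loader. Previously the
 * result of the first lookup was discarded and the second lookup always ran,
 * so a class visible only to the context class loader could not be
 * registered; the fallback is now conditional.
 * <p>
 * NOTE(review): {@code className} is loaded and instantiated reflectively
 * and is not validated here, so it must come from a trusted registration
 * source. The {@code true} passed to {@link RegistrationContextImpl} is
 * presumably the persistent flag - confirm against that class.
 *
 * @param className   fully qualified name of the {@link AuthConfigProvider}
 *                    implementation
 * @param properties  properties handed to the provider constructor (raw
 *                    {@link Map}, as required by the JASPIC API)
 * @param layer       message layer of the registration, or {@code null}
 * @param appContext  application context of the registration, or {@code null}
 * @param description human-readable description of the registration
 * @return the registration ID computed from {@code layer} and {@code appContext}
 * @throws SecurityException if the class cannot be loaded, lacks the expected
 *                           constructor, or cannot be instantiated; the
 *                           reflective cause is preserved
 */
@SuppressWarnings("unchecked")
private String doRegisterConfigProvider(String className, @SuppressWarnings("rawtypes") Map properties, String layer, String appContext, String description) {
    if (log.isDebugEnabled()) {
        log.debug(sm.getString("authConfigFactoryImpl.registerClass", className, layer, appContext));
    }
    Class<?> clazz = null;
    try {
        clazz = Class.forName(className, true, Thread.currentThread().getContextClassLoader());
    } catch (ClassNotFoundException ignored) {
        // Ignore so the re-try below can proceed
    }
    AuthConfigProvider provider;
    try {
        // Fall back to this class's loader only when the context class loader
        // could not see the class
        if (clazz == null) {
            clazz = Class.forName(className);
        }
        Constructor<?> constructor = clazz.getConstructor(Map.class, AuthConfigFactory.class);
        provider = (AuthConfigProvider) constructor.newInstance(properties, null);
    } catch (ReflectiveOperationException | IllegalArgumentException e) {
        // ReflectiveOperationException covers ClassNotFound, NoSuchMethod,
        // Instantiation, IllegalAccess and InvocationTarget exceptions
        throw new SecurityException(e);
    }
    String registrationID = getRegistrationID(layer, appContext);
    RegistrationContextImpl registrationContextImpl = new RegistrationContextImpl(layer, appContext, description, true, provider, properties);
    addRegistrationContextImpl(layer, appContext, registrationID, registrationContextImpl);
    return registrationID;
}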

Example 3 with AuthConfigProvider

Use of javax.security.auth.message.config.AuthConfigProvider in project tomcat by apache.

The class AuthenticatorBase, method logout.

/**
 * Logs the current user out of this request.
 * <p>
 * When a JASPIC provider is registered, the provider's
 * {@link ServerAuthContext#cleanSubject} is invoked for the {@link Subject}
 * stored in the {@code REQ_JASPIC_SUBJECT_NOTE} request note; a failure there
 * is logged at debug level and does not abort the logout. Any
 * {@link TomcatPrincipal} attached to the request is then logged out, and
 * {@code register(...)} is called with {@code null} values to clear the
 * cached authentication state.
 * <p>
 * NOTE(review): with a JASPIC provider registered but no subject note on the
 * request, this method returns early and skips both the TomcatPrincipal
 * logout and the final {@code register(...)} call - confirm that this is
 * the intended behaviour.
 *
 * @param request the request whose authentication state is being cleared
 */
@Override
public void logout(Request request) {
    final AuthConfigProvider jaspic = getJaspicProvider();
    if (jaspic != null) {
        final MessageInfo messageInfo = new MessageInfoImpl(request, request.getResponse(), true);
        final Subject subject = (Subject) request.getNote(Constants.REQ_JASPIC_SUBJECT_NOTE);
        if (subject == null) {
            return;
        }
        try {
            final ServerAuthConfig authConfig = jaspic.getServerAuthConfig("HttpServlet", jaspicAppContextID, CallbackHandlerImpl.getInstance());
            final String authContextID = authConfig.getAuthContextID(messageInfo);
            final ServerAuthContext authContext = authConfig.getAuthContext(authContextID, null, null);
            authContext.cleanSubject(messageInfo, subject);
        } catch (AuthException e) {
            log.debug(sm.getString("authenticator.jaspicCleanSubjectFail"), e);
        }
    }
    final Principal principal = request.getPrincipal();
    if (principal instanceof TomcatPrincipal) {
        try {
            ((TomcatPrincipal) principal).logout();
        } catch (Throwable t) {
            // Re-throw anything that must not be swallowed, then log the rest
            ExceptionUtils.handleThrowable(t);
            log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
        }
    }
    register(request, request.getResponse(), null, null, null, null);
}

Example 4 with AuthConfigProvider

Use of javax.security.auth.message.config.AuthConfigProvider in project tomcat by apache.

The class AuthenticatorBase, method invoke.

// --------------------------------------------------------- Public Methods
/**
 * Enforce the security restrictions in the web application deployment
 * descriptor of our associated Context.
 * <p>
 * Steps, in order: restore a Principal cached in the session (when
 * {@code cache} is set), make sure servlet security annotations have been
 * scanned, look up the constraints matching this request, add anti-caching
 * headers to constrained resources, enforce the user-data constraint,
 * authenticate when required (through the JASPIC provider when one is
 * registered, otherwise through {@code doAuthenticate}), enforce the
 * resource permission, then invoke the next valve. Any failing step returns
 * without invoking the next valve; the component that failed is expected to
 * have set the HTTP status already.
 *
 * @param request
 *            Request to be processed
 * @param response
 *            Response to be processed
 *
 * @exception IOException
 *                if an input/output error occurs
 * @exception ServletException
 *                if thrown by a processing element
 */
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
    if (log.isDebugEnabled()) {
        log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
    }
    // Have we got a cached authenticated Principal to record?
    if (cache) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("We have cached auth type " + session.getAuthType() + " for principal " + principal);
                    }
                    // Restore both auth type and Principal so downstream code
                    // sees the request as already authenticated
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(principal);
                }
            }
        }
    }
    // Authenticator-specific hook: presumably true when an authentication
    // exchange is already in progress for this request, so it must reach the
    // authenticator even without a matching constraint - confirm in subclasses
    boolean authRequired = isContinuationRequired(request);
    // The Servlet may specify security constraints through annotations.
    // Ensure that they have been processed before constraints are checked
    Wrapper wrapper = request.getWrapper();
    if (wrapper != null) {
        wrapper.servletSecurityAnnotationScan();
    }
    Realm realm = this.context.getRealm();
    // Is this request URI subject to a security constraint?
    SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
    // A registered JASPIC provider must see every request, so the
    // authentication step is forced on regardless of constraints
    AuthConfigProvider jaspicProvider = getJaspicProvider();
    if (jaspicProvider != null) {
        authRequired = true;
    }
    // Nothing to enforce and nobody needs the request: pass it straight on
    if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
        if (log.isDebugEnabled()) {
            log.debug(" Not subject to any constraint");
        }
        getNext().invoke(request, response);
        return;
    }
    // Make sure that constrained resources are not cached by web proxies
    // or browsers as caching can provide a security hole. POST responses
    // are left alone.
    if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
        if (securePagesWithPragma) {
            // Note: These can cause problems with downloading files with IE
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
        } else {
            response.setHeader("Cache-Control", "private");
        }
        response.setHeader("Expires", DATE_ONE);
    }
    if (constraints != null) {
        // Enforce any user data constraint for this security constraint
        // (the transport guarantee, in Servlet spec terms)
        if (log.isDebugEnabled()) {
            log.debug(" Calling hasUserDataPermission()");
        }
        if (!realm.hasUserDataPermission(request, response, constraints)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed hasUserDataPermission() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    // Since authenticate modifies the response on failure,
    // we have to check for allow-from-all first.
    // hasAuthConstraint ends up true only when every matching constraint
    // restricts access: each must carry an auth-constraint and either allow
    // all roles / all authenticated users or name at least one role. A
    // single open constraint makes the whole set allow-from-all.
    boolean hasAuthConstraint = false;
    if (constraints != null) {
        hasAuthConstraint = true;
        for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
            if (!constraints[i].getAuthConstraint()) {
                hasAuthConstraint = false;
            } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
                String[] roles = constraints[i].findAuthRoles();
                if (roles == null || roles.length == 0) {
                    hasAuthConstraint = false;
                }
            }
        }
    }
    if (!authRequired && hasAuthConstraint) {
        authRequired = true;
    }
    // Preemptive authentication: an otherwise unconstrained request is still
    // authenticated when the client volunteers an Authorization header...
    if (!authRequired && context.getPreemptiveAuthentication()) {
        authRequired = request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
    }
    // ...or, for CLIENT-CERT, presents a client certificate
    if (!authRequired && context.getPreemptiveAuthentication() && HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) {
        X509Certificate[] certs = getRequestCertificates(request);
        authRequired = certs != null && certs.length > 0;
    }
    JaspicState jaspicState = null;
    if (authRequired) {
        if (log.isDebugEnabled()) {
            log.debug(" Calling authenticate()");
        }
        if (jaspicProvider != null) {
            // A null state means the JASPIC set-up has already dealt with the
            // response itself (presumably an error or challenge); stop here
            jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
            if (jaspicState == null) {
                return;
            }
        }
        // && binds tighter than ||: exactly one of the two authentication
        // paths runs, selected by whether a JASPIC provider is registered
        if (jaspicProvider == null && !doAuthenticate(request, response) || jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed authenticate() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    if (constraints != null) {
        // Authorization: the authenticated user must satisfy the role
        // requirements of every matching constraint
        if (log.isDebugEnabled()) {
            log.debug(" Calling accessControl()");
        }
        if (!realm.hasResourcePermission(request, response, constraints, this.context)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed accessControl() test");
            }
            /*
             * ASSERT: AccessControl method has already set the appropriate
             * HTTP status code, so we do not have to do anything special
             */
            return;
        }
    }
    // Any and all specified constraints have been satisfied
    if (log.isDebugEnabled()) {
        log.debug(" Successfully passed all security constraints");
    }
    getNext().invoke(request, response);
    // JASPIC secureResponse phase, run once the downstream valves have
    // produced the response
    if (jaspicProvider != null) {
        secureResponseJspic(request, response, jaspicState);
    }
}

Example 5 with AuthConfigProvider

Use of javax.security.auth.message.config.AuthConfigProvider in project tomcat by apache.

The class TestAuthConfigFactoryImpl, method doTestSearchOrder.

/**
 * Registers four providers at different (layer, appContext) scopes and
 * asserts which one {@code getConfigProvider} selects for the given query.
 * <p>
 * Registrations, numbered as their descriptions: 1 = (null, null),
 * 2 = (null, "AC_1"), 3 = ("L_1", null), 4 = ("L_2", "AC_2"). The returned
 * provider is matched by identity; {@code -1} means none of the four was
 * returned.
 *
 * @param layer      message layer to query
 * @param appContext application context to query
 * @param expected   1-based number of the provider expected to win, or -1
 */
private void doTestSearchOrder(String layer, String appContext, int expected) {
    AuthConfigFactory factory = new AuthConfigFactoryImpl();
    // (layer, appContext) scope of registration i + 1
    String[][] scopes = { { null, null }, { null, "AC_1" }, { "L_1", null }, { "L_2", "AC_2" } };
    AuthConfigProvider[] registered = new AuthConfigProvider[scopes.length];
    for (int i = 0; i < scopes.length; i++) {
        registered[i] = new SimpleAuthConfigProvider(null, null);
        factory.registerConfigProvider(registered[i], scopes[i][0], scopes[i][1], String.valueOf(i + 1));
    }
    AuthConfigProvider searchResult = factory.getConfigProvider(layer, appContext, null);
    int searchIndex = -1;
    for (int i = 0; i < registered.length; i++) {
        // identity comparison, as in the original: the factory must hand back
        // the very instance that was registered
        if (searchResult == registered[i]) {
            searchIndex = i + 1;
            break;
        }
    }
    Assert.assertEquals(expected, searchIndex);
}
