use of com.disney.http.auth.server.AuthenticatedPrincipal in project groovity by disney.
the class BasicVerifierImpl method doVerifyInternal.
@Override
protected VerifierResult doVerifyInternal(ServerAuthorizationRequest request) {
VerifierResult result = new VerifierResult();
List<String> basicAuth = request.getHeaders(AUTHORIZATION_HEADER);
if (basicAuth == null || basicAuth.isEmpty()) {
challenge(result, ERROR_MISSING_CREDENTIALS);
return result;
}
BasicAuthorization auth;
try {
auth = new BasicAuthorization(basicAuth.get(0));
} catch (Exception e) {
challenge(result, e.getMessage());
return result;
}
for (int i = 0; i < passwordCheckers.size(); i++) {
PasswordChecker checker = passwordCheckers.get(i);
if (checker.check(auth.getUsername(), auth.getPassword())) {
result.setAuthenticated(true);
result.setPrincipal(new AuthenticatedPrincipal(auth.getUsername()));
return result;
}
}
challenge(result, ERROR_UNKNOWN_CREDENTIALS);
return result;
}
use of com.disney.http.auth.server.AuthenticatedPrincipal in project groovity by disney.
the class DigestVerifierImpl method doVerifyInternal.
@Override
protected VerifierResult doVerifyInternal(ServerAuthorizationRequest request) throws NoSuchAlgorithmException, IOException {
VerifierResult result = new VerifierResult();
List<String> headers = request.getHeaders(AUTHORIZATION_HEADER);
String authHeader = null;
for (String header : headers) {
if (header.startsWith(DIGEST)) {
authHeader = header;
break;
}
}
MessageDigest md5 = MessageDigest.getInstance("MD5");
if (authHeader == null) {
challenge(request, md5, result, ERROR_MISSING_CREDENTIALS, false);
return result;
}
DigestAuthorization authd;
try {
authd = new DigestAuthorization(authHeader);
} catch (Exception e) {
challenge(request, md5, result, e.getMessage(), false);
return result;
}
// validate URI
if (!request.getURI().equals(authd.getUri())) {
challenge(request, md5, result, ERROR_INCORRECT_URI, false);
return result;
}
String nonce = authd.getNonce();
byte[] nonceBytes = DatatypeConverter.parseBase64Binary(nonce);
// validate timestamp
long timestamp = toLong(nonceBytes);
// validate nonce
if (!nonce.equals(makeNonce(md5, timestamp))) {
challenge(request, md5, result, ERROR_INVALID_NONCE, false);
return result;
}
// validate digest
byte[] ha2 = DatatypeConverter.printHexBinary(md5.digest((request.getMethod() + ":" + authd.getUri()).getBytes("UTF-8"))).toLowerCase().getBytes();
for (int i = 0; i < passwordDigesters.size(); i++) {
PasswordDigester digester = passwordDigesters.get(i);
byte[] ha1 = digester.digest(authd.getUsername(), getRealm());
if (ha1 != null) {
ByteArrayOutputStream baos = new ByteArrayOutputStream(200);
baos.write(DatatypeConverter.printHexBinary(ha1).toLowerCase().getBytes());
baos.write((byte) ':');
baos.write(nonce.getBytes());
baos.write((byte) ':');
if ("auth".equals(authd.getQop())) {
baos.write(authd.getNonceCount().getBytes());
baos.write((byte) ':');
baos.write(authd.getCnonce().getBytes("UTF-8"));
baos.write((byte) ':');
baos.write(authd.getQop().getBytes());
baos.write((byte) ':');
}
byte[] rd = baos.toByteArray();
md5.reset();
md5.update(rd);
md5.update(ha2);
byte[] digestVal = md5.digest();
if (Arrays.equals(digestVal, authd.getDigest())) {
if ("auth".equals(authd.getQop())) {
md5.reset();
md5.update(rd);
md5.update(DatatypeConverter.printHexBinary(md5.digest((":" + authd.getUri()).getBytes("UTF-8"))).toLowerCase().getBytes());
byte[] rspAuth = md5.digest();
result.setAuthenticationInfo("qop=\"" + authd.getQop() + "\",cnonce=\"" + authd.getCnonce() + "\",nc=" + authd.getNonceCount() + ",rspauth=\"" + DatatypeConverter.printHexBinary(rspAuth).toLowerCase() + "\"");
}
if ((System.currentTimeMillis() - timestamp) > maxNonceAge) {
challenge(request, md5, result, ERROR_STALE_NONCE, true);
} else {
result.setAuthenticated(true);
result.setPrincipal(new AuthenticatedPrincipal(authd.getUsername()));
}
return result;
}
}
}
challenge(request, md5, result, ERROR_UNKNOWN_CREDENTIALS, false);
return result;
}
use of com.disney.http.auth.server.AuthenticatedPrincipal in project groovity by disney.
the class SignatureVerifierImpl method doVerifyInternal.
/**
* Given a request and response, analyze the request Authorization header and
* look up the appropriate key in the keystore; if the
* header is missing, incomplete or invalid, will send a 401 error on the response
* with WWW-Authenticate header and return null.
*
* If the request contains a Digest header, the returned HttpServletRequest
* will wrap the original with one that will lazily verify the request body.
* Consumers should replace the original ServletRequest with the returned one
* for further processing, and be prepared for the possible VerificationException
*
* @param request
* @throws IOException
* @throws GeneralSecurityException
*/
protected VerifierResult doVerifyInternal(ServerAuthorizationRequest request) throws Exception {
VerifierResult result = new VerifierResult();
List<String> authHeader = request.getHeaders(AUTHORIZATION_HEADER);
if (authHeader == null || authHeader.isEmpty() || !authHeader.get(0).startsWith(SIGNATURE_HEADER)) {
authHeader = request.getHeaders(SIGNATURE_HEADER);
}
// System.out.println("Received auth header "+authHeader);
if (authHeader == null || authHeader.isEmpty()) {
challenge(result, ERROR_MISSING_SIGNATURE);
return result;
}
// this will throw an exception if the auth header is not properly formatted
SignatureAuthorization authSig;
try {
authSig = new SignatureAuthorization(authHeader.get(0));
} catch (Exception e) {
challenge(result, e.getMessage());
return result;
}
// now validate that the authSig was signed with all the required headers
for (String required : requiredHeaders) {
if (!authSig.getHeaders().contains(required.toLowerCase())) {
if (required.toLowerCase().equals("date") && authSig.getHeaders().contains("x-date")) {
// allow x-date to substitute for date
continue;
}
challenge(result, MessageFormat.format(ERROR_MISSING_HEADER_FORMAT, required));
return result;
}
}
List<String> reqDateStr = request.getHeaders("x-date");
if (reqDateStr == null || reqDateStr.isEmpty()) {
reqDateStr = request.getHeaders("date");
}
// now validate the date is in range, use x-date if provided (for ajax support)
long reqDate = -1;
if (reqDateStr != null && !reqDateStr.isEmpty()) {
String rd = reqDateStr.get(0);
SimpleDateFormat dateFormat = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz");
try {
reqDate = dateFormat.parse(rd).getTime();
} catch (ParseException e) {
dateFormat = new SimpleDateFormat("EEE, dd-MMM-yy HH:mm:ss zzz");
try {
reqDate = dateFormat.parse(rd).getTime();
} catch (ParseException e1) {
dateFormat = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy");
reqDate = dateFormat.parse(rd).getTime();
}
}
}
if ((System.currentTimeMillis() - reqDate) > maxDateDrift) {
challenge(result, ERROR_INVALID_DATE);
return result;
}
// now lookup the key
String errorFormat = ERROR_UNKOWN_KEY_ID_FORMAT;
Key[] keys = null;
for (KeyChain keyChain : keyChains) {
if (keyChain.containsKey(authSig.getKeyId())) {
if (authSig.getAlgorithm().startsWith("hmac")) {
try {
keys = keyChain.getSecretKeys(authSig.getKeyId());
} catch (UnrecoverableKeyException e) {
errorFormat = ERROR_EXPECTED_HMAC_FORMAT;
}
} else {
try {
keys = keyChain.getPublicKeys(authSig.getKeyId());
} catch (UnrecoverableKeyException e) {
errorFormat = ERROR_EXPECTED_RSA_FORMAT;
}
}
}
}
if (keys == null || keys.length == 0) {
challenge(result, MessageFormat.format(errorFormat, authSig.getKeyId()));
return result;
}
String errorMessage = null;
for (Key key : keys) {
// validate key algorithm is appropriate
if (key.getAlgorithm().equals("RSA")) {
if (!authSig.getAlgorithm().startsWith("rsa")) {
errorMessage = MessageFormat.format(ERROR_EXPECTED_HMAC_FORMAT, authSig.getKeyId());
continue;
}
}
if (key.getAlgorithm().startsWith("Hmac")) {
if (!authSig.getAlgorithm().startsWith("hmac")) {
errorMessage = MessageFormat.format(ERROR_EXPECTED_RSA_FORMAT, authSig.getKeyId());
continue;
}
}
// now generate the signature to compare
String toSign = authSig.generateSigningString(request);
// System.out.println("Signing string is "+toSign);
if (verifyMessage(key, toSign, authSig.getSignature(), authSig.getAlgorithm())) {
result.setAuthenticated(true);
result.setPrincipal(new AuthenticatedPrincipal(authSig.getKeyId()));
return result;
} else {
errorMessage = ERROR_VERIFICATION_FAILED;
}
}
challenge(result, errorMessage);
return result;
}
Aggregations