Example 1 with HttpMessageInfo

Use of com.sun.jaspic.config.servlet.HttpMessageInfo in project Payara by payara.

The class JaspicRealm, method validateRequest.

private boolean validateRequest(HttpRequest request, HttpResponse response, LoginConfig config, Authenticator authenticator, boolean calledFromAuthenticate, Function<HttpServletRequest, Boolean> isMandatoryFn) throws IOException {
    HttpServletRequest servletRequest = (HttpServletRequest) request.getRequest();
    HttpServletResponse servletResponse = (HttpServletResponse) response.getResponse();
    Subject subject = new Subject();
    MessageInfo messageInfo = new HttpMessageInfo(servletRequest, servletResponse);
    boolean isValidateSuccess = false;
    boolean isMandatory = true;
    ServerAuthContext authContext = null;
    try {
        isMandatory = isMandatoryFn.apply(servletRequest);
        // Produce caller challenge if call originates from HttpServletRequest#authenticate
        if (isMandatory || calledFromAuthenticate) {
            setMandatory(messageInfo);
        }
        // Obtain the JASPIC ServerAuthContext, which represents the authentication mechanism that interacts with the caller
        authContext = getServerAuthContext(messageInfo);
        // Call the JASPIC ServerAuthContext which should eventually call the ServerAuthModule (SAM)
        // Notice a null is passed in as the service subject
        // Additionally notice we only care about SUCCESS being returned or not and ignore
        // all other JASPIC AuthStatus values.
        isValidateSuccess = SUCCESS.equals(authContext.validateRequest(messageInfo, subject, null));
        if (!isValidateSuccess) {
            return false;
        }
    } catch (AuthException | RuntimeException e) {
        logger.log(WARNING, "JASPIC: http msg authentication fail", e);
        servletResponse.setStatus(SC_INTERNAL_SERVER_ERROR);
    }
    // When a SAM has returned SUCCESS, it can mean 3 different things:
    // 1. The SAM authenticated the caller and a new Principal has been set
    // 2. The SAM "did nothing" and a NULL has been set
    // 3. The SAM wants to use the session and sets the (non-null) Principal it obtained from the passed-in request
    // Store the messageInfo and ServerAuthContext so that the exact same ones can be used again when the SAM
    // needs to be called again later in this request (for example, when secureResponse is called).
    storeMessageInfoInRequest(servletRequest, messageInfo, authContext);
    // There must be at least one new principal to count as SAM having authenticated
    if (hasNewPrincipal(subject.getPrincipals())) {
        // Handle case 1: The SAM authenticated the caller and a new Principal has been set
        handleSamAuthenticated(subject, messageInfo, request, response, config, authenticator);
    } else {
        // Handle case 2: The SAM "did nothing" and a NULL has been set.
        isValidateSuccess = handleSamNotAuthenticated(messageInfo, isMandatory, isValidateSuccess, request, response);
    }
    if (isValidateSuccess) {
        // Check if the SAM instructed us to wrap the request and response, and if so do the wrapping
        checkRequestResponseWrappingNeeded(messageInfo, request, response, servletRequest, servletResponse);
    }
    return isValidateSuccess;
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), HttpServletResponse (javax.servlet.http.HttpServletResponse), AuthException (javax.security.auth.message.AuthException), HttpMessageInfo (com.sun.jaspic.config.servlet.HttpMessageInfo), Subject (javax.security.auth.Subject), MessageInfo (javax.security.auth.message.MessageInfo), ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)

Example 2 with HttpMessageInfo

Use of com.sun.jaspic.config.servlet.HttpMessageInfo in project Payara by payara.

The class JaspicRealm, method cleanSubject.

public void cleanSubject(HttpRequest httpRequest) throws AuthException {
    MessageInfo messageInfo = (MessageInfo) httpRequest.getRequest().getAttribute(MESSAGE_INFO);
    if (messageInfo == null) {
        messageInfo = new HttpMessageInfo((HttpServletRequest) httpRequest.getRequest(), (HttpServletResponse) httpRequest.getResponse().getResponse());
    }
    messageInfo.getMap().put(IS_MANDATORY, TRUE.toString());
    ServerAuthContext serverAuthContext = jaspicServices.getServerAuthContext(messageInfo, null);
    if (serverAuthContext != null) {
        // Check for the default/server-generated/unauthenticated security context.
        SecurityContext securityContext = SecurityContext.getCurrent();
        Subject subject = securityContext.didServerGenerateCredentials() ? new Subject() : securityContext.getSubject();
        if (subject == null) {
            subject = new Subject();
        }
        if (subject.isReadOnly()) {
            logger.log(WARNING, "Read-only subject found during logout processing");
        }
        try {
            httpRequest.getContext().fireContainerEvent(BEFORE_LOGOUT, null);
            serverAuthContext.cleanSubject(messageInfo, subject);
        } finally {
            httpRequest.getContext().fireContainerEvent(AFTER_LOGOUT, null);
        }
    }
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), SecurityContext (com.sun.enterprise.security.SecurityContext), HttpServletResponse (javax.servlet.http.HttpServletResponse), HttpMessageInfo (com.sun.jaspic.config.servlet.HttpMessageInfo), Subject (javax.security.auth.Subject), MessageInfo (javax.security.auth.message.MessageInfo), ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)
