
Example 26 with AuthToken

use of com.zimbra.cs.account.AuthToken in project zm-mailbox by Zimbra.

the class AuthProvider method getAuthToken.

/**
 * Obtains an {@link AuthToken} for {@code acct} from the first registered provider that
 * produces one.
 * <p>
 * Providers are consulted in the order returned by {@code getProviders()}. A provider that
 * returns {@code null}, or throws an {@link AuthProviderException} that is not ignorable,
 * is recorded and the next provider is tried; an ignorable exception is only logged at
 * debug level. When no provider succeeds, the most recently recorded exception is thrown,
 * or a generic FAILURE if none was recorded.
 *
 * @param acct account the token is minted for
 * @return a non-null token from the first successful provider
 * @throws AuthProviderException when every provider fails
 */
public static AuthToken getAuthToken(Account acct) throws AuthProviderException {
    AuthProviderException lastFailure = null;
    for (AuthProvider provider : getProviders()) {
        AuthToken token;
        try {
            token = provider.authToken(acct);
        } catch (AuthProviderException e) {
            if (e.canIgnore()) {
                logger().debug(provider.getName() + ":" + e.getMessage());
            } else {
                // Later providers may still succeed; only the last hard failure is reported.
                lastFailure = e;
            }
            continue;
        }
        if (token != null) {
            return token;
        }
        lastFailure = AuthProviderException.FAILURE("auth provider " + provider.getName() + " returned null");
    }
    if (lastFailure != null) {
        throw lastFailure;
    }
    throw AuthProviderException.FAILURE("cannot get authtoken from account " + acct.getName());
}

Example 27 with AuthToken

use of com.zimbra.cs.account.AuthToken in project zm-mailbox by Zimbra.

the class ZimbraQoSFilter method extractUserId.

/**
 * Derives the key the QoS filter uses to identify the caller of {@code request}.
 * <p>
 * Resolution order: the account id of a valid auth token (looked up as an admin or user
 * token depending on {@link AuthUtil#isAdminRequest}), else the raw {@code Authorization}
 * header, else {@code null}. A non-HTTP request, or any exception raised while resolving
 * the token, also yields {@code null}; the exception is logged at debug level only.
 * <p>
 * NOTE(review): in the header case the returned string is the Authorization value itself,
 * which for HTTP Basic carries the caller's encoded credentials; callers keying on it must
 * not log it or retain it in long-lived structures. The scheme is not checked, so any
 * Authorization value is returned, not just Basic.
 *
 * @param request incoming request, possibly not an HTTP request
 * @return account id, Authorization header value, or {@code null}
 */
public static String extractUserId(ServletRequest request) {
    if (!(request instanceof HttpServletRequest)) {
        return null;
    }
    HttpServletRequest httpReq = (HttpServletRequest) request;
    try {
        boolean adminRequest = AuthUtil.isAdminRequest(httpReq);
        AuthToken token = AuthProvider.getAuthToken(httpReq, adminRequest);
        if (token != null) {
            return token.getAccountId();
        }
        // No token: fall back to the Authorization header (null when absent).
        return httpReq.getHeader("Authorization");
    } catch (Exception e) {
        // Best effort: an unidentifiable caller is reported as null rather than failing the request.
        ZimbraLog.misc.debug("error while extracting authtoken", e);
        return null;
    }
}

Example 28 with AuthToken

use of com.zimbra.cs.account.AuthToken in project zm-mailbox by Zimbra.

the class CsrfFilter method doFilter.

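/**
 * Applies the CSRF protections to every request passing through this filter.
 * <p>
 * The filter (1) stores a per-request nonce under {@code CSRF_SALT}, (2) reads the
 * token-check and referer-check switches from the global config, (3) rejects the request
 * with 403 when the referer check is enabled and fails, (4) records under
 * {@code CSRF_TOKEN_CHECK} whether the downstream handler must verify a CSRF token, and
 * (5) publishes the request host in {@link ZThreadLocal} for the remainder of the chain.
 * <p>
 * The thread-local request context is set before {@code chain.doFilter} and cleared in a
 * {@code finally} afterwards, so downstream filters (DefangFilter) can read it and it never
 * survives into the next request handled by the same thread.
 *
 * @param request  incoming request; cast to {@link HttpServletRequest}
 * @param response outgoing response; cast to {@link HttpServletResponse}
 * @param chain    remainder of the filter chain
 * @throws IOException      propagated from the chain or from {@code sendError}
 * @throws ServletException propagated from the chain
 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
 *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    ZimbraLog.clearContext();
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    // NOTE(review): nonceGen is declared outside this block; since the salt feeds CSRF
    // token handling it should be a SecureRandom -- confirm at the declaration.
    req.setAttribute(CSRF_SALT, nonceGen.nextInt() + 1);
    if (ZimbraLog.misc.isDebugEnabled()) {
        ZimbraLog.misc.debug("CSRF Request URI: " + req.getRequestURI());
    }
    // Both checks default to off when the config cannot be read; the failure is logged
    // but does not block the request.
    boolean csrfCheckEnabled = false;
    boolean csrfRefererCheckEnabled = false;
    Provisioning prov = Provisioning.getInstance();
    try {
        csrfCheckEnabled = prov.getConfig().isCsrfTokenCheckEnabled();
        csrfRefererCheckEnabled = prov.getConfig().isCsrfRefererCheckEnabled();
    } catch (ServiceException e) {
        ZimbraLog.misc.info("Error in CSRF filter." + e.getMessage(), e);
    }
    if (ZimbraLog.misc.isDebugEnabled()) {
        ZimbraLog.misc.debug("CSRF filter was initialized : " + "CSRFcheck enabled: " + csrfCheckEnabled + "CSRF referer check enabled: " + csrfRefererCheckEnabled + ", CSRFAllowedRefHost: [" + Joiner.on(", ").join(this.allowedRefHosts) + "]" + ", CSRFTokenValidity " + this.maxCsrfTokenValidityInMs + "ms.");
    }
    if (ZimbraLog.misc.isTraceEnabled()) {
        traceRequestHeaders(req);
    }
    if (csrfRefererCheckEnabled) {
        if (!allowReqBasedOnRefererHeaderCheck(req)) {
            ZimbraLog.misc.info("CSRF referer check failed");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
    }
    // Publish the virtual host for downstream filters before the chain runs; clear it
    // afterwards so the thread-local does not leak into the next request on this thread.
    RequestContext reqCtxt = new RequestContext();
    String host = CsrfUtil.getRequestHost(req);
    reqCtxt.setVirtualHost(host);
    ZThreadLocal.setContext(reqCtxt);
    try {
        if (!csrfCheckEnabled) {
            req.setAttribute(CSRF_TOKEN_CHECK, Boolean.FALSE);
        } else {
            req.setAttribute(Provisioning.A_zimbraCsrfTokenCheckEnabled, Boolean.TRUE);
            AuthToken authToken = CsrfUtil.getAuthTokenFromReq(req);
            if (CsrfUtil.doCsrfCheck(req, authToken)) {
                // post request and Auth token is CSRF enabled
                req.setAttribute(CSRF_TOKEN_CHECK, Boolean.TRUE);
            } else {
                req.setAttribute(CSRF_TOKEN_CHECK, Boolean.FALSE);
                ZimbraLog.misc.debug("CSRF check will not be done for URI : %s", req.getRequestURI());
            }
        }
        chain.doFilter(req, resp);
    } finally {
        // Unset the variables set in thread local
        ZThreadLocal.unset();
    }
}

/**
 * Logs every request header at trace level, skipping the ones that carry credentials.
 *
 * @param req request whose headers are traced
 */
private static void traceRequestHeaders(HttpServletRequest req) {
    Enumeration<String> hdrNames = req.getHeaderNames();
    ZimbraLog.misc.trace("Soap request headers.");
    if (hdrNames == null) {
        // Servlet containers may withhold header access; nothing to trace then.
        return;
    }
    while (hdrNames.hasMoreElements()) {
        String name = hdrNames.nextElement();
        if (isCredentialHeader(name)) {
            continue;
        }
        ZimbraLog.misc.trace(name + "=" + req.getHeader(name));
    }
}

/**
 * Returns whether a header must be kept out of the trace log.
 * <p>
 * Header names are case-insensitive (HTTP/2 clients send them in lower case), so the
 * comparison ignores case; a case-sensitive {@code contains} would let a lower-case
 * {@code cookie} header, and the auth cookies inside it, reach the log. The Authorization
 * header is excluded for the same reason.
 *
 * @param name header name as reported by the container
 * @return {@code true} when the header carries cookies or an Authorization value
 */
private static boolean isCredentialHeader(String name) {
    String lower = name.toLowerCase(java.util.Locale.ROOT);
    return lower.contains(HttpHeaders.COOKIE.toLowerCase(java.util.Locale.ROOT))
            || lower.equals("authorization");
}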

Example 29 with AuthToken

use of com.zimbra.cs.account.AuthToken in project zm-mailbox by Zimbra.

the class TestAuthentication method testAuthViaPreauthToken.

/**
 * Verifies that an AuthRequest carrying a domain preauth value (instead of a password)
 * yields a registered, unexpired auth token whose lifetime is bounded by the preauth
 * expiry.
 *
 * @throws Exception on provisioning or SOAP transport failures
 */
public void testAuthViaPreauthToken() throws Exception {
    long now = System.currentTimeMillis();
    long expiresAt = now + 60000;
    String domainKey = setUpAndReturnDomainAuthKey();
    Account account = TestUtil.getAccount(USER_NAME);

    // The preauth value is computed over exactly these fields, in string form.
    HashMap<String, String> preAuthParams = new HashMap<String, String>();
    preAuthParams.put("account", account.getName());
    preAuthParams.put("by", "name");
    preAuthParams.put("timestamp", String.valueOf(now));
    preAuthParams.put("expires", String.valueOf(expiresAt));
    String preAuthValue = PreAuthKey.computePreAuth(preAuthParams, domainKey);
    PreAuth preAuth = new PreAuth().setExpires(expiresAt).setTimestamp(now).setValue(preAuthValue);

    AccountSelector selector = new AccountSelector(com.zimbra.soap.type.AccountBy.name, account.getName());
    AuthRequest authReq = new AuthRequest(selector).setPreauth(preAuth);
    SoapHttpTransport transport = new SoapHttpTransport(TestUtil.getSoapUrl());
    Element respElem = transport.invoke(JaxbUtil.jaxbToElement(authReq, SoapProtocol.SoapJS.getFactory()));
    AuthResponse authResp = JaxbUtil.elementToJaxb(respElem);

    assertTrue("Lifetime is invalid", authResp.getLifetime() < expiresAt - now);
    String issuedToken = authResp.getAuthToken();
    assertNotNull("should have received a new authtoken", issuedToken);
    assertTrue("should have a received a non-empty authtoken", issuedToken.length() > 0);
    AuthToken parsed = ZimbraAuthToken.getAuthToken(issuedToken);
    assertTrue("new auth token should be registered", parsed.isRegistered());
    assertFalse("new auth token should not be expired yet", parsed.isExpired());
}

Example 30 with AuthToken

use of com.zimbra.cs.account.AuthToken in project zm-mailbox by Zimbra.

the class TestPreAuthServlet method testShouldNotAllowPreAuthGetCookieReuse.

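/**
 * A preauth GET presenting a given authtoken must be honoured only once: replaying the
 * identical query string is expected to be rejected with 400.
 * <p>
 * The response to the first request is now asserted as well (it must not be the 400 that
 * the replay receives), so the "allow first request" half of the scenario is actually
 * tested; the stray {@code System.out} print of the token state is dropped.
 *
 * @throws Exception on provisioning or HTTP failures
 */
public void testShouldNotAllowPreAuthGetCookieReuse() throws Exception {
    Account account = TestUtil.getAccount("user1");
    AuthToken authToken = new ZimbraAuthToken(account);
    Server localServer = Provisioning.getInstance().getLocalServer();
    String protoHostPort = "http://localhost:" + localServer.getIntAttr(Provisioning.A_zimbraMailPort, 0);
    String url = protoHostPort + PRE_AUTH_URL;
    // Same query string for both requests: the second is a verbatim replay of the first.
    NameValuePair[] query = new NameValuePair[] {
        new NameValuePair("isredirect", "1"),
        new NameValuePair("authtoken", authToken.getEncoded())
    };
    HttpClient client = new HttpClient();

    // First use of the token must be accepted.
    HttpMethod first = new GetMethod(url);
    first.setQueryString(query);
    int firstCode = HttpClientUtil.executeMethod(client, first);
    Assert.assertNotEquals("first pre-auth request should not be rejected", 400, firstCode);

    // Replaying the same token must be rejected.
    HttpMethod second = new GetMethod(url);
    second.setQueryString(query);
    int secondCode = HttpClientUtil.executeMethod(client, second);
    Assert.assertEquals(400, secondCode);
}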
