/**
 * Resolves the auth token for a SOAP request by asking each enabled {@link AuthProvider} in turn.
 *
 * <p>Unlike the servlet variants, no {@code isAdminReq} flag is passed here: when the
 * {@code <context>} header is examined, SoapEngine has not parsed the body yet, and whether
 * admin auth is required depends on the SOAP command carried in the body. ZimbraAuthProvider
 * (and the YahooYT provider) read the encoded token from a fixed tag regardless, so the flag
 * is not needed at this stage.
 *
 * <p>Resolution is fail-closed. The first provider that returns a non-null token wins
 * immediately. A provider that returns {@code null}, throws a non-ignorable
 * {@link AuthProviderException}, or throws {@link AuthTokenException} leaves a pending
 * exception behind; only an ignorable {@link AuthProviderException} ("no auth data for this
 * provider") is logged and skipped without recording anything. When the chain is exhausted,
 * the pending exception is thrown — and it is the one from the LAST failing provider, so an
 * earlier provider's failure is overwritten and only visible in the debug log. {@code null} is
 * returned only when every provider reported ignorable "no data" (or no provider is enabled).
 *
 * @param soapCtxt   {@code <context>} element in the SOAP header
 * @param engineCtxt soap engine context
 * @return the first non-null token a provider produced, or {@code null} when no provider had
 *         auth data for this request
 * @throws AuthTokenException if any provider failed hard and none produced a token (last failure wins)
 */
public static AuthToken getAuthToken(Element soapCtxt, Map engineCtxt) throws AuthTokenException {
    AuthTokenException pending = null;
    for (AuthProvider provider : getProviders()) {
        try {
            AuthToken token = provider.authToken(soapCtxt, engineCtxt);
            if (token != null) {
                return token;
            }
            // A null token is not "no data" — it is recorded as a failure so the caller does not
            // silently proceed unauthenticated.
            pending = new AuthTokenException("auth provider " + provider.getName() + " returned null");
        } catch (AuthProviderException e) {
            if (e.canIgnore()) {
                // this provider simply has no auth data for the request; try the next one
                logger().debug(provider.getName() + ":" + e.getMessage());
            } else {
                pending = new AuthTokenException("auth provider error", e);
            }
        } catch (AuthTokenException e) {
            pending = e;
            logger().debug("getAuthToken error: provider=" + provider.getName() + ", err=" + e.getMessage(), e);
        }
    }
    if (pending != null) {
        // only the last failure survives; earlier ones were overwritten above
        throw pending;
    }
    return null;
}
/**
 * Jetty authenticator hook: tries to authenticate a mandatory request from a Zimbra auth-token
 * cookie before handing off to the inherited (basic) authenticator.
 *
 * <p>Only requests whose URI matches {@code urlPattern} are examined, so that unrelated URLs
 * do not hit the auth provider (which may be external). Both cookie names returned by
 * {@code ZimbraCookie.authTokenCookieName(true/false)} are accepted, compared
 * case-insensitively. The first cookie whose token decodes and validates to an account yields
 * a {@link UserAuthentication}; a cookie that fails to decode or validate is logged at error
 * level and the remaining cookies are still tried. Anything else — a non-mandatory request,
 * a non-HTTP request, no matching cookie, or a misconfigured login service — falls through to
 * {@code super.validateRequest}.
 *
 * <p>NOTE(review): {@code assert (false)} on the misconfiguration path is a no-op unless the
 * JVM runs with {@code -ea}; in production the warn line is the only signal and the request
 * silently continues to basic auth.
 *
 * @param req       the incoming request
 * @param resp      the response
 * @param mandatory whether authentication is required for this request
 * @return an authentication for the token's account, else whatever the superclass decides
 * @throws ServerAuthException propagated from {@code super.validateRequest}
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse resp, boolean mandatory) throws ServerAuthException {
    if (!mandatory || !(req instanceof HttpServletRequest)) {
        return super.validateRequest(req, resp, mandatory);
    }
    HttpServletRequest httpReq = (HttpServletRequest) req;
    // Ignore URLs outside our pattern rather than potentially flooding the (possibly external) auth provider.
    if (!PathMap.match(urlPattern, httpReq.getRequestURI())) {
        return super.validateRequest(req, resp, mandatory);
    }
    Cookie[] cookies = httpReq.getCookies();
    if (cookies == null) {
        return super.validateRequest(req, resp, mandatory);
    }
    for (Cookie cookie : cookies) {
        String name = cookie.getName();
        boolean isAuthTokenCookie = ZimbraCookie.authTokenCookieName(true).equalsIgnoreCase(name)
                || ZimbraCookie.authTokenCookieName(false).equalsIgnoreCase(name);
        if (!isAuthTokenCookie) {
            continue;
        }
        Authentication fromCookie = authenticateFromCookie(cookie.getValue());
        if (fromCookie != null) {
            return fromCookie;
        }
    }
    ZimbraLog.security.debug("no valid auth token, fallback to basic");
    return super.validateRequest(req, resp, mandatory);
}

/**
 * Decodes and validates one auth-token cookie value.
 *
 * @param encoded the raw cookie value
 * @return a {@link UserAuthentication} for the validated account, or {@code null} when the
 *         token does not decode, does not validate, validates to no account, or the login
 *         service is not a {@link ZimbraLoginService}
 */
private Authentication authenticateFromCookie(String encoded) {
    try {
        AuthToken token = AuthProvider.getAuthToken(encoded);
        Account authAcct = AuthProvider.validateAuthToken(Provisioning.getInstance(), token, false);
        if (authAcct == null) {
            return null;
        }
        if (!(_loginService instanceof ZimbraLoginService)) {
            ZimbraLog.security.warn("Misconfigured? _loginService not ZimbraLoginService");
            assert (false);
            return null;
        }
        UserIdentity user = ((ZimbraLoginService) _loginService).makeUserIdentity(authAcct.getMail());
        ZimbraLog.security.debug("Auth token validated");
        return new UserAuthentication(getAuthMethod(), user);
    } catch (AuthTokenException e) {
        ZimbraLog.security.error("Unable to authenticate due to AuthTokenException", e);
    } catch (ServiceException e) {
        ZimbraLog.security.error("Unable to authenticate due to ServiceException", e);
    }
    return null;
}
// public synchronized static void addFormatter(Formatter f) {
// mFormatters.put(f.getType(), f);
// for (String mimeType : f.getDefaultMimeTypes())
// mDefaultFormatters.put(mimeType, f);
// }
//
// public Formatter getFormatter(String type) {
// return mFormatters.get(type);
// }
/**
 * Establishes the authenticated account (if any) for a UserServlet request.
 *
 * <p>Credential sources are tried in a fixed order; the first one that presents something
 * decides the outcome:
 * <ol>
 *   <li>Cookie / access-key auth token, when {@code context.cookieAuthAllowed()} or the
 *       provider allows access-key auth. A Zimbra-user token must be registered and must
 *       validate against provisioning, otherwise 401. A non-Zimbra token yields a
 *       {@link GuestAccount} unless it is expired (401), and is recorded as if basic auth
 *       had happened.</li>
 *   <li>The {@code zauthtoken} query parameter (falling back to the older {@code authtoken}
 *       parameter) when {@code context.queryParamAuthAllowed()}. Only ZimbraAuthProvider can
 *       decode these. Tokens in a URL end up in access logs, browser history and Referer
 *       headers, which is why this path is gated separately from cookie auth.</li>
 *   <li>HTTP basic auth when {@code context.basicAuthAllowed()}. On success a token is minted
 *       for the account and, if {@code context.setCookie()}, written back as a cookie. The
 *       cookie's Secure flag is derived from {@code req.getScheme()}, so behind a
 *       TLS-terminating proxy that forwards plain HTTP the cookie goes out without it — worth
 *       checking per deployment.</li>
 * </ol>
 * If no credential is presented the request continues unauthenticated (anonymous public access).
 *
 * <p>A malformed auth token ({@link AuthTokenException}) is an authentication failure
 * (bug 35917), not a server error. NOTE(review): the query-string path does not repeat the
 * {@code isRegistered()} check that the cookie path makes; whether
 * {@code validateAuthToken} covers de-registered tokens is not visible from here.
 *
 * @param context request context; the auth account, auth token and the
 *                {@code *AuthHappened} flags are set on it as a side effect
 * @throws UserServletException 401 when a presented credential is invalid
 * @throws ServletException     wrapping any ServiceException not translated to a 401
 * @throws IOException          from the basic-auth exchange
 */
public static void getAccount(UserServletContext context) throws IOException, ServletException, UserServletException {
    try {
        boolean isAdminRequest = AuthUtil.isAdminRequest(context.req);
        // 1. cookie or access key
        if (context.cookieAuthAllowed() || AuthProvider.allowAccessKeyAuth(context.req, context.getServlet())) {
            if (authFromToken(context, isAdminRequest)) {
                return;
            }
        }
        // 2. query string
        if (context.queryParamAuthAllowed() && authFromQueryParam(context)) {
            return;
        }
        // 3. basic auth (always terminal when allowed, even if it yields no account)
        if (context.basicAuthAllowed()) {
            authFromBasic(context, isAdminRequest);
            return;
        }
        // no credential at this point: assume anonymous public access and continue
    } catch (ServiceException e) {
        throw new ServletException(e);
    }
}

/** Builds the 401 response exception used for every credential failure in this class. */
private static UserServletException mustAuthenticate(UserServletContext context) {
    return new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
}

/**
 * Cookie / access-key path.
 *
 * @return {@code true} when a token was present and the account has been set; {@code false}
 *         when no token was present so the next credential source should be tried
 */
private static boolean authFromToken(UserServletContext context, boolean isAdminRequest)
        throws IOException, ServletException, UserServletException, ServiceException {
    try {
        AuthToken at = AuthProvider.getAuthToken(context.req, isAdminRequest);
        if (at == null) {
            return false;
        }
        if (at.isZimbraUser()) {
            // a logged-out (de-registered) token must not be accepted
            if (!at.isRegistered()) {
                throw mustAuthenticate(context);
            }
            try {
                context.setAuthAccount(AuthProvider.validateAuthToken(Provisioning.getInstance(), at, false));
            } catch (ServiceException e) {
                throw mustAuthenticate(context);
            }
            context.cookieAuthHappened = true;
        } else {
            if (at.isExpired()) {
                throw mustAuthenticate(context);
            }
            context.setAuthAccount(new GuestAccount(at));
            // pretend that we basic authed
            context.basicAuthHappened = true;
        }
        context.authToken = at;
        return true;
    } catch (AuthTokenException e) {
        // bug 35917: malformed auth token means auth failure
        throw mustAuthenticate(context);
    }
}

/**
 * Query-string path ({@code zauthtoken}, else {@code authtoken}).
 *
 * @return {@code true} when a parameter was present and the account has been set;
 *         {@code false} when neither parameter was present
 */
private static boolean authFromQueryParam(UserServletContext context)
        throws IOException, ServletException, UserServletException, ServiceException {
    String auth = context.params.get(ZimbraServlet.QP_ZAUTHTOKEN);
    if (auth == null) {
        // not sure who uses this parameter; zauthtoken is preferred
        auth = context.params.get(UserServlet.QP_AUTHTOKEN);
    }
    if (auth == null) {
        return false;
    }
    try {
        // Only supported by ZimbraAuthProvider
        AuthToken at = AuthProvider.getAuthToken(auth);
        try {
            context.setAuthAccount(AuthProvider.validateAuthToken(Provisioning.getInstance(), at, false));
            context.qpAuthHappened = true;
            context.authToken = at;
            return true;
        } catch (ServiceException e) {
            throw mustAuthenticate(context);
        }
    } catch (AuthTokenException e) {
        // bug 35917: malformed auth token means auth failure
        throw mustAuthenticate(context);
    }
}

/** Basic-auth path; leaves the account unset when the exchange does not authenticate anyone. */
private static void authFromBasic(UserServletContext context, boolean isAdminRequest)
        throws IOException, ServletException, UserServletException, ServiceException {
    context.setAuthAccount(AuthUtil.basicAuthRequest(context.req, context.resp, context.servlet, false));
    if (context.getAuthAccount() == null) {
        return;
    }
    context.basicAuthHappened = true;
    context.authToken = AuthProvider.getAuthToken(context.getAuthAccount(), isAdminRequest);
    // send cookie back if need be
    if (context.setCookie()) {
        // Secure flag follows the scheme the servlet container sees, not the client's
        boolean secureCookie = context.req.getScheme().equals("https");
        context.authToken.encode(context.resp, isAdminRequest, secureCookie);
    }
}
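/**
 * Entry point for every DAV request: sets up the logging context, rejects unsupported request
 * shapes, authenticates the caller, then dispatches to the {@link DavMethod} registered for
 * the HTTP method.
 *
 * <p>Order of checks (each early-exits with the status shown):
 * <ul>
 *   <li>{@code Range} header present → 400 (not supported).</li>
 *   <li>{@link #getAllowedRequestType} says {@code none} → 406.</li>
 *   <li>Authentication: a token read from the request is usable only if it is neither expired
 *       nor de-registered. A usable token is honoured when the request type permits token
 *       auth; HTTP basic auth is attempted only when no usable token was presented and the
 *       request type permits passwords. A usable token on a password-only request type, or
 *       no account either way → 401.</li>
 *   <li>Unknown HTTP method → 405 with an {@code Allow} header.</li>
 * </ul>
 *
 * <p>NOTE(review): an {@link AuthTokenException} while reading the token (a malformed or
 * tampered token) is answered with 500 here, whereas UserServletUtil.getAccount treats the
 * same condition as a 401 (bug 35917). The status is left unchanged to avoid altering client
 * behaviour, but 401 would be the more accurate and less alarming answer.
 *
 * <p>NOTE(review): with {@code ZimbraLog.dav} at debug level the first 20480 bytes of every
 * text request body are written to the log. DAV bodies routinely carry contact and calendar
 * data, so debug level should not be left on in production.
 *
 * <p>Change from the previous revision: the two empty {@code catch (Exception)} blocks around
 * error responses now log at debug instead of swallowing silently, and a redundant nested
 * {@code isDebugEnabled()} check was dropped. No response codes or messages changed.
 *
 * @param req  the request
 * @param resp the response
 * @throws ServletException per the servlet contract (not thrown directly here)
 * @throws IOException      from writing error responses
 */
@Override
public void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    ZimbraLog.clearContext();
    addRemoteIpToLoggingContext(req);
    ZimbraLog.addUserAgentToContext(req.getHeader(DavProtocol.HEADER_USER_AGENT));
    //bug fix - send 400 for Range requests
    String rangeHeader = req.getHeader(DavProtocol.HEADER_RANGE);
    if (null != rangeHeader) {
        sendError(resp, HttpServletResponse.SC_BAD_REQUEST, "Range header not supported", null, Level.debug);
        return;
    }
    RequestType rtype = getAllowedRequestType(req);
    ZimbraLog.dav.debug("Allowable request types %s", rtype);
    if (rtype == RequestType.none) {
        sendError(resp, HttpServletResponse.SC_NOT_ACCEPTABLE, "Not an allowed request type", null, Level.debug);
        return;
    }
    logRequestInfo(req);
    Account authUser = null;
    DavContext ctxt;
    try {
        AuthToken at = AuthProvider.getAuthToken(req, false);
        // An expired or de-registered (logged-out) token is ignored rather than rejected, so
        // the request may still authenticate with a password below if the type allows it.
        if (at != null && (at.isExpired() || !at.isRegistered())) {
            at = null;
        }
        if (at != null && (rtype == RequestType.both || rtype == RequestType.authtoken)) {
            authUser = Provisioning.getInstance().get(AccountBy.id, at.getAccountId());
        } else if (at == null && (rtype == RequestType.both || rtype == RequestType.password)) {
            AuthUtil.AuthResult result = AuthUtil.basicAuthRequest(req, resp, true, this);
            if (result.sendErrorCalled) {
                // basicAuthRequest already wrote the challenge / error response
                logResponseInfo(resp);
                return;
            }
            authUser = result.authorizedAccount;
        }
        if (authUser == null) {
            try {
                sendError(resp, HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed", null, Level.debug);
            } catch (Exception e) {
                // best-effort: the response may already be committed; don't hide that entirely
                ZimbraLog.dav.debug("unable to send 401", e);
            }
            return;
        }
        ZimbraLog.addToContext(ZimbraLog.C_ANAME, authUser.getName());
        ctxt = new DavContext(req, resp, authUser);
    } catch (AuthTokenException e) {
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error getting authenticated user", e);
        return;
    } catch (ServiceException e) {
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error getting authenticated user", e);
        return;
    }
    DavMethod method = sMethods.get(req.getMethod());
    if (method == null) {
        setAllowHeader(resp);
        sendError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Not an allowed method", null, Level.debug);
        return;
    }
    long t0 = System.currentTimeMillis();
    CacheStates cache = null;
    try {
        if (ZimbraLog.dav.isDebugEnabled()) {
            try {
                Upload upload = ctxt.getUpload();
                if (upload.getSize() > 0 && upload.getContentType().startsWith("text")) {
                    // Debug aid only: dumps up to 20 KiB of the body (see the note on sensitivity above).
                    StringBuilder logMsg = new StringBuilder("REQUEST\n").append(new String(ByteUtil.readInput(upload.getInputStream(), -1, 20480), "UTF-8"));
                    ZimbraLog.dav.debug(logMsg.toString());
                }
            } catch (DavException de) {
                throw de;
            } catch (Exception e) {
                ZimbraLog.dav.debug("ouch", e);
            }
        }
        cache = checkCachedResponse(ctxt, authUser);
        if (!ctxt.isResponseSent() && !isProxyRequest(ctxt, method)) {
            method.checkPrecondition(ctxt);
            method.handle(ctxt);
            method.checkPostcondition(ctxt);
            if (!ctxt.isResponseSent()) {
                resp.setStatus(ctxt.getStatus());
            }
        }
        if (!ctxt.isResponseSent()) {
            logResponseInfo(resp);
        }
    } catch (DavException e) {
        if (e.getCause() instanceof MailServiceException.NoSuchItemException || e.getStatus() == HttpServletResponse.SC_NOT_FOUND)
            ZimbraLog.dav.info(ctxt.getUri() + " not found");
        else if (e.getStatus() == HttpServletResponse.SC_MOVED_TEMPORARILY || e.getStatus() == HttpServletResponse.SC_MOVED_PERMANENTLY)
            ZimbraLog.dav.info("sending redirect");
        try {
            if (e.isStatusSet()) {
                resp.setStatus(e.getStatus());
                if (e.hasErrorMessage())
                    e.writeErrorMsg(resp.getOutputStream());
                if (ZimbraLog.dav.isDebugEnabled()) {
                    ZimbraLog.dav.info("sending http error %d because: %s", e.getStatus(), e.getMessage(), e);
                } else {
                    ZimbraLog.dav.info("sending http error %d because: %s", e.getStatus(), e.getMessage());
                }
                if (e.getCause() != null)
                    ZimbraLog.dav.debug("exception: ", e.getCause());
            } else {
                sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
            }
        } catch (IllegalStateException ise) {
            ZimbraLog.dav.debug("can't write error msg", ise);
        }
    } catch (ServiceException e) {
        if (e instanceof MailServiceException.NoSuchItemException) {
            sendError(resp, HttpServletResponse.SC_NOT_FOUND, ctxt.getUri() + " not found", null, Level.info);
            return;
        }
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
    } catch (Exception e) {
        try {
            sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
        } catch (Exception ex) {
            // the original failure is what matters; note that reporting it also failed
            ZimbraLog.dav.debug("unable to send 500 for " + method.getName(), ex);
        }
    } finally {
        long t1 = System.currentTimeMillis();
        ZimbraLog.dav.info("DavServlet operation " + method.getName() + " to " + req.getPathInfo() + " (depth: " + ctxt.getDepth().name() + ") finished in " + (t1 - t0) + "ms");
        if (cache != null)
            cacheCleanUp(ctxt, cache);
        ctxt.cleanup();
    }
}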
/**
 * Handles EndSessionRequest: tears down the caller's server-side session and, when a log-off
 * is requested (or the account is flagged to always clear cookies), invalidates the auth token.
 *
 * <p>Cookie clearing is signalled to SoapServlet via the {@code SoapServlet.INVALIDATE_COOKIES}
 * context flag; in addition the token is de-registered server-side. That server-side step is
 * what prevents replay — clearing the browser cookie alone would presumably leave the token
 * usable by anyone holding a copy of it. A failure to de-register is surfaced as a
 * ServiceException rather than swallowed, so the caller knows the token may still be live.
 *
 * @param request EndSessionRequest element; the {@code A_LOG_OFF} attribute asks for cookie clearing
 * @param context SOAP handler context
 * @return an empty EndSessionResponse
 * @throws ServiceException if the session cannot be resolved or the token cannot be de-registered
 */
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    if (zsc.hasSession()) {
        endSession(getSession(zsc));
    }
    boolean logOffRequested = request.getAttributeBool(AccountConstants.A_LOG_OFF, false);
    if (logOffRequested || getAuthenticatedAccount(zsc).isForceClearCookies()) {
        context.put(SoapServlet.INVALIDATE_COOKIES, true);
        deRegisterToken(zsc);
    }
    return zsc.createElement(AccountConstants.END_SESSION_RESPONSE);
}

/** De-registers the request's auth token, turning an AuthTokenException into a ServiceException failure. */
private static void deRegisterToken(ZimbraSoapContext zsc) throws ServiceException {
    try {
        zsc.getAuthToken().deRegister();
    } catch (AuthTokenException e) {
        throw ServiceException.FAILURE("Failed to de-register an auth token", e);
    }
}