Example 26 with AuthTokenException

Use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.

The class AuthProvider, method getAuthToken.

/**
 * For SOAP, we do not pass in isAdminReq, because with the current flow in SoapEngine,
 * at the point when the SOAP context (ZimbraSoapContext) is examined, we haven't looked
 * at the SOAP body yet.  Whether admin auth is required is based on the SOAP command,
 * which has to be extracted from the body.  ZimbraAuthProvider always retrieves the
 * encoded auth token from the fixed tag, and so does YahooYT auth.
 * This should be fine for now.
 * If any provider in the chain throws AuthTokenException,
 * it will be thrown at the end, after all providers have been tried.
 * If more than one provider throws AuthTokenException, the exception reported
 * by the last provider is the one thrown to the caller.
 *
 * @param soapCtxt <context> element in SOAP header
 * @param engineCtxt soap engine context
 * @return an AuthToken object, or null if auth data is not present for any of the enabled providers
 * @throws AuthTokenException
 */
public static AuthToken getAuthToken(Element soapCtxt, Map engineCtxt) throws AuthTokenException {
    AuthToken at = null;
    List<AuthProvider> providers = getProviders();
    AuthTokenException authTokenExp = null;
    for (AuthProvider ap : providers) {
        try {
            at = ap.authToken(soapCtxt, engineCtxt);
            if (at == null) {
                authTokenExp = new AuthTokenException("auth provider " + ap.getName() + " returned null");
            } else {
                return at;
            }
        } catch (AuthProviderException e) {
            // if there is no auth data for this provider, log and continue with next provider
            if (e.canIgnore()) {
                logger().debug(ap.getName() + ":" + e.getMessage());
            } else {
                authTokenExp = new AuthTokenException("auth provider error", e);
            }
        } catch (AuthTokenException e) {
            // log and remember the exception; it is rethrown once all providers have been tried
            authTokenExp = e;
            logger().debug("getAuthToken error: provider=" + ap.getName() + ", err=" + e.getMessage(), e);
        }
    }
    // If multiple auth providers threw AuthTokenException, the last one is rethrown from here.
    if (null != authTokenExp) {
        throw authTokenExp;
    }
    // there is no auth data for any of the enabled providers
    return null;
}
Also used: AuthTokenException(com.zimbra.cs.account.AuthTokenException) AuthToken(com.zimbra.cs.account.AuthToken)

Example 27 with AuthTokenException

Use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.

The class ZimbraAuthenticator, method validateRequest.

@Override
public Authentication validateRequest(ServletRequest req, ServletResponse resp, boolean mandatory) throws ServerAuthException {
    if (mandatory && req instanceof HttpServletRequest) {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        // only look at requests matching urlPattern; ignore the rest rather than potentially flooding the auth provider (which may be external)
        if (PathMap.match(urlPattern, httpReq.getRequestURI())) {
            Cookie[] cookies = httpReq.getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (ZimbraCookie.authTokenCookieName(true).equalsIgnoreCase(cookie.getName()) || ZimbraCookie.authTokenCookieName(false).equalsIgnoreCase(cookie.getName())) {
                        String encoded = cookie.getValue();
                        AuthToken token;
                        try {
                            token = AuthProvider.getAuthToken(encoded);
                            Account authAcct = AuthProvider.validateAuthToken(Provisioning.getInstance(), token, false);
                            if (authAcct != null) {
                                if (_loginService instanceof ZimbraLoginService) {
                                    UserIdentity user = ((ZimbraLoginService) _loginService).makeUserIdentity(authAcct.getMail());
                                    ZimbraLog.security.debug("Auth token validated");
                                    return new UserAuthentication(getAuthMethod(), user);
                                } else {
                                    // misconfiguration: without a ZimbraLoginService no UserIdentity can be built, so fall through to the superclass (basic auth)
                                    ZimbraLog.security.warn("Misconfigured? _loginService not ZimbraLoginService");
                                    assert (false);
                                }
                            }
                        } catch (AuthTokenException e) {
                            ZimbraLog.security.error("Unable to authenticate due to AuthTokenException", e);
                        } catch (ServiceException e) {
                            ZimbraLog.security.error("Unable to authenticate due to ServiceException", e);
                        }
                    }
                }
                ZimbraLog.security.debug("no valid auth token, fallback to basic");
            }
        }
    }
    return super.validateRequest(req, resp, mandatory);
}
Also used: HttpServletRequest(javax.servlet.http.HttpServletRequest) ZimbraCookie(com.zimbra.common.util.ZimbraCookie) Cookie(javax.servlet.http.Cookie) Account(com.zimbra.cs.account.Account) ServiceException(com.zimbra.common.service.ServiceException) UserIdentity(org.eclipse.jetty.server.UserIdentity) AuthTokenException(com.zimbra.cs.account.AuthTokenException) AuthToken(com.zimbra.cs.account.AuthToken) UserAuthentication(org.eclipse.jetty.security.UserAuthentication)

Example 28 with AuthTokenException

Use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.

The class UserServletUtil, method getAccount.

//    public synchronized static void addFormatter(Formatter f) {
//        mFormatters.put(f.getType(), f);
//        for (String mimeType : f.getDefaultMimeTypes())
//            mDefaultFormatters.put(mimeType, f);
//    }
//
//    public Formatter getFormatter(String type) {
//        return mFormatters.get(type);
//    }
public static void getAccount(UserServletContext context) throws IOException, ServletException, UserServletException {
    try {
        boolean isAdminRequest = AuthUtil.isAdminRequest(context.req);
        // check cookie or access key
        if (context.cookieAuthAllowed() || AuthProvider.allowAccessKeyAuth(context.req, context.getServlet())) {
            try {
                AuthToken at = AuthProvider.getAuthToken(context.req, isAdminRequest);
                if (at != null) {
                    if (at.isZimbraUser()) {
                        if (!at.isRegistered()) {
                            throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
                        }
                        try {
                            context.setAuthAccount(AuthProvider.validateAuthToken(Provisioning.getInstance(), at, false));
                        } catch (ServiceException e) {
                            throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
                        }
                        context.cookieAuthHappened = true;
                        context.authToken = at;
                        return;
                    } else {
                        if (at.isExpired()) {
                            throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
                        }
                        context.setAuthAccount(new GuestAccount(at));
                        // treat a guest (non-Zimbra-user) token as if basic auth had happened
                        context.basicAuthHappened = true;
                        context.authToken = at;
                        return;
                    }
                }
            } catch (AuthTokenException e) {
                // bug 35917: malformed auth token means auth failure
                throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
            }
        }
        // check query string
        if (context.queryParamAuthAllowed()) {
            String auth = context.params.get(ZimbraServlet.QP_ZAUTHTOKEN);
            if (auth == null)
                // not sure who uses this parameter; zauthtoken is preferred
                auth = context.params.get(UserServlet.QP_AUTHTOKEN);
            if (auth != null) {
                try {
                    // Only supported by ZimbraAuthProvider
                    AuthToken at = AuthProvider.getAuthToken(auth);
                    try {
                        context.setAuthAccount(AuthProvider.validateAuthToken(Provisioning.getInstance(), at, false));
                        context.qpAuthHappened = true;
                        context.authToken = at;
                        return;
                    } catch (ServiceException e) {
                        throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
                    }
                } catch (AuthTokenException e) {
                    // bug 35917: malformed auth token means auth failure
                    throw new UserServletException(HttpServletResponse.SC_UNAUTHORIZED, L10nUtil.getMessage(MsgKey.errMustAuthenticate, context.req));
                }
            }
        }
        // fallback to basic auth
        if (context.basicAuthAllowed()) {
            context.setAuthAccount(AuthUtil.basicAuthRequest(context.req, context.resp, context.servlet, false));
            if (context.getAuthAccount() != null) {
                context.basicAuthHappened = true;
                context.authToken = AuthProvider.getAuthToken(context.getAuthAccount(), isAdminRequest);
                // send cookie back if need be.
                if (context.setCookie()) {
                    boolean secureCookie = context.req.getScheme().equals("https");
                    context.authToken.encode(context.resp, isAdminRequest, secureCookie);
                }
            }
            // always return
            return;
        }
    // there is no credential at this point.  assume anonymous public access and continue.
    } catch (ServiceException e) {
        throw new ServletException(e);
    }
}
Also used: ServletException(javax.servlet.ServletException) UserServletException(com.zimbra.cs.service.UserServletException) GuestAccount(com.zimbra.cs.account.GuestAccount) ServiceException(com.zimbra.common.service.ServiceException) MailServiceException(com.zimbra.cs.mailbox.MailServiceException) AuthTokenException(com.zimbra.cs.account.AuthTokenException) AuthToken(com.zimbra.cs.account.AuthToken)

Example 29 with AuthTokenException

Use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.

The class DavServlet, method service.

@Override
public void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    ZimbraLog.clearContext();
    addRemoteIpToLoggingContext(req);
    ZimbraLog.addUserAgentToContext(req.getHeader(DavProtocol.HEADER_USER_AGENT));
    // bug fix: send 400 for Range requests
    String rangeHeader = req.getHeader(DavProtocol.HEADER_RANGE);
    if (null != rangeHeader) {
        sendError(resp, HttpServletResponse.SC_BAD_REQUEST, "Range header not supported", null, Level.debug);
        return;
    }
    RequestType rtype = getAllowedRequestType(req);
    ZimbraLog.dav.debug("Allowable request types %s", rtype);
    if (rtype == RequestType.none) {
        sendError(resp, HttpServletResponse.SC_NOT_ACCEPTABLE, "Not an allowed request type", null, Level.debug);
        return;
    }
    logRequestInfo(req);
    Account authUser = null;
    DavContext ctxt;
    try {
        AuthToken at = AuthProvider.getAuthToken(req, false);
        if (at != null && (at.isExpired() || !at.isRegistered())) {
            at = null;
        }
        if (at != null && (rtype == RequestType.both || rtype == RequestType.authtoken)) {
            authUser = Provisioning.getInstance().get(AccountBy.id, at.getAccountId());
        } else if (at == null && (rtype == RequestType.both || rtype == RequestType.password)) {
            AuthUtil.AuthResult result = AuthUtil.basicAuthRequest(req, resp, true, this);
            if (result.sendErrorCalled) {
                logResponseInfo(resp);
                return;
            }
            authUser = result.authorizedAccount;
        }
        if (authUser == null) {
            try {
                sendError(resp, HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed", null, Level.debug);
            } catch (Exception e) {
                // nothing more can be done if writing the error response itself fails
            }
            return;
        }
        ZimbraLog.addToContext(ZimbraLog.C_ANAME, authUser.getName());
        ctxt = new DavContext(req, resp, authUser);
    } catch (AuthTokenException e) {
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error getting authenticated user", e);
        return;
    } catch (ServiceException e) {
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error getting authenticated user", e);
        return;
    }
    DavMethod method = sMethods.get(req.getMethod());
    if (method == null) {
        setAllowHeader(resp);
        sendError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED, "Not an allowed method", null, Level.debug);
        return;
    }
    long t0 = System.currentTimeMillis();
    CacheStates cache = null;
    try {
        if (ZimbraLog.dav.isDebugEnabled()) {
            try {
                Upload upload = ctxt.getUpload();
                if (upload.getSize() > 0 && upload.getContentType().startsWith("text")) {
                    if (ZimbraLog.dav.isDebugEnabled()) {
                        StringBuilder logMsg = new StringBuilder("REQUEST\n").append(new String(ByteUtil.readInput(upload.getInputStream(), -1, 20480), "UTF-8"));
                        ZimbraLog.dav.debug(logMsg.toString());
                    }
                }
            } catch (DavException de) {
                throw de;
            } catch (Exception e) {
                ZimbraLog.dav.debug("ouch", e);
            }
        }
        cache = checkCachedResponse(ctxt, authUser);
        if (!ctxt.isResponseSent() && !isProxyRequest(ctxt, method)) {
            method.checkPrecondition(ctxt);
            method.handle(ctxt);
            method.checkPostcondition(ctxt);
            if (!ctxt.isResponseSent()) {
                resp.setStatus(ctxt.getStatus());
            }
        }
        if (!ctxt.isResponseSent()) {
            logResponseInfo(resp);
        }
    } catch (DavException e) {
        if (e.getCause() instanceof MailServiceException.NoSuchItemException || e.getStatus() == HttpServletResponse.SC_NOT_FOUND)
            ZimbraLog.dav.info(ctxt.getUri() + " not found");
        else if (e.getStatus() == HttpServletResponse.SC_MOVED_TEMPORARILY || e.getStatus() == HttpServletResponse.SC_MOVED_PERMANENTLY)
            ZimbraLog.dav.info("sending redirect");
        try {
            if (e.isStatusSet()) {
                resp.setStatus(e.getStatus());
                if (e.hasErrorMessage())
                    e.writeErrorMsg(resp.getOutputStream());
                if (ZimbraLog.dav.isDebugEnabled()) {
                    ZimbraLog.dav.info("sending http error %d because: %s", e.getStatus(), e.getMessage(), e);
                } else {
                    ZimbraLog.dav.info("sending http error %d because: %s", e.getStatus(), e.getMessage());
                }
                if (e.getCause() != null)
                    ZimbraLog.dav.debug("exception: ", e.getCause());
            } else {
                sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
            }
        } catch (IllegalStateException ise) {
            ZimbraLog.dav.debug("can't write error msg", ise);
        }
    } catch (ServiceException e) {
        if (e instanceof MailServiceException.NoSuchItemException) {
            sendError(resp, HttpServletResponse.SC_NOT_FOUND, ctxt.getUri() + " not found", null, Level.info);
            return;
        }
        sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
    } catch (Exception e) {
        try {
            sendError(resp, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "error handling method " + method.getName(), e);
        } catch (Exception ex) {
            // response may already be committed; nothing more can be done here
        }
    } finally {
        long t1 = System.currentTimeMillis();
        ZimbraLog.dav.info("DavServlet operation " + method.getName() + " to " + req.getPathInfo() + " (depth: " + ctxt.getDepth().name() + ") finished in " + (t1 - t0) + "ms");
        if (cache != null)
            cacheCleanUp(ctxt, cache);
        ctxt.cleanup();
    }
}
Also used: Account(com.zimbra.cs.account.Account) DavException(com.zimbra.cs.dav.DavException) Upload(com.zimbra.cs.service.FileUploadServlet.Upload) ServletException(javax.servlet.ServletException) XmlParseException(com.zimbra.common.soap.XmlParseException) ServiceException(com.zimbra.common.service.ServiceException) IOException(java.io.IOException) AuthTokenException(com.zimbra.cs.account.AuthTokenException) MailServiceException(com.zimbra.cs.mailbox.MailServiceException) AuthToken(com.zimbra.cs.account.AuthToken) DavContext(com.zimbra.cs.dav.DavContext)

Example 30 with AuthTokenException

Use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.

The class EndSession, method handle.

@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
    ZimbraSoapContext zsc = getZimbraSoapContext(context);
    if (zsc.hasSession()) {
        Session s = getSession(zsc);
        endSession(s);
    }
    boolean clearCookies = request.getAttributeBool(AccountConstants.A_LOG_OFF, false);
    if (clearCookies || getAuthenticatedAccount(zsc).isForceClearCookies()) {
        context.put(SoapServlet.INVALIDATE_COOKIES, true);
        try {
            zsc.getAuthToken().deRegister();
        } catch (AuthTokenException e) {
            throw ServiceException.FAILURE("Failed to de-register an auth token", e);
        }
    }
    Element response = zsc.createElement(AccountConstants.END_SESSION_RESPONSE);
    return response;
}
Also used: ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext) AuthTokenException(com.zimbra.cs.account.AuthTokenException) Element(com.zimbra.common.soap.Element) Session(com.zimbra.cs.session.Session)

Aggregations

AuthTokenException (com.zimbra.cs.account.AuthTokenException)37 AuthToken (com.zimbra.cs.account.AuthToken)25 ServiceException (com.zimbra.common.service.ServiceException)24 Account (com.zimbra.cs.account.Account)20 Provisioning (com.zimbra.cs.account.Provisioning)8 ZimbraAuthToken (com.zimbra.cs.account.ZimbraAuthToken)7 IOException (java.io.IOException)7 HttpClient (org.apache.commons.httpclient.HttpClient)7 GetMethod (org.apache.commons.httpclient.methods.GetMethod)7 ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)6 ServletException (javax.servlet.ServletException)6 Element (com.zimbra.common.soap.Element)5 Server (com.zimbra.cs.account.Server)5 HttpMethod (org.apache.commons.httpclient.HttpMethod)5 Domain (com.zimbra.cs.account.Domain)4 GuestAccount (com.zimbra.cs.account.GuestAccount)4 HashMap (java.util.HashMap)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 ZMailbox (com.zimbra.client.ZMailbox)3 AccountBy (com.zimbra.common.account.Key.AccountBy)3