Example 1 with SubjectType

Use of io.helidon.security.SubjectType in project helidon by oracle.

Class HttpBasicAuthProvider, method validateBasicAuth:

private AuthenticationResponse validateBasicAuth(String basicAuthHeader) {
    String b64 = basicAuthHeader.substring(BASIC_PREFIX.length());
    String usernameAndPassword;
    try {
        usernameAndPassword = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
        // not a base64 encoded string
        return failOrAbstain("Basic authentication header with invalid content - not base64 encoded");
    }
    Matcher matcher = CREDENTIAL_PATTERN.matcher(usernameAndPassword);
    if (!matcher.matches()) {
        LOGGER.finest(() -> "Basic authentication header with invalid content: " + usernameAndPassword);
        return failOrAbstain("Basic authentication header with invalid content");
    }
    final String username = matcher.group(1);
    final char[] password = matcher.group(2).toCharArray();
    Optional<SecureUserStore.User> foundUser = Optional.empty();
    for (SecureUserStore userStore : userStores) {
        foundUser = userStore.user(username);
        if (foundUser.isPresent()) {
            // find first user from stores
            break;
        }
    }
    return foundUser.map(user -> {
        if (user.isPasswordValid(password)) {
            if (subjectType == SubjectType.USER) {
                return AuthenticationResponse.success(buildSubject(user, password));
            }
            return AuthenticationResponse.successService(buildSubject(user, password));
        } else {
            return invalidUser();
        }
    }).orElseGet(this::invalidUser);
}

Example 2 with SubjectType

Use of io.helidon.security.SubjectType in project helidon by oracle.

Class HeaderAtnProvider, method syncOutbound:

@Override
protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment outboundEnv, EndpointConfig outboundEndpointConfig) {
    Optional<Subject> toPropagate;
    if (subjectType == SubjectType.USER) {
        toPropagate = providerRequest.securityContext().user();
    } else {
        toPropagate = providerRequest.securityContext().service();
    }
    // find the target
    var target = outboundConfig.findTargetCustomObject(outboundEnv, HeaderAtnOutboundConfig.class, HeaderAtnOutboundConfig::create, HeaderAtnOutboundConfig::create);
    // we have no target, let's fall back to original behavior
    if (target.isEmpty()) {
        if (outboundTokenHandler != null) {
            return toPropagate.map(Subject::principal).map(Principal::id).map(id -> respond(outboundEnv, outboundTokenHandler, id)).orElseGet(OutboundSecurityResponse::abstain);
        }
        return OutboundSecurityResponse.abstain();
    }
    // we found a target
    HeaderAtnOutboundConfig outboundConfig = target.get();
    TokenHandler tokenHandler = outboundConfig.tokenHandler().orElse(defaultOutboundTokenHandler);
    return outboundConfig.explicitUser().or(() -> toPropagate.map(Subject::principal).map(Principal::id)).map(id -> respond(outboundEnv, tokenHandler, id)).orElseGet(OutboundSecurityResponse::abstain);
}

Example 3 with SubjectType

Use of io.helidon.security.SubjectType in project helidon by oracle.

Class HttpDigestAuthProvider, method validateDigestAuth:

private AuthenticationResponse validateDigestAuth(String headerValue, SecurityEnvironment env) {
    DigestToken token;
    try {
        token = DigestToken.fromAuthorizationHeader(headerValue.substring(DIGEST_PREFIX.length()), env.method().toLowerCase());
    } catch (HttpAuthException e) {
        LOGGER.log(Level.FINEST, "Failed to process digest token", e);
        return failOrAbstain(e.getMessage());
    }
    // decrypt
    byte[] bytes;
    try {
        bytes = Base64.getDecoder().decode(token.getNonce());
    } catch (IllegalArgumentException e) {
        LOGGER.log(Level.FINEST, "Failed to base64 decode nonce", e);
        // not base 64
        return failOrAbstain("Nonce must be base64 encoded");
    }
    if (bytes.length < 17) {
        return failOrAbstain("Invalid nonce length");
    }
    byte[] salt = new byte[SALT_LENGTH];
    byte[] aesNonce = new byte[AES_NONCE_LENGTH];
    byte[] encryptedBytes = new byte[bytes.length - SALT_LENGTH - AES_NONCE_LENGTH];
    System.arraycopy(bytes, 0, salt, 0, salt.length);
    System.arraycopy(bytes, SALT_LENGTH, aesNonce, 0, aesNonce.length);
    System.arraycopy(bytes, SALT_LENGTH + AES_NONCE_LENGTH, encryptedBytes, 0, encryptedBytes.length);
    Cipher cipher = HttpAuthUtil.cipher(digestServerSecret, salt, aesNonce, Cipher.DECRYPT_MODE);
    try {
        byte[] timestampBytes = cipher.doFinal(encryptedBytes);
        long nonceTimestamp = HttpAuthUtil.toLong(timestampBytes, 0, timestampBytes.length);
        // validate nonce
        if ((System.currentTimeMillis() - nonceTimestamp) > digestNonceTimeoutMillis) {
            return failOrAbstain("Nonce timeout");
        }
    } catch (Exception e) {
        LOGGER.log(Level.FINEST, "Failed to validate nonce", e);
        return failOrAbstain("Invalid nonce value");
    }
    // validate realm
    if (!realm.equals(token.getRealm())) {
        return failOrAbstain("Invalid realm");
    }
    return userStore.user(token.getUsername()).map(user -> {
        if (token.validateLogin(user)) {
            // yay, correct user and password!!!
            if (subjectType == SubjectType.USER) {
                return AuthenticationResponse.success(buildSubject(user));
            } else {
                return AuthenticationResponse.successService(buildSubject(user));
            }
        } else {
            return failOrAbstain("Invalid username or password");
        }
    }).orElse(failOrAbstain("Invalid username or password"));
}