Example 1 with JsonWebToken
use of io.hops.hopsworks.jwt.JsonWebToken in project hopsworks by logicalclocks.
the class AuthService method serviceLogin.
@POST
@Path("/service")
@Produces(MediaType.APPLICATION_JSON)
@JWTNotRequired
public Response serviceLogin(@FormParam("email") String email, @FormParam("password") String password, @Context HttpServletRequest request) throws UserException, GeneralSecurityException, SigningKeyNotFoundException, DuplicateSigningKeyException, HopsSecurityException {
if (Strings.isNullOrEmpty(email)) {
throw new IllegalArgumentException("Email cannot be null or empty");
}
if (Strings.isNullOrEmpty(password)) {
throw new IllegalArgumentException("Password cannot be null or empty");
}
Users user = userFacade.findByEmail(email);
if (user == null) {
throw new LoginException("Could not find registered user with email " + email);
}
if (!needLogin(request, user)) {
return Response.ok().build();
}
if (!userController.isUserInRole(user, "AGENT")) {
throw new HopsSecurityException(RESTCodes.SecurityErrorCode.REST_ACCESS_CONTROL, Level.FINE, "Users are not allowed to access this endpoint, use auth/login instead", "User " + user.getUsername() + " tried to login but they don't have AGENT role");
}
request.getSession();
Collection roles = user.getBbcGroupCollection();
if (roles == null || roles.isEmpty()) {
throw new UserException(RESTCodes.UserErrorCode.NO_ROLE_FOUND, Level.FINE);
}
statusValidator.checkStatus(user.getStatus());
String saltedPassword = authController.preCustomRealmLoginCheck(user, password, null);
try {
request.login(user.getEmail(), saltedPassword);
} catch (ServletException ex) {
authController.registerAuthenticationFailure(user);
throw new UserException(RESTCodes.UserErrorCode.AUTHENTICATION_FAILURE, Level.FINE, null, ex.getMessage(), ex);
}
// First generate the one-time tokens for renewal of master token
String renewalKeyName = jwtController.getServiceOneTimeJWTSigningKeyname(user.getUsername(), request.getRemoteHost());
LocalDateTime masterExpiration = DateUtils.getNow().plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
LocalDateTime notBefore = jwtController.computeNotBefore4ServiceRenewalTokens(masterExpiration);
LocalDateTime expiresAt = notBefore.plus(settings.getServiceJWTLifetimeMS(), ChronoUnit.MILLIS);
List<String> userRoles = userController.getUserRoles(user);
JsonWebToken renewalJWTSpec = new JsonWebToken();
renewalJWTSpec.setSubject(user.getUsername());
renewalJWTSpec.setIssuer(settings.getJWTIssuer());
renewalJWTSpec.setAudience(JWTHelper.SERVICE_RENEW_JWT_AUDIENCE);
renewalJWTSpec.setKeyId(renewalKeyName);
renewalJWTSpec.setNotBefore(DateUtils.localDateTime2Date(notBefore));
renewalJWTSpec.setExpiresAt(DateUtils.localDateTime2Date(expiresAt));
Map<String, Object> claims = new HashMap<>(4);
claims.put(Constants.RENEWABLE, false);
claims.put(Constants.EXPIRY_LEEWAY, 3600);
claims.put(Constants.ROLES, userRoles.toArray(new String[1]));
String[] oneTimeRenewalTokens = jwtController.generateOneTimeTokens4ServiceJWTRenewal(renewalJWTSpec, claims, settings.getJWTSigningKeyName());
// Then generate the master service token
try {
String signingKeyID = jwtController.getSignKeyID(oneTimeRenewalTokens[0]);
claims.clear();
// The rest of JWT claims will be added by JWTHelper
claims.put(Constants.RENEWABLE, false);
claims.put(Constants.SERVICE_JWT_RENEWAL_KEY_ID, signingKeyID);
String token = jWTHelper.createToken(user, settings.getJWTIssuer(), claims);
ServiceJWTDTO renewTokensResponse = new ServiceJWTDTO();
renewTokensResponse.setRenewTokens(oneTimeRenewalTokens);
return Response.ok().header(AUTHORIZATION, Constants.BEARER + token).entity(renewTokensResponse).build();
} catch (Exception ex) {
jwtController.deleteSigningKey(renewalKeyName);
throw ex;
}
}
Also used :
LocalDateTime(java.time.LocalDateTime)
HashMap(java.util.HashMap)
Users(io.hops.hopsworks.persistence.entity.user.Users)
JsonWebToken(io.hops.hopsworks.jwt.JsonWebToken)
LoginException(javax.security.auth.login.LoginException)
ServletException(javax.servlet.ServletException)
MessagingException(javax.mail.MessagingException)
GeneralSecurityException(java.security.GeneralSecurityException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException)
DuplicateSigningKeyException(io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException)
SigningKeyNotFoundException(io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException)
UserException(io.hops.hopsworks.exceptions.UserException)
InvalidationException(io.hops.hopsworks.jwt.exception.InvalidationException)
HopsSecurityException(io.hops.hopsworks.exceptions.HopsSecurityException)
ServletException(javax.servlet.ServletException)
LoginException(javax.security.auth.login.LoginException)
Collection(java.util.Collection)
UserException(io.hops.hopsworks.exceptions.UserException)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
JWTNotRequired(io.hops.hopsworks.api.filter.JWTNotRequired)
Aggregations
JWTNotRequired (io.hops.hopsworks.api.filter.JWTNotRequired)1
HopsSecurityException (io.hops.hopsworks.exceptions.HopsSecurityException)1
UserException (io.hops.hopsworks.exceptions.UserException)1
JsonWebToken (io.hops.hopsworks.jwt.JsonWebToken)1
DuplicateSigningKeyException (io.hops.hopsworks.jwt.exception.DuplicateSigningKeyException)1
InvalidationException (io.hops.hopsworks.jwt.exception.InvalidationException)1
SigningKeyNotFoundException (io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException)1
Users (io.hops.hopsworks.persistence.entity.user.Users)1
GeneralSecurityException (java.security.GeneralSecurityException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
LocalDateTime (java.time.LocalDateTime)1
Collection (java.util.Collection)1
HashMap (java.util.HashMap)1
MessagingException (javax.mail.MessagingException)1
LoginException (javax.security.auth.login.LoginException)1
ServletException (javax.servlet.ServletException)1
POST (javax.ws.rs.POST)1
Path (javax.ws.rs.Path)1
Produces (javax.ws.rs.Produces)1
