Example 1 with AuthenticationMechanism

Use of io.undertow.security.api.AuthenticationMechanism in project wildfly (by wildfly).

From class HTTPSchemeServerAuthModule, method validateRequest.

@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    // AUTHENTICATED / NOT_AUTHENTICATED are AuthenticationMechanism.AuthenticationMechanismOutcome constants,
    // SUCCESS / SEND_CONTINUE are javax.security.auth.message.AuthStatus constants (static imports in the class).
    HttpServerExchange exchange = (HttpServerExchange) messageInfo.getMap().get(JASPICAuthenticationMechanism.HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY);
    SecurityContext securityContext = (SecurityContext) messageInfo.getMap().get(JASPICAuthenticationMechanism.SECURITY_CONTEXT_ATTACHMENT_KEY);
    ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    List<AuthenticationMechanism> mechanisms = src.getDeployment().getAuthenticationMechanisms();
    try {
        boolean success = false;
        // Mechanisms run in deployment order. NOT_ATTEMPTED falls through to the next mechanism,
        // AUTHENTICATED ends the loop with success, and a definite NOT_AUTHENTICATED (credentials were
        // presented and rejected) ends it as a failure so a later mechanism cannot override a bad credential.
        for (AuthenticationMechanism mechanism : mechanisms) {
            AuthenticationMechanism.AuthenticationMechanismOutcome result = mechanism.authenticate(exchange, securityContext);
            if (result == AUTHENTICATED) {
                success = true;
                break;
            } else if (result == NOT_AUTHENTICATED) {
                break;
            }
        }
        if (!success) {
            // JASPIC tells the module whether the target resource is protected through the
            // MessagePolicy.isMandatory property. An unprotected resource proceeds without an identity.
            String mandatory = (String) messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory");
            if ("false".equalsIgnoreCase(mandatory)) {
                return SUCCESS;
            } else {
                // Protected resource and nobody authenticated: let each mechanism add its challenge
                // (e.g. a WWW-Authenticate header) until one of them has completed the response.
                for (AuthenticationMechanism mechanism : mechanisms) {
                    AuthenticationMechanism.ChallengeResult challengeResult = mechanism.sendChallenge(exchange, securityContext);
                    if (challengeResult.getDesiredResponseCode() != null) {
                        exchange.setResponseCode(challengeResult.getDesiredResponseCode());
                    }
                    if (exchange.isResponseComplete()) {
                        break;
                    }
                }
                return SEND_CONTINUE;
            }
        }
    } catch (Exception e) {
        UndertowLogger.ROOT_LOGGER.debug(e);
        throw new AuthException("Could not validateRequest using mechanisms [" + mechanisms + "].");
    }
    return SUCCESS;
}
Also used : HttpServerExchange(io.undertow.server.HttpServerExchange) JASPICAuthenticationMechanism(org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism) AuthenticationMechanism(io.undertow.security.api.AuthenticationMechanism) SecurityContext(io.undertow.security.api.SecurityContext) ServletRequestContext(io.undertow.servlet.handlers.ServletRequestContext) AuthException(javax.security.auth.message.AuthException)

Example 2 with AuthenticationMechanism

Use of io.undertow.security.api.AuthenticationMechanism in project wildfly-swarm (by wildfly-swarm).

From class SecureHttpContexts, method secureHandler.

/**
 * Wraps the target handler and makes it inheritSecurity.
 * Includes a predicate for relevant web contexts.
 */
private HttpHandler secureHandler(final HttpHandler toWrap, SecurityRealm securityRealm) {
    // Standard Undertow security chain, built inside out: AuthenticationCallHandler runs the mechanisms and
    // sends the challenge, AuthenticationConstraintHandler marks authentication as required, the mechanisms
    // handler registers the mechanisms, and SecurityInitialHandler (outermost) creates the SecurityContext.
    HttpHandler handler = toWrap;
    handler = new AuthenticationCallHandler(handler);
    handler = new AuthenticationConstraintHandler(handler);
    RealmIdentityManager idm = new RealmIdentityManager(securityRealm);
    Set<AuthMechanism> mechanisms = securityRealm.getSupportedAuthenticationMechanisms();
    List<AuthenticationMechanism> undertowMechanisms = new ArrayList<AuthenticationMechanism>(mechanisms.size() + 1);
    // Tried first: reuse an identity already cached on the session instead of re-verifying credentials.
    undertowMechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
    for (AuthMechanism current : mechanisms) {
        switch (current) {
            case DIGEST:
                // Digest is restricted to MD5 with qop=auth, the RFC 2617 profile clients generally implement;
                // it keeps the password off the wire but is not a strong mechanism on its own.
                List<DigestAlgorithm> digestAlgorithms = Collections.singletonList(DigestAlgorithm.MD5);
                List<DigestQop> digestQops = Collections.singletonList(DigestQop.AUTH);
                undertowMechanisms.add(wrap(new DigestAuthenticationMechanism(digestAlgorithms, digestQops, securityRealm.getName(), "Monitor", new SimpleNonceManager()), current));
                break;
            case PLAIN:
                // PLAIN in the realm maps to HTTP Basic: the password travels in clear unless the listener uses TLS.
                undertowMechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), current));
                break;
            case LOCAL:
                // Local (same-host) authentication has no HTTP mechanism; nothing to add.
                break;
            default:
                break;
        }
    }
    handler = new AuthenticationMechanismsHandler(handler, undertowMechanisms);
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, idm, handler);
    // the predicate handler takes care that all of the above
    // will only be enacted on relevant web contexts
    handler = new PredicateHandler(exchange -> {
        // No realm configured: the chain is skipped entirely and every request reaches toWrap unauthenticated.
        if (!monitor.getSecurityRealm().isPresent()) {
            return false;
        }
        if (Queries.isAggregatorEndpoint(monitor, exchange.getRelativePath())) {
            return true;
        }
        // Direct health-endpoint calls go through the realm chain only when they carry no token;
        // with a token the predicate is false and the request reaches toWrap without this chain.
        if (Queries.isDirectAccessToHealthEndpoint(monitor, exchange.getRelativePath())) {
            return !hasTokenAuth(exchange);
        }
        return HttpContexts.getDefaultContextNames().contains(exchange.getRelativePath());
    }, handler, toWrap);
    return handler;
}
Also used : DigestQop(io.undertow.security.impl.DigestQop) BasicAuthenticationMechanism(io.undertow.security.impl.BasicAuthenticationMechanism) HttpServerExchange(io.undertow.server.HttpServerExchange) NamingException(javax.naming.NamingException) SecurityRealm(org.jboss.as.domain.management.SecurityRealm) SecurityInitialHandler(io.undertow.security.handlers.SecurityInitialHandler) ArrayList(java.util.ArrayList) AuthenticationMechanismsHandler(io.undertow.security.handlers.AuthenticationMechanismsHandler) DigestAlgorithm(io.undertow.security.idm.DigestAlgorithm) AuthenticationMechanismWrapper(org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper) PredicateHandler(io.undertow.server.handlers.PredicateHandler) CachedAuthenticatedSessionMechanism(io.undertow.security.impl.CachedAuthenticatedSessionMechanism) DigestAuthenticationMechanism(io.undertow.security.impl.DigestAuthenticationMechanism) Monitor(org.wildfly.swarm.microprofile.health.api.Monitor) Vetoed(javax.enterprise.inject.Vetoed) AuthenticationConstraintHandler(io.undertow.security.handlers.AuthenticationConstraintHandler) Set(java.util.Set) AuthenticationMode(io.undertow.security.api.AuthenticationMode) AuthMechanism(org.jboss.as.domain.management.AuthMechanism) HttpHandler(io.undertow.server.HttpHandler) List(java.util.List) SimpleNonceManager(io.undertow.security.impl.SimpleNonceManager) AuthenticationMechanism(io.undertow.security.api.AuthenticationMechanism) RealmIdentityManager(org.jboss.as.domain.http.server.security.RealmIdentityManager) AuthenticationCallHandler(io.undertow.security.handlers.AuthenticationCallHandler) Optional(java.util.Optional) Collections(java.util.Collections)

Example 3 with AuthenticationMechanism

Use of io.undertow.security.api.AuthenticationMechanism in project wildfly-swarm (by wildfly-swarm).

From class SecureHttpContexts, method secureHandler.

/**
 * Wraps the target handler and makes it inheritSecurity.
 * Includes a predicate for relevant web contexts.
 */
@SuppressWarnings("deprecation")
private HttpHandler secureHandler(final HttpHandler toWrap, SecurityRealm securityRealm) {
    // Standard Undertow security chain, built inside out: AuthenticationCallHandler runs the mechanisms and
    // sends the challenge, AuthenticationConstraintHandler marks authentication as required, the mechanisms
    // handler registers the mechanisms, and SecurityInitialHandler (outermost) creates the SecurityContext.
    HttpHandler handler = toWrap;
    handler = new AuthenticationCallHandler(handler);
    handler = new AuthenticationConstraintHandler(handler);
    RealmIdentityManager idm = new RealmIdentityManager(securityRealm);
    Set<AuthMechanism> mechanisms = securityRealm.getSupportedAuthenticationMechanisms();
    List<AuthenticationMechanism> undertowMechanisms = new ArrayList<AuthenticationMechanism>(mechanisms.size() + 1);
    // Tried first: reuse an identity already cached on the session instead of re-verifying credentials.
    undertowMechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
    for (AuthMechanism current : mechanisms) {
        switch (current) {
            case DIGEST:
                // Digest is restricted to MD5 with qop=auth, the RFC 2617 profile clients generally implement;
                // it keeps the password off the wire but is not a strong mechanism on its own.
                List<DigestAlgorithm> digestAlgorithms = Collections.singletonList(DigestAlgorithm.MD5);
                List<DigestQop> digestQops = Collections.singletonList(DigestQop.AUTH);
                undertowMechanisms.add(wrap(new DigestAuthenticationMechanism(digestAlgorithms, digestQops, securityRealm.getName(), "Monitor", new SimpleNonceManager()), current));
                break;
            case PLAIN:
                // PLAIN in the realm maps to HTTP Basic: the password travels in clear unless the listener uses TLS.
                undertowMechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), current));
                break;
            case LOCAL:
                // Local (same-host) authentication has no HTTP mechanism; nothing to add.
                break;
            default:
                break;
        }
    }
    handler = new AuthenticationMechanismsHandler(handler, undertowMechanisms);
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, idm, handler);
    // the predicate handler takes care that all of the above
    // will only be enacted on relevant web contexts
    handler = new PredicateHandler(exchange -> {
        // No realm configured: the chain is skipped entirely and every request reaches toWrap unauthenticated.
        if (!monitor.getSecurityRealm().isPresent()) {
            return false;
        }
        if (Queries.isAggregatorEndpoint(monitor, exchange.getRelativePath())) {
            return true;
        }
        // Direct health-endpoint calls go through the realm chain only when they carry no token;
        // with a token the predicate is false and the request reaches toWrap without this chain.
        if (Queries.isDirectAccessToHealthEndpoint(monitor, exchange.getRelativePath())) {
            return !hasTokenAuth(exchange);
        }
        return HttpContexts.getDefaultContextNames().contains(exchange.getRelativePath());
    }, handler, toWrap);
    return handler;
}
Also used : DigestQop(io.undertow.security.impl.DigestQop) BasicAuthenticationMechanism(io.undertow.security.impl.BasicAuthenticationMechanism) HttpServerExchange(io.undertow.server.HttpServerExchange) NamingException(javax.naming.NamingException) SecurityRealm(org.jboss.as.domain.management.SecurityRealm) SecurityInitialHandler(io.undertow.security.handlers.SecurityInitialHandler) ArrayList(java.util.ArrayList) AuthenticationMechanismsHandler(io.undertow.security.handlers.AuthenticationMechanismsHandler) DigestAlgorithm(io.undertow.security.idm.DigestAlgorithm) AuthenticationMechanismWrapper(org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper) PredicateHandler(io.undertow.server.handlers.PredicateHandler) CachedAuthenticatedSessionMechanism(io.undertow.security.impl.CachedAuthenticatedSessionMechanism) DigestAuthenticationMechanism(io.undertow.security.impl.DigestAuthenticationMechanism) Vetoed(javax.enterprise.inject.Vetoed) AuthenticationConstraintHandler(io.undertow.security.handlers.AuthenticationConstraintHandler) Set(java.util.Set) AuthenticationMode(io.undertow.security.api.AuthenticationMode) AuthMechanism(org.jboss.as.domain.management.AuthMechanism) HttpHandler(io.undertow.server.HttpHandler) List(java.util.List) SimpleNonceManager(io.undertow.security.impl.SimpleNonceManager) AuthenticationMechanism(io.undertow.security.api.AuthenticationMechanism) RealmIdentityManager(org.jboss.as.domain.http.server.security.RealmIdentityManager) AuthenticationCallHandler(io.undertow.security.handlers.AuthenticationCallHandler) Optional(java.util.Optional) Collections(java.util.Collections)

Example 4 with AuthenticationMechanism

Use of io.undertow.security.api.AuthenticationMechanism in project undertow (by undertow-io).

From class AuthenticationTestBase, method setAuthenticationChain.

@Before
public void setAuthenticationChain() {
    List<AuthenticationMechanism> testMechanisms = getTestMechanisms();
    if (testMechanisms == null) {
        return;
    }
    // Built inside out; the SecurityInitialHandler must end up outermost because it creates the SecurityContext.
    HttpHandler current = new ResponseHandler();
    current = new AuthenticationCallHandler(current);
    current = new AuthenticationConstraintHandler(current);
    current = new AuthenticationMechanismsHandler(current, testMechanisms);
    // Ensure empty on initialisation.
    auditReceiver.takeNotifications();
    // Audit hook: every authentication success/failure is delivered to auditReceiver for the tests to inspect.
    current = new NotificationReceiverHandler(current, Collections.<NotificationReceiver>singleton(auditReceiver));
    if (cachingRequired()) {
        // Stores the authenticated account on the session so later requests skip the mechanisms.
        current = new CachedAuthenticatedSessionHandler(current);
    }
    current = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, current);
    setRootHandler(current);
}
Also used : HttpHandler(io.undertow.server.HttpHandler) AuthenticationConstraintHandler(io.undertow.security.handlers.AuthenticationConstraintHandler) CachedAuthenticatedSessionHandler(io.undertow.security.handlers.CachedAuthenticatedSessionHandler) NotificationReceiverHandler(io.undertow.security.handlers.NotificationReceiverHandler) SecurityInitialHandler(io.undertow.security.handlers.SecurityInitialHandler) AuthenticationMechanismsHandler(io.undertow.security.handlers.AuthenticationMechanismsHandler) NotificationReceiver(io.undertow.security.api.NotificationReceiver) AuthenticationMechanism(io.undertow.security.api.AuthenticationMechanism) AuthenticationCallHandler(io.undertow.security.handlers.AuthenticationCallHandler) Before(org.junit.Before)

Example 5 with AuthenticationMechanism

Use of io.undertow.security.api.AuthenticationMechanism in project cxf (by apache).

From class UndertowBasicAuthHandler, method buildSecurityHandler.

private void buildSecurityHandler() {
    // Minimal chain for HTTP Basic only; identityManager is the field that actually checks the credentials.
    HttpHandler handler = this.next;
    handler = new AuthenticationCallHandler(handler);
    handler = new AuthenticationConstraintHandler(handler);
    // The string is the realm name advertised in the WWW-Authenticate challenge.
    final List<AuthenticationMechanism> mechanisms = Collections.<AuthenticationMechanism>singletonList(new BasicAuthenticationMechanism("My Realm"));
    handler = new AuthenticationMechanismsHandler(handler, mechanisms);
    this.securityHandler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, handler);
}
Also used : CXFUndertowHttpHandler(org.apache.cxf.transport.http_undertow.CXFUndertowHttpHandler) HttpHandler(io.undertow.server.HttpHandler) AuthenticationConstraintHandler(io.undertow.security.handlers.AuthenticationConstraintHandler) SecurityInitialHandler(io.undertow.security.handlers.SecurityInitialHandler) AuthenticationMechanismsHandler(io.undertow.security.handlers.AuthenticationMechanismsHandler) BasicAuthenticationMechanism(io.undertow.security.impl.BasicAuthenticationMechanism) AuthenticationMechanism(io.undertow.security.api.AuthenticationMechanism) AuthenticationCallHandler(io.undertow.security.handlers.AuthenticationCallHandler)
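Every snippet above builds the same four-handler chain, but none of them runs on its own: each depends on a realm, a test base class or a CXF transport, and the IdentityManager that decides whether a password is right is never shown. The following is an added, stand-alone example, not code from wildfly, wildfly-swarm, undertow or cxf. It wires an Undertow server with HTTP Basic through the chain in the order the snippets use and supplies an IdentityManager that checks the password against a salted PBKDF2 hash with a constant-time comparison. The class name BasicAuthServerExample, the in-memory user store, the realm name "Example Realm", the role "user" and the user "alice" are all constructed for the illustration.

```java
// Added example: a stand-alone Undertow server using the handler chain from the snippets above.
// Not code from wildfly, wildfly-swarm, undertow or cxf; class, user store and realm name are constructed.
import io.undertow.Undertow;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.server.HttpHandler;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class BasicAuthServerExample {
    /** Salted PBKDF2-HMAC-SHA256 record; never store the password itself or an unsalted fast hash. */
    static final class StoredPassword {
        final byte[] salt;
        final byte[] hash;
        StoredPassword(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;
    static final SecureRandom RNG = new SecureRandom();
    // Constructed demo user store (username -> record). A real deployment reads this from a realm or directory.
    static final Map<String, StoredPassword> USERS = new HashMap<>();
    // Verified against for unknown users so a wrong username costs the same time as a wrong password.
    static final StoredPassword DUMMY = enroll("not-a-real-password".toCharArray());
    static {
        USERS.put("alice", enroll("correct horse battery staple".toCharArray()));
    }

    static StoredPassword enroll(char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new StoredPassword(salt, derive(password, salt));
    }

    static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }

    /** Minimal Account: the principal name plus one fixed role. */
    static final class SimpleAccount implements Account {
        private final String name;
        SimpleAccount(String name) { this.name = name; }
        @Override public Principal getPrincipal() { return () -> name; }
        @Override public Set<String> getRoles() { return Collections.singleton("user"); }
    }

    /** BasicAuthenticationMechanism calls verify(id, PasswordCredential) with the decoded Authorization header. */
    static final IdentityManager IDM = new IdentityManager() {
        @Override public Account verify(Account account) { return account; } // re-check of a cached account
        @Override public Account verify(String id, Credential credential) {
            if (!(credential instanceof PasswordCredential)) return null;
            StoredPassword stored = USERS.getOrDefault(id, DUMMY);
            byte[] candidate = derive(((PasswordCredential) credential).getPassword(), stored.salt);
            // Constant-time compare; the containsKey check comes after the derivation so timing stays uniform.
            boolean ok = MessageDigest.isEqual(candidate, stored.hash);
            return ok && USERS.containsKey(id) ? new SimpleAccount(id) : null;
        }
        @Override public Account verify(Credential credential) { return null; } // no username-less credentials
    };

    /** Same chain as the snippets above, built inside out. */
    static HttpHandler secure(HttpHandler protectedHandler) {
        HttpHandler h = new AuthenticationCallHandler(protectedHandler); // runs the mechanisms, sends the 401 challenge
        h = new AuthenticationConstraintHandler(h);                       // marks authentication as required
        List<AuthenticationMechanism> mechs =
                Collections.singletonList(new BasicAuthenticationMechanism("Example Realm"));
        h = new AuthenticationMechanismsHandler(h, mechs);                // registers the mechanisms on the SecurityContext
        // Outermost: creates the SecurityContext the inner handlers rely on.
        return new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, IDM, h);
    }

    public static void main(String[] args) {
        HttpHandler whoami = exchange -> exchange.getResponseSender().send(
                "authenticated as " + exchange.getSecurityContext().getAuthenticatedAccount().getPrincipal().getName() + "\n");
        Undertow server = Undertow.builder()
                .addHttpListener(8080, "127.0.0.1") // loopback only: Basic sends the password in clear without TLS
                .setHandler(secure(whoami))
                .build();
        server.start();
    }
}
```

With the server running, `curl -u alice:'correct horse battery staple' http://127.0.0.1:8080/` returns 200 with "authenticated as alice", while a request without credentials gets 401 and `WWW-Authenticate: Basic realm="Example Realm"`. Two design points carry over to the real code above: SecurityInitialHandler has to be outermost or the inner handlers find no SecurityContext, and dropping AuthenticationConstraintHandler turns the chain into "authenticate if credentials happen to be present", which is how an endpoint ends up reachable anonymously.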

Aggregations

AuthenticationMechanism (io.undertow.security.api.AuthenticationMechanism) 16
AuthenticationMechanismsHandler (io.undertow.security.handlers.AuthenticationMechanismsHandler) 12
SecurityInitialHandler (io.undertow.security.handlers.SecurityInitialHandler) 12
HttpHandler (io.undertow.server.HttpHandler) 12
AuthenticationCallHandler (io.undertow.security.handlers.AuthenticationCallHandler) 11
AuthenticationConstraintHandler (io.undertow.security.handlers.AuthenticationConstraintHandler) 11
BasicAuthenticationMechanism (io.undertow.security.impl.BasicAuthenticationMechanism) 10
DigestAuthenticationMechanism (io.undertow.security.impl.DigestAuthenticationMechanism) 5
CachedAuthenticatedSessionMechanism (io.undertow.security.impl.CachedAuthenticatedSessionMechanism) 4
ArrayList (java.util.ArrayList) 4
NotificationReceiver (io.undertow.security.api.NotificationReceiver) 3
NotificationReceiverHandler (io.undertow.security.handlers.NotificationReceiverHandler) 3
IdentityManager (io.undertow.security.idm.IdentityManager) 3
DigestQop (io.undertow.security.impl.DigestQop) 3
SimpleNonceManager (io.undertow.security.impl.SimpleNonceManager) 3
HttpServerExchange (io.undertow.server.HttpServerExchange) 3
AuthenticationMechanismFactory (io.undertow.security.api.AuthenticationMechanismFactory) 2
AuthenticationMode (io.undertow.security.api.AuthenticationMode) 2
DigestAlgorithm (io.undertow.security.idm.DigestAlgorithm) 2
FormAuthenticationMechanism (io.undertow.security.impl.FormAuthenticationMechanism) 2