Example 11 with SecurityInitialHandler

Use of io.undertow.security.handlers.SecurityInitialHandler in project undertow by undertow-io.

The class BasicAuthServer, method addSecurity.

private static HttpHandler addSecurity(final HttpHandler toWrap, final IdentityManager identityManager) {
    HttpHandler handler = toWrap;
    // Handlers are wrapped inside-out: the last one wrapped here is the first to run on a request.
    // Innermost security handler: runs the registered mechanisms and, if authentication is
    // required but fails, ends the exchange after the mechanisms have sent their challenge.
    handler = new AuthenticationCallHandler(handler);
    // Marks every request passing through as requiring authentication.
    handler = new AuthenticationConstraintHandler(handler);
    final List<AuthenticationMechanism> mechanisms = Collections.<AuthenticationMechanism>singletonList(new BasicAuthenticationMechanism("My Realm"));
    // Registers the HTTP Basic mechanism on the exchange's SecurityContext.
    handler = new AuthenticationMechanismsHandler(handler, mechanisms);
    // Outermost handler: creates the SecurityContext backed by identityManager. PRO_ACTIVE means
    // supplied credentials are verified on every request, not only where a constraint demands it.
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, handler);
    return handler;
}
Also used:
io.undertow.server.HttpHandler
io.undertow.security.handlers.AuthenticationConstraintHandler
io.undertow.security.handlers.SecurityInitialHandler
io.undertow.security.handlers.AuthenticationMechanismsHandler
io.undertow.security.impl.BasicAuthenticationMechanism
io.undertow.security.api.AuthenticationMechanism
io.undertow.security.handlers.AuthenticationCallHandler

Example 12 with SecurityInitialHandler

Use of io.undertow.security.handlers.SecurityInitialHandler in project undertow by undertow-io.

The class SsoTestCase, method setup.

@BeforeClass
public static void setup() {
    // One SSO mechanism shared by both paths, so a login established on /test1 is honoured on /test2.
    // identityManager and auditReceiver are static fields of the test class, defined elsewhere.
    final SingleSignOnAuthenticationMechanism sso = new SingleSignOnAuthenticationMechanism(new InMemorySingleSignOnManager());
    final PathHandler path = new PathHandler();
    // /test1: SSO first, then HTTP Basic. Handlers wrap inside-out, so SecurityInitialHandler runs first.
    HttpHandler current = new ResponseHandler();
    current = new AuthenticationCallHandler(current);
    current = new AuthenticationConstraintHandler(current);
    List<AuthenticationMechanism> mechs = new ArrayList<>();
    mechs.add(sso);
    mechs.add(new BasicAuthenticationMechanism("Test Realm"));
    current = new AuthenticationMechanismsHandler(current, mechs);
    // Security events (authenticated, failed, logged out) are delivered to the audit receiver.
    current = new NotificationReceiverHandler(current, Collections.<NotificationReceiver>singleton(auditReceiver));
    current = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, current);
    path.addPrefixPath("/test1", current);
    // /test2: the same SSO mechanism, but FORM authentication instead of Basic.
    current = new ResponseHandler();
    current = new AuthenticationCallHandler(current);
    current = new AuthenticationConstraintHandler(current);
    mechs = new ArrayList<>();
    mechs.add(sso);
    mechs.add(new FormAuthenticationMechanism("form", "/login", "/error"));
    current = new AuthenticationMechanismsHandler(current, mechs);
    current = new NotificationReceiverHandler(current, Collections.<NotificationReceiver>singleton(auditReceiver));
    current = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, current);
    path.addPrefixPath("/test2", current);
    // The form login page itself simply answers 401 in this test.
    path.addPrefixPath("/login", new ResponseCodeHandler(StatusCodes.UNAUTHORIZED));
    // Both SSO and FORM rely on a session; attach one (cookie based) before the path handler runs.
    DefaultServer.setRootHandler(new SessionAttachmentHandler(path, new InMemorySessionManager(""), new SessionCookieConfig()));
}
Also used:
io.undertow.server.HttpHandler
io.undertow.security.handlers.AuthenticationConstraintHandler
io.undertow.security.impl.FormAuthenticationMechanism
io.undertow.security.impl.SingleSignOnAuthenticationMechanism
io.undertow.security.impl.BasicAuthenticationMechanism
io.undertow.security.api.AuthenticationMechanism
java.util.ArrayList
io.undertow.server.handlers.PathHandler
io.undertow.server.handlers.ResponseCodeHandler
io.undertow.server.session.SessionAttachmentHandler
io.undertow.security.impl.InMemorySingleSignOnManager
io.undertow.security.handlers.NotificationReceiverHandler
io.undertow.security.handlers.SecurityInitialHandler
io.undertow.security.handlers.AuthenticationMechanismsHandler
io.undertow.security.api.NotificationReceiver
io.undertow.security.handlers.AuthenticationCallHandler
io.undertow.server.session.SessionCookieConfig
io.undertow.server.session.InMemorySessionManager
org.junit.BeforeClass

Example 13 with SecurityInitialHandler

Use of io.undertow.security.handlers.SecurityInitialHandler in project undertow by undertow-io.

The class DeploymentManagerImpl, method setupSecurityHandlers.

/**
 * Sets up the outer security handlers.
 * <p>
 * The handler that actually performs the access check runs later in the chain; it is not set up here.
 *
 * @param initialHandler The handler to wrap with security handlers
 */
private HttpHandler setupSecurityHandlers(HttpHandler initialHandler) {
    final DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
    final LoginConfig loginConfig = deploymentInfo.getLoginConfig();
    HttpHandler current = initialHandler;
    // Handlers wrap inside-out: the last one wrapped at the bottom of this method runs first on a request.
    // Exposes TLS session details (e.g. the client certificate chain) as servlet request attributes.
    current = new SSLInformationAssociationHandler(current);
    final SecurityPathMatches securityPathMatches = buildSecurityConstraints();
    securityPathMatches.logWarningsAboutUncoveredMethods();
    // Innermost security handler: runs the registered mechanisms and enforces the outcome.
    current = new ServletAuthenticationCallHandler(current);
    for (HandlerWrapper wrapper : deploymentInfo.getSecurityWrappers()) {
        current = wrapper.wrap(current);
    }
    if (deploymentInfo.isDisableCachingForSecuredPages()) {
        // Responses that required authentication must not be cached by browsers or intermediaries.
        current = Handlers.predicate(Predicates.authRequired(), Handlers.disableCache(current), current);
    }
    if (!securityPathMatches.isEmpty()) {
        current = new ServletAuthenticationConstraintHandler(current);
    }
    // Enforces transport-guarantee CONFIDENTIAL by redirecting plain HTTP requests to the confidential port.
    current = new ServletConfidentialityConstraintHandler(deploymentInfo.getConfidentialPortManager(), current);
    if (!securityPathMatches.isEmpty()) {
        // Matches the request against the deployment's security constraints and records the required roles.
        current = new ServletSecurityConstraintHandler(securityPathMatches, current);
    }
    HandlerWrapper initialSecurityWrapper = deploymentInfo.getInitialSecurityWrapper();
    String mechName = null;
    if (initialSecurityWrapper == null) {
        // Built-in mechanism factories are registered only where the deployment has not supplied its own.
        final Map<String, AuthenticationMechanismFactory> factoryMap = new HashMap<>(deploymentInfo.getAuthenticationMechanisms());
        final IdentityManager identityManager = deploymentInfo.getIdentityManager();
        if (!factoryMap.containsKey(BASIC_AUTH)) {
            factoryMap.put(BASIC_AUTH, BasicAuthenticationMechanism.FACTORY);
        }
        if (!factoryMap.containsKey(FORM_AUTH)) {
            factoryMap.put(FORM_AUTH, ServletFormAuthenticationMechanism.FACTORY);
        }
        if (!factoryMap.containsKey(DIGEST_AUTH)) {
            factoryMap.put(DIGEST_AUTH, DigestAuthenticationMechanism.FACTORY);
        }
        if (!factoryMap.containsKey(CLIENT_CERT_AUTH)) {
            factoryMap.put(CLIENT_CERT_AUTH, ClientCertAuthenticationMechanism.FACTORY);
        }
        if (!factoryMap.containsKey(ExternalAuthenticationMechanism.NAME)) {
            factoryMap.put(ExternalAuthenticationMechanism.NAME, ExternalAuthenticationMechanism.FACTORY);
        }
        if (!factoryMap.containsKey(GenericHeaderAuthenticationMechanism.NAME)) {
            factoryMap.put(GenericHeaderAuthenticationMechanism.NAME, GenericHeaderAuthenticationMechanism.FACTORY);
        }
        List<AuthenticationMechanism> authenticationMechanisms = new LinkedList<>();
        if (deploymentInfo.isUseCachedAuthenticationMechanism()) {
            // Tried first: reuses an account already cached in the HTTP session instead of re-authenticating.
            authenticationMechanisms.add(new CachedAuthenticatedSessionMechanism(identityManager));
        }
        if (loginConfig != null || deploymentInfo.getJaspiAuthenticationMechanism() != null) {
            // we don't allow multipart requests, and use the default encoding when it's set
            FormEncodedDataDefinition formEncodedDataDefinition = new FormEncodedDataDefinition();
            String reqEncoding = deploymentInfo.getDefaultRequestEncoding();
            if (reqEncoding == null) {
                reqEncoding = deploymentInfo.getDefaultEncoding();
            }
            if (reqEncoding != null) {
                formEncodedDataDefinition.setDefaultEncoding(reqEncoding);
            }
            FormParserFactory parser = FormParserFactory.builder(false).addParser(formEncodedDataDefinition).build();
            List<AuthMethodConfig> authMethods = Collections.<AuthMethodConfig>emptyList();
            if (loginConfig != null) {
                authMethods = loginConfig.getAuthMethods();
            }
            for (AuthMethodConfig method : authMethods) {
                AuthenticationMechanismFactory factory = factoryMap.get(method.getName());
                if (factory == null) {
                    throw UndertowServletMessages.MESSAGES.unknownAuthenticationMechanism(method.getName());
                }
                if (mechName == null) {
                    mechName = method.getName();
                }
                final Map<String, String> properties = new HashMap<>();
                properties.put(AuthenticationMechanismFactory.CONTEXT_PATH, deploymentInfo.getContextPath());
                properties.put(AuthenticationMechanismFactory.REALM, loginConfig.getRealmName());
                properties.put(AuthenticationMechanismFactory.ERROR_PAGE, loginConfig.getErrorPage());
                properties.put(AuthenticationMechanismFactory.LOGIN_PAGE, loginConfig.getLoginPage());
                properties.putAll(method.getProperties());
                String name = method.getName().toUpperCase(Locale.US);
                // The mechanism name is passed in from the HttpServletRequest interface as the name reported needs to be
                // comparable using '=='
                name = name.equals(FORM_AUTH) ? FORM_AUTH : name;
                name = name.equals(BASIC_AUTH) ? BASIC_AUTH : name;
                name = name.equals(DIGEST_AUTH) ? DIGEST_AUTH : name;
                name = name.equals(CLIENT_CERT_AUTH) ? CLIENT_CERT_AUTH : name;
                authenticationMechanisms.add(factory.create(name, identityManager, parser, properties));
            }
        }
        deployment.setAuthenticationMechanisms(authenticationMechanisms);
        // if the JASPI auth mechanism is set then it takes over
        if (deploymentInfo.getJaspiAuthenticationMechanism() == null) {
            current = new AuthenticationMechanismsHandler(current, authenticationMechanisms);
        } else {
            current = new AuthenticationMechanismsHandler(current, Collections.<AuthenticationMechanism>singletonList(deploymentInfo.getJaspiAuthenticationMechanism()));
        }
        // Stores the authenticated account in the session so the cached mechanism above can find it.
        current = new CachedAuthenticatedSessionHandler(current, this.deployment.getServletContext());
    }
    List<NotificationReceiver> notificationReceivers = deploymentInfo.getNotificationReceivers();
    if (!notificationReceivers.isEmpty()) {
        current = new NotificationReceiverHandler(current, notificationReceivers);
    }
    if (initialSecurityWrapper == null) {
        // TODO - A switch to constraint driven could be configurable, however before we can support that with servlets we would
        // need additional tracking within sessions if a servlet has specifically requested that authentication occurs.
        SecurityContextFactory contextFactory = deploymentInfo.getSecurityContextFactory();
        if (contextFactory == null) {
            contextFactory = SecurityContextFactoryImpl.INSTANCE;
        }
        // Outermost handler: creates the SecurityContext. mechName (the first configured auth-method) is the
        // mechanism name recorded for programmatic logins.
        current = new SecurityInitialHandler(deploymentInfo.getAuthenticationMode(), deploymentInfo.getIdentityManager(), mechName, contextFactory, current);
    } else {
        current = initialSecurityWrapper.wrap(current);
    }
    return current;
}
Also used:
io.undertow.security.idm.IdentityManager
java.util.HashMap
io.undertow.servlet.handlers.security.SecurityPathMatches
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler
io.undertow.server.HandlerWrapper
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler
io.undertow.servlet.handlers.security.ServletAuthenticationConstraintHandler
io.undertow.security.handlers.SecurityInitialHandler
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler
io.undertow.servlet.api.AuthMethodConfig
io.undertow.servlet.api.LoginConfig
io.undertow.servlet.api.DeploymentInfo
io.undertow.server.HttpHandler
io.undertow.security.impl.CachedAuthenticatedSessionMechanism
io.undertow.security.impl.ClientCertAuthenticationMechanism
io.undertow.security.impl.ExternalAuthenticationMechanism
io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism
io.undertow.security.impl.BasicAuthenticationMechanism
io.undertow.security.impl.DigestAuthenticationMechanism
io.undertow.security.api.AuthenticationMechanism
io.undertow.security.impl.GenericHeaderAuthenticationMechanism
java.util.LinkedList
io.undertow.server.handlers.form.FormParserFactory
io.undertow.security.handlers.NotificationReceiverHandler
io.undertow.security.handlers.AuthenticationMechanismsHandler
io.undertow.security.api.NotificationReceiver
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler
io.undertow.server.handlers.form.FormEncodedDataDefinition
io.undertow.security.api.AuthenticationMechanismFactory
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler
io.undertow.security.api.SecurityContextFactory

Example 14 with SecurityInitialHandler

Use of io.undertow.security.handlers.SecurityInitialHandler in project syncany by syncany.

The class WebServer, method addSecurity.

private static HttpHandler addSecurity(final HttpHandler toWrap, IdentityManager identityManager) {
    // Single HTTP Basic mechanism; the realm name is what the client sees in the WWW-Authenticate challenge.
    List<AuthenticationMechanism> mechanisms = Collections.<AuthenticationMechanism>singletonList(new BasicAuthenticationMechanism("Syncany"));
    HttpHandler handler = toWrap;
    // Wrapped inside-out: SecurityInitialHandler (last wrapped) runs first, AuthenticationCallHandler last.
    handler = new AuthenticationCallHandler(handler);
    // Every request through this chain requires authentication.
    handler = new AuthenticationConstraintHandler(handler);
    handler = new AuthenticationMechanismsHandler(handler, mechanisms);
    // PRO_ACTIVE: credentials are checked on every request, with identityManager verifying them.
    handler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, handler);
    return handler;
}
Also used:
io.undertow.server.HttpHandler
io.undertow.security.handlers.AuthenticationConstraintHandler
io.undertow.security.handlers.SecurityInitialHandler
io.undertow.security.handlers.AuthenticationMechanismsHandler
io.undertow.security.impl.BasicAuthenticationMechanism
io.undertow.security.api.AuthenticationMechanism
io.undertow.security.handlers.AuthenticationCallHandler

Example 15 with SecurityInitialHandler

Use of io.undertow.security.handlers.SecurityInitialHandler in project keycloak by keycloak.

The class CxfKeycloakAuthHandler, method getSecurityHandler.

private HttpHandler getSecurityHandler() {
    // Built lazily on first use; securityHandler is an atomic reference, so concurrent callers are safe.
    if (this.securityHandler.get() == null) {
        HttpHandler handler = this.next;
        handler = new AuthenticationCallHandler(handler);
        handler = new AuthenticationConstraintHandler(handler);
        AdapterDeploymentContext deploymentContext = buildDeploymentContext();
        // The only mechanism is the Keycloak adapter's, which performs OIDC authentication for the
        // configured deployment; Undertow's own Basic/Form/Digest mechanisms are not registered.
        final List<AuthenticationMechanism> mechanisms = Collections.<AuthenticationMechanism>singletonList(new UndertowAuthenticationMechanism(deploymentContext, userSessionManagement, nodesRegistrationManagement, confidentialPort, null));
        handler = new AuthenticationMechanismsHandler(handler, mechanisms);
        // "KEYCLOAK" is the mechanism name recorded for programmatic logins. compareAndSet keeps
        // the first chain built if two threads race through this method.
        this.securityHandler.compareAndSet(null, new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, IDENTITY_MANAGER, "KEYCLOAK", handler));
    }
    return this.securityHandler.get();
}
Also used:
org.apache.cxf.transport.http_undertow.CXFUndertowHttpHandler
io.undertow.server.HttpHandler
io.undertow.security.handlers.AuthenticationConstraintHandler
org.keycloak.adapters.undertow.UndertowAuthenticationMechanism
io.undertow.security.handlers.SecurityInitialHandler
io.undertow.security.handlers.AuthenticationMechanismsHandler
io.undertow.security.api.AuthenticationMechanism
io.undertow.security.handlers.AuthenticationCallHandler
org.keycloak.adapters.AdapterDeploymentContext