
Example 1 with ServletRequestContext

use of io.undertow.servlet.handlers.ServletRequestContext in project wildfly by wildfly.

Class LogoutSessionListener, method sessionDestroyed.

/**
 * Clears the authenticated account(s) tied to a session that is being destroyed.
 *
 * <p>The account may be reachable from two places: the security context of the request
 * that is currently executing (if the listener fires inside a request), and the
 * authenticated session cached on the underlying Undertow {@code Session} under the
 * {@code CachedAuthenticatedSessionHandler} attribute. Both are consulted; the cached
 * account is cleared only when it is not the same account already cleared via the request.
 *
 * @param se the event carrying the session that is being destroyed
 */
@Override
public void sessionDestroyed(HttpSessionEvent se) {
    // Option 1: the account attached to the request currently in flight, if any.
    Account accountFromRequest = null;
    ServletRequestContext currentRequest = ServletRequestContext.current();
    if (currentRequest != null) {
        accountFromRequest = currentRequest.getExchange().getSecurityContext().getAuthenticatedAccount();
        if (accountFromRequest != null) {
            clearAccount(accountFromRequest);
        }
    }
    // Option 2: the account cached on the Undertow session behind the servlet session.
    if (!(se.getSession() instanceof HttpSessionImpl)) {
        return;
    }
    final HttpSessionImpl sessionImpl = (HttpSessionImpl) se.getSession();
    final Session undertowSession;
    if (WildFlySecurityManager.isChecking()) {
        // With a security manager active, unwrap the session inside a privileged action.
        undertowSession = WildFlySecurityManager.doChecked(new PrivilegedAction<Session>() {
            @Override
            public Session run() {
                return sessionImpl.getSession();
            }
        });
    } else {
        undertowSession = sessionImpl.getSession();
    }
    if (undertowSession == null) {
        return;
    }
    final String attributeName = CachedAuthenticatedSessionHandler.class.getName() + ".AuthenticatedSession";
    AuthenticatedSessionManager.AuthenticatedSession cached = (AuthenticatedSessionManager.AuthenticatedSession) undertowSession.getAttribute(attributeName);
    if (cached == null) {
        return;
    }
    Account accountFromSession = cached.getAccount();
    // Skip when request and session hold the same account: it was already cleared above.
    if (accountFromSession != null && !accountFromSession.equals(accountFromRequest)) {
        clearAccount(accountFromSession);
    }
}

Example 2 with ServletRequestContext

use of io.undertow.servlet.handlers.ServletRequestContext in project wildfly by wildfly.

Class JASPICSecureResponseHandler, method handleRequest.

/**
 * Runs the wrapped handler and afterwards lets the JASPIC server auth module secure the response.
 *
 * <p>{@code secureResponse} is invoked only when a {@code JASPICContext} is attached to the
 * exchange and no auth exception was recorded for it. A SAM may wrap or replace the HTTP
 * request/response objects, so the servlet request context is refreshed from the message info
 * afterwards. Any failure in this phase is logged rather than propagated, so the outcome of the
 * wrapped handler is never masked.
 *
 * @param exchange the exchange being processed
 * @throws Exception whatever {@code next.handleRequest} throws
 */
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    try {
        next.handleRequest(exchange);
    } finally {
        secureResponse(exchange);
    }
}

/**
 * Best-effort {@code secureResponse} phase; errors are logged and swallowed on purpose.
 *
 * @param exchange the exchange whose response is being secured
 */
private void secureResponse(HttpServerExchange exchange) {
    try {
        JASPICContext jaspicContext = exchange.getAttachment(JASPICContext.ATTACHMENT_KEY);
        ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        String appIdentifier = JASPICAuthenticationMechanism.buildApplicationIdentifier(requestContext);
        boolean skip = JASPICAuthenticationMechanism.wasAuthExceptionThrown(exchange) || jaspicContext == null;
        if (skip) {
            return;
        }
        UndertowLogger.ROOT_LOGGER.debugf("secureResponse for layer [%s] and applicationContextIdentifier [%s].", JASPICAuthenticationMechanism.JASPI_HTTP_SERVLET_LAYER, appIdentifier);
        jaspicContext.getSam().secureResponse(jaspicContext.getMessageInfo(), new Subject(), JASPICAuthenticationMechanism.JASPI_HTTP_SERVLET_LAYER, appIdentifier, jaspicContext.getCbh());
        // The SAM may have unwrapped the request/response objects: re-read the servlet request
        // context after the call and update it from the message info.
        ServletRequestContext refreshed = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        refreshed.setServletRequest((HttpServletRequest) jaspicContext.getMessageInfo().getRequestMessage());
        refreshed.setServletResponse((HttpServletResponse) jaspicContext.getMessageInfo().getResponseMessage());
    } catch (Exception e) {
        UndertowLogger.ROOT_LOGGER.errorInvokingSecureResponse(e);
    }
}

Example 3 with ServletRequestContext

use of io.undertow.servlet.handlers.ServletRequestContext in project wildfly by wildfly.

Class JASPICSecurityContext, method buildAppContext.

/**
 * Builds the JASPIC application context identifier for the current exchange.
 *
 * <p>The identifier is the servlet context's virtual server name followed by its context
 * path, separated by a single space.
 *
 * @return a {@code String} representing the application context.
 */
private String buildAppContext() {
    final ServletRequestContext ctx = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final ServletRequest request = ctx.getServletRequest();
    final StringBuilder appContext = new StringBuilder();
    appContext.append(request.getServletContext().getVirtualServerName());
    appContext.append(' ');
    appContext.append(request.getServletContext().getContextPath());
    return appContext.toString();
}

Example 4 with ServletRequestContext

use of io.undertow.servlet.handlers.ServletRequestContext in project wildfly by wildfly.

Class HTTPSchemeServerAuthModule, method validateRequest.

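/**
 * Validates the request by delegating to the deployment's configured Undertow
 * {@link AuthenticationMechanism}s, bridging them into the JASPIC SAM contract.
 *
 * <p>Mechanisms are tried in order: the first {@code AUTHENTICATED} outcome succeeds, the first
 * {@code NOT_AUTHENTICATED} outcome stops the loop, and any other outcome moves on to the next
 * mechanism. When no mechanism authenticated the request the result depends on the
 * {@code isMandatory} policy flag in the message info map: a non-mandatory policy yields
 * {@code SUCCESS} without an identity, a mandatory one sends the mechanisms' challenges (stopping
 * once the response is complete) and yields {@code SEND_CONTINUE}.
 *
 * @param messageInfo carries the exchange and security context under the
 *        {@code JASPICAuthenticationMechanism} attachment keys
 * @param clientSubject not used by this module
 * @param serviceSubject not used by this module
 * @return {@code SUCCESS} or {@code SEND_CONTINUE}
 * @throws AuthException if a mechanism throws while authenticating or challenging; the
 *         underlying exception is attached as the cause
 */
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServerExchange exchange = (HttpServerExchange) messageInfo.getMap().get(JASPICAuthenticationMechanism.HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY);
    SecurityContext securityContext = (SecurityContext) messageInfo.getMap().get(JASPICAuthenticationMechanism.SECURITY_CONTEXT_ATTACHMENT_KEY);
    ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    List<AuthenticationMechanism> mechanisms = src.getDeployment().getAuthenticationMechanisms();
    try {
        boolean success = false;
        for (AuthenticationMechanism mechanism : mechanisms) {
            AuthenticationMechanism.AuthenticationMechanismOutcome result = mechanism.authenticate(exchange, securityContext);
            if (result == AUTHENTICATED) {
                success = true;
                break;
            } else if (result == NOT_AUTHENTICATED) {
                // A definite failure: later mechanisms must not override it.
                break;
            }
        }
        if (!success) {
            String mandatory = (String) messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory");
            // Locale-independent comparison (the former toLowerCase() used the default locale);
            // a null flag is treated as mandatory, as before.
            if ("false".equalsIgnoreCase(mandatory)) {
                return SUCCESS;
            }
            for (AuthenticationMechanism mechanism : mechanisms) {
                AuthenticationMechanism.ChallengeResult challengeResult = mechanism.sendChallenge(exchange, securityContext);
                if (challengeResult.getDesiredResponseCode() != null) {
                    exchange.setResponseCode(challengeResult.getDesiredResponseCode());
                }
                if (exchange.isResponseComplete()) {
                    break;
                }
            }
            return SEND_CONTINUE;
        }
    } catch (Exception e) {
        UndertowLogger.ROOT_LOGGER.debug(e);
        // javax AuthException has no (message, cause) constructor, so attach the cause explicitly
        // instead of dropping it. The message previously lacked the closing bracket.
        AuthException authException = new AuthException("Could not validateRequest using mechanisms [" + mechanisms + "].");
        authException.initCause(e);
        throw authException;
    }
    return SUCCESS;
}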

Example 5 with ServletRequestContext

use of io.undertow.servlet.handlers.ServletRequestContext in project wildfly by wildfly.

Class AuditNotificationReceiver, method handleNotification.

/**
 * Records an audit event for authentication outcomes.
 *
 * <p>Only {@code AUTHENTICATED} and {@code FAILED_AUTHENTICATION} notifications are audited;
 * every other event type is ignored. The audit context map carries the principal name (when an
 * account is present), the notification message, a summary of the HTTP request (when the
 * exchange has a servlet request context wrapping an {@code HttpServletRequest}) and the
 * canonical name of this receiver class under the {@code "Source"} key.
 *
 * @param notification the Undertow security notification
 */
@Override
public void handleNotification(SecurityNotification notification) {
    final EventType type = notification.getEventType();
    final boolean authenticated = type == EventType.AUTHENTICATED;
    final boolean failed = type == EventType.FAILED_AUTHENTICATION;
    if (!authenticated && !failed) {
        return;
    }
    final AuditLevel level = authenticated ? AuditLevel.SUCCESS : AuditLevel.FAILURE;
    final AuditEvent auditEvent = new AuditEvent(level);
    final Map<String, Object> context = new HashMap<String, Object>();
    final Account account = notification.getAccount();
    if (account != null) {
        context.put("principal", account.getPrincipal().getName());
    }
    context.put("message", notification.getMessage());
    final ServletRequestContext requestContext = notification.getExchange().getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    if (requestContext != null) {
        final ServletRequest request = requestContext.getServletRequest();
        if (request instanceof HttpServletRequest) {
            context.put("request", WebUtil.deriveUsefulInfo((HttpServletRequest) request));
        }
    }
    context.put("Source", getClass().getCanonicalName());
    auditEvent.setContextMap(context);
    auditManager.audit(auditEvent);
}

