use of jakarta.security.auth.message.config.AuthConfigProvider in project tomcat by apache.
the class AuthenticatorBase method logout.
/**
 * Logs the current user out of the given request.
 * <p>
 * When a JASPIC provider is configured and a client {@link Subject} was
 * recorded on the request under {@code Constants.REQ_JASPIC_SUBJECT_NOTE},
 * the provider's {@link ServerAuthContext#cleanSubject} is invoked for that
 * subject; an {@link AuthException} from that step is logged at debug level
 * and does not abort the logout. Any {@link TomcatPrincipal} attached to the
 * request is then asked to log itself out (again, failures are logged, not
 * propagated), and finally {@link #register} is called with null
 * principal / auth type / credentials to clear the authenticated state.
 *
 * @param request the request whose authenticated user is being logged out
 */
@Override
public void logout(Request request) {
    AuthConfigProvider jaspic = getJaspicProvider();
    if (jaspic != null) {
        MessageInfo info = new MessageInfoImpl(request, request.getResponse(), true);
        Subject clientSubject = (Subject) request.getNote(Constants.REQ_JASPIC_SUBJECT_NOTE);
        if (clientSubject != null) {
            try {
                ServerAuthConfig config =
                        jaspic.getServerAuthConfig("HttpServlet", jaspicAppContextID, getCallbackHandler());
                ServerAuthContext authContext =
                        config.getAuthContext(config.getAuthContextID(info), null, null);
                authContext.cleanSubject(info, clientSubject);
            } catch (AuthException e) {
                // Best effort: the container-side logout below still proceeds.
                log.debug(sm.getString("authenticator.jaspicCleanSubjectFail"), e);
            }
        }
    }

    Principal current = request.getPrincipal();
    if (current instanceof TomcatPrincipal) {
        try {
            ((TomcatPrincipal) current).logout();
        } catch (Throwable t) {
            // Rethrows fatal errors (ThreadDeath, VM errors); everything else is logged.
            ExceptionUtils.handleThrowable(t);
            log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
        }
    }

    // Null principal, auth type and credentials: clears the request/session auth state.
    register(request, request.getResponse(), null, null, null, null);
}
use of jakarta.security.auth.message.config.AuthConfigProvider in project tomcat by apache.
the class AuthenticatorBase method findJaspicProvider.
/**
 * Looks up the JASPIC {@link AuthConfigProvider} registered for the
 * {@code "HttpServlet"} layer and this context's application context ID,
 * registering this authenticator as the listener for that registration,
 * and caches the outcome in {@code jaspicProvider}.
 *
 * @return the provider wrapped in an {@link Optional}; empty when no
 *         {@link AuthConfigFactory} is installed or the factory has no
 *         provider for this layer / application context
 */
private Optional<AuthConfigProvider> findJaspicProvider() {
    Optional<AuthConfigProvider> found = Optional.empty();
    AuthConfigFactory factory = AuthConfigFactory.getFactory();
    if (factory != null) {
        // "this" is passed as the RegistrationListener so the authenticator is
        // told when the registration for this layer/app context changes.
        found = Optional.ofNullable(
                factory.getConfigProvider("HttpServlet", jaspicAppContextID, this));
    }
    jaspicProvider = found;
    return found;
}
use of jakarta.security.auth.message.config.AuthConfigProvider in project tomcat by apache.
the class AuthenticatorBase method invoke.
// --------------------------------------------------------- Public Methods
/**
 * Enforce the security restrictions in the web application deployment
 * descriptor of our associated Context.
 * <p>
 * The steps run in this order, and the order matters because some of them
 * write to the response before authentication has been attempted:
 * <ol>
 * <li>if principal caching is enabled, restore a principal cached in the
 *     session onto the request;</li>
 * <li>find the security constraints matching the request and decide whether
 *     authentication is required (a configured JASPIC provider always
 *     requires it);</li>
 * <li>set anti-caching headers on constrained, non-POST responses;</li>
 * <li>enforce user-data (transport) constraints;</li>
 * <li>optionally let a CORS preflight request bypass the remaining checks;</li>
 * <li>authenticate, via JASPIC or the container authenticator;</li>
 * <li>enforce the role-based resource permission;</li>
 * <li>invoke the next valve and, for JASPIC, secure the response.</li>
 * </ol>
 * Every enforcement step that fails returns without invoking the next valve;
 * the callee is expected to have set the HTTP status on the response already.
 *
 * @param request
 * Request to be processed
 * @param response
 * Response to be processed
 *
 * @exception IOException
 * if an input/output error occurs
 * @exception ServletException
 * if thrown by a processing element
 */
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
    if (log.isDebugEnabled()) {
        log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
    }
    // Have we got a cached authenticated Principal to record?
    // Only when the request carries no principal yet and the session (not
    // created here: getSessionInternal(false)) already holds one.
    if (cache) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("We have cached auth type " + session.getAuthType() + " for principal " + principal);
                    }
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(principal);
                }
            }
        }
    }
    // isContinuationRequired() is defined elsewhere; presumably it reports an
    // authentication exchange already in progress for this request.
    boolean authRequired = isContinuationRequired(request);
    Realm realm = this.context.getRealm();
    // Is this request URI subject to a security constraint?
    SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
    // A registered JASPIC provider takes over authentication for every
    // request, constrained or not.
    AuthConfigProvider jaspicProvider = getJaspicProvider();
    if (jaspicProvider != null) {
        authRequired = true;
    }
    // No matching constraint, no preemptive authentication and nothing in
    // progress: unconstrained resources pass straight through.
    if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
        if (log.isDebugEnabled()) {
            log.debug("Not subject to any constraint");
        }
        getNext().invoke(request, response);
        return;
    }
    // Make sure that constrained resources are not cached by web proxies
    // or browsers as caching can provide a security hole.
    // Applied only when a constraint matched (so not for resources protected
    // solely by a JASPIC provider) and never for POST. NOTE(review): confirm
    // that leaving JASPIC-only resources cacheable here is intended.
    if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
        if (securePagesWithPragma) {
            // Note: These can cause problems with downloading files with IE
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
            response.setHeader("Expires", DATE_ONE);
        } else {
            response.setHeader("Cache-Control", "private");
        }
    }
    if (constraints != null) {
        // Enforce any user data constraint for this security constraint
        // (transport guarantee, e.g. confidentiality) before any credentials
        // are requested.
        if (log.isDebugEnabled()) {
            log.debug("Calling hasUserDataPermission()");
        }
        if (!realm.hasUserDataPermission(request, response, constraints)) {
            if (log.isDebugEnabled()) {
                log.debug("Failed hasUserDataPermission() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    // Since authenticate modifies the response on failure,
    // we have to check for allow-from-all first.
    // hasAuthConstraint ends up true only if every matched constraint has an
    // auth-constraint that actually restricts access: all-roles ("*"),
    // authenticated-users ("**"), or a non-empty role list. A constraint
    // whose auth-constraint names no roles does not trigger authentication
    // here; it is left to hasResourcePermission() below.
    boolean hasAuthConstraint = false;
    if (constraints != null) {
        hasAuthConstraint = true;
        for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
            if (!constraints[i].getAuthConstraint()) {
                hasAuthConstraint = false;
            } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
                String[] roles = constraints[i].findAuthRoles();
                if (roles == null || roles.length == 0) {
                    hasAuthConstraint = false;
                }
            }
        }
    }
    if (!authRequired && hasAuthConstraint) {
        authRequired = true;
    }
    // Preemptive authentication: credentials offered by the client on an
    // unconstrained resource are still checked (isPreemptiveAuthPossible()
    // is defined elsewhere).
    if (!authRequired && context.getPreemptiveAuthentication() && isPreemptiveAuthPossible(request)) {
        authRequired = true;
    }
    JaspicState jaspicState = null;
    // CORS preflight bypass: when allowCorsPreflightBypass() (defined
    // elsewhere) accepts the request, it skips BOTH authentication and the
    // resource-permission check below and goes straight to the next valve.
    if ((authRequired || constraints != null) && allowCorsPreflightBypass(request)) {
        if (log.isDebugEnabled()) {
            log.debug("CORS Preflight request bypassing authentication");
        }
        getNext().invoke(request, response);
        return;
    }
    if (authRequired) {
        if (log.isDebugEnabled()) {
            log.debug("Calling authenticate()");
        }
        if (jaspicProvider != null) {
            jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
            // A null state means getJaspicState() already handled the
            // failure (status is presumed set); stop here.
            if (jaspicState == null) {
                return;
            }
        }
        // && binds tighter than ||: exactly one of the two authentication
        // paths runs, chosen by whether a JASPIC provider is present.
        if (jaspicProvider == null && !doAuthenticate(request, response) || jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false)) {
            if (log.isDebugEnabled()) {
                log.debug("Failed authenticate() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    if (constraints != null) {
        // Authorisation: the (possibly just authenticated) principal must
        // satisfy the role requirements of the matched constraints.
        if (log.isDebugEnabled()) {
            log.debug("Calling accessControl()");
        }
        if (!realm.hasResourcePermission(request, response, constraints, this.context)) {
            if (log.isDebugEnabled()) {
                log.debug("Failed accessControl() test");
            }
            /*
             * ASSERT: AccessControl method has already set the appropriate
             * HTTP status code, so we do not have to do anything special
             */
            return;
        }
    }
    // Any and all specified constraints have been satisfied
    if (log.isDebugEnabled()) {
        log.debug("Successfully passed all security constraints");
    }
    getNext().invoke(request, response);
    // JASPIC secureResponse runs only on normal return; if the next valve
    // throws, it is skipped (no try/finally here).
    if (jaspicProvider != null) {
        secureResponseJspic(request, response, jaspicState);
    }
}
use of jakarta.security.auth.message.config.AuthConfigProvider in project tomcat by apache.
the class AuthConfigFactoryImpl method doRegisterConfigProvider.
/**
 * Creates (when a class name is supplied) and registers an
 * {@link AuthConfigProvider} for the given message layer and application
 * context.
 * <p>
 * The provider is instantiated by {@link #createAuthConfigProvider} from
 * {@code className} and {@code properties}; a null class name registers a
 * context whose provider is null. The registration is stored under the ID
 * computed by {@link #getRegistrationID} for the layer / app context pair.
 *
 * @param className   fully qualified name of the provider class to
 *                    instantiate, or null for no provider
 * @param properties  initialisation properties passed to the provider and
 *                    retained in the registration context (raw Map, as
 *                    declared by the Jakarta Authentication API)
 * @param layer       message layer of the registration (may be null)
 * @param appContext  application context ID of the registration (may be null)
 * @param description human readable description of the registration
 * @return the registration ID under which the context was stored
 */
@SuppressWarnings("unchecked")
private String doRegisterConfigProvider(String className, @SuppressWarnings("rawtypes") Map properties, String layer, String appContext, String description) {
    if (log.isDebugEnabled()) {
        log.debug(sm.getString("authConfigFactoryImpl.registerClass", className, layer, appContext));
    }
    AuthConfigProvider provider =
            (className == null) ? null : createAuthConfigProvider(className, properties);
    String registrationID = getRegistrationID(layer, appContext);
    // The boolean argument is presumably the "persistent" flag of the
    // registration -- confirm against RegistrationContextImpl.
    RegistrationContextImpl registration =
            new RegistrationContextImpl(layer, appContext, description, true, provider, properties);
    addRegistrationContextImpl(layer, appContext, registrationID, registration);
    return registrationID;
}
use of jakarta.security.auth.message.config.AuthConfigProvider in project tomcat by apache.
the class TestAuthConfigFactoryImpl method doTestRegistration.
/**
 * Registers, looks up, removes and re-registers providers for one
 * layer / app context pair and checks that the factory produces the expected
 * registration ID and that a listener attached through
 * {@code getConfigProvider()} is notified both when the registration is
 * removed and when it is replaced by another provider.
 *
 * @param layer         message layer to register under (may be null)
 * @param appContext    application context to register under (may be null)
 * @param expectedRegId registration ID the factory is expected to return
 */
private void doTestRegistration(String layer, String appContext, String expectedRegId) {
    AuthConfigFactory factory = new AuthConfigFactoryImpl();
    SimpleRegistrationListener listener = new SimpleRegistrationListener(layer, appContext);
    AuthConfigProvider first = new SimpleAuthConfigProvider(null, null);

    // Initial registration yields the expected ID and the listener, once
    // attached via a lookup, is notified when that registration goes away.
    String regId = factory.registerConfigProvider(first, layer, appContext, null);
    Assert.assertEquals(expectedRegId, regId);
    factory.getConfigProvider(layer, appContext, listener);
    factory.removeRegistration(regId);
    Assert.assertTrue(listener.wasCorrectlyCalled());

    // Register again, re-attach the listener, then replace the provider:
    // the replacement must notify the listener as well.
    listener.reset();
    factory.registerConfigProvider(first, layer, appContext, null);
    factory.getConfigProvider(layer, appContext, listener);
    AuthConfigProvider replacement = new SimpleAuthConfigProvider(null, null);
    factory.registerConfigProvider(replacement, layer, appContext, null);
    Assert.assertTrue(listener.wasCorrectlyCalled());
}