
Example 1 with CredentialException

use of javax.security.auth.login.CredentialException in project hono by eclipse.

Class AbstractHonoAuthenticationService, method authenticate:

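/**
 * Authenticates a client from the SASL mechanism and SASL response carried in the request.
 * <p>
 * The authentication request is required to contain the SASL mechanism in property {@link AuthenticationConstants#FIELD_MECHANISM}
 * and the client's SASL response (Base64 encoded byte array) in property {@link AuthenticationConstants#FIELD_SASL_RESPONSE}.
 * When the mechanism is {@linkplain AuthenticationConstants#MECHANISM_EXTERNAL EXTERNAL}, the request must also contain
 * the <em>subject</em> distinguished name of the verified client certificate in property {@link AuthenticationConstants#FIELD_SUBJECT_DN}.
 * <p>
 * An example request for a client using SASL EXTERNAL wishing to act as <em>NEW_IDENTITY</em> instead of <em>ORIG_IDENTITY</em>
 * looks like this:
 * <pre>
 * {
 *   "mechanism": "EXTERNAL",
 *   "sasl-response": "TkVXX0lERU5USVRZ",  // the Base64 encoded UTF-8 representation of "NEW_IDENTITY"
 *   "subject-dn": "CN=ORIG_IDENTITY" // the subject Distinguished Name from the verified client certificate
 * }
 * </pre>
 * <p>
 * The result handler is completed with a failed future holding a {@link ClientErrorException} with status 400
 * (bad request) if the mechanism is not one of the supported SASL mechanisms, if the SASL response cannot be
 * decoded from Base64, or if a PLAIN response does not contain the expected fields. Verification of the
 * decoded identity is delegated to {@code verifyPlain} respectively {@code verifyExternal}; any exception
 * thrown by those hooks propagates to the caller unchanged.
 *
 * @param authRequest The authentication request (must not be {@code null}).
 * @param resultHandler The handler to notify about the outcome of the authentication.
 * @throws NullPointerException if the request is {@code null}.
 */
@Override
public final void authenticate(final JsonObject authRequest, final Handler<AsyncResult<HonoUser>> resultHandler) {
    final String mechanism = Objects.requireNonNull(authRequest).getString(AuthenticationConstants.FIELD_MECHANISM);
    log.debug("received authentication request [mechanism: {}]", mechanism);
    // a null mechanism simply is not contained in the list and ends up in the "unsupported" branch
    final boolean isSupportedMechanism = Arrays.asList(getSupportedSaslMechanisms()).contains(mechanism);
    if (isSupportedMechanism && AuthenticationConstants.MECHANISM_PLAIN.equals(mechanism)) {
        processPlain(authRequest, resultHandler);
    } else if (isSupportedMechanism && AuthenticationConstants.MECHANISM_EXTERNAL.equals(mechanism)) {
        processExternal(authRequest, resultHandler);
    } else {
        resultHandler.handle(Future.failedFuture(new ClientErrorException(HttpURLConnection.HTTP_BAD_REQUEST, "unsupported SASL mechanism")));
    }
}

/**
 * Decodes a SASL PLAIN response and hands the contained authorization id, authentication id and password
 * to {@code verifyPlain}.
 * <p>
 * Decoding failures are reported to the result handler as a 400 client error instead of escaping this
 * method: an absent response is treated as an empty byte array, and a value that is not a string or not
 * valid Base64 (which {@code JsonObject.getBinary} is expected to reject with {@code ClassCastException}
 * respectively {@code IllegalArgumentException}) is mapped the same way as a malformed PLAIN response.
 */
private void processPlain(final JsonObject authRequest, final Handler<AsyncResult<HonoUser>> resultHandler) {
    final String[] fields;
    try {
        final byte[] saslResponse = authRequest.getBinary(AuthenticationConstants.FIELD_SASL_RESPONSE, new byte[0]);
        fields = AuthenticationConstants.parseSaslResponse(saslResponse);
    } catch (final CredentialException | IllegalArgumentException | ClassCastException e) {
        // response was not decodable or did not contain the expected values: the client's fault
        resultHandler.handle(Future.failedFuture(new ClientErrorException(HttpURLConnection.HTTP_BAD_REQUEST, e)));
        return;
    }
    final String authzid = fields[0];
    final String authcid = fields[1];
    final String pwd = fields[2];
    // the password must never make it into the log
    log.debug("processing PLAIN authentication request [authzid: {}, authcid: {}, pwd: *****]", authzid, authcid);
    verifyPlain(authzid, authcid, pwd, resultHandler);
}

/**
 * Extracts the authorization id from a SASL EXTERNAL response and hands it, together with the subject DN
 * of the verified client certificate, to {@code verifyExternal}.
 * <p>
 * An absent response now yields an empty authorization id instead of a {@code NullPointerException};
 * what an empty authzid means (conventionally "act as the certificate identity") is for
 * {@code verifyExternal} to decide. A response that cannot be decoded is reported as a 400 client error.
 */
private void processExternal(final JsonObject authRequest, final Handler<AsyncResult<HonoUser>> resultHandler) {
    final String authzid;
    try {
        authzid = new String(authRequest.getBinary(AuthenticationConstants.FIELD_SASL_RESPONSE, new byte[0]), StandardCharsets.UTF_8);
    } catch (final IllegalArgumentException | ClassCastException e) {
        resultHandler.handle(Future.failedFuture(new ClientErrorException(HttpURLConnection.HTTP_BAD_REQUEST, e)));
        return;
    }
    // the subject DN is not validated here; it may be null if the property is missing — verifyExternal must cope
    final String subject = authRequest.getString(AuthenticationConstants.FIELD_SUBJECT_DN);
    log.debug("processing EXTERNAL authentication request [Subject DN: {}]", subject);
    // authzid is chosen by the client: verifyExternal has to check that the certificate subject may act as it
    verifyExternal(authzid, subject, resultHandler);
}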
Also used : CredentialException(javax.security.auth.login.CredentialException) ClientErrorException(org.eclipse.hono.client.ClientErrorException)

Example 2 with CredentialException

use of javax.security.auth.login.CredentialException in project hono by eclipse.

Class AbstractHonoAuthenticationService, method readFields:

/**
 * Splits a SASL PLAIN response into its three NUL-separated fields: authorization id, authentication id
 * and password (the layout described in RFC 4616).
 * <p>
 * Each segment is decoded as UTF-8. The authorization id (index 0) may be empty; the authentication id
 * and the password must not be.
 *
 * @param buffer The raw (already Base64-decoded) SASL response.
 * @return An array of exactly three strings: {@code [authzid, authcid, password]}.
 * @throws CredentialException if the response does not consist of exactly three fields, or if the
 *                             authentication id or the password is empty.
 */
private String[] readFields(final byte[] buffer) throws CredentialException {
    final List<String> fields = new ArrayList<>(3);
    int segmentStart = 0;
    for (int i = 0; i < buffer.length; i++) {
        if (buffer[i] == 0x00) {
            // NUL terminates the current segment; it is never part of a UTF-8 multi-byte sequence
            fields.add(new String(buffer, segmentStart, i - segmentStart, StandardCharsets.UTF_8));
            segmentStart = i + 1;
        }
    }
    // the last segment is not NUL-terminated
    fields.add(new String(buffer, segmentStart, buffer.length - segmentStart, StandardCharsets.UTF_8));

    if (fields.size() != 3) {
        throw new CredentialException("client provided malformed PLAIN response");
    }
    if (fields.get(1).isEmpty()) {
        throw new CredentialException("PLAIN response must contain an authentication ID");
    }
    if (fields.get(2).isEmpty()) {
        throw new CredentialException("PLAIN response must contain a password");
    }
    return fields.toArray(new String[3]);
}
Also used : Buffer(io.vertx.core.buffer.Buffer) CredentialException(javax.security.auth.login.CredentialException) ArrayList(java.util.ArrayList)

Example 3 with CredentialException

use of javax.security.auth.login.CredentialException in project kylo by Teradata.

Class KyloRestLoginModule, method doLogin:

/**
 * Authenticates the user by calling the Kylo login REST API with the credentials collected for this
 * login module and, if the returned account is enabled, registers its user and group principals.
 *
 * @return {@code true} once the user and group principals have been added.
 * @throws CredentialException if the API rejected the credentials ({@link NotAuthorizedException}).
 * @throws FailedLoginException if the API could not be reached or answered with an unexpected status.
 * @throws AccountNotFoundException if the API returned no user for the configured username.
 * @throws AccountLockedException if the returned user is disabled.
 */
@Override
protected boolean doLogin() throws Exception {
    final LoginJerseyClientConfig userConfig = createClientConfig(true);
    final User user = lookupUser(userConfig);
    final String username = userConfig.getUsername();

    if (user == null) {
        log.debug("No account exists with the name: {}", username);
        // NOTE: this message discloses whether an account exists; callers should not echo it to the client verbatim
        throw new AccountNotFoundException("No account exists with the name: " + username);
    }
    if (!user.isEnabled()) {
        log.debug("User from Login API is disabled: {}", username);
        throw new AccountLockedException("The account \"" + username + "\" is currently disabled");
    }

    addNewUserPrincipal(user.getSystemName());
    user.getGroups().forEach(this::addNewGroupPrincipal);
    return true;
}

/**
 * Calls the login API and translates its failure modes into JAAS login exceptions.
 * A 401-style rejection becomes a generic {@link CredentialException}; transport errors and other
 * unexpected responses are logged with their cause and reported as {@link FailedLoginException}.
 */
private User lookupUser(final LoginJerseyClientConfig userConfig) throws Exception {
    try {
        return retrieveUser(userConfig);
    } catch (final NotAuthorizedException e) {
        // NotAuthorizedException is a WebApplicationException, so it must be caught before the generic case below
        log.debug("Received unauthorized response from Login API for user: {}", userConfig.getUsername());
        throw new CredentialException("The username and password combination do not match.");
    } catch (final ProcessingException e) {
        log.error("Failed to process response from Login API for user: {}", userConfig.getUsername(), e);
        throw new FailedLoginException("The login service is unavailable.");
    } catch (final WebApplicationException e) {
        log.error("Received unexpected response from Login API for user: {}", userConfig.getUsername(), e);
        throw new FailedLoginException("The login service is unavailable.");
    }
}
Also used : AccountLockedException(javax.security.auth.login.AccountLockedException) User(com.thinkbiganalytics.security.rest.model.User) FailedLoginException(javax.security.auth.login.FailedLoginException) CredentialException(javax.security.auth.login.CredentialException) WebApplicationException(javax.ws.rs.WebApplicationException) NotAuthorizedException(javax.ws.rs.NotAuthorizedException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) ProcessingException(javax.ws.rs.ProcessingException)

Example 4 with CredentialException

use of javax.security.auth.login.CredentialException in project kylo by Teradata.

Class LdapLoginModule, method doLogin:

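/**
 * Authenticates the user against LDAP by binding with the supplied username and password and, on
 * success, registers the user principal plus one group principal per granted authority.
 * <p>
 * A missing password is reported as a {@link CredentialException} instead of escaping as a
 * {@link NullPointerException} from {@code new String(char[])}; the password buffer handed out by the
 * callback is wiped once the bind has been attempted; and an LDAP rejection keeps the original
 * {@link BadCredentialsException} as its cause so server-side logs retain the detail.
 *
 * @return {@code true} once the user has been authenticated and the principals have been added.
 * @throws AccountException if the callback handler supplied no username.
 * @throws CredentialException if the callback handler supplied no password or LDAP rejected the credentials.
 * @throws Exception whatever the callback handler or the authorities populator propagates.
 * @see com.thinkbiganalytics.auth.jaas.AbstractLoginModule#doLogin()
 */
@Override
protected boolean doLogin() throws Exception {
    final NameCallback nameCallback = new NameCallback("Username: ");
    final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    handle(nameCallback, passwordCallback);
    if (nameCallback.getName() == null) {
        throw new AccountException("No username provided for authentication");
    }
    // getPassword() returns a copy, or null when the handler did not set one
    final char[] passwordChars = passwordCallback.getPassword();
    if (passwordChars == null) {
        throw new CredentialException("No password provided for authentication");
    }
    final Principal userPrincipal = new UsernamePrincipal(nameCallback.getName());
    try {
        // Spring's token needs a String; this copy cannot be wiped, only the char[] below can
        final UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(userPrincipal, new String(passwordChars));
        log.debug("Authenticating: {}", userPrincipal);
        final DirContextOperations dirContext = this.authenticator.authenticate(authentication);
        log.debug("Successfully Authenticated: {}", userPrincipal);
        setUserPrincipal(userPrincipal);
        for (final GrantedAuthority grant : this.authoritiesPopulator.getGrantedAuthorities(dirContext, nameCallback.getName())) {
            final String groupName = grant.getAuthority();
            log.debug("Found group for {}: {}", userPrincipal, groupName);
            if (groupName != null) {
                addNewGroupPrincipal(groupName);
            }
        }
        return true;
    } catch (final BadCredentialsException e) {
        // same message as before, but do not drop the cause (CredentialException has no (String, Throwable) constructor)
        final CredentialException wrapped = new CredentialException(e.getMessage());
        wrapped.initCause(e);
        throw wrapped;
    } finally {
        // limit how long the clear-text password lingers in memory
        for (int i = 0; i < passwordChars.length; i++) {
            passwordChars[i] = '\0';
        }
        passwordCallback.clearPassword();
    }
}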
Also used : UsernamePrincipal(com.thinkbiganalytics.security.UsernamePrincipal) NameCallback(javax.security.auth.callback.NameCallback) AccountException(javax.security.auth.login.AccountException) DirContextOperations(org.springframework.ldap.core.DirContextOperations) CredentialException(javax.security.auth.login.CredentialException) GrantedAuthority(org.springframework.security.core.GrantedAuthority) PasswordCallback(javax.security.auth.callback.PasswordCallback) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) BadCredentialsException(org.springframework.security.authentication.BadCredentialsException) UsernamePrincipal(com.thinkbiganalytics.security.UsernamePrincipal) Principal(java.security.Principal)

Example 5 with CredentialException

use of javax.security.auth.login.CredentialException in project kylo by Teradata.

Class KyloLoginModule, method doLogin:

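/**
 * Authenticates a user against the Kylo metadata store: looks the account up by system name, refuses
 * disabled accounts and — when {@code requirePassword} is set — checks the supplied password against the
 * stored hash with {@code passwordEncoder}. On success the user's principal and all of its group
 * principals are added.
 * <p>
 * Compared to a naive implementation this guards against a missing username or password (which would
 * otherwise surface as a {@code NullPointerException}) and wipes the password buffer obtained from the
 * callback once the check has run.
 *
 * @return {@code true} once the principals have been added.
 * @throws javax.security.auth.login.AccountException if the callback handler supplied no username.
 * @throws CredentialException if a password is required but none was supplied, or it does not match.
 * @throws AccountNotFoundException if no account with the given system name exists.
 * @throws AccountLockedException if the account exists but is disabled.
 * @throws Exception whatever the callback handler or the metadata access propagates.
 */
@Override
protected boolean doLogin() throws Exception {
    // Get username and password
    final NameCallback nameCallback = new NameCallback("Username: ");
    final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    if (requirePassword) {
        handle(nameCallback, passwordCallback);
    } else {
        handle(nameCallback);
    }
    final String username = nameCallback.getName();
    if (username == null) {
        // mirrors LdapLoginModule; previously a null name went straight into the user lookup
        throw new javax.security.auth.login.AccountException("No username provided for authentication");
    }
    // getPassword() returns a copy, or null when the handler did not set one; only relevant if a password is required
    final char[] passwordChars = requirePassword ? passwordCallback.getPassword() : null;
    if (requirePassword && passwordChars == null) {
        throw new CredentialException("No password provided for authentication");
    }

    try {
        // Authenticate user
        metadata.read(() -> {
            final Optional<User> user = userProvider.findUserBySystemName(username);
            if (!user.isPresent()) {
                // NOTE(review): this path returns before any hash is computed, so response time can reveal
                // whether an account exists; a dummy encoder.matches() here would close that, but needs a
                // cost-equivalent stored hash to compare against — not done here.
                throw new AccountNotFoundException("No account exists with name \"" + username + "\"");
            }
            final User account = user.get();
            if (!account.isEnabled()) {
                throw new AccountLockedException("The account \"" + username + "\" is currently disabled");
            }
            if (requirePassword && !passwordEncoder.matches(new String(passwordChars), account.getPassword())) {
                throw new CredentialException("The username and/or password combination do not match");
            }
            addPrincipal(account.getPrincipal());
            addAllPrincipals(account.getAllGroupPrincipals());
        }, MetadataAccess.SERVICE);
    } finally {
        // limit how long the clear-text password lingers in memory (the String copy given to the encoder cannot be wiped)
        if (passwordChars != null) {
            for (int i = 0; i < passwordChars.length; i++) {
                passwordChars[i] = '\0';
            }
        }
        passwordCallback.clearPassword();
    }
    return true;
}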
Also used : AccountLockedException(javax.security.auth.login.AccountLockedException) NameCallback(javax.security.auth.callback.NameCallback) User(com.thinkbiganalytics.metadata.api.user.User) CredentialException(javax.security.auth.login.CredentialException) PasswordCallback(javax.security.auth.callback.PasswordCallback) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException)

Aggregations

CredentialException (javax.security.auth.login.CredentialException)7 NameCallback (javax.security.auth.callback.NameCallback)3 PasswordCallback (javax.security.auth.callback.PasswordCallback)3 Buffer (io.vertx.core.buffer.Buffer)2 ArrayList (java.util.ArrayList)2 AccountLockedException (javax.security.auth.login.AccountLockedException)2 AccountNotFoundException (javax.security.auth.login.AccountNotFoundException)2 User (com.thinkbiganalytics.metadata.api.user.User)1 UsernamePrincipal (com.thinkbiganalytics.security.UsernamePrincipal)1 User (com.thinkbiganalytics.security.rest.model.User)1 Principal (java.security.Principal)1 AccountException (javax.security.auth.login.AccountException)1 FailedLoginException (javax.security.auth.login.FailedLoginException)1 NotAuthorizedException (javax.ws.rs.NotAuthorizedException)1 ProcessingException (javax.ws.rs.ProcessingException)1 WebApplicationException (javax.ws.rs.WebApplicationException)1 ClientErrorException (org.eclipse.hono.client.ClientErrorException)1 DirContextOperations (org.springframework.ldap.core.DirContextOperations)1 BadCredentialsException (org.springframework.security.authentication.BadCredentialsException)1 UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)1