use of javax.security.auth.message.AuthException in project jetty.project by eclipse.
the class DigestAuthModule method validateRequest.
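@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    // JASPIC entry point for HTTP Digest authentication.
    //
    // Returns SUCCESS when the Authorization header carries a digest that checkNonce()
    // accepts and login() validates, or when the target is not mandatory (no
    // authentication required). Otherwise a 401 with a fresh WWW-Authenticate challenge
    // is written and SEND_CONTINUE is returned.
    //
    // Security notes:
    //  * The challenge advertises algorithm=MD5 and qop="auth" only: the digest covers
    //    method + URI, not the request body, and MD5 is not collision resistant. Digest
    //    auth on its own is not a substitute for TLS.
    //  * The Authorization header is a credential. It must never be written to the log,
    //    even at DEBUG level (the original code did).
    //  * This method does not compare digest.uri with the request URI itself; that check
    //    is presumably performed in login() — TODO confirm.
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
    String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
    try {
        boolean stale = false;
        // TODO extract from request
        long timestamp = System.currentTimeMillis();
        if (credentials != null) {
            // Log only the fact that a header arrived, never its content.
            if (LOG.isDebugEnabled())
                LOG.debug("Authorization header present (" + credentials.length() + " chars)");
            final Digest digest = parseDigestCredentials(credentials, request.getMethod());
            // As used here: > 0 nonce valid, == 0 nonce stale (client should retry with
            // the new nonce), < 0 nonce invalid.
            int n = checkNonce(digest.nonce, timestamp);
            if (n > 0) {
                if (login(clientSubject, digest.username, digest, Constraint.__DIGEST_AUTH, messageInfo)) {
                    return AuthStatus.SUCCESS;
                }
            } else if (n == 0) {
                stale = true;
            }
        }
        if (!isMandatory(messageInfo)) {
            return AuthStatus.SUCCESS;
        }
        String domain = request.getContextPath();
        if (domain == null)
            domain = "/";
        // Fresh nonce on every challenge; "stale" is only advertised when useStale is set.
        response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + realmName + "\", domain=\"" + domain + "\", nonce=\"" + newNonce(timestamp) + "\", algorithm=MD5, qop=\"auth\"" + (useStale ? (" stale=" + stale) : ""));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    } catch (IOException e) {
        throw toAuthException(e);
    } catch (UnsupportedCallbackException e) {
        throw toAuthException(e);
    }
}

/**
 * Parses the value of an Authorization header into a {@code Digest}.
 *
 * The tokenizer yields parameter names, '=' and ',' separators, spaces and (unquoted)
 * values as separate tokens. A token following '=' is assigned to the parameter named by
 * the token before the '='; ',' ends the current parameter. Unknown parameter names are
 * ignored; a repeated parameter overwrites the earlier value.
 *
 * @param credentials raw Authorization header value (not null)
 * @param method      HTTP method of the request, needed by the digest computation
 * @return the populated digest; fields not present in the header stay at their defaults
 */
private Digest parseDigestCredentials(String credentials, String method) {
    QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
    final Digest digest = new Digest(method);
    String last = null; // previous token; becomes the parameter name when '=' follows
    String name = null; // parameter currently being assigned, null between parameters
    while (tokenizer.hasMoreTokens()) {
        String tok = tokenizer.nextToken();
        char c = (tok.length() == 1) ? tok.charAt(0) : '\0';
        switch (c) {
            case '=':
                name = last;
                last = tok;
                break;
            case ',':
                name = null;
                // fall through: ',' and ' ' are both ignored as separators
            case ' ':
                break;
            default:
                last = tok;
                if (name != null) {
                    assignDigestParameter(digest, name, tok);
                }
                break;
        }
    }
    return digest;
}

/**
 * Stores one header parameter on the digest; names are matched case-insensitively,
 * anything not listed is dropped.
 */
private void assignDigestParameter(Digest digest, String name, String value) {
    if ("username".equalsIgnoreCase(name))
        digest.username = value;
    else if ("realm".equalsIgnoreCase(name))
        digest.realm = value;
    else if ("nonce".equalsIgnoreCase(name))
        digest.nonce = value;
    else if ("nc".equalsIgnoreCase(name))
        digest.nc = value;
    else if ("cnonce".equalsIgnoreCase(name))
        digest.cnonce = value;
    else if ("qop".equalsIgnoreCase(name))
        digest.qop = value;
    else if ("uri".equalsIgnoreCase(name))
        digest.uri = value;
    else if ("response".equalsIgnoreCase(name))
        digest.response = value;
}

/**
 * Wraps a checked failure as an {@link AuthException}, keeping the original as the
 * cause (AuthException has no cause-taking constructor) so the stack trace survives.
 */
private static AuthException toAuthException(Exception cause) {
    AuthException ae = new AuthException(cause.getMessage());
    ae.initCause(cause);
    return ae;
}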
use of javax.security.auth.message.AuthException in project tomcat by apache.
the class SimpleServerAuthConfig method getAuthContext.
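// JASPIC API uses raw types
@SuppressWarnings({ "rawtypes", "unchecked" })
@Override
public ServerAuthContext getAuthContext(String authContextID, Subject serviceSubject, Map properties) throws AuthException {
    // Lazily builds the single ServerAuthContext for this config and caches it in
    // this.serverAuthContext. Uses the double-checked locking idiom: a lock-free read
    // first, then the build under the monitor.
    // NOTE(review): the field declaration is not visible here; this idiom is only
    // correct if serverAuthContext is declared volatile — confirm.
    //
    // Module properties passed by the caller override the ones configured on this
    // object. Module class names come from configuration (trusted), not from the
    // request; any configured class is loaded and instantiated reflectively.
    ServerAuthContext result = this.serverAuthContext;
    if (result == null) {
        synchronized (this) {
            if (this.serverAuthContext == null) {
                Map<String, String> mergedProperties = new HashMap<>();
                if (this.properties != null) {
                    mergedProperties.putAll(this.properties);
                }
                if (properties != null) {
                    mergedProperties.putAll(properties);
                }
                this.serverAuthContext = createServerAuthContext(loadModules(mergedProperties));
            }
            result = this.serverAuthContext;
        }
    }
    return result;
}

/**
 * Instantiates and initialises the configured ServerAuthModules.
 *
 * Modules are read from properties SERVER_AUTH_MODULE_KEY_PREFIX + 1, + 2, ... until the
 * first missing key. Each class must be loadable via {@link Class#forName(String)} and
 * have an accessible no-arg constructor.
 *
 * @param mergedProperties effective configuration handed to every module's initialize()
 * @return the modules in configuration order, never empty
 * @throws AuthException if a module cannot be loaded or instantiated (cause attached),
 *                       if a module's own initialize() fails, or if no module is configured
 */
private List<ServerAuthModule> loadModules(Map<String, String> mergedProperties) throws AuthException {
    List<ServerAuthModule> modules = new ArrayList<>();
    int moduleIndex = 1;
    String moduleClassName = mergedProperties.get(SERVER_AUTH_MODULE_KEY_PREFIX + moduleIndex);
    while (moduleClassName != null) {
        ServerAuthModule module;
        try {
            Class<?> clazz = Class.forName(moduleClassName);
            // Constructor.newInstance() rather than the deprecated Class.newInstance():
            // the latter rethrows any exception from the constructor unchecked.
            module = (ServerAuthModule) clazz.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            AuthException ae = new AuthException();
            ae.initCause(e);
            throw ae;
        }
        module.initialize(null, null, handler, mergedProperties);
        modules.add(module);
        // Look for the next module
        moduleIndex++;
        moduleClassName = mergedProperties.get(SERVER_AUTH_MODULE_KEY_PREFIX + moduleIndex);
    }
    if (modules.isEmpty()) {
        throw new AuthException(sm.getString("simpleServerAuthConfig.noModules"));
    }
    return modules;
}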
use of javax.security.auth.message.AuthException in project javaee7-samples by javaee-samples.
the class TestServerAuthModule method validateRequest.
@SuppressWarnings("unchecked")
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    // Test-only ServerAuthModule: it authenticates anyone who sends the "doLogin"
    // request parameter as user "test" with group "architect" without checking any
    // credential. Never deploy this outside the test harness.
    //
    // Three outcomes, chosen in this order:
    //  1. a container-registered session exists and "continueSession" is present:
    //     re-assert the existing principal;
    //  2. "doLogin" is present: authenticate "test" (as a String name, or as a
    //     MyPrincipal when "customPrincipal" is present) and ask the container to
    //     register an authentication session;
    //  3. otherwise: the JASPIC "do nothing" protocol (null caller principal).
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    Principal existingPrincipal = request.getUserPrincipal();
    Callback[] callbacks;
    if (existingPrincipal != null && request.getParameter("continueSession") != null) {
        callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, existingPrincipal) };
    } else if (request.getParameter("doLogin") != null) {
        CallerPrincipalCallback caller;
        if (request.getParameter("customPrincipal") == null) {
            caller = new CallerPrincipalCallback(clientSubject, "test");
        } else {
            caller = new CallerPrincipalCallback(clientSubject, new MyPrincipal("test"));
        }
        GroupPrincipalCallback groups = new GroupPrincipalCallback(clientSubject, new String[] { "architect" });
        callbacks = new Callback[] { caller, groups };
        // Tell the container to register an authentication session.
        messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());
    } else {
        callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) };
    }
    // Hand the result to the container; the actual login is typically completed by the
    // container after this method returns.
    try {
        handler.handle(callbacks);
    } catch (IOException | UnsupportedCallbackException e) {
        throw (AuthException) new AuthException().initCause(e);
    }
    return SUCCESS;
}
use of javax.security.auth.message.AuthException in project Payara by payara.
the class JAASAuthContextHelper method loadConstructors.
private <M> void loadConstructors(M[] template, String authContextID) throws AuthException {
    // Resolves, once, the (Constructor) for every configured login module entry and
    // stores the array in the constructors field. Slot i is the constructor taking
    // PARAMS of entry[i]'s class, or null when that class cannot be loaded or is not
    // assignable to the component type of template.
    //
    // Classes are loaded (and statically initialised) through the thread context class
    // loader inside a privileged block. Any Throwable raised while resolving one entry
    // is logged at WARNING and that entry is skipped — this includes Errors such as
    // ExceptionInInitializerError, so a broken module is silently left out rather than
    // failing the whole context.
    // authContextID is currently unused.
    if (constructors != null) {
        return;
    }
    final Class moduleType = template.getClass().getComponentType();
    try {
        constructors = (Constructor[]) AccessController.doPrivileged(new java.security.PrivilegedExceptionAction() {
            @Override
            public Object run() throws java.lang.ClassNotFoundException, java.lang.NoSuchMethodException, java.lang.InstantiationException, java.lang.IllegalAccessException, java.lang.reflect.InvocationTargetException {
                ClassLoader loader = Thread.currentThread().getContextClassLoader();
                Constructor[] resolved = new Constructor[entry.length]; // slots default to null
                for (int i = 0; i < entry.length; i++) {
                    String className = entry[i].getLoginModuleName();
                    try {
                        Class candidate = Class.forName(className, true, loader);
                        if (moduleType.isAssignableFrom(candidate)) {
                            resolved[i] = candidate.getConstructor(PARAMS);
                        }
                    } catch (Throwable t) {
                        logIfLevel(Level.WARNING, null, "skipping unloadable class: ", className, " of appCOntext: ", appContext);
                    }
                }
                return resolved;
            }
        });
    } catch (java.security.PrivilegedActionException pae) {
        AuthException ae = new AuthException();
        ae.initCause(pae.getCause());
        throw ae;
    }
}
use of javax.security.auth.message.AuthException in project Payara by payara.
the class AdminConsoleAuthModule method forwardToErrorPage.
private AuthStatus forwardToErrorPage(RestResponse validationResult, HttpServletRequest request, HttpServletResponse response) throws AuthException {
    // Renders the login error page after a failed credential validation and reports
    // SEND_FAILURE to the container. A 403 from the validation call is shown as a
    // configuration problem (the message keys point at secure admin not being enabled)
    // rather than as bad credentials. The texts come from the message bundle, not from
    // the request, so nothing user-controlled is placed in the request attributes here.
    boolean configurationError = validationResult.getResponseCode() == 403;
    if (configurationError) {
        request.setAttribute("errorText", GuiUtil.getMessage("alert.ConfigurationError"));
        request.setAttribute("messageText", GuiUtil.getMessage("alert.EnableSecureAdmin"));
    }
    try {
        request.getRequestDispatcher(loginErrorPage).forward(request, response);
    } catch (Exception ex) {
        // forward() throws ServletException/IOException; either becomes an AuthException
        // with the original attached as cause.
        throw (AuthException) new AuthException().initCause(ex);
    }
    return SEND_FAILURE;
}