
Example 36 with AuthException

Use of javax.security.auth.message.AuthException in project jetty.project by eclipse.

In class DigestAuthModule, method validateRequest.

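@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    // HTTP Digest authentication (JASPIC ServerAuthModule entry point).
    //
    // 1. Parse the "Authorization" header into a Digest (username, realm,
    //    nonce, nc, cnonce, qop, uri, response) with a tokenizer that keeps
    //    "=", "," and " " as separate tokens.
    // 2. Validate the nonce with checkNonce(): > 0 means usable, 0 means
    //    stale (reported as stale=true in the challenge when useStale is
    //    set), anything else is rejected silently.
    // 3. On a usable nonce, login() verifies the digest; success returns
    //    AuthStatus.SUCCESS.
    // 4. Otherwise a non-mandatory resource still returns SUCCESS without a
    //    caller; a mandatory one gets a 401 plus a fresh Digest challenge
    //    and SEND_CONTINUE is returned.
    //
    // Failures of the callback handler (IOException,
    // UnsupportedCallbackException) are wrapped in AuthException with the
    // original exception chained as the cause.
    //
    // NOTE(review): the uri from the header is parsed but not compared to
    // the request URI here; presumably login()/Digest does that -- confirm.
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
    String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
    try {
        boolean stale = false;
        // TODO extract from request
        long timestamp = System.currentTimeMillis();
        if (credentials != null) {
            QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(credentials, "=, ", true, false);
            final Digest digest = new Digest(request.getMethod());
            // `last` is the previous token, `name` the key whose value comes next.
            String last = null;
            String name = null;
            while (tokenizer.hasMoreTokens()) {
                String tok = tokenizer.nextToken();
                // Single-character tokens are the delimiters; anything longer
                // is a name or a (possibly quoted) value.
                char c = (tok.length() == 1) ? tok.charAt(0) : '\0';
                switch(c) {
                    case '=':
                        name = last;
                        last = tok;
                        break;
                    case ',':
                        name = null;
                        // fall through: ',' and ' ' both just end the current pair
                    case ' ':
                        break;
                    default:
                        last = tok;
                        if (name != null) {
                            if ("username".equalsIgnoreCase(name))
                                digest.username = tok;
                            else if ("realm".equalsIgnoreCase(name))
                                digest.realm = tok;
                            else if ("nonce".equalsIgnoreCase(name))
                                digest.nonce = tok;
                            else if ("nc".equalsIgnoreCase(name))
                                digest.nc = tok;
                            else if ("cnonce".equalsIgnoreCase(name))
                                digest.cnonce = tok;
                            else if ("qop".equalsIgnoreCase(name))
                                digest.qop = tok;
                            else if ("uri".equalsIgnoreCase(name))
                                digest.uri = tok;
                            else if ("response".equalsIgnoreCase(name))
                                digest.response = tok;
                            break;
                        }
                }
            }
            // Log only the claimed username, never the raw header: the header
            // carries the digest response (an offline-crackable hash derived
            // from the password) plus nonce/cnonce, i.e. replay material.
            if (LOG.isDebugEnabled())
                LOG.debug("Digest credentials presented for username: " + digest.username);
            int n = checkNonce(digest.nonce, timestamp);
            if (n > 0) {
                if (login(clientSubject, digest.username, digest, Constraint.__DIGEST_AUTH, messageInfo)) {
                    return AuthStatus.SUCCESS;
                }
            } else if (n == 0)
                stale = true;
        }
        if (!isMandatory(messageInfo)) {
            return AuthStatus.SUCCESS;
        }
        String domain = request.getContextPath();
        if (domain == null)
            domain = "/";
        // Challenge. realmName and domain are server-side configuration and
        // are inserted unescaped, so they must not contain '"'.
        response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Digest realm=\"" + realmName + "\", domain=\"" + domain + "\", nonce=\"" + newNonce(timestamp) + "\", algorithm=MD5, qop=\"auth\"" + (useStale ? (" stale=" + stale) : ""));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    } catch (IOException | UnsupportedCallbackException e) {
        // Keep the message as before, but chain the cause so the original
        // stack trace survives (same pattern the other JASPIC modules use).
        AuthException ae = new AuthException(e.getMessage());
        ae.initCause(e);
        throw ae;
    }
}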
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) QuotedStringTokenizer(org.eclipse.jetty.util.QuotedStringTokenizer) MessageDigest(java.security.MessageDigest) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) IOException(java.io.IOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) Constraint(org.eclipse.jetty.util.security.Constraint)

Example 37 with AuthException

Use of javax.security.auth.message.AuthException in project tomcat by apache.

In class SimpleServerAuthConfig, method getAuthContext.

// JASPIC API uses raw types
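@SuppressWarnings({ "rawtypes", "unchecked" })
@Override
public ServerAuthContext getAuthContext(String authContextID, Subject serviceSubject, Map properties) throws AuthException {
    // Returns the single, lazily created ServerAuthContext for this config.
    //
    // On first use the module list is read from the merged properties: keys
    // SERVER_AUTH_MODULE_KEY_PREFIX + 1, + 2, ... are looked up until the
    // first missing one, each value naming a ServerAuthModule class.
    // Properties passed by the caller override this.properties. Every module
    // is initialized with the shared callback handler and the merged map,
    // then createServerAuthContext() wraps the list.
    //
    // authContextID and serviceSubject are not consulted here.
    //
    // Throws AuthException when a module class cannot be loaded, has no
    // public no-arg constructor, is not a ServerAuthModule, throws from its
    // constructor, or when no module is configured at all.
    //
    // NOTE(review): this is double-checked locking; it is only correct if
    // the serverAuthContext field is declared volatile -- confirm.
    ServerAuthContext serverAuthContext = this.serverAuthContext;
    if (serverAuthContext == null) {
        synchronized (this) {
            if (this.serverAuthContext == null) {
                Map<String, String> mergedProperties = new HashMap<>();
                if (this.properties != null) {
                    mergedProperties.putAll(this.properties);
                }
                if (properties != null) {
                    mergedProperties.putAll(properties);
                }
                List<ServerAuthModule> modules = new ArrayList<>();
                int moduleIndex = 1;
                String key = SERVER_AUTH_MODULE_KEY_PREFIX + moduleIndex;
                String moduleClassName = mergedProperties.get(key);
                while (moduleClassName != null) {
                    try {
                        // Class names come from configuration: whoever can
                        // edit those properties decides what is instantiated
                        // here, so the property source must be trusted.
                        Class<?> clazz = Class.forName(moduleClassName);
                        // getConstructor().newInstance() rather than the
                        // deprecated Class.newInstance(): a failure inside the
                        // constructor arrives as InvocationTargetException
                        // instead of being rethrown unchecked past this catch.
                        ServerAuthModule module = (ServerAuthModule) clazz.getConstructor().newInstance();
                        module.initialize(null, null, handler, mergedProperties);
                        modules.add(module);
                    } catch (ReflectiveOperationException | ClassCastException e) {
                        // A bad module is an authentication-setup failure;
                        // keep the cause for diagnosis.
                        AuthException ae = new AuthException();
                        ae.initCause(e);
                        throw ae;
                    }
                    // Look for the next module
                    moduleIndex++;
                    key = SERVER_AUTH_MODULE_KEY_PREFIX + moduleIndex;
                    moduleClassName = mergedProperties.get(key);
                }
                if (modules.isEmpty()) {
                    throw new AuthException(sm.getString("simpleServerAuthConfig.noModules"));
                }
                this.serverAuthContext = createServerAuthContext(modules);
            }
            serverAuthContext = this.serverAuthContext;
        }
    }
    return serverAuthContext;
}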
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) ServerAuthModule(javax.security.auth.message.module.ServerAuthModule) AuthException(javax.security.auth.message.AuthException) ServerAuthContext(javax.security.auth.message.config.ServerAuthContext)

Example 38 with AuthException

Use of javax.security.auth.message.AuthException in project javaee7-samples by javaee-samples.

In class TestServerAuthModule, method validateRequest.

@SuppressWarnings("unchecked")
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    // Test-only module: no credential is ever checked. The outcome is chosen
    // purely from request parameters:
    //   "continueSession" + an existing user principal -> re-register that principal
    //   "doLogin"                                      -> log in as "test" in group "architect"
    //   anything else                                  -> establish no caller
    // Do not deploy outside a test: "?doLogin" alone grants the architect group.
    HttpServletRequest httpRequest = (HttpServletRequest) messageInfo.getRequestMessage();
    Principal existing = httpRequest.getUserPrincipal();

    Callback[] toHandle;
    if (existing != null && httpRequest.getParameter("continueSession") != null) {
        // Already authenticated: hand the container's own principal back so
        // the registered authentication session keeps being used.
        toHandle = new Callback[] { new CallerPrincipalCallback(clientSubject, existing) };
    } else if (httpRequest.getParameter("doLogin") != null) {
        // Fresh "login": the details of the authenticated user are simply
        // returned. The optional "customPrincipal" parameter selects a
        // MyPrincipal instance instead of a plain name.
        CallerPrincipalCallback caller;
        if (httpRequest.getParameter("customPrincipal") == null) {
            caller = new CallerPrincipalCallback(clientSubject, "test");
        } else {
            caller = new CallerPrincipalCallback(clientSubject, new MyPrincipal("test"));
        }
        GroupPrincipalCallback groups = new GroupPrincipalCallback(clientSubject, new String[] { "architect" });
        toHandle = new Callback[] { caller, groups };
        // Ask the container to remember this authentication in the session.
        messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());
    } else {
        // The JASPIC "do nothing" protocol: a null principal means no caller.
        toHandle = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) };
    }

    try {
        // The handler typically just records principal and groups; the
        // container performs the actual login after this method returns.
        handler.handle(toHandle);
    } catch (IOException | UnsupportedCallbackException e) {
        throw (AuthException) new AuthException().initCause(e);
    }
    return SUCCESS;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) Callback(javax.security.auth.callback.Callback) AuthException(javax.security.auth.message.AuthException) IOException(java.io.IOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) Principal(java.security.Principal)

Example 39 with AuthException

Use of javax.security.auth.message.AuthException in project Payara by payara.

In class JAASAuthContextHelper, method loadConstructors.

private <M> void loadConstructors(M[] template, String authContextID) throws AuthException {
    // Lazily resolves, for every configured entry, the constructor taking
    // PARAMS on the class named by entry[i].getLoginModuleName(). The
    // component type of `template` decides which classes are acceptable: a
    // class that is not assignable to it stays a null slot, as does any
    // class that fails to load.
    //
    // Runs only while `constructors` is still null. NOTE(review): that null
    // check is unsynchronized, so two concurrent first calls may each build
    // the array -- confirm whether callers serialize access.
    // authContextID is accepted but not used here.
    if (constructors == null) {
        try {
            final Class moduleType = template.getClass().getComponentType();
            // doPrivileged limits the permission check to this frame's own
            // protection domain, so less-privileged callers up the stack do
            // not cause the class loading to fail.
            constructors = (Constructor[]) AccessController.doPrivileged(new java.security.PrivilegedExceptionAction() {

                @Override
                public Object run() throws java.lang.ClassNotFoundException, java.lang.NoSuchMethodException, java.lang.InstantiationException, java.lang.IllegalAccessException, java.lang.reflect.InvocationTargetException {
                    Constructor[] ctor = new Constructor[entry.length];
                    ClassLoader loader = Thread.currentThread().getContextClassLoader();
                    for (int i = 0; i < entry.length; i++) {
                        ctor[i] = null;
                        String clazz = entry[i].getLoginModuleName();
                        try {
                            // `true` initializes the class on load. The
                            // assignability check keeps a mis-configured,
                            // non-module class from ever being constructed.
                            Class c = Class.forName(clazz, true, loader);
                            if (moduleType.isAssignableFrom(c)) {
                                ctor[i] = c.getConstructor(PARAMS);
                            }
                        } catch (Throwable t) {
                            // Deliberately skip an unloadable entry instead of
                            // failing the whole context. NOTE(review): Throwable
                            // also swallows Errors (OutOfMemoryError, LinkageError
                            // from a broken deployment); consider narrowing.
                            logIfLevel(Level.WARNING, null, "skipping unloadable class: ", clazz, " of appCOntext: ", appContext);
                        }
                    }
                    return ctor;
                }
            });
        } catch (java.security.PrivilegedActionException pae) {
            // Defensive: run() catches Throwable internally, so this branch is
            // not expected to be reached. Unwrap so the real failure, not the
            // PrivilegedActionException wrapper, becomes the cause.
            AuthException ae = new AuthException();
            ae.initCause(pae.getCause());
            throw ae;
        }
    }
}
Also used : PrivilegedActionException(java.security.PrivilegedActionException) Constructor(java.lang.reflect.Constructor) AuthException(javax.security.auth.message.AuthException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) InvocationTargetException(java.lang.reflect.InvocationTargetException)

Example 40 with AuthException

Use of javax.security.auth.message.AuthException in project Payara by payara.

In class AdminConsoleAuthModule, method forwardToErrorPage.

private AuthStatus forwardToErrorPage(RestResponse validationResult, HttpServletRequest request, HttpServletResponse response) throws AuthException {
    // Dispatches to the configured login error page and reports SEND_FAILURE
    // to the container.
    //
    // A 403 from the REST validation call is special-cased: the "errorText"
    // and "messageText" request attributes are filled from message keys that
    // point at the secure-admin configuration, so the page can explain what
    // to enable. Other response codes render the page without them.
    //
    // Anything thrown while forwarding is rethrown as AuthException with the
    // original exception attached as the cause.
    final int validationStatus = validationResult.getResponseCode();
    final boolean forbidden = validationStatus == 403;
    if (forbidden) {
        request.setAttribute("errorText", GuiUtil.getMessage("alert.ConfigurationError"));
        request.setAttribute("messageText", GuiUtil.getMessage("alert.EnableSecureAdmin"));
    }
    try {
        request.getRequestDispatcher(loginErrorPage).forward(request, response);
    } catch (Exception ex) {
        throw (AuthException) new AuthException().initCause(ex);
    }
    return SEND_FAILURE;
}
Also used : AuthException(javax.security.auth.message.AuthException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) AuthException(javax.security.auth.message.AuthException)

Aggregations

AuthException (javax.security.auth.message.AuthException)40 IOException (java.io.IOException)25 HttpServletRequest (javax.servlet.http.HttpServletRequest)23 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)21 CallerPrincipalCallback (javax.security.auth.message.callback.CallerPrincipalCallback)16 Principal (java.security.Principal)15 GroupPrincipalCallback (javax.security.auth.message.callback.GroupPrincipalCallback)14 HttpServletResponse (javax.servlet.http.HttpServletResponse)13 Callback (javax.security.auth.callback.Callback)10 Subject (javax.security.auth.Subject)7 ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)7 MessageInfo (javax.security.auth.message.MessageInfo)6 AuthStatus (javax.security.auth.message.AuthStatus)5 MalformedURLException (java.net.MalformedURLException)3 PrivilegedActionException (java.security.PrivilegedActionException)3 ServerAuthConfig (javax.security.auth.message.config.ServerAuthConfig)3 ServerAuthModule (javax.security.auth.message.module.ServerAuthModule)3 HttpSession (javax.servlet.http.HttpSession)3 SecurityContext (com.sun.enterprise.security.SecurityContext)2 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2