Search in sources :

Example 1 with CallerPrincipalCallback

use of javax.security.auth.message.callback.CallerPrincipalCallback in project jetty.project by eclipse.

the class JaspiAuthenticator method validateRequest.

public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException {
    try {
        String authContextId = _authConfig.getAuthContextID(messageInfo);
        ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
        Subject clientSubject = new Subject();
        AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);
        if (authStatus == AuthStatus.SEND_CONTINUE)
            return Authentication.SEND_CONTINUE;
        if (authStatus == AuthStatus.SEND_FAILURE)
            return Authentication.SEND_FAILURE;
        if (authStatus == AuthStatus.SUCCESS) {
            Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
            UserIdentity userIdentity;
            if (ids.size() > 0) {
                userIdentity = ids.iterator().next();
            } else {
                CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
                if (principalCallback == null) {
                    return Authentication.UNAUTHENTICATED;
                }
                Principal principal = principalCallback.getPrincipal();
                if (principal == null) {
                    String principalName = principalCallback.getName();
                    Set<Principal> principals = principalCallback.getSubject().getPrincipals();
                    for (Principal p : principals) {
                        if (p.getName().equals(principalName)) {
                            principal = p;
                            break;
                        }
                    }
                    if (principal == null) {
                        return Authentication.UNAUTHENTICATED;
                    }
                }
                GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
                String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
                userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
            }
            HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
            Authentication cached = (session == null ? null : (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED));
            if (cached != null)
                return cached;
            return new UserAuthentication(getAuthMethod(), userIdentity);
        }
        if (authStatus == AuthStatus.SEND_SUCCESS) {
            // we are processing a message in a secureResponse dialog.
            return Authentication.SEND_SUCCESS;
        }
        if (authStatus == AuthStatus.FAILURE) {
            HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        // should not happen
        throw new IllegalStateException("No AuthStatus returned");
    } catch (IOException | AuthException e) {
        throw new ServerAuthException(e);
    }
}
Also used : HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Subject(javax.security.auth.Subject) ServerAuthContext(javax.security.auth.message.config.ServerAuthContext) HttpServletRequest(javax.servlet.http.HttpServletRequest) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) AuthStatus(javax.security.auth.message.AuthStatus) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) Principal(java.security.Principal)

Example 2 with CallerPrincipalCallback

use of javax.security.auth.message.callback.CallerPrincipalCallback in project jetty.project by eclipse.

the class ServletCallbackHandler method handle.

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        // jaspi to server communication
        if (callback instanceof CallerPrincipalCallback) {
            _callerPrincipals.set((CallerPrincipalCallback) callback);
        } else if (callback instanceof GroupPrincipalCallback) {
            _groupPrincipals.set((GroupPrincipalCallback) callback);
        } else if (callback instanceof PasswordValidationCallback) {
            PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback) callback;
            Subject subject = passwordValidationCallback.getSubject();
            UserIdentity user = _loginService.login(passwordValidationCallback.getUsername(), passwordValidationCallback.getPassword(), null);
            if (user != null) {
                passwordValidationCallback.setResult(true);
                passwordValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
                passwordValidationCallback.getSubject().getPrivateCredentials().add(user);
            }
        } else if (callback instanceof CredentialValidationCallback) {
            CredentialValidationCallback credentialValidationCallback = (CredentialValidationCallback) callback;
            Subject subject = credentialValidationCallback.getSubject();
            LoginCallback loginCallback = new LoginCallbackImpl(subject, credentialValidationCallback.getUsername(), credentialValidationCallback.getCredential());
            UserIdentity user = _loginService.login(credentialValidationCallback.getUsername(), credentialValidationCallback.getCredential(), null);
            if (user != null) {
                loginCallback.setUserPrincipal(user.getUserPrincipal());
                credentialValidationCallback.getSubject().getPrivateCredentials().add(loginCallback);
                credentialValidationCallback.setResult(true);
                credentialValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
                credentialValidationCallback.getSubject().getPrivateCredentials().add(user);
            }
        } else // TODO implement these
        if (callback instanceof CertStoreCallback) {
        } else if (callback instanceof PrivateKeyCallback) {
        } else if (callback instanceof SecretKeyCallback) {
        } else if (callback instanceof TrustStoreCallback) {
        } else {
            throw new UnsupportedCallbackException(callback);
        }
    }
}
Also used : LoginCallback(org.eclipse.jetty.security.authentication.LoginCallback) SecretKeyCallback(javax.security.auth.message.callback.SecretKeyCallback) TrustStoreCallback(javax.security.auth.message.callback.TrustStoreCallback) CertStoreCallback(javax.security.auth.message.callback.CertStoreCallback) UserIdentity(org.eclipse.jetty.server.UserIdentity) CredentialValidationCallback(org.eclipse.jetty.security.jaspi.callback.CredentialValidationCallback) Subject(javax.security.auth.Subject) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) LoginCallbackImpl(org.eclipse.jetty.security.authentication.LoginCallbackImpl) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) TrustStoreCallback(javax.security.auth.message.callback.TrustStoreCallback) LoginCallback(org.eclipse.jetty.security.authentication.LoginCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) PasswordValidationCallback(javax.security.auth.message.callback.PasswordValidationCallback) CredentialValidationCallback(org.eclipse.jetty.security.jaspi.callback.CredentialValidationCallback) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) CertStoreCallback(javax.security.auth.message.callback.CertStoreCallback) PrivateKeyCallback(javax.security.auth.message.callback.PrivateKeyCallback) SecretKeyCallback(javax.security.auth.message.callback.SecretKeyCallback) Callback(javax.security.auth.callback.Callback) PasswordValidationCallback(javax.security.auth.message.callback.PasswordValidationCallback) PrivateKeyCallback(javax.security.auth.message.callback.PrivateKeyCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)

Example 3 with CallerPrincipalCallback

use of javax.security.auth.message.callback.CallerPrincipalCallback in project jetty.project by eclipse.

the class ServletCallbackHandler method getThreadCallerPrincipalCallback.

public CallerPrincipalCallback getThreadCallerPrincipalCallback() {
    CallerPrincipalCallback callerPrincipalCallback = _callerPrincipals.get();
    _callerPrincipals.set(null);
    return callerPrincipalCallback;
}
Also used : CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback)

Example 4 with CallerPrincipalCallback

use of javax.security.auth.message.callback.CallerPrincipalCallback in project jetty.project by eclipse.

the class HttpHeaderAuthModule method validateRequest.

/**
     * Validation occurs here.
     */
@Override
public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject client, final Subject serviceSubject) throws AuthException {
    // Take the request from the messageInfo structure.
    final HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
    try {
        // Get the user name from the header. If not there then fail authentication.
        final String userName = req.getHeader("X-Forwarded-User");
        if (userName == null) {
            return AuthStatus.FAILURE;
        }
        // Store the user name that was in the header and also set a group.
        handler.handle(new Callback[] { new CallerPrincipalCallback(client, userName), new GroupPrincipalCallback(client, new String[] { "users" }) });
        return AuthStatus.SUCCESS;
    } catch (final Exception e) {
        throw new AuthException(e.getMessage());
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) AuthException(javax.security.auth.message.AuthException) AuthException(javax.security.auth.message.AuthException)

Example 5 with CallerPrincipalCallback

use of javax.security.auth.message.callback.CallerPrincipalCallback in project OpenAM by OpenRock.

the class LocalSSOTokenSessionModule method validate.

/**
     * Validates the request by attempting to retrieve the SSOToken ID from the cookies on the request.
     * If the SSOToken ID cookie is not present then the method returns AuthStatus.SEND_FAILURE, otherwise if it is
     * present it is then used to retrieve the actual SSOToken from the SSOTokenManager, if valid then
     * AuthStatus.SUCCESS will be returned, otherwise AuthStatus.SEND_FAILURE will be returned.
     *
     * @param request The HttpServletRequest.
     * @param messageInfo A contextual object that encapsulates the client request and server response objects, and
     *                    that may be used to save state across a sequence of calls made to the methods of this
     *                    interface for the purpose of completing a secure message exchange.
     * @param clientSubject A Subject that represents the source of the service request. It is used by the method
     *                      implementation to store Principals and credentials validated in the request.
     * @return AuthStatus.SUCCESS if the SSOToken ID is valid, otherwise AuthStatus.SEND_FAILURE.
     * @throws AuthException If there is a problem validating the request.
     */
private Promise<AuthStatus, AuthenticationException> validate(HttpServletRequest request, MessageInfoContext messageInfo, Subject clientSubject) {
    String tokenId = getRequestUtils().getTokenId(request);
    if (StringUtils.isEmpty(tokenId)) {
        tokenId = request.getHeader(getCookieHeaderName());
    }
    if (!StringUtils.isEmpty(tokenId)) {
        SSOToken ssoToken = getFactory().getTokenFromId(tokenId);
        if (ssoToken != null) {
            int authLevel;
            try {
                authLevel = ssoToken.getAuthLevel();
                String name = ssoToken.getPrincipal().getName();
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, name) });
                clientSubject.getPrincipals().add(ssoToken.getPrincipal());
            } catch (SSOException e) {
                return newExceptionPromise(new AuthenticationException(e.getMessage()));
            } catch (UnsupportedCallbackException e) {
                return newExceptionPromise(new AuthenticationException(e.getMessage()));
            } catch (IOException e) {
                return newExceptionPromise(new AuthenticationException(e.getMessage()));
            }
            Map<String, Object> context = (Map<String, Object>) messageInfo.getRequestContextMap().get("org.forgerock.authentication.context");
            context.put("authLevel", authLevel);
            context.put("tokenId", ssoToken.getTokenID().toString());
            return newResultPromise(SUCCESS);
        }
    }
    return newResultPromise(getInvalidSSOTokenAuthStatus());
}
Also used : CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) SSOToken(com.iplanet.sso.SSOToken) AuthenticationException(org.forgerock.caf.authentication.api.AuthenticationException) SSOException(com.iplanet.sso.SSOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) IOException(java.io.IOException) Map(java.util.Map)

Aggregations

CallerPrincipalCallback (javax.security.auth.message.callback.CallerPrincipalCallback)30 GroupPrincipalCallback (javax.security.auth.message.callback.GroupPrincipalCallback)24 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)21 IOException (java.io.IOException)18 Principal (java.security.Principal)17 AuthException (javax.security.auth.message.AuthException)16 HttpServletRequest (javax.servlet.http.HttpServletRequest)16 Callback (javax.security.auth.callback.Callback)14 PasswordValidationCallback (javax.security.auth.message.callback.PasswordValidationCallback)8 HttpServletResponse (javax.servlet.http.HttpServletResponse)7 Subject (javax.security.auth.Subject)4 CertStoreCallback (javax.security.auth.message.callback.CertStoreCallback)3 PrivateKeyCallback (javax.security.auth.message.callback.PrivateKeyCallback)3 SecretKeyCallback (javax.security.auth.message.callback.SecretKeyCallback)3 TrustStoreCallback (javax.security.auth.message.callback.TrustStoreCallback)3 Map (java.util.Map)2 HttpSession (javax.servlet.http.HttpSession)2 LoginCallbackImpl (org.eclipse.jetty.security.authentication.LoginCallbackImpl)2 CredentialValidationCallback (org.eclipse.jetty.security.jaspi.callback.CredentialValidationCallback)2 UserIdentity (org.eclipse.jetty.server.UserIdentity)2