Example 1 with AuthenticationStatus
use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.
the class RememberMeInterceptor method validateRequest.
private AuthenticationStatus validateRequest(final InvocationContext invocationContext) throws Exception {
final HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
final RememberMe rememberMe = TomEEELInvocationHandler.of(RememberMe.class, getRememberMe(), getElProcessor(invocationContext, httpMessageContext));
final Optional<Cookie> cookie = getCookie(httpMessageContext.getRequest(), rememberMe.cookieName());
if (cookie.isPresent() && !isEmpty(cookie.get().getValue())) {
final RememberMeCredential rememberMeCredential = new RememberMeCredential(cookie.get().getValue());
final CredentialValidationResult validate = rememberMeIdentityStore.get().validate(rememberMeCredential);
if (VALID.equals(validate.getStatus())) {
return httpMessageContext.notifyContainerAboutLogin(validate);
} else {
cookie.get().setMaxAge(0);
httpMessageContext.getResponse().addCookie(cookie.get());
}
}
final AuthenticationStatus status = (AuthenticationStatus) invocationContext.proceed();
if (SUCCESS.equals(status) && httpMessageContext.getCallerPrincipal() != null) {
if (rememberMe.isRememberMe()) {
final CallerPrincipal principal = new CallerPrincipal(httpMessageContext.getCallerPrincipal().getName());
final Set<String> groups = httpMessageContext.getGroups();
final String loginToken = rememberMeIdentityStore.get().generateLoginToken(principal, groups);
final Cookie rememberMeCookie = new Cookie(rememberMe.cookieName(), loginToken);
rememberMeCookie.setPath(isEmpty(httpMessageContext.getRequest().getContextPath()) ? "/" : httpMessageContext.getRequest().getContextPath());
rememberMeCookie.setMaxAge(rememberMe.cookieMaxAgeSeconds());
rememberMeCookie.setHttpOnly(rememberMe.cookieHttpOnly());
rememberMeCookie.setSecure(rememberMe.cookieSecureOnly());
httpMessageContext.getResponse().addCookie(rememberMeCookie);
}
}
return status;
}
Also used :
Cookie(javax.servlet.http.Cookie)
AuthenticationStatus(javax.security.enterprise.AuthenticationStatus)
CredentialValidationResult(javax.security.enterprise.identitystore.CredentialValidationResult)
RememberMe(javax.security.enterprise.authentication.mechanism.http.RememberMe)
HttpMessageContext(javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)
CallerPrincipal(javax.security.enterprise.CallerPrincipal)
RememberMeCredential(javax.security.enterprise.credential.RememberMeCredential)
Example 2 with AuthenticationStatus
use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.
the class LoginToContinueInterceptor method processContainerInitiatedAuthentication.
private AuthenticationStatus processContainerInitiatedAuthentication(final InvocationContext invocationContext, final HttpMessageContext httpMessageContext) throws Exception {
if (isOnInitialProtectedURL(httpMessageContext)) {
saveRequest(httpMessageContext.getRequest());
final LoginToContinue loginToContinue = getLoginToContinue(invocationContext);
if (loginToContinue.useForwardToLogin()) {
return httpMessageContext.forward(loginToContinue.loginPage());
} else {
return httpMessageContext.redirect(toAbsoluteUrl(httpMessageContext.getRequest(), loginToContinue.loginPage()));
}
}
if (isOnLoginPostback(httpMessageContext)) {
final AuthenticationStatus authenticationStatus = (AuthenticationStatus) invocationContext.proceed();
if (authenticationStatus.equals(SUCCESS)) {
if (httpMessageContext.getCallerPrincipal() == null) {
return SUCCESS;
}
if (matchRequest(httpMessageContext.getRequest())) {
return SUCCESS;
}
saveAuthentication(httpMessageContext.getRequest(), httpMessageContext.getCallerPrincipal(), httpMessageContext.getGroups());
final SavedRequest savedRequest = getRequest(httpMessageContext.getRequest());
return httpMessageContext.redirect(savedRequest.getRequestURLWithQueryString());
} else if (authenticationStatus.equals(SEND_FAILURE)) {
final LoginToContinue loginToContinue = getLoginToContinue(invocationContext);
if (!loginToContinue.errorPage().isEmpty()) {
return httpMessageContext.redirect(toAbsoluteUrl(httpMessageContext.getRequest(), loginToContinue.errorPage()));
}
return authenticationStatus;
} else {
// SEND_CONTINUE
return authenticationStatus;
}
}
if (isOnOriginalURLAfterAuthenticate(httpMessageContext)) {
final SavedRequest savedRequest = getRequest(httpMessageContext.getRequest());
final SavedAuthentication savedAuthentication = getAuthentication(httpMessageContext.getRequest());
clearRequestAndAuthentication(httpMessageContext.getRequest());
final SavedHttpServletRequest savedHttpServletRequest = new SavedHttpServletRequest(httpMessageContext.getRequest(), savedRequest);
return httpMessageContext.withRequest(savedHttpServletRequest).notifyContainerAboutLogin(savedAuthentication.getPrincipal(), savedAuthentication.getGroups());
}
return (AuthenticationStatus) invocationContext.proceed();
}
Also used :
AuthenticationStatus(javax.security.enterprise.AuthenticationStatus)
SavedHttpServletRequest(org.apache.tomee.security.http.SavedHttpServletRequest)
LoginToContinue(javax.security.enterprise.authentication.mechanism.http.LoginToContinue)
SavedAuthentication(org.apache.tomee.security.http.SavedAuthentication)
SavedRequest(org.apache.tomee.security.http.SavedRequest)
Example 3 with AuthenticationStatus
use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.
the class TomEESecurityServerAuthModule method validateRequest.
@Override
public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject clientSubject, final Subject serviceSubject) throws AuthException {
final HttpMessageContext httpMessageContext = httpMessageContext(handler, messageInfo, clientSubject, serviceSubject);
final HttpAuthenticationMechanism authenticationMechanism = CDI.current().select(TomEESecurityServletAuthenticationMechanismMapper.class).get().getCurrentAuthenticationMechanism(httpMessageContext);
final AuthenticationStatus authenticationStatus;
try {
authenticationStatus = authenticationMechanism.validateRequest(httpMessageContext.getRequest(), httpMessageContext.getResponse(), httpMessageContext);
} catch (final AuthenticationException e) {
final AuthException authException = new AuthException(e.getMessage());
authException.initCause(e);
throw authException;
}
return mapToAuthStatus(authenticationStatus);
}
Also used :
AuthenticationStatus(javax.security.enterprise.AuthenticationStatus)
AuthenticationException(javax.security.enterprise.AuthenticationException)
HttpAuthenticationMechanism(javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism)
AuthException(javax.security.auth.message.AuthException)
HttpMessageContext(javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)
Example 4 with AuthenticationStatus
use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.
the class AutoApplySessionInterceptor method validateRequest.
private AuthenticationStatus validateRequest(final InvocationContext invocationContext) throws Exception {
final HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
final Principal principal = httpMessageContext.getRequest().getUserPrincipal();
if (principal == null) {
final Object authenticationStatus = invocationContext.proceed();
if (AuthenticationStatus.SUCCESS.equals(authenticationStatus)) {
httpMessageContext.getMessageInfo().getMap().put("javax.servlet.http.registerSession", "true");
}
return (AuthenticationStatus) authenticationStatus;
} else {
final CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(httpMessageContext.getClientSubject(), principal);
httpMessageContext.getHandler().handle(new Callback[] { callerPrincipalCallback });
return AuthenticationStatus.SUCCESS;
}
}
Also used :
AuthenticationStatus(javax.security.enterprise.AuthenticationStatus)
CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback)
HttpMessageContext(javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)
Principal(java.security.Principal)
Example 5 with AuthenticationStatus
use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.
the class TomEESecurityServerAuthModule method secureResponse.
@Override
public AuthStatus secureResponse(final MessageInfo messageInfo, final Subject subject) throws AuthException {
final HttpMessageContext httpMessageContext = httpMessageContext(handler, messageInfo, subject, null);
final HttpAuthenticationMechanism authenticationMechanism = CDI.current().select(TomEESecurityServletAuthenticationMechanismMapper.class).get().getCurrentAuthenticationMechanism(httpMessageContext);
final AuthenticationStatus authenticationStatus;
try {
authenticationStatus = authenticationMechanism.secureResponse(httpMessageContext.getRequest(), httpMessageContext.getResponse(), httpMessageContext);
} catch (final AuthenticationException e) {
final AuthException authException = new AuthException(e.getMessage());
authException.initCause(e);
throw authException;
}
return mapToAuthStatus(authenticationStatus);
}
Also used :
AuthenticationStatus(javax.security.enterprise.AuthenticationStatus)
AuthenticationException(javax.security.enterprise.AuthenticationException)
HttpAuthenticationMechanism(javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism)
AuthException(javax.security.auth.message.AuthException)
HttpMessageContext(javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)
Aggregations
AuthenticationStatus (javax.security.enterprise.AuthenticationStatus)5
HttpMessageContext (javax.security.enterprise.authentication.mechanism.http.HttpMessageContext)4
AuthException (javax.security.auth.message.AuthException)2
AuthenticationException (javax.security.enterprise.AuthenticationException)2
HttpAuthenticationMechanism (javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism)2
Principal (java.security.Principal)1
CallerPrincipalCallback (javax.security.auth.message.callback.CallerPrincipalCallback)1
CallerPrincipal (javax.security.enterprise.CallerPrincipal)1
LoginToContinue (javax.security.enterprise.authentication.mechanism.http.LoginToContinue)1
RememberMe (javax.security.enterprise.authentication.mechanism.http.RememberMe)1
RememberMeCredential (javax.security.enterprise.credential.RememberMeCredential)1
CredentialValidationResult (javax.security.enterprise.identitystore.CredentialValidationResult)1
Cookie (javax.servlet.http.Cookie)1
SavedAuthentication (org.apache.tomee.security.http.SavedAuthentication)1
SavedHttpServletRequest (org.apache.tomee.security.http.SavedHttpServletRequest)1
SavedRequest (org.apache.tomee.security.http.SavedRequest)1
