
Example 1 with AuthenticationStatus

Use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.

From the class RememberMeInterceptor, method validateRequest.

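/**
 * Validates the request against the remember-me cookie before delegating to the wrapped
 * authentication mechanism, and issues a fresh remember-me cookie after a successful login.
 *
 * <p>Flow as implemented here:
 * <ol>
 *   <li>If a non-empty cookie named {@code rememberMe.cookieName()} is present, its value is
 *       validated by the remember-me identity store. A {@code VALID} result short-circuits with
 *       {@code notifyContainerAboutLogin}; any other result expires the cookie on the response
 *       and the request then proceeds to the mechanism as if no cookie had been sent.</li>
 *   <li>Otherwise the interceptor chain proceeds. On {@code SUCCESS} with a caller principal and
 *       {@code rememberMe.isRememberMe()}, a login token is generated by the identity store and
 *       sent as a cookie scoped to the context path, with max-age, HttpOnly and Secure taken from
 *       the {@code RememberMe} annotation.</li>
 * </ol>
 *
 * <p>The expiring cookie is built with the same name and path the remember-me cookie is issued
 * with: a browser only replaces (and thus removes) a stored cookie when name and path match, so an
 * expiring cookie without an explicit path would not reliably clear the original one.
 *
 * @param invocationContext the intercepted {@code validateRequest} call; parameter index 2 is the
 *                          {@link HttpMessageContext}
 * @return the authentication status to report to the container
 * @throws Exception whatever the intercepted mechanism or the identity store throws
 */
private AuthenticationStatus validateRequest(final InvocationContext invocationContext) throws Exception {
    final HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
    final RememberMe rememberMe = TomEEELInvocationHandler.of(RememberMe.class, getRememberMe(), getElProcessor(invocationContext, httpMessageContext));
    // Single source of truth for the cookie path: used both when issuing and when expiring.
    final String contextPath = httpMessageContext.getRequest().getContextPath();
    final String cookiePath = isEmpty(contextPath) ? "/" : contextPath;

    final Optional<Cookie> cookie = getCookie(httpMessageContext.getRequest(), rememberMe.cookieName());
    if (cookie.isPresent() && !isEmpty(cookie.get().getValue())) {
        final RememberMeCredential rememberMeCredential = new RememberMeCredential(cookie.get().getValue());
        final CredentialValidationResult validate = rememberMeIdentityStore.get().validate(rememberMeCredential);
        if (VALID.equals(validate.getStatus())) {
            return httpMessageContext.notifyContainerAboutLogin(validate);
        }
        // Token rejected: expire the cookie client-side. A new Cookie is built rather than
        // mutating the request cookie, carrying the same path and flags it was issued with.
        final Cookie expired = new Cookie(rememberMe.cookieName(), "");
        expired.setPath(cookiePath);
        expired.setMaxAge(0);
        expired.setHttpOnly(rememberMe.cookieHttpOnly());
        expired.setSecure(rememberMe.cookieSecureOnly());
        httpMessageContext.getResponse().addCookie(expired);
    }

    final AuthenticationStatus status = (AuthenticationStatus) invocationContext.proceed();
    // isRememberMe() is evaluated last so the (possibly EL-backed) annotation value is only
    // consulted once a login actually succeeded, as in the original nested checks.
    if (SUCCESS.equals(status) && httpMessageContext.getCallerPrincipal() != null && rememberMe.isRememberMe()) {
        final CallerPrincipal principal = new CallerPrincipal(httpMessageContext.getCallerPrincipal().getName());
        final Set<String> groups = httpMessageContext.getGroups();
        final String loginToken = rememberMeIdentityStore.get().generateLoginToken(principal, groups);
        final Cookie rememberMeCookie = new Cookie(rememberMe.cookieName(), loginToken);
        rememberMeCookie.setPath(cookiePath);
        rememberMeCookie.setMaxAge(rememberMe.cookieMaxAgeSeconds());
        rememberMeCookie.setHttpOnly(rememberMe.cookieHttpOnly());
        rememberMeCookie.setSecure(rememberMe.cookieSecureOnly());
        httpMessageContext.getResponse().addCookie(rememberMeCookie);
    }
    return status;
}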

Example 2 with AuthenticationStatus

Use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.

From the class LoginToContinueInterceptor, method processContainerInitiatedAuthentication.

/**
 * Drives the {@code LoginToContinue} flow around the intercepted {@code validateRequest} call.
 * Three request kinds are distinguished, checked in this order:
 * <ol>
 *   <li>first access to a protected URL: the request is saved server-side and the caller is sent
 *       to the login page, by forward or by absolute-URL redirect per {@code useForwardToLogin()};</li>
 *   <li>postback from the login page: the mechanism runs; on {@code SUCCESS} with a caller
 *       principal and a request that does not match the saved one, the authentication is saved
 *       and the caller is redirected to the originally requested URL; on {@code SEND_FAILURE} the
 *       caller is redirected to the error page when one is configured;</li>
 *   <li>return to the original URL after authentication: the saved request and authentication are
 *       replayed through {@code notifyContainerAboutLogin} and the server-side copies cleared.</li>
 * </ol>
 * Any other request simply proceeds to the mechanism.
 *
 * <p>The redirect target after login is the request saved in step 1, not a value supplied by the
 * client on the postback.
 *
 * @param invocationContext  the intercepted call
 * @param httpMessageContext the message context of the current request
 * @return the status to report to the container
 * @throws Exception propagated from the intercepted mechanism
 */
private AuthenticationStatus processContainerInitiatedAuthentication(final InvocationContext invocationContext, final HttpMessageContext httpMessageContext) throws Exception {
    if (isOnInitialProtectedURL(httpMessageContext)) {
        saveRequest(httpMessageContext.getRequest());
        final LoginToContinue config = getLoginToContinue(invocationContext);
        final String loginPage = config.loginPage();
        return config.useForwardToLogin()
                ? httpMessageContext.forward(loginPage)
                : httpMessageContext.redirect(toAbsoluteUrl(httpMessageContext.getRequest(), loginPage));
    }

    if (isOnLoginPostback(httpMessageContext)) {
        final AuthenticationStatus mechanismStatus = (AuthenticationStatus) invocationContext.proceed();
        switch (mechanismStatus) {
            case SUCCESS: {
                if (httpMessageContext.getCallerPrincipal() == null || matchRequest(httpMessageContext.getRequest())) {
                    return SUCCESS;
                }
                saveAuthentication(httpMessageContext.getRequest(), httpMessageContext.getCallerPrincipal(), httpMessageContext.getGroups());
                final SavedRequest original = getRequest(httpMessageContext.getRequest());
                return httpMessageContext.redirect(original.getRequestURLWithQueryString());
            }
            case SEND_FAILURE: {
                final String errorPage = getLoginToContinue(invocationContext).errorPage();
                return errorPage.isEmpty()
                        ? mechanismStatus
                        : httpMessageContext.redirect(toAbsoluteUrl(httpMessageContext.getRequest(), errorPage));
            }
            default:
                // SEND_CONTINUE (and any other status) is passed through untouched.
                return mechanismStatus;
        }
    }

    if (isOnOriginalURLAfterAuthenticate(httpMessageContext)) {
        final SavedRequest original = getRequest(httpMessageContext.getRequest());
        final SavedAuthentication saved = getAuthentication(httpMessageContext.getRequest());
        // Clear before replaying so the saved state cannot be consumed twice.
        clearRequestAndAuthentication(httpMessageContext.getRequest());
        final SavedHttpServletRequest replayed = new SavedHttpServletRequest(httpMessageContext.getRequest(), original);
        return httpMessageContext.withRequest(replayed).notifyContainerAboutLogin(saved.getPrincipal(), saved.getGroups());
    }

    return (AuthenticationStatus) invocationContext.proceed();
}

Example 3 with AuthenticationStatus

Use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.

From the class TomEESecurityServerAuthModule, method validateRequest.

/**
 * JASPIC entry point for request validation. Resolves the {@code HttpAuthenticationMechanism}
 * selected for this request through CDI, delegates to it, and translates its
 * {@code AuthenticationStatus} into the JASPIC {@code AuthStatus}.
 *
 * @param messageInfo    the JASPIC message info for the current exchange
 * @param clientSubject  subject the caller principal is bound to
 * @param serviceSubject the service subject handed through to the message context
 * @return the mapped {@code AuthStatus}
 * @throws AuthException wrapping any {@code AuthenticationException} raised by the mechanism; the
 *         original exception is kept as the cause
 */
@Override
public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject clientSubject, final Subject serviceSubject) throws AuthException {
    final HttpMessageContext context = httpMessageContext(handler, messageInfo, clientSubject, serviceSubject);
    final TomEESecurityServletAuthenticationMechanismMapper mapper = CDI.current().select(TomEESecurityServletAuthenticationMechanismMapper.class).get();
    final HttpAuthenticationMechanism mechanism = mapper.getCurrentAuthenticationMechanism(context);
    final AuthenticationStatus status;
    try {
        status = mechanism.validateRequest(context.getRequest(), context.getResponse(), context);
    } catch (final AuthenticationException e) {
        // Wrapped via initCause() rather than a cause-taking constructor; the cause is preserved.
        final AuthException wrapped = new AuthException(e.getMessage());
        wrapped.initCause(e);
        throw wrapped;
    }
    // Mapping happens outside the try so only the mechanism call is translated.
    return mapToAuthStatus(status);
}

Example 4 with AuthenticationStatus

Use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.

From the class AutoApplySessionInterceptor, method validateRequest.

/**
 * Applies {@code AutoApplySession} semantics around the intercepted {@code validateRequest} call.
 *
 * <p>When the request already carries a user principal, that principal is re-asserted to the
 * container through a {@code CallerPrincipalCallback} and {@code SUCCESS} is returned without
 * invoking the mechanism. Otherwise the mechanism runs and, on {@code SUCCESS}, the
 * {@code javax.servlet.http.registerSession} property is set on the message info map, which
 * (per the Servlet/JASPIC contract) asks the container to retain the authenticated caller in the
 * HTTP session for subsequent requests.
 *
 * @param invocationContext the intercepted call; parameter index 2 is the {@link HttpMessageContext}
 * @return {@code SUCCESS} for an already-authenticated request, otherwise the mechanism's status
 * @throws Exception propagated from the mechanism or the callback handler
 */
private AuthenticationStatus validateRequest(final InvocationContext invocationContext) throws Exception {
    final HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
    final Principal alreadyAuthenticated = httpMessageContext.getRequest().getUserPrincipal();

    if (alreadyAuthenticated != null) {
        // Short-circuit: re-assert the existing principal and skip the mechanism entirely.
        final CallerPrincipalCallback callback = new CallerPrincipalCallback(httpMessageContext.getClientSubject(), alreadyAuthenticated);
        httpMessageContext.getHandler().handle(new Callback[] { callback });
        return AuthenticationStatus.SUCCESS;
    }

    final Object result = invocationContext.proceed();
    if (AuthenticationStatus.SUCCESS.equals(result)) {
        httpMessageContext.getMessageInfo().getMap().put("javax.servlet.http.registerSession", "true");
    }
    return (AuthenticationStatus) result;
}

Example 5 with AuthenticationStatus

Use of javax.security.enterprise.AuthenticationStatus in project tomee by apache.

From the class TomEESecurityServerAuthModule, method secureResponse.

/**
 * JASPIC entry point for the response phase. Resolves the {@code HttpAuthenticationMechanism}
 * selected for this request through CDI, delegates {@code secureResponse} to it, and translates
 * the resulting {@code AuthenticationStatus} into the JASPIC {@code AuthStatus}.
 *
 * @param messageInfo the JASPIC message info for the current exchange
 * @param subject     the subject passed to the message context as client subject (no service
 *                    subject is supplied in this phase)
 * @return the mapped {@code AuthStatus}
 * @throws AuthException wrapping any {@code AuthenticationException} raised by the mechanism; the
 *         original exception is kept as the cause
 */
@Override
public AuthStatus secureResponse(final MessageInfo messageInfo, final Subject subject) throws AuthException {
    final HttpMessageContext context = httpMessageContext(handler, messageInfo, subject, null);
    final TomEESecurityServletAuthenticationMechanismMapper mapper = CDI.current().select(TomEESecurityServletAuthenticationMechanismMapper.class).get();
    final HttpAuthenticationMechanism mechanism = mapper.getCurrentAuthenticationMechanism(context);
    final AuthenticationStatus status;
    try {
        status = mechanism.secureResponse(context.getRequest(), context.getResponse(), context);
    } catch (final AuthenticationException e) {
        // Wrapped via initCause() rather than a cause-taking constructor; the cause is preserved.
        final AuthException wrapped = new AuthException(e.getMessage());
        wrapped.initCause(e);
        throw wrapped;
    }
    // Mapping happens outside the try so only the mechanism call is translated.
    return mapToAuthStatus(status);
}
