Examples with AuthenticationFailedException org.apache.geode.security.AuthenticationFailedException used on opensource projects

Search in sources :

Example 21 with AuthenticationFailedException

use of org.apache.geode.security.AuthenticationFailedException in project geode by apache.

the class HandShake method verifyCredentials.

/**
   * this could return either a Subject or a Principal depending on if it's integrated security or
   * not
   */
public static Object verifyCredentials(String authenticatorMethod, Properties credentials, Properties securityProperties, InternalLogWriter logWriter, InternalLogWriter securityLogWriter, DistributedMember member) throws AuthenticationRequiredException, AuthenticationFailedException {
    if (!AcceptorImpl.isAuthenticationRequired()) {
        return null;
    }
    Authenticator auth = null;
    try {
        if (AcceptorImpl.isIntegratedSecurity()) {
            return securityService.login(credentials);
        } else {
            Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod);
            auth = (Authenticator) instanceGetter.invoke(null, (Object[]) null);
            auth.init(securityProperties, logWriter, securityLogWriter);
            return auth.authenticate(credentials, member);
        }
    } catch (AuthenticationFailedException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new AuthenticationFailedException(ex.getMessage(), ex);
    } finally {
        if (auth != null)
            auth.close();
    }
}
Also used : AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) Method(java.lang.reflect.Method) Authenticator(org.apache.geode.security.Authenticator) ServerRefusedConnectionException(org.apache.geode.cache.client.ServerRefusedConnectionException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException) InternalGemFireException(org.apache.geode.InternalGemFireException) GatewayConfigurationException(org.apache.geode.cache.GatewayConfigurationException) EOFException(java.io.EOFException) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) GemFireConfigException(org.apache.geode.GemFireConfigException) IOException(java.io.IOException) AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException)

Example 22 with AuthenticationFailedException

use of org.apache.geode.security.AuthenticationFailedException in project geode by apache.

the class ServerConnection method setCredentials.

public byte[] setCredentials(Message msg) throws Exception {
    try {
        // need to send back in response with encrption
        if (!AcceptorImpl.isAuthenticationRequired() && msg.isSecureMode()) {
            // This is a CREDENTIALS_NORMAL case.;
            return new byte[0];
        }
        if (!msg.isSecureMode()) {
            throw new AuthenticationFailedException("Authentication failed");
        }
        byte[] secureBytes = msg.getSecureBytes();
        secureBytes = ((HandShake) this.handshake).decryptBytes(secureBytes);
        // need to decrypt it first then get connectionid
        AuthIds aIds = new AuthIds(secureBytes);
        long connId = aIds.getConnectionId();
        if (connId != this.connectionId) {
            throw new AuthenticationFailedException("Authentication failed");
        }
        byte[] credBytes = msg.getPart(0).getSerializedForm();
        credBytes = ((HandShake) this.handshake).decryptBytes(credBytes);
        ByteArrayInputStream bis = new ByteArrayInputStream(credBytes);
        DataInputStream dinp = new DataInputStream(bis);
        Properties credentials = DataSerializer.readProperties(dinp);
        // When here, security is enfored on server, if login returns a subject, then it's the newly
        // integrated security, otherwise, do it the old way.
        long uniqueId;
        DistributedSystem system = this.getDistributedSystem();
        String methodName = system.getProperties().getProperty(SECURITY_CLIENT_AUTHENTICATOR);
        Object principal = HandShake.verifyCredentials(methodName, credentials, system.getSecurityProperties(), (InternalLogWriter) system.getLogWriter(), (InternalLogWriter) system.getSecurityLogWriter(), this.proxyId.getDistributedMember());
        if (principal instanceof Subject) {
            Subject subject = (Subject) principal;
            uniqueId = this.clientUserAuths.putSubject(subject);
            logger.info(this.clientUserAuths);
        } else {
            // this sets principal in map as well....
            uniqueId = ServerHandShakeProcessor.getUniqueId(this, (Principal) principal);
        }
        // create secure part which will be send in respones
        return encryptId(uniqueId, this);
    } catch (AuthenticationFailedException afe) {
        throw afe;
    } catch (AuthenticationRequiredException are) {
        throw are;
    } catch (Exception e) {
        throw new AuthenticationFailedException("REPLY_REFUSED", e);
    }
}
Also used : AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException) DataInputStream(java.io.DataInputStream) ConfigurationProperties(org.apache.geode.distributed.ConfigurationProperties) Properties(java.util.Properties) DistributedSystem(org.apache.geode.distributed.DistributedSystem) Subject(org.apache.shiro.subject.Subject) CancelException(org.apache.geode.CancelException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) IOException(java.io.IOException) AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException) ByteArrayInputStream(java.io.ByteArrayInputStream) Principal(java.security.Principal)

Example 23 with AuthenticationFailedException

use of org.apache.geode.security.AuthenticationFailedException in project geode by apache.

the class HandShake method writeCredentials.

/**
   * This assumes that authentication is the last piece of info in handshake
   */
public void writeCredentials(DataOutputStream dos, DataInputStream dis, Properties p_credentials, boolean isNotification, DistributedMember member, HeapDataOutputStream heapdos) throws IOException, GemFireSecurityException {
    if (p_credentials == null) {
        // No credentials indicator
        heapdos.writeByte(CREDENTIALS_NONE);
        heapdos.flush();
        dos.write(heapdos.toByteArray());
        dos.flush();
        return;
    }
    if (dhSKAlgo == null || dhSKAlgo.length() == 0) {
        // Normal credentials without encryption indicator
        heapdos.writeByte(CREDENTIALS_NORMAL);
        DataSerializer.writeProperties(p_credentials, heapdos);
        heapdos.flush();
        dos.write(heapdos.toByteArray());
        dos.flush();
        return;
    }
    try {
        InternalLogWriter securityLogWriter = (InternalLogWriter) this.system.getSecurityLogWriter();
        securityLogWriter.fine("HandShake: using Diffie-Hellman key exchange with algo " + dhSKAlgo);
        boolean requireAuthentication = (certificateFilePath != null && certificateFilePath.length() > 0);
        if (requireAuthentication) {
            securityLogWriter.fine("HandShake: server authentication using digital " + "signature required");
        }
        // Credentials with encryption indicator
        heapdos.writeByte(CREDENTIALS_DHENCRYPT);
        heapdos.writeBoolean(requireAuthentication);
        // Send the symmetric encryption algorithm name
        DataSerializer.writeString(dhSKAlgo, heapdos);
        // Send the DH public key
        byte[] keyBytes = dhPublicKey.getEncoded();
        DataSerializer.writeByteArray(keyBytes, heapdos);
        byte[] clientChallenge = null;
        if (requireAuthentication) {
            // Authentication of server should be with the client supplied
            // challenge
            clientChallenge = new byte[64];
            random.nextBytes(clientChallenge);
            DataSerializer.writeByteArray(clientChallenge, heapdos);
        }
        heapdos.flush();
        dos.write(heapdos.toByteArray());
        dos.flush();
        // Expect the alias and signature in the reply
        byte acceptanceCode = dis.readByte();
        if (acceptanceCode != REPLY_OK && acceptanceCode != REPLY_AUTH_NOT_REQUIRED) {
            // Ignore the useless data
            dis.readByte();
            dis.readInt();
            if (!isNotification) {
                DataSerializer.readByteArray(dis);
            }
            readMessage(dis, dos, acceptanceCode, member);
        } else if (acceptanceCode == REPLY_OK) {
            // Get the public key of the other side
            keyBytes = DataSerializer.readByteArray(dis);
            if (requireAuthentication) {
                String subject = DataSerializer.readString(dis);
                byte[] signatureBytes = DataSerializer.readByteArray(dis);
                if (!certificateMap.containsKey(subject)) {
                    throw new AuthenticationFailedException(LocalizedStrings.HandShake_HANDSHAKE_FAILED_TO_FIND_PUBLIC_KEY_FOR_SERVER_WITH_SUBJECT_0.toLocalizedString(subject));
                }
                // Check the signature with the public key
                X509Certificate cert = (X509Certificate) certificateMap.get(subject);
                Signature sig = Signature.getInstance(cert.getSigAlgName());
                sig.initVerify(cert);
                sig.update(clientChallenge);
                // Check the challenge string
                if (!sig.verify(signatureBytes)) {
                    throw new AuthenticationFailedException("Mismatch in client " + "challenge bytes. Malicious server?");
                }
                securityLogWriter.fine("HandShake: Successfully verified the " + "digital signature from server");
            }
            byte[] challenge = DataSerializer.readByteArray(dis);
            X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
            KeyFactory keyFact = KeyFactory.getInstance("DH");
            // PublicKey pubKey = keyFact.generatePublic(x509KeySpec);
            this.clientPublicKey = keyFact.generatePublic(x509KeySpec);
            HeapDataOutputStream hdos = new HeapDataOutputStream(Version.CURRENT);
            try {
                DataSerializer.writeProperties(p_credentials, hdos);
                // Also add the challenge string
                DataSerializer.writeByteArray(challenge, hdos);
                // byte[] encBytes = encrypt.doFinal(hdos.toByteArray());
                byte[] encBytes = encryptBytes(hdos.toByteArray(), getEncryptCipher(dhSKAlgo, this.clientPublicKey));
                DataSerializer.writeByteArray(encBytes, dos);
            } finally {
                hdos.close();
            }
        }
    } catch (IOException ex) {
        throw ex;
    } catch (GemFireSecurityException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new AuthenticationFailedException("HandShake failed in Diffie-Hellman key exchange", ex);
    }
    dos.flush();
}
Also used : InternalLogWriter(org.apache.geode.internal.logging.InternalLogWriter) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) ServerRefusedConnectionException(org.apache.geode.cache.client.ServerRefusedConnectionException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException) InternalGemFireException(org.apache.geode.InternalGemFireException) GatewayConfigurationException(org.apache.geode.cache.GatewayConfigurationException) EOFException(java.io.EOFException) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) GemFireConfigException(org.apache.geode.GemFireConfigException) IOException(java.io.IOException) AuthenticationRequiredException(org.apache.geode.security.AuthenticationRequiredException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException) HeapDataOutputStream(org.apache.geode.internal.HeapDataOutputStream) Signature(java.security.Signature) KeyFactory(java.security.KeyFactory)

Example 24 with AuthenticationFailedException

use of org.apache.geode.security.AuthenticationFailedException in project geode by apache.

the class GMSAuthenticator method authenticate.

/**
   * Method is package protected to be used in testing.
   */
String authenticate(DistributedMember member, Properties credentials, Properties secProps) throws AuthenticationFailedException {
    // For older systems, locator might be started without cache, so secureService may not be
    // initialized here. We need to check
    // if the passed in secProps has peer authenticator or not
    String authMethod = secProps.getProperty(SECURITY_PEER_AUTHENTICATOR);
    // at this point,
    if (!securityService.isPeerSecurityRequired() && StringUtils.isBlank(authMethod)) {
        return null;
    }
    InternalLogWriter securityLogWriter = this.services.getSecurityLogWriter();
    if (credentials == null) {
        securityLogWriter.warning(AUTH_PEER_AUTHENTICATION_MISSING_CREDENTIALS, member);
        return AUTH_PEER_AUTHENTICATION_MISSING_CREDENTIALS.toLocalizedString(member);
    }
    String failMsg = null;
    try {
        if (this.securityService.isIntegratedSecurity()) {
            this.securityService.login(credentials);
            this.securityService.authorizeClusterManage();
        } else {
            invokeAuthenticator(secProps, member, credentials);
        }
    } catch (Exception ex) {
        securityLogWriter.warning(AUTH_PEER_AUTHENTICATION_FAILED_WITH_EXCEPTION, new Object[] { member, ex.getLocalizedMessage() }, ex);
        failMsg = AUTH_PEER_AUTHENTICATION_FAILED.toLocalizedString(ex.getLocalizedMessage());
    }
    return failMsg;
}
Also used : InternalLogWriter(org.apache.geode.internal.logging.InternalLogWriter) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)

Example 25 with AuthenticationFailedException

use of org.apache.geode.security.AuthenticationFailedException in project geode by apache.

the class GMSAuthenticator method invokeAuthenticator.

/**
   * Method is package protected to be used in testing.
   */
Principal invokeAuthenticator(Properties securityProps, DistributedMember member, Properties credentials) throws AuthenticationFailedException {
    String authMethod = securityProps.getProperty(SECURITY_PEER_AUTHENTICATOR);
    org.apache.geode.security.Authenticator auth = null;
    try {
        auth = SecurityService.getObjectOfType(authMethod, org.apache.geode.security.Authenticator.class);
        LogWriter logWriter = this.services.getLogWriter();
        LogWriter securityLogWriter = this.services.getSecurityLogWriter();
        // this.securityProps contains
        auth.init(this.securityProps, logWriter, securityLogWriter);
        // is expected
        return auth.authenticate(credentials, member);
    } catch (GemFireSecurityException gse) {
        throw gse;
    } catch (Exception ex) {
        throw new AuthenticationFailedException(HandShake_FAILED_TO_ACQUIRE_AUTHENTICATOR_OBJECT.toLocalizedString(), ex);
    } finally {
        if (auth != null)
            auth.close();
    }
}
Also used : GemFireSecurityException(org.apache.geode.security.GemFireSecurityException) InternalLogWriter(org.apache.geode.internal.logging.InternalLogWriter) LogWriter(org.apache.geode.LogWriter) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) Authenticator(org.apache.geode.distributed.internal.membership.gms.interfaces.Authenticator) AuthenticationFailedException(org.apache.geode.security.AuthenticationFailedException) GemFireSecurityException(org.apache.geode.security.GemFireSecurityException)

Aggregations

AuthenticationFailedException (org.apache.geode.security.AuthenticationFailedException)29 IOException (java.io.IOException)14 Properties (java.util.Properties)12 AuthenticationRequiredException (org.apache.geode.security.AuthenticationRequiredException)9 GemFireSecurityException (org.apache.geode.security.GemFireSecurityException)9 InternalLogWriter (org.apache.geode.internal.logging.InternalLogWriter)7 EOFException (java.io.EOFException)6 Signature (java.security.Signature)6 ConfigurationProperties (org.apache.geode.distributed.ConfigurationProperties)6 X509Certificate (java.security.cert.X509Certificate)5 GemFireConfigException (org.apache.geode.GemFireConfigException)5 InternalGemFireException (org.apache.geode.InternalGemFireException)5 GatewayConfigurationException (org.apache.geode.cache.GatewayConfigurationException)5 ServerRefusedConnectionException (org.apache.geode.cache.client.ServerRefusedConnectionException)5 KeyFactory (java.security.KeyFactory)4 X509EncodedKeySpec (java.security.spec.X509EncodedKeySpec)4 Test (org.junit.Test)4 ByteArrayInputStream (java.io.ByteArrayInputStream)3 DataInputStream (java.io.DataInputStream)3 MalformedURLException (java.net.MalformedURLException)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial