
Example 6 with AuthenticationRequiredException

use of org.apache.geode.security.AuthenticationRequiredException in project geode by apache.

Class CacheClientNotifier, method registerGFEClient.

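/**
 * Completes the registration of a GemFire (GFE) client's subscription connection with this notifier.
 *
 * <p>Reads from {@code dis}, in protocol order: the client's port list (discarded), the canonical
 * {@link ClientProxyMembershipID}, the conflation byte (packed into an overrides byte for clients at
 * or above {@code Version.GFE_603}), and finally the client's credentials via
 * {@link HandShake#readCredentials}. Everything read here is untrusted client input; each value is
 * checked before it affects server state. Protocol and security failures are reported back to the
 * client through {@code writeException} with the matching reply code and the method returns without
 * throwing; only deserialization and cache failures propagate as {@link IOException}.
 *
 * @param dis                  input stream from the client; consumed strictly in the order above
 * @param dos                  output stream to the client; receives the failure reply, if any
 * @param socket               the client's subscription socket, handed to {@code registerClient}
 * @param isPrimary            whether this server acts as the client's primary queue
 * @param startTime            registration start time, used for the end-of-registration statistic
 * @param clientVersion        negotiated client version; selects the conflation-byte encoding
 * @param acceptorId           id of the accepting {@code Acceptor}
 * @param notifyBySubscription passed through unchanged to {@code registerClient}
 * @throws IOException if the port list cannot be read, the membership id cannot be deserialized
 *                     ({@code ClassNotFoundException}), or registration fails with a
 *                     {@code CacheException} (the cause is preserved)
 */
protected void registerGFEClient(DataInputStream dis, DataOutputStream dos, Socket socket, boolean isPrimary, long startTime, Version clientVersion, long acceptorId, boolean notifyBySubscription) throws IOException {
    // The port list is client-supplied and no longer used, so it is read and discarded. A negative
    // count skips the loop; an oversized count only keeps reading until the client stops sending,
    // at which point readInt() throws EOFException, which (being outside the try below) propagates
    // to the caller as an IOException.
    int numberOfPorts = dis.readInt();
    for (int i = 0; i < numberOfPorts; i++) {
        dis.readInt();
    }
    // Read the handshake identifier and convert it to a string member id
    ClientProxyMembershipID proxyID = null;
    CacheClientProxy proxy;
    AccessControl authzCallback = null;
    byte clientConflation = HandShake.CONFLATION_DEFAULT;
    try {
        proxyID = ClientProxyMembershipID.readCanonicalized(dis);
        // Blacklisted clients are refused before any further input is consumed or a proxy is created.
        if (getBlacklistedClient().contains(proxyID)) {
            writeException(dos, HandShake.REPLY_INVALID, new Exception("This client is blacklisted by server"), clientVersion);
            return;
        }
        proxy = getClientProxy(proxyID);
        DistributedMember member = proxyID.getDistributedMember();
        DistributedSystem system = this.getCache().getDistributedSystem();
        Properties sysProps = system.getProperties();
        String authenticator = sysProps.getProperty(SECURITY_CLIENT_AUTHENTICATOR);
        // From GFE 6.0.3 the conflation setting travels inside an overrides byte; older clients
        // send it bare. dis.read() returns -1 at end of stream, which the switch below rejects.
        if (clientVersion.compareTo(Version.GFE_603) >= 0) {
            byte[] overrides = HandShake.extractOverrides(new byte[] { (byte) dis.read() });
            clientConflation = overrides[0];
        } else {
            clientConflation = (byte) dis.read();
        }
        // Only the three known conflation values are accepted; anything else is a protocol error.
        switch(clientConflation) {
            case HandShake.CONFLATION_DEFAULT:
            case HandShake.CONFLATION_OFF:
            case HandShake.CONFLATION_ON:
                break;
            default:
                writeException(dos, HandShake.REPLY_INVALID, new IllegalArgumentException("Invalid conflation byte"), clientVersion);
                return;
        }
        proxy = registerClient(socket, proxyID, proxy, isPrimary, clientConflation, clientVersion, acceptorId, notifyBySubscription);
        Properties credentials = HandShake.readCredentials(dis, dos, system);
        if (credentials != null && proxy != null) {
            if (securityLogWriter.fineEnabled()) {
                securityLogWriter.fine("CacheClientNotifier: verifying credentials for proxyID: " + proxyID);
            }
            // Returns a Shiro Subject (integrated security), a Principal (legacy authenticator), or
            // null when authentication is not required or the authenticator produced no principal.
            Object subject = HandShake.verifyCredentials(authenticator, credentials, system.getSecurityProperties(), this.logWriter, this.securityLogWriter, member);
            // The post-process authorization factory name comes from server configuration, never
            // from the client.
            String postAuthzFactoryName = sysProps.getProperty(SECURITY_CLIENT_ACCESSOR_PP);
            boolean postAuthzConfigured = postAuthzFactoryName != null && postAuthzFactoryName.length() > 0;
            if (subject instanceof Principal) {
                Principal principal = (Principal) subject;
                if (securityLogWriter.fineEnabled()) {
                    securityLogWriter.fine("CacheClientNotifier: successfully verified credentials for proxyID: " + proxyID + " having principal: " + principal.getName());
                }
                if (postAuthzConfigured) {
                    // Reflectively obtain the AccessControl from the configured static factory and
                    // bind it to this principal/member before installing it on the proxy.
                    Method authzMethod = ClassLoadUtil.methodFromName(postAuthzFactoryName);
                    authzCallback = (AccessControl) authzMethod.invoke(null, (Object[]) null);
                    authzCallback.init(principal, member, this.getCache());
                }
                proxy.setPostAuthzCallback(authzCallback);
            } else if (subject instanceof Subject) {
                proxy.setSubject((Subject) subject);
            } else if (subject == null && postAuthzConfigured) {
                // This warning used to sit inside the instanceof-Principal branch, where principal
                // can never be null, so it was unreachable. Surface it here: a post-process
                // authorization callback is configured but is NOT installed for this client
                // because no principal was produced (authenticator returned null, or
                // authentication is not required at all). Behaviour is otherwise unchanged --
                // NOTE(review): confirm whether this should be treated as a registration failure.
                securityLogWriter.warning(LocalizedStrings.CacheClientNotifier_CACHECLIENTNOTIFIER_POST_PROCESS_AUTHORIZATION_CALLBACK_ENABLED_BUT_AUTHENTICATION_CALLBACK_0_RETURNED_WITH_NULL_CREDENTIALS_FOR_PROXYID_1, new Object[] { SECURITY_CLIENT_AUTHENTICATOR, proxyID });
            }
        }
    } catch (ClassNotFoundException e) {
        throw new IOException(LocalizedStrings.CacheClientNotifier_CLIENTPROXYMEMBERSHIPID_OBJECT_COULD_NOT_BE_CREATED_EXCEPTION_OCCURRED_WAS_0.toLocalizedString(e));
    } catch (AuthenticationRequiredException ex) {
        // Security failures are logged to the security log and answered with a specific reply code.
        securityLogWriter.warning(LocalizedStrings.CacheClientNotifier_AN_EXCEPTION_WAS_THROWN_FOR_CLIENT_0_1, new Object[] { proxyID, ex });
        writeException(dos, HandShake.REPLY_EXCEPTION_AUTHENTICATION_REQUIRED, ex, clientVersion);
        return;
    } catch (AuthenticationFailedException ex) {
        securityLogWriter.warning(LocalizedStrings.CacheClientNotifier_AN_EXCEPTION_WAS_THROWN_FOR_CLIENT_0_1, new Object[] { proxyID, ex });
        writeException(dos, HandShake.REPLY_EXCEPTION_AUTHENTICATION_FAILED, ex, clientVersion);
        return;
    } catch (CacheException e) {
        logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientNotifier_0_REGISTERCLIENT_EXCEPTION_ENCOUNTERED_IN_REGISTRATION_1, new Object[] { this, e }), e);
        IOException io = new IOException(LocalizedStrings.CacheClientNotifier_EXCEPTION_OCCURRED_WHILE_TRYING_TO_REGISTER_INTEREST_DUE_TO_0.toLocalizedString(e.getMessage()));
        io.initCause(e);
        throw io;
    } catch (Exception ex) {
        // Anything else (including reflection failures loading the authz factory) is reported to
        // the client as a generic server-side failure; the full exception stays in the server log.
        logger.warn(LocalizedMessage.create(LocalizedStrings.CacheClientNotifier_AN_EXCEPTION_WAS_THROWN_FOR_CLIENT_0_1, new Object[] { proxyID, "" }), ex);
        writeException(dos, Acceptor.UNSUCCESSFUL_SERVER_TO_CLIENT, ex, clientVersion);
        return;
    }
    this.statistics.endClientRegistration(startTime);
}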

Example 7 with AuthenticationRequiredException

use of org.apache.geode.security.AuthenticationRequiredException in project geode by apache.

Class ServerHandShakeProcessor, method readGFEHandshake.

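/**
 * Performs the server side of the handshake with a GemFire (GFE) client or gateway and records the
 * outcome on {@code connection}.
 *
 * <p>Builds a {@link HandShake} over the connection's socket (the constructor consumes the client's
 * handshake bytes, including its membership id and credentials, within the handshake timeout),
 * stores it and the proxy id on the connection, and for clients older than {@code Version.GFE_65}
 * or gateway-to-gateway links binds the authentication attributes immediately via
 * {@code setAuthAttributes}. Every failure counts a failed connection attempt and cleans up the
 * connection; security failures additionally send the client a refusal with the matching reply
 * code, and unexpected failures a generic {@code REPLY_REFUSED}.
 *
 * @param connection    the connection being established; mutated on success, cleaned up on failure
 * @param clientVersion the client's negotiated version
 * @return {@code true} if the handshake completed, {@code false} if it was refused or the
 *         connection was cleaned up
 */
private static boolean readGFEHandshake(ServerConnection connection, Version clientVersion) {
    int handShakeTimeout = connection.getHandShakeTimeout();
    InternalLogWriter securityLogWriter = connection.getSecurityLogWriter();
    try {
        Socket socket = connection.getSocket();
        DistributedSystem system = connection.getDistributedSystem();
        // Reads credentials and principal from the client as a side effect of construction.
        HandShake handshake = new HandShake(socket, handShakeTimeout, system, clientVersion, connection.getCommunicationMode());
        connection.setHandshake(handshake);
        ClientProxyMembershipID proxyId = handshake.getMembership();
        connection.setProxyId(proxyId);
        // Pre-6.5 clients and gateway-to-gateway links do not send credentials in a separate
        // message, so their auth attributes are bound to the connection right here.
        if (clientVersion.compareTo(Version.GFE_65) < 0 || connection.getCommunicationMode() == Acceptor.GATEWAY_TO_GATEWAY) {
            long uniqueId = setAuthAttributes(connection);
            connection.setUserAuthId(uniqueId);
        }
    } catch (SocketTimeoutException timeout) {
        // The three IOException subtypes below must stay ahead of the IOException catch.
        logger.warn(LocalizedMessage.create(LocalizedStrings.ServerHandShakeProcessor_0_HANDSHAKE_REPLY_CODE_TIMEOUT_NOT_RECEIVED_WITH_IN_1_MS, new Object[] { connection.getName(), Integer.valueOf(handShakeTimeout) }));
        connection.stats.incFailedConnectionAttempts();
        connection.cleanup();
        return false;
    } catch (EOFException e) {
        // Client gave up on this server before the handshake completed; info level is enough.
        logger.info("{} {}", connection.getName(), e);
        connection.stats.incFailedConnectionAttempts();
        connection.cleanup();
        return false;
    } catch (SocketException e) {
        // Same as above: the peer closed or reset the connection mid-handshake.
        logger.info("{} {}", connection.getName(), e);
        connection.stats.incFailedConnectionAttempts();
        connection.cleanup();
        return false;
    } catch (IOException e) {
        logger.warn(LocalizedMessage.create(LocalizedStrings.ServerHandShakeProcessor_0_RECEIVED_NO_HANDSHAKE_REPLY_CODE, connection.getName()), e);
        connection.stats.incFailedConnectionAttempts();
        connection.cleanup();
        return false;
    } catch (AuthenticationRequiredException noauth) {
        // Security failures go to the security log with the cause's message appended, and the
        // client is told which kind of failure it was. The exception message is echoed to a peer
        // that has not authenticated; what it reveals depends on the configured authenticator.
        String exStr = noauth.getLocalizedMessage();
        if (noauth.getCause() != null) {
            exStr += " : " + noauth.getCause().getLocalizedMessage();
        }
        if (securityLogWriter.warningEnabled()) {
            securityLogWriter.warning(LocalizedStrings.ONE_ARG, connection.getName() + ": Security exception: " + exStr);
        }
        connection.stats.incFailedConnectionAttempts();
        connection.refuseHandshake(noauth.getMessage(), HandShake.REPLY_EXCEPTION_AUTHENTICATION_REQUIRED);
        connection.cleanup();
        return false;
    } catch (AuthenticationFailedException failed) {
        String exStr = failed.getLocalizedMessage();
        if (failed.getCause() != null) {
            exStr += " : " + failed.getCause().getLocalizedMessage();
        }
        if (securityLogWriter.warningEnabled()) {
            securityLogWriter.warning(LocalizedStrings.ONE_ARG, connection.getName() + ": Security exception: " + exStr);
        }
        connection.stats.incFailedConnectionAttempts();
        connection.refuseHandshake(failed.getMessage(), HandShake.REPLY_EXCEPTION_AUTHENTICATION_FAILED);
        connection.cleanup();
        return false;
    } catch (Exception ex) {
        // Unexpected failure: previously only the message was logged, which discarded the stack
        // trace needed to diagnose a broken handshake server-side. The trailing Throwable argument
        // makes the logger record it. Note that ex.getMessage() is still sent to the (unauthenticated)
        // peer in the refusal below, so internal detail in such messages reaches the client.
        logger.warn("{} {}", connection.getName(), ex.getLocalizedMessage(), ex);
        connection.stats.incFailedConnectionAttempts();
        connection.refuseHandshake(ex.getMessage(), REPLY_REFUSED);
        connection.cleanup();
        return false;
    }
    return true;
}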

Example 8 with AuthenticationRequiredException

use of org.apache.geode.security.AuthenticationRequiredException in project geode by apache.

Class HandShake, method verifyCredentials.

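/**
 * Authenticates a client's credentials on the server.
 *
 * <p>Returns {@code null} without consulting any authenticator when
 * {@code AcceptorImpl.isAuthenticationRequired()} is false. With integrated security enabled the
 * credentials are handed to {@code securityService.login} and the resulting Shiro
 * {@code Subject} is returned. Otherwise {@code authenticatorMethod} -- taken from server
 * configuration, never from the client -- names a static factory that is invoked reflectively to
 * obtain an {@link Authenticator}, which is initialised, asked to authenticate, and always closed.
 *
 * <p>NOTE(review): a legacy {@code Authenticator} that returns {@code null} instead of throwing
 * yields {@code null} here, which callers cannot distinguish from "authentication not required";
 * callers that require a principal should fail closed on {@code null}.
 *
 * @param authenticatorMethod fully qualified "class.method" of the static Authenticator factory
 *                            (legacy path only)
 * @param credentials         the credentials supplied by the client
 * @param securityProperties  the server's security properties, passed to {@code Authenticator.init}
 * @param logWriter           general log writer passed to the authenticator
 * @param securityLogWriter   security log writer passed to the authenticator
 * @param member              the client's distributed member id, passed to
 *                            {@code Authenticator.authenticate}
 * @return a Shiro {@code Subject} (integrated security), the {@code Principal} produced by the
 *         legacy authenticator, or {@code null} when authentication is not required
 * @throws AuthenticationRequiredException propagated unchanged from the security service or
 *                                         authenticator
 * @throws AuthenticationFailedException   propagated unchanged, or wrapping any other failure
 *                                         (for example the factory could not be loaded or
 *                                         invoked) with the original exception as its cause
 */
public static Object verifyCredentials(String authenticatorMethod, Properties credentials, Properties securityProperties, InternalLogWriter logWriter, InternalLogWriter securityLogWriter, DistributedMember member) throws AuthenticationRequiredException, AuthenticationFailedException {
    if (!AcceptorImpl.isAuthenticationRequired()) {
        return null;
    }
    Authenticator auth = null;
    try {
        if (AcceptorImpl.isIntegratedSecurity()) {
            return securityService.login(credentials);
        }
        Method instanceGetter = ClassLoadUtil.methodFromName(authenticatorMethod);
        auth = (Authenticator) instanceGetter.invoke(null, (Object[]) null);
        auth.init(securityProperties, logWriter, securityLogWriter);
        return auth.authenticate(credentials, member);
    } catch (AuthenticationRequiredException | AuthenticationFailedException ex) {
        // Both are declared by this method and handled separately by callers, who map them to
        // different handshake reply codes. Previously AuthenticationRequiredException fell through
        // to the generic catch below and was re-reported to the client as an authentication failure.
        throw ex;
    } catch (Exception ex) {
        // Reflection and initialisation errors surface as a failed authentication, cause preserved.
        throw new AuthenticationFailedException(ex.getMessage(), ex);
    } finally {
        if (auth != null) {
            auth.close();
        }
    }
}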

Example 9 with AuthenticationRequiredException

use of org.apache.geode.security.AuthenticationRequiredException in project geode by apache.

Class ServerConnection, method getAuthzRequest.

/**
 * Looks up the legacy {@code AuthorizeRequest} bound to the user on this connection.
 *
 * <p>Returns {@code null} when authentication is not required at all, when integrated security
 * is in use (this object plays no part in authorization then), or when the user's attributes
 * exist but carry no authorization request (authentication-only configuration).
 *
 * @return the user's {@code AuthorizeRequest}, or {@code null} in the cases above
 * @throws AuthenticationRequiredException if no authentication attributes are bound to this
 *                                         connection's unique id
 * @throws IOException if the connection was terminated while the attributes were being looked up
 */
public AuthorizeRequest getAuthzRequest() throws AuthenticationRequiredException, IOException {
    if (!AcceptorImpl.isAuthenticationRequired() || AcceptorImpl.isIntegratedSecurity()) {
        return null;
    }
    long uniqueId = getUniqueId();
    UserAuthAttributes attributes = null;
    try {
        attributes = this.clientUserAuths.getUserAuthAttributes(uniqueId);
    } catch (NullPointerException npe) {
        // Bug #52023: the auth table can already be gone once the connection has been terminated.
        if (!this.isTerminated()) {
            logger.debug("Unexpected exception {}", npe);
        } else {
            throw new IOException("Server connection is terminated.");
        }
    }
    if (attributes == null) {
        throw new AuthenticationRequiredException("User authorization attributes not found.");
    }
    AuthorizeRequest request = attributes.getAuthzRequest();
    if (logger.isDebugEnabled()) {
        String state = (request == null) ? "NULL (only authentication is required)" : "not null";
        logger.debug("getAuthzRequest() authrequest: {}", state);
    }
    return request;
}

Example 10 with AuthenticationRequiredException

use of org.apache.geode.security.AuthenticationRequiredException in project geode by apache.

Class ServerConnection, method setCredentials.

/**
 * Processes a client's credentials message, authenticates the user and binds the resulting
 * identity to this connection.
 *
 * <p>Steps, in order: (1) if authentication is not required and the message is in secure mode,
 * answer with an empty payload; (2) reject any message that is not in secure mode; (3) decrypt the
 * message's secure bytes with this connection's handshake and require the embedded connection id
 * to equal {@code this.connectionId}; (4) decrypt and deserialize part 0 as the credential
 * {@code Properties}; (5) authenticate via {@link HandShake#verifyCredentials}; (6) register the
 * resulting Subject or Principal in {@code clientUserAuths} and return the encrypted unique id.
 *
 * @param msg the credentials message received from the client
 * @return the encrypted unique id for the authenticated user, or an empty array in the
 *         CREDENTIALS_NORMAL case
 * @throws AuthenticationFailedException if the message is not secure, the connection id does not
 *                                       match, authentication fails, or any other error occurs
 *                                       (wrapped with message "REPLY_REFUSED", cause preserved)
 * @throws AuthenticationRequiredException propagated unchanged from authentication
 */
public byte[] setCredentials(Message msg) throws Exception {
    try {
        // The response must be sent back encrypted (see encryptId at the end).
        if (!AcceptorImpl.isAuthenticationRequired() && msg.isSecureMode()) {
            // This is a CREDENTIALS_NORMAL case: nothing to authenticate, answer with an empty payload.
            return new byte[0];
        }
        if (!msg.isSecureMode()) {
            throw new AuthenticationFailedException("Authentication failed");
        }
        byte[] secureBytes = msg.getSecureBytes();
        secureBytes = ((HandShake) this.handshake).decryptBytes(secureBytes);
        // The secure bytes must be decrypted before the connection id can be extracted.
        AuthIds aIds = new AuthIds(secureBytes);
        long connId = aIds.getConnectionId();
        // Tie the credentials message to this connection; a mismatch is treated as an
        // authentication failure (presumably to reject messages replayed from another connection
        // -- NOTE(review): confirm against AuthIds/encryptId).
        if (connId != this.connectionId) {
            throw new AuthenticationFailedException("Authentication failed");
        }
        byte[] credBytes = msg.getPart(0).getSerializedForm();
        credBytes = ((HandShake) this.handshake).decryptBytes(credBytes);
        ByteArrayInputStream bis = new ByteArrayInputStream(credBytes);
        DataInputStream dinp = new DataInputStream(bis);
        Properties credentials = DataSerializer.readProperties(dinp);
        // When here, security is enforced on the server. If login returns a Subject it is the
        // integrated-security path; otherwise fall back to the legacy Principal-based path.
        long uniqueId;
        DistributedSystem system = this.getDistributedSystem();
        // Authenticator factory name comes from server configuration, not from the client.
        String methodName = system.getProperties().getProperty(SECURITY_CLIENT_AUTHENTICATOR);
        Object principal = HandShake.verifyCredentials(methodName, credentials, system.getSecurityProperties(), (InternalLogWriter) system.getLogWriter(), (InternalLogWriter) system.getSecurityLogWriter(), this.proxyId.getDistributedMember());
        if (principal instanceof Subject) {
            Subject subject = (Subject) principal;
            uniqueId = this.clientUserAuths.putSubject(subject);
            // NOTE(review): this logs the entire per-connection auth table at INFO on every login;
            // consider whether that belongs at debug level and what it exposes in the log.
            logger.info(this.clientUserAuths);
        } else {
            // Legacy path: this also records the principal in the map. NOTE(review): if the
            // authenticator returned null, a null Principal is registered here -- callers should
            // confirm getUniqueId fails closed in that case.
            uniqueId = ServerHandShakeProcessor.getUniqueId(this, (Principal) principal);
        }
        // Create the secure part that will be sent in the response.
        return encryptId(uniqueId, this);
    } catch (AuthenticationFailedException afe) {
        throw afe;
    } catch (AuthenticationRequiredException are) {
        throw are;
    } catch (Exception e) {
        // Decryption, parsing and reflection failures all surface as a refused authentication.
        throw new AuthenticationFailedException("REPLY_REFUSED", e);
    }
}
