Example 1 with IdentityAccessException
use of org.apache.nifi.registry.security.authentication.exception.IdentityAccessException in project nifi-registry by apache.
the class KerberosIdentityProvider method authenticate.
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
if (provider == null) {
throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
}
try {
// perform the authentication
final String username = authenticationRequest.getUsername();
final Object credentials = authenticationRequest.getCredentials();
final String password = credentials != null && credentials instanceof String ? (String) credentials : null;
// perform the authentication
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, credentials);
logger.debug("Created authentication token " + token.toString());
final Authentication authentication = provider.authenticate(token);
logger.debug("Ran provider.authenticate(token) and returned authentication for " + "principal={} with name={} and isAuthenticated={}", authentication.getPrincipal(), authentication.getName(), authentication.isAuthenticated());
return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
} catch (final AuthenticationException e) {
throw new InvalidCredentialsException(e.getMessage(), e);
}
}
Also used :
AuthenticationException(org.springframework.security.core.AuthenticationException)
InvalidCredentialsException(org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException)
Authentication(org.springframework.security.core.Authentication)
UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
IdentityAccessException(org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)
AuthenticationResponse(org.apache.nifi.registry.security.authentication.AuthenticationResponse)
Example 2 with IdentityAccessException
use of org.apache.nifi.registry.security.authentication.exception.IdentityAccessException in project nifi-registry by apache.
the class KerberosSpnegoIdentityProvider method authenticate.
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
if (authenticationRequest == null) {
logger.info("Cannot authenticate null authenticationRequest, returning null.");
return null;
}
final Object credentials = authenticationRequest.getCredentials();
byte[] kerberosTicket = credentials != null && credentials instanceof byte[] ? (byte[]) authenticationRequest.getCredentials() : null;
if (credentials == null) {
logger.info("Kerberos Ticket not found in authenticationRequest credentials, returning null.");
return null;
}
if (kerberosServiceAuthenticationProvider == null) {
throw new IdentityAccessException("The Kerberos authentication provider is not initialized.");
}
try {
KerberosServiceRequestToken kerberosServiceRequestToken = new KerberosServiceRequestToken(kerberosTicket);
kerberosServiceRequestToken.setDetails(authenticationRequest.getDetails());
Authentication authentication = kerberosServiceAuthenticationProvider.authenticate(kerberosServiceRequestToken);
if (authentication == null) {
throw new InvalidCredentialsException("Kerberos credentials could not be authenticated.");
}
final String kerberosPrincipal = authentication.getName();
return new AuthenticationResponse(kerberosPrincipal, kerberosPrincipal, expiration, issuer);
} catch (AuthenticationException e) {
String authFailedMessage = "Kerberos credentials could not be authenticated.";
/* Kerberos uses encryption with up to AES-256, specifically AES256-CTS-HMAC-SHA1-96.
* That is not available in every JRE, particularly if Unlimited Strength Encryption
* policies are not installed in the Java home lib dir. The Kerberos lib does not
* differentiate between failures due to decryption and those due to bad credentials
* without walking the causes of the exception, so this check puts something
* potentially useful in the logs for those troubleshooting Kerberos authentication. */
if (!Boolean.FALSE.equals(CryptoUtils.isCryptoRestricted())) {
authFailedMessage += " This Java Runtime does not support unlimited strength encryption. " + "This could cause Kerberos authentication to fail as it can require AES-256.";
}
logger.info(authFailedMessage);
throw new InvalidCredentialsException(authFailedMessage, e);
}
}
Also used :
InvalidCredentialsException(org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException)
AuthenticationException(org.springframework.security.core.AuthenticationException)
Authentication(org.springframework.security.core.Authentication)
IdentityAccessException(org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)
AuthenticationResponse(org.apache.nifi.registry.security.authentication.AuthenticationResponse)
KerberosServiceRequestToken(org.springframework.security.kerberos.authentication.KerberosServiceRequestToken)
Example 3 with IdentityAccessException
use of org.apache.nifi.registry.security.authentication.exception.IdentityAccessException in project nifi-registry by apache.
the class LdapIdentityProvider method authenticate.
@Override
public AuthenticationResponse authenticate(AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, IdentityAccessException {
if (authenticationRequest == null || StringUtils.isEmpty(authenticationRequest.getUsername())) {
logger.debug("Call to authenticate method with null or empty authenticationRequest, returning null without attempting to authenticate");
return null;
}
if (ldapAuthenticationProvider == null) {
throw new IdentityAccessException("The LDAP authentication provider is not initialized.");
}
try {
final String username = authenticationRequest.getUsername();
final Object credentials = authenticationRequest.getCredentials();
final String password = credentials != null && credentials instanceof String ? (String) credentials : null;
// perform the authentication
final UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, credentials);
final Authentication authentication = ldapAuthenticationProvider.authenticate(token);
logger.debug("Created authentication token: {}", token.toString());
// use dn if configured
if (IdentityStrategy.USE_DN.equals(identityStrategy)) {
// attempt to get the ldap user details to get the DN
if (authentication.getPrincipal() instanceof LdapUserDetails) {
final LdapUserDetails userDetails = (LdapUserDetails) authentication.getPrincipal();
return new AuthenticationResponse(userDetails.getDn(), username, expiration, issuer);
} else {
logger.warn(String.format("Unable to determine user DN for %s, using username.", authentication.getName()));
return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
}
} else {
return new AuthenticationResponse(authentication.getName(), username, expiration, issuer);
}
} catch (final BadCredentialsException | UsernameNotFoundException | AuthenticationException e) {
throw new InvalidCredentialsException(e.getMessage(), e);
} catch (final Exception e) {
// there appears to be a bug that generates a InternalAuthenticationServiceException wrapped around an AuthenticationException. this
// shouldn't be the case as they the service exception suggestions that something was wrong with the service. while the authentication
// exception suggests that username and/or credentials were incorrect. checking the cause seems to address this scenario.
final Throwable cause = e.getCause();
if (cause instanceof AuthenticationException) {
throw new InvalidCredentialsException(e.getMessage(), e);
}
logger.error(e.getMessage());
if (logger.isDebugEnabled()) {
logger.debug(StringUtils.EMPTY, e);
}
throw new IdentityAccessException("Unable to validate the supplied credentials. Please contact the system administrator.", e);
}
}
Also used :
UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException)
AuthenticationException(org.springframework.ldap.AuthenticationException)
UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
BadCredentialsException(org.springframework.security.authentication.BadCredentialsException)
AuthenticationResponse(org.apache.nifi.registry.security.authentication.AuthenticationResponse)
BadCredentialsException(org.springframework.security.authentication.BadCredentialsException)
AuthenticationException(org.springframework.ldap.AuthenticationException)
UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException)
KeyStoreException(java.security.KeyStoreException)
IdentityAccessException(org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
SecurityProviderDestructionException(org.apache.nifi.registry.security.exception.SecurityProviderDestructionException)
InvalidCredentialsException(org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException)
SecurityProviderCreationException(org.apache.nifi.registry.security.exception.SecurityProviderCreationException)
IOException(java.io.IOException)
KeyManagementException(java.security.KeyManagementException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidCredentialsException(org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException)
Authentication(org.springframework.security.core.Authentication)
LdapUserDetails(org.springframework.security.ldap.userdetails.LdapUserDetails)
IdentityAccessException(org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)
Example 4 with IdentityAccessException
use of org.apache.nifi.registry.security.authentication.exception.IdentityAccessException in project nifi-registry by apache.
the class AccessResource method createAccessToken.
private String createAccessToken(IdentityProvider identityProvider, AuthenticationRequest authenticationRequest) throws InvalidCredentialsException, AdministrationException {
final AuthenticationResponse authenticationResponse;
try {
authenticationResponse = identityProvider.authenticate(authenticationRequest);
final String token = jwtService.generateSignedToken(authenticationResponse);
return token;
} catch (final IdentityAccessException | JwtException e) {
throw new AdministrationException(e.getMessage());
}
}
Also used :
JwtException(io.jsonwebtoken.JwtException)
IdentityAccessException(org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)
AdministrationException(org.apache.nifi.registry.exception.AdministrationException)
AuthenticationResponse(org.apache.nifi.registry.security.authentication.AuthenticationResponse)
Aggregations
AuthenticationResponse (org.apache.nifi.registry.security.authentication.AuthenticationResponse)4
IdentityAccessException (org.apache.nifi.registry.security.authentication.exception.IdentityAccessException)4
InvalidCredentialsException (org.apache.nifi.registry.security.authentication.exception.InvalidCredentialsException)3
Authentication (org.springframework.security.core.Authentication)3
UsernamePasswordAuthenticationToken (org.springframework.security.authentication.UsernamePasswordAuthenticationToken)2
AuthenticationException (org.springframework.security.core.AuthenticationException)2
JwtException (io.jsonwebtoken.JwtException)1
IOException (java.io.IOException)1
KeyManagementException (java.security.KeyManagementException)1
KeyStoreException (java.security.KeyStoreException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
UnrecoverableKeyException (java.security.UnrecoverableKeyException)1
CertificateException (java.security.cert.CertificateException)1
AdministrationException (org.apache.nifi.registry.exception.AdministrationException)1
SecurityProviderCreationException (org.apache.nifi.registry.security.exception.SecurityProviderCreationException)1
SecurityProviderDestructionException (org.apache.nifi.registry.security.exception.SecurityProviderDestructionException)1
AuthenticationException (org.springframework.ldap.AuthenticationException)1
BadCredentialsException (org.springframework.security.authentication.BadCredentialsException)1
UsernameNotFoundException (org.springframework.security.core.userdetails.UsernameNotFoundException)1
KerberosServiceRequestToken (org.springframework.security.kerberos.authentication.KerberosServiceRequestToken)1
