Use of org.apache.shiro.authc.AuthenticationToken in project airpal by airbnb:
class SessionResource, method doLogin.
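@POST
@Path("/login")
public void doLogin(@Context HttpServletRequest request, @Context HttpServletResponse response, @FormParam("username") String username, @FormParam("password") String password) throws IOException {
    /*
     * Form-login endpoint: authenticates the caller against the Shiro
     * SecurityManager and then redirects to the request that was saved
     * before the login challenge, falling back to "/app".
     *
     * username / password arrive straight from the POST form and are
     * untrusted; they are handed to the realm unchanged.
     * Throws IOException when the redirect or error response cannot be written.
     *
     * A subject that is already authenticated is not re-authenticated;
     * the submitted credentials are ignored in that case.
     */
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            currentUser.login(token);
        } catch (org.apache.shiro.authc.AuthenticationException e) {
            // A rejected login is an expected outcome, not a server error: answer
            // 401 instead of letting the exception escape as a 500. Shiro's message
            // is deliberately not echoed back, so the response does not tell the
            // caller whether the user name or the password was the wrong part.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            // Zero the clear-text password held by the token once the realm has seen it.
            token.clear();
        }
    }
    WebUtils.redirectToSavedRequest(request, response, "/app");
}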
Use of org.apache.shiro.authc.AuthenticationToken in project killbill by killbill:
class TestKillbillJdbcTenantRealm, method testAuthentication.
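@Test(groups = "slow")
public void testAuthentication() throws Exception {
    // Verifies the tenant realm: the tenant's api key / api secret pair must
    // authenticate, and altering either half of the pair must be rejected.
    // Relies on the securityManager and tenant fields set up by the class.
    final DelegatingSubject subject = new DelegatingSubject(securityManager);

    // Correct api key and secret
    final AuthenticationToken goodToken = new UsernamePasswordToken(tenant.getApiKey(), tenant.getApiSecret());
    try {
        securityManager.login(subject, goodToken);
    } catch (final AuthenticationException e) {
        Assert.fail("Login with the correct api key and secret should succeed", e);
    }

    // Correct api key, wrong secret
    final AuthenticationToken badSecretToken = new UsernamePasswordToken(tenant.getApiKey(), tenant.getApiSecret() + "T");
    assertLoginFails(subject, badSecretToken, "Login with a wrong api secret should fail");

    // Wrong api key, correct secret
    final AuthenticationToken badKeyToken = new UsernamePasswordToken(tenant.getApiKey() + "U", tenant.getApiSecret());
    assertLoginFails(subject, badKeyToken, "Login with a wrong api key should fail");
}

// Asserts that the realm rejects the token; the AuthenticationException is the expected outcome.
private void assertLoginFails(final DelegatingSubject subject, final AuthenticationToken token, final String message) {
    try {
        securityManager.login(subject, token);
        Assert.fail(message);
    } catch (final AuthenticationException ignored) {
        // expected: the credentials were rejected
    }
}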
Use of org.apache.shiro.authc.AuthenticationToken in project killbill by killbill:
class TestKillBillJdbcRealm, method testAuthorization.
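@Test(groups = "slow")
public void testAuthorization() throws SecurityApiException {
    // Verifies that permissions granted through a role definition are enforced
    // for a freshly authenticated subject, and that changing the user's roles
    // takes effect on the next login. Uses the securityApi, securityManager and
    // callContext fields of the class.
    final String username = "i like";
    final String password = "c0ff33";

    securityApi.addRoleDefinition("restricted", ImmutableList.of("account:*", "invoice", "tag:create_tag_definition"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("restricted"), callContext);

    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);
    // A null subject lets the security manager build a new one for this login
    final Subject subject = securityManager.login(null, goodToken);
    subject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    subject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    subject.checkPermission(Permission.TAG_CAN_CREATE_TAG_DEFINITION.toString());
    assertPermissionDenied(subject, Permission.TAG_CAN_DELETE_TAG_DEFINITION, "Subject should not have rights to delete tag definitions");
    subject.logout();

    // Swap the user's role: deleting tag definitions is now allowed, creating them no longer is
    securityApi.addRoleDefinition("newRestricted", ImmutableList.of("account:*", "invoice", "tag:delete_tag_definition"), callContext);
    securityApi.updateUserRoles(username, ImmutableList.of("newRestricted"), callContext);

    final Subject newSubject = securityManager.login(null, goodToken);
    newSubject.checkPermission(Permission.ACCOUNT_CAN_CHARGE.toString());
    newSubject.checkPermission(Permission.INVOICE_CAN_CREDIT.toString());
    newSubject.checkPermission(Permission.TAG_CAN_DELETE_TAG_DEFINITION.toString());
    assertPermissionDenied(newSubject, Permission.TAG_CAN_CREATE_TAG_DEFINITION, "Subject should not have rights to create tag definitions");
    // Release the second session too, mirroring the first half of the test
    newSubject.logout();
}

// Asserts that checkPermission rejects the permission; the AuthorizationException is the expected outcome.
private static void assertPermissionDenied(final Subject subject, final Permission permission, final String message) {
    try {
        subject.checkPermission(permission.toString());
        Assert.fail(message);
    } catch (final AuthorizationException ignored) {
        // expected: the subject lacks this permission
    }
}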
Use of org.apache.shiro.authc.AuthenticationToken in project killbill by killbill:
class TestKillBillJdbcRealm, method testAuthentication.
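@Test(groups = "slow")
public void testAuthentication() throws SecurityApiException {
    // Verifies the JDBC realm's credential checks: a new user can log in with
    // its password, a wrong password is rejected, a password change retires the
    // old password, and an invalidated user cannot log in with either password.
    // Uses the securityApi, securityManager and callContext fields of the class.
    final String username = "toto";
    final String password = "supperCompli43cated";
    securityApi.addRoleDefinition("root", ImmutableList.of("*"), callContext);
    securityApi.addUserRoles(username, password, ImmutableList.of("root"), callContext);

    final DelegatingSubject subject = new DelegatingSubject(securityManager);
    final AuthenticationToken goodToken = new UsernamePasswordToken(username, password);
    securityManager.login(subject, goodToken);

    // A wrong password must be rejected whether or not the subject already holds a session.
    // (The previous version wrapped both attempts in one try block, so a rejection of the
    // first attempt silently skipped the assertion on the second.)
    final AuthenticationToken badToken = new UsernamePasswordToken(username, "somethingelse");
    assertLoginFails(subject, badToken, "Should not succeed to login with an incorrect password");
    securityManager.logout(subject);
    assertLoginFails(subject, badToken, "Should not succeed to login with an incorrect password");

    // Update the password: the previous one stops working, the new one works
    final String newPassword = "suppersimple";
    securityApi.updateUserPassword(username, newPassword, callContext);
    assertLoginFails(subject, goodToken, "Should not succeed to login with the previous password");
    final AuthenticationToken newGoodToken = new UsernamePasswordToken(username, newPassword);
    securityManager.login(subject, newGoodToken);
    securityManager.logout(subject);

    // Invalidate the user: the current password must be rejected as well, not only the
    // retired one (the retired one would fail regardless of the invalidation)
    securityApi.invalidateUser(username, callContext);
    assertLoginFails(subject, goodToken, "Should not succeed to login as an invalidated user");
    assertLoginFails(subject, newGoodToken, "Should not succeed to login as an invalidated user");
}

// Asserts that the realm rejects the token; the AuthenticationException is the expected outcome.
private void assertLoginFails(final DelegatingSubject subject, final AuthenticationToken token, final String message) {
    try {
        securityManager.login(subject, token);
        Assert.fail(message);
    } catch (final AuthenticationException ignored) {
        // expected: the credentials were rejected
    }
}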
Use of org.apache.shiro.authc.AuthenticationToken in project graylog2-server by Graylog2:
class ShiroSecurityContextFilter, method createSecurityContext.
private SecurityContext createSecurityContext(String userName, String credential, boolean isSecure, String authcScheme, String host, String remoteAddr, MultivaluedMap<String, String> headers) {
    // Builds the Shiro-backed security context for one request. The token type
    // is chosen from the client-supplied credential string, so each realm behind
    // these token types has to validate its own input independently.
    final AuthenticationToken authToken = selectAuthToken(userName, credential, host, remoteAddr, headers);
    final Subject subject = new Subject.Builder(securityManager)
            .host(host)
            .sessionCreationEnabled(true)
            .buildSubject();
    return new ShiroSecurityContext(subject, authToken, isSecure, authcScheme, headers);
}

// Maps the request's user name / credential pair to the Shiro token that will be authenticated.
private static AuthenticationToken selectAuthToken(String userName, String credential, String host, String remoteAddr, MultivaluedMap<String, String> headers) {
    if ("session".equalsIgnoreCase(credential)) {
        // The literal "undefined" presumably comes from a JavaScript client with no
        // session id (confirm against the client); in that case no SessionIdToken is
        // built and the headers are inspected instead.
        if ("undefined".equalsIgnoreCase(userName)) {
            return new HttpHeadersToken(headers, host, remoteAddr);
        }
        return new SessionIdToken(userName, host);
    }
    if ("token".equalsIgnoreCase(credential)) {
        return new AccessTokenAuthToken(userName, host);
    }
    if (userName == null) {
        // No user name: hand the header environment to the realms, as plugins may carry their tokens there
        return new HttpHeadersToken(headers, host, remoteAddr);
    }
    // Otherwise the "standard" username/password combination
    return new UsernamePasswordToken(userName, credential, host);
}