Example 1 with PasswordCredential

Use of org.dcache.auth.PasswordCredential in the project dcache by dCache.

The class Ldap, method authenticate.

@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials,
        Set<Principal> identifiedPrincipals) throws AuthenticationException {
    // Pick the first username/password credential supplied by the door.
    Optional<PasswordCredential> password = findFirst(privateCredentials,
            PasswordCredential.class::isInstance).map(PasswordCredential.class::cast);
    checkAuthentication(password.isPresent(), "no login name");
    Subject subject = new Subject();
    LdapLoginModule loginModule = new LdapLoginModule();
    // Username and password are handed to the JDK LdapLoginModule through its
    // shared-state map; globalLoginOptions carries the LDAP server settings.
    Map<String, Object> loginOptions = ImmutableMap.<String, Object>builder()
            .put(USERNAME_KEY, password.get().getUsername())
            .put(PASSWORD_KEY, password.get().getPassword().toCharArray())
            .build();
    loginModule.initialize(subject, null, loginOptions, globalLoginOptions);
    try {
        loginModule.login();
        loginModule.commit();
        // Map every LDAP UserPrincipal onto a dCache UserNamePrincipal.
        subject.getPrincipals(UserPrincipal.class).stream()
                .map(Principal::getName)
                .map(UserNamePrincipal::new)
                .forEach(identifiedPrincipals::add);
        tryToLogout(loginModule);
    } catch (FailedLoginException e) {
        // Wrong credentials: abort the half-finished login and report failure.
        tryToAbortLogin(loginModule);
        throw new AuthenticationException(e.getMessage(), e);
    } catch (LoginException e) {
        // Any other LDAP problem (e.g. server unreachable) is logged as well.
        tryToAbortLogin(loginModule);
        LOGGER.warn("LDAP login failed: {}", e.getMessage());
        throw new AuthenticationException(e.getMessage(), e);
    }
}

Example 2 with PasswordCredential

Use of org.dcache.auth.PasswordCredential in the project dcache by dCache.

The class HtpasswdPlugin, method authenticate.

@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials,
        Set<Principal> identifiedPrincipals) throws AuthenticationException {
    try {
        PasswordCredential credential =
                getFirst(filter(privateCredentials, PasswordCredential.class), null);
        checkAuthentication(credential != null, "no username and password");
        String name = credential.getUsername();
        // Look up the stored md5crypt hash for this user in the htpasswd file.
        String hash = getHash(name);
        checkAuthentication(hash != null, name + " is unknown");
        checkAuthentication(MD5Crypt.verifyPassword(credential.getPassword(), hash),
                "wrong password");
        identifiedPrincipals.add(new UserNamePrincipal(name));
    } catch (IOException e) {
        // Reading the htpasswd file failed; refuse the login rather than fail open.
        throw new AuthenticationException(
                "Authentication failed due to I/O error: " + e.getMessage(), e);
    }
}

Example 3 with PasswordCredential

Use of org.dcache.auth.PasswordCredential in the project dcache by dCache.

The class KpwdPlugin, method authenticate.

/**
 * Password authentication.
 * <p>
 * Authenticates login name + password and generates a KpwdPrincipal.
 */
@SuppressWarnings("null")
@Override
public void authenticate(Set<Object> publicCredentials, Set<Object> privateCredentials,
        Set<Principal> identifiedPrincipals) throws AuthenticationException {
    PasswordCredential password =
            getFirst(filter(privateCredentials, PasswordCredential.class), null);
    checkAuthentication(password != null, "no username and password");
    String name = password.getUsername();
    UserPwdRecord entry = getAuthFile().getUserPwdRecord(name);
    checkAuthentication(entry != null, name + " is unknown");
    // Anonymous and disabled records skip the password check; disabled ones
    // are rejected below, after the principal has been recorded.
    checkAuthentication(entry.isAnonymous() || entry.isDisabled()
            || entry.passwordIsValid(String.valueOf(password.getPassword())),
            "wrong password");
    /* NOTE: We add the principal even when the account is
     * disabled (banned) and we do so without checking the password; this
     * is to allow banning during the account step.
     */
    identifiedPrincipals.add(new KpwdPrincipal(entry));
    checkAuthentication(!entry.isDisabled(), "account is disabled");
}

Example 4 with PasswordCredential

Use of org.dcache.auth.PasswordCredential in the project dcache by dCache.

The class WeakFtpDoorV1, method doRegularLogin.

private void doRegularLogin(String arg) {
    // arg is the password received from the FTP client; _user was set earlier
    // by the USER command, _origin records the client's address.
    Subject subject = new Subject();
    subject.getPrivateCredentials().add(new PasswordCredential(_user, arg));
    subject.getPrincipals().add(_origin);
    try {
        login(subject);
        reply("230 User " + _user + " logged in");
    } catch (PermissionDeniedCacheException e) {
        // Bad credentials or banned account: generic denial to the client.
        LOGGER.warn("Login denied for {}", subject);
        reply("530 Login denied");
    } catch (CacheException e) {
        // Infrastructure failure (e.g. gPlazma unreachable).
        LOGGER.error("Login failed for {}: {}", subject, e);
        reply("530 Login failed: " + e.getMessage());
    }
}

Example 5 with PasswordCredential

Use of org.dcache.auth.PasswordCredential in the project dcache by dCache.

The class AuthenticationHandler, method addAuthCredentialsToSubject.

private void addAuthCredentialsToSubject(HttpServletRequest request, Subject subject)
        throws PermissionDeniedCacheException {
    Optional<AuthInfo> optional = parseAuthenticationHeader(request);
    if (optional.isPresent()) {
        AuthInfo info = optional.get();
        switch (info.getScheme()) {
            case HttpServletRequest.BASIC_AUTH:
                if (!_isBasicAuthenticationEnabled) {
                    return;
                }
                try {
                    // Basic credentials are base64("user:password"); the user part
                    // may carry a "#role1,role2" suffix requesting specific roles.
                    byte[] bytes = Base64.getDecoder()
                            .decode(info.getData().getBytes(StandardCharsets.US_ASCII));
                    String credential = new String(bytes, StandardCharsets.UTF_8);
                    int colon = credential.indexOf(":");
                    if (colon >= 0) {
                        String user = credential.substring(0, colon);
                        int lastHash = user.lastIndexOf('#');
                        if (lastHash != -1 && lastHash < (user.length() - 1)) {
                            Splitter.on(',').trimResults().omitEmptyStrings()
                                    .split(user.substring(lastHash + 1))
                                    .forEach(r -> subject.getPrincipals().add(new DesiredRole(r)));
                            user = user.substring(0, lastHash);
                        }
                        String password = credential.substring(colon + 1);
                        subject.getPrivateCredentials().add(new PasswordCredential(user, password));
                    } else {
                        // No colon: treat the whole decoded value as a bare login name.
                        subject.getPrincipals().add(new LoginNamePrincipal(credential));
                    }
                } catch (IllegalArgumentException e) {
                    // Note: this writes the raw Authorization header value to the log.
                    LOG.warn("Authentication data in the header received is not Base64 encoded {}",
                            request.getHeader("Authorization"));
                }
                break;
            case "BEARER":
                // Refuse bearer tokens over plain HTTP unless explicitly allowed.
                if (!_acceptBearerTokenUnencrypted && !request.isSecure()) {
                    throw new PermissionDeniedCacheException("not allowed to send bearer token unencrypted");
                }
                try {
                    subject.getPrivateCredentials().add(new BearerTokenCredential(info.getData()));
                } catch (IllegalArgumentException e) {
                    // Note: this writes the raw Authorization header value to the log.
                    LOG.info("Bearer token is invalid {}", request.getHeader("Authorization"));
                }
                break;
            default:
                LOG.debug("Unknown authentication scheme {}", info.getScheme());
        }
    }
}
