use of org.eclipse.jetty.security.UserAuthentication in project jetty.project by eclipse.
Class ClientCertAuthenticator, method validateRequest(): authenticates a request from the TLS client certificate chain and maps the certificate subject to a user via the configured login service.
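@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    // Non-mandatory requests are deferred: the certificate is only examined if
    // something later asks for an authenticated user.
    if (!mandatory)
        return new DeferredAuthentication(this);
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // The chain is whatever the TLS layer attached to the request. When
    // _validateCerts is off this code trusts that layer's verification
    // entirely — presumably SslContextFactory's needClientAuth/validateCerts
    // is what gates it; confirm in the connector configuration.
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    try {
        // Need certificates.
        if (certs != null && certs.length > 0) {
            if (_validateCerts) {
                // Re-validate the presented chain against the configured trust
                // store and CRLs. Both are (re)loaded from disk on every request
                // here; cache them if this authenticator sits on a busy path.
                KeyStore trustStore = getKeyStore(_trustStorePath, _trustStoreType, _trustStoreProvider, _trustStorePassword == null ? null : _trustStorePassword.toString());
                Collection<? extends CRL> crls = loadCRL(_crlPath);
                CertificateValidator validator = new CertificateValidator(trustStore, crls);
                validator.validate(certs);
            }
            // NOTE(review): every certificate in the chain is tried as a login
            // name, not just the leaf. If the login service has an entry keyed
            // on an issuer's DN, any holder of a chain from that issuer would be
            // accepted as that entry — confirm this is intended.
            for (X509Certificate cert : certs) {
                if (cert == null)
                    continue;
                // getSubjectDN()/getIssuerDN() are deprecated in favour of the
                // X500Principal getters, but their name format is what existing
                // login-service entries are keyed on, so it is left unchanged.
                Principal principal = cert.getSubjectDN();
                if (principal == null)
                    principal = cert.getIssuerDN();
                final String username = principal == null ? "clientcert" : principal.getName();
                // The base64 signature stands in as the "credential" handed to
                // the login service; it is not a secret, so never log it.
                final char[] credential = B64Code.encode(cert.getSignature());
                UserIdentity user = login(username, credential, req);
                if (user != null) {
                    return new UserAuthentication(getAuthMethod(), user);
                }
            }
        }
        // No usable certificate: reject outright unless the response has been
        // marked deferred, in which case just report "not authenticated".
        if (!DeferredAuthentication.isDeferred(response)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        return Authentication.UNAUTHENTICATED;
    } catch (Exception e) {
        // Keep the cause: a trust-store, CRL or chain-validation failure is only
        // diagnosable from the server log if the underlying exception survives,
        // and e.getMessage() alone may even be null.
        throw new ServerAuthException(e.getMessage(), e);
    }
}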
use of org.eclipse.jetty.security.UserAuthentication in project zm-mailbox by Zimbra.
Class ZimbraAuthenticator, method validateRequest(): tries the Zimbra auth-token cookie first and falls back to the parent (basic) authenticator when no cookie validates.
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse resp, boolean mandatory) throws ServerAuthException {
    if (mandatory && req instanceof HttpServletRequest) {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        // Only consult the auth-token cookie on the configured URL pattern so
        // unrelated requests never reach the (possibly external) auth provider.
        if (PathMap.match(urlPattern, httpReq.getRequestURI())) {
            Authentication fromCookie = authenticateFromCookies(httpReq);
            if (fromCookie != null) {
                return fromCookie;
            }
        }
    }
    // Either not mandatory, not an HTTP request, outside the pattern, or no
    // cookie validated: defer to the parent authenticator.
    return super.validateRequest(req, resp, mandatory);
}

/**
 * Walks the request's cookies looking for a Zimbra auth-token cookie that
 * validates against the provisioning store.
 *
 * @return an authenticated {@link UserAuthentication} for the first cookie
 *         that validates, or {@code null} when there are no cookies, no
 *         matching cookie, or none of the matching cookies validate
 */
private Authentication authenticateFromCookies(HttpServletRequest httpReq) {
    Cookie[] cookies = httpReq.getCookies();
    if (cookies == null) {
        return null;
    }
    for (Cookie cookie : cookies) {
        if (!isAuthTokenCookie(cookie.getName())) {
            continue;
        }
        String encoded = cookie.getValue();
        try {
            AuthToken token = AuthProvider.getAuthToken(encoded);
            // Third argument is passed through unchanged from the original;
            // its meaning is not visible here — check AuthProvider.
            Account authAcct = AuthProvider.validateAuthToken(Provisioning.getInstance(), token, false);
            if (authAcct == null) {
                continue;
            }
            if (!(_loginService instanceof ZimbraLoginService)) {
                // Wrong login service wired in: warn, trip the assertion when
                // enabled, and keep scanning the remaining cookies.
                ZimbraLog.security.warn("Misconfigured? _loginService not ZimbraLoginService");
                assert (false);
                continue;
            }
            UserIdentity user = ((ZimbraLoginService) _loginService).makeUserIdentity(authAcct.getMail());
            ZimbraLog.security.debug("Auth token validated");
            return new UserAuthentication(getAuthMethod(), user);
        } catch (AuthTokenException e) {
            // Token value itself is deliberately not logged.
            ZimbraLog.security.error("Unable to authenticate due to AuthTokenException", e);
        } catch (ServiceException e) {
            ZimbraLog.security.error("Unable to authenticate due to ServiceException", e);
        }
    }
    ZimbraLog.security.debug("no valid auth token, fallback to basic");
    return null;
}

/** True when {@code name} is either the secure or the non-secure Zimbra auth-token cookie name (compared case-insensitively, as the original did). */
private static boolean isAuthTokenCookie(String name) {
    return ZimbraCookie.authTokenCookieName(true).equalsIgnoreCase(name)
            || ZimbraCookie.authTokenCookieName(false).equalsIgnoreCase(name);
}
use of org.eclipse.jetty.security.UserAuthentication in project zm-mailbox by Zimbra.
Class SpnegoAuthenticator, method authenticate(): performs the SPNEGO (Negotiate) exchange, challenging when no Authorization header is present and mapping the resulting Kerberos principal to a Zimbra account.
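/* =========================================================
 *
 * Based on org.eclipse.jetty.security.SpnegoAuthenticator
 *
 * =========================================================
 */
/**
 * Runs one leg of the SPNEGO exchange for {@code request}.
 *
 * @param realm    login service that accepts the raw Negotiate token
 * @param request  the request carrying the Authorization header
 * @param response used to send the challenge or the mutual-auth header
 * @return the Zimbra principal for the authenticated client
 * @throws ServiceException SENT_CHALLENGE when a challenge was issued, or
 *         AUTH_FAILED when the header is malformed or the login fails
 * @throws IOException if sending the challenge fails
 */
private ZimbraPrincipal authenticate(LoginService realm, Request request, HttpServletResponse response) throws ServiceException, IOException {
    String header = request.getHeader(HttpHeader.AUTHORIZATION.toString());
    /*
     * if the header is null then we need to challenge...this is after the error page check
     */
    if (header == null) {
        sendChallenge(realm, request, response);
        throw SSOAuthenticatorServiceException.SENT_CHALLENGE();
    }
    String scheme = HttpHeader.NEGOTIATE.toString();
    // Scheme match is exact-case, as upstream Jetty does; RFC 7235 treats the
    // scheme as case-insensitive, so a lower-case "negotiate" is rejected here.
    if (!header.startsWith(scheme)) {
        /*
         * the header was not null, but we didn't get a negotiate so process error logic
         */
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
    }
    // Previously the token was taken as header.substring(10) unconditionally:
    // a bare "Negotiate" header threw StringIndexOutOfBoundsException out of
    // the authenticator, and "NegotiateXYZ" was silently mis-parsed. Require
    // the scheme to be followed by whitespace and a non-empty token instead.
    String token = extractNegotiateToken(header, scheme);
    if (token == null) {
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: empty or malformed Negotiate token", (Throwable) null);
    }
    UserIdentity identity = realm.login(null, token, request);
    if (identity == null) {
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: unable to login", (Throwable) null);
    }
    Principal user = identity.getUserPrincipal();
    if (user == null) {
        /*
         * no user was returned from the authentication which means something failed
         * so process error logic
         */
        ZimbraLog.account.debug("SpengoAuthenticator: no user found, authentication failed");
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: no user found, authentication failed", (Throwable) null);
    }
    if (!(user instanceof SpnegoUserPrincipal)) {
        // The realm handed back a principal of another type; fail the login
        // rather than letting the cast below escape as a ClassCastException.
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: unexpected principal type " + user.getClass().getName(), (Throwable) null);
    }
    SpnegoUserPrincipal spnegoUser = (SpnegoUserPrincipal) user;
    ZimbraLog.account.debug("SpengoAuthenticator: obtained principal: " + user.getName());
    Account acct = getAccountByPrincipal(user);
    ZimbraPrincipal zimbraPrincipal = new ZimbraPrincipal(user.getName(), acct);
    String clientName = spnegoUser.getName();
    // The role is the Kerberos realm after '@'. With no '@', indexOf() yields
    // -1 and the whole name becomes the role — kept as upstream behaves, but
    // anything mapping roles to privileges should be aware of it.
    String role = clientName.substring(clientName.indexOf('@') + 1);
    SpnegoUserIdentity spnegoUserIdentity = new SpnegoUserIdentity(identity.getSubject(), zimbraPrincipal, Arrays.asList(role));
    Authentication authentication = new UserAuthentication(getAuthType(), spnegoUserIdentity);
    request.setAuthentication(authentication);
    // Mutual-authentication leg: return the principal's token to the client
    // (presumably the GSS response token — confirm against SpnegoUserPrincipal).
    response.addHeader(HttpHeader.WWW_AUTHENTICATE.toString(), scheme + " " + spnegoUser.getToken());
    return zimbraPrincipal;
}

/**
 * Extracts the token that follows the Negotiate scheme in an Authorization
 * header value.
 *
 * @param header full header value, already known to start with {@code scheme}
 * @param scheme the Negotiate scheme string
 * @return the trimmed token, or {@code null} when the scheme is not followed
 *         by whitespace or the token is empty
 */
private static String extractNegotiateToken(String header, String scheme) {
    if (header.length() <= scheme.length()) {
        return null;
    }
    if (!Character.isWhitespace(header.charAt(scheme.length()))) {
        return null;
    }
    String token = header.substring(scheme.length()).trim();
    return token.isEmpty() ? null : token;
}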