Example 11 with UserAuthentication

Use of org.eclipse.jetty.security.UserAuthentication in project jetty.project by eclipse.

From the class ClientCertAuthenticator, method validateRequest.

@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (!mandatory)
        return new DeferredAuthentication(this);
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // Client certificate chain exposed by the TLS connector; null when the client presented no certificate.
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    try {
        // Need certificates.
        if (certs != null && certs.length > 0) {
            // Optionally check the chain against the configured trust store and CRLs before deriving an identity.
            if (_validateCerts) {
                KeyStore trustStore = getKeyStore(_trustStorePath, _trustStoreType, _trustStoreProvider, _trustStorePassword == null ? null : _trustStorePassword.toString());
                Collection<? extends CRL> crls = loadCRL(_crlPath);
                CertificateValidator validator = new CertificateValidator(trustStore, crls);
                validator.validate(certs);
            }
            for (X509Certificate cert : certs) {
                if (cert == null)
                    continue;
                // The username handed to the LoginService is the subject DN (issuer DN as fallback).
                Principal principal = cert.getSubjectDN();
                if (principal == null)
                    principal = cert.getIssuerDN();
                final String username = principal == null ? "clientcert" : principal.getName();
                // The credential is the Base64-encoded certificate signature; the LoginService decides whether it is acceptable.
                final char[] credential = B64Code.encode(cert.getSignature());
                UserIdentity user = login(username, credential, req);
                if (user != null) {
                    return new UserAuthentication(getAuthMethod(), user);
                }
            }
        }
        if (!DeferredAuthentication.isDeferred(response)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        return Authentication.UNAUTHENTICATED;
    } catch (Exception e) {
        throw new ServerAuthException(e.getMessage());
    }
}
Also used: CertificateValidator(org.eclipse.jetty.util.security.CertificateValidator) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) HttpServletRequest(javax.servlet.http.HttpServletRequest) Principal(java.security.Principal)

Example 12 with UserAuthentication

Use of org.eclipse.jetty.security.UserAuthentication in project zm-mailbox by Zimbra.

From the class ZimbraAuthenticator, method validateRequest.

@Override
public Authentication validateRequest(ServletRequest req, ServletResponse resp, boolean mandatory) throws ServerAuthException {
    if (mandatory && req instanceof HttpServletRequest) {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        // Only inspect cookies for URIs matching the configured pattern; otherwise fall through
        // rather than potentially flooding the auth provider (which may be external).
        if (PathMap.match(urlPattern, httpReq.getRequestURI())) {
            Cookie[] cookies = httpReq.getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (ZimbraCookie.authTokenCookieName(true).equalsIgnoreCase(cookie.getName()) || ZimbraCookie.authTokenCookieName(false).equalsIgnoreCase(cookie.getName())) {
                        String encoded = cookie.getValue();
                        AuthToken token;
                        try {
                            token = AuthProvider.getAuthToken(encoded);
                            Account authAcct = AuthProvider.validateAuthToken(Provisioning.getInstance(), token, false);
                            if (authAcct != null) {
                                if (_loginService instanceof ZimbraLoginService) {
                                    UserIdentity user = ((ZimbraLoginService) _loginService).makeUserIdentity(authAcct.getMail());
                                    ZimbraLog.security.debug("Auth token validated");
                                    return new UserAuthentication(getAuthMethod(), user);
                                } else {
                                    ZimbraLog.security.warn("Misconfigured? _loginService not ZimbraLoginService");
                                    assert (false);
                                }
                            }
                        } catch (AuthTokenException e) {
                            ZimbraLog.security.error("Unable to authenticate due to AuthTokenException", e);
                        } catch (ServiceException e) {
                            ZimbraLog.security.error("Unable to authenticate due to ServiceException", e);
                        }
                    }
                }
                ZimbraLog.security.debug("no valid auth token, fallback to basic");
            }
        }
    }
    return super.validateRequest(req, resp, mandatory);
}
Also used: HttpServletRequest(javax.servlet.http.HttpServletRequest) ZimbraCookie(com.zimbra.common.util.ZimbraCookie) Cookie(javax.servlet.http.Cookie) Account(com.zimbra.cs.account.Account) ServiceException(com.zimbra.common.service.ServiceException) UserIdentity(org.eclipse.jetty.server.UserIdentity) AuthTokenException(com.zimbra.cs.account.AuthTokenException) AuthToken(com.zimbra.cs.account.AuthToken) UserAuthentication(org.eclipse.jetty.security.UserAuthentication)

Example 13 with UserAuthentication

Use of org.eclipse.jetty.security.UserAuthentication in project zm-mailbox by Zimbra.

From the class SpnegoAuthenticator, method authenticate.

/* =========================================================
 *
 * Based on org.eclipse.jetty.security.SpnegoAuthenticator
 *
 * =========================================================
 */
private ZimbraPrincipal authenticate(LoginService realm, Request request, HttpServletResponse response) throws ServiceException, IOException {
    Principal user = null;
    String header = request.getHeader(HttpHeader.AUTHORIZATION.toString());
    /*
     * if the header is null then we need to challenge...this is after the error page check
     */
    if (header == null) {
        sendChallenge(realm, request, response);
        throw SSOAuthenticatorServiceException.SENT_CHALLENGE();
    } else if (header != null && header.startsWith(HttpHeader.NEGOTIATE.toString())) {
        /*
         * we have gotten a negotiate header to try and authenticate
         */
        // skip over "Negotiate "
        String token = header.substring(10);
        UserIdentity identity = realm.login(null, token, request);
        if (identity == null) {
            throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: unable to login", (Throwable) null);
        }
        user = identity.getUserPrincipal();
        if (user != null) {
            ZimbraLog.account.debug("SpengoAuthenticator: obtained principal: " + user.getName());
            Account acct = getAccountByPrincipal(user);
            ZimbraPrincipal zimbraPrincipal = new ZimbraPrincipal(user.getName(), acct);
            String clientName = ((SpnegoUserPrincipal) user).getName();
            String role = clientName.substring(clientName.indexOf('@') + 1);
            SpnegoUserIdentity spnegoUserIdentity = new SpnegoUserIdentity(identity.getSubject(), zimbraPrincipal, Arrays.asList(role));
            Authentication authentication = new UserAuthentication(getAuthType(), spnegoUserIdentity);
            request.setAuthentication(authentication);
            response.addHeader(HttpHeader.WWW_AUTHENTICATE.toString(), HttpHeader.NEGOTIATE.toString() + " " + ((SpnegoUserPrincipal) user).getToken());
            return zimbraPrincipal;
        } else {
            /*
             * no user was returned from the authentication which means something failed
             * so process error logic
             */
            ZimbraLog.account.debug("SpengoAuthenticator: no user found, authentication failed");
            throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: no user found, authentication failed", (Throwable) null);
        }
    } else {
        /*
         * the header was not null, but we didn't get a negotiate so process error logic
         */
        throw AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
    }
}
Also used: SpnegoUserIdentity(org.eclipse.jetty.security.SpnegoUserIdentity) GuestAccount(com.zimbra.cs.account.GuestAccount) Account(com.zimbra.cs.account.Account) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) UserIdentity(org.eclipse.jetty.server.UserIdentity) Krb5Principal(com.zimbra.cs.account.krb5.Krb5Principal) SpnegoUserPrincipal(org.eclipse.jetty.security.SpnegoUserPrincipal) Principal(java.security.Principal)
