
Example 1 with DeferredAuthentication

Use of org.eclipse.jetty.security.authentication.DeferredAuthentication in project hive by apache.

From class PamAuthenticator, method validateRequest.

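/**
 * Authenticates a request from the HTTP Basic credentials in its {@code Authorization} header.
 *
 * <p>When authentication is not mandatory the decision is deferred. Otherwise the header is
 * parsed as {@code Basic <base64(user:password)>}; a successful {@link #login} yields a
 * {@code UserAuthentication}, and in every other case a {@code 401} challenge is written to the
 * response (or {@code UNAUTHENTICATED} is returned when the response is a deferred one).
 *
 * @param req       the servlet request; must be an {@code HttpServletRequest}
 * @param res       the servlet response; must be an {@code HttpServletResponse}
 * @param mandatory whether the matched constraint requires authentication for this request
 * @return the resulting {@code Authentication} state (deferred, user, unauthenticated or send-continue)
 * @throws ServerAuthException if writing the challenge to the response fails
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());
    try {
        if (!mandatory)
            return new DeferredAuthentication(this);
        String userPass = decodeBasicCredentials(credentials);
        if (userPass != null) {
            // Split on the first ':' only, so a password containing ':' survives intact.
            int i = userPass.indexOf(':');
            // i > 0 also rejects an empty user name.
            if (i > 0) {
                String username = userPass.substring(0, i);
                String password = userPass.substring(i + 1);
                UserIdentity user = login(username, password);
                if (user != null) {
                    return new UserAuthentication(getAuthMethod(), user);
                }
            }
        }
        // No usable credentials: either stay quiet (deferred response) or issue the challenge.
        if (DeferredAuthentication.isDeferred(response))
            return Authentication.UNAUTHENTICATED;
        response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "basic realm=\"" + _loginService.getName() + '"');
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return Authentication.SEND_CONTINUE;
    } catch (IOException e) {
        throw new ServerAuthException(e);
    }
}

/**
 * Extracts and decodes the {@code user:password} payload of a Basic {@code Authorization} header.
 *
 * @param credentials the raw header value, or {@code null} when the header is absent
 * @return the decoded payload, or {@code null} when the header is missing, does not carry the
 *         Basic scheme, or its payload is not valid base64
 */
private static String decodeBasicCredentials(String credentials) {
    if (credentials == null)
        return null;
    int space = credentials.indexOf(' ');
    if (space <= 0)
        return null;
    // The scheme token is compared case-insensitively.
    if (!"basic".equalsIgnoreCase(credentials.substring(0, space)))
        return null;
    try {
        return B64Code.decode(credentials.substring(space + 1), StandardCharsets.ISO_8859_1);
    } catch (IllegalArgumentException malformed) {
        // Malformed base64 is treated like absent credentials so the caller re-issues the
        // challenge instead of letting the runtime exception escape as a server error.
        return null;
    }
}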

Example 2 with DeferredAuthentication

Use of org.eclipse.jetty.security.authentication.DeferredAuthentication in project jetty.project by eclipse.

From class JaspiAuthenticator, method validateRequest.

/**
 * Runs the JASPI authentication for this request and maps its outcome to a Jetty
 * {@code Authentication}.
 *
 * <p>The message info is stored on the request under
 * {@code org.eclipse.jetty.security.jaspi.info} before the delegate is invoked. When lazy
 * authentication is enabled, the constraint does not make authentication mandatory and the
 * delegate answers {@code UNAUTHENTICATED}, the decision is turned into a
 * {@code DeferredAuthentication} so the application can authenticate on demand.
 *
 * @param request   the servlet request
 * @param response  the servlet response
 * @param mandatory whether the matched constraint requires authentication
 * @return the delegate's result, or a deferred authentication in the lazy case described above
 * @throws ServerAuthException propagated from the delegate
 */
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
    final JaspiMessageInfo messageInfo = new JaspiMessageInfo(request, response, mandatory);
    request.setAttribute("org.eclipse.jetty.security.jaspi.info", messageInfo);
    final Authentication result = validateRequest(messageInfo);
    final boolean deferrable = _allowLazyAuthentication && !messageInfo.isAuthMandatory();
    if (deferrable && result == Authentication.UNAUTHENTICATED) {
        return new DeferredAuthentication(this);
    }
    return result;
}

Example 3 with DeferredAuthentication

Use of org.eclipse.jetty.security.authentication.DeferredAuthentication in project jetty.project by eclipse.

From class SecurityHandler, method handle.

/* ------------------------------------------------------------ */
/**
 * Applies this handler's security constraints to the request and, when they are
 * satisfied, delegates to the wrapped handler.
 *
 * <p>Checks run in this order: data constraints, whether authentication is mandatory,
 * then the authenticator's {@code validateRequest}. The returned {@code Authentication}
 * subtype decides what happens next: a response already sent marks the request handled;
 * a {@code User} is authorized against the role constraint (when mandatory) before the
 * handler runs; a {@code Deferred} result lets the handler trigger authentication itself;
 * anything else is passed through with no identity associated.
 *
 * @param pathInContext the request path relative to the context, used to look up constraints
 * @param baseRequest   the Jetty request carrying handled/authentication state
 * @param request       the servlet request handed to the wrapped handler (replaced when the
 *                      authenticator returns a wrapped one)
 * @param response      the servlet response handed to the wrapped handler (same caveat)
 * @throws IOException      if writing an error response fails
 * @throws ServletException propagated from the wrapped handler
 * @see org.eclipse.jetty.server.Handler#handle(java.lang.String,
 *      javax.servlet.http.HttpServletRequest,
 *      javax.servlet.http.HttpServletResponse, int)
 */
@Override
public void handle(String pathInContext, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    final Response base_response = baseRequest.getResponse();
    final Handler handler = getHandler();
    // Nothing to protect without a wrapped handler.
    if (handler == null)
        return;
    // Read the field once so every step below uses the same authenticator instance.
    final Authenticator authenticator = _authenticator;
    if (checkSecurity(baseRequest)) {
        //See Servlet Spec 3.1 sec 13.6.3
        if (authenticator != null)
            authenticator.prepareRequest(baseRequest);
        RoleInfo roleInfo = prepareConstraintInfo(pathInContext, baseRequest);
        // Check data constraints; fail closed with 403 unless something already produced a response.
        if (!checkUserDataPermissions(pathInContext, baseRequest, base_response, roleInfo)) {
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // is Auth mandatory?
        boolean isAuthMandatory = isAuthMandatory(baseRequest, base_response, roleInfo);
        // A constraint demands authentication but nothing can perform it: refuse rather
        // than fall through unauthenticated.
        if (isAuthMandatory && authenticator == null) {
            LOG.warn("No authenticator for: " + roleInfo);
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // check authentication
        // Whatever associate() returns is handed back to disassociate() in the finally
        // block; null means there is nothing to hand back.
        Object previousIdentity = null;
        try {
            Authentication authentication = baseRequest.getAuthentication();
            // Only ask the authenticator when nothing earlier in the chain has decided.
            if (authentication == null || authentication == Authentication.NOT_CHECKED)
                authentication = authenticator == null ? Authentication.UNAUTHENTICATED : authenticator.validateRequest(request, response, isAuthMandatory);
            // The authenticator may substitute wrapped request/response objects; use them from here on.
            if (authentication instanceof Authentication.Wrapped) {
                request = ((Authentication.Wrapped) authentication).getHttpServletRequest();
                response = ((Authentication.Wrapped) authentication).getHttpServletResponse();
            }
            if (authentication instanceof Authentication.ResponseSent) {
                // The authenticator already produced the response; do not run the handler.
                baseRequest.setHandled(true);
            } else if (authentication instanceof Authentication.User) {
                Authentication.User userAuth = (Authentication.User) authentication;
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(userAuth.getUserIdentity());
                // The role check only applies when the constraint made authentication mandatory.
                if (isAuthMandatory) {
                    boolean authorized = checkWebResourcePermissions(pathInContext, baseRequest, base_response, roleInfo, userAuth.getUserIdentity());
                    if (!authorized) {
                        response.sendError(HttpServletResponse.SC_FORBIDDEN, "!role");
                        baseRequest.setHandled(true);
                        return;
                    }
                }
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
            } else if (authentication instanceof Authentication.Deferred) {
                DeferredAuthentication deferred = (DeferredAuthentication) authentication;
                baseRequest.setAuthentication(authentication);
                try {
                    handler.handle(pathInContext, baseRequest, request, response);
                } finally {
                    // Any association made lazily through the deferred object during handle() is
                    // presumably recorded there; read it even if handle() threw so the outer
                    // finally can undo it.
                    previousIdentity = deferred.getPreviousAssociation();
                }
                if (authenticator != null) {
                    // Secure the response with whichever user (if any) the deferred path resolved.
                    Authentication auth = baseRequest.getAuthentication();
                    if (auth instanceof Authentication.User) {
                        Authentication.User userAuth = (Authentication.User) auth;
                        authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
                    } else
                        authenticator.secureResponse(request, response, isAuthMandatory, null);
                }
            } else {
                // Remaining outcomes (e.g. UNAUTHENTICATED): make sure no identity is associated.
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(null);
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, null);
            }
        } catch (ServerAuthException e) {
            // jaspi 3.8.3 send HTTP 500 internal server error, with message
            // from AuthException
            // NOTE(review): e.getMessage() is echoed to the client; confirm authenticators
            // never place internal detail in that message.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        } finally {
            if (_identityService != null)
                _identityService.disassociate(previousIdentity);
        }
    } else
        // No constraint applies to this request: plain pass-through.
        handler.handle(pathInContext, baseRequest, request, response);
}

Example 4 with DeferredAuthentication

Use of org.eclipse.jetty.security.authentication.DeferredAuthentication in project blade by biezhi.

From class SecurityHandler, method handle.

/* ------------------------------------------------------------ */
/**
 * Applies this handler's security constraints to the request and, when they are
 * satisfied, delegates to the wrapped handler.
 *
 * <p>Checks run in this order: data constraints, whether authentication is mandatory,
 * then the authenticator's {@code validateRequest}. The returned {@code Authentication}
 * subtype decides what happens next: a response already sent marks the request handled;
 * a {@code User} is authorized against the role constraint (when mandatory) before the
 * handler runs; a {@code Deferred} result lets the handler trigger authentication itself;
 * anything else is passed through with no identity associated.
 *
 * @param pathInContext the request path relative to the context, used to look up constraints
 * @param baseRequest   the Jetty request carrying handled/authentication state
 * @param request       the servlet request handed to the wrapped handler (replaced when the
 *                      authenticator returns a wrapped one)
 * @param response      the servlet response handed to the wrapped handler (same caveat)
 * @throws IOException      if writing an error response fails
 * @throws ServletException propagated from the wrapped handler
 * @see org.eclipse.jetty.server.Handler#handle(java.lang.String,
 *      javax.servlet.http.HttpServletRequest,
 *      javax.servlet.http.HttpServletResponse, int)
 */
@Override
public void handle(String pathInContext, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    final Response base_response = baseRequest.getResponse();
    final Handler handler = getHandler();
    // Nothing to protect without a wrapped handler.
    if (handler == null)
        return;
    // Read the field once so every step below uses the same authenticator instance.
    final Authenticator authenticator = _authenticator;
    if (checkSecurity(baseRequest)) {
        //See Servlet Spec 3.1 sec 13.6.3
        if (authenticator != null)
            authenticator.prepareRequest(baseRequest);
        RoleInfo roleInfo = prepareConstraintInfo(pathInContext, baseRequest);
        // Check data constraints; fail closed with 403 unless something already produced a response.
        if (!checkUserDataPermissions(pathInContext, baseRequest, base_response, roleInfo)) {
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // is Auth mandatory?
        boolean isAuthMandatory = isAuthMandatory(baseRequest, base_response, roleInfo);
        // A constraint demands authentication but nothing can perform it: refuse rather
        // than fall through unauthenticated.
        if (isAuthMandatory && authenticator == null) {
            LOG.warn("No authenticator for: " + roleInfo);
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // check authentication
        // Whatever associate() returns is handed back to disassociate() in the finally
        // block; null means there is nothing to hand back.
        Object previousIdentity = null;
        try {
            Authentication authentication = baseRequest.getAuthentication();
            // Only ask the authenticator when nothing earlier in the chain has decided.
            if (authentication == null || authentication == Authentication.NOT_CHECKED)
                authentication = authenticator == null ? Authentication.UNAUTHENTICATED : authenticator.validateRequest(request, response, isAuthMandatory);
            // The authenticator may substitute wrapped request/response objects; use them from here on.
            if (authentication instanceof Authentication.Wrapped) {
                request = ((Authentication.Wrapped) authentication).getHttpServletRequest();
                response = ((Authentication.Wrapped) authentication).getHttpServletResponse();
            }
            if (authentication instanceof Authentication.ResponseSent) {
                // The authenticator already produced the response; do not run the handler.
                baseRequest.setHandled(true);
            } else if (authentication instanceof Authentication.User) {
                Authentication.User userAuth = (Authentication.User) authentication;
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(userAuth.getUserIdentity());
                // The role check only applies when the constraint made authentication mandatory.
                if (isAuthMandatory) {
                    boolean authorized = checkWebResourcePermissions(pathInContext, baseRequest, base_response, roleInfo, userAuth.getUserIdentity());
                    if (!authorized) {
                        response.sendError(HttpServletResponse.SC_FORBIDDEN, "!role");
                        baseRequest.setHandled(true);
                        return;
                    }
                }
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
            } else if (authentication instanceof Authentication.Deferred) {
                DeferredAuthentication deferred = (DeferredAuthentication) authentication;
                baseRequest.setAuthentication(authentication);
                try {
                    handler.handle(pathInContext, baseRequest, request, response);
                } finally {
                    // Any association made lazily through the deferred object during handle() is
                    // presumably recorded there; read it even if handle() threw so the outer
                    // finally can undo it.
                    previousIdentity = deferred.getPreviousAssociation();
                }
                if (authenticator != null) {
                    // Secure the response with whichever user (if any) the deferred path resolved.
                    Authentication auth = baseRequest.getAuthentication();
                    if (auth instanceof Authentication.User) {
                        Authentication.User userAuth = (Authentication.User) auth;
                        authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
                    } else
                        authenticator.secureResponse(request, response, isAuthMandatory, null);
                }
            } else {
                // Remaining outcomes (e.g. UNAUTHENTICATED): make sure no identity is associated.
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(null);
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, null);
            }
        } catch (ServerAuthException e) {
            // jaspi 3.8.3 send HTTP 500 internal server error, with message
            // from AuthException
            // NOTE(review): e.getMessage() is echoed to the client; confirm authenticators
            // never place internal detail in that message.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        } finally {
            if (_identityService != null)
                _identityService.disassociate(previousIdentity);
        }
    } else
        // No constraint applies to this request: plain pass-through.
        handler.handle(pathInContext, baseRequest, request, response);
}

Example 5 with DeferredAuthentication

Use of org.eclipse.jetty.security.authentication.DeferredAuthentication in project drill by axbaretto.

From class DrillSpnegoAuthenticator, method authenticateSession.

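/**
 * Authenticates a user session from the SPNEGO token carried in the request's
 * {@code Authorization} header.
 *
 * <p>Flow: when authentication is not mandatory the decision is deferred; when the header is
 * absent a {@code 401} with {@code WWW-Authenticate: Negotiate} is sent (unless the response
 * is a deferred one); otherwise the token is handed to {@link #login} and, on success, the
 * client is redirected to the post-login URI and a {@code UserAuthentication} is returned.
 * Every other case yields {@code UNAUTHENTICATED}.
 *
 * @param request   the servlet request; must be an {@code HttpServletRequest}
 * @param response  the servlet response; must be an {@code HttpServletResponse}
 * @param mandatory whether the matched constraint requires authentication for this request
 * @return the resulting {@code Authentication} (deferred, send-continue, user or unauthenticated)
 * @throws ServerAuthException if writing the challenge or the redirect fails
 */
private Authentication authenticateSession(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
    final HttpServletRequest req = (HttpServletRequest) request;
    final HttpServletResponse res = (HttpServletResponse) response;
    // Created (if absent) before the mandatory check, so every request reaching here gets a session.
    final HttpSession session = req.getSession(true);
    // Defer the authentication if not mandatory.
    if (!mandatory) {
        return new DeferredAuthentication(this);
    }
    // Authentication is mandatory, get the Authorization header
    final String header = req.getHeader(HttpHeader.AUTHORIZATION.asString());
    // Authorization header is null, so send the 401 error code to client along with negotiate header
    if (header == null) {
        return sendNegotiateChallenge(req, res);
    }
    // Valid Authorization header received. Get the SPNEGO token sent by client and try to authenticate
    logger.debug("DrillSpnegoAuthenticator: Received NEGOTIATE Response back from client {}", req.getRemoteAddr());
    final String spnegoToken = extractNegotiateToken(header);
    if (spnegoToken != null) {
        final UserIdentity user = this.login(null, spnegoToken, request);
        // redirect the request to the desired page after successful login
        if (user != null) {
            final String newUri = resolvePostLoginUri(session, req);
            response.setContentLength(0);
            final HttpChannel channel = HttpChannel.getCurrentHttpChannel();
            final Response base_response = channel.getResponse();
            final Request base_request = channel.getRequest();
            // Pre-HTTP/1.1 clients get 302; later versions get 303 (See Other).
            final int redirectCode = base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? 302 : 303;
            try {
                base_response.sendRedirect(redirectCode, res.encodeRedirectURL(newUri));
            } catch (IOException e) {
                logger.error("DrillSpnegoAuthenticator: Failed while using the redirect URL {} from client {}", newUri, req.getRemoteAddr(), e);
                throw new ServerAuthException(e);
            }
            logger.debug("DrillSpnegoAuthenticator: Successfully authenticated this client session: {}", user.getUserPrincipal().getName());
            return new UserAuthentication(this.getAuthMethod(), user);
        }
    }
    logger.debug("DrillSpnegoAuthenticator: Authentication failed for client session: {}", req.getRemoteAddr());
    return Authentication.UNAUTHENTICATED;
}

/**
 * Writes the {@code 401} Negotiate challenge, unless the response is a deferred one, in which
 * case nothing is written and {@code UNAUTHENTICATED} is returned.
 *
 * @param req the request, used only for logging the remote address
 * @param res the response to challenge on
 * @return {@code SEND_CONTINUE} after a challenge, {@code UNAUTHENTICATED} for a deferred response
 * @throws ServerAuthException if sending the error response fails
 */
private Authentication sendNegotiateChallenge(HttpServletRequest req, HttpServletResponse res) throws ServerAuthException {
    try {
        if (DeferredAuthentication.isDeferred(res)) {
            return Authentication.UNAUTHENTICATED;
        }
        res.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
        res.sendError(401);
        logger.debug("DrillSpnegoAuthenticator: Sending challenge to client {}", req.getRemoteAddr());
        return Authentication.SEND_CONTINUE;
    } catch (IOException e) {
        logger.error("DrillSpnegoAuthenticator: Failed while sending challenge to client {}", req.getRemoteAddr(), e);
        throw new ServerAuthException(e);
    }
}

/**
 * Extracts the token from a {@code Negotiate <token>} header value.
 *
 * <p>A bare {@code "Negotiate"} with nothing after it previously made {@code substring()}
 * throw on the request thread; it is now an ordinary authentication failure.
 *
 * @param header the raw, non-null {@code Authorization} header value
 * @return the token, or {@code null} when the scheme is not Negotiate, the single-space
 *         separator is missing, or the token is empty
 */
private static String extractNegotiateToken(String header) {
    final String scheme = HttpHeader.NEGOTIATE.asString();
    final int tokenStart = scheme.length() + 1;
    if (header.length() <= tokenStart || !header.startsWith(scheme) || header.charAt(scheme.length()) != ' ') {
        return null;
    }
    return header.substring(tokenStart);
}

/**
 * Chooses where to send the client after a successful login: the URI stored in the session
 * under the form-login attribute, else the context path, else the web server root.
 *
 * @param session the current session
 * @param req     the request, for its context path
 * @return a non-empty redirect target
 */
private static String resolvePostLoginUri(HttpSession session, HttpServletRequest req) {
    // NOTE(review): this attribute is assumed to be written only server-side (form-login flow),
    // never from client input — confirm, since its value becomes a redirect target.
    String newUri = (String) session.getAttribute("org.eclipse.jetty.security.form_URI");
    if (Strings.isNullOrEmpty(newUri)) {
        newUri = req.getContextPath();
        if (Strings.isNullOrEmpty(newUri)) {
            newUri = WebServerConstants.WEBSERVER_ROOT_PATH;
        }
    }
    return newUri;
}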
