Search in sources :

Example 1 with SessionAuthentication

use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.

the class JaspiAuthenticator method login.

/** 
     * @see org.eclipse.jetty.security.authentication.LoginAuthenticator#login(java.lang.String, java.lang.Object, javax.servlet.ServletRequest)
     */
@Override
public UserIdentity login(String username, Object password, ServletRequest request) {
    UserIdentity user = _loginService.login(username, password, request);
    if (user != null) {
        renewSession((HttpServletRequest) request, null);
        HttpSession session = ((HttpServletRequest) request).getSession(true);
        if (session != null) {
            SessionAuthentication sessionAuth = new SessionAuthentication(getAuthMethod(), user, password);
            session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
        }
    }
    return user;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)

Example 2 with SessionAuthentication

use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.

the class JaspiAuthenticator method validateRequest.

public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException {
    try {
        String authContextId = _authConfig.getAuthContextID(messageInfo);
        ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
        Subject clientSubject = new Subject();
        AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);
        if (authStatus == AuthStatus.SEND_CONTINUE)
            return Authentication.SEND_CONTINUE;
        if (authStatus == AuthStatus.SEND_FAILURE)
            return Authentication.SEND_FAILURE;
        if (authStatus == AuthStatus.SUCCESS) {
            Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
            UserIdentity userIdentity;
            if (ids.size() > 0) {
                userIdentity = ids.iterator().next();
            } else {
                CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
                if (principalCallback == null) {
                    return Authentication.UNAUTHENTICATED;
                }
                Principal principal = principalCallback.getPrincipal();
                if (principal == null) {
                    String principalName = principalCallback.getName();
                    Set<Principal> principals = principalCallback.getSubject().getPrincipals();
                    for (Principal p : principals) {
                        if (p.getName().equals(principalName)) {
                            principal = p;
                            break;
                        }
                    }
                    if (principal == null) {
                        return Authentication.UNAUTHENTICATED;
                    }
                }
                GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
                String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
                userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
            }
            HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
            Authentication cached = (session == null ? null : (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED));
            if (cached != null)
                return cached;
            return new UserAuthentication(getAuthMethod(), userIdentity);
        }
        if (authStatus == AuthStatus.SEND_SUCCESS) {
            // we are processing a message in a secureResponse dialog.
            return Authentication.SEND_SUCCESS;
        }
        if (authStatus == AuthStatus.FAILURE) {
            HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        // should not happen
        throw new IllegalStateException("No AuthStatus returned");
    } catch (IOException | AuthException e) {
        throw new ServerAuthException(e);
    }
}
Also used : HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Subject(javax.security.auth.Subject) ServerAuthContext(javax.security.auth.message.config.ServerAuthContext) HttpServletRequest(javax.servlet.http.HttpServletRequest) CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback) GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback) AuthStatus(javax.security.auth.message.AuthStatus) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) Principal(java.security.Principal)

Example 3 with SessionAuthentication

use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.

the class FormAuthModule method validateRequest.

@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
    String uri = request.getRequestURI();
    if (uri == null)
        uri = URIUtil.SLASH;
    boolean mandatory = isMandatory(messageInfo);
    mandatory |= isJSecurityCheck(uri);
    HttpSession session = request.getSession(mandatory);
    // not mandatory or its the login or login error page don't authenticate
    if (!mandatory || isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(), request.getPathInfo())))
        // TODO return null for do nothing?
        return AuthStatus.SUCCESS;
    try {
        // Handle a request for authentication.
        if (isJSecurityCheck(uri)) {
            final String username = request.getParameter(__J_USERNAME);
            final String password = request.getParameter(__J_PASSWORD);
            boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
            if (success) {
                // Redirect to original request                    
                String nuri = null;
                synchronized (session) {
                    nuri = (String) session.getAttribute(__J_URI);
                }
                if (nuri == null || nuri.length() == 0) {
                    nuri = request.getContextPath();
                    if (nuri.length() == 0)
                        nuri = URIUtil.SLASH;
                }
                response.setContentLength(0);
                response.sendRedirect(response.encodeRedirectURL(nuri));
                return AuthStatus.SEND_CONTINUE;
            }
            // not authenticated
            if (LOG.isDebugEnabled())
                LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
            if (_formErrorPage == null) {
                if (response != null)
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } else {
                response.setContentLength(0);
                response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formErrorPage)));
            }
            // that occur?
            return AuthStatus.SEND_FAILURE;
        }
        // Check if the session is already authenticated.
        SessionAuthentication sessionAuth = (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
        if (sessionAuth != null) {
            //to FormAuthModule
            if (sessionAuth.getUserIdentity().getSubject() == null)
                return AuthStatus.SEND_FAILURE;
            Set<Object> credentials = sessionAuth.getUserIdentity().getSubject().getPrivateCredentials();
            if (credentials == null || credentials.isEmpty())
                //if no private credentials, assume it cannot be authenticated
                return AuthStatus.SEND_FAILURE;
            clientSubject.getPrivateCredentials().addAll(credentials);
            clientSubject.getPrivateCredentials().add(sessionAuth.getUserIdentity());
            return AuthStatus.SUCCESS;
        }
        // if we can't send challenge
        if (DeferredAuthentication.isDeferred(response))
            return AuthStatus.SUCCESS;
        // redirect to login page  
        StringBuffer buf = request.getRequestURL();
        if (request.getQueryString() != null)
            buf.append("?").append(request.getQueryString());
        synchronized (session) {
            session.setAttribute(__J_URI, buf.toString());
        }
        response.setContentLength(0);
        response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
        return AuthStatus.SEND_CONTINUE;
    } catch (IOException e) {
        throw new AuthException(e.getMessage());
    } catch (UnsupportedCallbackException e) {
        throw new AuthException(e.getMessage());
    }
}
Also used : HttpSession(javax.servlet.http.HttpSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthException(javax.security.auth.message.AuthException) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) Password(org.eclipse.jetty.util.security.Password)

Example 4 with SessionAuthentication

use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.

the class FormAuthModule method tryLogin.

private boolean tryLogin(MessageInfo messageInfo, Subject clientSubject, HttpServletResponse response, HttpSession session, String username, Password password) throws AuthException, IOException, UnsupportedCallbackException {
    if (login(clientSubject, username, password, Constraint.__FORM_AUTH, messageInfo)) {
        char[] pwdChars = password.toString().toCharArray();
        Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
        if (!loginCallbacks.isEmpty()) {
            LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
            Set<UserIdentity> userIdentities = clientSubject.getPrivateCredentials(UserIdentity.class);
            if (!userIdentities.isEmpty()) {
                UserIdentity userIdentity = userIdentities.iterator().next();
                SessionAuthentication sessionAuth = new SessionAuthentication(Constraint.__FORM_AUTH, userIdentity, password);
                session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
            }
        }
        return true;
    }
    return false;
}
Also used : LoginCallbackImpl(org.eclipse.jetty.security.authentication.LoginCallbackImpl) UserIdentity(org.eclipse.jetty.server.UserIdentity) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)

Example 5 with SessionAuthentication

use of org.eclipse.jetty.security.authentication.SessionAuthentication in project drill by apache.

the class WebServer method createSessionHandler.

/**
   * @return A {@link SessionHandler} which contains a {@link HashSessionManager}
   */
private SessionHandler createSessionHandler(final SecurityHandler securityHandler) {
    SessionManager sessionManager = new HashSessionManager();
    sessionManager.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
    sessionManager.addEventListener(new HttpSessionListener() {

        @Override
        public void sessionCreated(HttpSessionEvent se) {
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            final HttpSession session = se.getSession();
            if (session == null) {
                return;
            }
            final Object authCreds = session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
            if (authCreds != null) {
                final SessionAuthentication sessionAuth = (SessionAuthentication) authCreds;
                securityHandler.logout(sessionAuth);
                session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
            }
            // Clear all the resources allocated for this session
            final WebSessionResources webSessionResources = (WebSessionResources) session.getAttribute(WebSessionResources.class.getSimpleName());
            if (webSessionResources != null) {
                webSessionResources.close();
                session.removeAttribute(WebSessionResources.class.getSimpleName());
            }
        }
    });
    return new SessionHandler(sessionManager);
}
Also used : SessionHandler(org.eclipse.jetty.server.session.SessionHandler) HttpSessionListener(javax.servlet.http.HttpSessionListener) HashSessionManager(org.eclipse.jetty.server.session.HashSessionManager) HashSessionManager(org.eclipse.jetty.server.session.HashSessionManager) SessionManager(org.eclipse.jetty.server.SessionManager) HttpSession(javax.servlet.http.HttpSession) HttpSessionEvent(javax.servlet.http.HttpSessionEvent) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)

Aggregations

SessionAuthentication (org.eclipse.jetty.security.authentication.SessionAuthentication)5 HttpSession (javax.servlet.http.HttpSession)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)3 UserIdentity (org.eclipse.jetty.server.UserIdentity)3 IOException (java.io.IOException)2 AuthException (javax.security.auth.message.AuthException)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 Principal (java.security.Principal)1 Subject (javax.security.auth.Subject)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 AuthStatus (javax.security.auth.message.AuthStatus)1 CallerPrincipalCallback (javax.security.auth.message.callback.CallerPrincipalCallback)1 GroupPrincipalCallback (javax.security.auth.message.callback.GroupPrincipalCallback)1 ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)1 HttpSessionEvent (javax.servlet.http.HttpSessionEvent)1 HttpSessionListener (javax.servlet.http.HttpSessionListener)1 ServerAuthException (org.eclipse.jetty.security.ServerAuthException)1 UserAuthentication (org.eclipse.jetty.security.UserAuthentication)1 DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)1 LoginCallbackImpl (org.eclipse.jetty.security.authentication.LoginCallbackImpl)1