Example 1 with SessionAuthentication
use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.
the class JaspiAuthenticator method login.
/**
* @see org.eclipse.jetty.security.authentication.LoginAuthenticator#login(java.lang.String, java.lang.Object, javax.servlet.ServletRequest)
*/
@Override
public UserIdentity login(String username, Object password, ServletRequest request) {
UserIdentity user = _loginService.login(username, password, request);
if (user != null) {
renewSession((HttpServletRequest) request, null);
HttpSession session = ((HttpServletRequest) request).getSession(true);
if (session != null) {
SessionAuthentication sessionAuth = new SessionAuthentication(getAuthMethod(), user, password);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
}
}
return user;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
HttpSession(javax.servlet.http.HttpSession)
UserIdentity(org.eclipse.jetty.server.UserIdentity)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
Example 2 with SessionAuthentication
use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.
the class JaspiAuthenticator method validateRequest.
public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException {
try {
String authContextId = _authConfig.getAuthContextID(messageInfo);
ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
Subject clientSubject = new Subject();
AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);
if (authStatus == AuthStatus.SEND_CONTINUE)
return Authentication.SEND_CONTINUE;
if (authStatus == AuthStatus.SEND_FAILURE)
return Authentication.SEND_FAILURE;
if (authStatus == AuthStatus.SUCCESS) {
Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
UserIdentity userIdentity;
if (ids.size() > 0) {
userIdentity = ids.iterator().next();
} else {
CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
if (principalCallback == null) {
return Authentication.UNAUTHENTICATED;
}
Principal principal = principalCallback.getPrincipal();
if (principal == null) {
String principalName = principalCallback.getName();
Set<Principal> principals = principalCallback.getSubject().getPrincipals();
for (Principal p : principals) {
if (p.getName().equals(principalName)) {
principal = p;
break;
}
}
if (principal == null) {
return Authentication.UNAUTHENTICATED;
}
}
GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
}
HttpSession session = ((HttpServletRequest) messageInfo.getRequestMessage()).getSession(false);
Authentication cached = (session == null ? null : (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED));
if (cached != null)
return cached;
return new UserAuthentication(getAuthMethod(), userIdentity);
}
if (authStatus == AuthStatus.SEND_SUCCESS) {
// we are processing a message in a secureResponse dialog.
return Authentication.SEND_SUCCESS;
}
if (authStatus == AuthStatus.FAILURE) {
HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return Authentication.SEND_FAILURE;
}
// should not happen
throw new IllegalStateException("No AuthStatus returned");
} catch (IOException | AuthException e) {
throw new ServerAuthException(e);
}
}
Also used :
HttpSession(javax.servlet.http.HttpSession)
UserIdentity(org.eclipse.jetty.server.UserIdentity)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthException(javax.security.auth.message.AuthException)
ServerAuthException(org.eclipse.jetty.security.ServerAuthException)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
IOException(java.io.IOException)
ServerAuthException(org.eclipse.jetty.security.ServerAuthException)
UserAuthentication(org.eclipse.jetty.security.UserAuthentication)
Subject(javax.security.auth.Subject)
ServerAuthContext(javax.security.auth.message.config.ServerAuthContext)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
CallerPrincipalCallback(javax.security.auth.message.callback.CallerPrincipalCallback)
GroupPrincipalCallback(javax.security.auth.message.callback.GroupPrincipalCallback)
AuthStatus(javax.security.auth.message.AuthStatus)
DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
UserAuthentication(org.eclipse.jetty.security.UserAuthentication)
Authentication(org.eclipse.jetty.server.Authentication)
Principal(java.security.Principal)
Example 3 with SessionAuthentication
use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.
the class FormAuthModule method validateRequest.
@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
String uri = request.getRequestURI();
if (uri == null)
uri = URIUtil.SLASH;
boolean mandatory = isMandatory(messageInfo);
mandatory |= isJSecurityCheck(uri);
HttpSession session = request.getSession(mandatory);
// not mandatory or its the login or login error page don't authenticate
if (!mandatory || isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(), request.getPathInfo())))
// TODO return null for do nothing?
return AuthStatus.SUCCESS;
try {
// Handle a request for authentication.
if (isJSecurityCheck(uri)) {
final String username = request.getParameter(__J_USERNAME);
final String password = request.getParameter(__J_PASSWORD);
boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
if (success) {
// Redirect to original request
String nuri = null;
synchronized (session) {
nuri = (String) session.getAttribute(__J_URI);
}
if (nuri == null || nuri.length() == 0) {
nuri = request.getContextPath();
if (nuri.length() == 0)
nuri = URIUtil.SLASH;
}
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
return AuthStatus.SEND_CONTINUE;
}
// not authenticated
if (LOG.isDebugEnabled())
LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
if (_formErrorPage == null) {
if (response != null)
response.sendError(HttpServletResponse.SC_FORBIDDEN);
} else {
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formErrorPage)));
}
// that occur?
return AuthStatus.SEND_FAILURE;
}
// Check if the session is already authenticated.
SessionAuthentication sessionAuth = (SessionAuthentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
if (sessionAuth != null) {
//to FormAuthModule
if (sessionAuth.getUserIdentity().getSubject() == null)
return AuthStatus.SEND_FAILURE;
Set<Object> credentials = sessionAuth.getUserIdentity().getSubject().getPrivateCredentials();
if (credentials == null || credentials.isEmpty())
//if no private credentials, assume it cannot be authenticated
return AuthStatus.SEND_FAILURE;
clientSubject.getPrivateCredentials().addAll(credentials);
clientSubject.getPrivateCredentials().add(sessionAuth.getUserIdentity());
return AuthStatus.SUCCESS;
}
// if we can't send challenge
if (DeferredAuthentication.isDeferred(response))
return AuthStatus.SUCCESS;
// redirect to login page
StringBuffer buf = request.getRequestURL();
if (request.getQueryString() != null)
buf.append("?").append(request.getQueryString());
synchronized (session) {
session.setAttribute(__J_URI, buf.toString());
}
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
return AuthStatus.SEND_CONTINUE;
} catch (IOException e) {
throw new AuthException(e.getMessage());
} catch (UnsupportedCallbackException e) {
throw new AuthException(e.getMessage());
}
}
Also used :
HttpSession(javax.servlet.http.HttpSession)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthException(javax.security.auth.message.AuthException)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
IOException(java.io.IOException)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
Password(org.eclipse.jetty.util.security.Password)
Example 4 with SessionAuthentication
use of org.eclipse.jetty.security.authentication.SessionAuthentication in project jetty.project by eclipse.
the class FormAuthModule method tryLogin.
private boolean tryLogin(MessageInfo messageInfo, Subject clientSubject, HttpServletResponse response, HttpSession session, String username, Password password) throws AuthException, IOException, UnsupportedCallbackException {
if (login(clientSubject, username, password, Constraint.__FORM_AUTH, messageInfo)) {
char[] pwdChars = password.toString().toCharArray();
Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
if (!loginCallbacks.isEmpty()) {
LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
Set<UserIdentity> userIdentities = clientSubject.getPrivateCredentials(UserIdentity.class);
if (!userIdentities.isEmpty()) {
UserIdentity userIdentity = userIdentities.iterator().next();
SessionAuthentication sessionAuth = new SessionAuthentication(Constraint.__FORM_AUTH, userIdentity, password);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
}
}
return true;
}
return false;
}
Also used :
LoginCallbackImpl(org.eclipse.jetty.security.authentication.LoginCallbackImpl)
UserIdentity(org.eclipse.jetty.server.UserIdentity)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
Example 5 with SessionAuthentication
use of org.eclipse.jetty.security.authentication.SessionAuthentication in project drill by apache.
the class WebServer method createSessionHandler.
/**
* @return A {@link SessionHandler} which contains a {@link HashSessionManager}
*/
private SessionHandler createSessionHandler(final SecurityHandler securityHandler) {
SessionManager sessionManager = new HashSessionManager();
sessionManager.setMaxInactiveInterval(config.getInt(ExecConstants.HTTP_SESSION_MAX_IDLE_SECS));
sessionManager.addEventListener(new HttpSessionListener() {
@Override
public void sessionCreated(HttpSessionEvent se) {
}
@Override
public void sessionDestroyed(HttpSessionEvent se) {
final HttpSession session = se.getSession();
if (session == null) {
return;
}
final Object authCreds = session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
if (authCreds != null) {
final SessionAuthentication sessionAuth = (SessionAuthentication) authCreds;
securityHandler.logout(sessionAuth);
session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
}
// Clear all the resources allocated for this session
final WebSessionResources webSessionResources = (WebSessionResources) session.getAttribute(WebSessionResources.class.getSimpleName());
if (webSessionResources != null) {
webSessionResources.close();
session.removeAttribute(WebSessionResources.class.getSimpleName());
}
}
});
return new SessionHandler(sessionManager);
}
Also used :
SessionHandler(org.eclipse.jetty.server.session.SessionHandler)
HttpSessionListener(javax.servlet.http.HttpSessionListener)
HashSessionManager(org.eclipse.jetty.server.session.HashSessionManager)
HashSessionManager(org.eclipse.jetty.server.session.HashSessionManager)
SessionManager(org.eclipse.jetty.server.SessionManager)
HttpSession(javax.servlet.http.HttpSession)
HttpSessionEvent(javax.servlet.http.HttpSessionEvent)
SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication)
Aggregations
SessionAuthentication (org.eclipse.jetty.security.authentication.SessionAuthentication)5
HttpSession (javax.servlet.http.HttpSession)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)3
UserIdentity (org.eclipse.jetty.server.UserIdentity)3
IOException (java.io.IOException)2
AuthException (javax.security.auth.message.AuthException)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
Principal (java.security.Principal)1
Subject (javax.security.auth.Subject)1
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1
AuthStatus (javax.security.auth.message.AuthStatus)1
CallerPrincipalCallback (javax.security.auth.message.callback.CallerPrincipalCallback)1
GroupPrincipalCallback (javax.security.auth.message.callback.GroupPrincipalCallback)1
ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)1
HttpSessionEvent (javax.servlet.http.HttpSessionEvent)1
HttpSessionListener (javax.servlet.http.HttpSessionListener)1
ServerAuthException (org.eclipse.jetty.security.ServerAuthException)1
UserAuthentication (org.eclipse.jetty.security.UserAuthentication)1
DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)1
LoginCallbackImpl (org.eclipse.jetty.security.authentication.LoginCallbackImpl)1
