
Example 6 with Authentication

use of org.eclipse.jetty.server.Authentication in project blade by biezhi.

From the class SecurityHandler, method handle.

/* ------------------------------------------------------------ */
/**
 * Applies the security constraints configured for this handler to the request and
 * then delegates to the wrapped handler.
 * <p>
 * When {@code checkSecurity(baseRequest)} is false the request is passed straight
 * through to the wrapped handler. Otherwise, in order:
 * <ul>
 * <li>the data constraint is checked; failure answers 403 (unless the request is
 * already handled) and stops;</li>
 * <li>if authentication is mandatory but no authenticator is configured, a warning
 * is logged and 403 is sent;</li>
 * <li>the request's authentication is resolved (validated through the authenticator
 * when nothing upstream has decided yet) and the wrapped handler is invoked according
 * to its kind: ResponseSent, User, Deferred or anything else;</li>
 * <li>a {@code ServerAuthException} is reported as HTTP 500 carrying the exception
 * message;</li>
 * <li>whatever identity was associated for this request is disassociated in a
 * finally block.</li>
 * </ul>
 *
 * @param pathInContext the request path relative to the context
 * @param baseRequest   the underlying Jetty request, used for constraint checks and
 *                      to record the resulting authentication state
 * @param request       the servlet request handed to the wrapped handler (may be
 *                      replaced by a wrapped authentication)
 * @param response      the servlet response handed to the wrapped handler (may be
 *                      replaced by a wrapped authentication)
 * @throws IOException      if sending an error or the wrapped handler fails with I/O
 * @throws ServletException if the wrapped handler fails
 * @see org.eclipse.jetty.server.Handler#handle(java.lang.String,
 *      javax.servlet.http.HttpServletRequest,
 *      javax.servlet.http.HttpServletResponse, int)
 */
@Override
public void handle(String pathInContext, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    final Response base_response = baseRequest.getResponse();
    final Handler handler = getHandler();
    // Nothing to protect or delegate to.
    if (handler == null)
        return;
    // Read the field once so every use below sees the same instance for this request.
    final Authenticator authenticator = _authenticator;
    if (checkSecurity(baseRequest)) {
        //See Servlet Spec 3.1 sec 13.6.3
        if (authenticator != null)
            authenticator.prepareRequest(baseRequest);
        RoleInfo roleInfo = prepareConstraintInfo(pathInContext, baseRequest);
        // Check data constraints
        if (!checkUserDataPermissions(pathInContext, baseRequest, base_response, roleInfo)) {
            // Only write the 403 if nothing has already committed a response.
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // is Auth mandatory?
        boolean isAuthMandatory = isAuthMandatory(baseRequest, base_response, roleInfo);
        if (isAuthMandatory && authenticator == null) {
            // A constrained resource with no way to authenticate is denied rather than let through.
            LOG.warn("No authenticator for: " + roleInfo);
            if (!baseRequest.isHandled()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                baseRequest.setHandled(true);
            }
            return;
        }
        // check authentication
        // Whatever associate() returns is handed back to disassociate() in the finally block.
        Object previousIdentity = null;
        try {
            Authentication authentication = baseRequest.getAuthentication();
            // Only run the authenticator when nothing upstream has already decided.
            if (authentication == null || authentication == Authentication.NOT_CHECKED)
                authentication = authenticator == null ? Authentication.UNAUTHENTICATED : authenticator.validateRequest(request, response, isAuthMandatory);
            // A wrapped authentication substitutes the request/response passed downstream.
            if (authentication instanceof Authentication.Wrapped) {
                request = ((Authentication.Wrapped) authentication).getHttpServletRequest();
                response = ((Authentication.Wrapped) authentication).getHttpServletResponse();
            }
            if (authentication instanceof Authentication.ResponseSent) {
                // The authenticator already wrote the response (e.g. a challenge); nothing more to do.
                baseRequest.setHandled(true);
            } else if (authentication instanceof Authentication.User) {
                Authentication.User userAuth = (Authentication.User) authentication;
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(userAuth.getUserIdentity());
                // Authorization against the role constraints is only enforced when auth is mandatory.
                if (isAuthMandatory) {
                    boolean authorized = checkWebResourcePermissions(pathInContext, baseRequest, base_response, roleInfo, userAuth.getUserIdentity());
                    if (!authorized) {
                        // "!role" is the client-visible reason for the 403.
                        response.sendError(HttpServletResponse.SC_FORBIDDEN, "!role");
                        baseRequest.setHandled(true);
                        return;
                    }
                }
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
            } else if (authentication instanceof Authentication.Deferred) {
                DeferredAuthentication deferred = (DeferredAuthentication) authentication;
                baseRequest.setAuthentication(authentication);
                try {
                    handler.handle(pathInContext, baseRequest, request, response);
                } finally {
                    // The deferred object records any association made during handling;
                    // capture it even if the handler threw so the outer finally can undo it.
                    previousIdentity = deferred.getPreviousAssociation();
                }
                if (authenticator != null) {
                    // Handling may have completed the deferred login; secure the response
                    // with the resulting user, or with null if still unauthenticated.
                    Authentication auth = baseRequest.getAuthentication();
                    if (auth instanceof Authentication.User) {
                        Authentication.User userAuth = (Authentication.User) auth;
                        authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
                    } else
                        authenticator.secureResponse(request, response, isAuthMandatory, null);
                }
            } else {
                // Unauthenticated (or any other state): record it and proceed with no identity.
                baseRequest.setAuthentication(authentication);
                if (_identityService != null)
                    previousIdentity = _identityService.associate(null);
                handler.handle(pathInContext, baseRequest, request, response);
                if (authenticator != null)
                    authenticator.secureResponse(request, response, isAuthMandatory, null);
            }
        } catch (ServerAuthException e) {
            // jaspi 3.8.3 send HTTP 500 internal server error, with message
            // from AuthException
            // NOTE(review): the exception message becomes part of the client-visible error
            // body; confirm it carries no internal detail that should stay server-side.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        } finally {
            // Restore whatever identity association was in place before this request.
            if (_identityService != null)
                _identityService.disassociate(previousIdentity);
        }
    } else
        handler.handle(pathInContext, baseRequest, request, response);
}
Also used : Handler(org.eclipse.jetty.server.Handler) ContextHandler(org.eclipse.jetty.server.handler.ContextHandler) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) Response(org.eclipse.jetty.server.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) Authentication(org.eclipse.jetty.server.Authentication)

Example 7 with Authentication

use of org.eclipse.jetty.server.Authentication in project blade by biezhi.

From the class DeferredAuthentication, method authenticate.

/* ------------------------------------------------------------ */
/**
 * Performs the deferred authentication now, as a mandatory check.
 * <p>
 * The request is validated through the authenticator; when the result is a
 * {@link User} and an identity service is available, that user's identity is
 * associated and the previous association is remembered in
 * {@code _previousAssociation} so it can be restored later. A
 * {@code ServerAuthException} is logged at debug level and this deferred
 * instance is returned unchanged, i.e. the caller sees "still deferred".
 *
 * @param request  the request to authenticate
 * @param response the response a challenge may be written to
 * @return the authentication produced by the authenticator, or {@code this}
 *         if validation raised a {@code ServerAuthException}
 * @see Deferred#authenticate(ServletRequest, ServletResponse)
 */
@Override
public Authentication authenticate(ServletRequest request, ServletResponse response) {
    try {
        final LoginService loginService = _authenticator.getLoginService();
        final IdentityService identities = loginService.getIdentityService();
        final Authentication result = _authenticator.validateRequest(request, response, true);
        final boolean isUser = result instanceof User;
        if (isUser && identities != null) {
            final User user = (User) result;
            _previousAssociation = identities.associate(user.getUserIdentity());
        }
        return result;
    } catch (ServerAuthException e) {
        // Deliberate best-effort: a failed deferred login stays deferred rather
        // than failing the request; only a debug trace is kept.
        LOG.debug(e);
        return this;
    }
}
Also used : IdentityService(org.eclipse.jetty.security.IdentityService) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) LoginService(org.eclipse.jetty.security.LoginService)

Example 8 with Authentication

use of org.eclipse.jetty.server.Authentication in project blade by biezhi.

From the class FormAuthenticator, method login.

/* ------------------------------------------------------------ */
/**
 * Logs the user in via the superclass and, on success, caches the result in
 * the HTTP session under {@code SessionAuthentication.__J_AUTHENTICATED} so
 * later requests in the same session are recognised without re-validating.
 * <p>
 * The {@code password} object is handed to the {@code SessionAuthentication}
 * that is stored in the session.
 * NOTE(review): the session is obtained with {@code getSession(true)} and is
 * not renewed here after a successful login; confirm that session-id renewal
 * on login is handled elsewhere in this authenticator.
 *
 * @param username the submitted user name
 * @param password the submitted credential
 * @param request  the servlet request; must be an {@code HttpServletRequest}
 * @return the authenticated identity, or {@code null} when login failed
 */
@Override
public UserIdentity login(String username, Object password, ServletRequest request) {
    final UserIdentity identity = super.login(username, password, request);
    if (identity == null) {
        return null;
    }
    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final HttpSession session = httpRequest.getSession(true);
    final Authentication sessionAuth = new SessionAuthentication(getAuthMethod(), identity, password);
    session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, sessionAuth);
    return identity;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) UserIdentity(org.eclipse.jetty.server.UserIdentity)

Example 9 with Authentication

use of org.eclipse.jetty.server.Authentication in project jetty.project by eclipse.

From the class JaspiAuthenticator, method validateRequest.

/**
 * Validates the request through the JASPI message-info overload.
 * <p>
 * A {@code JaspiMessageInfo} describing the exchange is built, stored on the
 * request under the attribute {@code org.eclipse.jetty.security.jaspi.info},
 * and validated. When lazy authentication is enabled, the exchange is not
 * mandatory and the result is {@code UNAUTHENTICATED}, the outcome is
 * reported as a {@code DeferredAuthentication} instead so the login can be
 * completed on demand.
 *
 * @param request   the servlet request
 * @param response  the servlet response
 * @param mandatory whether the target resource requires authentication
 * @return the resulting authentication, possibly deferred
 * @throws ServerAuthException if the message-info validation fails
 */
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
    final JaspiMessageInfo messageInfo = new JaspiMessageInfo(request, response, mandatory);
    request.setAttribute("org.eclipse.jetty.security.jaspi.info", messageInfo);
    final Authentication result = validateRequest(messageInfo);
    // Non-mandatory + UNAUTHENTICATED is reported as "deferred" when lazy auth is on.
    final boolean deferrable = _allowLazyAuthentication && !messageInfo.isAuthMandatory();
    if (deferrable && result == Authentication.UNAUTHENTICATED) {
        return new DeferredAuthentication(this);
    }
    return result;
}
Also used : DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication) SessionAuthentication(org.eclipse.jetty.security.authentication.SessionAuthentication) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication) DeferredAuthentication(org.eclipse.jetty.security.authentication.DeferredAuthentication)

Example 10 with Authentication

use of org.eclipse.jetty.server.Authentication in project jetty.project by eclipse.

From the class FormAuthenticator, method validateRequest.

/* ------------------------------------------------------------ */
/**
 * Form-based authentication entry point.
 * <p>
 * Outcomes, in order of evaluation:
 * <ul>
 * <li>a request that is not mandatory (and not a j_security_check submission), or that
 * targets the login/error page while a challenge can still be sent, is deferred;</li>
 * <li>if no session can be obtained, {@code UNAUTHENTICATED} is returned;</li>
 * <li>a j_security_check submission is passed to {@code login(...)}: success redirects
 * to the URI saved in the session (or the context root) and returns the new
 * {@code FormAuthentication}; failure answers 403, forwards to, or redirects to the
 * configured error page and returns {@code SEND_FAILURE};</li>
 * <li>otherwise a cached session authentication is returned, after a revocation check
 * against the login service and replay of saved POST parameters when the request URL
 * matches the saved one;</li>
 * <li>with no cached authentication, {@code UNAUTHENTICATED} is returned if the response
 * cannot carry a challenge; else the current URL, method and (for form POSTs) the form
 * parameters are saved in the session, the login page is sent as the challenge and
 * {@code SEND_CONTINUE} is returned.</li>
 * </ul>
 *
 * @param req       the servlet request; must be an {@code HttpServletRequest}
 * @param res       the servlet response; must be an {@code HttpServletResponse}
 * @param mandatory whether the target resource requires authentication; forced on for
 *                  j_security_check submissions
 * @return the resulting {@code Authentication} state
 * @throws ServerAuthException wrapping any {@code IOException} or
 *                             {@code ServletException} raised while responding
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    Request base_request = Request.getBaseRequest(request);
    Response base_response = base_request.getResponse();
    String uri = request.getRequestURI();
    if (uri == null)
        uri = URIUtil.SLASH;
    // A credential submission is always processed, whatever the constraint says.
    mandatory |= isJSecurityCheck(uri);
    if (!mandatory)
        return new DeferredAuthentication(this);
    // Requests for the login/error page themselves are not challenged again, unless the
    // response already cannot carry a challenge.
    if (isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(), request.getPathInfo())) && !DeferredAuthentication.isDeferred(response))
        return new DeferredAuthentication(this);
    HttpSession session = null;
    try {
        session = request.getSession(true);
    } catch (Exception e) {
        // Best-effort: a failure to create a session is traced and treated as "no session".
        if (LOG.isDebugEnabled())
            LOG.debug(e);
    }
    //unauthenticated
    if (session == null)
        return Authentication.UNAUTHENTICATED;
    try {
        // Handle a request for authentication.
        if (isJSecurityCheck(uri)) {
            final String username = request.getParameter(__J_USERNAME);
            final String password = request.getParameter(__J_PASSWORD);
            UserIdentity user = login(username, password, request);
            LOG.debug("jsecuritycheck {} {}", username, user);
            // Re-fetch: login() may have touched the session.
            session = request.getSession(true);
            if (user != null) {
                // Redirect to original request
                String nuri;
                FormAuthentication form_auth;
                synchronized (session) {
                    // The saved URI is whatever the remember-URI block below stored from
                    // request.getRequestURL(); fall back to the context root.
                    // NOTE(review): that value is built from the incoming request's host and
                    // path, so it relies on Host header validation happening upstream.
                    nuri = (String) session.getAttribute(__J_URI);
                    if (nuri == null || nuri.length() == 0) {
                        nuri = request.getContextPath();
                        if (nuri.length() == 0)
                            nuri = URIUtil.SLASH;
                    }
                    form_auth = new FormAuthentication(getAuthMethod(), user);
                }
                LOG.debug("authenticated {}->{}", form_auth, nuri);
                response.setContentLength(0);
                // 303 for HTTP/1.1 and later, 302 for older clients.
                int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
                base_response.sendRedirect(redirectCode, response.encodeRedirectURL(nuri));
                return form_auth;
            }
            // not authenticated
            if (LOG.isDebugEnabled())
                LOG.debug("Form authentication FAILED for " + StringUtil.printable(username));
            if (_formErrorPage == null) {
                // No error page configured: plain 403.
                LOG.debug("auth failed {}->403", username);
                // NOTE(review): response is the cast parameter and was already passed to
                // isDeferred() above; this null check looks redundant — confirm.
                if (response != null)
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
            } else if (_dispatch) {
                // Error page rendered in-place via forward, marked non-cacheable.
                LOG.debug("auth failed {}=={}", username, _formErrorPage);
                RequestDispatcher dispatcher = request.getRequestDispatcher(_formErrorPage);
                response.setHeader(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());
                response.setDateHeader(HttpHeader.EXPIRES.asString(), 1);
                dispatcher.forward(new FormRequest(request), new FormResponse(response));
            } else {
                // Error page reached by redirect within this context.
                LOG.debug("auth failed {}->{}", username, _formErrorPage);
                int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
                base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formErrorPage)));
            }
            return Authentication.SEND_FAILURE;
        }
        // Look for cached authentication
        Authentication authentication = (Authentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
        if (authentication != null) {
            // Has authentication been revoked?
            // The login service gets a chance to reject an identity it no longer considers valid.
            if (authentication instanceof Authentication.User && _loginService != null && !_loginService.validate(((Authentication.User) authentication).getUserIdentity())) {
                LOG.debug("auth revoked {}", authentication);
                session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
            } else {
                synchronized (session) {
                    String j_uri = (String) session.getAttribute(__J_URI);
                    if (j_uri != null) {
                        //check if the request is for the same url as the original and restore
                        //params if it was a post
                        LOG.debug("auth retry {}->{}", authentication, j_uri);
                        StringBuffer buf = request.getRequestURL();
                        if (request.getQueryString() != null)
                            buf.append("?").append(request.getQueryString());
                        if (j_uri.equals(buf.toString())) {
                            // Unchecked cast: the attribute is stored as a MultiMap<String>
                            // by the remember-URI block below.
                            MultiMap<String> j_post = (MultiMap<String>) session.getAttribute(__J_POST);
                            if (j_post != null) {
                                LOG.debug("auth rePOST {}->{}", authentication, j_uri);
                                base_request.setContentParameters(j_post);
                            }
                            // The saved request is consumed exactly once.
                            session.removeAttribute(__J_URI);
                            session.removeAttribute(__J_METHOD);
                            session.removeAttribute(__J_POST);
                        }
                    }
                }
                LOG.debug("auth {}", authentication);
                return authentication;
            }
        }
        // if we can't send challenge
        if (DeferredAuthentication.isDeferred(response)) {
            LOG.debug("auth deferred {}", session.getId());
            return Authentication.UNAUTHENTICATED;
        }
        // remember the current URI
        synchronized (session) {
            // But only if it is not set already, or we save every uri that leads to a login form redirect
            if (session.getAttribute(__J_URI) == null || _alwaysSaveUri) {
                StringBuffer buf = request.getRequestURL();
                if (request.getQueryString() != null)
                    buf.append("?").append(request.getQueryString());
                session.setAttribute(__J_URI, buf.toString());
                session.setAttribute(__J_METHOD, request.getMethod());
                // Form-encoded POST bodies are captured so they can be replayed after login;
                // this keeps the submitted parameters in the session until consumed above.
                if (MimeTypes.Type.FORM_ENCODED.is(req.getContentType()) && HttpMethod.POST.is(request.getMethod())) {
                    MultiMap<String> formParameters = new MultiMap<>();
                    base_request.extractFormParameters(formParameters);
                    session.setAttribute(__J_POST, formParameters);
                }
            }
        }
        // send the the challenge
        if (_dispatch) {
            // Login page rendered in-place via forward, marked non-cacheable.
            LOG.debug("challenge {}=={}", session.getId(), _formLoginPage);
            RequestDispatcher dispatcher = request.getRequestDispatcher(_formLoginPage);
            response.setHeader(HttpHeader.CACHE_CONTROL.asString(), HttpHeaderValue.NO_CACHE.asString());
            response.setDateHeader(HttpHeader.EXPIRES.asString(), 1);
            dispatcher.forward(new FormRequest(request), new FormResponse(response));
        } else {
            // Login page reached by redirect within this context; 303 for HTTP/1.1+, 302 otherwise.
            LOG.debug("challenge {}->{}", session.getId(), _formLoginPage);
            int redirectCode = (base_request.getHttpVersion().getVersion() < HttpVersion.HTTP_1_1.getVersion() ? HttpServletResponse.SC_MOVED_TEMPORARILY : HttpServletResponse.SC_SEE_OTHER);
            base_response.sendRedirect(redirectCode, response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
        }
        return Authentication.SEND_CONTINUE;
    } catch (IOException | ServletException e) {
        // Surface transport/servlet failures as the authenticator's declared exception, cause preserved.
        throw new ServerAuthException(e);
    }
}
Also used : User(org.eclipse.jetty.server.Authentication.User) HttpSession(javax.servlet.http.HttpSession) UserIdentity(org.eclipse.jetty.server.UserIdentity) Request(org.eclipse.jetty.server.Request) HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletRequest(javax.servlet.ServletRequest) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) Constraint(org.eclipse.jetty.util.security.Constraint) RequestDispatcher(javax.servlet.RequestDispatcher) HttpServletRequest(javax.servlet.http.HttpServletRequest) Response(org.eclipse.jetty.server.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServletResponse(javax.servlet.ServletResponse) ServletException(javax.servlet.ServletException) MultiMap(org.eclipse.jetty.util.MultiMap) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) Authentication(org.eclipse.jetty.server.Authentication)

Aggregations

Authentication (org.eclipse.jetty.server.Authentication)13 UserAuthentication (org.eclipse.jetty.security.UserAuthentication)11 ServerAuthException (org.eclipse.jetty.security.ServerAuthException)7 UserIdentity (org.eclipse.jetty.server.UserIdentity)6 HttpServletRequest (javax.servlet.http.HttpServletRequest)5 HttpServletResponse (javax.servlet.http.HttpServletResponse)5 HttpSession (javax.servlet.http.HttpSession)5 IdentityService (org.eclipse.jetty.security.IdentityService)4 LoginService (org.eclipse.jetty.security.LoginService)4 DeferredAuthentication (org.eclipse.jetty.security.authentication.DeferredAuthentication)4 Response (org.eclipse.jetty.server.Response)4 IOException (java.io.IOException)3 Principal (java.security.Principal)2 RequestDispatcher (javax.servlet.RequestDispatcher)2 ServletException (javax.servlet.ServletException)2 ServletRequest (javax.servlet.ServletRequest)2 ServletResponse (javax.servlet.ServletResponse)2 SessionAuthentication (org.eclipse.jetty.security.authentication.SessionAuthentication)2 User (org.eclipse.jetty.server.Authentication.User)2 Handler (org.eclipse.jetty.server.Handler)2