Use of org.eclipse.jetty.server.Authentication in project keycloak by keycloak.
Class AbstractSamlAuthenticator, method validateRequest.
/**
 * Runs SAML authentication for one request and maps the outcome onto Jetty's
 * {@link Authentication} states.
 *
 * <p>Flow: resolve the deployment (unconfigured → {@code UNAUTHENTICATED}); if authentication is
 * optional and the request is not for the {@code /saml} endpoint, defer it; otherwise run the
 * authenticator and return {@code SEND_SUCCESS} / a registered authentication when it succeeded,
 * {@code SEND_CONTINUE} after a logout or after issuing a challenge.
 *
 * @param req       the servlet request, unwrapped via {@code resolveRequest}
 * @param res       the servlet response; must be an {@code HttpServletResponse}
 * @param mandatory whether the security constraint requires an authenticated user
 * @return the resulting Jetty authentication state
 * @throws ServerAuthException propagated from the registration/logout helpers
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }
    final Request request = resolveRequest(req);
    final HttpServletResponse response = (HttpServletResponse) res;
    final JettyHttpFacade facade = new JettyHttpFacade(request, response);
    final SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    // Without a configured deployment there is nothing to authenticate against.
    if (deployment == null || !deployment.isConfigured()) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }
    // Path relative to the context root; a "/saml" suffix selects the SamlEndpoint handler.
    final String pathInContext = request.getRequestURI().substring(request.getContextPath().length());
    final boolean samlEndpoint = pathInContext.endsWith("/saml");
    // Optional authentication on an ordinary page is deferred until something asks for the user.
    if (!mandatory && !samlEndpoint) {
        return new DeferredAuthentication(this);
    }
    final JettySamlSessionStore tokenStore = getTokenStore(request, facade, deployment);
    final SamlAuthenticator authenticator = createSamlAuthenticatorFor(samlEndpoint, facade, deployment, tokenStore);
    final AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        // If the handler already ended the response there is nothing left to register.
        return facade.isEnded()
                ? Authentication.SEND_SUCCESS
                : register(request, tokenStore.getAccount());
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        logoutCurrent(request);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(request, response, deployment);
        }
        return Authentication.SEND_CONTINUE;
    }
    // Every other outcome: send the authenticator's challenge, if it produced one.
    final AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        challenge.challenge(facade);
    }
    return Authentication.SEND_CONTINUE;
}

/**
 * Builds the authenticator for this request. Both variants leave {@code completeAuthentication}
 * empty (registration happens in {@code validateRequest}); they differ only in the browser handler:
 * {@code SamlEndpoint} for the SAML endpoint, {@code BrowserHandler} for any other page.
 */
private SamlAuthenticator createSamlAuthenticatorFor(boolean samlEndpoint, JettyHttpFacade facade,
                                                     SamlDeployment deployment, JettySamlSessionStore tokenStore) {
    if (samlEndpoint) {
        return new SamlAuthenticator(facade, deployment, tokenStore) {
            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    }
    return new SamlAuthenticator(facade, deployment, tokenStore) {
        @Override
        protected void completeAuthentication(SamlSession account) {
        }

        @Override
        protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
            return new BrowserHandler(facade, deployment, sessionStore);
        }
    };
}
Use of org.eclipse.jetty.server.Authentication in project zm-mailbox by Zimbra.
Class SpnegoAuthenticator, method authenticate.
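/* =========================================================
 *
 * Based on org.eclipse.jetty.security.SpnegoAuthenticator
 *
 * =========================================================
 */
/**
 * Authenticates the request via SPNEGO against the given realm.
 *
 * <p>With no {@code Authorization} header a {@code Negotiate} challenge is sent and
 * {@code SENT_CHALLENGE} is thrown. With a {@code Negotiate} header the token after the scheme is
 * passed to {@code realm.login}; on success the resulting Jetty authentication is attached to the
 * request, the token produced by the login is returned in {@code WWW-Authenticate} (as Jetty's
 * SpnegoAuthenticator does) and the {@link ZimbraPrincipal} is returned. Any other header scheme
 * fails authentication.
 *
 * @param realm    the login service that validates the SPNEGO token
 * @param request  the current request
 * @param response the response, used for the challenge and the {@code WWW-Authenticate} header
 * @return the authenticated Zimbra principal
 * @throws ServiceException {@code SENT_CHALLENGE} after challenging, or {@code AUTH_FAILED} when the
 *                          header is not {@code Negotiate}, the realm rejects the token, or no
 *                          usable principal comes back
 * @throws IOException propagated from sending the challenge
 */
private ZimbraPrincipal authenticate(LoginService realm, Request request, HttpServletResponse response) throws ServiceException, IOException {
    final String negotiate = HttpHeader.NEGOTIATE.toString();
    final String header = request.getHeader(HttpHeader.AUTHORIZATION.toString());
    /*
     * if the header is null then we need to challenge...this is after the error page check
     */
    if (header == null) {
        sendChallenge(realm, request, response);
        throw SSOAuthenticatorServiceException.SENT_CHALLENGE();
    }
    if (!header.startsWith(negotiate)) {
        /*
         * the header was not null, but we didn't get a negotiate so process error logic
         */
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
    }
    /*
     * we have gotten a negotiate header to try and authenticate
     */
    // skip over "Negotiate ". The header is client input: a bare "Negotiate" with no token must
    // not escape as StringIndexOutOfBoundsException, so it is treated as an empty token and left
    // to the realm to reject.
    final int tokenStart = negotiate.length() + 1;
    final String token = header.length() > tokenStart ? header.substring(tokenStart) : "";
    final UserIdentity identity = realm.login(null, token, request);
    if (identity == null) {
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: unable to login", (Throwable) null);
    }
    final Principal user = identity.getUserPrincipal();
    if (user == null) {
        /*
         * no user was returned from the authentication which means something failed
         * so process error logic
         */
        ZimbraLog.account.debug("SpnegoAuthenticator: no user found, authentication failed");
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: no user found, authentication failed", (Throwable) null);
    }
    // The realm is expected to hand back a SpnegoUserPrincipal (its token is echoed below);
    // anything else is a misconfigured login service, not a ClassCastException.
    if (!(user instanceof SpnegoUserPrincipal)) {
        ZimbraLog.account.debug("SpnegoAuthenticator: unexpected principal type " + user.getClass().getName());
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: unexpected principal type", (Throwable) null);
    }
    final SpnegoUserPrincipal spnegoUser = (SpnegoUserPrincipal) user;
    ZimbraLog.account.debug("SpnegoAuthenticator: obtained principal: " + user.getName());
    final Account acct = getAccountByPrincipal(user);
    final ZimbraPrincipal zimbraPrincipal = new ZimbraPrincipal(user.getName(), acct);
    // The part after '@' (the realm) becomes the single role; the whole name if there is no '@'.
    final String clientName = spnegoUser.getName();
    final String role = clientName.substring(clientName.indexOf('@') + 1);
    final String[] roles = new String[] { role };
    final DefaultUserIdentity defaultUserIdentity = new DefaultUserIdentity(identity.getSubject(), zimbraPrincipal, roles);
    final SpnegoUserIdentity spnegoUserIdentity = new SpnegoUserIdentity(identity.getSubject(), zimbraPrincipal, defaultUserIdentity);
    final Authentication authentication = new UserAuthentication(getAuthType(), spnegoUserIdentity);
    request.setAuthentication(authentication);
    response.addHeader(HttpHeader.WWW_AUTHENTICATE.toString(), negotiate + " " + spnegoUser.getToken());
    return zimbraPrincipal;
}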
Use of org.eclipse.jetty.server.Authentication in project drill by apache.
Class TestDrillSpnegoAuthenticator, method testNewSessionReqForSpnegoLogin.
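/**
 * Test to verify response when request is sent for {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} from
 * unauthenticated session. Expectation is client will receive response with Negotiate header.
 *
 * <p>The authenticator must answer {@code SEND_CONTINUE}, send a 401 and set
 * {@code WWW-Authenticate: Negotiate}.
 */
@Test
public void testNewSessionReqForSpnegoLogin() throws Exception {
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    final HttpSession session = Mockito.mock(HttpSession.class);
    // A fresh session with nothing stored in it: the user is not yet authenticated.
    Mockito.when(request.getSession(true)).thenReturn(session);
    Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
    final Authentication authentication = spnegoAuthenticator.validateRequest(request, response, false);
    // expected value first so a failure message reads "expected SEND_CONTINUE but was ..."
    assertEquals(Authentication.SEND_CONTINUE, authentication);
    verify(response).sendError(401);
    verify(response).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}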
Use of org.eclipse.jetty.server.Authentication in project drill by apache.
Class TestDrillSpnegoAuthenticator, method testAuthClientRequestForLogOut.
/**
 * Test to verify that when request is sent for {@link WebServerConstants#LOGOUT_RESOURCE_PATH} then the UserIdentity
 * will be removed from the session and returned authentication will be null from
 * {@link DrillSpnegoAuthenticator#validateRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse, boolean)}
 *
 * <p>A logout must also not trigger a new challenge: no 401 and no {@code WWW-Authenticate} header.
 */
@Test
public void testAuthClientRequestForLogOut() throws Exception {
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    final HttpSession httpSession = Mockito.mock(HttpSession.class);
    // The session already holds an authenticated identity that the logout should discard.
    final Authentication existingAuth = Mockito.mock(UserAuthentication.class);
    Mockito.when(session_attribute(httpSession)).thenReturn(existingAuth);
    Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.LOGOUT_RESOURCE_PATH);
    Mockito.when(request.getSession(true)).thenReturn(httpSession);
    final Authentication returned = spnegoAuthenticator.validateRequest(request, response, false);
    assertNull(returned);
    verify(httpSession).removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
    verify(response, never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    verify(response, never()).sendError(401);
}

/** Reads the stored authentication from the mocked session; kept separate to make the stubbing read naturally. */
private static Object session_attribute(HttpSession session) {
    return session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
}
Use of org.eclipse.jetty.server.Authentication in project drill by apache.
Class TestDrillSpnegoAuthenticator, method testAuthClientRequestForSpnegoLoginResource.
/**
 * Test to verify response when request is sent for {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} from
 * authenticated session. Expectation is server will find the authenticated UserIdentity.
 *
 * <p>Since the session is already authenticated, the stored authentication is returned as-is and
 * no challenge (401 / {@code WWW-Authenticate}) is issued.
 */
@Test
public void testAuthClientRequestForSpnegoLoginResource() throws Exception {
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    final HttpSession httpSession = Mockito.mock(HttpSession.class);
    final Authentication storedAuth = Mockito.mock(UserAuthentication.class);
    // Session already carries an authenticated identity for this client.
    Mockito.when(httpSession.getAttribute(SessionAuthentication.__J_AUTHENTICATED)).thenReturn(storedAuth);
    Mockito.when(request.getSession(true)).thenReturn(httpSession);
    Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
    final UserAuthentication returned = (UserAuthentication) spnegoAuthenticator.validateRequest(request, response, false);
    assertEquals(storedAuth, returned);
    verify(response, never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
    verify(response, never()).sendError(401);
}