
Example 26 with Authentication

use of org.eclipse.jetty.server.Authentication in project keycloak by keycloak.

the class AbstractSamlAuthenticator method validateRequest.

/**
 * Jetty {@link Authentication} entry point for the Keycloak SAML adapter.
 *
 * <p>Resolves the SAML deployment for the request, then either defers authentication
 * (non-mandatory request that is not the SAML endpoint), runs a {@link SamlAuthenticator}
 * and registers the resulting {@link SamlSession}, handles a logout outcome, or sends the
 * authenticator's challenge.
 *
 * <p>A request whose URI (with the context path stripped) ends with {@code "/saml"} is
 * always treated as the SAML endpoint and is processed even when {@code mandatory} is
 * {@code false}; only the path suffix is inspected.
 *
 * @param req the servlet request, resolved to the underlying Jetty {@link Request}
 * @param res the servlet response; must be an {@link HttpServletResponse}
 * @param mandatory whether the requested resource requires an authenticated user
 * @return {@link Authentication#UNAUTHENTICATED} when no configured deployment matches,
 *     a {@link DeferredAuthentication} when authentication can be postponed,
 *     {@link Authentication#SEND_SUCCESS} when the facade reports the response as already
 *     ended, the authentication returned by {@code register} on success, or
 *     {@link Authentication#SEND_CONTINUE} after a logout or a challenge
 * @throws ServerAuthException per the Jetty authenticator contract
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }
    final Request jettyRequest = resolveRequest(req);
    final HttpServletResponse httpResponse = (HttpServletResponse) res;
    final JettyHttpFacade facade = new JettyHttpFacade(jettyRequest, httpResponse);
    final SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
    if (deployment == null || !deployment.isConfigured()) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }
    // Only the part of the URI after the context path decides whether this is the SAML endpoint.
    final String pathInContext = jettyRequest.getRequestURI().substring(jettyRequest.getContextPath().length());
    final boolean endpointRequest = pathInContext.endsWith("/saml");
    if (!mandatory && !endpointRequest) {
        return new DeferredAuthentication(this);
    }
    final JettySamlSessionStore tokenStore = getTokenStore(jettyRequest, facade, deployment);
    final SamlAuthenticator authenticator = newSamlAuthenticator(endpointRequest, facade, deployment, tokenStore);
    final AuthOutcome outcome = authenticator.authenticate();
    if (outcome == AuthOutcome.AUTHENTICATED) {
        // The handler may already have completed the response; in that case nothing is registered.
        return facade.isEnded()
                ? Authentication.SEND_SUCCESS
                : register(jettyRequest, tokenStore.getAccount());
    }
    if (outcome == AuthOutcome.LOGGED_OUT) {
        logoutCurrent(jettyRequest);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(jettyRequest, httpResponse, deployment);
        }
        return Authentication.SEND_CONTINUE;
    }
    final AuthChallenge challenge = authenticator.getChallenge();
    if (challenge != null) {
        challenge.challenge(facade);
    }
    return Authentication.SEND_CONTINUE;
}

/**
 * Builds the {@link SamlAuthenticator} for this request.
 *
 * <p>Both variants leave {@code completeAuthentication} empty (the Jetty
 * {@code register} step is done by the caller); they differ only in the browser handler:
 * {@link SamlEndpoint} for the SAML endpoint, {@link BrowserHandler} otherwise.
 *
 * @param endpointRequest whether the request targets the SAML endpoint
 * @param facade the Jetty-backed HTTP facade
 * @param deployment the resolved SAML deployment
 * @param tokenStore the session store for this request
 * @return a new authenticator instance
 */
private SamlAuthenticator newSamlAuthenticator(boolean endpointRequest, JettyHttpFacade facade, SamlDeployment deployment, JettySamlSessionStore tokenStore) {
    if (endpointRequest) {
        return new SamlAuthenticator(facade, deployment, tokenStore) {

            @Override
            protected void completeAuthentication(SamlSession account) {
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    }
    return new SamlAuthenticator(facade, deployment, tokenStore) {

        @Override
        protected void completeAuthentication(SamlSession account) {
        }

        @Override
        protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
            return new BrowserHandler(facade, deployment, sessionStore);
        }
    };
}

Example 27 with Authentication

use of org.eclipse.jetty.server.Authentication in project zm-mailbox by Zimbra.

the class SpnegoAuthenticator method authenticate.

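/* =========================================================
 *
 * Based on org.eclipse.jetty.security.SpnegoAuthenticator
 *
 * =========================================================
 */
/**
 * Authenticates the request with SPNEGO and installs the resulting Jetty
 * {@link Authentication} on the request.
 *
 * <p>Without an {@code Authorization} header the client is challenged and
 * {@code SENT_CHALLENGE} is thrown. A {@code Negotiate} header is parsed for its token,
 * which is passed to {@code realm.login}; the returned {@link SpnegoUserPrincipal} is
 * mapped to an {@link Account}, wrapped in a {@link ZimbraPrincipal} and a
 * {@link UserAuthentication}, and the server's SPNEGO response token is echoed in
 * {@code WWW-Authenticate}. Any other header value fails authentication.
 *
 * @param realm the Jetty login service performing the SPNEGO validation
 * @param request the current request; receives the {@link Authentication} on success
 * @param response the response; receives the challenge or the mutual-auth token
 * @return the principal for the authenticated account
 * @throws ServiceException {@code SENT_CHALLENGE} when a challenge was sent, or
 *     {@code AUTH_FAILED} when the header or the login result is unusable
 * @throws IOException if sending the challenge fails
 */
private ZimbraPrincipal authenticate(LoginService realm, Request request, HttpServletResponse response) throws ServiceException, IOException {
    final String header = request.getHeader(HttpHeader.AUTHORIZATION.toString());
    // No Authorization header yet: challenge the client (this runs after the error page check).
    if (header == null) {
        sendChallenge(realm, request, response);
        throw SSOAuthenticatorServiceException.SENT_CHALLENGE();
    }
    final String scheme = HttpHeader.NEGOTIATE.toString();
    // Accept "Negotiate" only as a whole scheme word: either the bare scheme or scheme followed by whitespace.
    final boolean negotiate = header.startsWith(scheme)
            && (header.length() == scheme.length() || Character.isWhitespace(header.charAt(scheme.length())));
    if (!negotiate) {
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
    }
    // Strip the scheme by its length instead of a hard-coded offset: a bare "Negotiate" header
    // with no token would otherwise make substring(10) throw StringIndexOutOfBoundsException.
    final String token = header.substring(scheme.length()).trim();
    if (token.isEmpty()) {
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: empty Negotiate token", (Throwable) null);
    }
    final UserIdentity identity = realm.login(null, token, request);
    if (identity == null) {
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: unable to login", (Throwable) null);
    }
    final Principal user = identity.getUserPrincipal();
    if (user == null) {
        // The realm accepted the token but produced no principal: treat as a failed login.
        ZimbraLog.account.debug("SpnegoAuthenticator: no user found, authentication failed");
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: no user found, authentication failed", (Throwable) null);
    }
    if (!(user instanceof SpnegoUserPrincipal)) {
        // The mutual-auth token below is only available on SpnegoUserPrincipal; fail cleanly
        // instead of letting an unchecked cast throw ClassCastException.
        throw AuthFailedServiceException.AUTH_FAILED("SpnegoAuthenticator: unexpected principal type " + user.getClass().getName(), (Throwable) null);
    }
    final SpnegoUserPrincipal spnegoUser = (SpnegoUserPrincipal) user;
    ZimbraLog.account.debug("SpnegoAuthenticator: obtained principal: " + user.getName());
    final Account acct = getAccountByPrincipal(user);
    final ZimbraPrincipal zimbraPrincipal = new ZimbraPrincipal(user.getName(), acct);
    // The role is the part of the client name after '@' (presumably the Kerberos realm);
    // with no '@' the whole name is used, as before.
    final String clientName = spnegoUser.getName();
    final String role = clientName.substring(clientName.indexOf('@') + 1);
    final String[] roles = new String[] { role };
    final DefaultUserIdentity defaultUserIdentity = new DefaultUserIdentity(identity.getSubject(), zimbraPrincipal, roles);
    final SpnegoUserIdentity spnegoUserIdentity = new SpnegoUserIdentity(identity.getSubject(), zimbraPrincipal, defaultUserIdentity);
    final Authentication authentication = new UserAuthentication(getAuthType(), spnegoUserIdentity);
    request.setAuthentication(authentication);
    // Return the server-side SPNEGO token so the client can complete mutual authentication.
    response.addHeader(HttpHeader.WWW_AUTHENTICATE.toString(), HttpHeader.NEGOTIATE.toString() + " " + spnegoUser.getToken());
    return zimbraPrincipal;
}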

Example 28 with Authentication

use of org.eclipse.jetty.server.Authentication in project drill by apache.

the class TestDrillSpnegoAuthenticator method testNewSessionReqForSpnegoLogin.

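/**
 * Test to verify response when request is sent for {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} from
 * unauthenticated session. Expectation is client will receive response with Negotiate header.
 *
 * <p>The mocked session has no stubbed attributes, so the authenticator finds no cached
 * identity and must start the SPNEGO handshake: it returns {@link Authentication#SEND_CONTINUE},
 * sends a 401 and sets {@code WWW-Authenticate: Negotiate}.
 */
@Test
public void testNewSessionReqForSpnegoLogin() throws Exception {
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    final HttpSession session = Mockito.mock(HttpSession.class);
    Mockito.when(request.getSession(true)).thenReturn(session);
    Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
    final Authentication authentication = spnegoAuthenticator.validateRequest(request, response, false);
    // assertEquals takes (expected, actual); the original had them swapped, which garbles the failure message.
    assertEquals(Authentication.SEND_CONTINUE, authentication);
    verify(response).sendError(401);
    verify(response).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}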

Example 29 with Authentication

use of org.eclipse.jetty.server.Authentication in project drill by apache.

the class TestDrillSpnegoAuthenticator method testAuthClientRequestForLogOut.

/**
 * Test to verify that when request is sent for {@link WebServerConstants#LOGOUT_RESOURCE_PATH} then the UserIdentity
 * will be removed from the session and returned authentication will be null from
 * {@link DrillSpnegoAuthenticator#validateRequest(javax.servlet.ServletRequest, javax.servlet.ServletResponse, boolean)}
 *
 * <p>The session is stubbed to hold an existing {@link UserAuthentication} under
 * {@code __J_AUTHENTICATED}; the logout path must clear that attribute without issuing
 * a new 401/Negotiate challenge.
 */
@Test
public void testAuthClientRequestForLogOut() throws Exception {
    final HttpSession mockSession = Mockito.mock(HttpSession.class);
    final Authentication existingAuth = Mockito.mock(UserAuthentication.class);
    Mockito.when(mockSession.getAttribute(SessionAuthentication.__J_AUTHENTICATED)).thenReturn(existingAuth);

    final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
    Mockito.when(mockRequest.getRequestURI()).thenReturn(WebServerConstants.LOGOUT_RESOURCE_PATH);
    Mockito.when(mockRequest.getSession(true)).thenReturn(mockSession);
    final HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);

    final UserAuthentication result = (UserAuthentication) spnegoAuthenticator.validateRequest(mockRequest, mockResponse, false);

    assertNull(result);
    Mockito.verify(mockSession).removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
    Mockito.verify(mockResponse, Mockito.never()).sendError(401);
    Mockito.verify(mockResponse, Mockito.never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}

Example 30 with Authentication

use of org.eclipse.jetty.server.Authentication in project drill by apache.

the class TestDrillSpnegoAuthenticator method testAuthClientRequestForSpnegoLoginResource.

/**
 * Test to verify response when request is sent for {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} from
 * authenticated session. Expectation is server will find the authenticated UserIdentity.
 *
 * <p>The session is stubbed to already hold a {@link UserAuthentication} under
 * {@code __J_AUTHENTICATED}; the authenticator must return that same object and must not
 * start a new 401/Negotiate challenge.
 */
@Test
public void testAuthClientRequestForSpnegoLoginResource() throws Exception {
    final HttpSession mockSession = Mockito.mock(HttpSession.class);
    final Authentication existingAuth = Mockito.mock(UserAuthentication.class);
    Mockito.when(mockSession.getAttribute(SessionAuthentication.__J_AUTHENTICATED)).thenReturn(existingAuth);

    final HttpServletRequest mockRequest = Mockito.mock(HttpServletRequest.class);
    Mockito.when(mockRequest.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
    Mockito.when(mockRequest.getSession(true)).thenReturn(mockSession);
    final HttpServletResponse mockResponse = Mockito.mock(HttpServletResponse.class);

    final UserAuthentication result = (UserAuthentication) spnegoAuthenticator.validateRequest(mockRequest, mockResponse, false);

    assertEquals(existingAuth, result);
    Mockito.verify(mockResponse, Mockito.never()).sendError(401);
    Mockito.verify(mockResponse, Mockito.never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}
