Example 1 with SubjectAccreditedImpl
use of org.exist.security.internal.SubjectAccreditedImpl in project exist by eXist-db.
the class ActiveDirectoryRealm method authenticate.
/*
* (non-Javadoc)
*
* @see org.exist.security.Realm#authenticate(java.lang.String,
* java.lang.Object)
*/
@Override
public Subject authenticate(final String username, Object credentials) throws AuthenticationException {
String[] returnedAtts = { "sn", "givenName", "mail" };
String searchFilter = "(&(objectClass=user)(sAMAccountName=" + username + "))";
// Create the search controls
SearchControls searchCtls = new SearchControls();
searchCtls.setReturningAttributes(returnedAtts);
// Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
LdapContext ctxGC = null;
boolean ldapUser = false;
try {
ctxGC = ensureContextFactory().getLdapContext(username, String.valueOf(credentials));
// Search objects in GC using filters
NamingEnumeration<SearchResult> answer = ctxGC.search(((ContextFactory) ensureContextFactory()).getSearchBase(), searchFilter, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = answer.next();
Attributes attrs = sr.getAttributes();
Map<String, Object> amap = null;
if (attrs != null) {
amap = new HashMap<>();
NamingEnumeration<? extends Attribute> ne = attrs.getAll();
while (ne.hasMore()) {
Attribute attr = ne.next();
amap.put(attr.getID(), attr.get());
ldapUser = true;
}
ne.close();
}
}
} catch (NamingException e) {
e.printStackTrace();
throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, e.getMessage());
}
if (ldapUser) {
AbstractAccount account = (AbstractAccount) getAccount(username);
if (account == null) {
try (final DBBroker broker = getDatabase().get(Optional.of(getSecurityManager().getSystemSubject()))) {
// perform as SYSTEM user
account = (AbstractAccount) getSecurityManager().addAccount(new UserAider(ID, username));
} catch (Exception e) {
throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, e.getMessage(), e);
}
}
return new SubjectAccreditedImpl(account, ctxGC);
}
return null;
}
Also used :
Attribute(javax.naming.directory.Attribute)
AuthenticationException(org.exist.security.AuthenticationException)
AbstractAccount(org.exist.security.AbstractAccount)
Attributes(javax.naming.directory.Attributes)
SearchResult(javax.naming.directory.SearchResult)
AuthenticationException(org.exist.security.AuthenticationException)
NamingException(javax.naming.NamingException)
DBBroker(org.exist.storage.DBBroker)
SubjectAccreditedImpl(org.exist.security.internal.SubjectAccreditedImpl)
SearchControls(javax.naming.directory.SearchControls)
NamingException(javax.naming.NamingException)
UserAider(org.exist.security.internal.aider.UserAider)
LdapContext(javax.naming.ldap.LdapContext)
Example 2 with SubjectAccreditedImpl
use of org.exist.security.internal.SubjectAccreditedImpl in project exist by eXist-db.
the class IPRangeRealm method authenticate.
@Override
public Subject authenticate(final String ipAddress, final Object credentials) throws AuthenticationException {
// Elevaste to system privileges
try (final DBBroker broker = getSecurityManager().database().get(Optional.of(getSecurityManager().getSystemSubject()))) {
// Convert IP address
final long ipToTest = ipToLong(InetAddress.getByName(ipAddress));
// Get xquery service
final XQuery queryService = broker.getBrokerPool().getXQueryService();
if (queryService == null) {
LOG.error("IPRange broker unable to retrieve XQueryService");
return null;
}
// Construct XQuery
final String query = "collection('/db/system/security/iprange/accounts')/account/" + "iprange[" + ipToTest + " ge number(start) and " + ipToTest + " le number(end)]/../name";
final XQueryContext context = new XQueryContext(broker.getBrokerPool());
final CompiledXQuery compiled = queryService.compile(context, query);
final Properties outputProperties = new Properties();
// Execute xQuery
final Sequence result = queryService.execute(broker, compiled, null, outputProperties);
final SequenceIterator i = result.iterate();
// Get FIRST username when present
final String username = i.hasNext() ? i.nextItem().getStringValue() : "";
if (i.hasNext()) {
LOG.warn("IP address {} matched multiple ipranges. Using first result only.", ipAddress);
}
if (!username.isEmpty()) {
final Account account = getSecurityManager().getAccount(username);
if (account != null) {
LOG.info("IPRangeRealm trying {}", account.getName());
return new SubjectAccreditedImpl((AbstractAccount) account, ipAddress);
} else {
LOG.info("IPRangeRealm couldn't resolve account for {}", username);
}
} else {
LOG.info("IPRangeRealm xquery found no matches");
}
return null;
} catch (final EXistException | UnknownHostException | XPathException | PermissionDeniedException e) {
throw new AuthenticationException(AuthenticationException.UNNOWN_EXCEPTION, e.getMessage());
}
}
Also used :
UnknownHostException(java.net.UnknownHostException)
XPathException(org.exist.xquery.XPathException)
CompiledXQuery(org.exist.xquery.CompiledXQuery)
XQuery(org.exist.xquery.XQuery)
CompiledXQuery(org.exist.xquery.CompiledXQuery)
XQueryContext(org.exist.xquery.XQueryContext)
Sequence(org.exist.xquery.value.Sequence)
EXistException(org.exist.EXistException)
Properties(java.util.Properties)
DBBroker(org.exist.storage.DBBroker)
SequenceIterator(org.exist.xquery.value.SequenceIterator)
SubjectAccreditedImpl(org.exist.security.internal.SubjectAccreditedImpl)
Example 3 with SubjectAccreditedImpl
use of org.exist.security.internal.SubjectAccreditedImpl in project exist by eXist-db.
the class DigestAuthenticator method authenticate.
@Override
public Subject authenticate(HttpServletRequest request, HttpServletResponse response, boolean sendChallenge) throws IOException {
final String credentials = request.getHeader("Authorization");
if (credentials == null) {
sendChallenge(request, response);
return null;
}
final Digest digest = new Digest(request.getMethod());
parseCredentials(digest, credentials);
final SecurityManager secman = pool.getSecurityManager();
final AccountImpl user = (AccountImpl) secman.getAccount(digest.username);
if (user == null) {
// If user does not exist then send a challenge request again
if (sendChallenge) {
sendChallenge(request, response);
}
return null;
}
if (!digest.check(user.getDigestPassword())) {
// If password is incorrect then send a challenge request again
if (sendChallenge) {
sendChallenge(request, response);
}
return null;
}
return new SubjectAccreditedImpl(user, this);
}
Also used :
SecurityManager(org.exist.security.SecurityManager)
MessageDigest(java.security.MessageDigest)
SubjectAccreditedImpl(org.exist.security.internal.SubjectAccreditedImpl)
AccountImpl(org.exist.security.internal.AccountImpl)
Aggregations
SubjectAccreditedImpl (org.exist.security.internal.SubjectAccreditedImpl)3
DBBroker (org.exist.storage.DBBroker)2
UnknownHostException (java.net.UnknownHostException)1
MessageDigest (java.security.MessageDigest)1
Properties (java.util.Properties)1
NamingException (javax.naming.NamingException)1
Attribute (javax.naming.directory.Attribute)1
Attributes (javax.naming.directory.Attributes)1
SearchControls (javax.naming.directory.SearchControls)1
SearchResult (javax.naming.directory.SearchResult)1
LdapContext (javax.naming.ldap.LdapContext)1
EXistException (org.exist.EXistException)1
AbstractAccount (org.exist.security.AbstractAccount)1
AuthenticationException (org.exist.security.AuthenticationException)1
SecurityManager (org.exist.security.SecurityManager)1
AccountImpl (org.exist.security.internal.AccountImpl)1
UserAider (org.exist.security.internal.aider.UserAider)1
CompiledXQuery (org.exist.xquery.CompiledXQuery)1
XPathException (org.exist.xquery.XPathException)1
XQuery (org.exist.xquery.XQuery)1
