
Example 1 with HTTPHeaderAuthConfig

use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in project graylog2-server by Graylog2.

The class SessionsResource, method validateSession:

@GET
@ApiOperation(value = "Validate an existing session", notes = "Checks the session with the given ID: returns http status 204 (No Content) if session is valid.", code = 204)
public SessionValidationResponse validateSession(@Context ContainerRequestContext requestContext) {
    // Run the regular authentication filter first. Any authentication failure means the presented
    // session cannot be used, and the caller gets an "invalid" response instead of an error.
    try {
        this.authenticationFilter.filter(requestContext);
    } catch (NotAuthorizedException | LockedAccountException | IOException e) {
        return SessionValidationResponse.invalid();
    }

    final Subject currentSubject = getSubject();
    if (!currentSubject.isAuthenticated()) {
        return SessionValidationResponse.invalid();
    }

    // A new session is only created when none exists yet AND the client explicitly requested one;
    // every other authenticated request is simply reported as valid.
    final boolean needsNewSession = currentSubject.getSession(false) == null
            && ShiroSecurityContext.isSessionCreationRequested();
    if (!needsNewSession) {
        return SessionValidationResponse.valid();
    }

    final Session newSession = currentSubject.getSession();
    final String principalId = currentSubject.getPrincipal().toString();
    final User user = userService.loadById(principalId);
    if (user == null) {
        throw new InternalServerErrorException("Unable to load user with ID <" + principalId + ">.");
    }
    newSession.setAttribute("username", user.getName());

    // When trusted-header authentication is enabled and the request carried the configured header,
    // remember its value on the session so a later session authentication can compare it against
    // the header of the request that presents the session.
    final HTTPHeaderAuthConfig headerAuthConfig = loadHTTPHeaderConfig();
    final Optional<String> trustedHeaderValue =
            ShiroRequestHeadersBinder.getHeaderFromThreadContext(headerAuthConfig.usernameHeader());
    if (headerAuthConfig.enabled() && trustedHeaderValue.isPresent()) {
        newSession.setAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER, trustedHeaderValue.get());
    }

    LOG.debug("Create session for <{}>", user.getName());
    newSession.touch();
    // Persist the subject; without this the principal is not available on subsequent requests
    // that use this session.
    ((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(currentSubject);
    return SessionValidationResponse.validWithNewSession(String.valueOf(newSession.getId()), String.valueOf(user.getName()));
}

Example 2 with HTTPHeaderAuthConfig

use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in project graylog2-server by Graylog2.

The class HTTPHeaderAuthenticationRealm, method doGetAuthenticationInfo:

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    // NOTE(review): the cast assumes this realm is only handed HttpHeadersToken instances
    // (normally guaranteed by the realm's supports() check) — confirm.
    final HttpHeadersToken headersToken = (HttpHeadersToken) token;
    final HTTPHeaderAuthConfig headerAuthConfig = loadConfig();
    if (!headerAuthConfig.enabled()) {
        LOG.debug("Skipping disabled HTTP header authentication");
        return null;
    }

    final MultivaluedMap<String, String> requestHeaders = headersToken.getHeaders();
    final Optional<String> rawUsername = headerValue(requestHeaders, headerAuthConfig.usernameHeader());
    if (!rawUsername.isPresent()) {
        // No trusted header on this request: nothing for this realm to decide.
        return null;
    }

    final String username = rawUsername.get().trim();
    if (isBlank(username)) {
        LOG.warn("Skipping request with trusted HTTP header <{}> and blank value", headerAuthConfig.usernameHeader());
        return null;
    }

    // The header is honoured only when the request came from one of the configured trusted proxies;
    // the header value itself is client-supplied and is not trusted on its own.
    final String remoteAddr = headersToken.getRemoteAddr();
    if (!inTrustedSubnets(remoteAddr)) {
        // The logged username is an untrusted header value from a non-trusted source address.
        LOG.warn("Request with trusted HTTP header <{}={}> received from <{}> which is not in the trusted proxies: <{}>", headerAuthConfig.usernameHeader(), username, remoteAddr, JOINER.join(trustedProxies));
        return null;
    }
    return doAuthenticate(username, headerAuthConfig, remoteAddr);
}

Example 3 with HTTPHeaderAuthConfig

use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in project graylog2-server by Graylog2.

The class SessionAuthenticator, method doGetAuthenticationInfo:

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    final SessionIdToken idToken = (SessionIdToken) token;
    // Resolve the subject from the presented session ID only; getSession(false) does not create a session.
    final Subject sessionSubject = new Subject.Builder().sessionId(idToken.getSessionId()).buildSubject();
    final Session existingSession = sessionSubject.getSession(false);
    if (existingSession == null) {
        LOG.debug("Invalid session. Either it has expired or did not exist.");
        return null;
    }

    final Object principal = sessionSubject.getPrincipal();
    final User user = userService.loadById(String.valueOf(principal));
    if (user == null) {
        LOG.debug("No user with userId {} found for session", principal);
        return null;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Found session for userId {}", principal);
    }

    // A session established through trusted-header authentication carries the header value it was
    // bound to. If header authentication is still enabled and the current request presents a
    // different value, the session is stopped instead of silently continuing as the bound user.
    final String boundHeaderUser = (String) existingSession.getAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER);
    if (boundHeaderUser != null) {
        final HTTPHeaderAuthConfig headerAuthConfig = loadHTTPHeaderConfig();
        final Optional<String> currentHeaderUser = ShiroRequestHeadersBinder.getHeaderFromThreadContext(headerAuthConfig.usernameHeader());
        final boolean headerMismatch = headerAuthConfig.enabled()
                && currentHeaderUser.isPresent()
                && !currentHeaderUser.get().equalsIgnoreCase(boundHeaderUser);
        if (headerMismatch) {
            LOG.warn("Terminating session where user <{}> does not match trusted HTTP header <{}>.", boundHeaderUser, currentHeaderUser.get());
            existingSession.stop();
            return null;
        }
    }

    // The request may ask (via a dedicated header) that this access does not extend the session lifetime.
    final Optional<String> noExtensionHeader = ShiroRequestHeadersBinder.getHeaderFromThreadContext(X_GRAYLOG_NO_SESSION_EXTENSION);
    final boolean skipExtension = noExtensionHeader.isPresent() && "true".equalsIgnoreCase(noExtensionHeader.get());
    if (skipExtension) {
        LOG.debug("Not extending session because the request indicated not to.");
    } else {
        existingSession.touch();
    }

    ThreadContext.bind(sessionSubject);
    return new SimpleAccount(user.getId(), null, "session authenticator");
}
