Use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in the graylog2-server project by Graylog2.
Class SessionsResource, method validateSession.
/**
 * Validates the session carried by the current request.
 *
 * <p>The request is first passed through the regular authentication filter; any rejection
 * (unauthorized, locked account, I/O failure) is reported as an invalid session rather than
 * an error. When the caller is authenticated, has no session yet and asked for one to be
 * created, a new session is started for the user and its ID is returned. If the request was
 * authenticated through a trusted HTTP header, the header's username is stored in the session
 * under {@link HTTPHeaderAuthenticationRealm#SESSION_AUTH_HEADER} so that later requests can
 * be checked against it.
 *
 * @param requestContext the JAX-RS request context handed to the authentication filter
 * @return a valid/invalid response, or a "valid with new session" response carrying the new session ID
 * @throws InternalServerErrorException if the authenticated principal cannot be resolved to a user
 */
@GET
@ApiOperation(value = "Validate an existing session", notes = "Checks the session with the given ID: returns http status 204 (No Content) if session is valid.", code = 204)
public SessionValidationResponse validateSession(@Context ContainerRequestContext requestContext) {
    // Any authentication failure is answered with "invalid" instead of an HTTP error response.
    try {
        this.authenticationFilter.filter(requestContext);
    } catch (NotAuthorizedException | LockedAccountException | IOException e) {
        return SessionValidationResponse.invalid();
    }

    final Subject currentSubject = getSubject();
    if (!currentSubject.isAuthenticated()) {
        return SessionValidationResponse.invalid();
    }

    // A session is only created when none exists yet AND the caller explicitly requested one.
    final boolean sessionMissing = currentSubject.getSession(false) == null;
    if (!sessionMissing || !ShiroSecurityContext.isSessionCreationRequested()) {
        return SessionValidationResponse.valid();
    }

    final Session newSession = currentSubject.getSession();
    final String principalId = currentSubject.getPrincipal().toString();
    final User sessionUser = userService.loadById(principalId);
    if (sessionUser == null) {
        throw new InternalServerErrorException("Unable to load user with ID <" + principalId + ">.");
    }
    newSession.setAttribute("username", sessionUser.getName());

    // Remember the trusted-header identity this session was created with (only when header
    // auth is enabled and the header is present); SessionAuthenticator compares later requests
    // against this attribute and terminates the session when the header names a different user.
    final HTTPHeaderAuthConfig headerAuthConfig = loadHTTPHeaderConfig();
    final Optional<String> trustedHeaderUsername =
            ShiroRequestHeadersBinder.getHeaderFromThreadContext(headerAuthConfig.usernameHeader());
    if (headerAuthConfig.enabled() && trustedHeaderUsername.isPresent()) {
        newSession.setAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER, trustedHeaderUsername.get());
    }

    LOG.debug("Create session for <{}>", sessionUser.getName());
    newSession.touch();
    // Persist the subject with the session; without this the principal cannot be resolved
    // from the session ID on subsequent requests.
    ((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(currentSubject);

    return SessionValidationResponse.validWithNewSession(
            String.valueOf(newSession.getId()), String.valueOf(sessionUser.getName()));
}
Use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in the graylog2-server project by Graylog2.
Class HTTPHeaderAuthenticationRealm, method doGetAuthenticationInfo.
/**
 * Authenticates a request from the username asserted in a trusted HTTP header.
 *
 * <p>Authentication only proceeds when header authentication is enabled, the configured
 * username header is present with a non-blank value, and the request originates from one of
 * the trusted proxy subnets. In every other case {@code null} is returned so Shiro falls
 * through to the next realm. The remote-address check is the part that makes the header
 * trustworthy: until it passes, the header value is treated as untrusted client input.
 *
 * @param token the token carrying the request headers and remote address; expected to be a
 *              {@link HttpHeadersToken}
 * @return the authentication info for the asserted user, or {@code null} if the request cannot
 *         be authenticated by this realm
 * @throws AuthenticationException propagated from {@code doAuthenticate}
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    final HttpHeadersToken headersToken = (HttpHeadersToken) token;
    final HTTPHeaderAuthConfig headerAuthConfig = loadConfig();

    if (!headerAuthConfig.enabled()) {
        LOG.debug("Skipping disabled HTTP header authentication");
        return null;
    }

    final Optional<String> headerUsername =
            headerValue(headersToken.getHeaders(), headerAuthConfig.usernameHeader());
    if (!headerUsername.isPresent()) {
        // Header not sent: nothing for this realm to do.
        return null;
    }

    final String username = headerUsername.get().trim();
    if (isBlank(username)) {
        LOG.warn("Skipping request with trusted HTTP header <{}> and blank value", headerAuthConfig.usernameHeader());
        return null;
    }

    // Only the configured proxies may assert identities through the header; a request carrying
    // it from any other address is rejected (and logged, since the value is untrusted there).
    final String remoteAddr = headersToken.getRemoteAddr();
    if (!inTrustedSubnets(remoteAddr)) {
        LOG.warn("Request with trusted HTTP header <{}={}> received from <{}> which is not in the trusted proxies: <{}>", headerAuthConfig.usernameHeader(), username, remoteAddr, JOINER.join(trustedProxies));
        return null;
    }

    return doAuthenticate(username, headerAuthConfig, remoteAddr);
}
Use of org.graylog2.security.headerauth.HTTPHeaderAuthConfig in the graylog2-server project by Graylog2.
Class SessionAuthenticator, method doGetAuthenticationInfo.
/**
 * Authenticates a request by an existing Shiro session ID.
 *
 * <p>Resolves the session referenced by the token, checks that the owning user still exists,
 * and returns an account for it. If the session was created through trusted HTTP header
 * authentication (it carries {@link HTTPHeaderAuthenticationRealm#SESSION_AUTH_HEADER}), and
 * the current request presents that header with a different username while header auth is
 * enabled, the session is stopped and {@code null} is returned. A request without the header
 * is not subject to that comparison. The session's last-access time is refreshed unless the
 * request sets the no-extension header to {@code true}; that header does not influence
 * whether the session is accepted, only whether its idle timeout is reset.
 *
 * @param token the token carrying the session ID; expected to be a {@link SessionIdToken}
 * @return the account for the session's user, or {@code null} if the session is unknown,
 *         expired, its user no longer exists, or it was terminated for a header mismatch
 * @throws AuthenticationException declared by the Shiro realm contract
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    final SessionIdToken sessionToken = (SessionIdToken) token;
    final Subject sessionSubject = new Subject.Builder().sessionId(sessionToken.getSessionId()).buildSubject();

    // getSession(false) never creates a session, so null means unknown or expired.
    final Session existingSession = sessionSubject.getSession(false);
    if (existingSession == null) {
        LOG.debug("Invalid session. Either it has expired or did not exist.");
        return null;
    }

    final Object principal = sessionSubject.getPrincipal();
    final User sessionUser = userService.loadById(String.valueOf(principal));
    if (sessionUser == null) {
        LOG.debug("No user with userId {} found for session", principal);
        return null;
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Found session for userId {}", principal);
    }

    // Sessions bound to a trusted-header identity must keep matching the header on later requests.
    final String boundHeaderUsername = (String) existingSession.getAttribute(HTTPHeaderAuthenticationRealm.SESSION_AUTH_HEADER);
    if (boundHeaderUsername != null) {
        final HTTPHeaderAuthConfig headerAuthConfig = loadHTTPHeaderConfig();
        final Optional<String> currentHeaderUsername =
                ShiroRequestHeadersBinder.getHeaderFromThreadContext(headerAuthConfig.usernameHeader());
        final boolean headerMismatch = headerAuthConfig.enabled()
                && currentHeaderUsername.isPresent()
                && !currentHeaderUsername.get().equalsIgnoreCase(boundHeaderUsername);
        if (headerMismatch) {
            LOG.warn("Terminating session where user <{}> does not match trusted HTTP header <{}>.", boundHeaderUsername, currentHeaderUsername.get());
            existingSession.stop();
            return null;
        }
    }

    // Refresh the idle timeout unless the client asked not to (e.g. background polling).
    final boolean skipExtension = ShiroRequestHeadersBinder.getHeaderFromThreadContext(X_GRAYLOG_NO_SESSION_EXTENSION)
            .map("true"::equalsIgnoreCase)
            .orElse(false);
    if (skipExtension) {
        LOG.debug("Not extending session because the request indicated not to.");
    } else {
        existingSession.touch();
    }

    ThreadContext.bind(sessionSubject);
    return new SimpleAccount(sessionUser.getId(), null, "session authenticator");
}