Example 1 with HttpHeadersToken

Use of org.graylog2.shared.security.HttpHeadersToken in project graylog2-server by Graylog2.

From the class HTTPHeaderAuthenticationRealm, method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    final HttpHeadersToken headersToken = (HttpHeadersToken) token;
    final HTTPHeaderAuthConfig config = loadConfig();
    // Returning null tells Shiro that this realm has no authentication info for the token.
    if (!config.enabled()) {
        LOG.debug("Skipping disabled HTTP header authentication");
        return null;
    }
    final MultivaluedMap<String, String> headers = headersToken.getHeaders();
    // Look up the configured username header in the request headers.
    final Optional<String> optionalUsername = headerValue(headers, config.usernameHeader());
    if (optionalUsername.isPresent()) {
        final String username = optionalUsername.get().trim();
        if (isBlank(username)) {
            LOG.warn("Skipping request with trusted HTTP header <{}> and blank value", config.usernameHeader());
            return null;
        }
        // The header value is honoured only when the request's remote address
        // is inside the configured trusted proxy subnets.
        final String remoteAddr = headersToken.getRemoteAddr();
        if (inTrustedSubnets(remoteAddr)) {
            return doAuthenticate(username, config, remoteAddr);
        }
        LOG.warn("Request with trusted HTTP header <{}={}> received from <{}> which is not in the trusted proxies: <{}>",
                config.usernameHeader(), username, remoteAddr, JOINER.join(trustedProxies));
        return null;
    }
    // No username header present: this realm does not authenticate the request.
    return null;
}
Also used: HTTPHeaderAuthConfig (org.graylog2.security.headerauth.HTTPHeaderAuthConfig), HttpHeadersToken (org.graylog2.shared.security.HttpHeadersToken)

Aggregations

HTTPHeaderAuthConfig (org.graylog2.security.headerauth.HTTPHeaderAuthConfig): 1
HttpHeadersToken (org.graylog2.shared.security.HttpHeadersToken): 1