Search in sources :

Example 1 with ShiroSecurityContext

use of org.graylog2.shared.security.ShiroSecurityContext in project graylog2-server by Graylog2.

the class SessionsResource method newSession.

@POST
@ApiOperation(value = "Create a new session", notes = "This request creates a new session for a user or reactivates an existing session: the equivalent of logging in.")
@NoAuditEvent("dispatches audit events in the method body")
public SessionResponse newSession(@Context ContainerRequestContext requestContext, @ApiParam(name = "Login request", value = "Username and credentials", required = true) @Valid @NotNull SessionCreateRequest createRequest) {
    final SecurityContext securityContext = requestContext.getSecurityContext();
    if (!(securityContext instanceof ShiroSecurityContext)) {
        throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!");
    }
    final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext;
    // we treat the BASIC auth username as the sessionid
    final String sessionId = shiroSecurityContext.getUsername();
    // pretend that we had session id before
    Serializable id = null;
    if (sessionId != null && !sessionId.isEmpty()) {
        id = sessionId;
    }
    final String remoteAddrFromRequest = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets);
    final Subject subject = new Subject.Builder().sessionId(id).host(remoteAddrFromRequest).buildSubject();
    ThreadContext.bind(subject);
    final Session s = subject.getSession();
    try {
        subject.login(new UsernamePasswordToken(createRequest.username(), createRequest.password()));
        final User user = userService.load(createRequest.username());
        if (user != null) {
            long timeoutInMillis = user.getSessionTimeoutMs();
            s.setTimeout(timeoutInMillis);
        } else {
            // set a sane default. really we should be able to load the user from above.
            s.setTimeout(TimeUnit.HOURS.toMillis(8));
        }
        s.touch();
        // save subject in session, otherwise we can't get the username back in subsequent requests.
        ((DefaultSecurityManager) SecurityUtils.getSecurityManager()).getSubjectDAO().save(subject);
    } catch (AuthenticationException e) {
        LOG.info("Invalid username or password for user \"{}\"", createRequest.username());
    } catch (UnknownSessionException e) {
        subject.logout();
    }
    if (subject.isAuthenticated()) {
        id = s.getId();
        final Map<String, Object> auditEventContext = ImmutableMap.of("session_id", id, "remote_address", remoteAddrFromRequest);
        auditEventSender.success(AuditActor.user(createRequest.username()), SESSION_CREATE, auditEventContext);
        // TODO is the validUntil attribute even used by anyone yet?
        return SessionResponse.create(new DateTime(s.getLastAccessTime(), DateTimeZone.UTC).plus(s.getTimeout()).toDate(), id.toString());
    } else {
        final Map<String, Object> auditEventContext = ImmutableMap.of("remote_address", remoteAddrFromRequest);
        auditEventSender.failure(AuditActor.user(createRequest.username()), SESSION_CREATE, auditEventContext);
        throw new NotAuthorizedException("Invalid username or password", "Basic realm=\"Graylog Server session\"");
    }
}
Also used : Serializable(java.io.Serializable) User(org.graylog2.plugin.database.users.User) AuthenticationException(org.apache.shiro.authc.AuthenticationException) UnknownSessionException(org.apache.shiro.session.UnknownSessionException) NotAuthorizedException(javax.ws.rs.NotAuthorizedException) Subject(org.apache.shiro.subject.Subject) DateTime(org.joda.time.DateTime) UsernamePasswordToken(org.apache.shiro.authc.UsernamePasswordToken) SecurityContext(javax.ws.rs.core.SecurityContext) ShiroSecurityContext(org.graylog2.shared.security.ShiroSecurityContext) InternalServerErrorException(javax.ws.rs.InternalServerErrorException) ShiroSecurityContext(org.graylog2.shared.security.ShiroSecurityContext) Session(org.apache.shiro.session.Session) POST(javax.ws.rs.POST) ApiOperation(io.swagger.annotations.ApiOperation) NoAuditEvent(org.graylog2.audit.jersey.NoAuditEvent)

Example 2 with ShiroSecurityContext

use of org.graylog2.shared.security.ShiroSecurityContext in project graylog2-server by Graylog2.

the class RestTools method getUserNameFromRequest.

@Nullable
public static String getUserNameFromRequest(ContainerRequestContext requestContext) {
    final SecurityContext securityContext = requestContext.getSecurityContext();
    if (!(securityContext instanceof ShiroSecurityContext)) {
        return null;
    }
    final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext;
    final Principal userPrincipal = shiroSecurityContext.getUserPrincipal();
    if (!(userPrincipal instanceof ShiroPrincipal)) {
        return null;
    }
    final ShiroPrincipal shiroPrincipal = (ShiroPrincipal) userPrincipal;
    return shiroPrincipal.getName();
}
Also used : SecurityContext(javax.ws.rs.core.SecurityContext) ShiroSecurityContext(org.graylog2.shared.security.ShiroSecurityContext) ShiroPrincipal(org.graylog2.shared.security.ShiroPrincipal) ShiroPrincipal(org.graylog2.shared.security.ShiroPrincipal) Principal(java.security.Principal) ShiroSecurityContext(org.graylog2.shared.security.ShiroSecurityContext) Nullable(javax.annotation.Nullable)

Aggregations

SecurityContext (javax.ws.rs.core.SecurityContext)2 ShiroSecurityContext (org.graylog2.shared.security.ShiroSecurityContext)2 ApiOperation (io.swagger.annotations.ApiOperation)1 Serializable (java.io.Serializable)1 Principal (java.security.Principal)1 Nullable (javax.annotation.Nullable)1 InternalServerErrorException (javax.ws.rs.InternalServerErrorException)1 NotAuthorizedException (javax.ws.rs.NotAuthorizedException)1 POST (javax.ws.rs.POST)1 AuthenticationException (org.apache.shiro.authc.AuthenticationException)1 UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken)1 Session (org.apache.shiro.session.Session)1 UnknownSessionException (org.apache.shiro.session.UnknownSessionException)1 Subject (org.apache.shiro.subject.Subject)1 NoAuditEvent (org.graylog2.audit.jersey.NoAuditEvent)1 User (org.graylog2.plugin.database.users.User)1 ShiroPrincipal (org.graylog2.shared.security.ShiroPrincipal)1 DateTime (org.joda.time.DateTime)1