Example 1 with ElytronHTTPAuthenticator

Use of org.infinispan.server.security.ElytronHTTPAuthenticator in project infinispan by infinispan.

Class EndpointConfigurationBuilder, method enableImplicitAuthentication.

public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, RestServerConfigurationBuilder builder) {
    // Set the security realm only if it has not been set already
    org.infinispan.rest.configuration.AuthenticationConfigurationBuilder authentication = builder.authentication();
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (!authentication.hasMechanisms()) {
        String serverPrincipal = null;
        for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
            if (identity.getPrincipal().startsWith("HTTP/")) {
                authentication.enable().addMechanisms("SPNEGO");
                serverPrincipal = identity.getPrincipal();
                // Log only when SPNEGO was actually enabled for this principal
                Server.log.debugf("Enabled SPNEGO authentication for HTTP using principal '%s'", identity.getPrincipal());
            }
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable().addMechanisms("BEARER_TOKEN");
            Server.log.debug("Enabled BEARER_TOKEN for HTTP");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable().addMechanisms("CLIENT_CERT");
            Server.log.debug("Enabled CLIENT_CERT for HTTP");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
            authentication.enable().addMechanisms("DIGEST");
            Server.log.debug("Enabled DIGEST for HTTP");
            // Only enable BASIC (credentials sent in the clear) if encryption is on
            if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                authentication.enable().addMechanisms("BASIC");
                Server.log.debug("Enabled BASIC for HTTP");
            }
        }
        authentication.authenticator(new ElytronHTTPAuthenticator(authentication.securityRealm(), serverPrincipal, authentication.mechanisms()));
    }
}
Also used: ElytronHTTPAuthenticator (org.infinispan.server.security.ElytronHTTPAuthenticator), KerberosSecurityFactoryConfiguration (org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration), ServerSecurityRealm (org.infinispan.server.security.ServerSecurityRealm)

Example 2 with ElytronHTTPAuthenticator

Use of org.infinispan.server.security.ElytronHTTPAuthenticator in project infinispan by infinispan.

Class RestServerConfigurationParser, method parseAuthentication.

private void parseAuthentication(ConfigurationReader reader, ServerConfigurationBuilder serverBuilder, AuthenticationConfigurationBuilder builder, String securityRealmName) {
    if (securityRealmName == null) {
        securityRealmName = serverBuilder.endpoints().current().securityRealm();
    }
    String serverPrincipal = null;
    for (int i = 0; i < reader.getAttributeCount(); i++) {
        ParseUtils.requireNoNamespaceAttribute(reader, i);
        String value = reader.getAttributeValue(i);
        Attribute attribute = Attribute.forName(reader.getAttributeName(i));
        switch(attribute) {
            case SECURITY_REALM:
                {
                    builder.securityRealm(value);
                    securityRealmName = value;
                    break;
                }
            case MECHANISMS:
                {
                    builder.addMechanisms(reader.getListAttributeValue(i));
                    break;
                }
            case SERVER_PRINCIPAL:
                {
                    serverPrincipal = value;
                    break;
                }
            default:
                {
                    throw ParseUtils.unexpectedAttribute(reader, i);
                }
        }
    }
    ParseUtils.requireNoContent(reader);
    if (securityRealmName == null) {
        throw Server.log.authenticationWithoutSecurityRealm();
    }
    builder.authenticator(new ElytronHTTPAuthenticator(securityRealmName, serverPrincipal, builder.mechanisms()));
}
Also used: ElytronHTTPAuthenticator (org.infinispan.server.security.ElytronHTTPAuthenticator)