Example 26 with UnauthorizedException
use of org.jivesoftware.openfire.auth.UnauthorizedException in project Openfire by igniterealtime.
the class AuthFilter method filter.
/**
* Apply the filter : check input request, validate or not with user auth
*
* @param containerRequest
* The request from Tomcat server
*/
@Override
public ContainerRequest filter(ContainerRequest containerRequest) throws WebApplicationException {
// Get the authentification passed in HTTP headers parameters
String auth = containerRequest.getHeaderValue("authorization");
// Auth)
if (auth == null) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
// lap : loginAndPassword
String[] lap = BasicAuth.decode(auth);
// If login or password fail
if (lap == null || lap.length != 2) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
boolean userAdmin = AdminManager.getInstance().isUserAdmin(lap[0], true);
if (!userAdmin) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
try {
AuthFactory.authenticate(lap[0], lap[1]);
} catch (UnauthorizedException e) {
throw new WebApplicationException(Status.UNAUTHORIZED);
} catch (ConnectionException e) {
throw new WebApplicationException(Status.UNAUTHORIZED);
} catch (InternalUnauthenticatedException e) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
return containerRequest;
}
Also used :
WebApplicationException(javax.ws.rs.WebApplicationException)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
InternalUnauthenticatedException(org.jivesoftware.openfire.auth.InternalUnauthenticatedException)
ConnectionException(org.jivesoftware.openfire.auth.ConnectionException)
Example 27 with UnauthorizedException
use of org.jivesoftware.openfire.auth.UnauthorizedException in project Openfire by igniterealtime.
the class IQAuthHandler method handleIQ.
@Override
public IQ handleIQ(IQ packet) throws UnauthorizedException, PacketException {
JID from = packet.getFrom();
LocalClientSession session = (LocalClientSession) sessionManager.getSession(from);
// If no session was found then answer an error (if possible)
if (session == null) {
Log.error("Error during authentication. Session not found in " + sessionManager.getPreAuthenticatedKeys() + " for key " + from);
// This error packet will probably won't make it through
IQ reply = IQ.createResultIQ(packet);
reply.setChildElement(packet.getChildElement().createCopy());
reply.setError(PacketError.Condition.internal_server_error);
return reply;
}
IQ response;
boolean resourceBound = false;
if (JiveGlobals.getBooleanProperty("xmpp.auth.iqauth", true)) {
try {
Element iq = packet.getElement();
Element query = iq.element("query");
Element queryResponse = probeResponse.createCopy();
if (IQ.Type.get == packet.getType()) {
String username = query.elementText("username");
if (username != null) {
queryResponse.element("username").setText(username);
}
response = IQ.createResultIQ(packet);
response.setChildElement(queryResponse);
// JID until the user actually authenticates with the server.
if (session.getStatus() != Session.STATUS_AUTHENTICATED) {
response.setTo((JID) null);
}
} else // Otherwise set query
{
if (query.elements().isEmpty()) {
// Anonymous authentication
response = anonymousLogin(session, packet);
resourceBound = session.getStatus() == Session.STATUS_AUTHENTICATED;
} else {
String username = query.elementText("username");
// Login authentication
String password = query.elementText("password");
String digest = null;
if (query.element("digest") != null) {
digest = query.elementText("digest").toLowerCase();
}
// If we're already logged in, this is a password reset
if (session.getStatus() == Session.STATUS_AUTHENTICATED) {
// Check that a new password has been specified
if (password == null || password.trim().length() == 0) {
response = IQ.createResultIQ(packet);
response.setError(PacketError.Condition.not_allowed);
response.setType(IQ.Type.error);
} else {
// Check if a user is trying to change his own password
if (session.getUsername().equalsIgnoreCase(username)) {
response = passwordReset(password, packet, username, session);
} else // Check if an admin is trying to set the password for another user
if (XMPPServer.getInstance().getAdmins().contains(new JID(from.getNode(), from.getDomain(), null, true))) {
response = passwordReset(password, packet, username, session);
} else {
// User not authorized to change the password of another user
throw new UnauthorizedException();
}
}
} else {
// it is an auth attempt
response = login(username, query, packet, password, session, digest);
resourceBound = session.getStatus() == Session.STATUS_AUTHENTICATED;
}
}
}
} catch (UserNotFoundException | UnauthorizedException e) {
response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.not_authorized);
} catch (ConnectionException | InternalUnauthenticatedException e) {
response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.internal_server_error);
}
} else {
response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.not_authorized);
}
// Send the response directly since we want to be sure that we are sending it back
// to the correct session. Any other session of the same user but with different
// resource is incorrect.
session.process(response);
if (resourceBound) {
// After the client has been informed, inform all listeners as well.
SessionEventDispatcher.dispatchEvent(session, SessionEventDispatcher.EventType.resource_bound);
}
return null;
}
Also used :
LocalClientSession(org.jivesoftware.openfire.session.LocalClientSession)
UserNotFoundException(org.jivesoftware.openfire.user.UserNotFoundException)
JID(org.xmpp.packet.JID)
Element(org.dom4j.Element)
IQ(org.xmpp.packet.IQ)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
InternalUnauthenticatedException(org.jivesoftware.openfire.auth.InternalUnauthenticatedException)
ConnectionException(org.jivesoftware.openfire.auth.ConnectionException)
Example 28 with UnauthorizedException
use of org.jivesoftware.openfire.auth.UnauthorizedException in project Openfire by igniterealtime.
the class IQAuthHandler method passwordReset.
private IQ passwordReset(String password, IQ packet, String username, Session session) throws UnauthorizedException {
IQ response;
// Check if users can change their passwords and a password was specified
if (!registerHandler.canChangePassword() || password == null || password.length() == 0) {
throw new UnauthorizedException();
} else {
try {
userManager.getUser(username).setPassword(password);
response = IQ.createResultIQ(packet);
List<String> params = new ArrayList<>();
params.add(username);
params.add(session.toString());
Log.info(LocaleUtils.getLocalizedString("admin.password.update", params));
} catch (UserNotFoundException e) {
throw new UnauthorizedException();
}
}
return response;
}
Also used :
UserNotFoundException(org.jivesoftware.openfire.user.UserNotFoundException)
IQ(org.xmpp.packet.IQ)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
ArrayList(java.util.ArrayList)
Example 29 with UnauthorizedException
use of org.jivesoftware.openfire.auth.UnauthorizedException in project Openfire by igniterealtime.
the class IQAuthHandler method login.
private IQ login(String username, Element iq, IQ packet, String password, LocalClientSession session, String digest) throws UnauthorizedException, UserNotFoundException, ConnectionException, InternalUnauthenticatedException {
// Verify the validity of the username
if (username == null || username.trim().length() == 0) {
throw new UnauthorizedException("Invalid username (empty or null).");
}
try {
Stringprep.nodeprep(username);
} catch (StringprepException e) {
throw new UnauthorizedException("Invalid username: " + username, e);
}
// Verify that specified resource is not violating any string prep rule
String resource = iq.elementText("resource");
if (resource != null) {
try {
resource = JID.resourceprep(resource);
} catch (StringprepException e) {
throw new UnauthorizedException("Invalid resource: " + resource, e);
}
} else {
// Answer a not_acceptable error since a resource was not supplied
IQ response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.not_acceptable);
return response;
}
if (!JiveGlobals.getBooleanProperty("xmpp.auth.iqauth", true)) {
throw new UnauthorizedException();
}
username = username.toLowerCase();
// Verify that supplied username and password are correct (i.e. user authentication was successful)
AuthToken token = null;
if (AuthFactory.supportsPasswordRetrieval()) {
if (password != null) {
token = AuthFactory.authenticate(username, password);
} else if (digest != null) {
token = authenticate(username, session.getStreamID().toString(), digest);
}
}
if (token == null) {
throw new UnauthorizedException();
}
// Verify if there is a resource conflict between new resource and existing one.
// Check if a session already exists with the requested full JID and verify if
// we should kick it off or refuse the new connection
ClientSession oldSession = routingTable.getClientRoute(new JID(username, serverName, resource, true));
if (oldSession != null) {
try {
int conflictLimit = sessionManager.getConflictKickLimit();
if (conflictLimit == SessionManager.NEVER_KICK) {
IQ response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.forbidden);
return response;
}
int conflictCount = oldSession.incrementConflictCount();
if (conflictCount > conflictLimit) {
// Send a stream:error before closing the old connection
StreamError error = new StreamError(StreamError.Condition.conflict);
oldSession.deliverRawText(error.toXML());
oldSession.close();
} else {
IQ response = IQ.createResultIQ(packet);
response.setChildElement(packet.getChildElement().createCopy());
response.setError(PacketError.Condition.forbidden);
return response;
}
} catch (Exception e) {
Log.error("Error during login", e);
}
}
// Set that the new session has been authenticated successfully
session.setAuthToken(token, resource);
packet.setFrom(session.getAddress());
return IQ.createResultIQ(packet);
}
Also used :
StringprepException(gnu.inet.encoding.StringprepException)
StreamError(org.xmpp.packet.StreamError)
JID(org.xmpp.packet.JID)
LocalClientSession(org.jivesoftware.openfire.session.LocalClientSession)
ClientSession(org.jivesoftware.openfire.session.ClientSession)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
IQ(org.xmpp.packet.IQ)
AuthToken(org.jivesoftware.openfire.auth.AuthToken)
StringprepException(gnu.inet.encoding.StringprepException)
PacketException(org.jivesoftware.openfire.PacketException)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
ConnectionException(org.jivesoftware.openfire.auth.ConnectionException)
UserNotFoundException(org.jivesoftware.openfire.user.UserNotFoundException)
InternalUnauthenticatedException(org.jivesoftware.openfire.auth.InternalUnauthenticatedException)
Example 30 with UnauthorizedException
use of org.jivesoftware.openfire.auth.UnauthorizedException in project Openfire by igniterealtime.
the class AuthFilter method filter.
/*
* (non-Javadoc)
*
* @see
* com.sun.jersey.spi.container.ContainerRequestFilter#filter(com.sun.jersey
* .spi.container.ContainerRequest)
*/
@Override
public ContainerRequest filter(ContainerRequest containerRequest) throws WebApplicationException {
if (!plugin.isEnabled()) {
throw new WebApplicationException(Status.FORBIDDEN);
}
// Let the preflight request through the authentication
if ("OPTIONS".equals(containerRequest.getMethod())) {
return containerRequest;
}
// To be backwards compatible to userservice 1.*
if ("restapi/v1/userservice".equals(containerRequest.getPath())) {
return containerRequest;
}
if (!plugin.getAllowedIPs().isEmpty()) {
// Get client's IP address
String ipAddress = httpRequest.getHeader("x-forwarded-for");
if (ipAddress == null) {
ipAddress = httpRequest.getHeader("X_FORWARDED_FOR");
if (ipAddress == null) {
ipAddress = httpRequest.getHeader("X-Forward-For");
if (ipAddress == null) {
ipAddress = httpRequest.getRemoteAddr();
}
}
}
if (!plugin.getAllowedIPs().contains(ipAddress)) {
LOG.warn("REST API rejected service to IP address: " + ipAddress);
throw new WebApplicationException(Status.UNAUTHORIZED);
}
}
// Get the authentification passed in HTTP headers parameters
String auth = containerRequest.getHeaderValue("authorization");
if (auth == null) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
// HTTP Basic Auth or Shared Secret key
if ("basic".equals(plugin.getHttpAuth())) {
String[] usernameAndPassword = BasicAuth.decode(auth);
// If username or password fail
if (usernameAndPassword == null || usernameAndPassword.length != 2) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
boolean userAdmin = AdminManager.getInstance().isUserAdmin(usernameAndPassword[0], true);
if (!userAdmin) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
try {
AuthFactory.authenticate(usernameAndPassword[0], usernameAndPassword[1]);
} catch (UnauthorizedException e) {
LOG.warn("Wrong HTTP Basic Auth authorization", e);
throw new WebApplicationException(Status.UNAUTHORIZED);
} catch (ConnectionException e) {
throw new WebApplicationException(Status.UNAUTHORIZED);
} catch (InternalUnauthenticatedException e) {
throw new WebApplicationException(Status.UNAUTHORIZED);
}
} else {
if (!auth.equals(plugin.getSecret())) {
LOG.warn("Wrong secret key authorization. Provided key: " + auth);
throw new WebApplicationException(Status.UNAUTHORIZED);
}
}
return containerRequest;
}
Also used :
WebApplicationException(javax.ws.rs.WebApplicationException)
UnauthorizedException(org.jivesoftware.openfire.auth.UnauthorizedException)
InternalUnauthenticatedException(org.jivesoftware.openfire.auth.InternalUnauthenticatedException)
ConnectionException(org.jivesoftware.openfire.auth.ConnectionException)
Aggregations
UnauthorizedException (org.jivesoftware.openfire.auth.UnauthorizedException)30
UserNotFoundException (org.jivesoftware.openfire.user.UserNotFoundException)13
Element (org.dom4j.Element)11
IQ (org.xmpp.packet.IQ)10
JID (org.xmpp.packet.JID)10
ConnectionException (org.jivesoftware.openfire.auth.ConnectionException)7
PacketException (org.jivesoftware.openfire.PacketException)6
InternalUnauthenticatedException (org.jivesoftware.openfire.auth.InternalUnauthenticatedException)6
UserAlreadyExistsException (org.jivesoftware.openfire.user.UserAlreadyExistsException)5
IOException (java.io.IOException)4
AuthToken (org.jivesoftware.openfire.auth.AuthToken)4
StreamError (org.xmpp.packet.StreamError)4
StringprepException (gnu.inet.encoding.StringprepException)3
WebApplicationException (javax.ws.rs.WebApplicationException)3
ClientSession (org.jivesoftware.openfire.session.ClientSession)3
LocalClientSession (org.jivesoftware.openfire.session.LocalClientSession)3
User (org.jivesoftware.openfire.user.User)3
NotFoundException (org.jivesoftware.util.NotFoundException)3
DataForm (org.xmpp.forms.DataForm)3
FormField (org.xmpp.forms.FormField)3
