Example 1 with EvidenceVerifyCallback

Use of org.wildfly.security.auth.callback.EvidenceVerifyCallback in the project wildfly by wildfly.

From the class RealmDirectLoginModule, method validatePassword:

@Override
protected boolean validatePassword(String inputPassword, String expectedPassword) {
    // A digest credential supplied by the caller is verified directly against the
    // expected password bytes, which verifyHA1 treats as the HA1 hash.
    if (digestCredential != null) {
        return digestCredential.verifyHA1(expectedPassword.getBytes(UTF_8));
    }
    switch (validationMode) {
        case DIGEST:
            // The realm holds a hashed username:realm:password value, so hash the
            // supplied password the same way and compare the two hex strings.
            String inputHashed = hashUtil.generateHashedHexURP(getUsername(), securityRealm.getName(), inputPassword.toCharArray());
            return expectedPassword.equals(inputHashed);
        case PASSWORD:
            // The realm holds the password itself; compare directly.
            return expectedPassword.equals(inputPassword);
        case VALIDATION:
            // Delegate verification to the realm: hand over the supplied password as
            // PasswordGuessEvidence and let the callback handler report the outcome.
            RealmCallback rcb = new RealmCallback("Realm", securityRealm.getName());
            NameCallback ncb = new NameCallback("User Name", getUsername());
            EvidenceVerifyCallback evc = new EvidenceVerifyCallback(new PasswordGuessEvidence(inputPassword.toCharArray()));
            try {
                handle(new Callback[] { rcb, ncb, evc });
                return evc.isVerified();
            } catch (LoginException e) {
                // A failure to process the callbacks counts as a failed verification.
                return false;
            }
        default:
            return false;
    }
}
Also used:
    NameCallback (javax.security.auth.callback.NameCallback)
    PasswordGuessEvidence (org.wildfly.security.evidence.PasswordGuessEvidence)
    LoginException (javax.security.auth.login.LoginException)
    EvidenceVerifyCallback (org.wildfly.security.auth.callback.EvidenceVerifyCallback)
    RealmCallback (javax.security.sasl.RealmCallback)

Example 2 with EvidenceVerifyCallback

Use of org.wildfly.security.auth.callback.EvidenceVerifyCallback in the project quickstart by wildfly.

From the class CustomHeaderHttpAuthenticationMechanism, method evaluateRequest:

public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    // Credentials arrive in two custom request headers.
    final String username = request.getFirstRequestHeaderValue(USERNAME_HEADER);
    final String password = request.getFirstRequestHeaderValue(PASSWORD_HEADER);
    if (username == null || username.length() == 0 || password == null || password.length() == 0) {
        /*
         * This mechanism is not performing authentication at this time however other mechanisms may be in use concurrently and could succeed so we register
         */
        request.noAuthenticationInProgress(RESPONDER);
        return;
    }
    /*
     * The first two callbacks are used to authenticate a user using the supplied username and password.
     */
    NameCallback nameCallback = new NameCallback("Remote Authentication Name", username);
    nameCallback.setName(username);
    final PasswordGuessEvidence evidence = new PasswordGuessEvidence(password.toCharArray());
    EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(evidence);
    try {
        callbackHandler.handle(new Callback[] { nameCallback, evidenceVerifyCallback });
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
    if (!evidenceVerifyCallback.isVerified()) {
        // Stop here: authenticationFailed() only records the failure, it does not
        // return from this method, so without this return the request would still
        // reach the authorization step below with an unverified password.
        request.authenticationFailed("Username / Password Validation Failed", RESPONDER);
        return;
    }
    // Make the verified password available as the identity's credential so it can
    // be propagated to other components on behalf of the authenticated user.
    try {
        callbackHandler.handle(new Callback[] {
            new IdentityCredentialCallback(
                new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray())),
                true)
        });
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
    /*
     * The next callback is important, although at this stage they are authenticated an authorization check is now needed to
     * ensure the user has the LoginPermission granted allowing them to login.
     */
    AuthorizeCallback authorizeCallback = new AuthorizeCallback(username, username);
    try {
        callbackHandler.handle(new Callback[] { authorizeCallback });
        if (authorizeCallback.isAuthorized()) {
            // Tell the security domain the outcome, then tell the HTTP layer.
            callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.SUCCEEDED });
            request.authenticationComplete();
        } else {
            callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.FAILED });
            request.authenticationFailed("Authorization check failed.", RESPONDER);
        }
        return;
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
}
Also used:
    NameCallback (javax.security.auth.callback.NameCallback)
    IdentityCredentialCallback (org.wildfly.security.auth.callback.IdentityCredentialCallback)
    HttpAuthenticationException (org.wildfly.security.http.HttpAuthenticationException)
    PasswordCredential (org.wildfly.security.credential.PasswordCredential)
    PasswordGuessEvidence (org.wildfly.security.evidence.PasswordGuessEvidence)
    EvidenceVerifyCallback (org.wildfly.security.auth.callback.EvidenceVerifyCallback)
    IOException (java.io.IOException)
    UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)
    AuthorizeCallback (javax.security.sasl.AuthorizeCallback)

Aggregations (number of examples above that use each type):

    NameCallback (javax.security.auth.callback.NameCallback): 2
    EvidenceVerifyCallback (org.wildfly.security.auth.callback.EvidenceVerifyCallback): 2
    PasswordGuessEvidence (org.wildfly.security.evidence.PasswordGuessEvidence): 2
    IOException (java.io.IOException): 1
    UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException): 1
    LoginException (javax.security.auth.login.LoginException): 1
    AuthorizeCallback (javax.security.sasl.AuthorizeCallback): 1
    RealmCallback (javax.security.sasl.RealmCallback): 1
    IdentityCredentialCallback (org.wildfly.security.auth.callback.IdentityCredentialCallback): 1
    PasswordCredential (org.wildfly.security.credential.PasswordCredential): 1
    HttpAuthenticationException (org.wildfly.security.http.HttpAuthenticationException): 1