use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronSecurityDomainContextImpl method authenticate.
private SecurityIdentity authenticate(final String username, final String password) {
ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.toCharArray() : null);
try {
context.setAuthenticationName(username);
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthorization(username);
}
} else {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthentication(username);
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
} finally {
// prevent leaks of RealmIdentity instances
if (!context.isDone())
context.fail();
evidence.destroy();
}
return null;
}
use of org.wildfly.security.evidence.PasswordGuessEvidence in project quickstart by wildfly.
the class CustomHeaderHttpAuthenticationMechanism method evaluateRequest.
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
final String username = request.getFirstRequestHeaderValue(USERNAME_HEADER);
final String password = request.getFirstRequestHeaderValue(PASSWORD_HEADER);
if (username == null || username.length() == 0 || password == null || password.length() == 0) {
/*
* This mechanism is not performing authentication at this time however other mechanisms may be in use concurrently and could succeed so we register
*/
request.noAuthenticationInProgress(RESPONDER);
return;
}
/*
* The first two callbacks are used to authenticate a user using the supplied username and password.
*/
NameCallback nameCallback = new NameCallback("Remote Authentication Name", username);
nameCallback.setName(username);
final PasswordGuessEvidence evidence = new PasswordGuessEvidence(password.toCharArray());
EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(evidence);
try {
callbackHandler.handle(new Callback[] { nameCallback, evidenceVerifyCallback });
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
if (evidenceVerifyCallback.isVerified() == false) {
request.authenticationFailed("Username / Password Validation Failed", RESPONDER);
}
try {
callbackHandler.handle(new Callback[] { new IdentityCredentialCallback(new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray())), true) });
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
/*
* The next callback is important, although at this stage they are authenticated an authorization check is now needed to
* ensure the user has the LoginPermission granted allowing them to login.
*/
AuthorizeCallback authorizeCallback = new AuthorizeCallback(username, username);
try {
callbackHandler.handle(new Callback[] { authorizeCallback });
if (authorizeCallback.isAuthorized()) {
callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.SUCCEEDED });
request.authenticationComplete();
} else {
callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.FAILED });
request.authenticationFailed("Authorization check failed.", RESPONDER);
}
return;
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
}
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronCallbackHandler method authenticate.
/**
* Authenticate the user with the given credential against the configured Elytron security domain.
*
* @param username the user being authenticated.
* @param credential the credential used as evidence to verify the user's identity.
* @return the authenticated and authorized {@link SecurityIdentity}.
* @throws IOException if an error occurs while authenticating the user.
*/
private SecurityIdentity authenticate(final String username, final char[] credential) throws IOException {
final ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
final PasswordGuessEvidence evidence = new PasswordGuessEvidence(credential != null ? credential : null);
try {
context.setAuthenticationName(username);
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
throw new SecurityException("Authorization failed");
}
} else {
context.fail();
throw new SecurityException("Authentication failed");
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
throw e;
} finally {
if (!context.isDone()) {
context.fail();
}
evidence.destroy();
}
}
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronSecurityManager method authenticate.
/**
* Attempt to authenticate and authorize an username with the specified password evidence.
*
* @param username the username being authenticated.
* @param password the password to be verified.
* @return a reference to the {@link SecurityIdentity} if the user was successfully authenticated and authorized;
* {@code null} otherwise.
*/
private SecurityIdentity authenticate(final String username, final String password) {
ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
PasswordGuessEvidence evidence = null;
try {
if (password == null) {
if (username == null) {
if (context.authorizeAnonymous()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
return null;
}
} else {
// treat a non-null user name with a null password as a auth failure
context.fail();
return null;
}
}
context.setAuthenticationName(username);
evidence = new PasswordGuessEvidence(password.toCharArray());
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthorization(username);
}
} else {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthentication(username);
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
} finally {
if (evidence != null) {
evidence.destroy();
}
}
return null;
}
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class SeccontextUtil method switchIdentity.
/**
* Method which handles {@link ReAuthnType} types by using Elytron API. Based on provided type new
* {@link AuthenticationContext} is created and given callable is called within the context.
*
* @param username login name used for reauthentication scenarios (or null)
* @param password password used for reauthentication scenarios (or null)
* @param authzName used for authorization name
* @param callable logic to be executed in the requested AuthenticationContext
* @param type reauthentication type
* @return result of the callable call
*/
public static <T> T switchIdentity(final String username, final String password, final String authzName, final Callable<T> callable, ReAuthnType type) throws Exception {
if (type == null) {
type = ReAuthnType.AC_AUTHENTICATION;
}
final SecurityDomain securityDomain = SecurityDomain.getCurrent();
AuthenticationConfiguration authCfg = AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL);
switch(type) {
case FORWARDED_AUTHENTICATION:
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg.useForwardedIdentity(securityDomain)).runCallable(callable);
case FORWARDED_AUTHORIZATION:
authCfg = authCfg.useForwardedAuthorizationIdentity(securityDomain);
// fall through
case AC_AUTHENTICATION:
if (username != null) {
authCfg = authCfg.useName(username);
}
if (password != null) {
authCfg = authCfg.usePassword(password);
}
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
case AC_AUTHORIZATION:
if (username != null) {
authCfg = authCfg.useName(username);
}
if (password != null) {
authCfg = authCfg.usePassword(password);
}
if (authzName != null) {
authCfg = authCfg.useAuthorizationName(authzName);
}
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
case SD_AUTHENTICATION:
return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(callable);
case SD_AUTHENTICATION_FORWARDED:
final Callable<T> forwardIdentityCallable = () -> {
return AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL).useForwardedIdentity(securityDomain)).runCallable(callable);
};
return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(forwardIdentityCallable);
case NO_REAUTHN:
default:
return callable.call();
}
}
Aggregations