Example 6 with PasswordGuessEvidence
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronSecurityDomainContextImpl method authenticate.
private SecurityIdentity authenticate(final String username, final String password) {
ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.toCharArray() : null);
try {
context.setAuthenticationName(username);
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthorization(username);
}
} else {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthentication(username);
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
WSLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
} finally {
// prevent leaks of RealmIdentity instances
if (!context.isDone())
context.fail();
evidence.destroy();
}
return null;
}
Also used :
ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext)
PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence)
RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)
Example 7 with PasswordGuessEvidence
use of org.wildfly.security.evidence.PasswordGuessEvidence in project quickstart by wildfly.
the class CustomHeaderHttpAuthenticationMechanism method evaluateRequest.
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
final String username = request.getFirstRequestHeaderValue(USERNAME_HEADER);
final String password = request.getFirstRequestHeaderValue(PASSWORD_HEADER);
if (username == null || username.length() == 0 || password == null || password.length() == 0) {
/*
* This mechanism is not performing authentication at this time however other mechanisms may be in use concurrently and could succeed so we register
*/
request.noAuthenticationInProgress(RESPONDER);
return;
}
/*
* The first two callbacks are used to authenticate a user using the supplied username and password.
*/
NameCallback nameCallback = new NameCallback("Remote Authentication Name", username);
nameCallback.setName(username);
final PasswordGuessEvidence evidence = new PasswordGuessEvidence(password.toCharArray());
EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(evidence);
try {
callbackHandler.handle(new Callback[] { nameCallback, evidenceVerifyCallback });
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
if (evidenceVerifyCallback.isVerified() == false) {
request.authenticationFailed("Username / Password Validation Failed", RESPONDER);
}
try {
callbackHandler.handle(new Callback[] { new IdentityCredentialCallback(new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray())), true) });
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
/*
* The next callback is important, although at this stage they are authenticated an authorization check is now needed to
* ensure the user has the LoginPermission granted allowing them to login.
*/
AuthorizeCallback authorizeCallback = new AuthorizeCallback(username, username);
try {
callbackHandler.handle(new Callback[] { authorizeCallback });
if (authorizeCallback.isAuthorized()) {
callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.SUCCEEDED });
request.authenticationComplete();
} else {
callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.FAILED });
request.authenticationFailed("Authorization check failed.", RESPONDER);
}
return;
} catch (IOException | UnsupportedCallbackException e) {
throw new HttpAuthenticationException(e);
}
}
Also used :
NameCallback(javax.security.auth.callback.NameCallback)
IdentityCredentialCallback(org.wildfly.security.auth.callback.IdentityCredentialCallback)
HttpAuthenticationException(org.wildfly.security.http.HttpAuthenticationException)
PasswordCredential(org.wildfly.security.credential.PasswordCredential)
PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence)
EvidenceVerifyCallback(org.wildfly.security.auth.callback.EvidenceVerifyCallback)
IOException(java.io.IOException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
AuthorizeCallback(javax.security.sasl.AuthorizeCallback)
Example 8 with PasswordGuessEvidence
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronCallbackHandler method authenticate.
/**
* Authenticate the user with the given credential against the configured Elytron security domain.
*
* @param username the user being authenticated.
* @param credential the credential used as evidence to verify the user's identity.
* @return the authenticated and authorized {@link SecurityIdentity}.
* @throws IOException if an error occurs while authenticating the user.
*/
private SecurityIdentity authenticate(final String username, final char[] credential) throws IOException {
final ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
final PasswordGuessEvidence evidence = new PasswordGuessEvidence(credential != null ? credential : null);
try {
context.setAuthenticationName(username);
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
throw new SecurityException("Authorization failed");
}
} else {
context.fail();
throw new SecurityException("Authentication failed");
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
throw e;
} finally {
if (!context.isDone()) {
context.fail();
}
evidence.destroy();
}
}
Also used :
ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext)
PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence)
RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)
Example 9 with PasswordGuessEvidence
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class ElytronSecurityManager method authenticate.
/**
* Attempt to authenticate and authorize an username with the specified password evidence.
*
* @param username the username being authenticated.
* @param password the password to be verified.
* @return a reference to the {@link SecurityIdentity} if the user was successfully authenticated and authorized;
* {@code null} otherwise.
*/
private SecurityIdentity authenticate(final String username, final String password) {
ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
PasswordGuessEvidence evidence = null;
try {
if (password == null) {
if (username == null) {
if (context.authorizeAnonymous()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
return null;
}
} else {
// treat a non-null user name with a null password as a auth failure
context.fail();
return null;
}
}
context.setAuthenticationName(username);
evidence = new PasswordGuessEvidence(password.toCharArray());
if (context.verifyEvidence(evidence)) {
if (context.authorize()) {
context.succeed();
return context.getAuthorizedIdentity();
} else {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthorization(username);
}
} else {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthentication(username);
}
} catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
context.fail();
MessagingLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
} finally {
if (evidence != null) {
evidence.destroy();
}
}
return null;
}
Also used :
ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext)
PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence)
RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)
Example 10 with PasswordGuessEvidence
use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.
the class SeccontextUtil method switchIdentity.
/**
* Method which handles {@link ReAuthnType} types by using Elytron API. Based on provided type new
* {@link AuthenticationContext} is created and given callable is called within the context.
*
* @param username login name used for reauthentication scenarios (or null)
* @param password password used for reauthentication scenarios (or null)
* @param authzName used for authorization name
* @param callable logic to be executed in the requested AuthenticationContext
* @param type reauthentication type
* @return result of the callable call
*/
public static <T> T switchIdentity(final String username, final String password, final String authzName, final Callable<T> callable, ReAuthnType type) throws Exception {
if (type == null) {
type = ReAuthnType.AC_AUTHENTICATION;
}
final SecurityDomain securityDomain = SecurityDomain.getCurrent();
AuthenticationConfiguration authCfg = AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL);
switch(type) {
case FORWARDED_AUTHENTICATION:
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg.useForwardedIdentity(securityDomain)).runCallable(callable);
case FORWARDED_AUTHORIZATION:
authCfg = authCfg.useForwardedAuthorizationIdentity(securityDomain);
// fall through
case AC_AUTHENTICATION:
if (username != null) {
authCfg = authCfg.useName(username);
}
if (password != null) {
authCfg = authCfg.usePassword(password);
}
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
case AC_AUTHORIZATION:
if (username != null) {
authCfg = authCfg.useName(username);
}
if (password != null) {
authCfg = authCfg.usePassword(password);
}
if (authzName != null) {
authCfg = authCfg.useAuthorizationName(authzName);
}
return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
case SD_AUTHENTICATION:
return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(callable);
case SD_AUTHENTICATION_FORWARDED:
final Callable<T> forwardIdentityCallable = () -> {
return AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL).useForwardedIdentity(securityDomain)).runCallable(callable);
};
return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(forwardIdentityCallable);
case NO_REAUTHN:
default:
return callable.call();
}
}
Also used :
AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration)
PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
Aggregations
PasswordGuessEvidence (org.wildfly.security.evidence.PasswordGuessEvidence)10
RealmUnavailableException (org.wildfly.security.auth.server.RealmUnavailableException)4
ServerAuthenticationContext (org.wildfly.security.auth.server.ServerAuthenticationContext)4
SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)3
SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)3
IOException (java.io.IOException)2
NameCallback (javax.security.auth.callback.NameCallback)2
EvidenceVerifyCallback (org.wildfly.security.auth.callback.EvidenceVerifyCallback)2
PrintWriter (java.io.PrintWriter)1
Permission (java.security.Permission)1
EJBAccessException (javax.ejb.EJBAccessException)1
EJBException (javax.ejb.EJBException)1
NamingException (javax.naming.NamingException)1
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1
LoginException (javax.security.auth.login.LoginException)1
AuthorizeCallback (javax.security.sasl.AuthorizeCallback)1
RealmCallback (javax.security.sasl.RealmCallback)1
ServletException (javax.servlet.ServletException)1
IdentityCredentialCallback (org.wildfly.security.auth.callback.IdentityCredentialCallback)1
AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)1
