Search in sources :

Example 6 with PasswordGuessEvidence

use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.

the class ElytronSecurityDomainContextImpl method authenticate.

private SecurityIdentity authenticate(final String username, final String password) {
    ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
    PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.toCharArray() : null);
    try {
        context.setAuthenticationName(username);
        if (context.verifyEvidence(evidence)) {
            if (context.authorize()) {
                context.succeed();
                return context.getAuthorizedIdentity();
            } else {
                context.fail();
                WSLogger.ROOT_LOGGER.failedAuthorization(username);
            }
        } else {
            context.fail();
            WSLogger.ROOT_LOGGER.failedAuthentication(username);
        }
    } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
        context.fail();
        WSLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
    } finally {
        // prevent leaks of RealmIdentity instances
        if (!context.isDone())
            context.fail();
        evidence.destroy();
    }
    return null;
}
Also used : ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext) PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence) RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)

Example 7 with PasswordGuessEvidence

use of org.wildfly.security.evidence.PasswordGuessEvidence in project quickstart by wildfly.

the class CustomHeaderHttpAuthenticationMechanism method evaluateRequest.

public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
    final String username = request.getFirstRequestHeaderValue(USERNAME_HEADER);
    final String password = request.getFirstRequestHeaderValue(PASSWORD_HEADER);
    if (username == null || username.length() == 0 || password == null || password.length() == 0) {
        /*
             * This mechanism is not performing authentication at this time however other mechanisms may be in use concurrently and could succeed so we register
             */
        request.noAuthenticationInProgress(RESPONDER);
        return;
    }
    /*
         * The first two callbacks are used to authenticate a user using the supplied username and password.
         */
    NameCallback nameCallback = new NameCallback("Remote Authentication Name", username);
    nameCallback.setName(username);
    final PasswordGuessEvidence evidence = new PasswordGuessEvidence(password.toCharArray());
    EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(evidence);
    try {
        callbackHandler.handle(new Callback[] { nameCallback, evidenceVerifyCallback });
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
    if (evidenceVerifyCallback.isVerified() == false) {
        request.authenticationFailed("Username / Password Validation Failed", RESPONDER);
    }
    try {
        callbackHandler.handle(new Callback[] { new IdentityCredentialCallback(new PasswordCredential(ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray())), true) });
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
    /*
         * The next callback is important, although at this stage they are authenticated an authorization check is now needed to
         * ensure the user has the LoginPermission granted allowing them to login.
         */
    AuthorizeCallback authorizeCallback = new AuthorizeCallback(username, username);
    try {
        callbackHandler.handle(new Callback[] { authorizeCallback });
        if (authorizeCallback.isAuthorized()) {
            callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.SUCCEEDED });
            request.authenticationComplete();
        } else {
            callbackHandler.handle(new Callback[] { AuthenticationCompleteCallback.FAILED });
            request.authenticationFailed("Authorization check failed.", RESPONDER);
        }
        return;
    } catch (IOException | UnsupportedCallbackException e) {
        throw new HttpAuthenticationException(e);
    }
}
Also used : NameCallback(javax.security.auth.callback.NameCallback) IdentityCredentialCallback(org.wildfly.security.auth.callback.IdentityCredentialCallback) HttpAuthenticationException(org.wildfly.security.http.HttpAuthenticationException) PasswordCredential(org.wildfly.security.credential.PasswordCredential) PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence) EvidenceVerifyCallback(org.wildfly.security.auth.callback.EvidenceVerifyCallback) IOException(java.io.IOException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) AuthorizeCallback(javax.security.sasl.AuthorizeCallback)

Example 8 with PasswordGuessEvidence

use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.

the class ElytronCallbackHandler method authenticate.

/**
 * Authenticate the user with the given credential against the configured Elytron security domain.
 *
 * @param username the user being authenticated.
 * @param credential the credential used as evidence to verify the user's identity.
 * @return the authenticated and authorized {@link SecurityIdentity}.
 * @throws IOException if an error occurs while authenticating the user.
 */
private SecurityIdentity authenticate(final String username, final char[] credential) throws IOException {
    final ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
    final PasswordGuessEvidence evidence = new PasswordGuessEvidence(credential != null ? credential : null);
    try {
        context.setAuthenticationName(username);
        if (context.verifyEvidence(evidence)) {
            if (context.authorize()) {
                context.succeed();
                return context.getAuthorizedIdentity();
            } else {
                context.fail();
                throw new SecurityException("Authorization failed");
            }
        } else {
            context.fail();
            throw new SecurityException("Authentication failed");
        }
    } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
        context.fail();
        throw e;
    } finally {
        if (!context.isDone()) {
            context.fail();
        }
        evidence.destroy();
    }
}
Also used : ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext) PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence) RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)

Example 9 with PasswordGuessEvidence

use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.

the class ElytronSecurityManager method authenticate.

/**
 * Attempt to authenticate and authorize an username with the specified password evidence.
 *
 * @param username the username being authenticated.
 * @param password the password to be verified.
 * @return a reference to the {@link SecurityIdentity} if the user was successfully authenticated and authorized;
 *  {@code null} otherwise.
 */
private SecurityIdentity authenticate(final String username, final String password) {
    ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
    PasswordGuessEvidence evidence = null;
    try {
        if (password == null) {
            if (username == null) {
                if (context.authorizeAnonymous()) {
                    context.succeed();
                    return context.getAuthorizedIdentity();
                } else {
                    context.fail();
                    return null;
                }
            } else {
                // treat a non-null user name with a null password as a auth failure
                context.fail();
                return null;
            }
        }
        context.setAuthenticationName(username);
        evidence = new PasswordGuessEvidence(password.toCharArray());
        if (context.verifyEvidence(evidence)) {
            if (context.authorize()) {
                context.succeed();
                return context.getAuthorizedIdentity();
            } else {
                context.fail();
                MessagingLogger.ROOT_LOGGER.failedAuthorization(username);
            }
        } else {
            context.fail();
            MessagingLogger.ROOT_LOGGER.failedAuthentication(username);
        }
    } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
        context.fail();
        MessagingLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
    } finally {
        if (evidence != null) {
            evidence.destroy();
        }
    }
    return null;
}
Also used : ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext) PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence) RealmUnavailableException(org.wildfly.security.auth.server.RealmUnavailableException)

Example 10 with PasswordGuessEvidence

use of org.wildfly.security.evidence.PasswordGuessEvidence in project wildfly by wildfly.

the class SeccontextUtil method switchIdentity.

/**
 * Method which handles {@link ReAuthnType} types by using Elytron API. Based on provided type new
 * {@link AuthenticationContext} is created and given callable is called within the context.
 *
 * @param username login name used for reauthentication scenarios (or null)
 * @param password password used for reauthentication scenarios (or null)
 * @param authzName used for authorization name
 * @param callable logic to be executed in the requested AuthenticationContext
 * @param type reauthentication type
 * @return result of the callable call
 */
public static <T> T switchIdentity(final String username, final String password, final String authzName, final Callable<T> callable, ReAuthnType type) throws Exception {
    if (type == null) {
        type = ReAuthnType.AC_AUTHENTICATION;
    }
    final SecurityDomain securityDomain = SecurityDomain.getCurrent();
    AuthenticationConfiguration authCfg = AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL);
    switch(type) {
        case FORWARDED_AUTHENTICATION:
            return AuthenticationContext.empty().with(MatchRule.ALL, authCfg.useForwardedIdentity(securityDomain)).runCallable(callable);
        case FORWARDED_AUTHORIZATION:
            authCfg = authCfg.useForwardedAuthorizationIdentity(securityDomain);
        // fall through
        case AC_AUTHENTICATION:
            if (username != null) {
                authCfg = authCfg.useName(username);
            }
            if (password != null) {
                authCfg = authCfg.usePassword(password);
            }
            return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
        case AC_AUTHORIZATION:
            if (username != null) {
                authCfg = authCfg.useName(username);
            }
            if (password != null) {
                authCfg = authCfg.usePassword(password);
            }
            if (authzName != null) {
                authCfg = authCfg.useAuthorizationName(authzName);
            }
            return AuthenticationContext.empty().with(MatchRule.ALL, authCfg).runCallable(callable);
        case SD_AUTHENTICATION:
            return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(callable);
        case SD_AUTHENTICATION_FORWARDED:
            final Callable<T> forwardIdentityCallable = () -> {
                return AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.ALL).useForwardedIdentity(securityDomain)).runCallable(callable);
            };
            return password == null ? null : securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray())).runAs(forwardIdentityCallable);
        case NO_REAUTHN:
        default:
            return callable.call();
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) PasswordGuessEvidence(org.wildfly.security.evidence.PasswordGuessEvidence) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)

Aggregations

PasswordGuessEvidence (org.wildfly.security.evidence.PasswordGuessEvidence)10 RealmUnavailableException (org.wildfly.security.auth.server.RealmUnavailableException)4 ServerAuthenticationContext (org.wildfly.security.auth.server.ServerAuthenticationContext)4 SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)3 SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)3 IOException (java.io.IOException)2 NameCallback (javax.security.auth.callback.NameCallback)2 EvidenceVerifyCallback (org.wildfly.security.auth.callback.EvidenceVerifyCallback)2 PrintWriter (java.io.PrintWriter)1 Permission (java.security.Permission)1 EJBAccessException (javax.ejb.EJBAccessException)1 EJBException (javax.ejb.EJBException)1 NamingException (javax.naming.NamingException)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 LoginException (javax.security.auth.login.LoginException)1 AuthorizeCallback (javax.security.sasl.AuthorizeCallback)1 RealmCallback (javax.security.sasl.RealmCallback)1 ServletException (javax.servlet.ServletException)1 IdentityCredentialCallback (org.wildfly.security.auth.callback.IdentityCredentialCallback)1 AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)1