Example 1 with JWTCredential

Use of org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTCredential in the project wildfly-swarm (by wildfly-swarm).

From the class JWTAuthMechanism, method authenticate:

/**
 * Extract the Authorization header and validate the bearer token if it exists. If it does, and is validated, this
 * builds the org.jboss.security.SecurityContext authenticated Subject that drives the container APIs as well as
 * the authorization layers.
 *
 * @param exchange        - the http request exchange object
 * @param securityContext - the current security context that
 * @return one of AUTHENTICATED, NOT_AUTHENTICATED or NOT_ATTEMPTED depending on the header and authentication outcome.
 */
@Override
public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
    // A request may carry several Authorization headers; the first "Bearer" one decides the outcome
    List<String> authHeaders = exchange.getRequestHeaders().get(AUTHORIZATION);
    if (authHeaders != null) {
        String bearerToken = null;
        for (String current : authHeaders) {
            // The auth-scheme is matched case-insensitively (RFC 7235); the token is everything after "Bearer "
            if (current.toLowerCase(Locale.ENGLISH).startsWith("bearer ")) {
                bearerToken = current.substring(7);
                // Note: this writes the raw bearer token to the security trace log
                if (UndertowLogger.SECURITY_LOGGER.isTraceEnabled()) {
                    UndertowLogger.SECURITY_LOGGER.tracef("Bearer token: %s", bearerToken);
                }
                try {
                    // Token validation is delegated to the IdentityManager configured for this deployment
                    identityManager = securityContext.getIdentityManager();
                    JWTCredential credential = new JWTCredential(bearerToken, authContextInfo);
                    // Install the JWT principal as the caller
                    Account account = identityManager.verify(credential.getName(), credential);
                    if (account != null) {
                        JsonWebToken jwtPrincipal = (JsonWebToken) account.getPrincipal();
                        MPJWTProducer.setJWTPrincipal(jwtPrincipal);
                        JWTAccount jwtAccount = new JWTAccount(jwtPrincipal, account);
                        securityContext.authenticationComplete(jwtAccount, "MP-JWT", false);
                        // Workaround authenticated JsonWebToken not being installed as user principal
                        // https://issues.jboss.org/browse/WFLY-9212
                        org.jboss.security.SecurityContext jbSC = SecurityContextAssociation.getSecurityContext();
                        Subject subject = jbSC.getUtil().getSubject();
                        jbSC.getUtil().createSubjectInfo(jwtPrincipal, bearerToken, subject);
                        // Derive the caller's roles from the Subject and publish them to the authorization layer
                        RoleGroup roles = extract(subject);
                        jbSC.getUtil().setRoles(roles);
                        UndertowLogger.SECURITY_LOGGER.debugf("Authenticated caller(%s) for path(%s) with roles: %s", credential.getName(), exchange.getRequestPath(), account.getRoles());
                        return AuthenticationMechanismOutcome.AUTHENTICATED;
                    } else {
                        // The IdentityManager rejected the token
                        UndertowLogger.SECURITY_LOGGER.info("Failed to authenticate JWT bearer token");
                        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                    }
                } catch (Exception e) {
                    // Any error during validation fails closed: the request is not authenticated
                    UndertowLogger.SECURITY_LOGGER.infof(e, "Failed to validate JWT bearer token");
                    return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }
            }
        }
    }
    // No suitable header has been found in this request, so no authentication was attempted
    return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
}
Also used (imports referenced by this method):

import org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTCredential;
import io.undertow.security.idm.Account;
import org.eclipse.microprofile.jwt.JsonWebToken;
import javax.security.auth.Subject;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
