/**
 * Pure delegation: the wrapped {@code HttpMessageContext} decides what
 * "do nothing" means for this request.
 *
 * @return the status reported by the wrapped context
 */
@Override
public AuthenticationStatus doNothing() {
    final AuthenticationStatus status = getWrapped().doNothing();
    return status;
}
/**
 * Decides whether this request is the caller's first arrival at a protected
 * resource, i.e. the point at which a login dialog should be started rather
 * than resumed.
 *
 * <p>All five conditions of the original conjunction are evaluated in the
 * same order, with an early {@code false} as soon as one fails.
 *
 * @param httpMessageContext the context of the request under evaluation
 * @return {@code true} only when the resource is protected, this is not an
 *         {@code HttpServletRequest#authenticate} call, no dialog state is
 *         saved yet, and the URI is not the form-login postback target
 */
private boolean isOnInitialProtectedURL(HttpMessageContext httpMessageContext) {
    if (!httpMessageContext.isProtected()) {
        return false;
    }
    // HttpServletRequest#authenticate also reports isProtected() == true ("mandated"
    // authentication), but that call is used to resume a dialog that a protected
    // page already started, so it must not count as a fresh arrival.
    if (httpMessageContext.isAuthenticationRequest()) {
        return false;
    }
    // A saved request or saved authentication means a dialog is already in flight.
    if (getSavedRequest(httpMessageContext.getRequest()) != null) {
        return false;
    }
    if (getSavedAuthentication(httpMessageContext.getRequest()) != null) {
        return false;
    }
    // Some containers treat the Servlet special URL "/j_security_check" itself as
    // a protected URL; it is the login postback target, not a resource the caller
    // is trying to reach.
    // NOTE(review): the suffix match carries no leading slash, so any URI ending in
    // "j_security_check" is excluded here — confirm that is intended.
    return !httpMessageContext.getRequest().getRequestURI().endsWith("j_security_check");
}
/**
 * Pure delegation: hands back the response object held by the wrapped context.
 *
 * @return the wrapped context's {@code HttpServletResponse}
 */
@Override
public HttpServletResponse getResponse() {
    final HttpServletResponse response = getWrapped().getResponse();
    return response;
}
/**
 * Runs the authentication chain for a dialog the caller started explicitly
 * (as opposed to one triggered by hitting a protected URL) and clears the
 * dialog marker once a caller principal is actually established.
 *
 * @param invocationContext  the interceptor chain; {@code proceed()} reaches the
 *                           next interceptor or the mechanism itself
 * @param request            the current request (unused here, kept for the
 *                           shared interceptor signature)
 * @param response           the current response (unused here)
 * @param httpMessageContext the message context whose request carries the
 *                           dialog marker
 * @return the mechanism's status; an {@code AuthException} from the chain is
 *         mapped to {@code SEND_FAILURE}
 * @throws Exception anything other than {@code AuthException} that
 *         {@code proceed()} throws
 */
private AuthenticationStatus processCallerInitiatedAuthentication(
        InvocationContext invocationContext,
        HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws Exception {

    AuthenticationStatus authstatus;
    try {
        // Delegate to the next interceptor, or to the actual authentication mechanism.
        authstatus = (AuthenticationStatus) invocationContext.proceed();
    } catch (AuthException e) {
        // NOTE(review): the exception and its cause are dropped here; nothing in
        // this method records why the mechanism failed.
        authstatus = AuthenticationStatus.SEND_FAILURE;
    }

    if (authstatus != AuthenticationStatus.SUCCESS) {
        return authstatus;
    }

    if (httpMessageContext.getCallerPrincipal() == null) {
        // SUCCESS without a caller principal is passed through untouched; the
        // dialog marker stays in place.
        return AuthenticationStatus.SUCCESS;
    }

    // A caller principal is established now, so the caller-initiated dialog
    // marker has served its purpose.
    removeCallerInitiatedAuthentication(httpMessageContext.getRequest());

    // TODO: for some mechanisms, such as OAuth, the caller would now likely be at an
    // application OAuth landing page, and should likely be returned to "some other"
    // location (e.g. the page from which a login link was clicked in a top menu bar).
    //
    // Do we add support for this, e.g. via a watered-down savedRequest (saving only a
    // caller-provided URL), or do we leave this as an application responsibility?
    return AuthenticationStatus.SUCCESS;
}
/**
 * Discards stale login-dialog state before a new dialog is considered.
 *
 * <p>Two situations are handled, in this order (the second may run after the
 * first and re-creates the caller-initiated marker):
 * <ol>
 *   <li>the caller abandoned an earlier dialog and now requests a protected
 *       resource again — saved request and caller-initiated marker are dropped;</li>
 *   <li>the caller explicitly asked for a new authentication via the auth
 *       parameters — the caller-initiated marker is (re)saved and both the saved
 *       request and saved authentication are dropped.</li>
 * </ol>
 *
 * @param httpMessageContext the context whose request holds the dialog state
 */
private void tryClean(HttpMessageContext httpMessageContext) {
    // 1. Caller aborted an earlier flow and does a new request to a protected resource.
    boolean abortedThenReturned = isOnProtectedURLWithStaleData(httpMessageContext);
    if (abortedThenReturned) {
        removeSavedRequest(httpMessageContext.getRequest());
        removeCallerInitiatedAuthentication(httpMessageContext.getRequest());
    }

    // 2. Caller aborted an earlier flow and explicitly initiated a new authentication dialog.
    boolean explicitNewDialog = httpMessageContext.getAuthParameters().isNewAuthentication();
    if (explicitNewDialog) {
        saveCallerInitiatedAuthentication(httpMessageContext.getRequest());
        removeSavedRequest(httpMessageContext.getRequest());
        removeSavedAuthentication(httpMessageContext.getRequest());
    }
}
return httpMessageContext.forward( loginToContinueAnnotation.loginPage()); } else { return httpMessageContext.redirect( getBaseURL(request) + loginToContinueAnnotation.loginPage()); if (httpMessageContext.getCallerPrincipal() == null) { return AuthenticationStatus.SUCCESS; httpMessageContext.getCallerPrincipal(), httpMessageContext.getGroups())); return httpMessageContext.redirect(savedRequest.getFullRequestURL()); return httpMessageContext.redirect( // TODO: optionally forward? getBaseURL(request) + errorPage); } else { .withRequest(new HttpServletRequestDelegator(request, requestData)) .notifyContainerAboutLogin( authenticationData.getPrincipal(), authenticationData.getGroups());
/**
 * HTTP Basic authentication: validates the credentials carried by the request
 * against the identity store, and challenges with {@code WWW-Authenticate}
 * only when the resource is protected.
 *
 * <p>Note that invalid or absent credentials on an <em>unprotected</em>
 * resource are not challenged at all; the request simply proceeds without a
 * caller.
 *
 * @param request        the incoming request
 * @param response       the response on which the challenge header is set
 * @param httpMsgContext the message context used to report the outcome
 * @return {@code notifyContainerAboutLogin} on a valid credential,
 *         {@code responseUnauthorized} when protected, otherwise {@code doNothing}
 * @throws AuthenticationException as declared by the mechanism contract
 */
@Override
public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
        HttpMessageContext httpMsgContext) throws AuthenticationException {

    String[] credentials = getCredentials(request);
    if (!isEmpty(credentials)) {
        IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
        // NOTE(review): assumes getCredentials() yields a {user, password} pair whenever
        // it is non-empty — confirm, otherwise credentials[1] throws on a one-element array.
        UsernamePasswordCredential credential =
            new UsernamePasswordCredential(credentials[0], new Password(credentials[1]));
        CredentialValidationResult result = identityStoreHandler.validate(credential);
        if (result.getStatus() == VALID) {
            return httpMsgContext.notifyContainerAboutLogin(result.getCallerPrincipal(), result.getCallerGroups());
        }
    }

    if (!httpMsgContext.isProtected()) {
        return httpMsgContext.doNothing();
    }

    // The realm comes from the mechanism's annotation, not from the request.
    response.setHeader("WWW-Authenticate",
        format("Basic realm=\"%s\"", basicAuthenticationMechanismDefinition.realmName()));
    return httpMsgContext.responseUnauthorized();
}
/**
 * Interceptor around {@code validateRequest}: short-circuits the mechanism when
 * a principal is already associated with the request, and otherwise asks the
 * container to register the session after a successful validation.
 *
 * @param invocationContext the intercepted call; parameter index 2 is the
 *                          {@code HttpMessageContext}
 * @return {@code SUCCESS} when a stored principal was re-established,
 *         otherwise whatever the intercepted method returns
 * @throws Exception propagated from the intercepted method or the callback handler
 */
@SuppressWarnings("unchecked")
@AroundInvoke
public Object intercept(InvocationContext invocationContext) throws Exception {
    if (!isImplementationOf(invocationContext.getMethod(), validateRequestMethod)) {
        // Not validateRequest: nothing to do for this interceptor.
        return invocationContext.proceed();
    }

    HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];

    Principal userPrincipal = getPrincipal(httpMessageContext.getRequest());
    if (userPrincipal != null) {
        // A principal is already associated with this request (presumably stored
        // by an earlier successful login — see getPrincipal). Re-establish it on
        // the client subject without running the mechanism again.
        // NOTE(review): whatever getPrincipal() returns is trusted as-is here; no
        // re-validation against the identity store happens on this path.
        Callback[] callbacks = new Callback[] {
            new CallerPrincipalCallback(httpMessageContext.getClientSubject(), userPrincipal)
        };
        httpMessageContext.getHandler().handle(callbacks);
        return SUCCESS;
    }

    Object outcome = invocationContext.proceed();
    if (SUCCESS.equals(outcome)) {
        // Ask the container to remember this login in the HTTP session
        // (the JASPIC "registerSession" message-info property). Nothing here
        // rotates the session id; NOTE(review): confirm the container does so on
        // login, or fixation of a pre-login session id becomes possible.
        httpMessageContext.getMessageInfo().getMap()
            .put("javax.servlet.http.registerSession", TRUE.toString());
    }
    return outcome;
}
/**
 * Called in response to a {@link HttpServletRequest#logout()} call.
 *
 * <p>Wraps the JASPIC message info and subject in an {@code HttpMessageContext}
 * and hands the cleanup to the CDI-resolved {@code HttpAuthenticationMechanism}.
 *
 * @param messageInfo the JASPIC message info for the current exchange
 * @param subject     the subject being cleaned
 * @throws AuthException as declared by the JASPIC contract
 */
@Override
public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, messageInfo, subject);

    HttpAuthenticationMechanism mechanism =
        CDI.current().select(HttpAuthenticationMechanism.class).get();
    mechanism.cleanSubject(msgContext.getRequest(), msgContext.getResponse(), msgContext);
}
return context.responseUnauthorized(); } else if (token != null) { } else if (context.isProtected()) { return context.responseUnauthorized(); return context.doNothing();
/**
 * Custom-form authentication: validates a credential supplied programmatically
 * through the auth parameters (rather than read from request parameters).
 *
 * <p>How an invalid result is reported is decided inside
 * {@code notifyContainerAboutLogin(CredentialValidationResult)}; this method
 * does not inspect the result itself.
 *
 * @param request            the incoming request (unused directly)
 * @param response           the outgoing response (unused directly)
 * @param httpMessageContext carries the auth parameters and reports the outcome
 * @return the container notification status, or {@code doNothing} when no
 *         credential was supplied
 * @throws AuthenticationException as declared by the mechanism contract
 */
@Override
public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws AuthenticationException {

    if (!hasCredential(httpMessageContext)) {
        // Nothing supplied: neither challenge nor fail, just let the request pass.
        return httpMessageContext.doNothing();
    }

    IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
    return httpMessageContext.notifyContainerAboutLogin(
        identityStoreHandler.validate(httpMessageContext.getAuthParameters().getCredential()));
}
return httpMessageContext.notifyContainerAboutLogin( result.getCallerPrincipal(), result.getCallerGroups()); } else { if (authstatus == AuthenticationStatus.SUCCESS && httpMessageContext.getCallerPrincipal() != null) { toCallerPrincipal(httpMessageContext.getCallerPrincipal()), httpMessageContext.getGroups() );
/**
 * Pure delegation: the wrapped context turns the validation result into a
 * container notification.
 *
 * @param result the identity store's verdict
 * @return the status reported by the wrapped context
 */
@Override
public AuthenticationStatus notifyContainerAboutLogin(CredentialValidationResult result) {
    final AuthenticationStatus status = getWrapped().notifyContainerAboutLogin(result);
    return status;
}
/**
 * Form authentication: on a valid login-form postback, validates the posted
 * {@code j_username} / {@code j_password} pair against the identity store.
 *
 * <p>Any other request is left alone ({@code doNothing}); starting the login
 * dialog for protected resources is not this method's job.
 *
 * @param request            the incoming request, read for the two form fields
 * @param response           the outgoing response (unused directly)
 * @param httpMessageContext reports the outcome to the container
 * @return the container notification status, or {@code doNothing} when this
 *         is not a login-form postback
 * @throws AuthenticationException as declared by the mechanism contract
 */
@Override
public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response,
        HttpMessageContext httpMessageContext) throws AuthenticationException {

    if (!isValidFormPostback(request)) {
        return httpMessageContext.doNothing();
    }

    // NOTE(review): assumes isValidFormPostback() established that both fields are
    // present — confirm; a missing j_password reaches new Password(null) here.
    String username = request.getParameter("j_username");
    String password = request.getParameter("j_password");

    IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
    return httpMessageContext.notifyContainerAboutLogin(
        identityStoreHandler.validate(new UsernamePasswordCredential(username, new Password(password))));
}
/**
 * Validates the JWT access token (signature and claims such as expiration are
 * checked by {@code tokenProvider.validateToken}) and, when it holds, logs the
 * embedded principal in.
 *
 * @param token   the JWT access token
 * @param context the message context used to report the outcome
 * @return {@code notifyContainerAboutLogin} for a valid token, otherwise
 *         {@code responseUnauthorized} (also for an expired token)
 */
private AuthenticationStatus validateToken(String token, HttpMessageContext context) {
    try {
        if (!tokenProvider.validateToken(token)) {
            // Token rejected (bad signature / claims): challenge rather than fall through.
            return context.responseUnauthorized();
        }
        JWTCredential credential = tokenProvider.getCredential(token);
        return context.notifyContainerAboutLogin(credential.getPrincipal(), credential.getAuthorities());
    } catch (ExpiredJwtException eje) {
        // NOTE(review): only expiry is caught here. Other JWT failures (malformed
        // token, invalid signature) are assumed to be absorbed inside
        // tokenProvider.validateToken — confirm, otherwise they propagate out of
        // this method instead of producing a 401.
        String[] logArgs = new String[] { eje.getClaims().getSubject(), eje.getMessage() };
        LOGGER.log(Level.INFO, "Security exception for user {0} - {1}", logArgs);
        return context.responseUnauthorized();
    }
}
/**
 * Creates the JWT for a freshly validated caller and notifies the container.
 *
 * <p>The token is issued — as a {@code Bearer} value in the response's
 * authorization header — only when the caller did <em>not</em> ask for
 * remember-me; the container notification happens in both cases.
 *
 * @param result  the identity store result for the validated
 *                {@code UsernamePasswordCredential}
 * @param context the message context whose response receives the header
 * @return the container notification status
 */
private AuthenticationStatus createToken(CredentialValidationResult result, HttpMessageContext context) {
    boolean rememberMe = isRememberMe(context);
    if (!rememberMe) {
        // The token carries the caller name and groups as of now.
        // NOTE(review): the third createToken argument is an opaque flag here —
        // presumably "remember me"; confirm against the provider.
        String jwt = tokenProvider.createToken(
            result.getCallerPrincipal().getName(), result.getCallerGroups(), false);
        context.getResponse().setHeader(AUTHORIZATION_HEADER, BEARER + jwt);
    }
    return context.notifyContainerAboutLogin(result.getCallerPrincipal(), result.getCallerGroups());
}
/**
 * Invoked through the {@code RememberMe.isRememberMeExpression} EL expression.
 *
 * <p>Reads the {@code rememberme} request parameter; {@link Boolean#valueOf}
 * yields {@code TRUE} only for the string {@code "true"} (case-insensitive), so
 * an absent parameter is {@code FALSE}.
 *
 * @param context the message context whose request is inspected
 * @return the remember-me flag
 */
public Boolean isRememberMe(HttpMessageContext context) {
    String flag = context.getRequest().getParameter("rememberme");
    return Boolean.valueOf(flag);
}
/**
 * Pure delegation: exposes the wrapped context's authentication parameters.
 *
 * @return the wrapped context's {@code AuthenticationParameters}
 */
@Override
public AuthenticationParameters getAuthParameters() {
    final AuthenticationParameters parameters = getWrapped().getAuthParameters();
    return parameters;
}
/**
 * Pure delegation: the wrapped context produces the unauthorized response.
 *
 * @return the status reported by the wrapped context
 */
@Override
public AuthenticationStatus responseUnauthorized() {
    final AuthenticationStatus status = getWrapped().responseUnauthorized();
    return status;
}
/**
 * Pure delegation: asks the wrapped context whether the requested resource
 * mandates authentication.
 *
 * @return {@code true} when the wrapped context reports the resource as protected
 */
@Override
public boolean isProtected() {
    final boolean protectedResource = getWrapped().isProtected();
    return protectedResource;
}