/**
 * Evaluates the "remember me" flag for the current request.
 * <p>
 * Invoked from the {@code RememberMe.isRememberMeExpression} EL expression.
 *
 * @param context the message context whose request carries the {@code rememberme} parameter
 * @return {@code Boolean.TRUE} only when the parameter value equals "true" (case-insensitive);
 *         {@code Boolean.FALSE} for any other value, including an absent parameter
 */
public Boolean isRememberMe(HttpMessageContext context) {
    String rawFlag = context.getRequest().getParameter("rememberme");
    // Boolean.valueOf(null) yields FALSE, so a missing parameter simply means "not remembered".
    return Boolean.valueOf(rawFlag);
}
/**
 * Extracts the bearer token from the {@code Authorization} HTTP header.
 *
 * @param context the message context whose request headers are inspected
 * @return the text that follows the {@code BEARER} prefix (possibly empty when the header carries
 *         only the prefix), or {@code null} when the header is absent or does not start with it
 */
private String extractToken(HttpMessageContext context) {
    String header = context.getRequest().getHeader(AUTHORIZATION_HEADER);
    if (header == null || !header.startsWith(BEARER)) {
        return null;
    }
    // Everything after the prefix is handed back verbatim; no trimming or validation happens here.
    return header.substring(BEARER.length());
}
/**
 * Returns the servlet request of the wrapped context.
 *
 * @return the {@link HttpServletRequest} exposed by the object returned from {@code getWrapped()}
 */
@Override
public HttpServletRequest getRequest() {
    // Pure delegation; no state of this wrapper is consulted.
    return getWrapped()
        .getRequest();
}
/**
 * Returns the servlet request of the wrapped context.
 *
 * @return the {@link HttpServletRequest} exposed by the object returned from {@code getWrapped()}
 */
@Override
public HttpServletRequest getRequest() {
    // Pure delegation; no state of this wrapper is consulted.
    return getWrapped()
        .getRequest();
}
/**
 * Returns the servlet request of the wrapped context.
 *
 * @return the {@link HttpServletRequest} exposed by the object returned from {@code getWrapped()}
 */
@Override
public HttpServletRequest getRequest() {
    // Pure delegation; no state of this wrapper is consulted.
    return getWrapped()
        .getRequest();
}
/**
 * Returns the servlet request of the wrapped context.
 *
 * @return the {@link HttpServletRequest} exposed by the object returned from {@code getWrapped()}
 */
@Override
public HttpServletRequest getRequest() {
    // Pure delegation; no state of this wrapper is consulted.
    return getWrapped()
        .getRequest();
}
/**
 * Tells whether the current request is the first hit on a protected URL, i.e. one for which
 * neither a saved request nor a saved authentication exists yet.
 *
 * @param httpMessageContext the context of the request being validated
 * @return {@code true} when a new login-to-continue dialog should be started for this request
 */
private boolean isOnInitialProtectedURL(HttpMessageContext httpMessageContext) {
    if (!httpMessageContext.isProtected()) {
        return false;
    }
    // HttpServletRequest#authenticate also counts as "mandated" authentication (isProtected() is
    // true), but it is used to resume a dialog started on a protected page, so exclude it here.
    if (httpMessageContext.isAuthenticationRequest()) {
        return false;
    }
    if (getSavedRequest(httpMessageContext.getRequest()) != null) {
        return false;
    }
    if (getSavedAuthentication(httpMessageContext.getRequest()) != null) {
        return false;
    }
    // Some servers treat the special Servlet URL "/j_security_check" as protected; skip it.
    // NOTE(review): this is a plain suffix match on the request URI, so any path that merely
    // ends in "j_security_check" is excluded as well, not only the "/j_security_check" path.
    return !httpMessageContext.getRequest().getRequestURI().endsWith("j_security_check");
}
/**
 * Tells whether the current request hits a protected URL while a saved request from an earlier,
 * unfinished login-to-continue flow is still present without a saved authentication.
 *
 * @param httpMessageContext the context of the request being validated
 * @return {@code true} when leftover state of an abandoned flow should be cleared
 */
private boolean isOnProtectedURLWithStaleData(HttpMessageContext httpMessageContext) {
    if (!httpMessageContext.isProtected()) {
        return false;
    }
    // HttpServletRequest#authenticate also counts as "mandated" authentication (isProtected() is
    // true), but it is used to resume a dialog started on a protected page, so exclude it here.
    if (httpMessageContext.isAuthenticationRequest()) {
        return false;
    }
    // "Stale" means: a request was saved, but no authentication was saved for it.
    if (getSavedRequest(httpMessageContext.getRequest()) == null) {
        return false;
    }
    if (getSavedAuthentication(httpMessageContext.getRequest()) != null) {
        return false;
    }
    // Some servers treat the special Servlet URL "/j_security_check" as protected; skip it.
    // NOTE(review): this is a plain suffix match on the request URI, so any path that merely
    // ends in "j_security_check" is excluded as well, not only the "/j_security_check" path.
    return !httpMessageContext.getRequest().getRequestURI().endsWith("j_security_check");
}
/**
 * Tells whether the current request hits a protected URL while a saved request from an earlier,
 * unfinished login-to-continue flow is still present without a saved authentication.
 *
 * @param httpMessageContext the context of the request being validated
 * @return {@code true} when leftover state of an abandoned flow should be cleared
 */
private boolean isOnProtectedURLWithStaleData(HttpMessageContext httpMessageContext) {
    if (!httpMessageContext.isProtected()) {
        return false;
    }
    // HttpServletRequest#authenticate also counts as "mandated" authentication (isProtected() is
    // true), but it is used to resume a dialog started on a protected page, so exclude it here.
    if (httpMessageContext.isAuthenticationRequest()) {
        return false;
    }
    // "Stale" means: a request was saved, but no authentication was saved for it.
    if (getSavedRequest(httpMessageContext.getRequest()) == null) {
        return false;
    }
    if (getSavedAuthentication(httpMessageContext.getRequest()) != null) {
        return false;
    }
    // Some servers treat the special Servlet URL "/j_security_check" as protected; skip it.
    // NOTE(review): this is a plain suffix match on the request URI, so any path that merely
    // ends in "j_security_check" is excluded as well, not only the "/j_security_check" path.
    return !httpMessageContext.getRequest().getRequestURI().endsWith("j_security_check");
}
/**
 * Tells whether the current request is the first hit on a protected URL, i.e. one for which
 * neither a saved request nor a saved authentication exists yet.
 *
 * @param httpMessageContext the context of the request being validated
 * @return {@code true} when a new login-to-continue dialog should be started for this request
 */
private boolean isOnInitialProtectedURL(HttpMessageContext httpMessageContext) {
    if (!httpMessageContext.isProtected()) {
        return false;
    }
    // HttpServletRequest#authenticate also counts as "mandated" authentication (isProtected() is
    // true), but it is used to resume a dialog started on a protected page, so exclude it here.
    if (httpMessageContext.isAuthenticationRequest()) {
        return false;
    }
    if (getSavedRequest(httpMessageContext.getRequest()) != null) {
        return false;
    }
    if (getSavedAuthentication(httpMessageContext.getRequest()) != null) {
        return false;
    }
    // Some servers treat the special Servlet URL "/j_security_check" as protected; skip it.
    // NOTE(review): this is a plain suffix match on the request URI, so any path that merely
    // ends in "j_security_check" is excluded as well, not only the "/j_security_check" path.
    return !httpMessageContext.getRequest().getRequestURI().endsWith("j_security_check");
}
/**
 * Clears leftovers of an abandoned login-to-continue flow before the current request is handled.
 * <p>
 * The two checks run in this order on purpose: the first removes stale state for a fresh hit on a
 * protected resource, the second resets everything when the caller explicitly asked for a new
 * authentication dialog.
 *
 * @param httpMessageContext the context of the current request
 */
private void tryClean(HttpMessageContext httpMessageContext) {
    // 1. The caller abandoned an earlier flow and now requests a protected resource afresh.
    boolean staleFlowPresent = isOnProtectedURLWithStaleData(httpMessageContext);
    if (staleFlowPresent) {
        removeSavedRequest(httpMessageContext.getRequest());
        removeCallerInitiatedAuthentication(httpMessageContext.getRequest());
    }

    // 2. The caller abandoned an earlier flow and explicitly started a new authentication dialog.
    boolean newDialogRequested = httpMessageContext.getAuthParameters().isNewAuthentication();
    if (newDialogRequested) {
        saveCallerInitiatedAuthentication(httpMessageContext.getRequest());
        removeSavedRequest(httpMessageContext.getRequest());
        removeSavedAuthentication(httpMessageContext.getRequest());
    }
}
/**
 * Clears leftovers of an abandoned login-to-continue flow before the current request is handled.
 * <p>
 * The two checks run in this order on purpose: the first removes stale state for a fresh hit on a
 * protected resource, the second resets everything when the caller explicitly asked for a new
 * authentication dialog.
 *
 * @param httpMessageContext the context of the current request
 */
private void tryClean(HttpMessageContext httpMessageContext) {
    // 1. The caller abandoned an earlier flow and now requests a protected resource afresh.
    boolean staleFlowPresent = isOnProtectedURLWithStaleData(httpMessageContext);
    if (staleFlowPresent) {
        removeSavedRequest(httpMessageContext.getRequest());
        removeCallerInitiatedAuthentication(httpMessageContext.getRequest());
    }

    // 2. The caller abandoned an earlier flow and explicitly started a new authentication dialog.
    boolean newDialogRequested = httpMessageContext.getAuthParameters().isNewAuthentication();
    if (newDialogRequested) {
        saveCallerInitiatedAuthentication(httpMessageContext.getRequest());
        removeSavedRequest(httpMessageContext.getRequest());
        removeSavedAuthentication(httpMessageContext.getRequest());
    }
}
/**
 * Runs a caller-initiated authentication through the rest of the interceptor chain (and finally
 * the mechanism), then drops the dialog marker once a caller principal has been established.
 *
 * @param invocationContext  the interceptor chain to continue
 * @param request            the current request (not read by this method)
 * @param response           the current response (not read by this method)
 * @param httpMessageContext the message context of the current request
 * @return the status produced by the chain, or {@code SEND_FAILURE} when the chain threw an
 *         {@link AuthException}
 * @throws Exception any failure other than {@code AuthException} propagated from {@code proceed()}
 */
private AuthenticationStatus processCallerInitiatedAuthentication(InvocationContext invocationContext, HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws Exception {
    AuthenticationStatus outcome;
    try {
        outcome = (AuthenticationStatus) invocationContext.proceed();
    } catch (AuthException ignored) {
        // An AuthException from the chain is reported as a plain failure status.
        // NOTE(review): the exception itself is not recorded anywhere here, so its cause is lost.
        outcome = AuthenticationStatus.SEND_FAILURE;
    }

    if (outcome != AuthenticationStatus.SUCCESS) {
        return outcome;
    }
    if (httpMessageContext.getCallerPrincipal() == null) {
        // SUCCESS without a caller principal: nothing to finalise yet.
        return AuthenticationStatus.SUCCESS;
    }

    // A caller principal is now established, so the authentication-dialog marker can go.
    removeCallerInitiatedAuthentication(httpMessageContext.getRequest());

    // TODO: for some mechanisms, such as OAuth, the caller would now likely be at an
    // application OAuth landing page, and should likely be returned to "some other" location
    // (e.g. the page from which a login link was clicked in say a top menu bar).
    // Do we add support for this, e.g. via a watered down savedRequest (saving only a caller
    // provided URL), or do we leave this as an application responsibility?
    return outcome;
}
/**
 * Runs a caller-initiated authentication through the rest of the interceptor chain (and finally
 * the mechanism), then drops the dialog marker once a caller principal has been established.
 *
 * @param invocationContext  the interceptor chain to continue
 * @param request            the current request (not read by this method)
 * @param response           the current response (not read by this method)
 * @param httpMessageContext the message context of the current request
 * @return the status produced by the chain, or {@code SEND_FAILURE} when the chain threw an
 *         {@link AuthException}
 * @throws Exception any failure other than {@code AuthException} propagated from {@code proceed()}
 */
private AuthenticationStatus processCallerInitiatedAuthentication(InvocationContext invocationContext, HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMessageContext) throws Exception {
    AuthenticationStatus outcome;
    try {
        outcome = (AuthenticationStatus) invocationContext.proceed();
    } catch (AuthException ignored) {
        // An AuthException from the chain is reported as a plain failure status.
        // NOTE(review): the exception itself is not recorded anywhere here, so its cause is lost.
        outcome = AuthenticationStatus.SEND_FAILURE;
    }

    if (outcome != AuthenticationStatus.SUCCESS) {
        return outcome;
    }
    if (httpMessageContext.getCallerPrincipal() == null) {
        // SUCCESS without a caller principal: nothing to finalise yet.
        return AuthenticationStatus.SUCCESS;
    }

    // A caller principal is now established, so the authentication-dialog marker can go.
    removeCallerInitiatedAuthentication(httpMessageContext.getRequest());

    // TODO: for some mechanisms, such as OAuth, the caller would now likely be at an
    // application OAuth landing page, and should likely be returned to "some other" location
    // (e.g. the page from which a login link was clicked in say a top menu bar).
    // Do we add support for this, e.g. via a watered down savedRequest (saving only a caller
    // provided URL), or do we leave this as an application responsibility?
    return outcome;
}
/**
 * Called in response to a {@link HttpServletRequest#logout()} call; the work is delegated to the
 * {@link HttpAuthenticationMechanism} resolved through CDI for the current request.
 *
 * @param messageInfo the message info of the current exchange, wrapped into the context
 * @param subject     the subject handed to the mechanism for cleanup
 * @throws AuthException as declared by the overridden method
 */
@Override
public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, messageInfo, subject);
    HttpAuthenticationMechanism mechanism = CDI.current().select(HttpAuthenticationMechanism.class).get();
    mechanism.cleanSubject(msgContext.getRequest(), msgContext.getResponse(), msgContext);
}
/**
 * Called in response to a {@link HttpServletRequest#logout()} call; the work is delegated to the
 * {@link HttpAuthenticationMechanism} resolved through CDI for the current request.
 *
 * @param messageInfo the message info of the current exchange, wrapped into the context
 * @param subject     the subject handed to the mechanism for cleanup
 * @throws AuthException as declared by the overridden method
 */
@Override
public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, messageInfo, subject);
    HttpAuthenticationMechanism mechanism = CDI.current().select(HttpAuthenticationMechanism.class).get();
    mechanism.cleanSubject(msgContext.getRequest(), msgContext.getResponse(), msgContext);
}
/**
 * Intercepts the mechanism's {@code validateRequest}: when a principal is already known for the
 * request it is handed to the container through a {@link CallerPrincipalCallback} and
 * {@code SUCCESS} is returned without invoking the mechanism; otherwise the mechanism runs and, on
 * {@code SUCCESS}, the container is asked to register the session. Any other intercepted method is
 * passed straight through.
 *
 * @param invocationContext the intercepted invocation
 * @return {@code SUCCESS} when a principal was already present, else the outcome of the
 *         intercepted method
 * @throws Exception whatever the callback handler or the intercepted method throws
 */
@SuppressWarnings("unchecked")
@AroundInvoke
public Object intercept(InvocationContext invocationContext) throws Exception {
    boolean isValidateRequest = isImplementationOf(invocationContext.getMethod(), validateRequestMethod);
    if (!isValidateRequest) {
        return invocationContext.proceed();
    }

    HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
    Principal knownPrincipal = getPrincipal(httpMessageContext.getRequest());
    if (knownPrincipal != null) {
        // Short-circuit: a principal is already established, so tell the container and skip the mechanism.
        Callback[] callbacks = { new CallerPrincipalCallback(httpMessageContext.getClientSubject(), knownPrincipal) };
        httpMessageContext.getHandler().handle(callbacks);
        return SUCCESS;
    }

    Object outcome = invocationContext.proceed();
    if (SUCCESS.equals(outcome)) {
        // Raw map put, which is what the "unchecked" suppression on this method covers.
        httpMessageContext.getMessageInfo().getMap().put("javax.servlet.http.registerSession", TRUE.toString());
    }
    return outcome;
}
/**
 * Intercepts the mechanism's {@code validateRequest}: when a principal is already known for the
 * request it is handed to the container through a {@link CallerPrincipalCallback} and
 * {@code SUCCESS} is returned without invoking the mechanism; otherwise the mechanism runs and, on
 * {@code SUCCESS}, the container is asked to register the session. Any other intercepted method is
 * passed straight through.
 *
 * @param invocationContext the intercepted invocation
 * @return {@code SUCCESS} when a principal was already present, else the outcome of the
 *         intercepted method
 * @throws Exception whatever the callback handler or the intercepted method throws
 */
@SuppressWarnings("unchecked")
@AroundInvoke
public Object intercept(InvocationContext invocationContext) throws Exception {
    boolean isValidateRequest = isImplementationOf(invocationContext.getMethod(), validateRequestMethod);
    if (!isValidateRequest) {
        return invocationContext.proceed();
    }

    HttpMessageContext httpMessageContext = (HttpMessageContext) invocationContext.getParameters()[2];
    Principal knownPrincipal = getPrincipal(httpMessageContext.getRequest());
    if (knownPrincipal != null) {
        // Short-circuit: a principal is already established, so tell the container and skip the mechanism.
        Callback[] callbacks = { new CallerPrincipalCallback(httpMessageContext.getClientSubject(), knownPrincipal) };
        httpMessageContext.getHandler().handle(callbacks);
        return SUCCESS;
    }

    Object outcome = invocationContext.proceed();
    if (SUCCESS.equals(outcome)) {
        // Raw map put, which is what the "unchecked" suppression on this method covers.
        httpMessageContext.getMessageInfo().getMap().put("javax.servlet.http.registerSession", TRUE.toString());
    }
    return outcome;
}
/**
 * Delegates {@code secureResponse} to the CDI-resolved {@link HttpAuthenticationMechanism} and
 * translates its outcome to the container's {@link AuthStatus}.
 *
 * @param messageInfo    the message info of the current exchange, wrapped into the context
 * @param serviceSubject the service subject (not read by this method)
 * @return the translated status, where a mechanism {@code SUCCESS} is reported as
 *         {@code SEND_SUCCESS}
 * @throws AuthException wrapping any {@link AuthenticationException} raised by the mechanism
 */
@Override
public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, messageInfo, null);
    try {
        HttpAuthenticationMechanism mechanism = CDI.current().select(HttpAuthenticationMechanism.class).get();
        AuthenticationStatus status = mechanism.secureResponse(msgContext.getRequest(), msgContext.getResponse(), msgContext);
        AuthStatus mapped = fromAuthenticationStatus(status);
        // A successful secureResponse is reported to the container as SEND_SUCCESS, not SUCCESS.
        return mapped == AuthStatus.SUCCESS ? AuthStatus.SEND_SUCCESS : mapped;
    } catch (AuthenticationException e) {
        AuthException wrapped = new AuthException("Secure response failure in HttpAuthenticationMechanism");
        wrapped.initCause(e);
        throw wrapped;
    } finally {
        // Per-request CDI state is torn down whether the call succeeded or not.
        if (cdiPerRequestInitializer != null) {
            cdiPerRequestInitializer.destroy(msgContext.getRequest());
        }
    }
}
/**
 * Delegates {@code secureResponse} to the CDI-resolved {@link HttpAuthenticationMechanism} and
 * translates its outcome to the container's {@link AuthStatus}.
 *
 * @param messageInfo    the message info of the current exchange, wrapped into the context
 * @param serviceSubject the service subject (not read by this method)
 * @return the translated status, where a mechanism {@code SUCCESS} is reported as
 *         {@code SEND_SUCCESS}
 * @throws AuthException wrapping any {@link AuthenticationException} raised by the mechanism
 */
@Override
public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
    HttpMessageContext msgContext = new HttpMessageContextImpl(handler, messageInfo, null);
    try {
        HttpAuthenticationMechanism mechanism = CDI.current().select(HttpAuthenticationMechanism.class).get();
        AuthenticationStatus status = mechanism.secureResponse(msgContext.getRequest(), msgContext.getResponse(), msgContext);
        AuthStatus mapped = fromAuthenticationStatus(status);
        // A successful secureResponse is reported to the container as SEND_SUCCESS, not SUCCESS.
        return mapped == AuthStatus.SUCCESS ? AuthStatus.SEND_SUCCESS : mapped;
    } catch (AuthenticationException e) {
        AuthException wrapped = new AuthException("Secure response failure in HttpAuthenticationMechanism");
        wrapped.initCause(e);
        throw wrapped;
    } finally {
        // Per-request CDI state is torn down whether the call succeeded or not.
        if (cdiPerRequestInitializer != null) {
            cdiPerRequestInitializer.destroy(msgContext.getRequest());
        }
    }
}