void setAlgorithm(DigestAlgorithm algorithm) throws NoSuchAlgorithmException { this.algorithm = algorithm; digest = algorithm.getMessageDigest(); }
@Override public Account run() { return identityManager.verify(username, new PasswordCredential(password.toCharArray())); } });
private boolean verifyCredential(Account account, Credential credential) { if (credential instanceof PasswordCredential) { char[] password = ((PasswordCredential) credential).getPassword(); char[] expectedPassword = users.get(account.getPrincipal().getName()); return Arrays.equals(password, expectedPassword); } return false; }
protected void authenticationComplete(Account account, String mechanism, boolean programatic, final boolean cachingRequired) { this.account = account; this.mechanismName = mechanism; UndertowLogger.SECURITY_LOGGER.debugf("Authenticated as %s, roles %s", account.getPrincipal().getName(), account.getRoles()); sendNoticiation(new SecurityNotification(exchange, EventType.AUTHENTICATED, account, mechanism, programatic, MESSAGES.userAuthenticated(account.getPrincipal().getName()), cachingRequired)); }
/** * * @return The principal that was associated with the SSE request */ public Principal getPrincipal() { Account account = getAccount(); if (account != null) { return account.getPrincipal(); } return null; }
private Set<Principal> getPrincipalRoles(Account account) { final Set<Principal> roles = new HashSet<>(); for (String role : account.getRoles()) { roles.add(new SimplePrincipal(role)); } return roles; }
public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext securityContext) { SSLSessionInfo sslSession = exchange.getConnection().getSslSessionInfo(); if (sslSession != null) { try { Certificate[] clientCerts = getPeerCertificates(exchange, sslSession, securityContext); if (clientCerts[0] instanceof X509Certificate) { Credential credential = new X509CertificateCredential((X509Certificate) clientCerts[0]); IdentityManager idm = getIdentityManager(securityContext); Account account = idm.verify(credential); if (account != null) { securityContext.authenticationComplete(account, name, false); return AuthenticationMechanismOutcome.AUTHENTICATED; } } } catch (SSLPeerUnverifiedException e) { // No action - this mechanism can not attempt authentication without peer certificates so allow it to drop out // to NOT_ATTEMPTED. } } /* * For ClientCert we do not have a concept of a failed authentication, if the client did use a key then it was deemed * acceptable for the connection to be established, this mechanism then just 'attempts' to use it for authentication but * does not mandate success. */ return AuthenticationMechanismOutcome.NOT_ATTEMPTED; }
@Override public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) { String principal = exchange.getAttachment(EXTERNAL_PRINCIPAL); if(principal == null) { return AuthenticationMechanismOutcome.NOT_ATTEMPTED; } Account account = getIdentityManager(securityContext).verify(principal, ExternalCredential.INSTANCE); if(account == null) { return AuthenticationMechanismOutcome.NOT_AUTHENTICATED; } String name = exchange.getAttachment(EXTERNAL_AUTHENTICATION_TYPE); securityContext.authenticationComplete(account, name != null ? name: this.name, false); return AuthenticationMechanismOutcome.AUTHENTICATED; }
@Override public byte[] getSessionData() { if (!context.getAlgorithm().isSession()) { throw MESSAGES.noSessionData(); } byte[] nonce = context.getParsedHeader().get(DigestAuthorizationToken.NONCE).getBytes(StandardCharsets.UTF_8); byte[] cnonce = context.getParsedHeader().get(DigestAuthorizationToken.CNONCE).getBytes(StandardCharsets.UTF_8); byte[] response = new byte[nonce.length + cnonce.length + 1]; System.arraycopy(nonce, 0, response, 0, nonce.length); response[nonce.length] = ':'; System.arraycopy(cnonce, 0, response, nonce.length + 1, cnonce.length); return response; }
@Override public Account verify(Credential credential) { if (credential instanceof X509CertificateCredential) { X509CertificateCredential certCredential = (X509CertificateCredential) credential; X509Certificate certificate = certCredential.getCertificate(); AccountImpl account = getAccount(certificate.getSubjectDN().getName()); return verifyCredential(account, certificate); } throw new IllegalArgumentException("Parameter must be a X509CertificateCredential"); }
@Override public SingleSignOn createSingleSignOn(Account account, String mechanism) { String id = SECURE_RANDOM_SESSION_ID_GENERATOR.createSessionId(); SingleSignOn entry = new SimpleSingleSignOnEntry(id, account, mechanism); this.ssoEntries.put(id, entry); if(log.isTraceEnabled()) { log.tracef("Creating SSO ID %s for Principal %s and Roles %s.", id, account.getPrincipal().getName(), account.getRoles().toString()); } return entry; }
@Override public Principal getUserPrincipal() { SecurityContext sc = exchange.getSecurityContext(); if(sc == null) { return null; } Account authenticatedAccount = sc.getAuthenticatedAccount(); if(authenticatedAccount == null) { return null; } return authenticatedAccount.getPrincipal(); }
@Override public boolean login(final String username, final String password) { UndertowLogger.SECURITY_LOGGER.debugf("Attempting programatic login for user %s for request %s", username, exchange); final Account account; if(System.getSecurityManager() == null) { account = identityManager.verify(username, new PasswordCredential(password.toCharArray())); } else { account = AccessController.doPrivileged(new PrivilegedAction<Account>() { @Override public Account run() { return identityManager.verify(username, new PasswordCredential(password.toCharArray())); } }); } if (account == null) { return false; } authenticationComplete(account, programaticMechName, true); this.authenticationState = AuthenticationState.AUTHENTICATED; return true; }
@Override public boolean isUserInRole(String role) { SecurityContext sc = exchange.getSecurityContext(); if(sc == null) { return false; } Account authenticatedAccount = sc.getAuthenticatedAccount(); if(authenticatedAccount == null) { return false; } return authenticatedAccount.getRoles().contains(role); }
void setAlgorithm(DigestAlgorithm algorithm) throws NoSuchAlgorithmException { digest = algorithm.getMessageDigest(); }
@Override public String readAttribute(final HttpServerExchange exchange) { SecurityContext sc = exchange.getSecurityContext(); if (sc == null || !sc.isAuthenticated()) { return null; } return sc.getAuthenticatedAccount().getPrincipal().getName(); }
@Override public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) { String principal = getPrincipal(exchange); if(principal == null) { return NOT_ATTEMPTED; } String session = getSession(exchange); if(session == null) { return NOT_ATTEMPTED; } Account account = identityManager.verify(principal, new PasswordCredential(session.toCharArray())); if(account == null) { securityContext.authenticationFailed(UndertowMessages.MESSAGES.authenticationFailed(principal), mechanismName); return NOT_AUTHENTICATED; } securityContext.authenticationComplete(account, mechanismName, false); return AUTHENTICATED; }
private void clearAccount(Account account) { Principal principal = (account instanceof AccountImpl) ? ((AccountImpl) account).getOriginalPrincipal() : account.getPrincipal(); if (principal != null) { // perform the logout of the principal using the subject currently set in the security context. Subject subject = SecurityActions.getSubject(); this.manager.logout(principal, subject); } } }
@Override public void logout() { Account authenticatedAccount = getAuthenticatedAccount(); if(authenticatedAccount != null) { UndertowLogger.SECURITY_LOGGER.debugf("Logging out user %s for %s", authenticatedAccount.getPrincipal().getName(), exchange); } else { UndertowLogger.SECURITY_LOGGER.debugf("Logout called with no authenticated user in exchange %s", exchange); } super.logout(); this.authenticationState = AuthenticationState.NOT_ATTEMPTED; }
@Override public void logout() { if (!isAuthenticated()) { return; } UndertowLogger.SECURITY_LOGGER.debugf("Logged out %s", exchange); sendNoticiation(new SecurityNotification(exchange, SecurityNotification.EventType.LOGGED_OUT, account, mechanismName, true, MESSAGES.userLoggedOut(account.getPrincipal().getName()), true)); this.account = null; this.mechanismName = null; }