1
2
3
4
5
6
7
8
9
10
11
12
13
14 package org.eclipse.jetty.security.jaspi;
15
16 import java.security.Principal;
17 import java.util.Map;
18 import java.util.Set;
19
20 import javax.security.auth.Subject;
21 import javax.security.auth.message.AuthException;
22 import javax.security.auth.message.AuthStatus;
23 import javax.security.auth.message.callback.CallerPrincipalCallback;
24 import javax.security.auth.message.callback.GroupPrincipalCallback;
25 import javax.security.auth.message.config.ServerAuthConfig;
26 import javax.security.auth.message.config.ServerAuthContext;
27 import javax.servlet.ServletRequest;
28 import javax.servlet.ServletResponse;
29
30 import org.eclipse.jetty.security.Authenticator;
31 import org.eclipse.jetty.security.IdentityService;
32 import org.eclipse.jetty.security.ServerAuthException;
33 import org.eclipse.jetty.security.UserAuthentication;
34 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
35 import org.eclipse.jetty.server.Authentication;
36 import org.eclipse.jetty.server.UserIdentity;
37 import org.eclipse.jetty.server.Authentication.User;
38
39
40
41
42 public class JaspiAuthenticator implements Authenticator
43 {
44 private final ServerAuthConfig _authConfig;
45 private final Map _authProperties;
46 private final ServletCallbackHandler _callbackHandler;
47 private final Subject _serviceSubject;
48 private final boolean _allowLazyAuthentication;
49 private final IdentityService _identityService;
50 private final DeferredAuthentication _deferred;
51
52 public JaspiAuthenticator(ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler,
53 Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)
54 {
55
56 if (callbackHandler == null)
57 throw new NullPointerException("No CallbackHandler");
58 if (authConfig == null)
59 throw new NullPointerException("No AuthConfig");
60 this._authConfig = authConfig;
61 this._authProperties = authProperties;
62 this._callbackHandler = callbackHandler;
63 this._serviceSubject = serviceSubject;
64 this._allowLazyAuthentication = allowLazyAuthentication;
65 this._identityService = identityService;
66 this._deferred=new DeferredAuthentication(this);
67 }
68
69
70 public void setConfiguration(AuthConfiguration configuration)
71 {
72 }
73
74
75 public String getAuthMethod()
76 {
77 return "JASPI";
78 }
79
80 public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
81 {
82 if (_allowLazyAuthentication && !mandatory)
83 return _deferred;
84
85 JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
86 request.setAttribute("org.eclipse.jetty.security.jaspi.info",info);
87 return validateRequest(info);
88 }
89
90
91 public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
92 {
93 JaspiMessageInfo info = (JaspiMessageInfo)req.getAttribute("org.eclipse.jetty.security.jaspi.info");
94 if (info==null) throw new NullPointerException("MeesageInfo from request missing: " + req);
95 return secureResponse(info,validatedUser);
96 }
97
98 public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
99 {
100 try
101 {
102 String authContextId = _authConfig.getAuthContextID(messageInfo);
103 ServerAuthContext authContext = _authConfig.getAuthContext(authContextId,_serviceSubject,_authProperties);
104 Subject clientSubject = new Subject();
105
106 AuthStatus authStatus = authContext.validateRequest(messageInfo,clientSubject,_serviceSubject);
107
108
109 if (authStatus == AuthStatus.SEND_CONTINUE)
110 return Authentication.SEND_CONTINUE;
111 if (authStatus == AuthStatus.SEND_FAILURE)
112 return Authentication.SEND_FAILURE;
113
114 if (authStatus == AuthStatus.SUCCESS)
115 {
116 Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
117 UserIdentity userIdentity;
118 if (ids.size() > 0)
119 {
120 userIdentity = ids.iterator().next();
121 } else {
122 CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
123 if (principalCallback == null)
124 {
125 return Authentication.UNAUTHENTICATED;
126 }
127 Principal principal = principalCallback.getPrincipal();
128 if (principal == null) {
129 String principalName = principalCallback.getName();
130 Set<Principal> principals = principalCallback.getSubject().getPrincipals();
131 for (Principal p: principals)
132 {
133 if (p.getName().equals(principalName))
134 {
135 principal = p;
136 break;
137 }
138 }
139 if (principal == null)
140 {
141 return Authentication.UNAUTHENTICATED;
142 }
143 }
144 GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
145 String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
146 userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
147 }
148 return new UserAuthentication(getAuthMethod(), userIdentity);
149 }
150 if (authStatus == AuthStatus.SEND_SUCCESS)
151 {
152
153 return Authentication.SEND_SUCCESS;
154 }
155
156 throw new NullPointerException("No AuthStatus returned");
157 }
158 catch (AuthException e)
159 {
160 throw new ServerAuthException(e);
161 }
162 }
163
164 public boolean secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser) throws ServerAuthException
165 {
166 try
167 {
168 String authContextId = _authConfig.getAuthContextID(messageInfo);
169 ServerAuthContext authContext = _authConfig.getAuthContext(authContextId,_serviceSubject,_authProperties);
170
171 AuthStatus status = authContext.secureResponse(messageInfo,_serviceSubject);
172 return (AuthStatus.SEND_SUCCESS.equals(status));
173 }
174 catch (AuthException e)
175 {
176 throw new ServerAuthException(e);
177 }
178 }
179
180 }