14 package org.eclipse.jetty.security.jaspi;
15
16 import java.security.Principal;
17 import java.util.Map;
18 import java.util.Set;
19
20 import javax.security.auth.Subject;
21 import javax.security.auth.message.AuthException;
22 import javax.security.auth.message.AuthStatus;
23 import javax.security.auth.message.callback.CallerPrincipalCallback;
24 import javax.security.auth.message.callback.GroupPrincipalCallback;
25 import javax.security.auth.message.config.ServerAuthConfig;
26 import javax.security.auth.message.config.ServerAuthContext;
27 import javax.servlet.ServletRequest;
28 import javax.servlet.ServletResponse;
29
30 import org.eclipse.jetty.security.Authenticator;
31 import org.eclipse.jetty.security.UserAuthentication;
32 import org.eclipse.jetty.security.ServerAuthException;
33 import org.eclipse.jetty.security.IdentityService;
34 import org.eclipse.jetty.security.authentication.DeferredAuthenticator;
35 import org.eclipse.jetty.server.Authentication;
36 import org.eclipse.jetty.server.UserIdentity;
37 import org.eclipse.jetty.server.Authentication.User;
38
39
40
41
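/**
 * Jetty {@link Authenticator} that delegates request validation and response securing to a
 * JASPI (JSR-196) {@link ServerAuthConfig}.
 * <p>
 * For every request a {@link ServerAuthContext} is obtained from the configured
 * {@link ServerAuthConfig} and the {@link AuthStatus} it returns is mapped onto Jetty's
 * {@link Authentication} states. On {@link AuthStatus#SUCCESS} the authenticated
 * {@link UserIdentity} is taken from the client {@link Subject}'s private credentials when the
 * auth module placed one there; otherwise it is built by the {@link IdentityService} from the
 * caller/group principal callbacks captured by the {@link ServletCallbackHandler}.
 * <p>
 * The {@link JaspiMessageInfo} created during validation is stored as the request attribute
 * {@value #MESSAGE_INFO_ATTRIBUTE} so that the servlet-level {@code secureResponse} can hand
 * the same message back to the auth context.
 */
public class JaspiAuthenticator implements Authenticator
{
    /** Request attribute carrying the {@link JaspiMessageInfo} from validateRequest to secureResponse. */
    private static final String MESSAGE_INFO_ATTRIBUTE = "org.eclipse.jetty.security.jaspi.info";

    private final ServerAuthConfig _authConfig;
    /** Provider properties forwarded to {@link ServerAuthConfig#getAuthContext}; raw type as in the JASPI API, may be null. */
    private final Map _authProperties;
    private final ServletCallbackHandler _callbackHandler;
    /** Service subject forwarded to the auth context; may be null. */
    private final Subject _serviceSubject;
    /** When true, non-mandatory requests are not validated eagerly but wrapped in a DeferredAuthentication. */
    private final boolean _allowLazyAuthentication;
    /** Not validated in the constructor; only used when the auth module supplies no UserIdentity credential. */
    private final IdentityService _identityService;

    /**
     * Creates an authenticator backed by the given JASPI configuration.
     *
     * @param authConfig the JASPI server auth configuration; must not be null
     * @param authProperties provider-specific properties forwarded to {@link ServerAuthConfig#getAuthContext}; may be null
     * @param callbackHandler the handler that captures the caller/group principal callbacks; must not be null
     * @param serviceSubject the service subject forwarded to the auth context; may be null
     * @param allowLazyAuthentication whether non-mandatory requests may defer authentication
     * @param identityService used to build a {@link UserIdentity} from the callback principals
     * @throws NullPointerException if {@code authConfig} or {@code callbackHandler} is null
     */
    public JaspiAuthenticator(ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler,
                              Subject serviceSubject, boolean allowLazyAuthentication, IdentityService identityService)
    {
        if (callbackHandler == null)
            throw new NullPointerException("No CallbackHandler");
        if (authConfig == null)
            throw new NullPointerException("No AuthConfig");
        _authConfig = authConfig;
        _authProperties = authProperties;
        _callbackHandler = callbackHandler;
        _serviceSubject = serviceSubject;
        _allowLazyAuthentication = allowLazyAuthentication;
        _identityService = identityService;
    }

    /**
     * No-op: this authenticator is fully configured through its constructor, so the supplied
     * configuration is not consulted.
     *
     * @param configuration ignored
     */
    public void setConfiguration(Configuration configuration)
    {
    }

    /**
     * @return the authentication method name reported for this authenticator, always {@code "JASPI"}
     */
    public String getAuthMethod()
    {
        return "JASPI";
    }

    /**
     * Validates a servlet request through the JASPI auth context.
     * <p>
     * When lazy authentication is allowed and the request is not mandatory, no auth module is
     * invoked and a {@link DeferredAuthenticator.DeferredAuthentication} is returned instead.
     * Otherwise a {@link JaspiMessageInfo} is built, stored on the request under
     * {@value #MESSAGE_INFO_ATTRIBUTE} for the later {@code secureResponse} call, and validated
     * via {@link #validateRequest(JaspiMessageInfo)}.
     *
     * @param request the servlet request
     * @param response the servlet response
     * @param mandatory whether the target resource requires authentication
     * @return the resulting authentication state
     * @throws ServerAuthException if the auth module fails
     */
    public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
    {
        if (_allowLazyAuthentication && !mandatory)
            return new DeferredAuthenticator.DeferredAuthentication(this, request, response);

        JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
        // Keep the message so secureResponse() can hand the same one back to the auth context.
        request.setAttribute(MESSAGE_INFO_ATTRIBUTE, info);
        return validateRequest(info);
    }

    /**
     * Secures the response using the {@link JaspiMessageInfo} that the non-deferred path of
     * {@link #validateRequest(ServletRequest, ServletResponse, boolean)} stored on the request.
     *
     * @param req the servlet request
     * @param res the servlet response
     * @param mandatory whether the target resource required authentication
     * @param validatedUser the user established for the request
     * @return true only if the auth context reports {@link AuthStatus#SEND_SUCCESS}
     * @throws NullPointerException if the request carries no {@link JaspiMessageInfo}
     * @throws ServerAuthException if the auth module fails
     */
    public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
    {
        JaspiMessageInfo info = (JaspiMessageInfo)req.getAttribute(MESSAGE_INFO_ATTRIBUTE);
        if (info == null)
            throw new NullPointerException("MessageInfo from request missing: " + req);
        return secureResponse(info, validatedUser);
    }

    /**
     * Runs the JASPI auth context for the given message and maps its {@link AuthStatus} to an
     * {@link Authentication}:
     * <ul>
     * <li>{@code SEND_CONTINUE} maps to {@link Authentication#SEND_CONTINUE}</li>
     * <li>{@code SEND_FAILURE} maps to {@link Authentication#SEND_FAILURE}</li>
     * <li>{@code SEND_SUCCESS} maps to {@link Authentication#SEND_SUCCESS}</li>
     * <li>{@code SUCCESS} yields a {@link UserAuthentication} for the resolved identity, or
     * {@link Authentication#UNAUTHENTICATED} when no caller principal can be determined</li>
     * </ul>
     * Any other status (including null) is rejected with an exception, so a misbehaving module
     * never falls through to an authenticated state.
     *
     * @param messageInfo the message to validate
     * @return the resulting authentication state
     * @throws ServerAuthException if the auth module throws {@link AuthException} or returns an unknown status
     * @throws NullPointerException if the module reported SUCCESS without a {@link UserIdentity}
     *         credential and no {@link CallerPrincipalCallback} was handled for this thread
     */
    public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
    {
        try
        {
            ServerAuthContext authContext = authContextFor(messageInfo);
            Subject clientSubject = new Subject();

            AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);

            if (authStatus == AuthStatus.SEND_CONTINUE)
                return Authentication.SEND_CONTINUE;
            if (authStatus == AuthStatus.SEND_FAILURE)
                return Authentication.SEND_FAILURE;
            if (authStatus == AuthStatus.SEND_SUCCESS)
                return Authentication.SEND_SUCCESS;
            if (authStatus == AuthStatus.SUCCESS)
            {
                UserIdentity userIdentity = resolveUserIdentity(clientSubject);
                if (userIdentity == null)
                    return Authentication.UNAUTHENTICATED;
                return new UserAuthentication(this, userIdentity);
            }

            // Fail closed: an unknown or missing status is an auth-module error, not a pass.
            throw new ServerAuthException("No AuthStatus returned: " + authStatus);
        }
        catch (AuthException e)
        {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Asks the JASPI auth context to secure the response for the given message.
     *
     * @param messageInfo the message whose response is to be secured
     * @param validatedUser the authentication established for the request; not consulted here,
     *        the auth context works from the message info alone
     * @return true only if the auth context returned {@link AuthStatus#SEND_SUCCESS}
     * @throws ServerAuthException if the auth module fails
     */
    public boolean secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser) throws ServerAuthException
    {
        try
        {
            ServerAuthContext authContext = authContextFor(messageInfo);
            AuthStatus status = authContext.secureResponse(messageInfo, _serviceSubject);
            return AuthStatus.SEND_SUCCESS.equals(status);
        }
        catch (AuthException e)
        {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Looks up the {@link ServerAuthContext} that the JASPI configuration assigns to a message.
     *
     * @param messageInfo the message being processed
     * @return the auth context for the message's context id
     * @throws AuthException if the configuration cannot supply a context
     */
    private ServerAuthContext authContextFor(JaspiMessageInfo messageInfo) throws AuthException
    {
        String authContextId = _authConfig.getAuthContextID(messageInfo);
        return _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
    }

    /**
     * Determines the {@link UserIdentity} for a client subject after the auth module reported
     * {@link AuthStatus#SUCCESS}.
     * <p>
     * A {@link UserIdentity} the module stored in the subject's private credentials wins; otherwise
     * the caller principal (by object, or by name among the callback subject's principals) and the
     * group names from the thread's callbacks are handed to the {@link IdentityService}.
     *
     * @param clientSubject the subject populated by the auth module
     * @return the identity, or null if no caller principal could be determined
     * @throws NullPointerException if no {@link CallerPrincipalCallback} was handled for this thread
     */
    private UserIdentity resolveUserIdentity(Subject clientSubject)
    {
        Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
        if (!ids.isEmpty())
            return ids.iterator().next();

        CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
        if (principalCallback == null)
            throw new NullPointerException("No CallerPrincipalCallback");

        Principal principal = principalCallback.getPrincipal();
        if (principal == null)
            principal = findPrincipalByName(principalCallback);
        if (principal == null)
            return null;

        GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
        String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
        return _identityService.newUserIdentity(clientSubject, principal, groups);
    }

    /**
     * Finds the principal named by a {@link CallerPrincipalCallback} among the principals of the
     * callback's subject.
     *
     * @param principalCallback the callback that carries a principal name but no principal object
     * @return the first principal whose name equals the callback's name, or null if the callback
     *         has no name, no subject, or no matching principal
     */
    private static Principal findPrincipalByName(CallerPrincipalCallback principalCallback)
    {
        String principalName = principalCallback.getName();
        if (principalName == null)
            return null;
        Subject subject = principalCallback.getSubject();
        if (subject == null)
            return null;
        for (Principal p : subject.getPrincipals())
        {
            // Compare from the known-non-null name so a principal with a null name is skipped, not fatal.
            if (principalName.equals(p.getName()))
                return p;
        }
        return null;
    }
}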