View Javadoc

1   // ========================================================================
2   // Copyright (c) 2008-2009 Mort Bay Consulting Pty. Ltd.
3   // ------------------------------------------------------------------------
4   // All rights reserved. This program and the accompanying materials
5   // are made available under the terms of the Eclipse Public License v1.0
6   // and Apache License v2.0 which accompanies this distribution.
7   // The Eclipse Public License is available at 
8   // http://www.eclipse.org/legal/epl-v10.html
9   // The Apache License v2.0 is available at
10  // http://www.opensource.org/licenses/apache2.0.php
11  // You may elect to redistribute this code under either of these licenses. 
12  // ========================================================================
13  
14  package org.eclipse.jetty.security.jaspi;
15  
16  import java.security.Principal;
17  import java.util.Map;
18  import java.util.Set;
19  
20  import javax.security.auth.Subject;
21  import javax.security.auth.message.AuthException;
22  import javax.security.auth.message.AuthStatus;
23  import javax.security.auth.message.callback.CallerPrincipalCallback;
24  import javax.security.auth.message.callback.GroupPrincipalCallback;
25  import javax.security.auth.message.config.ServerAuthConfig;
26  import javax.security.auth.message.config.ServerAuthContext;
27  import javax.servlet.ServletRequest;
28  import javax.servlet.ServletResponse;
29  
30  import org.eclipse.jetty.security.Authenticator;
31  import org.eclipse.jetty.security.IdentityService;
32  import org.eclipse.jetty.security.ServerAuthException;
33  import org.eclipse.jetty.security.UserAuthentication;
34  import org.eclipse.jetty.security.authentication.DeferredAuthentication;
35  import org.eclipse.jetty.server.Authentication;
36  import org.eclipse.jetty.server.UserIdentity;
37  import org.eclipse.jetty.server.Authentication.User;
38  
39  /**
40   * @version $Rev: 4793 $ $Date: 2009-03-19 00:00:01 +0100 (Thu, 19 Mar 2009) $
41   */
42  public class JaspiAuthenticator implements Authenticator
43  {
44      private final ServerAuthConfig _authConfig;
45  
46      private final Map _authProperties;
47  
48      private final ServletCallbackHandler _callbackHandler;
49  
50      private final Subject _serviceSubject;
51  
52      private final boolean _allowLazyAuthentication;
53  
54      private final IdentityService _identityService;
55  
56      private final DeferredAuthentication _deferred;
57  
58      public JaspiAuthenticator(ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject,
59                                boolean allowLazyAuthentication, IdentityService identityService)
60      {
61          // TODO maybe pass this in via setConfiguration ?
62          if (callbackHandler == null) throw new NullPointerException("No CallbackHandler");
63          if (authConfig == null) throw new NullPointerException("No AuthConfig");
64          this._authConfig = authConfig;
65          this._authProperties = authProperties;
66          this._callbackHandler = callbackHandler;
67          this._serviceSubject = serviceSubject;
68          this._allowLazyAuthentication = allowLazyAuthentication;
69          this._identityService = identityService;
70          this._deferred = new DeferredAuthentication(this);
71      }
72  
73      public void setConfiguration(AuthConfiguration configuration)
74      {
75      }
76  
77      public String getAuthMethod()
78      {
79          return "JASPI";
80      }
81  
82      public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
83      {
84          System.err.println("\nJaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
85                             + " lazy="
86                             + _allowLazyAuthentication
87                             + " mandatory="
88                             + mandatory);
89          new Throwable().printStackTrace();
90    
91          JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
92          request.setAttribute("org.eclipse.jetty.security.jaspi.info", info);
93  
94          Authentication a = validateRequest(info);
95          
96          //if its not mandatory to authenticate, and the authenticator returned UNAUTHENTICATED, we treat it as authentication deferred
97          if (_allowLazyAuthentication && !info.isAuthMandatory() && a == Authentication.UNAUTHENTICATED)
98              a =_deferred;
99          
100         System.err.println("JaspiAuthenticator.validateRequest returning "+a);
101         return a;
102     }
103 
104     // most likely validatedUser is not needed here.
105     public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
106     {
107         System.err.println("JaspiAuthenticator.secureResponse uri=" + ((javax.servlet.http.HttpServletRequest) req).getRequestURI());
108 
109         JaspiMessageInfo info = (JaspiMessageInfo) req.getAttribute("org.eclipse.jetty.security.jaspi.info");
110         if (info == null) throw new NullPointerException("MessageInfo from request missing: " + req);
111         return secureResponse(info, validatedUser);
112     }
113 
114 
115     public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
116     {
117         try
118         {
119             System.err.println("jaspAuthenticator.validateRequest(info)");
120             String authContextId = _authConfig.getAuthContextID(messageInfo);
121             ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
122             Subject clientSubject = new Subject();
123 
124             AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);
125             // String authMethod =
126             // (String)messageInfo.getMap().get(JaspiMessageInfo.AUTH_METHOD_KEY);
127 
128             if (authStatus == AuthStatus.SEND_CONTINUE) return Authentication.SEND_CONTINUE;
129             if (authStatus == AuthStatus.SEND_FAILURE) return Authentication.SEND_FAILURE;
130 
131             if (authStatus == AuthStatus.SUCCESS)
132             {
133                 Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
134                 UserIdentity userIdentity;
135                 if (ids.size() > 0)
136                 {
137                     userIdentity = ids.iterator().next();
138                 }
139                 else
140                 {
141                     CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
142                     if (principalCallback == null) { return Authentication.UNAUTHENTICATED; }
143                     Principal principal = principalCallback.getPrincipal();
144                     if (principal == null)
145                     {
146                         String principalName = principalCallback.getName();
147                         Set<Principal> principals = principalCallback.getSubject().getPrincipals();
148                         for (Principal p : principals)
149                         {
150                             if (p.getName().equals(principalName))
151                             {
152                                 principal = p;
153                                 break;
154                             }
155                         }
156                         if (principal == null) { return Authentication.UNAUTHENTICATED; }
157                     }
158                     GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
159                     String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
160                     userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
161                 }
162                 return new UserAuthentication(getAuthMethod(), userIdentity);
163             }
164             if (authStatus == AuthStatus.SEND_SUCCESS)
165             {
166                 // we are processing a message in a secureResponse dialog.
167                 return Authentication.SEND_SUCCESS;
168             }
169             // should not happen
170             throw new NullPointerException("No AuthStatus returned");
171         }
172         catch (AuthException e)
173         {
174             throw new ServerAuthException(e);
175         }
176     }
177 
178     public boolean secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser) throws ServerAuthException
179     {
180         try
181         {
182             String authContextId = _authConfig.getAuthContextID(messageInfo);
183             ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
184             // TODO
185             // authContext.cleanSubject(messageInfo,validatedUser.getUserIdentity().getSubject());
186             AuthStatus status = authContext.secureResponse(messageInfo, _serviceSubject);
187             return (AuthStatus.SEND_SUCCESS.equals(status));
188         }
189         catch (AuthException e)
190         {
191             System.err.println("Error in JaspiAuthenticator.secureResponse");
192             e.printStackTrace();
193             throw new ServerAuthException(e);
194         }
195     }
196 
197 }