1
2
3
4
5
6
7
8
9
10
11
12
13
14 package org.eclipse.jetty.security.jaspi;
15
16 import java.security.Principal;
17 import java.util.Map;
18 import java.util.Set;
19
20 import javax.security.auth.Subject;
21 import javax.security.auth.message.AuthException;
22 import javax.security.auth.message.AuthStatus;
23 import javax.security.auth.message.callback.CallerPrincipalCallback;
24 import javax.security.auth.message.callback.GroupPrincipalCallback;
25 import javax.security.auth.message.config.ServerAuthConfig;
26 import javax.security.auth.message.config.ServerAuthContext;
27 import javax.servlet.ServletRequest;
28 import javax.servlet.ServletResponse;
29
30 import org.eclipse.jetty.security.Authenticator;
31 import org.eclipse.jetty.security.IdentityService;
32 import org.eclipse.jetty.security.ServerAuthException;
33 import org.eclipse.jetty.security.UserAuthentication;
34 import org.eclipse.jetty.security.authentication.DeferredAuthentication;
35 import org.eclipse.jetty.server.Authentication;
36 import org.eclipse.jetty.server.UserIdentity;
37 import org.eclipse.jetty.server.Authentication.User;
38
39
40
41
42 public class JaspiAuthenticator implements Authenticator
43 {
44 private final ServerAuthConfig _authConfig;
45
46 private final Map _authProperties;
47
48 private final ServletCallbackHandler _callbackHandler;
49
50 private final Subject _serviceSubject;
51
52 private final boolean _allowLazyAuthentication;
53
54 private final IdentityService _identityService;
55
56 private final DeferredAuthentication _deferred;
57
58 public JaspiAuthenticator(ServerAuthConfig authConfig, Map authProperties, ServletCallbackHandler callbackHandler, Subject serviceSubject,
59 boolean allowLazyAuthentication, IdentityService identityService)
60 {
61
62 if (callbackHandler == null) throw new NullPointerException("No CallbackHandler");
63 if (authConfig == null) throw new NullPointerException("No AuthConfig");
64 this._authConfig = authConfig;
65 this._authProperties = authProperties;
66 this._callbackHandler = callbackHandler;
67 this._serviceSubject = serviceSubject;
68 this._allowLazyAuthentication = allowLazyAuthentication;
69 this._identityService = identityService;
70 this._deferred = new DeferredAuthentication(this);
71 }
72
73 public void setConfiguration(AuthConfiguration configuration)
74 {
75 }
76
77 public String getAuthMethod()
78 {
79 return "JASPI";
80 }
81
82 public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
83 {
84 System.err.println("\nJaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
85 + " lazy="
86 + _allowLazyAuthentication
87 + " mandatory="
88 + mandatory);
89 new Throwable().printStackTrace();
90
91 JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
92 request.setAttribute("org.eclipse.jetty.security.jaspi.info", info);
93
94 Authentication a = validateRequest(info);
95
96
97 if (_allowLazyAuthentication && !info.isAuthMandatory() && a == Authentication.UNAUTHENTICATED)
98 a =_deferred;
99
100 System.err.println("JaspiAuthenticator.validateRequest returning "+a);
101 return a;
102 }
103
104
105 public boolean secureResponse(ServletRequest req, ServletResponse res, boolean mandatory, User validatedUser) throws ServerAuthException
106 {
107 System.err.println("JaspiAuthenticator.secureResponse uri=" + ((javax.servlet.http.HttpServletRequest) req).getRequestURI());
108
109 JaspiMessageInfo info = (JaspiMessageInfo) req.getAttribute("org.eclipse.jetty.security.jaspi.info");
110 if (info == null) throw new NullPointerException("MessageInfo from request missing: " + req);
111 return secureResponse(info, validatedUser);
112 }
113
114
115 public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
116 {
117 try
118 {
119 System.err.println("jaspAuthenticator.validateRequest(info)");
120 String authContextId = _authConfig.getAuthContextID(messageInfo);
121 ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
122 Subject clientSubject = new Subject();
123
124 AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, _serviceSubject);
125
126
127
128 if (authStatus == AuthStatus.SEND_CONTINUE) return Authentication.SEND_CONTINUE;
129 if (authStatus == AuthStatus.SEND_FAILURE) return Authentication.SEND_FAILURE;
130
131 if (authStatus == AuthStatus.SUCCESS)
132 {
133 Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
134 UserIdentity userIdentity;
135 if (ids.size() > 0)
136 {
137 userIdentity = ids.iterator().next();
138 }
139 else
140 {
141 CallerPrincipalCallback principalCallback = _callbackHandler.getThreadCallerPrincipalCallback();
142 if (principalCallback == null) { return Authentication.UNAUTHENTICATED; }
143 Principal principal = principalCallback.getPrincipal();
144 if (principal == null)
145 {
146 String principalName = principalCallback.getName();
147 Set<Principal> principals = principalCallback.getSubject().getPrincipals();
148 for (Principal p : principals)
149 {
150 if (p.getName().equals(principalName))
151 {
152 principal = p;
153 break;
154 }
155 }
156 if (principal == null) { return Authentication.UNAUTHENTICATED; }
157 }
158 GroupPrincipalCallback groupPrincipalCallback = _callbackHandler.getThreadGroupPrincipalCallback();
159 String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
160 userIdentity = _identityService.newUserIdentity(clientSubject, principal, groups);
161 }
162 return new UserAuthentication(getAuthMethod(), userIdentity);
163 }
164 if (authStatus == AuthStatus.SEND_SUCCESS)
165 {
166
167 return Authentication.SEND_SUCCESS;
168 }
169
170 throw new NullPointerException("No AuthStatus returned");
171 }
172 catch (AuthException e)
173 {
174 throw new ServerAuthException(e);
175 }
176 }
177
178 public boolean secureResponse(JaspiMessageInfo messageInfo, Authentication validatedUser) throws ServerAuthException
179 {
180 try
181 {
182 String authContextId = _authConfig.getAuthContextID(messageInfo);
183 ServerAuthContext authContext = _authConfig.getAuthContext(authContextId, _serviceSubject, _authProperties);
184
185
186 AuthStatus status = authContext.secureResponse(messageInfo, _serviceSubject);
187 return (AuthStatus.SEND_SUCCESS.equals(status));
188 }
189 catch (AuthException e)
190 {
191 System.err.println("Error in JaspiAuthenticator.secureResponse");
192 e.printStackTrace();
193 throw new ServerAuthException(e);
194 }
195 }
196
197 }