/**
* Validates the request by checking for the presence of a pre-configured attribute in the
* ServletRequest.
*
* @param messageInfo {@inheritDoc}
* @param clientSubject {@inheritDoc}
* @param serviceSubject {@inheritDoc}
* @return {@inheritDoc}
*/
@Override
public Promise<AuthStatus, AuthenticationException> validateRequest(
MessageInfoContext messageInfo, Subject clientSubject, Subject serviceSubject) {
SecurityContextMapper securityContextMapper =
SecurityContextMapper.fromMessageInfo(messageInfo);
final JsonValue attributes =
json(messageInfo.asContext(AttributesContext.class).getAttributes());
if (attributes.isDefined(authenticationIdAttribute)
&& attributes.get(authenticationIdAttribute).isString()) {
final String authenticationId = attributes.get(authenticationIdAttribute).asString();
securityContextMapper.setAuthenticationId(authenticationId);
clientSubject
.getPrincipals()
.add(
new Principal() {
public String getName() {
return authenticationId;
}
});
return newResultPromise(SUCCESS);
} else {
return newResultPromise(SEND_FAILURE);
}
}
private boolean authenticate(Credential credential, SecurityContextMapper securityContextMapper)
throws AuthException {
if (!credential.isComplete()) {
logger.debug("Failed authentication, missing or empty headers");
return false;
}
// set the authenticationId of the user that is trying to authenticate
securityContextMapper.setAuthenticationId(credential.username);
try {
return authenticator.authenticate(
credential.username,
credential.password,
authnFilterHelper.getRouter().createServerContext());
} catch (ResourceException e) {
logger.debug(
"Failed delegated authentication of {} on {}.", credential.username, queryOnResource, e);
if (e.isServerError()) { // HTTP server-side error
throw new JaspiAuthException(
"Failed delegated authentication of " + credential.username + " on " + queryOnResource,
e);
}
// authentication failed
return false;
}
}
/**
* Validates the client's request by passing through the request to be authenticated against a
* OpenICF Connector.
*
* @param messageInfo {@inheritDoc}
* @param clientSubject {@inheritDoc}
* @param serviceSubject {@inheritDoc}
* @return {@inheritDoc}
* @throws AuthException If there is a problem performing the authentication.
*/
@Override
public AuthStatus validateRequest(
MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
logger.debug("DelegatedAuthModule: validateRequest START");
SecurityContextMapper securityContextMapper =
SecurityContextMapper.fromMessageInfo(messageInfo);
HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
try {
logger.debug("DelegatedAuthModule: Delegating call to remote authentication");
if (authenticate(HEADER_AUTH_CRED_HELPER.getCredential(request), securityContextMapper)
|| authenticate(BASIC_AUTH_CRED_HELPER.getCredential(request), securityContextMapper)) {
logger.debug("DelegatedAuthModule: Authentication successful");
final String authcid = securityContextMapper.getAuthenticationId();
clientSubject
.getPrincipals()
.add(
new Principal() {
public String getName() {
return authcid;
}
});
// Auth success will be logged in IDMJaspiModuleWrapper
return AuthStatus.SUCCESS;
} else {
logger.debug("DelegatedAuthModule: Authentication failed");
return AuthStatus.SEND_FAILURE;
}
} finally {
logger.debug("DelegatedAuthModule: validateRequest END");
}
}
/**
* Performs the calculation of roles based on the userRoles property in the configuration and the
* retrieved user object.
*
* @param principal The principal.
* @param securityContextMapper The message info instance.
* @param resource the retrieved resource for the principal.
* @return A SecurityContextMapper instance containing the authentication context information.
*/
public void calculateRoles(
String principal, SecurityContextMapper securityContextMapper, ResourceResponse resource) {
// Set roles from retrieved object:
if (resource != null) {
final JsonValue userDetail = resource.getContent();
// support reading roles from property in object
if (userRoles != null && !userDetail.get(userRoles).isNull()) {
if (userDetail.get(userRoles).isString()) {
for (String role : userDetail.get(userRoles).asString().split(",")) {
securityContextMapper.addRole(role);
}
} else if (userDetail.get(userRoles).isList()) {
for (JsonValue role : userDetail.get(userRoles)) {
if (RelationshipUtil.isRelationship(role)) {
// Role is specified as a relationship Object
JsonPointer roleId =
new JsonPointer(role.get(RelationshipUtil.REFERENCE_ID).asString());
securityContextMapper.addRole(roleId.leaf());
} else {
// Role is specified as a String
securityContextMapper.addRole(role.asString());
}
}
} else {
logger.warn(
"Unknown roles type retrieved from user query, expected collection: {} type: {}",
userRoles,
userDetail.get(userRoles).getObject().getClass());
}
}
// Roles are now set.
// Note: roles can be further augmented with a script if more complex behavior is desired
logger.debug(
"Used {}object property to update context for {} with userid : {}, roles : {}",
userRoles != null ? (userRoles + " ") : "",
securityContextMapper.getAuthenticationId(),
securityContextMapper.getUserId(),
securityContextMapper.getRoles());
}
}
