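/**
 * Builds a new digest-auth nonce from the given timestamp and the configured nonce secret.
 *
 * <p>The nonce is 24 bytes, base64-encoded: bytes 0-7 hold {@code ts} little-endian and bytes
 * 8-23 hold MD5(ts-bytes || secret-bytes). The secret bytes are only digest input and are
 * overwritten by the hash before encoding, so the secret itself never leaves the server. MD5
 * is kept here because the layout must match whatever later verifies the nonce; its role is a
 * secret-keyed integrity tag, not a password hash.
 *
 * @param ts the timestamp to embed in the nonce (the commented-out call in the original
 *     suggests the request timestamp; confirm with the caller)
 * @return the base64-encoded nonce
 * @throws IllegalStateException if the MD5 digest is unavailable in this JVM or returns an
 *     unexpected length
 */
public String newNonce(long ts) {
    long sk = nonceSecret;
    byte[] nonce = new byte[24];
    // Little-endian timestamp in bytes 0-7, little-endian secret in bytes 8-15.
    for (int i = 0; i < 8; i++) {
        nonce[i] = (byte) (ts & 0xff);
        ts >>= 8;
        nonce[8 + i] = (byte) (sk & 0xff);
        sk >>= 8;
    }
    byte[] hash;
    try {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(nonce, 0, 16);
        hash = md.digest();
    } catch (java.security.NoSuchAlgorithmException e) {
        // Previously this only logged and then fell into a NullPointerException on hash.length;
        // fail explicitly instead so the cause is visible.
        LOG.warn(e);
        throw new IllegalStateException("MD5 digest not available", e);
    }
    // The nonce layout reserves exactly 16 bytes for the digest; copying bounded by that size
    // (rather than hash.length) can never overrun the 24-byte array.
    if (hash.length != 16) {
        throw new IllegalStateException("unexpected MD5 digest length " + hash.length);
    }
    System.arraycopy(hash, 0, nonce, 8, 16);
    return new String(B64Code.encode(nonce));
}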
/* ------------------------------------------------------------ */
/**
 * Computes a weak entity tag for this resource.
 *
 * <p>The tag has the form {@code W/"<b64(lastModified ^ h)><b64(length ^ h)>"} where
 * {@code h} is a 64-bit polynomial hash of the resource name, so the tag changes whenever the
 * name, length or modification time changes.
 *
 * @return the weak ETag, including the {@code W/} prefix and the surrounding quotes
 * @throws RuntimeException wrapping any {@link IOException} raised while reading the
 *     resource metadata
 */
public String getWeakETag() {
    try {
        String name = getName();
        // Same recurrence as String.hashCode, but accumulated in a long so it does not wrap
        // at 32 bits.
        long nameHash = 0;
        for (char c : name.toCharArray()) {
            nameHash = 31 * nameHash + c;
        }
        StringBuilder tag = new StringBuilder(32).append("W/\"");
        B64Code.encode(lastModified() ^ nameHash, tag);
        B64Code.encode(length() ^ nameHash, tag);
        return tag.append('"').toString();
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}
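/* ------------------------------------------------------------ */
/**
 * Validates a nonce previously issued by this authenticator.
 *
 * <p>The nonce is base64 over 24 bytes: an 8-byte little-endian timestamp followed by
 * MD5(timestamp-bytes || secret-bytes). The digest is recomputed with the server secret and
 * compared in constant time; only then is the embedded timestamp checked against the request
 * timestamp.
 *
 * @param nonce the base64 nonce presented by the client
 * @param request the current request, used for its timestamp
 * @return 1 if the nonce is authentic and fresh, 0 if it is authentic but stale (outside
 *     {@code _maxNonceAge}, when that is positive), and -1 if it is malformed or its digest
 *     does not match
 */
private int checkNonce(String nonce, Request request) {
    try {
        byte[] n = B64Code.decode(nonce.toCharArray());
        if (n.length != 24) {
            return -1;
        }
        long ts = 0;
        long sk = _nonceSecret;
        byte[] n2 = new byte[16];
        System.arraycopy(n, 0, n2, 0, 8);
        for (int i = 0; i < 8; i++) {
            n2[8 + i] = (byte) (sk & 0xff);
            sk = sk >> 8;
            // The timestamp was written little-endian; rebuild it from the high byte down.
            ts = (ts << 8) + (0xff & (long) n[7 - i]);
        }
        long age = request.getTimeStamp() - ts;
        if (Log.isDebugEnabled()) {
            Log.debug("age=" + age);
        }
        byte[] hash;
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(n2, 0, 16);
            hash = md.digest();
        } catch (java.security.NoSuchAlgorithmException e) {
            // Previously this logged and then dereferenced a null hash; reject explicitly.
            Log.warn(e);
            return -1;
        }
        // Constant-time comparison: the original byte-by-byte loop returned on the first
        // mismatch, which leaks how many leading digest bytes a forged nonce got right.
        byte[] presented = new byte[16];
        System.arraycopy(n, 8, presented, 0, 16);
        if (!MessageDigest.isEqual(hash, presented)) {
            return -1;
        }
        if (_maxNonceAge > 0 && (age < 0 || age > _maxNonceAge)) {
            return 0; // stale
        }
        return 1;
    } catch (Exception e) {
        // Any decode/parse failure is treated as an invalid nonce rather than an error.
        Log.ignore(e);
    }
    return -1;
}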
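/**
 * Enforces HTTP Basic authentication on every request passing through this filter.
 *
 * <p>A request with no {@code Authorization} header, a header lacking the expected prefix or
 * too short to carry a credential, a decoded credential without a {@code ':'} separator, an
 * empty user or password, or a pair that {@code passwdChecker} rejects is answered with a 401
 * and never reaches {@code chain}. The password is deliberately excluded from the failure log.
 *
 * @param request the incoming request; must be an {@link HttpServletRequest}
 * @param response the outgoing response; must be an {@link HttpServletResponse}
 * @param chain the rest of the filter chain, invoked only after successful authentication
 * @throws IOException propagated from the chain or from sending the 401
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(
        final ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    String forwardedFor = req.getHeader("X-Forwarded-For");

    // Request basic auth.
    String authHeader64 = req.getHeader(Http.HEADER_AUTHORISATION);
    if (authHeader64 == null
            || authHeader64.length() < Http.HEADER_AUTHORISATION_PREFIX.length() + 3
            || !authHeader64.startsWith(Http.HEADER_AUTHORISATION_PREFIX)) {
        LOG.info(
                "Auth failed: for={} header={} uri={}",
                new Object[] {forwardedFor, authHeader64, req.getRequestURI()});
        send401(resp);
        return;
    }

    // Verify password. A credential with no ':' previously hit substring(0, -1) and threw a
    // StringIndexOutOfBoundsException (a 500) instead of being rejected; treat it as empty.
    authHeader64 = authHeader64.substring(Http.HEADER_AUTHORISATION_PREFIX.length());
    String authHeader = B64Code.decode(authHeader64, (String) null);
    int colon = authHeader.indexOf(':');
    String user = colon < 0 ? "" : authHeader.substring(0, colon);
    String pass = colon < 0 ? "" : authHeader.substring(colon + 1);
    if (user.isEmpty() || pass.isEmpty() || !this.passwdChecker.verifyPasswd(req, user, pass)) {
        // Log the user but never the password: the original wrote it in clear text to the log.
        LOG.info(
                "Auth failed: for={} uri={} user={} check={}.",
                new Object[] {forwardedFor, req.getRequestURI(), user, this.passwdChecker});
        send401(resp);
        return;
    }
    chain.doFilter(request, response);
}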
/**
 * Authenticates the request with HTTP Basic credentials, challenging when none are acceptable.
 *
 * <p>When authentication is not mandatory the decision is deferred. Otherwise a well-formed
 * {@code Authorization: Basic <base64(user:pass)>} header is decoded as ISO-8859-1 and handed
 * to {@code login}; on success a {@code UserAuthentication} is returned. In every other case a
 * 401 with a {@code WWW-Authenticate: basic realm="..."} challenge is sent, unless the response
 * is deferred, in which case {@code UNAUTHENTICATED} is returned without sending anything.
 *
 * @see org.eclipse.jetty.security.Authenticator#validateRequest(javax.servlet.ServletRequest,
 *     javax.servlet.ServletResponse, boolean)
 */
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
        throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);
    try {
        if (!mandatory) {
            return new DeferredAuthentication(this);
        }
        if (credentials != null) {
            int sep = credentials.indexOf(' ');
            // A scheme is only recognised when it is non-empty and followed by a space.
            String scheme = sep > 0 ? credentials.substring(0, sep) : null;
            if ("basic".equalsIgnoreCase(scheme)) {
                String decoded =
                        B64Code.decode(credentials.substring(sep + 1), StringUtil.__ISO_8859_1);
                int colon = decoded.indexOf(':');
                // An empty username (':' first) is not a usable credential.
                if (colon > 0) {
                    String username = decoded.substring(0, colon);
                    String password = decoded.substring(colon + 1);
                    UserIdentity user = login(username, password, request);
                    if (user != null) {
                        return new UserAuthentication(getAuthMethod(), user);
                    }
                }
            }
        }
        if (DeferredAuthentication.isDeferred(response)) {
            return Authentication.UNAUTHENTICATED;
        }
        response.setHeader(
                HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"');
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return Authentication.SEND_CONTINUE;
    } catch (IOException e) {
        throw new ServerAuthException(e);
    }
}
/**
 * Produces the {@code Authorization} header value for HTTP Basic authentication.
 *
 * <p>The credentials are joined as {@code user:password}, base64-encoded as ISO-8859-1 and
 * prefixed with {@code "Basic "}.
 *
 * @param request the request being authenticated (not used by this implementation)
 * @param response the challenge response (not used by this implementation)
 * @param headerInfo the parsed challenge; only its header name is used
 * @param context per-conversation attributes (not used by this implementation)
 * @return a {@code BasicResult} carrying the header name, the URI and the encoded credential
 */
@Override
public Result authenticate(
        Request request, ContentResponse response, HeaderInfo headerInfo, Attributes context) {
    String credential = user + ":" + password;
    String headerValue = "Basic " + B64Code.encode(credential, StandardCharsets.ISO_8859_1);
    return new BasicResult(headerInfo.getHeader(), uri, headerValue);
}
/**
 * Creates a {@code Proxy-Authorization} credential for HTTP Basic proxy authentication.
 *
 * <p>The value is {@code "Basic "} followed by the ISO-8859-1 base64 encoding of
 * {@code username:password}, stored in {@code _authorization}.
 *
 * @param username the proxy user name
 * @param password the proxy password
 * @throws IOException declared by this constructor; presumably raised by the buffer
 *     construction — confirm against {@code ByteArrayBuffer}
 */
public ProxyAuthorization(String username, String password) throws IOException {
    String credential = username + ":" + password;
    String headerValue = "Basic " + B64Code.encode(credential, StringUtil.__ISO_8859_1);
    _authorization = new ByteArrayBuffer(headerValue);
}
/**
 * Exercises the role and method constraints below against a {@code BasicAuthenticator}:
 * anonymous and HOMEOWNER HEAD requests are forbidden, a CONTRACTOR may GET wholesale but may
 * only POST to it over a confidential transport, and a HOMEOWNER may GET retail.
 */
@Test
public void testBasic() throws Exception {
    _security.setAuthenticator(new BasicAuthenticator());
    _server.start();

    /*
     * /star                 all methods except GET/POST forbidden
     * /acme/wholesale/star  all methods except GET/POST forbidden
     * /acme/retail/star     all methods except GET/POST forbidden
     * /acme/wholesale/star  GET must be in role CONTRACTOR or SALESCLERK
     * /acme/wholesale/star  POST must be in role CONTRACTOR and confidential transport
     * /acme/retail/star     GET must be in role CONTRACTOR or HOMEOWNER
     * /acme/retail/star     POST must be in role CONTRACTOR or HOMEOWNER
     */
    String harryAuth = "Authorization: Basic " + B64Code.encode("harry:password") + "\r\n";
    String chrisAuth = "Authorization: Basic " + B64Code.encode("chris:password") + "\r\n";
    String response;

    // Anonymous HEAD is forbidden.
    response = _connector.getResponses("HEAD /ctx/index.html HTTP/1.0\r\n\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    // A user in role HOMEOWNER is forbidden HEAD everywhere.
    String[] headPaths = {
        "/ctx/index.html", "/ctx/acme/wholesale/index.html", "/ctx/acme/retail/index.html"
    };
    for (String path : headPaths) {
        response = _connector.getResponses("HEAD " + path + " HTTP/1.0\r\n" + harryAuth + "\r\n");
        assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));
    }

    // A user in role CONTRACTOR can do a GET ...
    response =
            _connector.getResponses(
                    "GET /ctx/acme/wholesale/index.html HTTP/1.0\r\n" + chrisAuth + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 200 OK"));

    // ... but can only do a POST if the transport is confidential.
    response =
            _connector.getResponses(
                    "POST /ctx/acme/wholesale/index.html HTTP/1.0\r\n" + chrisAuth + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 !"));

    // A user in role HOMEOWNER can do a GET on retail.
    response =
            _connector.getResponses(
                    "GET /ctx/acme/retail/index.html HTTP/1.0\r\n" + harryAuth + "\r\n");
    assertThat(response, startsWith("HTTP/1.1 200 OK"));
}