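  /**
   * Issues a fresh nonce bound to {@code ts} and to this server's {@code nonceSecret}.
   *
   * <p>Layout of the 24 bytes before Base64 encoding: bytes 0..7 are the timestamp
   * (little-endian), bytes 8..23 are the MD5 of (timestamp || secret). The secret itself is
   * hashed but never emitted, so a verifier that knows the same secret can recompute the digest
   * and recognise a nonce it issued without storing it. MD5 is retained because the 24-byte
   * format and its verifier are built around a 16-byte digest.
   *
   * @param ts timestamp the nonce is issued for (unit as supplied by the caller)
   * @return the Base64-encoded 24-byte nonce
   * @throws IllegalStateException if no MD5 {@link MessageDigest} is available; previously this
   *     was logged and then surfaced as a NullPointerException on the null digest
   */
  public String newNonce(long ts) {
    long sk = nonceSecret;

    byte[] nonce = new byte[24];
    for (int i = 0; i < 8; i++) {
      nonce[i] = (byte) (ts & 0xff);
      ts >>= 8;
      // Secret bytes are placed here only to be hashed; they are overwritten below.
      nonce[8 + i] = (byte) (sk & 0xff);
      sk >>= 8;
    }

    byte[] hash;
    try {
      MessageDigest md = MessageDigest.getInstance("MD5");
      md.update(nonce, 0, 16);
      hash = md.digest();
    } catch (java.security.NoSuchAlgorithmException e) {
      LOG.warn(e);
      throw new IllegalStateException("MD5 digest unavailable; cannot issue nonce", e);
    }

    // Replace the secret bytes with the 16-byte digest so the secret never leaves the server.
    System.arraycopy(hash, 0, nonce, 8, 16);

    return new String(B64Code.encode(nonce));
  }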
  /* ------------------------------------------------------------ */
  /**
   * Builds a weak entity tag ({@code W/"..."}) from this resource's name, last-modified time
   * and length, so the tag changes whenever any of those change.
   *
   * @return the weak ETag including the {@code W/} prefix and surrounding quotes
   * @throws RuntimeException wrapping any {@link IOException} raised while encoding
   */
  public String getWeakETag() {
    try {
      StringBuilder tag = new StringBuilder(32).append("W/\"");

      // Same 31-multiplier polynomial as String.hashCode(), accumulated in a long.
      String name = getName();
      long nameHash = 0;
      for (char ch : name.toCharArray()) {
        nameHash = 31 * nameHash + ch;
      }

      B64Code.encode(lastModified() ^ nameHash, tag);
      B64Code.encode(length() ^ nameHash, tag);
      return tag.append('"').toString();
    } catch (IOException e) {
      throw new RuntimeException(e);
    }
  }
  /* ------------------------------------------------------------ */
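  /**
   * Verifies a nonce issued with the same {@code _nonceSecret}.
   *
   * <p>The decoded nonce is 24 bytes: 8 bytes of issue timestamp followed by the 16-byte MD5 of
   * (timestamp || secret). The digest is recomputed here from the received timestamp and the
   * local secret and compared in constant time against the received digest.
   *
   * @param nonce Base64 nonce as supplied by the client
   * @param request the current request; its timestamp gives the nonce age
   * @return 1 if genuine and fresh, 0 if genuine but stale (outside {@code _maxNonceAge}),
   *     -1 if malformed, forged or undecodable
   */
  private int checkNonce(String nonce, Request request) {
    try {
      byte[] n = B64Code.decode(nonce.toCharArray());
      if (n.length != 24) {
        return -1;
      }

      // Rebuild the 16 bytes that were hashed at issue time: received timestamp bytes, then the
      // secret little-endian (must match the issuer's layout).
      long ts = 0;
      long sk = _nonceSecret;
      byte[] n2 = new byte[16];
      System.arraycopy(n, 0, n2, 0, 8);
      for (int i = 0; i < 8; i++) {
        n2[8 + i] = (byte) (sk & 0xff);
        sk >>= 8;
        ts = (ts << 8) + (0xff & (long) n[7 - i]);
      }

      long age = request.getTimeStamp() - ts;
      if (Log.isDebugEnabled()) {
        Log.debug("age=" + age);
      }

      byte[] hash;
      try {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(n2, 0, 16);
        hash = md.digest();
      } catch (java.security.NoSuchAlgorithmException e) {
        // Nothing can be verified without the digest: reject explicitly instead of letting a
        // null dereference fall into the outer catch.
        Log.warn(e);
        return -1;
      }

      // Constant-time compare. The previous byte-by-byte loop returned on the first mismatch,
      // which leaks how many leading digest bytes of a forged nonce were correct.
      byte[] supplied = java.util.Arrays.copyOfRange(n, 8, 24);
      if (!MessageDigest.isEqual(supplied, hash)) {
        return -1;
      }

      if (_maxNonceAge > 0 && (age < 0 || age > _maxNonceAge)) {
        return 0; // stale
      }

      return 1;
    } catch (Exception e) {
      // Malformed Base64 (or a null nonce) lands here and is treated as an invalid nonce.
      Log.ignore(e);
    }
    return -1;
  }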
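  /**
   * Enforces HTTP Basic authentication before handing the request to the rest of the chain.
   *
   * <p>A missing, malformed or rejected credential always answers with the same 401 through
   * {@code send401}. Neither the password nor the raw Authorization header is written to the
   * log: the raw header could carry a credential for another scheme.
   *
   * @param request incoming request, expected to be an {@link HttpServletRequest}
   * @param response outgoing response, expected to be an {@link HttpServletResponse}
   * @param chain remainder of the filter chain, invoked only after successful authentication
   * @throws IOException propagated from the chain or from writing the 401
   * @throws ServletException propagated from the chain
   */
  @Override
  public void doFilter(
      final ServletRequest request, final ServletResponse response, final FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // Request basic auth.
    String authHeader64 = req.getHeader(Http.HEADER_AUTHORISATION);
    if (authHeader64 == null
        || authHeader64.length() < Http.HEADER_AUTHORISATION_PREFIX.length() + 3
        || !authHeader64.startsWith(Http.HEADER_AUTHORISATION_PREFIX)) {
      // Log only the scheme word of the header, never its value.
      String scheme = authHeader64 == null ? null : authHeader64.split(" ", 2)[0];
      LOG.info(
          "Auth failed: for={} scheme={} uri={}",
          new Object[] {req.getHeader("X-Forwarded-For"), scheme, req.getRequestURI()});
      send401(resp);
      return;
    }

    // Verify password. Undecodable Base64 is a client error and gets a 401 rather than an
    // unhandled exception (B64Code is assumed to signal malformed input with
    // IllegalArgumentException; any other unchecked type still propagates as before).
    String authHeader;
    try {
      authHeader =
          B64Code.decode(
              authHeader64.substring(Http.HEADER_AUTHORISATION_PREFIX.length()), (String) null);
    } catch (IllegalArgumentException e) {
      LOG.info(
          "Auth failed: for={} uri={} undecodable credentials.",
          req.getHeader("X-Forwarded-For"),
          req.getRequestURI());
      send401(resp);
      return;
    }

    // A missing ':' previously produced a StringIndexOutOfBoundsException (a 500); treat it as
    // empty credentials so it takes the 401 path with the other failures.
    int sep = authHeader.indexOf(':');
    String user = sep > 0 ? authHeader.substring(0, sep) : "";
    String pass = sep > 0 ? authHeader.substring(sep + 1) : "";
    if (user.isEmpty() || pass.isEmpty() || !this.passwdChecker.verifyPasswd(req, user, pass)) {
      // The password is deliberately left out of the log line.
      LOG.info(
          "Auth failed: for={} uri={} user={} check={}.",
          req.getHeader("X-Forwarded-For"),
          req.getRequestURI(),
          user,
          this.passwdChecker);
      send401(resp);
      return;
    }

    chain.doFilter(request, response);
  }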
  /**
   * @see org.eclipse.jetty.security.Authenticator#validateRequest(javax.servlet.ServletRequest,
   *     javax.servlet.ServletResponse, boolean)
   */
  public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
      throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);

    try {
      // Nothing requires authentication yet; let the application ask for it later if needed.
      if (!mandatory) {
        return new DeferredAuthentication(this);
      }

      // Only the "Basic" scheme is understood; any other header falls through to the challenge.
      UserIdentity identity = null;
      if (credentials != null) {
        int schemeEnd = credentials.indexOf(' ');
        if (schemeEnd > 0 && "basic".equalsIgnoreCase(credentials.substring(0, schemeEnd))) {
          String decoded =
              B64Code.decode(credentials.substring(schemeEnd + 1), StringUtil.__ISO_8859_1);
          int colon = decoded.indexOf(':');
          if (colon > 0) {
            identity = login(decoded.substring(0, colon), decoded.substring(colon + 1), request);
          }
        }
      }
      if (identity != null) {
        return new UserAuthentication(getAuthMethod(), identity);
      }

      if (DeferredAuthentication.isDeferred(response)) {
        return Authentication.UNAUTHENTICATED;
      }

      // No usable credentials: challenge the client for this realm.
      response.setHeader(
          HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"');
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return Authentication.SEND_CONTINUE;
    } catch (IOException e) {
      throw new ServerAuthException(e);
    }
  }
 /**
  * Produces the Authorization value for a Basic challenge from the configured {@code user} and
  * {@code password}, encoded as ISO-8859-1 before Base64.
  */
 @Override
 public Result authenticate(
     Request request, ContentResponse response, HeaderInfo headerInfo, Attributes context) {
   String userPass = user + ":" + password;
   String headerValue = "Basic " + B64Code.encode(userPass, StandardCharsets.ISO_8859_1);
   return new BasicResult(headerInfo.getHeader(), uri, headerValue);
 }
 /**
  * Prepares a Basic proxy authorization value from the given username and password.
  *
  * @param username proxy user name
  * @param password proxy password, kept only in its encoded form in {@code _authorization}
  * @throws IOException if the credentials cannot be encoded
  */
 public ProxyAuthorization(String username, String password) throws IOException {
   String credentials = username + ":" + password;
   String headerValue = "Basic " + B64Code.encode(credentials, StringUtil.__ISO_8859_1);
   _authorization = new ByteArrayBuffer(headerValue);
 }
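  /**
   * Exercises the Basic-auth constraints listed in the comment below: HEAD is forbidden
   * everywhere, GET/POST are restricted by role, and a wholesale POST additionally requires a
   * confidential transport.
   */
  @Test
  public void testBasic() throws Exception {

    _security.setAuthenticator(new BasicAuthenticator());
    _server.start();

    String response;
    /*
      /star                 all methods except GET/POST forbidden
      /acme/wholesale/star  all methods except GET/POST forbidden
      /acme/retail/star     all methods except GET/POST forbidden
      /acme/wholesale/star  GET must be in role CONTRACTOR or SALESCLERK
      /acme/wholesale/star  POST must be in role CONTRACTOR and confidential transport
      /acme/retail/star     GET must be in role CONTRACTOR or HOMEOWNER
      /acme/retail/star     POST must be in role CONTRACTOR or HOMEOWNER
    */

    // HEAD is not an allowed method, so it is forbidden even without credentials
    response = _connector.getResponses("HEAD /ctx/index.html HTTP/1.0\r\n\r\n");
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    // a user in role HOMEOWNER is forbidden HEAD requests on every path
    response = _connector.getResponses(basicRequest("HEAD", "/ctx/index.html", "harry:password"));
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    response =
        _connector.getResponses(
            basicRequest("HEAD", "/ctx/acme/wholesale/index.html", "harry:password"));
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    response =
        _connector.getResponses(
            basicRequest("HEAD", "/ctx/acme/retail/index.html", "harry:password"));
    assertThat(response, startsWith("HTTP/1.1 403 Forbidden"));

    // a user in role CONTRACTOR can do a GET
    response =
        _connector.getResponses(
            basicRequest("GET", "/ctx/acme/wholesale/index.html", "chris:password"));
    assertThat(response, startsWith("HTTP/1.1 200 OK"));

    // a user in role CONTRACTOR can only do a post if confidential
    response =
        _connector.getResponses(
            basicRequest("POST", "/ctx/acme/wholesale/index.html", "chris:password"));
    assertThat(response, startsWith("HTTP/1.1 403 !"));

    // a user in role HOMEOWNER can do a GET
    response =
        _connector.getResponses(
            basicRequest("GET", "/ctx/acme/retail/index.html", "harry:password"));
    assertThat(response, startsWith("HTTP/1.1 200 OK"));
  }

  /**
   * Builds a minimal HTTP/1.0 request for {@code path} carrying {@code userPass} (already in
   * {@code user:password} form) as a Basic Authorization header.
   */
  private static String basicRequest(String method, String path, String userPass) {
    return method + " " + path + " HTTP/1.0\r\n"
        + "Authorization: Basic " + B64Code.encode(userPass) + "\r\n"
        + "\r\n";
  }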