/** * Create credentials from a validated userId. * * @param req The request to sniff for a user. * @return */ private Credentials createCredentials(String userId, String tokenType) { SimpleCredentials sc = new SimpleCredentials(userId, new char[0]); TrustedUser user = new TrustedUser(userId); sc.setAttribute(CA_AUTHENTICATION_USER, user); sc.setAttribute(CA_AUTHENTICATION_ATTRIBUTES, tokenType); return sc; }
/** @see FlowService#executeJob(String, String, String, long, long, String) */ @Override public Job executeJob( Credentials credentials, String token, String name, String description, long flowInstanceId, long userId, String userEmail) { FlowDao flowDao = daoFactory.getFlowDao(); JobDao jobDao = daoFactory.getJobDao(); Flow flowInstance = flowDao.findById(flowInstanceId, false); Job job = new Job(); job.setToken(token); job.setName(name); job.setDescription(description); job.setFlow(flowInstance); job.setOwnerId(userId); job.setOwnerEmail(userEmail); SimpleCredentials simpleCreds = (SimpleCredentials) credentials; String serializedCreds = simpleCreds.getUserID() + ":" + new String(simpleCreds.getPassword()); job.setCredentials(serializedCreds); jobDao.makePersistent(job); jobScheduler.scheduleJob(job); job.setJobStatus(JobStatus.SCHEDULED); job.setScheduleTimestamp(new Date()); jobDao.makePersistent(job); jobStatusMonitor.start(job, notificationCreator); return job; }
@Test public void testGetCredentialsValid() { ComponentContext context = configureForCookie(); HttpServletRequest request = createMock(HttpServletRequest.class); Cookie[] cookies = new Cookie[] { new Cookie("sdfsd", "fsdfs"), new Cookie("sdfsd1", "fsdfs"), null, new Cookie("sdfsd3", "fsdfs"), new Cookie("sdfsd4", "fsdfs"), }; EasyMock.expect(request.getCookies()).andReturn(cookies); HttpServletResponse response = createMock(HttpServletResponse.class); replay(); trustedTokenService.activate(context); Cookie secureCookie = new Cookie("secure-cookie", trustedTokenService.encodeCookie("ieb")); cookies[2] = secureCookie; Credentials ieb = trustedTokenService.getCredentials(request, response); Assert.assertTrue(ieb instanceof SimpleCredentials); SimpleCredentials sc = (SimpleCredentials) ieb; TrustedUser tu = (TrustedUser) sc.getAttribute(TrustedTokenService.CA_AUTHENTICATION_USER); Assert.assertNotNull(tu); Assert.assertEquals("ieb", tu.getUser()); verify(); }
public void testGetPassword2() throws NoSuchAlgorithmException, UnsupportedEncodingException { CryptedSimpleCredentials prev = cCreds.get(0); // build crypted credentials from the uid and the crypted pw contained // in simple credentials -> simple-c-password must be treated plain-text SimpleCredentials sc = new SimpleCredentials(userID, prev.getPassword().toCharArray()); CryptedSimpleCredentials diff = new CryptedSimpleCredentials(sc); assertFalse(prev.getPassword().equals(diff.getPassword())); assertFalse(String.valueOf(sc.getPassword()).equals(diff.getPassword())); }
public void logout() { for (Session session : sessions.values()) { session.logout(); } if (credentials instanceof SimpleCredentials) { SimpleCredentials simpleCredentials = (SimpleCredentials) credentials; JahiaLoginModule.removeToken( simpleCredentials.getUserID(), new String(simpleCredentials.getPassword())); } isLive = false; activeSessions.decrementAndGet(); }
/** * {@inheritDoc} * * <p>Creates a {@code UsernamePasswordAuthenticationToken} from the given {@code principal} and * {@code credentials} and passes to Spring Security {@code AuthenticationManager}. */ @Override protected Authentication getAuthentication( final Principal principal, final Credentials credentials) throws RepositoryException { // only handles SimpleCredential instances; DefaultLoginModule behaves the same way (albeit // indirectly) if (!(credentials instanceof SimpleCredentials)) { logger.debug("credentials not instance of SimpleCredentials; returning null"); // $NON-NLS-1$ return null; } SimpleCredentials simpleCredentials = (SimpleCredentials) credentials; UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken( simpleCredentials.getUserID(), String.valueOf(simpleCredentials.getPassword())); boolean authenticated = false; try { org.springframework.security.Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication != null && authentication.getName().equals(simpleCredentials.getUserID())) { // see if there's already an active Authentication for this user. authenticated = true; } else { // delegate to Spring Security getAuthenticationManager().authenticate(token); authenticated = true; } } catch (AuthenticationException e) { logger.debug("authentication exception", e); // $NON-NLS-1$ } final boolean authenticateResult = authenticated; return new Authentication() { public boolean canHandle(Credentials credentials) { // this is decided earlier in getAuthentication return true; } public boolean authenticate(Credentials credentials) throws RepositoryException { return authenticateResult; } }; }
@Override public boolean login() throws LoginException { Credentials credentials = getCredentials(); if (!(credentials instanceof SimpleCredentials)) { return super.login(); } Principal principal = getPrincipal(credentials); if (principal == null) { SimpleCredentials cred = (SimpleCredentials) credentials; if (!createLogin(getUserID(credentials), String.valueOf(cred.getPassword()))) { return false; } } return super.login(); }
public Session getProviderSession(JCRStoreProvider provider) throws RepositoryException { if (sessions.get(provider) == null) { Session s = null; if (credentials instanceof SimpleCredentials) { SimpleCredentials simpleCredentials = (SimpleCredentials) credentials; JahiaLoginModule.Token t = JahiaLoginModule.getToken( simpleCredentials.getUserID(), new String(simpleCredentials.getPassword())); s = provider.getSession(credentials, workspace.getName()); credentials = JahiaLoginModule.getCredentials( simpleCredentials.getUserID(), t != null ? t.deniedPath : null); } else { s = provider.getSession(credentials, workspace.getName()); } sessions.put(provider, s); for (String token : tokens) { s.addLockToken(token); } NamespaceRegistry namespaceRegistryWrapper = getWorkspace().getNamespaceRegistry(); NamespaceRegistry providerNamespaceRegistry = s.getWorkspace().getNamespaceRegistry(); if (providerNamespaceRegistry != null) { for (String prefix : namespaceRegistryWrapper.getPrefixes()) { try { providerNamespaceRegistry.getURI(prefix); } catch (NamespaceException ne) { providerNamespaceRegistry.registerNamespace( prefix, namespaceRegistryWrapper.getURI(prefix)); } } } for (String prefix : prefixToNs.keySet()) { s.setNamespacePrefix(prefix, prefixToNs.get(prefix)); } } return sessions.get(provider); }
@Override protected boolean isPreAuthenticated(final Credentials creds) { if (super.isPreAuthenticated(creds)) { SimpleCredentials simpleCreds = (SimpleCredentials) creds; String preAuth = (String) simpleCreds.getAttribute(getPreAuthAttributeName()); boolean preAuthenticated = preAuthenticationTokens.contains(preAuth); if (preAuthenticated) { if (logger.isDebugEnabled()) { logger.debug(simpleCreds.getUserID() + " is pre-authenticated"); // $NON-NLS-1$ } } else { if (logger.isDebugEnabled()) { logger.debug("pre-authentication token rejected"); // $NON-NLS-1$ } } return preAuthenticated; } return false; }
@Override protected String getUserID(Credentials credentials) { if (!(credentials instanceof SimpleCredentials)) { return super.getUserID(credentials); } SimpleCredentials cred = (SimpleCredentials) credentials; String id = cred.getUserID(); if (id == null) { return super.getUserID(credentials); } String key = id + String.valueOf(cred.getPassword()); String userId = ids.get(key); if (userId != null) { return userId; } boolean realId = false; Object realIdAttr = cred.getAttribute(JackrabbitConstants.REAL_USER_ID_USED); if (realIdAttr instanceof String) { realId = Boolean.valueOf((String) realIdAttr); } if (!realId) { try { LoginTable loginTable = LoginDBHandler.getUserLoginByUserName(id); userId = loginTable == null ? null : String.valueOf(loginTable.getUserId()); } catch (Exception e) { e.printStackTrace(); } } if (userId == null) { userId = super.getUserID(credentials); } if (userId != null) { ids.put(key, userId); } return userId; }
@Test public void testGetCredentialsValidSession() { ComponentContext context = configureForSession(); HttpServletRequest request = createMock(HttpServletRequest.class); HttpSession session = createMock(HttpSession.class); EasyMock.expect(request.getSession(true)).andReturn(session); Principal principal = createMock(Principal.class); EasyMock.expect(request.getUserPrincipal()).andReturn(principal); EasyMock.expect(principal.getName()).andReturn(null); EasyMock.expect(request.getRemoteUser()).andReturn("ieb"); Capture<SimpleCredentials> attributeValue = new Capture<SimpleCredentials>(); Capture<String> attributeName = new Capture<String>(); session.setAttribute(EasyMock.capture(attributeName), EasyMock.capture(attributeValue)); HttpServletResponse response = createMock(HttpServletResponse.class); replay(); trustedTokenService.activate(context); trustedTokenService.injectToken(request, response); Assert.assertTrue(attributeName.hasCaptured()); Assert.assertTrue(attributeValue.hasCaptured()); Credentials credentials = attributeValue.getValue(); verify(); reset(); EasyMock.expect(request.getSession(false)).andReturn(session); EasyMock.expect(session.getAttribute(TrustedTokenService.SA_AUTHENTICATION_CREDENTIALS)) .andReturn(credentials); replay(); Credentials ieb = trustedTokenService.getCredentials(request, response); Assert.assertTrue(ieb instanceof SimpleCredentials); SimpleCredentials sc = (SimpleCredentials) ieb; TrustedUser tu = (TrustedUser) sc.getAttribute(TrustedTokenService.CA_AUTHENTICATION_USER); Assert.assertNotNull(tu); Assert.assertEquals("ieb", tu.getUser()); verify(); }
/** * Method tries to acquire an Impersonator in the following order: * * <ul> * <li>Try to access it from the {@link Credentials} via {@link * SimpleCredentials#getAttribute(String)} * <li>Ask CallbackHandler for Impersonator with use of {@link ImpersonationCallback}. * </ul> * * @param credentials which, may contain an impersonation Subject * @return impersonation subject or null if non contained * @see #login() * @see #impersonate(java.security.Principal, javax.jcr.Credentials) */ protected Subject getImpersonatorSubject(Credentials credentials) { Subject impersonator = null; if (credentials == null) { try { ImpersonationCallback impers = new ImpersonationCallback(); callbackHandler.handle(new Callback[] {impers}); impersonator = impers.getImpersonator(); } catch (UnsupportedCallbackException e) { log.warn( e.getCallback().getClass().getName() + " not supported: Unable to perform Impersonation."); } catch (IOException e) { log.error( "Impersonation-Callback failed: " + e.getMessage() + ": Unable to perform Impersonation."); } } else if (credentials instanceof SimpleCredentials) { SimpleCredentials sc = (SimpleCredentials) credentials; impersonator = (Subject) sc.getAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE); } return impersonator; }
/** * Extract credentials from the request. * * @param req * @return credentials associated with the request. */ public Credentials getCredentials(HttpServletRequest req, HttpServletResponse response) { if (testing) { calls.add(new Object[] {"getCredentials", req, response}); return new SimpleCredentials("testing", "testing".toCharArray()); } Credentials cred = null; String userId = null; String sakaiTrustedHeader = req.getHeader("x-sakai-token"); if (trustedTokenEnabled && sakaiTrustedHeader != null && sakaiTrustedHeader.trim().length() > 0) { String host = req.getRemoteAddr(); if (!safeHostAddrSet.contains(host)) { LOG.warn("Ignoring Trusted Token request from {} ", host); } else { // we have a HMAC based token, we should see if it is valid against the key we // have // and if so create some credentials. String[] parts = sakaiTrustedHeader.split(";"); if (parts.length == 3) { try { String hash = parts[0]; String user = parts[1]; String timestamp = parts[2]; String hmac = Signature.calculateRFC2104HMAC(user + ";" + timestamp, sharedSecret); if (hmac.equals(hash)) { // the user is Ok, we will trust it. userId = user; cred = createCredentials(userId, TrustedTokenTypes.TRUSTED_TOKEN); } else { LOG.debug("HMAC Match Failed {} != {} ", hmac, hash); } } catch (SignatureException e) { LOG.warn( "Failed to validate server token : {} {} ", sakaiTrustedHeader, e.getMessage()); } } else { LOG.warn( "Illegal number of elements in trusted server token:{} {} ", sakaiTrustedHeader, parts.length); } } } if (userId == null) { if (usingSession) { HttpSession session = req.getSession(false); if (session != null) { Credentials testCredentials = (Credentials) session.getAttribute(SA_AUTHENTICATION_CREDENTIALS); if (testCredentials instanceof SimpleCredentials) { SimpleCredentials sc = (SimpleCredentials) testCredentials; Object o = sc.getAttribute(CA_AUTHENTICATION_USER); if (o instanceof TrustedUser) { TrustedUser tu = (TrustedUser) o; if (tu.getUser() != null) { userId = tu.getUser(); cred = testCredentials; } } } } else { cred = null; } } else { Cookie[] cookies = req.getCookies(); if (cookies != null) { for (Cookie c : cookies) { if (trustedAuthCookieName.equals(c.getName())) { if (secureCookie && !c.getSecure()) { continue; } String cookieValue = c.getValue(); String[] decodedToken = decodeCookie(c.getValue()); if (decodedToken != null) { userId = decodedToken[0]; String tokenType = decodedToken[1]; TokenTrustValidator ttv = registeredTypes.get(tokenType); if (ttv == null || ttv.isTrusted(req)) { LOG.debug("Token is valid and decoded to {} ", userId); cred = createCredentials(userId, tokenType); refreshToken(response, c.getValue(), userId, tokenType); break; } else { LOG.debug("Cookie cant be trusted for this request {} ", cookieValue); } } else { LOG.debug("Invalid Cookie {} ", cookieValue); clearCookie(response); } } } } } } if (userId != null) { LOG.debug("Trusted Authentication for {} with credentials {} ", userId, cred); } return cred; }