/* ------------------------------------------------------------ */
  private int checkNonce(String nonce, Request request) {
    try {
      byte[] n = B64Code.decode(nonce.toCharArray());
      if (n.length != 24) {
        return -1;
      }

      long ts = 0;
      long sk = _nonceSecret;
      byte[] n2 = new byte[16];
      System.arraycopy(n, 0, n2, 0, 8);
      for (int i = 0; i < 8; i++) {
        n2[8 + i] = (byte) (sk & 0xff);
        sk = sk >> 8;
        ts = (ts << 8) + (0xff & (long) n[7 - i]);
      }

      long age = request.getTimeStamp() - ts;
      if (Log.isDebugEnabled()) {
        Log.debug("age=" + age);
      }

      byte[] hash = null;
      try {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.reset();
        md.update(n2, 0, 16);
        hash = md.digest();
      } catch (Exception e) {
        Log.warn(e);
      }

      for (int i = 0; i < 16; i++) {
        if (n[i + 8] != hash[i]) {
          return -1;
        }
      }

      if (_maxNonceAge > 0 && (age < 0 || age > _maxNonceAge)) {
        return 0; // stale
      }

      return 1;
    } catch (Exception e) {
      Log.ignore(e);
    }
    return -1;
  }
예제 #2
0
  @Override
  public void doFilter(
      final ServletRequest request, final ServletResponse response, final FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // Request basic auth.
    String authHeader64 = req.getHeader(Http.HEADER_AUTHORISATION);
    if (authHeader64 == null
        || authHeader64.length() < Http.HEADER_AUTHORISATION_PREFIX.length() + 3
        || !authHeader64.startsWith(Http.HEADER_AUTHORISATION_PREFIX)) {
      LOG.info(
          "Auth failed: for={} header={} uri={}",
          new Object[] {req.getHeader("X-Forwarded-For"), authHeader64, req.getRequestURI()});
      send401(resp);
      return;
    }

    // Verify password.
    authHeader64 = authHeader64.substring(Http.HEADER_AUTHORISATION_PREFIX.length());
    String authHeader = B64Code.decode(authHeader64, (String) null);
    int x = authHeader.indexOf(':');
    String user = authHeader.substring(0, x);
    String pass = authHeader.substring(x + 1);
    if (user == null
        || pass == null
        || user.isEmpty()
        || pass.isEmpty()
        || !this.passwdChecker.verifyPasswd(req, user, pass)) {
      LOG.info(
          "Auth failed: for={} uri={} user={} pass={} check={}.",
          req.getHeader("X-Forwarded-For"),
          req.getRequestURI(),
          user,
          pass,
          this.passwdChecker);
      send401(resp);
      return;
    }

    chain.doFilter(request, response);
  }
예제 #3
0
  /**
   * @see org.eclipse.jetty.security.Authenticator#validateRequest(javax.servlet.ServletRequest,
   *     javax.servlet.ServletResponse, boolean)
   */
  public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
      throws ServerAuthException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);

    try {
      if (!mandatory) return new DeferredAuthentication(this);

      if (credentials != null) {
        int space = credentials.indexOf(' ');
        if (space > 0) {
          String method = credentials.substring(0, space);
          if ("basic".equalsIgnoreCase(method)) {
            credentials = credentials.substring(space + 1);
            credentials = B64Code.decode(credentials, StringUtil.__ISO_8859_1);
            int i = credentials.indexOf(':');
            if (i > 0) {
              String username = credentials.substring(0, i);
              String password = credentials.substring(i + 1);

              UserIdentity user = login(username, password, request);
              if (user != null) {
                return new UserAuthentication(getAuthMethod(), user);
              }
            }
          }
        }
      }

      if (DeferredAuthentication.isDeferred(response)) return Authentication.UNAUTHENTICATED;

      response.setHeader(
          HttpHeaders.WWW_AUTHENTICATE, "basic realm=\"" + _loginService.getName() + '"');
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return Authentication.SEND_CONTINUE;
    } catch (IOException e) {
      throw new ServerAuthException(e);
    }
  }