/**
   * Validates the request by checking for the presence of a pre-configured attribute in the
   * ServletRequest.
   *
   * @param messageInfo {@inheritDoc}
   * @param clientSubject {@inheritDoc}
   * @param serviceSubject {@inheritDoc}
   * @return {@inheritDoc}
   */
  @Override
  public Promise<AuthStatus, AuthenticationException> validateRequest(
      MessageInfoContext messageInfo, Subject clientSubject, Subject serviceSubject) {

    SecurityContextMapper securityContextMapper =
        SecurityContextMapper.fromMessageInfo(messageInfo);
    final JsonValue attributes =
        json(messageInfo.asContext(AttributesContext.class).getAttributes());

    if (attributes.isDefined(authenticationIdAttribute)
        && attributes.get(authenticationIdAttribute).isString()) {
      final String authenticationId = attributes.get(authenticationIdAttribute).asString();
      securityContextMapper.setAuthenticationId(authenticationId);
      clientSubject
          .getPrincipals()
          .add(
              new Principal() {
                public String getName() {
                  return authenticationId;
                }
              });
      return newResultPromise(SUCCESS);
    } else {
      return newResultPromise(SEND_FAILURE);
    }
  }
  private boolean authenticate(Credential credential, SecurityContextMapper securityContextMapper)
      throws AuthException {

    if (!credential.isComplete()) {
      logger.debug("Failed authentication, missing or empty headers");
      return false;
    }

    // set the authenticationId of the user that is trying to authenticate
    securityContextMapper.setAuthenticationId(credential.username);

    try {
      return authenticator.authenticate(
          credential.username,
          credential.password,
          authnFilterHelper.getRouter().createServerContext());
    } catch (ResourceException e) {
      logger.debug(
          "Failed delegated authentication of {} on {}.", credential.username, queryOnResource, e);
      if (e.isServerError()) { // HTTP server-side error
        throw new JaspiAuthException(
            "Failed delegated authentication of " + credential.username + " on " + queryOnResource,
            e);
      }
      // authentication failed
      return false;
    }
  }
  /**
   * Validates the client's request by passing through the request to be authenticated against a
   * OpenICF Connector.
   *
   * @param messageInfo {@inheritDoc}
   * @param clientSubject {@inheritDoc}
   * @param serviceSubject {@inheritDoc}
   * @return {@inheritDoc}
   * @throws AuthException If there is a problem performing the authentication.
   */
  @Override
  public AuthStatus validateRequest(
      MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {

    logger.debug("DelegatedAuthModule: validateRequest START");

    SecurityContextMapper securityContextMapper =
        SecurityContextMapper.fromMessageInfo(messageInfo);
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();

    try {
      logger.debug("DelegatedAuthModule: Delegating call to remote authentication");

      if (authenticate(HEADER_AUTH_CRED_HELPER.getCredential(request), securityContextMapper)
          || authenticate(BASIC_AUTH_CRED_HELPER.getCredential(request), securityContextMapper)) {

        logger.debug("DelegatedAuthModule: Authentication successful");

        final String authcid = securityContextMapper.getAuthenticationId();
        clientSubject
            .getPrincipals()
            .add(
                new Principal() {
                  public String getName() {
                    return authcid;
                  }
                });

        // Auth success will be logged in IDMJaspiModuleWrapper
        return AuthStatus.SUCCESS;
      } else {
        logger.debug("DelegatedAuthModule: Authentication failed");
        return AuthStatus.SEND_FAILURE;
      }
    } finally {
      logger.debug("DelegatedAuthModule: validateRequest END");
    }
  }
Exemplo n.º 4
0
  /**
   * Performs the calculation of roles based on the userRoles property in the configuration and the
   * retrieved user object.
   *
   * @param principal The principal.
   * @param securityContextMapper The message info instance.
   * @param resource the retrieved resource for the principal.
   * @return A SecurityContextMapper instance containing the authentication context information.
   */
  public void calculateRoles(
      String principal, SecurityContextMapper securityContextMapper, ResourceResponse resource) {

    // Set roles from retrieved object:
    if (resource != null) {
      final JsonValue userDetail = resource.getContent();

      // support reading roles from property in object
      if (userRoles != null && !userDetail.get(userRoles).isNull()) {
        if (userDetail.get(userRoles).isString()) {
          for (String role : userDetail.get(userRoles).asString().split(",")) {
            securityContextMapper.addRole(role);
          }
        } else if (userDetail.get(userRoles).isList()) {
          for (JsonValue role : userDetail.get(userRoles)) {
            if (RelationshipUtil.isRelationship(role)) {
              // Role is specified as a relationship Object
              JsonPointer roleId =
                  new JsonPointer(role.get(RelationshipUtil.REFERENCE_ID).asString());
              securityContextMapper.addRole(roleId.leaf());
            } else {
              // Role is specified as a String
              securityContextMapper.addRole(role.asString());
            }
          }
        } else {
          logger.warn(
              "Unknown roles type retrieved from user query, expected collection: {} type: {}",
              userRoles,
              userDetail.get(userRoles).getObject().getClass());
        }
      }

      // Roles are now set.
      // Note: roles can be further augmented with a script if more complex behavior is desired

      logger.debug(
          "Used {}object property to update context for {} with userid : {}, roles : {}",
          userRoles != null ? (userRoles + " ") : "",
          securityContextMapper.getAuthenticationId(),
          securityContextMapper.getUserId(),
          securityContextMapper.getRoles());
    }
  }