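/**
 * Completes a challenge-response authentication that was started by {@code handleAuthReq}.
 *
 * <p>The expected signature is recomputed as {@code generateHMacSHA256(secret, challenge)}
 * from the challenge stored on the session and the secret looked up for the session's
 * auth key, then compared with the client-supplied signature in constant time.
 *
 * @param clientSignature signature sent by the client; {@code null} is treated as a
 *        mismatch rather than raising a {@link NullPointerException}
 * @param message the call carrying the session being authenticated
 * @return {@code null} on success (the signature is recorded on the session)
 * @throws IllegalStateException if no challenge was issued for this session, no secret
 *         exists for the session's auth key, or the MAC cannot be computed
 * @throws SecurityException if the signature does not match; the pending auth state
 *         (auth key, challenge, signature) is cleared first so the same challenge
 *         cannot be retried
 */
@Override
public Object handleAuth(String clientSignature, CallMessage message) {
    WampSession wampSession = message.getWampSession();
    if (!wampSession.isAuthRequested()) {
        throw new IllegalStateException("No authentication previously requested");
    }
    final String correctSignature;
    try {
        final String secret = this.authenticationSecretProvider.getSecret(wampSession.getAuthKey());
        if (!StringUtils.hasText(secret)) {
            throw new IllegalStateException("Secret does not exist");
        }
        correctSignature = generateHMacSHA256(secret, wampSession.getChallenge());
    } catch (InvalidKeyException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("invalid key", e);
    }
    // Constant-time comparison: String.equals stops at the first differing character,
    // which leaks how many leading bytes of the MAC a caller got right. A null client
    // signature is simply a failed attempt, not an NPE.
    final boolean matches = clientSignature != null
            && java.security.MessageDigest.isEqual(
                    clientSignature.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    correctSignature.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (matches) {
        wampSession.setSignature(clientSignature);
        return null;
    }
    // Failed attempt: discard the issued challenge so it cannot be guessed at repeatedly.
    wampSession.setAuthKey(null);
    wampSession.setChallenge(null);
    wampSession.setSignature(null);
    throw new SecurityException("Signature for authentication request is invalid");
}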
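/**
 * Starts challenge-response authentication for the session behind {@code message}.
 *
 * <p>Verifies that a secret exists for {@code authKey}, issues a fresh challenge, records
 * the key and challenge on the session and returns the challenge for the client to sign
 * (see {@code handleAuth}).
 *
 * @param authKey client-supplied identifier of the secret to authenticate against
 * @param extra additional client-supplied parameters; not read by this implementation
 * @param message the call carrying the session to authenticate
 * @return the challenge string the client must sign
 * @throws IllegalStateException if the session already has an authentication in
 *         progress, no secret exists for {@code authKey}, or the MAC cannot be computed
 */
@Override
public Object handleAuthReq(String authKey, Map<String, Object> extra, CallMessage message) {
    WampSession wampSession = message.getWampSession();
    if (wampSession.isAuthRequested()) {
        throw new IllegalStateException("Already authenticated");
    }
    // Same "has text" rule as handleAuth, so an empty secret is rejected here rather than
    // after a challenge has already been handed out; a null authKey is rejected before it
    // reaches the provider.
    if (!StringUtils.hasText(authKey)
            || !StringUtils.hasText(this.authenticationSecretProvider.getSecret(authKey))) {
        throw new IllegalStateException("Secret key does not exist");
    }
    try {
        // The challenge must be unique and unguessable. Session id and wall-clock time are
        // observable and authKey is client-supplied, so none of them are secret; the
        // SecureRandom-backed UUID supplies the unpredictability.
        final String nonce = message.getWebSocketSessionId()
                + System.currentTimeMillis()
                + java.util.UUID.randomUUID();
        final String challenge = generateHMacSHA256(nonce, authKey);
        wampSession.setAuthKey(authKey);
        wampSession.setChallenge(challenge);
        return challenge;
    } catch (InvalidKeyException | NoSuchAlgorithmException e) {
        throw new IllegalStateException("invalid key", e);
    }
}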