private void validateResponse(ClientUpgradeResponse response) {
    // Sec-WebSocket-Accept must be the hash of the key we sent in the upgrade
    // request; validateWebSocketHash presumably rejects a mismatch — verify.
    String acceptHash = AcceptHash.hashKey(request.getKey());
    response.validateWebSocketHash(acceptHash);

    // Sec-WebSocket-Extensions may arrive on several header lines, each a
    // comma-separated list; every entry is parsed into one ExtensionConfig.
    // NOTE(review): nothing here checks the server's list against the
    // extensions offered in the request — confirm that happens downstream.
    List<ExtensionConfig> negotiated = new ArrayList<>();
    List<String> headerValues = response.getHeaders("Sec-WebSocket-Extensions");
    if (headerValues != null) {
      for (String headerValue : headerValues) {
        QuotedStringTokenizer tokenizer = new QuotedStringTokenizer(headerValue, ",");
        while (tokenizer.hasMoreTokens()) {
          negotiated.add(ExtensionConfig.parse(tokenizer.nextToken()));
        }
      }
    }
    response.setExtensions(negotiated);
  }
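  /**
   * Performs HTTP Digest authentication for one request (JASPI entry point).
   *
   * <p>Parses the {@code Authorization: Digest ...} header into a {@link Digest}, checks the
   * nonce with {@link #checkNonce}, and on success logs the subject in via {@link #login}. When
   * no acceptable credentials are present and authentication is mandatory, a
   * {@code WWW-Authenticate} digest challenge with a fresh nonce is written and the response is
   * sent as 401.
   *
   * @param messageInfo carries the servlet request and response
   * @param clientSubject the subject populated on successful login
   * @param serviceSubject not used by this module
   * @return {@code SUCCESS} when the user is authenticated or authentication is not mandatory;
   *     {@code SEND_CONTINUE} after a challenge has been written to the response
   * @throws AuthException if writing the challenge or the login callback fails; the original
   *     exception is attached as the cause
   */
  @Override
  public AuthStatus validateRequest(
      MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
    HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
    HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
    String credentials = request.getHeader(HttpHeader.AUTHORIZATION.asString());

    try {
      boolean stale = false;
      // TODO extract from request
      long timestamp = System.currentTimeMillis();
      if (credentials != null) {
        // The complete Authorization header (nonce, cnonce, response hash) goes to the
        // debug log; it is replay material, so DEBUG should stay off on production servers.
        if (LOG.isDebugEnabled()) LOG.debug("Credentials: " + credentials);
        // Delimiters are returned as tokens (third argument) so the loop below can tell
        // names from values; quotes are stripped from quoted values (fourth argument).
        QuotedStringTokenizer tokenizer =
            new QuotedStringTokenizer(credentials, "=, ", true, false);
        final Digest digest = new Digest(request.getMethod());
        String last = null;
        String name = null;

        while (tokenizer.hasMoreTokens()) {
          String tok = tokenizer.nextToken();
          char c = (tok.length() == 1) ? tok.charAt(0) : '\0';

          switch (c) {
            case '=':
              // The token seen just before '=' is the parameter name.
              name = last;
              last = tok;
              break;
            case ',':
              // End of one parameter: drop the name, then fall through and skip the separator.
              name = null;
            case ' ':
              break;

            default:
              last = tok;
              // Only the first value after "name=" is stored; unknown names are ignored.
              if (name != null) {
                if ("username".equalsIgnoreCase(name)) digest.username = tok;
                else if ("realm".equalsIgnoreCase(name)) digest.realm = tok;
                else if ("nonce".equalsIgnoreCase(name)) digest.nonce = tok;
                else if ("nc".equalsIgnoreCase(name)) digest.nc = tok;
                else if ("cnonce".equalsIgnoreCase(name)) digest.cnonce = tok;
                else if ("qop".equalsIgnoreCase(name)) digest.qop = tok;
                else if ("uri".equalsIgnoreCase(name)) digest.uri = tok;
                else if ("response".equalsIgnoreCase(name)) digest.response = tok;
                break;
              }
          }
        }

        // checkNonce result: > 0 the nonce is acceptable and login is attempted; == 0 it has
        // expired, so the client is re-challenged with stale=true and may retry without
        // re-prompting; anything else falls through to a plain challenge.
        int n = checkNonce(digest.nonce, timestamp);

        if (n > 0) {
          if (login(
              clientSubject, digest.username, digest, Constraint.__DIGEST_AUTH, messageInfo)) {
            return AuthStatus.SUCCESS;
          }
        } else if (n == 0) stale = true;
      }

      if (!isMandatory(messageInfo)) {
        return AuthStatus.SUCCESS;
      }
      String domain = request.getContextPath();
      if (domain == null) domain = "/";
      response.setHeader(
          HttpHeader.WWW_AUTHENTICATE.asString(),
          "Digest realm=\""
              + realmName
              + "\", domain=\""
              + domain
              + "\", nonce=\""
              + newNonce(timestamp)
              + "\", algorithm=MD5, qop=\"auth\""
              // Challenge parameters form a comma-separated list (RFC 2617 section 3.2.1),
              // so the optional stale flag needs its own separator.
              + (useStale ? (", stale=" + stale) : ""));
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return AuthStatus.SEND_CONTINUE;
    } catch (IOException e) {
      // AuthException(String) alone would discard the stack trace; attach the cause.
      AuthException authException = new AuthException(e.getMessage());
      authException.initCause(e);
      throw authException;
    } catch (UnsupportedCallbackException e) {
      AuthException authException = new AuthException(e.getMessage());
      authException.initCause(e);
      throw authException;
    }
  }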
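  /**
   * Performs HTTP Digest authentication for one request.
   *
   * <p>Parses the {@code Authorization: Digest ...} header into a {@link Digest}, checks the
   * nonce with {@link #checkNonce}, and on success asks the login service for the user. When no
   * acceptable credentials are present and the authentication is not deferred, a
   * {@code WWW-Authenticate} digest challenge with a fresh nonce is written with status 401.
   *
   * @param req the servlet request; cast to {@link HttpServletRequest}
   * @param res the servlet response; cast to {@link HttpServletResponse}
   * @param mandatory whether authentication is required for this request; when false the
   *     deferred authentication is returned without inspecting the header
   * @return a {@link UserAuthentication} on success, {@code SEND_CONTINUE} after a challenge was
   *     written, {@code UNAUTHENTICATED} when the challenge was deferred, or {@code _deferred}
   *     when authentication is not mandatory
   * @throws ServerAuthException wrapping any failure while parsing the header, checking the
   *     nonce or logging in
   */
  public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
      throws ServerAuthException {
    if (!mandatory) {
      return _deferred;
    }

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String credentials = request.getHeader(HttpHeaders.AUTHORIZATION);

    try {
      boolean stale = false;
      if (credentials != null) {
        // The complete Authorization header (nonce, cnonce, response hash) goes to the
        // debug log; it is replay material, so DEBUG should stay off on production servers.
        if (Log.isDebugEnabled()) {
          Log.debug("Credentials: " + credentials);
        }
        // Delimiters are returned as tokens (third argument) so the loop below can tell
        // names from values; quotes are stripped from quoted values (fourth argument).
        QuotedStringTokenizer tokenizer =
            new QuotedStringTokenizer(credentials, "=, ", true, false);
        final Digest digest = new Digest(request.getMethod());
        String last = null;
        String name = null;

        while (tokenizer.hasMoreTokens()) {
          String tok = tokenizer.nextToken();
          char c = (tok.length() == 1) ? tok.charAt(0) : '\0';

          switch (c) {
            case '=':
              // The token seen just before '=' is the parameter name.
              name = last;
              last = tok;
              break;
            case ',':
              // End of one parameter: drop the name, then fall through and skip the separator.
              name = null;
            case ' ':
              break;

            default:
              last = tok;
              // Only the first value after "name=" is stored; unknown names are ignored.
              if (name != null) {
                if ("username".equalsIgnoreCase(name)) {
                  digest.username = tok;
                } else if ("realm".equalsIgnoreCase(name)) {
                  digest.realm = tok;
                } else if ("nonce".equalsIgnoreCase(name)) {
                  digest.nonce = tok;
                } else if ("nc".equalsIgnoreCase(name)) {
                  digest.nc = tok;
                } else if ("cnonce".equalsIgnoreCase(name)) {
                  digest.cnonce = tok;
                } else if ("qop".equalsIgnoreCase(name)) {
                  digest.qop = tok;
                } else if ("uri".equalsIgnoreCase(name)) {
                  digest.uri = tok;
                } else if ("response".equalsIgnoreCase(name)) {
                  digest.response = tok;
                }
                break;
              }
          }
        }

        // checkNonce result: > 0 the nonce is acceptable and login is attempted; == 0 it has
        // expired, so the client is re-challenged with stale=true and may retry without
        // re-prompting; anything else falls through to a plain challenge.
        int n = checkNonce(digest.nonce, (Request) request);

        if (n > 0) {
          UserIdentity user = _loginService.login(digest.username, digest);
          if (user != null) {
            return new UserAuthentication(getAuthMethod(), user);
          }
        } else if (n == 0) {
          stale = true;
        }
      }

      if (!_deferred.isDeferred(response)) {
        String domain = request.getContextPath();
        if (domain == null) {
          domain = "/";
        }
        response.setHeader(
            HttpHeaders.WWW_AUTHENTICATE,
            "Digest realm=\""
                + _loginService.getName()
                + "\", domain=\""
                + domain
                + "\", nonce=\""
                + newNonce((Request) request)
                + "\", algorithm=MD5, qop=\"auth\""
                // Challenge parameters form a comma-separated list (RFC 2617 section 3.2.1),
                // so the optional stale flag needs its own separator.
                + (_useStale ? (", stale=" + stale) : ""));
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        return Authentication.SEND_CONTINUE;
      }

      return Authentication.UNAUTHENTICATED;
    } catch (Exception e) {
      // Boundary: anything that goes wrong during parsing, nonce check or login is reported
      // as a ServerAuthException with the original exception kept as the cause.
      throw new ServerAuthException(e);
    }
  }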