From 53fa6a04810f2cd4366d3821efd8497e2479d0f8 Mon Sep 17 00:00:00 2001
From: Jan Bartel
Date: Tue, 4 Oct 2011 14:31:34 +1100
Subject: [PATCH] Hooked up the LoginCallbackImpl inside ServletCallbackHandler as the FormAuthModule appears to expect to see it; made JaspiAuthenticator return Deferred IFF !mandatory && allowLazyAuth && auth module returned UNAUTHENTICATED. This hinges on the fact that an auth module who is prepared to skip doing authentication (because !mandatory) must return AuthStatus.SUCCESS, which JaspiAuthenticator turns into Authentication.UNAUTHENTICATED.
---
 .../security/jaspi/JaspiAuthenticator.java | 19 +-
 .../jaspi/ServletCallbackHandler.java | 3 +-
 .../jaspi/modules/BaseAuthModule.java | 1 +
 .../jaspi/modules/FormAuthModule.java | 173 ++++-------------
 4 files changed, 52 insertions(+), 144 deletions(-)
diff --git a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java
index 1b065287658..6d0e6963e9a 100644
--- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java
+++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/JaspiAuthenticator.java
@@ -81,21 +81,27 @@ public class JaspiAuthenticator implements Authenticator
 public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
 {
- System.err.println("JaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
- + "lazy="
+ System.err.println("\nJaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
+ + " lazy="
 + _allowLazyAuthentication
 + " mandatory="
 + mandatory);
- new Throwable().printStackTrace();
-
-
+
 JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
 request.setAttribute("org.eclipse.jetty.security.jaspi.info", info);
+
 //TODO janb - removed deferred authentication temporarily
 /* if (_allowLazyAuthentication && !mandatory) return _deferred;*/
- return validateRequest(info);
+ Authentication a = validateRequest(info);
+
+ //if its not mandatory to authenticate, and the authenticator returned UNAUTHENTICATED, we treat it as authentication deferred
+ if (_allowLazyAuthentication && !info.isAuthMandatory() && a == Authentication.UNAUTHENTICATED)
+ a =_deferred;
+
+ System.err.println("JaspiAuthenticator.validateRequest returning "+a);
+ return a;
 }
 // most likely validatedUser is not needed here.
@@ -108,6 +114,7 @@ public class JaspiAuthenticator implements Authenticator
 return secureResponse(info, validatedUser);
 }
+
 public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
 {
 try
diff --git a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java
index d11a8d9bc84..44dbda13e3b 100644
--- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java
+++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/ServletCallbackHandler.java
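Review bot: The `System.err.println` calls added at the top and bottom of validateRequest write the request URI and the resulting Authentication to stderr for every request, unconditionally; in an authentication path this diagnostic output should go through the class's logger at debug level, guarded so it is off by default, rather than to stderr where it cannot be filtered or switched off in production. The same applies to the `System.err.println` lines this commit adds to BaseAuthModule.validateRequest and to FormAuthModule.validateRequest and tryLogin. The deferral rule on the new `if` depends on an unstated contract with the modules — that a module skipping authentication for a non-mandatory request returns AuthStatus.SUCCESS, which validateRequest(info) maps to UNAUTHENTICATED — so a comment such as `// relies on modules returning AuthStatus.SUCCESS (-> UNAUTHENTICATED) when they skip auth for a non-mandatory request` would keep a future module from silently breaking it. The now-superseded commented-out `/* if (_allowLazyAuthentication && !mandatory) return _deferred;*/` block can be deleted.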
@@ -90,8 +90,9 @@ public class ServletCallbackHandler implements CallbackHandler
 if (user!=null)
 {
+ loginCallback.setUserPrincipal(user.getUserPrincipal());
+ credentialValidationCallback.getSubject().getPrivateCredentials().add(loginCallback);
 credentialValidationCallback.setResult(true);
- credentialValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
 credentialValidationCallback.getSubject().getPrivateCredentials().add(user);
 }
diff --git a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/BaseAuthModule.java b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/BaseAuthModule.java
index 3908ec7064d..7099661a4da 100644
--- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/BaseAuthModule.java
+++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/BaseAuthModule.java
@@ -131,6 +131,7 @@ public class BaseAuthModule implements ServerAuthModule, ServerAuthContext
 if (credValidationCallback.getResult())
 {
 Set loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
+ System.err.println("LoginCallbackImpls.isEmpty="+loginCallbacks.isEmpty());
 if (!loginCallbacks.isEmpty())
 {
 LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
diff --git a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/FormAuthModule.java b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/FormAuthModule.java
index 88ce65e3526..fa2b5bb3a85 100644
--- a/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/FormAuthModule.java
+++ b/jetty-jaspi/src/main/java/org/eclipse/jetty/security/jaspi/modules/FormAuthModule.java
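Review bot: The added `credentialValidationCallback.getSubject().getPrivateCredentials().add(loginCallback)` stores the LoginCallbackImpl in the client Subject, and `loginCallback` is constructed outside this hunk; if it carries the submitted password (it is the object BaseAuthModule now fetches via `getPrivateCredentials(LoginCallbackImpl.class)` in this same commit), that cleartext credential is retained for the Subject's lifetime unless the consumer clears it after use. Either clear the credential once the module has consumed it, or store only the principal here. Removing `getPrincipals().addAll(user.getSubject().getPrincipals())` also means the Subject no longer receives the user's principals from this handler; presumably the module now derives them from the LoginCallbackImpl, and a comment on the added line saying so, e.g. `// principals are now applied by the auth module from this LoginCallbackImpl`, would make the hand-off explicit. The enclosing method starts outside the hunk.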
@@ -146,40 +146,50 @@ public class FormAuthModule extends BaseAuthModule
 @Override
 public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException
 {
- System.err.println("FormAuthModule.validateRequest(info,subject,serviceSubject)");
+
 HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
 HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
- HttpSession session = request.getSession(isMandatory(messageInfo));
 String uri = request.getRequestURI();
- // not mandatory and not authenticated
- if (session == null || isLoginOrErrorPage(uri)) return AuthStatus.SUCCESS;
+ if (uri==null)
+ uri=URIUtil.SLASH;
+
+ boolean mandatory = isMandatory(messageInfo);
+ mandatory |= isJSecurityCheck(uri);
+ HttpSession session = request.getSession(mandatory);
+
+ System.err.println("FormAuthModule.validateRequest(info,subject,serviceSubject) for uri="+uri+" mandatory="+mandatory+" isLoginOrError="+isLoginOrErrorPage(uri));
+
+ // not mandatory or its the login or login error page don't authenticate
+ if (!mandatory || isLoginOrErrorPage(uri)) return AuthStatus.SUCCESS;
- System.err.println("FormAuthModule.validateRequest(info,subect,serviceSubject), uri="+uri);
 try
 {
 // Handle a request for authentication.
- // TODO perhaps j_securitycheck can be uri suffix?
- if (uri != null && isJSecurityCheck(uri))
+ if (isJSecurityCheck(uri))
 {
-
 final String username = request.getParameter(__J_USERNAME);
 final String password = request.getParameter(__J_PASSWORD);
 System.err.println("Try login username="+username+" password="+password);
 boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
 if (success)
 {
- // Redirect to original request
- String nuri = (String) session.getAttribute(__J_URI);
+ // Redirect to original request
+ String nuri=null;
+ synchronized(session)
+ {
+ nuri = (String) session.getAttribute(__J_URI);
+ }
+
 if (nuri == null || nuri.length() == 0)
 {
 nuri = request.getContextPath();
- if (nuri.length() == 0) nuri = URIUtil.SLASH;
+ if (nuri.length() == 0)
+ nuri = URIUtil.SLASH;
 }
- session.removeAttribute(__J_URI); // Remove popped return
- // URI.
- response.setContentLength(0);
+
+ System.err.println("FormAuthModule succesful login, sending redirect to "+nuri);
+ response.setContentLength(0);
 response.sendRedirect(response.encodeRedirectURL(nuri)); - return AuthStatus.SEND_CONTINUE;
 }
 // not authenticated
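Review bot: The context line `System.err.println("Try login username="+username+" password="+password);` writes the submitted cleartext password to stderr on every j_security_check request; it predates this commit, but the block around it is rewritten here and it is kept, as is `form.pwd="+new String(form_cred._jPassword)` in the next hunk, and both should be removed or reduced to the username. The new success path also drops `session.removeAttribute(__J_URI)` without a replacement, so the saved return URI now stays in the session after the redirect; if that is unintended, remove it inside the new `synchronized(session)` block: `nuri = (String) session.getAttribute(__J_URI); session.removeAttribute(__J_URI);`. With `mandatory |= isJSecurityCheck(uri)`, `request.getSession(mandatory)` now creates a session for any j_security_check request before the credentials are checked; if that is deliberate, a one-line comment saying so would save the next reader from second-guessing it. validateRequest continues past the end of this hunk.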
@@ -205,88 +215,6 @@ public class FormAuthModule extends BaseAuthModule
 System.err.println("Form cred: form.username="+form_cred._jUserName+" form.pwd="+new String(form_cred._jPassword));
 boolean success = tryLogin(messageInfo, clientSubject, response, session, form_cred._jUserName, new Password(new String(form_cred._jPassword)));
 if (success) { return AuthStatus.SUCCESS; }
- // CallbackHandler loginCallbackHandler = new
- // UserPasswordCallbackHandler(form_cred._jUserName,
- // form_cred._jPassword);
- // LoginResult loginResult = loginService.login(clientSubject,
- // loginCallbackHandler);
- // //TODO what should happen if !isMandatory but credentials
- // exist and are wrong?
- // if (loginResult.isSuccess())
- // {
- // callbackHandler.handle(new
- // Callback[]{loginResult.getCallerPrincipalCallback(),
- // loginResult.getGroupPrincipalCallback()});
- // messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
- // Constraint.__FORM_AUTH);
- //
- // form_cred = new FormCredential(form_cred._jUserName,
- // form_cred._jPassword,
- // loginResult.getCallerPrincipalCallback().getPrincipal());
- //
- // session.setAttribute(__J_AUTHENTICATED, form_cred);
- // if (ssoSource != null && ssoSource.fetch(request) == null)
- // {
- // UserInfo userInfo = new UserInfo(form_cred._jUserName,
- // form_cred._jPassword);
- // ssoSource.store(userInfo, response);
- // }
- // messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
- // Constraint.__FORM_AUTH);
- // return AuthStatus.SUCCESS;
- // }
-
- // // We have a form credential. Has it been distributed?
- // if (form_cred._userPrincipal==null)
- // {
- // // This form_cred appears to have been distributed.
Need to
- // reauth
- // form_cred.authenticate(realm, request);
- //
- // // Sign-on to SSO mechanism
- // if (form_cred._userPrincipal!=null && realm instanceof
- // SSORealm)
- // ((SSORealm)realm).setSingleSignOn(request,response,form_cred._userPrincipal,new
- // Password(form_cred._jPassword));
- //
- // }
- // else if (!realm.reauthenticate(form_cred._userPrincipal))
- // // Else check that it is still authenticated.
- // form_cred._userPrincipal=null;
- //
- // // If this credential is still authenticated
- // if (form_cred._userPrincipal!=null)
- // {
- // if(LOG.isDebugEnabled())LOG.debug("FORM Authenticated for
- // "+form_cred._userPrincipal.getName());
- // request.setAuthType(Constraint.__FORM_AUTH);
- // //jaspi
- // // request.setUserPrincipal(form_cred._userPrincipal);
- // return form_cred._userPrincipal;
- // }
- // else
- // session.setAttribute(__J_AUTHENTICATED,null);
- // }
- // else if (realm instanceof SSORealm)
- // {
- // // Try a single sign on.
- // Credential cred =
- // ((SSORealm)realm).getSingleSignOn(request,response);
- //
- // if (request.getUserPrincipal()!=null)
- // {
- // form_cred=new FormCredential();
- // form_cred._userPrincipal=request.getUserPrincipal();
- // form_cred._jUserName=form_cred._userPrincipal.getName();
- // if (cred!=null)
- // form_cred._jPassword=cred.toString();
- // if(LOG.isDebugEnabled())LOG.debug("SSO for
- // "+form_cred._userPrincipal);
- //
- // request.setAuthType(Constraint.__FORM_AUTH);
- // session.setAttribute(__J_AUTHENTICATED,form_cred);
- // return form_cred._userPrincipal;
- // }
 }
 else if (ssoSource != null)
 {
@@ -298,19 +226,17 @@ public class FormAuthModule extends BaseAuthModule
 }
 }
- // Don't authenticate authform or errorpage
- if (!isMandatory(messageInfo) || isLoginOrErrorPage(uri))
- // TODO verify this is correct action
- return AuthStatus.SUCCESS;
+ // redirect to login page
+ StringBuffer buf = request.getRequestURL();
+ if (request.getQueryString() != null)
+ buf.append("?").append(request.getQueryString());
- // redirect to login page
- System.err.println("Redirecting to login page");
- if (request.getQueryString() != null) uri += "?" + request.getQueryString();
- session.setAttribute(__J_URI, request.getScheme() + "://"
- + request.getServerName()
- + ":"
- + request.getServerPort()
- + URIUtil.addPaths(request.getContextPath(), uri));
+ synchronized (session)
+ {
+ session.setAttribute(__J_URI, buf.toString());
+ }
+
+ System.err.println("Redirecting to login page "+_formLoginPage+" and remembering juri="+buf.toString());
 response.setContentLength(0);
 response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
 return AuthStatus.SEND_CONTINUE;
@@ -349,6 +275,7 @@ public class FormAuthModule extends BaseAuthModule
 {
 char[] pwdChars = password.toString().toCharArray();
 Set loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
+ System.err.println("FormAuthModule, LoginCallbackImpl.isEmpty="+loginCallbacks.isEmpty());
 if (!loginCallbacks.isEmpty())
 {
 LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
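Review bot: The new code saves `request.getRequestURL()` plus the query string under `__J_URI`, and the earlier hunk later redirects to that value as-is; `getRequestURL()` derives scheme and host from the incoming request (typically the Host header), so the post-login redirect target is request-supplied rather than server-configured, which was equally true of the `getServerName()`/`getServerPort()` concatenation it replaces. Storing the context-relative path instead (`URIUtil.addPaths(request.getContextPath(), uri)` plus the query string) and letting `response.sendRedirect` resolve it against the server removes that dependency; alternatively the saved value can be checked against the server's own scheme and host before it is used. The `System.err.println` on this path also echoes the full saved URI to stderr and belongs in a debug log. The `synchronized (session)` write is consistent with the read added in the earlier hunk; tryLogin in the second hunk starts outside it.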
@@ -366,34 +293,6 @@ public class FormAuthModule extends BaseAuthModule
 return true;
 }
 return false;
- // LoginCallback loginCallback = new
- // LoginCallback(clientSubject,
- // username, password);
- // loginService.login(loginCallback);
- // if (loginCallback.isSuccess())
- // {
- // CallerPrincipalCallback callerPrincipalCallback = new
- // CallerPrincipalCallback(clientSubject,
- // loginCallback.getUserPrincipal());
- // GroupPrincipalCallback groupPrincipalCallback = new
- // GroupPrincipalCallback(clientSubject,
- // loginCallback.getGroups().toArray(new
- // String[loginCallback.getGroups().size()]));
- // callbackHandler.handle(new Callback[] {callerPrincipalCallback,
- // groupPrincipalCallback});
- // messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
- // Constraint.__FORM_AUTH);
- // FormCredential form_cred = new FormCredential(username, password,
- // loginCallback.getUserPrincipal());
- //
- // session.setAttribute(__J_AUTHENTICATED, form_cred);
- // // Sign-on to SSO mechanism
- // if (ssoSource != null)
- // {
- // UserInfo userInfo = new UserInfo(username, password);
- // ssoSource.store(userInfo, response);
- // }
- // }
- // return loginCallback.isSuccess();
 }
 public boolean isLoginOrErrorPage(String pathInContext)