Hooked up the LoginCallbackImpl inside ServletCallbackHandler as the FormAuthModule appears to expect to see it; made JaspiAuthenticator return Deferred IFF !mandatory && allowLazyAuth && auth module returned UNAUTHENTICATED. This hinges on the fact that an auth module who is prepared to skip doing authentication (because !mandatory) must return AuthStatus.SUCCESS, which JaspiAuthenticator turns into Authentication.UNAUTHENTICATED.
This commit is contained in:
parent
1d6d2b46de
commit
53fa6a0481
|
@ -81,21 +81,27 @@ public class JaspiAuthenticator implements Authenticator
|
||||||
|
|
||||||
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
|
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException
|
||||||
{
|
{
|
||||||
System.err.println("JaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
|
System.err.println("\nJaspiAuthenticator.validateRequest, uri=" + ((javax.servlet.http.HttpServletRequest) request).getRequestURI()
|
||||||
+ "lazy="
|
+ " lazy="
|
||||||
+ _allowLazyAuthentication
|
+ _allowLazyAuthentication
|
||||||
+ " mandatory="
|
+ " mandatory="
|
||||||
+ mandatory);
|
+ mandatory);
|
||||||
new Throwable().printStackTrace();
|
|
||||||
|
|
||||||
|
|
||||||
JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
|
JaspiMessageInfo info = new JaspiMessageInfo(request, response, mandatory);
|
||||||
request.setAttribute("org.eclipse.jetty.security.jaspi.info", info);
|
request.setAttribute("org.eclipse.jetty.security.jaspi.info", info);
|
||||||
|
|
||||||
|
//TODO janb - removed deferred authentication temporarily
|
||||||
/* if (_allowLazyAuthentication && !mandatory)
|
/* if (_allowLazyAuthentication && !mandatory)
|
||||||
return _deferred;*/
|
return _deferred;*/
|
||||||
|
|
||||||
return validateRequest(info);
|
Authentication a = validateRequest(info);
|
||||||
|
|
||||||
|
//if its not mandatory to authenticate, and the authenticator returned UNAUTHENTICATED, we treat it as authentication deferred
|
||||||
|
if (_allowLazyAuthentication && !info.isAuthMandatory() && a == Authentication.UNAUTHENTICATED)
|
||||||
|
a =_deferred;
|
||||||
|
|
||||||
|
System.err.println("JaspiAuthenticator.validateRequest returning "+a);
|
||||||
|
return a;
|
||||||
}
|
}
|
||||||
|
|
||||||
// most likely validatedUser is not needed here.
|
// most likely validatedUser is not needed here.
|
||||||
|
@ -108,6 +114,7 @@ public class JaspiAuthenticator implements Authenticator
|
||||||
return secureResponse(info, validatedUser);
|
return secureResponse(info, validatedUser);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
|
public Authentication validateRequest(JaspiMessageInfo messageInfo) throws ServerAuthException
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
|
|
|
@ -90,8 +90,9 @@ public class ServletCallbackHandler implements CallbackHandler
|
||||||
|
|
||||||
if (user!=null)
|
if (user!=null)
|
||||||
{
|
{
|
||||||
|
loginCallback.setUserPrincipal(user.getUserPrincipal());
|
||||||
|
credentialValidationCallback.getSubject().getPrivateCredentials().add(loginCallback);
|
||||||
credentialValidationCallback.setResult(true);
|
credentialValidationCallback.setResult(true);
|
||||||
|
|
||||||
credentialValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
|
credentialValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
|
||||||
credentialValidationCallback.getSubject().getPrivateCredentials().add(user);
|
credentialValidationCallback.getSubject().getPrivateCredentials().add(user);
|
||||||
}
|
}
|
||||||
|
|
|
@ -131,6 +131,7 @@ public class BaseAuthModule implements ServerAuthModule, ServerAuthContext
|
||||||
if (credValidationCallback.getResult())
|
if (credValidationCallback.getResult())
|
||||||
{
|
{
|
||||||
Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
|
Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
|
||||||
|
System.err.println("LoginCallbackImpls.isEmpty="+loginCallbacks.isEmpty());
|
||||||
if (!loginCallbacks.isEmpty())
|
if (!loginCallbacks.isEmpty())
|
||||||
{
|
{
|
||||||
LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
|
LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
|
||||||
|
|
|
@ -146,40 +146,50 @@ public class FormAuthModule extends BaseAuthModule
|
||||||
@Override
|
@Override
|
||||||
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException
|
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException
|
||||||
{
|
{
|
||||||
System.err.println("FormAuthModule.validateRequest(info,subject,serviceSubject)");
|
|
||||||
HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
|
HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
|
||||||
HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
|
HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
|
||||||
HttpSession session = request.getSession(isMandatory(messageInfo));
|
|
||||||
String uri = request.getRequestURI();
|
String uri = request.getRequestURI();
|
||||||
// not mandatory and not authenticated
|
if (uri==null)
|
||||||
if (session == null || isLoginOrErrorPage(uri)) return AuthStatus.SUCCESS;
|
uri=URIUtil.SLASH;
|
||||||
|
|
||||||
|
boolean mandatory = isMandatory(messageInfo);
|
||||||
|
mandatory |= isJSecurityCheck(uri);
|
||||||
|
HttpSession session = request.getSession(mandatory);
|
||||||
|
|
||||||
|
System.err.println("FormAuthModule.validateRequest(info,subject,serviceSubject) for uri="+uri+" mandatory="+mandatory+" isLoginOrError="+isLoginOrErrorPage(uri));
|
||||||
|
|
||||||
|
// not mandatory or its the login or login error page don't authenticate
|
||||||
|
if (!mandatory || isLoginOrErrorPage(uri)) return AuthStatus.SUCCESS;
|
||||||
|
|
||||||
System.err.println("FormAuthModule.validateRequest(info,subect,serviceSubject), uri="+uri);
|
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
// Handle a request for authentication.
|
// Handle a request for authentication.
|
||||||
// TODO perhaps j_securitycheck can be uri suffix?
|
if (isJSecurityCheck(uri))
|
||||||
if (uri != null && isJSecurityCheck(uri))
|
|
||||||
{
|
{
|
||||||
|
|
||||||
final String username = request.getParameter(__J_USERNAME);
|
final String username = request.getParameter(__J_USERNAME);
|
||||||
final String password = request.getParameter(__J_PASSWORD);
|
final String password = request.getParameter(__J_PASSWORD);
|
||||||
System.err.println("Try login username="+username+" password="+password);
|
System.err.println("Try login username="+username+" password="+password);
|
||||||
boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
|
boolean success = tryLogin(messageInfo, clientSubject, response, session, username, new Password(password));
|
||||||
if (success)
|
if (success)
|
||||||
{
|
{
|
||||||
// Redirect to original request
|
// Redirect to original request
|
||||||
String nuri = (String) session.getAttribute(__J_URI);
|
String nuri=null;
|
||||||
|
synchronized(session)
|
||||||
|
{
|
||||||
|
nuri = (String) session.getAttribute(__J_URI);
|
||||||
|
}
|
||||||
|
|
||||||
if (nuri == null || nuri.length() == 0)
|
if (nuri == null || nuri.length() == 0)
|
||||||
{
|
{
|
||||||
nuri = request.getContextPath();
|
nuri = request.getContextPath();
|
||||||
if (nuri.length() == 0) nuri = URIUtil.SLASH;
|
if (nuri.length() == 0)
|
||||||
|
nuri = URIUtil.SLASH;
|
||||||
}
|
}
|
||||||
session.removeAttribute(__J_URI); // Remove popped return
|
|
||||||
// URI.
|
System.err.println("FormAuthModule succesful login, sending redirect to "+nuri);
|
||||||
response.setContentLength(0);
|
response.setContentLength(0);
|
||||||
response.sendRedirect(response.encodeRedirectURL(nuri));
|
response.sendRedirect(response.encodeRedirectURL(nuri));
|
||||||
|
|
||||||
return AuthStatus.SEND_CONTINUE;
|
return AuthStatus.SEND_CONTINUE;
|
||||||
}
|
}
|
||||||
// not authenticated
|
// not authenticated
|
||||||
|
@ -205,88 +215,6 @@ public class FormAuthModule extends BaseAuthModule
|
||||||
System.err.println("Form cred: form.username="+form_cred._jUserName+" form.pwd="+new String(form_cred._jPassword));
|
System.err.println("Form cred: form.username="+form_cred._jUserName+" form.pwd="+new String(form_cred._jPassword));
|
||||||
boolean success = tryLogin(messageInfo, clientSubject, response, session, form_cred._jUserName, new Password(new String(form_cred._jPassword)));
|
boolean success = tryLogin(messageInfo, clientSubject, response, session, form_cred._jUserName, new Password(new String(form_cred._jPassword)));
|
||||||
if (success) { return AuthStatus.SUCCESS; }
|
if (success) { return AuthStatus.SUCCESS; }
|
||||||
// CallbackHandler loginCallbackHandler = new
|
|
||||||
// UserPasswordCallbackHandler(form_cred._jUserName,
|
|
||||||
// form_cred._jPassword);
|
|
||||||
// LoginResult loginResult = loginService.login(clientSubject,
|
|
||||||
// loginCallbackHandler);
|
|
||||||
// //TODO what should happen if !isMandatory but credentials
|
|
||||||
// exist and are wrong?
|
|
||||||
// if (loginResult.isSuccess())
|
|
||||||
// {
|
|
||||||
// callbackHandler.handle(new
|
|
||||||
// Callback[]{loginResult.getCallerPrincipalCallback(),
|
|
||||||
// loginResult.getGroupPrincipalCallback()});
|
|
||||||
// messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
|
|
||||||
// Constraint.__FORM_AUTH);
|
|
||||||
//
|
|
||||||
// form_cred = new FormCredential(form_cred._jUserName,
|
|
||||||
// form_cred._jPassword,
|
|
||||||
// loginResult.getCallerPrincipalCallback().getPrincipal());
|
|
||||||
//
|
|
||||||
// session.setAttribute(__J_AUTHENTICATED, form_cred);
|
|
||||||
// if (ssoSource != null && ssoSource.fetch(request) == null)
|
|
||||||
// {
|
|
||||||
// UserInfo userInfo = new UserInfo(form_cred._jUserName,
|
|
||||||
// form_cred._jPassword);
|
|
||||||
// ssoSource.store(userInfo, response);
|
|
||||||
// }
|
|
||||||
// messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
|
|
||||||
// Constraint.__FORM_AUTH);
|
|
||||||
// return AuthStatus.SUCCESS;
|
|
||||||
// }
|
|
||||||
|
|
||||||
// // We have a form credential. Has it been distributed?
|
|
||||||
// if (form_cred._userPrincipal==null)
|
|
||||||
// {
|
|
||||||
// // This form_cred appears to have been distributed. Need to
|
|
||||||
// reauth
|
|
||||||
// form_cred.authenticate(realm, request);
|
|
||||||
//
|
|
||||||
// // Sign-on to SSO mechanism
|
|
||||||
// if (form_cred._userPrincipal!=null && realm instanceof
|
|
||||||
// SSORealm)
|
|
||||||
// ((SSORealm)realm).setSingleSignOn(request,response,form_cred._userPrincipal,new
|
|
||||||
// Password(form_cred._jPassword));
|
|
||||||
//
|
|
||||||
// }
|
|
||||||
// else if (!realm.reauthenticate(form_cred._userPrincipal))
|
|
||||||
// // Else check that it is still authenticated.
|
|
||||||
// form_cred._userPrincipal=null;
|
|
||||||
//
|
|
||||||
// // If this credential is still authenticated
|
|
||||||
// if (form_cred._userPrincipal!=null)
|
|
||||||
// {
|
|
||||||
// if(LOG.isDebugEnabled())LOG.debug("FORM Authenticated for
|
|
||||||
// "+form_cred._userPrincipal.getName());
|
|
||||||
// request.setAuthType(Constraint.__FORM_AUTH);
|
|
||||||
// //jaspi
|
|
||||||
// // request.setUserPrincipal(form_cred._userPrincipal);
|
|
||||||
// return form_cred._userPrincipal;
|
|
||||||
// }
|
|
||||||
// else
|
|
||||||
// session.setAttribute(__J_AUTHENTICATED,null);
|
|
||||||
// }
|
|
||||||
// else if (realm instanceof SSORealm)
|
|
||||||
// {
|
|
||||||
// // Try a single sign on.
|
|
||||||
// Credential cred =
|
|
||||||
// ((SSORealm)realm).getSingleSignOn(request,response);
|
|
||||||
//
|
|
||||||
// if (request.getUserPrincipal()!=null)
|
|
||||||
// {
|
|
||||||
// form_cred=new FormCredential();
|
|
||||||
// form_cred._userPrincipal=request.getUserPrincipal();
|
|
||||||
// form_cred._jUserName=form_cred._userPrincipal.getName();
|
|
||||||
// if (cred!=null)
|
|
||||||
// form_cred._jPassword=cred.toString();
|
|
||||||
// if(LOG.isDebugEnabled())LOG.debug("SSO for
|
|
||||||
// "+form_cred._userPrincipal);
|
|
||||||
//
|
|
||||||
// request.setAuthType(Constraint.__FORM_AUTH);
|
|
||||||
// session.setAttribute(__J_AUTHENTICATED,form_cred);
|
|
||||||
// return form_cred._userPrincipal;
|
|
||||||
// }
|
|
||||||
}
|
}
|
||||||
else if (ssoSource != null)
|
else if (ssoSource != null)
|
||||||
{
|
{
|
||||||
|
@ -298,19 +226,17 @@ public class FormAuthModule extends BaseAuthModule
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Don't authenticate authform or errorpage
|
// redirect to login page
|
||||||
if (!isMandatory(messageInfo) || isLoginOrErrorPage(uri))
|
StringBuffer buf = request.getRequestURL();
|
||||||
// TODO verify this is correct action
|
if (request.getQueryString() != null)
|
||||||
return AuthStatus.SUCCESS;
|
buf.append("?").append(request.getQueryString());
|
||||||
|
|
||||||
// redirect to login page
|
synchronized (session)
|
||||||
System.err.println("Redirecting to login page");
|
{
|
||||||
if (request.getQueryString() != null) uri += "?" + request.getQueryString();
|
session.setAttribute(__J_URI, buf.toString());
|
||||||
session.setAttribute(__J_URI, request.getScheme() + "://"
|
}
|
||||||
+ request.getServerName()
|
|
||||||
+ ":"
|
System.err.println("Redirecting to login page "+_formLoginPage+" and remembering juri="+buf.toString());
|
||||||
+ request.getServerPort()
|
|
||||||
+ URIUtil.addPaths(request.getContextPath(), uri));
|
|
||||||
response.setContentLength(0);
|
response.setContentLength(0);
|
||||||
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
|
response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), _formLoginPage)));
|
||||||
return AuthStatus.SEND_CONTINUE;
|
return AuthStatus.SEND_CONTINUE;
|
||||||
|
@ -349,6 +275,7 @@ public class FormAuthModule extends BaseAuthModule
|
||||||
{
|
{
|
||||||
char[] pwdChars = password.toString().toCharArray();
|
char[] pwdChars = password.toString().toCharArray();
|
||||||
Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
|
Set<LoginCallbackImpl> loginCallbacks = clientSubject.getPrivateCredentials(LoginCallbackImpl.class);
|
||||||
|
System.err.println("FormAuthModule, LoginCallbackImpl.isEmpty="+loginCallbacks.isEmpty());
|
||||||
if (!loginCallbacks.isEmpty())
|
if (!loginCallbacks.isEmpty())
|
||||||
{
|
{
|
||||||
LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
|
LoginCallbackImpl loginCallback = loginCallbacks.iterator().next();
|
||||||
|
@ -366,34 +293,6 @@ public class FormAuthModule extends BaseAuthModule
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
// LoginCallback loginCallback = new LoginCallback(clientSubject,
|
|
||||||
// username, password);
|
|
||||||
// loginService.login(loginCallback);
|
|
||||||
// if (loginCallback.isSuccess())
|
|
||||||
// {
|
|
||||||
// CallerPrincipalCallback callerPrincipalCallback = new
|
|
||||||
// CallerPrincipalCallback(clientSubject,
|
|
||||||
// loginCallback.getUserPrincipal());
|
|
||||||
// GroupPrincipalCallback groupPrincipalCallback = new
|
|
||||||
// GroupPrincipalCallback(clientSubject,
|
|
||||||
// loginCallback.getGroups().toArray(new
|
|
||||||
// String[loginCallback.getGroups().size()]));
|
|
||||||
// callbackHandler.handle(new Callback[] {callerPrincipalCallback,
|
|
||||||
// groupPrincipalCallback});
|
|
||||||
// messageInfo.getMap().put(JettyMessageInfo.AUTH_METHOD_KEY,
|
|
||||||
// Constraint.__FORM_AUTH);
|
|
||||||
// FormCredential form_cred = new FormCredential(username, password,
|
|
||||||
// loginCallback.getUserPrincipal());
|
|
||||||
//
|
|
||||||
// session.setAttribute(__J_AUTHENTICATED, form_cred);
|
|
||||||
// // Sign-on to SSO mechanism
|
|
||||||
// if (ssoSource != null)
|
|
||||||
// {
|
|
||||||
// UserInfo userInfo = new UserInfo(username, password);
|
|
||||||
// ssoSource.store(userInfo, response);
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
// return loginCallback.isSuccess();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean isLoginOrErrorPage(String pathInContext)
|
public boolean isLoginOrErrorPage(String pathInContext)
|
||||||
|
|
Loading…
Reference in New Issue