455047 Update JASPI

Added test harnesses. Corrected a few issues.
This commit is contained in:
Greg Wilkins 2014-12-12 16:47:30 +01:00
parent 2dd4e9b09e
commit fe444b28dd
8 changed files with 359 additions and 4 deletions

View File

@ -85,5 +85,18 @@
<groupId>org.eclipse.jetty.orbit</groupId>
<artifactId>javax.security.auth.message</artifactId>
</dependency>
<dependency>
<groupId>org.apache.geronimo.components</groupId>
<artifactId>geronimo-jaspi</artifactId>
<version>2.0.0</version>
<exclusions>
<exclusion>
<groupId>org.apache.geronimo.specs</groupId>
<artifactId>geronimo-jaspic_1.0_spec</artifactId>
</exclusion>
</exclusions>
<scope>test</scope>
</dependency>
</dependencies>
</project>

View File

@ -18,6 +18,7 @@
package org.eclipse.jetty.security.jaspi;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
@ -32,6 +33,7 @@ import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.IdentityService;
@ -192,10 +194,16 @@ public class JaspiAuthenticator extends LoginAuthenticator
// we are processing a message in a secureResponse dialog.
return Authentication.SEND_SUCCESS;
}
if (authStatus == AuthStatus.FAILURE)
{
HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return Authentication.SEND_FAILURE;
}
// should not happen
throw new NullPointerException("No AuthStatus returned");
throw new IllegalStateException("No AuthStatus returned");
}
catch (AuthException e)
catch (IOException|AuthException e)
{
throw new ServerAuthException(e);
}

View File

@ -102,6 +102,9 @@ public class JaspiAuthenticatorFactory extends DefaultAuthenticatorFactory
Subject serviceSubject=findServiceSubject(server);
String serverName=findServerName(server,serviceSubject);
String contextPath=context.getContextPath();
if (contextPath==null || contextPath.length()==0)
contextPath="/";
String appContext = serverName + " " + context.getContextPath();
AuthConfigProvider authConfigProvider = authConfigFactory.getConfigProvider(MESSAGE_LAYER,appContext,listener);

View File

@ -46,7 +46,6 @@ import org.eclipse.jetty.util.security.Credential;
import org.eclipse.jetty.util.security.Password;
/**
* @deprecated use *ServerAuthentication
* @version $Rev: 4792 $ $Date: 2009-03-18 22:55:52 +0100 (Wed, 18 Mar 2009) $
*/
public class BaseAuthModule implements ServerAuthModule, ServerAuthContext

View File

@ -164,7 +164,8 @@ public class FormAuthModule extends BaseAuthModule
HttpSession session = request.getSession(mandatory);
// not mandatory or its the login or login error page don't authenticate
if (!mandatory || isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo()))) return AuthStatus.SUCCESS;
if (!mandatory || isLoginOrErrorPage(URIUtil.addPaths(request.getServletPath(),request.getPathInfo())))
return AuthStatus.SUCCESS; // TODO return null for do nothing?
try
{

View File

@ -0,0 +1,125 @@
//
// ========================================================================
// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.security.jaspi;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* Example JASPI Auth Module based on http://www.trajano.net/2014/06/creating-a-simple-jaspic-auth-module/
*/
public class HttpHeaderAuthModule implements ServerAuthModule
{
/**
* Supported message types. For our case we only need to deal with HTTP servlet request and responses. On Java EE 7 this will handle WebSockets as well.
*/
private static final Class<?>[] SUPPORTED_MESSAGE_TYPES = new Class<?>[]
{ HttpServletRequest.class, HttpServletResponse.class };
/**
* Callback handler that is passed in initialize by the container. This processes the callbacks which are objects that populate the "subject".
*/
private CallbackHandler handler;
/**
* Does nothing of note for what we need.
*/
@Override
public void cleanSubject(final MessageInfo messageInfo, final Subject subject) throws AuthException
{
}
@SuppressWarnings("rawtypes")
@Override
public Class[] getSupportedMessageTypes()
{
return SUPPORTED_MESSAGE_TYPES;
}
/**
* Initializes the module. Allows you to pass in options.
*
* @param requestPolicy
* request policy, ignored
* @param responsePolicy
* response policy, ignored
* @param h
* callback handler
* @param options
* options
*/
@Override
public void initialize(final MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler h, Map options) throws AuthException
{
handler = h;
}
/**
* @return AuthStatus.SEND_SUCCESS
*/
@Override
public AuthStatus secureResponse(final MessageInfo paramMessageInfo, final Subject subject) throws AuthException
{
return AuthStatus.SEND_SUCCESS;
}
/**
* Validation occurs here.
*/
@Override
public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject client, final Subject serviceSubject) throws AuthException
{
// Take the request from the messageInfo structure.
final HttpServletRequest req = (HttpServletRequest)messageInfo.getRequestMessage();
try
{
// Get the user name from the header. If not there then fail authentication.
final String userName = req.getHeader("X-Forwarded-User");
if (userName == null)
{
return AuthStatus.FAILURE;
}
// Store the user name that was in the header and also set a group.
handler.handle(new Callback[]
{ new CallerPrincipalCallback(client,userName), new GroupPrincipalCallback(client,new String[]
{ "users" }) });
return AuthStatus.SUCCESS;
}
catch (final Exception e)
{
throw new AuthException(e.getMessage());
}
}
}

View File

@ -0,0 +1,167 @@
//
// ========================================================================
// Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.security.jaspi;
import static org.hamcrest.Matchers.startsWith;
import static org.junit.Assert.assertThat;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.server.LocalConnector;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.util.B64Code;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.security.Password;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
public class JaspiTest
{
Server _server;
LocalConnector _connector;
@Before
public void before() throws Exception
{
System.setProperty("org.apache.geronimo.jaspic.configurationFile","src/test/resources/jaspi.xml");
_server = new Server();
_connector = new LocalConnector(_server);
_server.addConnector(_connector);
ContextHandlerCollection contexts = new ContextHandlerCollection();
_server.setHandler(contexts);
HashLoginService loginService = new HashLoginService("TestRealm");
loginService.putUser("user",new Password("password"),new String[]{"users"});
loginService.putUser("admin",new Password("secret"),new String[]{"users","admins"});
_server.addBean(loginService);
ContextHandler context = new ContextHandler();
contexts.addHandler(context);
context.setContextPath("/ctx");
JaspiAuthenticatorFactory jaspiAuthFactory = new JaspiAuthenticatorFactory();
ConstraintSecurityHandler security = new ConstraintSecurityHandler();
context.setHandler(security);
security.setAuthenticatorFactory(jaspiAuthFactory);
// security.setAuthenticator(new BasicAuthenticator());
Constraint constraint = new Constraint("All","users");
constraint.setAuthenticate(true);
ConstraintMapping mapping = new ConstraintMapping();
mapping.setPathSpec("/jaspi/*");
mapping.setConstraint(constraint);
security.addConstraintMapping(mapping);
TestHandler handler = new TestHandler();
security.setHandler(handler);
ContextHandler other = new ContextHandler();
contexts.addHandler(other);
other.setContextPath("/other");
ConstraintSecurityHandler securityOther = new ConstraintSecurityHandler();
other.setHandler(securityOther);
securityOther.setAuthenticatorFactory(jaspiAuthFactory);
securityOther.addConstraintMapping(mapping);
securityOther.setHandler(new TestHandler());
_server.start();
}
@After
public void after() throws Exception
{
_server.stop();
}
@Test
public void testNoConstraint() throws Exception
{
String response = _connector.getResponses("GET /ctx/test HTTP/1.0\n\n");
assertThat(response,startsWith("HTTP/1.1 200 OK"));
}
@Test
public void testConstraintNoAuth() throws Exception
{
String response = _connector.getResponses("GET /ctx/jaspi/test HTTP/1.0\n\n");
assertThat(response,startsWith("HTTP/1.1 401 Unauthorized"));
assertThat(response,Matchers.containsString("WWW-Authenticate: basic realm=\"TestRealm\""));
}
@Test
public void testConstraintWrongAuth() throws Exception
{
String response = _connector.getResponses("GET /ctx/jaspi/test HTTP/1.0\n"+
"Authorization: Basic " + B64Code.encode("user:wrong") + "\n\n");
assertThat(response,startsWith("HTTP/1.1 401 Unauthorized"));
assertThat(response,Matchers.containsString("WWW-Authenticate: basic realm=\"TestRealm\""));
}
@Test
public void testConstraintAuth() throws Exception
{
String response = _connector.getResponses("GET /ctx/jaspi/test HTTP/1.0\n"+
"Authorization: Basic " + B64Code.encode("user:password") + "\n\n");
assertThat(response,startsWith("HTTP/1.1 200 OK"));
}
@Test
public void testOtherNoAuth() throws Exception
{
String response = _connector.getResponses("GET /other/test HTTP/1.0\n\n");
assertThat(response,startsWith("HTTP/1.1 403 Forbidden"));
}
@Test
public void testOtherAuth() throws Exception
{
String response = _connector.getResponses("GET /other/test HTTP/1.0\n"+
"X-Forwarded-User: user\n\n");
assertThat(response,startsWith("HTTP/1.1 200 OK"));
}
public class TestHandler extends AbstractHandler
{
@Override
public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
{
baseRequest.setHandled(true);
response.setStatus(200);
response.setContentType("text/plain");
response.getWriter().println("All OK");
response.getWriter().println("requestURI="+request.getRequestURI());
}
}
}

View File

@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<jaspi xmlns="http://geronimo.apache.org/xml/ns/geronimo-jaspi">
<configProvider>
<messageLayer>HTTP</messageLayer>
<appContext>server /ctx</appContext>
<description>description</description>
<serverAuthConfig>
<authenticationContextID>authenticationContextID1</authenticationContextID>
<protected>true</protected>
<serverAuthContext>
<serverAuthModule>
<className>org.eclipse.jetty.security.jaspi.modules.BasicAuthModule</className>
<options>
org.eclipse.jetty.security.jaspi.modules.RealmName=TestRealm
</options>
</serverAuthModule>
</serverAuthContext>
</serverAuthConfig>
<persistent>true</persistent>
</configProvider>
<configProvider>
<messageLayer>HTTP</messageLayer>
<appContext>server /other</appContext>
<description>description</description>
<serverAuthConfig>
<authenticationContextID>authenticationContextID2</authenticationContextID>
<protected>true</protected>
<serverAuthContext>
<serverAuthModule>
<className>org.eclipse.jetty.security.jaspi.HttpHeaderAuthModule</className>
<options>
</options>
</serverAuthModule>
</serverAuthContext>
</serverAuthConfig>
<persistent>true</persistent>
</configProvider>
</jaspi>