io.undertow.security.idm.Credential Java Examples

The following examples show how to use io.undertow.security.idm.Credential.
Example #1
Source File: ServletClientCertAuthTestCase.java    From quarkus-http with Apache License 2.0 6 votes vote down vote up
/**
 * Maps a client-certificate credential to a fixed test account.
 *
 * <p>The only check made here is that the certificate's subject DN string is a member of
 * {@code certUsers}. This method does not validate the certificate chain, validity period or
 * revocation status itself; presumably the TLS layer has done that before the credential is
 * built (confirm before reusing this pattern outside a test).
 *
 * @param credential the credential offered by the authentication mechanism
 * @return an account with the single role {@code "role1"} when the subject DN is known,
 *         otherwise {@code null}
 */
@Override
public Account verify(Credential credential) {
    // Anything other than an X.509 credential is not handled by this identity manager.
    if (!(credential instanceof X509CertificateCredential)) {
        return null;
    }

    final Principal subject = ((X509CertificateCredential) credential).getCertificate().getSubjectX500Principal();

    // Authorisation is a plain string match on the subject DN.
    if (!certUsers.contains(subject.getName())) {
        return null;
    }

    return new Account() {

        @Override
        public Principal getPrincipal() {
            return subject;
        }

        @Override
        public Set<String> getRoles() {
            return Collections.singleton("role1");
        }

    };
}
 
Example #2
Source File: MapIdentityManager.java    From light-oauth2 with Apache License 2.0 6 votes vote down vote up
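/**
 * Checks a presented password against the stored password hash of the account's user.
 *
 * <p>The presented password array is overwritten with spaces before returning, whether the
 * comparison succeeded, failed or threw, so the clear-text value does not linger in the
 * caller-supplied array. Any missing input (no user record, no password) is treated as a
 * mismatch rather than an error, so the method fails closed.
 *
 * @param account    the account whose principal name selects the user record
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return {@code true} only when the password validates against the stored hash
 */
@SuppressWarnings("unchecked")
private boolean verifyCredential(Account account, Credential credential) {
    boolean match = false;
    if (credential instanceof PasswordCredential) {
        char[] password = ((PasswordCredential) credential).getPassword();
        try {
            User user = users.get(account.getPrincipal().getName());
            // A missing user record or password must never authenticate.
            if (user != null && password != null) {
                match = HashUtil.validatePassword(password, user.getPassword());
            }
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            logger.error("Exception:", e);
        } finally {
            // Wipe on every path; previously the array was left intact when validation threw.
            if (password != null) {
                Arrays.fill(password, ' ');
            }
        }
    }
    if(logger.isDebugEnabled()) logger.debug("verfifyCredential = " + match);
    return match;
}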
 
Example #3
Source File: DatawaveAuthenticationMechanismTest.java    From datawave with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that a request with no TLS session is authenticated from the subject and issuer DN
 * request headers alone.
 *
 * <p>NOTE(review): in this scenario the identity passed to the identity manager is derived
 * entirely from request headers. Presumably the mechanism is meant to run behind a front end
 * that sets these headers itself; confirm that untrusted clients cannot supply them directly.
 */
@Test
public void testNonSSLSimpleLogin() throws Exception {
    // The caller's identity is supplied only through the DN headers.
    httpRequestHeaders.add(SUBJECT_DN_HEADER, testUserCert.getSubjectDN().toString());
    httpRequestHeaders.add(ISSUER_DN_HEADER, testUserCert.getIssuerDN().toString());
    
    // Expected id format: normalized subject DN followed by the normalized issuer DN in angle brackets.
    String expectedID = normalizeDN(testUserCert.getSubjectDN().getName()) + "<" + normalizeDN(testUserCert.getIssuerDN().getName()) + ">";
    
    expect(httpServerExchange.getConnection()).andReturn(serverConnection);
    // No TLS session: there is no peer certificate to fall back on.
    expect(serverConnection.getSslSessionInfo()).andReturn(null);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders).times(2);
    expect(securityContext.getIdentityManager()).andReturn(identityManager);
    // The mocked identity manager accepts the header-derived id with any Credential instance.
    expect(identityManager.verify(eq(expectedID), isA(Credential.class))).andReturn(account);
    securityContext.authenticationComplete(account, "DATAWAVE-AUTH", false);
    long requestStartTime = System.nanoTime();
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(httpServerExchange.getRequestStartTime()).andReturn(requestStartTime);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    
    replayAll();
    
    AuthenticationMechanismOutcome outcome = datawaveAuthenticationMechanism.authenticate(httpServerExchange, securityContext);
    assertEquals(AuthenticationMechanismOutcome.AUTHENTICATED, outcome);
    
    verifyAll();
}
 
Example #4
Source File: LightIdentityManager.java    From light-oauth2 with Apache License 2.0 6 votes vote down vote up
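/**
 * Delegates verification of a {@code LightPasswordCredential} to an {@code Authenticator}
 * obtained from the service factory.
 *
 * <p>The authenticator is selected by a class: {@code DefaultAuth} unless the credential names
 * another class via {@code getClientAuthClass()}. Every failure to resolve an authenticator
 * returns {@code null}, so the request is treated as not authenticated.
 *
 * @param id         the user id being verified
 * @param credential the credential to check; other credential types are rejected
 * @return the authenticated account, or {@code null} when verification is not possible or fails
 */
@Override
public Account verify(String id, Credential credential) {
    if (!(credential instanceof LightPasswordCredential)) {
        return null;
    }
    LightPasswordCredential passwordCredential = (LightPasswordCredential) credential;
    String clientAuthClass = passwordCredential.getClientAuthClass();
    if(logger.isDebugEnabled()) logger.debug("LightPasswordCredential with clientAuthClass = " + clientAuthClass);
    // get authenticator object.
    Class clazz = DefaultAuth.class;
    if(clientAuthClass != null && clientAuthClass.trim().length() > 0) {
        try {
            // NOTE(review): Class.forName loads and initializes whatever class name the credential
            // carries. Confirm clientAuthClass only ever originates from trusted client
            // registration data, or restrict it to an allow-list of known classes.
            clazz = Class.forName(clientAuthClass);
        } catch (ClassNotFoundException e) {
            logger.error("Authenticate Class " + clientAuthClass + " not found.", e);
            return null;
        }
    }
    if(logger.isDebugEnabled()) logger.debug("Get Authenticator implementation from service factory with clazz = " + clazz);
    Authenticator authenticator = SingletonServiceFactory.getBean(Authenticator.class, clazz);
    if (authenticator == null) {
        // A class that resolves but has no registered authenticator must fail closed instead of
        // surfacing as a NullPointerException in the authentication path.
        logger.error("No Authenticator registered for " + clazz);
        return null;
    }
    return authenticator.authenticate(id, credential);
}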
 
Example #5
Source File: DatawaveAuthenticationMechanismTest.java    From datawave with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that, with trusted-header authentication switched off and JWT header authentication
 * switched on, a bearer token in the {@code Authorization} header leads to an AUTHENTICATED
 * outcome.
 *
 * <p>The identity manager is a mock that accepts the token string as the id, so this test does
 * not exercise any signature or claim validation of the token.
 */
@Test
public void testJWTHeaderAuthentication() throws Exception {
    // Flip the mechanism's private configuration flags for this scenario.
    Whitebox.setInternalState(datawaveAuthenticationMechanism, "trustedHeaderAuthentication", false);
    Whitebox.setInternalState(datawaveAuthenticationMechanism, "jwtHeaderAuthentication", true);
    
    httpRequestHeaders.add(new HttpString("Authorization"), "Bearer 1234");
    
    // The value after "Bearer " is what the mechanism is expected to hand to the identity manager.
    String expectedID = "1234";
    
    expect(httpServerExchange.getConnection()).andReturn(serverConnection);
    // No TLS session is available in this scenario.
    expect(serverConnection.getSslSessionInfo()).andReturn(null);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(securityContext.getIdentityManager()).andReturn(identityManager);
    expect(identityManager.verify(eq(expectedID), isA(Credential.class))).andReturn(account);
    securityContext.authenticationComplete(account, "DATAWAVE-AUTH", false);
    expect(httpServerExchange.getRequestStartTime()).andReturn(System.nanoTime());
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    
    replayAll();
    
    AuthenticationMechanismOutcome outcome = datawaveAuthenticationMechanism.authenticate(httpServerExchange, securityContext);
    assertEquals(AuthenticationMechanismOutcome.AUTHENTICATED, outcome);
    
    verifyAll();
}
 
Example #6
Source File: MapIdentityManager.java    From proteus with Apache License 2.0 5 votes vote down vote up
/**
 * Looks up the account for {@code id} and returns it only when the credential verifies.
 *
 * <p>An unknown id and a wrong credential both produce {@code null}, so the caller cannot tell
 * the two cases apart from the return value.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the verified account, or {@code null}
 */
@Override
public Account verify(String id, Credential credential)
{
    final Account candidate = getAccount(id);

    // Short-circuit keeps verifyCredential from ever seeing a null account.
    final boolean accepted = (candidate != null) && verifyCredential(candidate, credential);

    return accepted ? candidate : null;
}
 
Example #7
Source File: RealmIdentityManager.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Dispatches verification to the overload matching the credential's concrete type.
 *
 * <p>A missing or empty id is rejected up front with {@code null}. Password and digest
 * credentials are forwarded to their dedicated {@code verify} overloads; any other credential
 * type results in the exception produced by {@code invalidCredentialType}. A {@code null}
 * credential reaches {@code credential.getClass()} and therefore raises a
 * {@code NullPointerException}.
 *
 * @param id         the user name to verify
 * @param credential the credential presented for that user
 * @return the account returned by the matching overload, or {@code null} for a blank id
 */
@Override
public Account verify(String id, Credential credential) {
    final boolean blankId = (id == null) || id.isEmpty();
    if (blankId) {
        HttpServerLogger.ROOT_LOGGER.debug("Missing or empty username received, aborting account verification.");
        return null;
    }

    if (credential instanceof PasswordCredential) {
        return verify(id, (PasswordCredential) credential);
    }
    if (credential instanceof DigestCredential) {
        return verify(id, (DigestCredential) credential);
    }

    // Unsupported credential types are an error rather than a silent "not verified".
    throw HttpServerLogger.ROOT_LOGGER.invalidCredentialType(credential.getClass().getName());
}
 
Example #8
Source File: Identity.java    From mangooio with Apache License 2.0 5 votes vote down vote up
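/**
 * Compares the password carried by a {@code PasswordCredential} with this identity's password.
 *
 * <p>The comparison does not stop at the first differing character, so its duration does not
 * depend on how many leading characters match. A missing password on either side never
 * matches; {@code Arrays.equals} would have reported two {@code null} arrays as equal.
 *
 * <p>NOTE(review): the expected password is held as clear-text characters in
 * {@code this.password}; consider storing a salted password hash instead.
 *
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return {@code true} only when both passwords are present and identical
 */
private boolean verifyCredential(Credential credential) {
    if (!(credential instanceof PasswordCredential)) {
        return false;
    }

    final char[] presented = ((PasswordCredential) credential).getPassword();
    final char[] expected = this.password;
    if (presented == null || expected == null) {
        return false;
    }

    // Fold every difference into one accumulator instead of returning on the first mismatch.
    int diff = presented.length ^ expected.length;
    final int overlap = Math.min(presented.length, expected.length);
    for (int i = 0; i < overlap; i++) {
        diff |= presented[i] ^ expected[i];
    }
    return diff == 0;
}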
 
Example #9
Source File: Identity.java    From mangooio with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies a user name and credential against this single configured identity.
 *
 * <p>The user name must equal {@code this.username} and the credential must pass
 * {@code verifyCredential}; the name check runs first and a mismatch skips the credential
 * check entirely.
 *
 * @param username   the user name presented by the client
 * @param credential the credential presented with it
 * @return the account for {@code username}, or {@code null} when either check fails
 */
@Override
public Account verify(String username, Credential credential) {
    final boolean accepted = this.username.equals(username) && verifyCredential(credential);
    return accepted ? getAccount(username) : null;
}
 
Example #10
Source File: MapIdentityManager.java    From cxf with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the account registered under {@code id} when the supplied credential verifies.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the verified account, or {@code null} for an unknown id or a failed credential check
 */
@Override
public Account verify(String id, Credential credential) {
    final Account found = getAccount(id);

    // Reject early: unknown id, or a credential that does not verify.
    if (found == null || !verifyCredential(found, credential)) {
        return null;
    }
    return found;
}
 
Example #11
Source File: AuthConfiguration.java    From haven-platform with Apache License 2.0 5 votes vote down vote up
/**
 * Accepts a password credential when it matches the single encoded password held by this
 * configuration.
 *
 * <p>NOTE(review): {@code id} is not compared with anything in this method, so any id paired
 * with the right password yields an account for that id. Confirm this is intended.
 *
 * <p>NOTE(review): {@code new String(...)} copies the password into an immutable string that
 * cannot be wiped afterwards.
 *
 * @param id         the user id, used only to build the returned account
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return a new account for {@code id} on a match, otherwise {@code null}
 */
@Override
public Account verify(String id, Credential credential) {
    if (credential instanceof PasswordCredential) {
        final char[] presented = ((PasswordCredential) credential).getPassword();
        final boolean matches = presented != null && passwordEncoder.matches(new String(presented), encodedPass);
        if (matches) {
            return new AccountImpl(id);
        }
    }
    return null;
}
 
Example #12
Source File: MapIdentityManager.java    From light-oauth2 with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves {@code id} to an account and hands it back only after the credential has verified.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the verified account, or {@code null} when the id is unknown or verification fails
 */
@Override
public Account verify(String id, Credential credential) {
    final Account resolved = getAccount(id);
    // The null test comes first so verifyCredential is never called without an account.
    return (resolved != null && verifyCredential(resolved, credential)) ? resolved : null;
}
 
Example #13
Source File: CustomIdentityManager.java    From tutorials with MIT License 5 votes vote down vote up
/**
 * Verifies a credential for the account registered under {@code id}.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the account when it exists and the credential verifies, otherwise {@code null}
 */
@Override
public Account verify(String id, Credential credential) {
    final Account known = getAccount(id);
    if (known == null) {
        // Unknown id: nothing to verify against.
        return null;
    }
    if (!verifyCredential(known, credential)) {
        return null;
    }
    return known;
}
 
Example #14
Source File: DefaultAuthenticator.java    From light-oauth2 with Apache License 2.0 5 votes vote down vote up
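/**
 * Authenticates a user from a password credential or a GSS context credential.
 *
 * <p>For a {@code LightPasswordCredential} the presented password is validated against the
 * stored password hash of the user behind the account; the password array is overwritten with
 * spaces on every path. For a {@code LightGSSContextCredential} an account is built whose roles
 * come from {@code LdapUtil.authorize(id)}. Any other credential type, an unknown account or a
 * missing user record returns {@code null}, so the method fails closed instead of handing back
 * an account that was never verified.
 *
 * <p>NOTE(review): the GSS branch performs no verification of its own in this method;
 * presumably the GSS context was established before the credential was created (confirm).
 *
 * @param id         the user id to authenticate
 * @param credential the credential presented for that user
 * @return the authenticated account, or {@code null} when authentication fails
 */
@Override
public Account authenticate(String id, Credential credential) {
    IMap<String, User> users = CacheStartupHookProvider.hz.getMap("users");
    Account account = getAccount(id);
    if (credential instanceof LightPasswordCredential) {
        char[] password = ((LightPasswordCredential) credential).getPassword();
        try {
            // Unknown account or absent password: reject rather than dereference null.
            if (account == null || password == null) {
                return null;
            }
            User user = users.get(account.getPrincipal().getName());
            if (user == null) {
                return null;
            }
            return HashUtil.validatePassword(password, user.getPassword()) ? account : null;
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            logger.error("Exception:", e);
            return null;
        } finally {
            // Wipe the clear-text password even when validation throws or returns early.
            if (password != null) {
                Arrays.fill(password, ' ');
            }
        }
    }
    if (credential instanceof LightGSSContextCredential) {
        return new Account() {
            private Set<String> roles = LdapUtil.authorize(id);
            private final Principal principal = () -> id;
            @Override
            public Principal getPrincipal() {
                return principal;
            }
            @Override
            public Set<String> getRoles() { return roles; }
        };
    }
    // Unsupported credential type: previously the looked-up account was returned unverified.
    return null;
}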
 
Example #15
Source File: ClientCertAuthenticationMechanism.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Attempts authentication from the first peer certificate of the TLS session.
 *
 * <p>This mechanism never reports a failed authentication. If there is no TLS session, no
 * verified peer certificate, a non-X.509 certificate, or the identity manager does not map the
 * certificate to an account, the outcome is NOT_ATTEMPTED. A client certificate that was
 * accepted at connection time but is unknown to the identity manager is therefore not rejected
 * here; access control must still require an authenticated account.
 *
 * @param exchange        the current exchange, used to reach the TLS session
 * @param securityContext the security context that receives the authenticated account
 * @return AUTHENTICATED when the identity manager returns an account, otherwise NOT_ATTEMPTED
 */
public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext securityContext) {
    final SSLSessionInfo session = exchange.getConnection().getSslSessionInfo();
    if (session == null) {
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    try {
        final Certificate leaf = getPeerCertificates(exchange, session, securityContext)[0];
        if (!(leaf instanceof X509Certificate)) {
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        final Credential certCredential = new X509CertificateCredential((X509Certificate) leaf);
        final IdentityManager identityManager = getIdentityManager(securityContext);
        final Account verified = identityManager.verify(certCredential);
        if (verified == null) {
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        securityContext.authenticationComplete(verified, name, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    } catch (SSLPeerUnverifiedException ignored) {
        // Without peer certificates this mechanism cannot attempt authentication at all.
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }
}
 
Example #16
Source File: MapIdentityManager.java    From proteus with Apache License 2.0 5 votes vote down vote up
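/**
 * Compares a presented password with the password stored for the account's principal.
 *
 * <p>The comparison walks the whole overlap of both arrays instead of stopping at the first
 * difference. A missing password on either side never matches; {@code Arrays.equals} would
 * have treated two {@code null} arrays as equal, for example when the principal has no entry
 * in {@code identities}.
 *
 * <p>NOTE(review): {@code identities} holds clear-text passwords; consider storing a salted
 * password hash instead.
 *
 * @param account    the account whose principal name selects the stored password
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return {@code true} only when both passwords are present and identical
 */
private boolean verifyCredential(Account account, Credential credential)
{
    if (!(credential instanceof PasswordCredential)) {
        return false;
    }

    final char[] presented = ((PasswordCredential) credential).getPassword();
    final char[] stored = identities.get(account.getPrincipal().getName());
    if (presented == null || stored == null) {
        return false;
    }

    // Accumulate differences so the running time does not reveal the first mismatching index.
    int diff = presented.length ^ stored.length;
    final int overlap = Math.min(presented.length, stored.length);
    for (int i = 0; i < overlap; i++) {
        diff |= presented[i] ^ stored[i];
    }

    return diff == 0;
}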
 
Example #17
Source File: CustomIdentityManager.java    From tutorials with MIT License 5 votes vote down vote up
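/**
 * Compares a presented password with the one stored in {@code users} for the account's
 * principal.
 *
 * <p>Two hardening points over a plain {@code Arrays.equals}: a {@code null} on either side is
 * a mismatch (two {@code null} arrays would otherwise compare equal), and the comparison does
 * not return at the first differing character.
 *
 * <p>NOTE(review): {@code users} maps names to clear-text passwords, which is acceptable for a
 * tutorial only; consider storing a salted password hash instead.
 *
 * @param account    the account whose principal name selects the stored password
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return {@code true} only when both passwords are present and identical
 */
private boolean verifyCredential(Account account, Credential credential) {
    if (!(credential instanceof PasswordCredential)) {
        return false;
    }
    final char[] supplied = ((PasswordCredential) credential).getPassword();
    final char[] onRecord = users.get(account.getPrincipal().getName());
    if (supplied == null || onRecord == null) {
        return false;
    }

    // Length difference and every per-character difference end up in the same accumulator.
    int mismatch = supplied.length ^ onRecord.length;
    for (int i = 0; i < supplied.length && i < onRecord.length; i++) {
        mismatch |= supplied[i] ^ onRecord[i];
    }
    return mismatch == 0;
}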
 
Example #18
Source File: DatawaveAuthenticationMechanismTest.java    From datawave with Apache License 2.0 5 votes vote down vote up
/**
 * Checks header-based authentication of a proxied call without a TLS session: the server's
 * own DNs are sent as subject/issuer headers and the end user's DNs as proxied-entity headers.
 *
 * <p>NOTE(review): every identity in this scenario, including the proxied user, is taken from
 * request headers. Presumably only a trusted front end may set them; confirm that they are
 * stripped from requests arriving from untrusted clients.
 */
@Test
public void testNonSSLProxiedLogin() throws Exception {
    // The end user on whose behalf the call is made.
    httpRequestHeaders.add(PROXIED_ENTITIES_HEADER, testUserCert.getSubjectDN().toString());
    httpRequestHeaders.add(PROXIED_ISSUERS_HEADER, testUserCert.getIssuerDN().toString());
    // The calling server itself.
    httpRequestHeaders.add(SUBJECT_DN_HEADER, testServerCert.getSubjectDN().toString());
    httpRequestHeaders.add(ISSUER_DN_HEADER, testServerCert.getIssuerDN().toString());
    
    // Expected id: server subject and issuer first, then the proxied user's subject and issuer.
    String expectedID = normalizeDN(testServerCert.getSubjectDN().getName()) + "<" + normalizeDN(testServerCert.getIssuerDN().getName()) + "><"
                    + normalizeDN(testUserCert.getSubjectDN().getName()) + "><" + normalizeDN(testUserCert.getIssuerDN().getName()) + ">";
    
    expect(httpServerExchange.getConnection()).andReturn(serverConnection);
    // No TLS session is available in this scenario.
    expect(serverConnection.getSslSessionInfo()).andReturn(null);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders).times(2);
    expect(securityContext.getIdentityManager()).andReturn(identityManager);
    expect(identityManager.verify(eq(expectedID), isA(Credential.class))).andReturn(account);
    securityContext.authenticationComplete(account, "DATAWAVE-AUTH", false);
    long requestStartTime = System.nanoTime();
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(httpServerExchange.getResponseHeaders()).andReturn(httpResponseHeaders);
    expect(httpServerExchange.getRequestStartTime()).andReturn(requestStartTime);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    
    replayAll();
    
    AuthenticationMechanismOutcome outcome = datawaveAuthenticationMechanism.authenticate(httpServerExchange, securityContext);
    assertEquals(AuthenticationMechanismOutcome.AUTHENTICATED, outcome);
    // The response must tell the caller that the proxied entities were accepted.
    assertEquals("true", httpResponseHeaders.getFirst(DatawaveAuthenticationMechanism.HEADER_PROXIED_ENTITIES_ACCEPTED));
    
    verifyAll();
}
 
Example #19
Source File: DatawaveAuthenticationMechanismTest.java    From datawave with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that a TLS connection without a verified client certificate still authenticates from
 * the subject and issuer DN request headers.
 *
 * <p>NOTE(review): the TLS session here offers no peer certificate, yet the outcome is
 * AUTHENTICATED based on headers. Confirm that this fallback is reachable only for requests
 * whose DN headers were set by a trusted front end.
 */
@Test
public void testSSLWithoutPeerCerts() throws Exception {
    httpRequestHeaders.add(SUBJECT_DN_HEADER, testUserCert.getSubjectDN().toString());
    httpRequestHeaders.add(ISSUER_DN_HEADER, testUserCert.getIssuerDN().toString());
    
    // Expected id format: normalized subject DN followed by the normalized issuer DN in angle brackets.
    String expectedID = normalizeDN(testUserCert.getSubjectDN().getName()) + "<" + normalizeDN(testUserCert.getIssuerDN().getName()) + ">";
    
    expect(httpServerExchange.getConnection()).andReturn(serverConnection);
    // A TLS session exists, but asking it for peer certificates fails.
    expect(serverConnection.getSslSessionInfo()).andReturn(sslSessionInfo);
    expect(sslSessionInfo.getPeerCertificates()).andThrow(new SSLPeerUnverifiedException("no client cert"));
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders).times(2);
    expect(securityContext.getIdentityManager()).andReturn(identityManager);
    expect(identityManager.verify(eq(expectedID), isA(Credential.class))).andReturn(account);
    securityContext.authenticationComplete(account, "DATAWAVE-AUTH", false);
    long requestStartTime = System.nanoTime();
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    expect(httpServerExchange.getRequestStartTime()).andReturn(requestStartTime);
    expect(httpServerExchange.getRequestHeaders()).andReturn(httpRequestHeaders);
    
    replayAll();
    
    AuthenticationMechanismOutcome outcome = datawaveAuthenticationMechanism.authenticate(httpServerExchange, securityContext);
    assertEquals(AuthenticationMechanismOutcome.AUTHENTICATED, outcome);
    // No proxied entities were sent, so the acceptance header must be absent.
    assertFalse(httpResponseHeaders.contains(DatawaveAuthenticationMechanism.HEADER_PROXIED_ENTITIES_ACCEPTED));
    
    verifyAll();
}
 
Example #20
Source File: AuthenticationTestBase.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Test identity manager entry point: returns the account for {@code id} once its credential
 * has been verified.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the verified account, or {@code null} for an unknown id or a failed credential check
 */
@Override
public Account verify(String id, Credential credential) {
    final Account candidate = getAccount(id);
    if (candidate == null) {
        return null;
    }
    // Only a positively verified credential releases the account.
    return verifyCredential(candidate, credential) ? candidate : null;
}
 
Example #21
Source File: ClientCertAuthenticationMechanism.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Attempts authentication from the first peer certificate of the exchange's TLS session.
 *
 * <p>There is no failure outcome for this mechanism: a client key that was accepted when the
 * connection was established is merely tried for authentication. Unless the identity manager
 * maps the certificate to an account, the result stays NOT_ATTEMPTED, so a certificate that is
 * unknown to the identity manager is not rejected at this point.
 *
 * @param exchange        the current exchange, which exposes the TLS session
 * @param securityContext the security context that receives the authenticated account
 * @return AUTHENTICATED when the identity manager returns an account, otherwise NOT_ATTEMPTED
 */
public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext securityContext) {
    AuthenticationMechanismOutcome outcome = AuthenticationMechanismOutcome.NOT_ATTEMPTED;

    final SSLSessionInfo tlsSession = exchange.getSslSessionInfo();
    if (tlsSession != null) {
        try {
            final Certificate first = getPeerCertificates(exchange, tlsSession, securityContext)[0];
            if (first instanceof X509Certificate) {
                final Credential x509Credential = new X509CertificateCredential((X509Certificate) first);
                final IdentityManager identityManager = getIdentityManager(securityContext);
                final Account mapped = identityManager.verify(x509Credential);
                if (mapped != null) {
                    securityContext.authenticationComplete(mapped, name, false);
                    outcome = AuthenticationMechanismOutcome.AUTHENTICATED;
                }
            }
        } catch (SSLPeerUnverifiedException ignored) {
            // No peer certificates means nothing to authenticate with; the outcome stays
            // NOT_ATTEMPTED.
        }
    }

    return outcome;
}
 
Example #22
Source File: ServletIdentityManager.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Fetches the account stored in {@code users} under {@code id} and returns it when the
 * credential verifies.
 *
 * @param id         the key of the account in {@code users}
 * @param credential the credential presented for that account
 * @return the verified account, or {@code null} for an unknown id or a failed credential check
 */
@Override
public Account verify(String id, Credential credential) {
    final Account stored = users.get(id);

    // The null test comes first so verifyCredential is never called without an account.
    final boolean verified = stored != null && verifyCredential(stored, credential);
    return verified ? stored : null;
}
 
Example #23
Source File: MapIdentityManager.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
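/**
 * Compares a presented password with the one stored in {@code users} for the account's
 * principal.
 *
 * <p>A {@code null} password on either side is a mismatch ({@code Arrays.equals} reports two
 * {@code null} arrays as equal), and the comparison does not short-circuit on the first
 * differing character.
 *
 * <p>NOTE(review): {@code users} maps names to clear-text passwords; consider storing a salted
 * password hash instead.
 *
 * @param account    the account whose principal name selects the stored password
 * @param credential the credential to check; only {@code PasswordCredential} is supported
 * @return {@code true} only when both passwords are present and identical
 */
private boolean verifyCredential(Account account, Credential credential) {
    if (!(credential instanceof PasswordCredential)) {
        return false;
    }
    final char[] candidate = ((PasswordCredential) credential).getPassword();
    final char[] reference = users.get(account.getPrincipal().getName());
    if (candidate == null || reference == null) {
        return false;
    }

    // Collect all differences before deciding, rather than returning at the first one.
    int delta = candidate.length ^ reference.length;
    final int shared = Math.min(candidate.length, reference.length);
    for (int i = 0; i < shared; i++) {
        delta |= candidate[i] ^ reference[i];
    }
    return delta == 0;
}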
 
Example #24
Source File: MapIdentityManager.java    From quarkus-http with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies a credential for the account registered under {@code id}.
 *
 * @param id         the account identifier
 * @param credential the credential presented for that account
 * @return the account when it exists and the credential verifies, otherwise {@code null}
 */
@Override
public Account verify(String id, Credential credential) {
    Account result = getAccount(id);
    // Drop the account again unless the credential check passes.
    if (result != null && !verifyCredential(result, credential)) {
        result = null;
    }
    return result;
}
 
Example #25
Source File: CxfKeycloakAuthHandler.java    From keycloak with Apache License 2.0 4 votes vote down vote up
/**
 * Unsupported entry point: always throws, so a credential can never be verified through this
 * path.
 *
 * @param credential ignored
 * @return never returns normally
 * @throws IllegalStateException on every call
 */
@Override
public Account verify(Credential credential) {
    final String reason = "Should never be called in Keycloak flow";
    throw new IllegalStateException(reason);
}
 
Example #26
Source File: UndertowKeycloakConsumer.java    From keycloak with Apache License 2.0 4 votes vote down vote up
/**
 * Unsupported entry point: always throws, so an id and credential can never be verified
 * through this path.
 *
 * @param id         ignored
 * @param credential ignored
 * @return never returns normally
 * @throws IllegalStateException on every call
 */
@Override
public Account verify(String id, Credential credential) {
    final String reason = "Should never be called in Keycloak flow";
    throw new IllegalStateException(reason);
}
 
Example #27
Source File: CustomIdentityManager.java    From tutorials with MIT License 4 votes vote down vote up
/**
 * Credential-only verification is not implemented by this identity manager.
 *
 * @param credential ignored
 * @return always {@code null}, i.e. no account
 */
@Override
public Account verify(Credential credential) {
    // No account is ever produced from a bare credential.
    return null;
}
 
Example #28
Source File: UndertowKeycloakConsumer.java    From keycloak with Apache License 2.0 4 votes vote down vote up
/**
 * Unsupported entry point: always throws instead of verifying the credential.
 *
 * @param credential ignored
 * @return never returns normally
 * @throws IllegalStateException on every call
 */
@Override
public Account verify(Credential credential) {
    final String reason = "Should never be called in Keycloak flow";
    throw new IllegalStateException(reason);
}
 
Example #29
Source File: MapIdentityManager.java    From cxf with Apache License 2.0 4 votes vote down vote up
/**
 * Credential-only verification is not implemented by this identity manager.
 *
 * @param credential ignored
 * @return always {@code null}, i.e. no account
 */
@Override
public Account verify(Credential credential) {
    // No account is ever produced from a bare credential.
    return null;
}
 
Example #30
Source File: CxfKeycloakAuthHandler.java    From keycloak with Apache License 2.0 4 votes vote down vote up
/**
 * Unsupported entry point: always throws instead of verifying the id and credential.
 *
 * @param id         ignored
 * @param credential ignored
 * @return never returns normally
 * @throws IllegalStateException on every call
 */
@Override
public Account verify(String id, Credential credential) {
    final String reason = "Should never be called in Keycloak flow";
    throw new IllegalStateException(reason);
}