org.eclipse.jetty.security.authentication.DeferredAuthentication Java Examples

The following examples show how to use org.eclipse.jetty.security.authentication.DeferredAuthentication. The original project and source file are named above each example.
Example #1
Source File: AvaticaSpnegoAuthenticator.java    From calcite-avatica with Apache License 2.0
/**
 * Forces a Negotiate (SPNEGO) challenge when the client sent an Authorization header for
 * some other scheme.
 *
 * <p>According to the original author, Jetty does not send the Negotiate challenge in that
 * situation. This method works around it and should be re-evaluated when Jetty is upgraded.
 *
 * <p>The scheme test is a case-sensitive prefix match against
 * {@code HttpHeader.NEGOTIATE.asString()}, so a header whose scheme is spelled in a
 * different case is also handled as "not Negotiate" and is answered with a fresh challenge.
 *
 * @param computedAuth the result the authenticator already produced
 * @param request the current request; cast to {@link HttpServletRequest} only when inspected
 * @param response the current response; cast to {@link HttpServletResponse} only when inspected
 * @return {@code computedAuth} unchanged unless it is {@code UNAUTHENTICATED} and a
 *     non-Negotiate Authorization header is present; in that case {@code UNAUTHENTICATED}
 *     for a deferred response, otherwise {@code SEND_CONTINUE} after a 401 has been sent
 * @throws IOException if sending the 401 response fails
 */
Authentication sendChallengeIfNecessary(Authentication computedAuth, ServletRequest request,
    ServletResponse response) throws IOException {
  // Every result other than UNAUTHENTICATED passes through untouched.
  if (computedAuth != Authentication.UNAUTHENTICATED) {
    return computedAuth;
  }

  final HttpServletRequest httpRequest = (HttpServletRequest) request;
  final HttpServletResponse httpResponse = (HttpServletResponse) response;

  final String authorization = httpRequest.getHeader(HttpHeader.AUTHORIZATION.asString());
  final boolean otherSchemeOffered =
      authorization != null && !authorization.startsWith(HttpHeader.NEGOTIATE.asString());
  if (!otherSchemeOffered) {
    // No header at all, or a Negotiate header: nothing to work around here.
    return computedAuth;
  }

  LOG.debug("Client sent Authorization header that was not for Negotiate,"
      + " sending challenge anyways.");

  // A deferred response must not be written to, so no challenge is sent on it.
  if (DeferredAuthentication.isDeferred(httpResponse)) {
    return Authentication.UNAUTHENTICATED;
  }

  // Advertise Negotiate and reject with 401 so the client can retry with a SPNEGO token.
  httpResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(),
      HttpHeader.NEGOTIATE.asString());
  httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  return Authentication.SEND_CONTINUE;
}
 
Example #2
Source File: SpnegoAuthenticatorEx.java    From sql-layer with GNU Affero General Public License v3.0
/**
 * Delegates to the parent authenticator and turns a failed mandatory negotiation into an
 * explicit 403 response.
 *
 * <p>The override only acts when the parent returns {@code UNAUTHENTICATED}, authentication
 * is mandatory, and the response is not a deferred one. Every other result is returned as is.
 *
 * @param request the current request
 * @param response the current response; cast to {@link HttpServletResponse} only on the
 *     failure path
 * @param mandatory whether authentication is required for this request
 * @return the parent's result, or {@code SEND_FAILURE} after a 403 has been sent
 * @throws ServerAuthException wrapping any {@link IOException} raised while sending the error
 */
@Override
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
    final Authentication delegated = super.validateRequest(request, response, mandatory);

    // Only an unauthenticated result on a mandatory request is rewritten.
    if (delegated != Authentication.UNAUTHENTICATED || !mandatory) {
        return delegated;
    }

    final HttpServletResponse httpResponse = (HttpServletResponse) response;
    // A deferred response must not be committed, so the parent's result stands.
    if (DeferredAuthentication.isDeferred(httpResponse)) {
        return delegated;
    }

    LOG.debug("SpengoAuthenticatorEx: unauthenticated -> forbidden");
    try {
        // Fail closed: the request is refused instead of proceeding unauthenticated.
        httpResponse.sendError(Response.SC_FORBIDDEN, "negotiation failure");
    } catch (IOException ex) {
        throw new ServerAuthException(ex);
    }
    return Authentication.SEND_FAILURE;
}
 
Example #3
Source File: KeycloakDropwizardAuthenticator.java    From keycloak-dropwizard-integration with Apache License 2.0
/**
 * Decides whether authentication has to run for this request, delegates to the parent
 * authenticator, and never hands a {@link DeferredAuthentication} back to the caller.
 *
 * <p>{@code mandatory} is forced to {@code true} when any of the following holds:
 * <ul>
 *   <li>the adapter is not bearer-only and the raw query string contains {@code "code="};
 *       this is a substring match, so it also matches other parameter names ending in
 *       "code", which only makes the check stricter</li>
 *   <li>the request carries an {@code Authorization} header</li>
 *   <li>an existing session holds cached form parameters or a Keycloak security context</li>
 * </ul>
 *
 * @param req the current request; cast to {@link HttpServletRequest}
 * @param res the current response
 * @param mandatory whether the caller requires authentication; may be raised to {@code true}
 * @return the parent's result, or {@code null} when that result is a
 *     {@link DeferredAuthentication}
 * @throws ServerAuthException if the parent authenticator fails
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory)
        throws ServerAuthException {
    final HttpServletRequest httpRequest = (HttpServletRequest) req;
    httpRequest.setAttribute(HttpServletRequest.class.getName(), httpRequest);

    // First clause: a code in the query string, as returned by OAuth, but only when this
    // adapter is not bearer-only. Second clause: an Authorization header, which may be
    // Bearer or Basic (both supported by Keycloak).
    if ((!getAdapterConfig().isBearerOnly()
                && httpRequest.getQueryString() != null
                && httpRequest.getQueryString().contains("code="))
            || httpRequest.getHeaders("Authorization").hasMoreElements()) {
        mandatory = true;
    }

    // getSession(false) never creates a session; only an existing one is inspected.
    final HttpSession existingSession = httpRequest.getSession(false);
    if (existingSession != null
            && (existingSession.getAttribute(JettyAdapterSessionStore.CACHED_FORM_PARAMETERS) != null
                || existingSession.getAttribute(KeycloakSecurityContext.class.getName()) != null)) {
        // Either this is the redirect after the code was received for a FORM, or the
        // session already holds an authentication that should be used.
        mandatory = true;
    }

    final Authentication delegated = super.validateRequest(req, res, mandatory);
    if (delegated instanceof DeferredAuthentication) {
        // Per the original author, resolving a deferred authentication later would
        // otherwise lead to a NullPointerException.
        // NOTE(review): the caller receives null here; confirm that the hosting security
        // handler treats a null result as "not authenticated".
        return null;
    }
    return delegated;
}
 
Example #4
Source File: AbstractKeycloakJettyAuthenticator.java    From keycloak with Apache License 2.0
/**
 * Runs the Keycloak OIDC authentication flow for a Jetty request.
 *
 * <p>Order of decisions, as implemented below:
 * <ol>
 *   <li>no configured deployment: {@code UNAUTHENTICATED}</li>
 *   <li>the pre-auth actions handler handled the request: {@code SEND_SUCCESS}</li>
 *   <li>authentication not mandatory: a {@link DeferredAuthentication}, so no token is
 *       checked at this point</li>
 *   <li>otherwise the current token is checked and the request authenticator runs</li>
 * </ol>
 *
 * @param req the current request
 * @param res the current response; cast to {@link HttpServletResponse}
 * @param mandatory whether authentication is required for this request
 * @return the registered authentication on success, {@code SEND_SUCCESS} when a response
 *     has already been produced, or {@code SEND_CONTINUE} after issuing any challenge
 * @throws ServerAuthException declared by the overridden method
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }

    final Request jettyRequest = resolveRequest(req);
    final OIDCJettyHttpFacade httpFacade = new OIDCJettyHttpFacade(jettyRequest, (HttpServletResponse) res);
    final KeycloakDeployment deployment = deploymentContext.resolveDeployment(httpFacade);

    final boolean deploymentUsable = deployment != null && deployment.isConfigured();
    if (!deploymentUsable) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }

    // Pre-auth actions get the first chance to answer the request.
    final PreAuthActionsHandler preAuthActions =
            new PreAuthActionsHandler(createSessionManagement(jettyRequest), deploymentContext, httpFacade);
    if (preAuthActions.handleRequest()) {
        return Authentication.SEND_SUCCESS;
    }

    // Non-mandatory requests are deferred: nothing below this line runs for them.
    if (!mandatory) {
        return new DeferredAuthentication(this);
    }

    final AdapterTokenStore tokenStore = getTokenStore(jettyRequest, httpFacade, deployment);
    nodesRegistrationManagement.tryRegister(deployment);

    tokenStore.checkCurrentToken();
    final JettyRequestAuthenticator requestAuthenticator =
            createRequestAuthenticator(jettyRequest, httpFacade, deployment, tokenStore);
    final AuthOutcome outcome = requestAuthenticator.authenticate();

    if (outcome != AuthOutcome.AUTHENTICATED) {
        // Any outcome other than AUTHENTICATED ends with a challenge, if one is available.
        final AuthChallenge pendingChallenge = requestAuthenticator.getChallenge();
        if (pendingChallenge != null) {
            pendingChallenge.challenge(httpFacade);
        }
        return Authentication.SEND_CONTINUE;
    }

    // The facade has already ended the exchange, so no principal is registered.
    if (httpFacade.isEnded()) {
        return Authentication.SEND_SUCCESS;
    }

    final Authentication registered = register(jettyRequest, requestAuthenticator.principal);
    final AuthenticatedActionsHandler postAuthActions = new AuthenticatedActionsHandler(deployment, httpFacade);
    if (postAuthActions.handledRequest()) {
        return Authentication.SEND_SUCCESS;
    }
    return registered;
}
 
Example #5
Source File: AbstractSamlAuthenticator.java    From keycloak with Apache License 2.0
/**
 * Runs the Keycloak SAML authentication flow for a Jetty request.
 *
 * <p>A request is treated as the SAML endpoint when its URI, after the context path is
 * stripped, ends with {@code "/saml"}. This is a suffix match, so every path ending in
 * {@code /saml} takes the endpoint branch and is processed even when authentication is not
 * mandatory. All other non-mandatory requests get a {@link DeferredAuthentication}.
 *
 * @param req the current request
 * @param res the current response; cast to {@link HttpServletResponse}
 * @param mandatory whether authentication is required for this request
 * @return {@code UNAUTHENTICATED} without a configured deployment, the registered
 *     authentication on success, {@code SEND_SUCCESS} when the facade has already ended the
 *     exchange, or {@code SEND_CONTINUE} after a logout or a challenge
 * @throws ServerAuthException declared by the overridden method
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (log.isTraceEnabled()) {
        log.trace("*** authenticate");
    }

    final Request jettyRequest = resolveRequest(req);
    final JettyHttpFacade httpFacade = new JettyHttpFacade(jettyRequest, (HttpServletResponse) res);
    final SamlDeployment deployment = deploymentContext.resolveDeployment(httpFacade);

    final boolean deploymentUsable = deployment != null && deployment.isConfigured();
    if (!deploymentUsable) {
        log.debug("*** deployment isn't configured return false");
        return Authentication.UNAUTHENTICATED;
    }

    // Endpoint detection: suffix match on the request URI relative to the context path.
    final String requestUri = jettyRequest.getRequestURI();
    final String pathAfterContext = requestUri.substring(jettyRequest.getContextPath().length());
    final boolean isEndpoint = pathAfterContext.endsWith("/saml");

    // Only non-endpoint requests may be deferred.
    if (!mandatory && !isEndpoint) {
        return new DeferredAuthentication(this);
    }

    final JettySamlSessionStore sessionStore = getTokenStore(jettyRequest, httpFacade, deployment);

    // The two authenticators differ only in the browser handler they create.
    final SamlAuthenticator samlAuthenticator;
    if (isEndpoint) {
        samlAuthenticator = new SamlAuthenticator(httpFacade, deployment, sessionStore) {
            @Override
            protected void completeAuthentication(SamlSession account) {
                // Intentionally empty in this adapter.
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new SamlEndpoint(facade, deployment, sessionStore);
            }
        };
    } else {
        samlAuthenticator = new SamlAuthenticator(httpFacade, deployment, sessionStore) {
            @Override
            protected void completeAuthentication(SamlSession account) {
                // Intentionally empty in this adapter.
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade facade, SamlDeployment deployment, SamlSessionStore sessionStore) {
                return new BrowserHandler(facade, deployment, sessionStore);
            }
        };
    }

    final AuthOutcome outcome = samlAuthenticator.authenticate();

    if (outcome == AuthOutcome.AUTHENTICATED) {
        // The facade has already ended the exchange, so no session is registered.
        if (httpFacade.isEnded()) {
            return Authentication.SEND_SUCCESS;
        }
        final SamlSession account = sessionStore.getAccount();
        return register(jettyRequest, account);
    }

    if (outcome == AuthOutcome.LOGGED_OUT) {
        // The local session is cleared before any logout page is shown.
        logoutCurrent(jettyRequest);
        if (deployment.getLogoutPage() != null) {
            forwardToLogoutPage(jettyRequest, (HttpServletResponse) res, deployment);
        }
    } else {
        // Every remaining outcome ends with a challenge, if one is available.
        final AuthChallenge pendingChallenge = samlAuthenticator.getChallenge();
        if (pendingChallenge != null) {
            pendingChallenge.challenge(httpFacade);
        }
    }
    return Authentication.SEND_CONTINUE;
}