Java Code Examples for javax.security.enterprise.authentication.mechanism.http.HttpMessageContext#isProtected()

The following examples show how to use javax.security.enterprise.authentication.mechanism.http.HttpMessageContext#isProtected(). In every example, isProtected() distinguishes a request for a resource that has a security constraint (the mechanism must authenticate or challenge) from one that does not (the mechanism may let the request proceed unauthenticated).
Example 1
Source File: JWTHttpAuthenticationMechanism.java (from smallrye-jwt, Apache License 2.0)
@Override
public AuthenticationStatus validateRequest(HttpServletRequest request,
        HttpServletResponse response,
        HttpMessageContext httpMessageContext)
        throws AuthenticationException {

    // Pull the bearer token out of the incoming request, if one is present.
    AbstractBearerTokenExtractor extractor = new BearerTokenExtractor(request, authContextInfo);
    String bearerToken = extractor.getBearerToken();

    if (bearerToken != null) {
        try {
            JsonWebToken jwtPrincipal = jwtParser.parse(bearerToken);
            producer.setJsonWebToken(jwtPrincipal);
            Set<String> groups = jwtPrincipal.getGroups();
            MechanismLogging.log.success();
            return httpMessageContext.notifyContainerAboutLogin(jwtPrincipal, groups);
        } catch (Exception e) {
            MechanismLogging.log.unableToValidateBearerToken(e);
            return httpMessageContext.responseUnauthorized();
        }
    } else {
        // No token was sent. A protected resource must be refused with 401;
        // an unprotected resource is handed back to the container unauthenticated.
        MechanismLogging.log.noUsableBearerTokenFound();
        return httpMessageContext.isProtected() ? httpMessageContext.responseUnauthorized()
                : httpMessageContext.doNothing();
    }
}
 
Example 2
Source File: BasicAuthenticationMechanism.java (from tomee, Apache License 2.0)
@Override
public AuthenticationStatus validateRequest(final HttpServletRequest request,
                                            final HttpServletResponse response,
                                            final HttpMessageContext httpMessageContext)
        throws AuthenticationException {

    // Unprotected resource: skip authentication entirely (no challenge is sent and
    // any Authorization header is ignored) and let the request proceed.
    if (!httpMessageContext.isProtected()) {
        return httpMessageContext.doNothing();
    }

    try {
        final CredentialValidationResult result =
                identityStoreHandler.validate(parseAuthenticationHeader(request.getHeader(AUTHORIZATION)));

        if (result.getStatus().equals(VALID)) {
            return httpMessageContext.notifyContainerAboutLogin(result);
        }

    } catch (final IllegalArgumentException | IllegalStateException e) {
        // Something sent in the header was not valid. Fall through to the authentication challenge again.
    }

    response.setHeader("WWW-Authenticate", "Basic");
    return httpMessageContext.responseUnauthorized();
}
 
Example 3
Source File: JwtAuthenticationMechanism.java (from javaee8-jaxrs-sample, GNU General Public License v3.0)
@Override
public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext context) {

    LOGGER.log(Level.INFO, "validateRequest: {0}", request.getRequestURI());
    // Get the (caller) name and password from the request
    // NOTE: This is for the smallest possible example only. In practice
    // putting the password in a request query parameter (and writing it to the
    // log, as the INFO line below does) is highly insecure
    String name = request.getParameter("username");
    String password = request.getParameter("password");
    String token = extractToken(context);

    if (name != null && password != null
        && "POST".equals(request.getMethod())
        && request.getRequestURI().endsWith("/auth/login")) {
        LOGGER.log(Level.INFO, "user credentials : {0}, {1}", new String[]{name, password});
        // validation of the credential using the identity store
        CredentialValidationResult result = identityStoreHandler.validate(new UsernamePasswordCredential(name, password));
        if (result.getStatus() == CredentialValidationResult.Status.VALID) {
            // Communicate the details of the authenticated user to the container and return SUCCESS.
            return createToken(result, context);
        }
        // if the authentication failed, we return the unauthorized status in the http response
        return context.responseUnauthorized();
    } else if (token != null) {
        // validation of the jwt credential
        return validateToken(token, context);
    } else if (context.isProtected()) {
        // A protected resource is a resource for which a security constraint has been defined.
        // If there are no credentials and the resource is protected, we respond with unauthorized status.
        return context.responseUnauthorized();
    }
    // There are no credentials AND the resource is not protected,
    // so instruct the container to "do nothing" and continue unauthenticated.
    return context.doNothing();
}
 
Example 4
Source File: LoginToContinueInterceptor.java (from tomee, Apache License 2.0)
// True when the caller has just hit a protected resource and no original request
// has been saved yet, i.e. this is the start of the login-to-continue flow rather
// than a later step (login page submission or return to the saved request).
private boolean isOnInitialProtectedURL(final HttpMessageContext httpMessageContext) {
    return httpMessageContext.isProtected() && !hasRequest(httpMessageContext.getRequest());
}