You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by ra...@apache.org on 2019/01/17 13:10:19 UTC
[tomee] 05/17: TOMEE-2365 - Implemented SecurityContext
authenticate.
This is an automated email from the ASF dual-hosted git repository.
radcortez pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 58292c94375f582f5d7fa89d5ef810b28bdab067
Author: Roberto Cortez <ra...@yahoo.com>
AuthorDate: Mon Jan 14 16:35:16 2019 +0000
TOMEE-2365 - Implemented SecurityContext authenticate.
---
.../tomee/security/TomEESecurityContext.java | 106 ++++++++++++++++++
.../tomee/security/cdi/TomEESecurityExtension.java | 3 +
.../security/context/SecurityContextTest.java | 121 +++++++++++++++++++++
3 files changed, 230 insertions(+)
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java
new file mode 100644
index 0000000..2e31b06
--- /dev/null
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/TomEESecurityContext.java
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security;
+
+import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
+import org.apache.tomee.security.message.TomEEMessageInfo;
+
+import javax.security.auth.Subject;
+import javax.security.auth.message.AuthException;
+import javax.security.auth.message.AuthStatus;
+import javax.security.auth.message.MessageInfo;
+import javax.security.auth.message.config.AuthConfigFactory;
+import javax.security.auth.message.config.AuthConfigProvider;
+import javax.security.auth.message.config.ServerAuthConfig;
+import javax.security.auth.message.config.ServerAuthContext;
+import javax.security.enterprise.AuthenticationStatus;
+import javax.security.enterprise.SecurityContext;
+import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.security.Principal;
+import java.util.Set;
+
+import static javax.security.auth.message.AuthStatus.SEND_CONTINUE;
+import static javax.security.auth.message.AuthStatus.SEND_FAILURE;
+import static javax.security.auth.message.AuthStatus.SUCCESS;
+
+public class TomEESecurityContext implements SecurityContext {
+ @Override
+ public Principal getCallerPrincipal() {
+ return null;
+ }
+
+ @Override
+ public <T extends Principal> Set<T> getPrincipalsByType(final Class<T> pType) {
+ return null;
+ }
+
+ @Override
+ public boolean isCallerInRole(final String role) {
+ return false;
+ }
+
+ @Override
+ public boolean hasAccessToWebResource(final String resource, final String... methods) {
+ return false;
+ }
+
+ @Override
+ public AuthenticationStatus authenticate(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final AuthenticationParameters parameters) {
+
+ try {
+ final MessageInfo messageInfo = new TomEEMessageInfo(request, response, true, parameters);
+ final ServerAuthContext serverAuthContext = getServerAuthContext(request);
+ final AuthStatus authStatus = serverAuthContext.validateRequest(messageInfo, new Subject(), null);
+
+ return mapToAuthenticationStatus(authStatus);
+
+ } catch (final AuthException e) {
+ return AuthenticationStatus.SEND_FAILURE;
+ }
+ }
+
+ private AuthenticationStatus mapToAuthenticationStatus(final AuthStatus authStatus) {
+ if (SUCCESS.equals(authStatus)) {
+ return AuthenticationStatus.SUCCESS;
+ }
+
+ if (SEND_FAILURE.equals(authStatus)) {
+ return AuthenticationStatus.SEND_FAILURE;
+ }
+
+ if (SEND_CONTINUE.equals(authStatus)) {
+ return AuthenticationStatus.SEND_CONTINUE;
+ }
+
+ throw new IllegalArgumentException();
+ }
+
+ private ServerAuthContext getServerAuthContext(final HttpServletRequest request) throws AuthException {
+ final String appContext = request.getServletContext().getVirtualServerName() + " " + request.getContextPath();
+
+ final AuthConfigProvider authConfigProvider =
+ AuthConfigFactory.getFactory().getConfigProvider("HttpServlet", appContext, null);
+ final ServerAuthConfig serverAuthConfig =
+ authConfigProvider.getServerAuthConfig("HttpServlet", appContext, CallbackHandlerImpl.getInstance());
+
+ return serverAuthConfig.getAuthContext(null, null, null);
+ }
+}
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java
index 9343c3e..092bcff 100644
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java
@@ -16,6 +16,7 @@
*/
package org.apache.tomee.security.cdi;
+import org.apache.tomee.security.TomEESecurityContext;
import org.apache.tomee.security.identitystore.TomEEDefaultIdentityStore;
import org.apache.tomee.security.identitystore.TomEEIdentityStoreHandler;
@@ -55,6 +56,8 @@ public class TomEESecurityExtension implements Extension {
beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(AutoApplySessionInterceptor.class));
beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(LoginToContinueInterceptor.class));
+
+ beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(TomEESecurityContext.class));
}
void processAuthenticationMechanismDefinitions(@Observes
diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java
new file mode 100644
index 0000000..efb7898
--- /dev/null
+++ b/tomee/tomee-security/src/test/java/org/apache/tomee/security/context/SecurityContextTest.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security.context;
+
+import org.apache.tomee.security.AbstractTomEESecurityTest;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import javax.inject.Inject;
+import javax.security.enterprise.AuthenticationException;
+import javax.security.enterprise.AuthenticationStatus;
+import javax.security.enterprise.SecurityContext;
+import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
+import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
+import javax.security.enterprise.credential.UsernamePasswordCredential;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import javax.security.enterprise.identitystore.IdentityStoreHandler;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.core.Response;
+import java.io.IOException;
+
+import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
+import static org.junit.Assert.assertEquals;
+
+public class SecurityContextTest extends AbstractTomEESecurityTest {
+ @Test
+ public void authenticate() throws Exception {
+ final String servlet = "http://localhost:" + container.getConfiguration().getHttpPort() + "/securityContext";
+ final Response response = ClientBuilder.newBuilder()
+ .build()
+ .target(servlet)
+ .queryParam("username", "tomcat")
+ .queryParam("password", "tomcat")
+ .request()
+ .get();
+ assertEquals(200, response.getStatus());
+ assertEquals("ok!", response.readEntity(String.class));
+ }
+
+ @Test
+ public void wrongPassword() throws Exception {
+ final String servlet = "http://localhost:" + container.getConfiguration().getHttpPort() + "/securityContext";
+ assertEquals(401, ClientBuilder.newBuilder().build()
+ .target(servlet)
+ .queryParam("username", "tomcat")
+ .queryParam("password", "wrong")
+ .request()
+ .get().getStatus());
+ }
+
+ @WebServlet(urlPatterns = "/securityContext")
+ public static class TestServlet extends HttpServlet {
+ @Inject
+ private SecurityContext securityContext;
+
+ @Override
+ protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
+ throws ServletException, IOException {
+
+ final AuthenticationParameters parameters =
+ AuthenticationParameters.withParams()
+ .credential(new UsernamePasswordCredential(req.getParameter("username"),
+ req.getParameter("password")))
+ .newAuthentication(true);
+
+ securityContext.authenticate(req, resp, parameters);
+
+ resp.getWriter().write("ok!");
+ }
+ }
+
+ public static class SecurityContextHttpAuthenticationMechanism implements HttpAuthenticationMechanism {
+ @Inject
+ private IdentityStoreHandler identityStoreHandler;
+
+ @Override
+ public AuthenticationStatus validateRequest(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final HttpMessageContext httpMessageContext)
+ throws AuthenticationException {
+
+ if (httpMessageContext.isAuthenticationRequest()) {
+ try {
+ final CredentialValidationResult result =
+ identityStoreHandler.validate(httpMessageContext.getAuthParameters().getCredential());
+
+ if (result.getStatus().equals(VALID)) {
+ return httpMessageContext.notifyContainerAboutLogin(result);
+ }
+
+ } catch (final IllegalArgumentException | IllegalStateException e) {
+ // Something was sent in the header was not valid.
+ }
+
+ return httpMessageContext.responseUnauthorized();
+ }
+
+ return httpMessageContext.doNothing();
+ }
+ }
+}