-
Notifications
You must be signed in to change notification settings - Fork 282
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ELY-2583] Make requestURI and Source-Address available from RealmSuc…
…cessfulAuthenticationEvent and RealmFailedAuthenticationEvent
- Loading branch information
Showing
5 changed files
with
431 additions
and
2 deletions.
There are no files selected for viewing
61 changes: 61 additions & 0 deletions
61
...erver/base/src/main/java/org/wildfly/security/auth/server/RequestInformationCallback.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
/* | ||
* JBoss, Home of Professional Open Source. | ||
* Copyright 2023 Red Hat, Inc., and individual contributors | ||
* as indicated by the @author tags. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.wildfly.security.auth.server; | ||
|
||
import org.wildfly.security.auth.callback.ExtendedCallback; | ||
|
||
import javax.security.auth.callback.Callback; | ||
import java.util.HashMap; | ||
|
||
import static org.wildfly.common.Assert.checkNotNullParam; | ||
|
||
/** | ||
* A {@link javax.security.auth.callback.Callback} to inform a server authentication context about current authentication request. | ||
* | ||
*/ | ||
public class RequestInformationCallback implements ExtendedCallback { | ||
|
||
/** | ||
* request URI of the current authentication request | ||
*/ | ||
public static final String REQUEST_URI = "Request-URI"; | ||
|
||
/** | ||
* Properties of the current authentication request | ||
*/ | ||
private final HashMap<String, Object> props; | ||
|
||
/** | ||
* Construct a new instance of this {@link Callback}. | ||
* | ||
* @param props Properties of the current authentication request | ||
*/ | ||
public RequestInformationCallback(HashMap<String, Object> props) { | ||
checkNotNullParam("props", props); | ||
this.props = props; | ||
} | ||
|
||
/** | ||
* Get the properties of this request. | ||
* | ||
* @return properties of the current authentication request | ||
*/ | ||
public HashMap<String, Object> getProperties() { | ||
return this.props; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
89 changes: 89 additions & 0 deletions
89
...in/java/org/wildfly/security/http/util/SetRequestInformationCallbackMechanismFactory.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
/* | ||
* JBoss, Home of Professional Open Source. | ||
* Copyright 2023 Red Hat, Inc., and individual contributors | ||
* as indicated by the @author tags. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.wildfly.security.http.util; | ||
|
||
import org.wildfly.security.auth.server.RequestInformationCallback; | ||
import org.wildfly.security.http.HttpAuthenticationException; | ||
import org.wildfly.security.http.HttpServerAuthenticationMechanism; | ||
import org.wildfly.security.http.HttpServerAuthenticationMechanismFactory; | ||
import org.wildfly.security.http.HttpServerRequest; | ||
|
||
import javax.security.auth.callback.Callback; | ||
import javax.security.auth.callback.CallbackHandler; | ||
import javax.security.auth.callback.UnsupportedCallbackException; | ||
import java.io.IOException; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
import static org.wildfly.common.Assert.checkNotNullParam; | ||
|
||
/** | ||
* A wrapper {@link HttpServerAuthenticationMechanismFactory} that sets the request information using the current authentication request. | ||
* | ||
* @author <a href="mailto:[email protected]">Diana Krepinska</a> | ||
*/ | ||
public class SetRequestInformationCallbackMechanismFactory implements HttpServerAuthenticationMechanismFactory { | ||
|
||
private final HttpServerAuthenticationMechanismFactory delegate; | ||
|
||
/** | ||
* Construct a wrapping mechanism factory instance. | ||
* | ||
* @param delegate the wrapped mechanism factory | ||
*/ | ||
public SetRequestInformationCallbackMechanismFactory(final HttpServerAuthenticationMechanismFactory delegate) { | ||
this.delegate = checkNotNullParam("delegate", delegate); | ||
} | ||
|
||
@Override | ||
public String[] getMechanismNames(Map<String, ?> properties) { | ||
return delegate.getMechanismNames(properties); | ||
} | ||
|
||
@Override | ||
public HttpServerAuthenticationMechanism createAuthenticationMechanism(final String mechanismName, Map<String, ?> properties, | ||
final CallbackHandler callbackHandler) throws HttpAuthenticationException { | ||
final HttpServerAuthenticationMechanism mechanism = delegate.createAuthenticationMechanism(mechanismName, properties, callbackHandler); | ||
return mechanism != null ? new HttpServerAuthenticationMechanism() { | ||
|
||
@Override | ||
public String getMechanismName() { | ||
return mechanism.getMechanismName(); | ||
} | ||
|
||
@Override | ||
public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException { | ||
try { | ||
HashMap<String, Object> props = new HashMap<>(); | ||
props.put(RequestInformationCallback.REQUEST_URI, request.getRequestURI()); | ||
callbackHandler.handle(new Callback[]{new RequestInformationCallback(props)}); | ||
} catch (IOException | UnsupportedCallbackException e) { | ||
throw new HttpAuthenticationException(e); | ||
} | ||
|
||
mechanism.evaluateRequest(request); | ||
} | ||
|
||
@Override | ||
public void dispose() { | ||
mechanism.dispose(); | ||
} | ||
|
||
} : null; | ||
} | ||
} |
116 changes: 116 additions & 0 deletions
116
tests/base/src/test/java/org/wildfly/security/auth/server/CustomRealm.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
/* | ||
* JBoss, Home of Professional Open Source. | ||
* Copyright 2023 Red Hat, Inc., and individual contributors | ||
* as indicated by the @author tags. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.wildfly.security.auth.server; | ||
|
||
import org.wildfly.security.auth.SupportLevel; | ||
import org.wildfly.security.auth.server.event.RealmEvent; | ||
import org.wildfly.security.auth.server.event.RealmFailedAuthenticationEvent; | ||
import org.wildfly.security.auth.server.event.RealmSuccessfulAuthenticationEvent; | ||
import org.wildfly.security.credential.Credential; | ||
import org.wildfly.security.evidence.Evidence; | ||
import org.wildfly.security.evidence.PasswordGuessEvidence; | ||
|
||
import java.security.Principal; | ||
import java.security.spec.AlgorithmParameterSpec; | ||
import java.util.Arrays; | ||
|
||
import static org.junit.Assert.assertEquals; | ||
import static org.junit.Assert.fail; | ||
|
||
public class CustomRealm implements SecurityRealm { | ||
public boolean wasAssertionError = false; | ||
|
||
// this realm does not allow acquiring credentials | ||
public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, | ||
AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { | ||
return SupportLevel.UNSUPPORTED; | ||
} | ||
|
||
// this realm will be able to verify password evidences only | ||
public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) | ||
throws RealmUnavailableException { | ||
return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED; | ||
} | ||
|
||
public RealmIdentity getRealmIdentity(final Principal principal) throws RealmUnavailableException { | ||
|
||
if ("myadmin".equals(principal.getName())) { // identity "myadmin" will have password "mypassword" | ||
return new RealmIdentity() { | ||
public Principal getRealmIdentityPrincipal() { | ||
return principal; | ||
} | ||
|
||
public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, | ||
String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException { | ||
return SupportLevel.UNSUPPORTED; | ||
} | ||
|
||
public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException { | ||
return null; | ||
} | ||
|
||
public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) { | ||
return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED; | ||
} | ||
|
||
// evidence will be accepted if it is password "mypassword" | ||
public boolean verifyEvidence(Evidence evidence) { | ||
if (evidence instanceof PasswordGuessEvidence) { | ||
PasswordGuessEvidence guess = (PasswordGuessEvidence) evidence; | ||
try { | ||
return Arrays.equals("mypassword".toCharArray(), guess.getGuess()); | ||
|
||
} finally { | ||
guess.destroy(); | ||
} | ||
} | ||
return false; | ||
} | ||
|
||
public boolean exists() { | ||
return true; | ||
} | ||
}; | ||
} | ||
return RealmIdentity.NON_EXISTENT; | ||
} | ||
|
||
@Override | ||
public void handleRealmEvent(RealmEvent event) { | ||
try { | ||
|
||
if (event instanceof RealmSuccessfulAuthenticationEvent) { | ||
assertEquals("10.12.14.16", ((RealmSuccessfulAuthenticationEvent) event).getAuthorizationIdentity().getRuntimeAttributes().get("Source-Address").get(0)); | ||
assertEquals("www.test-request-uri.org", ((RealmSuccessfulAuthenticationEvent) event).getAuthorizationIdentity().getRuntimeAttributes().get("Request-URI").get(0)); | ||
assertEquals("myadmin", ((RealmSuccessfulAuthenticationEvent) event).getRealmIdentity().getRealmIdentityPrincipal().getName()); | ||
} | ||
if (event instanceof RealmFailedAuthenticationEvent) { | ||
try { | ||
assertEquals("10.12.14.16", ((RealmFailedAuthenticationEvent) event).getRealmIdentity().getAuthorizationIdentity().getRuntimeAttributes().get("Source-Address").get(0)); | ||
assertEquals("www.test-request-uri.org", ((RealmFailedAuthenticationEvent) event).getRealmIdentity().getAuthorizationIdentity().getRuntimeAttributes().get("Request-URI").get(0)); | ||
assertEquals("myadmin", ((RealmFailedAuthenticationEvent) event).getRealmIdentity().getRealmIdentityPrincipal().getName()); | ||
} catch (RealmUnavailableException e) { | ||
fail("RealmFailedAuthenticationEvent should have runtime attributes associated"); | ||
} | ||
} | ||
} catch (AssertionError e) { | ||
wasAssertionError = true; | ||
} | ||
} | ||
} | ||
|
Oops, something went wrong.