This is an automated email from the ASF dual-hosted git repository. radcortez pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 5df4e8f70be6fae6d66654068adf708466c1de96
Author: Roberto Cortez <[email protected]>
AuthorDate: Tue Dec 18 23:31:24 2018 +0000
TOMEE-2365 - CDI Extension to register AuthenticationMechanism if definitions are found.
---
 .../security/cdi/BasicAuthenticationMechanism.java | 80 ++++++++++++++++++++++
 .../tomee/security/cdi/TomEESecurityExtension.java | 53 ++++++++++++++
 .../services/javax.enterprise.inject.spi.Extension | 33 +++++++++
 .../src/test/resources/META-INF/beans.xml | 0
 4 files changed, 166 insertions(+)
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
new file mode 100644
index 0000000..8f433fa
--- /dev/null
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security.cdi;
+
+import org.apache.tomee.security.identitystore.TomEEIdentityStoreHandler;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.inject.Inject;
+import javax.security.enterprise.AuthenticationException;
+import javax.security.enterprise.AuthenticationStatus;
+import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
+import javax.security.enterprise.credential.BasicAuthenticationCredential;
+import javax.security.enterprise.identitystore.CredentialValidationResult;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.HttpHeaders;
+
+import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
+
+@ApplicationScoped
+public class BasicAuthenticationMechanism implements HttpAuthenticationMechanism {
+ @Inject
+ private TomEEIdentityStoreHandler identityStoreHandler;
+
+ @Override
+ public AuthenticationStatus validateRequest(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final HttpMessageContext httpMessageContext)
+ throws AuthenticationException {
+
+ if (!httpMessageContext.isProtected()) {
+ return httpMessageContext.doNothing();
+ }
+
+ try {
+ final CredentialValidationResult result =
+ identityStoreHandler.validate(new BasicAuthenticationCredential(HttpHeaders.AUTHORIZATION));
+
+ if (result.getStatus().equals(VALID)) {
+ return httpMessageContext.notifyContainerAboutLogin(result);
+ }
+
+ } catch (final IllegalArgumentException | IllegalStateException e) {
+ // Something was sent in the header was not valid. Fallthrough to the authenticate challenge again.
+ }
+
+ response.setHeader("WWW-Authenticate", "Basic");
+ return httpMessageContext.responseUnauthorized();
+ }
+
+ @Override
+ public AuthenticationStatus secureResponse(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final HttpMessageContext httpMessageContext)
+ throws AuthenticationException {
+ return null;
+ }
+
+ @Override
+ public void cleanSubject(final HttpServletRequest request,
+ final HttpServletResponse response,
+ final HttpMessageContext httpMessageContext) {
+
+ }
+}
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java
new file mode 100644
index 0000000..2f7bf04
--- /dev/null
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java
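Review bot: `new BasicAuthenticationCredential(HttpHeaders.AUTHORIZATION)` in validateRequest passes the header-name constant instead of the value the client sent, so the request's credentials are never read; as far as this hunk shows, every protected request falls through to the 401 challenge (it fails closed, but nobody can log in). The value should come from `request.getHeader(HttpHeaders.AUTHORIZATION)`, be checked for the `Basic ` scheme, and only the Base64 remainder handed to the credential, as sketched below. In the same hunk secureResponse returns `null` and cleanSubject is empty, whereas the interface defaults return `AuthenticationStatus.SUCCESS` and call `httpMessageContext.cleanClientSubject()`; removing both overrides restores that behaviour, including clearing the subject on logout. The challenge value `"Basic"` also lacks the `realm` parameter that RFC 7617 requires.

```java
// … unchanged: isProtected() check …
final String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
if (authorization != null && authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
    try {
        final CredentialValidationResult result = identityStoreHandler.validate(
                new BasicAuthenticationCredential(authorization.substring(6).trim()));
        // … unchanged: VALID check and notifyContainerAboutLogin(result) …
    } catch (final IllegalArgumentException | IllegalStateException e) {
        // Malformed Base64 or missing ':' separator: fall through to the challenge.
    }
}
// … unchanged: WWW-Authenticate challenge and responseUnauthorized() …
```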
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security.cdi;
+
+import javax.enterprise.context.ApplicationScoped;
+import javax.enterprise.event.Observes;
+import javax.enterprise.inject.Any;
+import javax.enterprise.inject.Default;
+import javax.enterprise.inject.spi.AfterBeanDiscovery;
+import javax.enterprise.inject.spi.AnnotatedType;
+import javax.enterprise.inject.spi.Extension;
+import javax.enterprise.inject.spi.ProcessAnnotatedType;
+import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
+import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
+import java.util.HashSet;
+import java.util.Set;
+
+public class TomEESecurityExtension implements Extension {
+ private final Set<AnnotatedType> basicAuthentication = new HashSet<>();
+
+ void processAuthenticationMechanismDefinitions(@Observes final ProcessAnnotatedType<?> processAnnotatedType) {
+ final AnnotatedType<?> annotatedType = processAnnotatedType.getAnnotatedType();
+ if (annotatedType.isAnnotationPresent(BasicAuthenticationMechanismDefinition.class)) {
+ basicAuthentication.add(annotatedType);
+ }
+ }
+
+ void registerAuthenticationMechanism(@Observes final AfterBeanDiscovery afterBeanDiscovery) {
+ if (!basicAuthentication.isEmpty()) {
+ afterBeanDiscovery.addBean()
+ .id(BasicAuthenticationMechanism.class.getName())
+ .beanClass(BasicAuthenticationMechanism.class)
+ .types(Object.class, HttpAuthenticationMechanism.class, BasicAuthenticationMechanism.class)
+ .qualifiers(Default.Literal.INSTANCE, Any.Literal.INSTANCE)
+ .scope(ApplicationScoped.class)
+ .createWith(creationalContext -> new BasicAuthenticationMechanism());
+ }
+ }
+}
diff --git a/tomee/tomee-security/src/main/resources/META-INF/services/javax.enterprise.inject.spi.Extension b/tomee/tomee-security/src/main/resources/META-INF/services/javax.enterprise.inject.spi.Extension
new file mode 100644
index 0000000..6fc07e8
--- /dev/null
+++ b/tomee/tomee-security/src/main/resources/META-INF/services/javax.enterprise.inject.spi.Extension
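Review bot: In registerAuthenticationMechanism the bean instance comes from `createWith(creationalContext -> new BasicAuthenticationMechanism())`, and an object built with `new` inside that callback is, as far as the CDI SPI documents, not injected by the container. The `@Inject` field `identityStoreHandler` would therefore be null on the first protected request, and the resulting NullPointerException is not among the types validateRequest catches. Because the class already carries `@ApplicationScoped`, handing it to the container as an annotated type (for example `addAnnotatedType(...)` from an `AfterTypeDiscovery` observer) would let the container construct and inject it, and would avoid a second, ambiguous bean if the archive is also scanned. The `realm` of each collected `BasicAuthenticationMechanismDefinition` is never passed on to the mechanism, and the raw `Set<AnnotatedType>` should be `Set<AnnotatedType<?>>`.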
@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+org.apache.tomee.security.cdi.TomEESecurityExtension
diff --git a/tomee/tomee-security/src/test/resources/META-INF/beans.xml b/tomee/tomee-security/src/test/resources/META-INF/beans.xml
new file mode 100644
index 0000000..e69de29
