1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
/*
* Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
* and is available at http://www.eclipse.org/legal/epl-v10.html
*/
package org.opendaylight.aaa.shiro.filters;
import static javax.servlet.http.HttpServletResponse.SC_BAD_REQUEST;
import static javax.servlet.http.HttpServletResponse.SC_CREATED;
import static javax.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.TokenType;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.opendaylight.aaa.AuthenticationBuilder;
import org.opendaylight.aaa.ClaimBuilder;
import org.opendaylight.aaa.api.Authentication;
import org.opendaylight.aaa.api.Claim;
import org.opendaylight.aaa.shiro.moon.MoonPrincipal;
import org.opendaylight.aaa.sts.OAuthRequest;
import org.opendaylight.aaa.sts.ServiceLocator;
/**
* MoonOAuthFilter filters oauth1 requests form token based authentication
* @author Alioune BA alioune.ba@orange.com
*
*/
public class MoonOAuthFilter extends AuthenticatingFilter{
private static final String DOMAIN_SCOPE_REQUIRED = "Domain scope required";
private static final String NOT_IMPLEMENTED = "not_implemented";
private static final String UNAUTHORIZED = "unauthorized";
private static final String UNAUTHORIZED_CREDENTIALS = "Unauthorized: Login/Password incorrect";
static final String TOKEN_GRANT_ENDPOINT = "/token";
static final String TOKEN_REVOKE_ENDPOINT = "/revoke";
static final String TOKEN_VALIDATE_ENDPOINT = "/validate";
@Override
protected UsernamePasswordToken createToken(ServletRequest request, ServletResponse response) throws Exception {
// TODO Auto-generated method stub
HttpServletRequest httpRequest = (HttpServletRequest) request;
OAuthRequest oauthRequest = new OAuthRequest(httpRequest);
return new UsernamePasswordToken(oauthRequest.getUsername(),oauthRequest.getPassword());
}
@Override
protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
// TODO Auto-generated method stub
Subject currentUser = SecurityUtils.getSubject();
return executeLogin(request, response);
}
protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
ServletRequest request, ServletResponse response) throws Exception {
HttpServletResponse httpResponse= (HttpServletResponse) response;
MoonPrincipal principal = (MoonPrincipal) subject.getPrincipals().getPrimaryPrincipal();
Claim claim = principal.principalToClaim();
oauthAccessTokenResponse(httpResponse,claim,"",principal.getToken());
return true;
}
protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException e,
ServletRequest request, ServletResponse response) {
HttpServletResponse resp = (HttpServletResponse) response;
error(resp, SC_BAD_REQUEST, UNAUTHORIZED_CREDENTIALS);
return false;
}
protected boolean executeLogin(ServletRequest request, ServletResponse response) throws Exception {
HttpServletRequest req= (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
try {
if (req.getServletPath().equals(TOKEN_GRANT_ENDPOINT)) {
UsernamePasswordToken token = createToken(request, response);
if (token == null) {
String msg = "A valid non-null AuthenticationToken " +
"must be created in order to execute a login attempt.";
throw new IllegalStateException(msg);
}
try {
Subject subject = getSubject(request, response);
subject.login(token);
return onLoginSuccess(token, subject, request, response);
} catch (AuthenticationException e) {
return onLoginFailure(token, e, request, response);
}
} else if (req.getServletPath().equals(TOKEN_REVOKE_ENDPOINT)) {
//TODO: deleteAccessToken(req, resp);
} else if (req.getServletPath().equals(TOKEN_VALIDATE_ENDPOINT)) {
//TODO: validateToken(req, resp);
}
} catch (AuthenticationException e) {
error(resp, SC_UNAUTHORIZED, e.getMessage());
} catch (OAuthProblemException oe) {
error(resp, oe);
} catch (Exception e) {
error(resp, e);
}
return false;
}
private void oauthAccessTokenResponse(HttpServletResponse resp, Claim claim, String clientId, String token)
throws OAuthSystemException, IOException {
if (claim == null) {
throw new AuthenticationException(UNAUTHORIZED);
}
// Cache this token...
Authentication auth = new AuthenticationBuilder(new ClaimBuilder(claim).setClientId(
clientId).build()).setExpiration(tokenExpiration()).build();
ServiceLocator.getInstance().getTokenStore().put(token, auth);
OAuthResponse r = OAuthASResponse.tokenResponse(SC_CREATED).setAccessToken(token)
.setTokenType(TokenType.BEARER.toString())
.setExpiresIn(Long.toString(auth.expiration()))
.buildJSONMessage();
write(resp, r);
}
private void write(HttpServletResponse resp, OAuthResponse r) throws IOException {
resp.setStatus(r.getResponseStatus());
PrintWriter pw = resp.getWriter();
pw.print(r.getBody());
pw.flush();
pw.close();
}
private long tokenExpiration() {
return ServiceLocator.getInstance().getTokenStore().tokenExpiration();
}
// Emit an error OAuthResponse with the given HTTP code
private void error(HttpServletResponse resp, int httpCode, String error) {
try {
OAuthResponse r = OAuthResponse.errorResponse(httpCode).setError(error)
.buildJSONMessage();
write(resp, r);
} catch (Exception e1) {
// Nothing to do here
}
}
private void error(HttpServletResponse resp, OAuthProblemException e) {
try {
OAuthResponse r = OAuthResponse.errorResponse(SC_BAD_REQUEST).error(e)
.buildJSONMessage();
write(resp, r);
} catch (Exception e1) {
// Nothing to do here
}
}
private void error(HttpServletResponse resp, Exception e) {
try {
OAuthResponse r = OAuthResponse.errorResponse(SC_INTERNAL_SERVER_ERROR)
.setError(e.getClass().getName())
.setErrorDescription(e.getMessage()).buildJSONMessage();
write(resp, r);
} catch (Exception e1) {
// Nothing to do here
}
}
}
|
