private Subject registeredSubjectForAuthorizationRequestHeader(Authorization authorizationRequestHeader)
{
String realm = _securityConfiguration.getRealm();
String authRealm = authorizationRequestHeader.realm;
if (!realm.Equals(authRealm))
{
log.errorFormat("!realm.Equals(authRealm); realm = '{0}'; realm = '{1}'", realm, authRealm);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
String clientUsername = authorizationRequestHeader.username;
Subject client = _securityConfiguration.getClient(clientUsername);
if (null == client)
{
log.errorFormat("null == client; clientUsername = '******'", clientUsername);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
return client;
}
public void authenticateRequest(String method, Authorization authorizationRequestHeader, Entity entity)
{
String opaque = authorizationRequestHeader.opaque;
log.debug(opaque, "opaque");
if (null == opaque)
{
log.error("null == opaque");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
try
{
if (_unauthenticatedSessions.ContainsKey(opaque))
{
HttpSecuritySession securitySession = _unauthenticatedSessions[opaque];
Subject registeredSubject = this.registeredSubjectForAuthorizationRequestHeader(authorizationRequestHeader);
securitySession.registeredSubject = registeredSubject;
securitySession.authorise(method, authorizationRequestHeader, entity);
securitySession.updateUsingAuthenticatedRequest(authorizationRequestHeader);
_authenticatedSessions[opaque] = securitySession;
_unauthenticatedSessions.Remove(opaque);
return;
}
if (_authenticatedSessions.ContainsKey(opaque))
{
HttpSecuritySession securitySession = _authenticatedSessions[opaque];
securitySession.authorise(method, authorizationRequestHeader, entity);
securitySession.updateUsingAuthenticatedRequest(authorizationRequestHeader);
return;
}
log.errorFormat("bad opaque; opaque = '{0}'", opaque);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
catch (BaseException e) // if we catch a 401 ... clean up sesssions associated with the opaque
{
if (HttpStatus.UNAUTHORIZED_401 == e.FaultCode)
{
_unauthenticatedSessions.Remove(opaque);
_authenticatedSessions.Remove(opaque);
}
// rethrow
throw e;
}
}
public HttpHeader getHeaderForResponse(Authorization authorization, int responseStatusCode, Entity responseEntity)
{
if (null == authorization || 401 == responseStatusCode) // add a AuthenticateResponseHeader
{
HttpSecuritySession securitySession = new HttpSecuritySession(_securityConfiguration.getRealm());
log.debug(securitySession.opaque, "securitySession.opaque");
_unauthenticatedSessions[securitySession.opaque] = securitySession;
WwwAuthenticate answer = securitySession.buildWwwAuthenticate();
return answer;
}
else
{
String opaque = authorization.opaque;
HttpSecuritySession securitySession = _authenticatedSessions[opaque];
AuthenticationInfo answer = securitySession.buildAuthenticationInfo(authorization, responseEntity);
return answer;
}
}
public void handleHttpResponseHeaders(System.Net.WebHeaderCollection headers)
{
log.enteredMethod();
String wwwAuthenticate = headers.Get("WWW-Authenticate");
if (null != wwwAuthenticate)
{
log.warn(wwwAuthenticate);
WwwAuthenticate authenticateResponseHeader = WwwAuthenticate.buildFromString(wwwAuthenticate);
String serverRealm = authenticateResponseHeader.realm;
Subject server = _securityConfiguration.getServer(serverRealm);
if (null == server)
{
log.warnFormat("null == _subject; serverRealm = '{0}'", serverRealm);
_authorization = null;
_ha1 = null;
return;
}
_ha1 = server.getHa1();
_authorization = new Authorization();
_authorization.nc = 1;
_authorization.cnonce = SecurityUtilities.generateNonce();
_authorization.nonce = authenticateResponseHeader.nonce;
_authorization.opaque = authenticateResponseHeader.opaque;
_authorization.qop = authenticateResponseHeader.qop;
_authorization.realm = server.Realm;
_authorization.username = server.Username;
return; // our work here is done
}
String authenticationInfo = headers.Get("Authentication-Info");
if (null != authenticationInfo)
{
AuthenticationInfo authenticationInfoHeader = AuthenticationInfo.buildFromString( authenticationInfo );
long nc = _authorization.nc + 1;
_authorization.nc = nc;
_authorization.nonce = authenticationInfoHeader.nextnonce;
return; // our work here is done
}
log.warn("did not find a 'WWW-Authenticate' or a 'Authentication-Info'");
}
public void authenticateRequest(String method, Authorization authorization)
{
this.authenticateRequest(method, authorization, null);
}
public void updateUsingAuthenticatedRequest(Authorization authorizationRequestHeader)
{
_cnonce = authorizationRequestHeader.cnonce;
_cnoncesUsed[_cnonce] = _cnonce;
_nc = authorizationRequestHeader.nc;
_nonce = SecurityUtilities.generateNonce();
}
public AuthenticationInfo buildAuthenticationInfo(Authorization authorization, Entity responseEntity)
{
log.enteredMethod();
AuthenticationInfo answer = new AuthenticationInfo();
answer.cnonce = _cnonce;
answer.nc = _nc;
answer.nextnonce = _nonce;
answer.qop = authorization.qop;
/*
* rspauth field
*/
String ha1 = _registeredSubject.ha1();
// from RFC-2617, section 3.2.3, we leave the method out ...
String ha2 = getHa2("", authorization.qop, authorization.uri, responseEntity);
String unhashedRspauth = String.Format("{0}:{1}:{2:x8}:{3}:{4}:{5}",
ha1, authorization.nonce, authorization.nc,
authorization.cnonce, authorization.qop, ha2);
String rspauth = SecurityUtilities.md5HashOfString(unhashedRspauth);
answer.rspauth = rspauth;
return answer;
}
public void authorise(String method, Authorization authorization)
{
authorise(method, authorization, null);
}
// this method has no effect on the state of 'self' ...
// sections 3.2.2.1-3.2.2.3 of RFC-2617
// entity can be null
public void authorise(String method, Authorization authorization, Entity entity)
{
this.validateAuthorization(authorization);
{
String ha1 = _registeredSubject.ha1();
String ha2 = getHa2(method, authorization.qop, authorization.uri, entity);
String unhashedResponse = String.Format("{0}:{1}:{2:x8}:{3}:{4}:{5}",
ha1, authorization.nonce, authorization.nc, authorization.cnonce, authorization.qop, ha2);
String expectedResponse = SecurityUtilities.md5HashOfString(unhashedResponse);
if (!expectedResponse.Equals(authorization.response))
{
log.errorFormat("!expectedResponse.Equals(authorization.response); expectedResponse = '{0}'; authorization.response = '{1}'", expectedResponse, authorization.response);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
}
_idleSince = DateTime.Now;
}
private void validateAuthorization(Authorization authorization)
{
if (null == authorization)
{
log.error("null == authorization");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
if (null == _registeredSubject) // should not happen, but ...
{
log.error("null == _registeredSubject");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// username & realm ...
_registeredSubject.validateAuthorizationRequestHeader(authorization);
// cnonce ...
String submittedCnonce = authorization.cnonce;
if (null == submittedCnonce)
{
log.error("null == submittedCnonce");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// cnonce & nc ...
if (submittedCnonce.Equals(_cnonce)) // client is re-using cnonce
{
if ((_nc + 1) != authorization.nc)
{
log.errorFormat("(_nc + 1) != authorization.nc; _nc = {0}; authorization.nc = {1}", _nc, authorization.nc);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
}
else // client has a new cnonce
{
if (1 != authorization.nc)
{
log.errorFormat("1 != authorization.nc; authorization.nc = {0}", authorization.nc);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
if (_cnoncesUsed.ContainsKey(submittedCnonce))
{
log.errorFormat("_cnoncesUsed.ContainsKey(submittedCnonce); submittedCnonce = '{0}'", submittedCnonce);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
}
// nonce ...
if (null == authorization.nonce)
{
log.errorFormat("null == authorization.nonce");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
if (!_nonce.Equals(authorization.nonce))
{
log.errorFormat("!_nonce.Equals(authorization.nonce); _nonce = {0}; authorization.nonce = {1}", _nonce, authorization.nonce);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// opaque ...
if (!_opaque.Equals(authorization.opaque)) // should not happen but ...
{
log.errorFormat("!_opaque.Equals(authorization.opaque); _opaque = '{0}'; authorization.opaque = '{1}'", _opaque, authorization.opaque);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// qop ...
if (null == authorization.qop)
{
log.error("null == authorization.qop");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
if (("auth".Equals(authorization.qop) || "auth-int".Equals(authorization.qop)))
{
// ok
}
else
{
log.errorFormat("unsupported qop; authorization.qop = '{0}'", authorization.qop);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// response
if (null == authorization.response)
{
log.error("null == authorization.response");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// uri
if (null == authorization.uri)
{
log.error("null == authorization.uri");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
}
public void validateAuthorizationRequestHeader(Authorization authorizationRequestHeader)
{
String realm = authorizationRequestHeader.realm;
// realm ...
if (null == realm)
{
log.error("null == realm");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
if (!_realm.Equals(realm))
{
log.errorFormat("!_realm.Equals(realm); _realm = '{0}'; realm = '{1}'", _realm, realm);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
// username ...
String username = authorizationRequestHeader.username;
if (null == username)
{
log.error("null == username");
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
else if (!_username.Equals(username)) // someone is switching user names
{
log.errorFormat("!_username.Equals(username); _username = '******'; username = '******'", _username, username);
throw HttpErrorHelper.unauthorized401FromOriginator(this);
}
}
///////////////////////////////////////////////////////////////////////
public static Authorization buildFromString( String credentials ) {
Authorization answer = new Authorization();
AuthenticationHeaderScanner authenticationHeaderScanner = new AuthenticationHeaderScanner(credentials);
authenticationHeaderScanner.scanPastDigestString();
String name = authenticationHeaderScanner.scanName();
while (null != name)
{
if ("cnonce".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._cnonce = value;
}
else if ("nc".Equals(name))
{
uint value = authenticationHeaderScanner.scanHexUInt32();
answer._nc = value;
}
else if ("nonce".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._nonce = value;
}
else if ("opaque".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._opaque = value;
}
else if ("qop".Equals(name))
{
String value = authenticationHeaderScanner.scanValue();
answer._qop = value;
}
else if ("realm".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._realm = value;
}
else if ("response".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._response = value;
}
else if ("uri".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
answer._uri = value;
}
else if ("username".Equals(name))
{
String value = authenticationHeaderScanner.scanQuotedValue();
log.debug(value, "value");
answer._username = value;
}
else
{
// 'auth-param' is permitted according to 3.2.2 of RFC-2617
// 'auth-param' in section 3.2.1 of RFC-2617 says ...
// Any unrecognized directive MUST be ignored.
//
String value = authenticationHeaderScanner.scanValue();
String warning = String.Format("unrecognised name-value pair. name = '{0}', value = '{1}'", name, value);
log.warn(warning);
}
name = authenticationHeaderScanner.scanName();
}
return answer;
}
