private Subject registeredSubjectForAuthorizationRequestHeader(Authorization authorizationRequestHeader) { String realm = _securityConfiguration.getRealm(); String authRealm = authorizationRequestHeader.realm; if (!realm.Equals(authRealm)) { log.errorFormat("!realm.Equals(authRealm); realm = '{0}'; realm = '{1}'", realm, authRealm); throw HttpErrorHelper.unauthorized401FromOriginator(this); } String clientUsername = authorizationRequestHeader.username; Subject client = _securityConfiguration.getClient(clientUsername); if (null == client) { log.errorFormat("null == client; clientUsername = '******'", clientUsername); throw HttpErrorHelper.unauthorized401FromOriginator(this); } return client; }
public void authenticateRequest(String method, Authorization authorizationRequestHeader, Entity entity) { String opaque = authorizationRequestHeader.opaque; log.debug(opaque, "opaque"); if (null == opaque) { log.error("null == opaque"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } try { if (_unauthenticatedSessions.ContainsKey(opaque)) { HttpSecuritySession securitySession = _unauthenticatedSessions[opaque]; Subject registeredSubject = this.registeredSubjectForAuthorizationRequestHeader(authorizationRequestHeader); securitySession.registeredSubject = registeredSubject; securitySession.authorise(method, authorizationRequestHeader, entity); securitySession.updateUsingAuthenticatedRequest(authorizationRequestHeader); _authenticatedSessions[opaque] = securitySession; _unauthenticatedSessions.Remove(opaque); return; } if (_authenticatedSessions.ContainsKey(opaque)) { HttpSecuritySession securitySession = _authenticatedSessions[opaque]; securitySession.authorise(method, authorizationRequestHeader, entity); securitySession.updateUsingAuthenticatedRequest(authorizationRequestHeader); return; } log.errorFormat("bad opaque; opaque = '{0}'", opaque); throw HttpErrorHelper.unauthorized401FromOriginator(this); } catch (BaseException e) // if we catch a 401 ... clean up sesssions associated with the opaque { if (HttpStatus.UNAUTHORIZED_401 == e.FaultCode) { _unauthenticatedSessions.Remove(opaque); _authenticatedSessions.Remove(opaque); } // rethrow throw e; } }
public HttpHeader getHeaderForResponse(Authorization authorization, int responseStatusCode, Entity responseEntity) { if (null == authorization || 401 == responseStatusCode) // add a AuthenticateResponseHeader { HttpSecuritySession securitySession = new HttpSecuritySession(_securityConfiguration.getRealm()); log.debug(securitySession.opaque, "securitySession.opaque"); _unauthenticatedSessions[securitySession.opaque] = securitySession; WwwAuthenticate answer = securitySession.buildWwwAuthenticate(); return answer; } else { String opaque = authorization.opaque; HttpSecuritySession securitySession = _authenticatedSessions[opaque]; AuthenticationInfo answer = securitySession.buildAuthenticationInfo(authorization, responseEntity); return answer; } }
public void handleHttpResponseHeaders(System.Net.WebHeaderCollection headers) { log.enteredMethod(); String wwwAuthenticate = headers.Get("WWW-Authenticate"); if (null != wwwAuthenticate) { log.warn(wwwAuthenticate); WwwAuthenticate authenticateResponseHeader = WwwAuthenticate.buildFromString(wwwAuthenticate); String serverRealm = authenticateResponseHeader.realm; Subject server = _securityConfiguration.getServer(serverRealm); if (null == server) { log.warnFormat("null == _subject; serverRealm = '{0}'", serverRealm); _authorization = null; _ha1 = null; return; } _ha1 = server.getHa1(); _authorization = new Authorization(); _authorization.nc = 1; _authorization.cnonce = SecurityUtilities.generateNonce(); _authorization.nonce = authenticateResponseHeader.nonce; _authorization.opaque = authenticateResponseHeader.opaque; _authorization.qop = authenticateResponseHeader.qop; _authorization.realm = server.Realm; _authorization.username = server.Username; return; // our work here is done } String authenticationInfo = headers.Get("Authentication-Info"); if (null != authenticationInfo) { AuthenticationInfo authenticationInfoHeader = AuthenticationInfo.buildFromString( authenticationInfo ); long nc = _authorization.nc + 1; _authorization.nc = nc; _authorization.nonce = authenticationInfoHeader.nextnonce; return; // our work here is done } log.warn("did not find a 'WWW-Authenticate' or a 'Authentication-Info'"); }
public void authenticateRequest(String method, Authorization authorization) { this.authenticateRequest(method, authorization, null); }
public void updateUsingAuthenticatedRequest(Authorization authorizationRequestHeader) { _cnonce = authorizationRequestHeader.cnonce; _cnoncesUsed[_cnonce] = _cnonce; _nc = authorizationRequestHeader.nc; _nonce = SecurityUtilities.generateNonce(); }
public AuthenticationInfo buildAuthenticationInfo(Authorization authorization, Entity responseEntity) { log.enteredMethod(); AuthenticationInfo answer = new AuthenticationInfo(); answer.cnonce = _cnonce; answer.nc = _nc; answer.nextnonce = _nonce; answer.qop = authorization.qop; /* * rspauth field */ String ha1 = _registeredSubject.ha1(); // from RFC-2617, section 3.2.3, we leave the method out ... String ha2 = getHa2("", authorization.qop, authorization.uri, responseEntity); String unhashedRspauth = String.Format("{0}:{1}:{2:x8}:{3}:{4}:{5}", ha1, authorization.nonce, authorization.nc, authorization.cnonce, authorization.qop, ha2); String rspauth = SecurityUtilities.md5HashOfString(unhashedRspauth); answer.rspauth = rspauth; return answer; }
public void authorise(String method, Authorization authorization) { authorise(method, authorization, null); }
// this method has no effect on the state of 'self' ... // sections 3.2.2.1-3.2.2.3 of RFC-2617 // entity can be null public void authorise(String method, Authorization authorization, Entity entity) { this.validateAuthorization(authorization); { String ha1 = _registeredSubject.ha1(); String ha2 = getHa2(method, authorization.qop, authorization.uri, entity); String unhashedResponse = String.Format("{0}:{1}:{2:x8}:{3}:{4}:{5}", ha1, authorization.nonce, authorization.nc, authorization.cnonce, authorization.qop, ha2); String expectedResponse = SecurityUtilities.md5HashOfString(unhashedResponse); if (!expectedResponse.Equals(authorization.response)) { log.errorFormat("!expectedResponse.Equals(authorization.response); expectedResponse = '{0}'; authorization.response = '{1}'", expectedResponse, authorization.response); throw HttpErrorHelper.unauthorized401FromOriginator(this); } } _idleSince = DateTime.Now; }
private void validateAuthorization(Authorization authorization) { if (null == authorization) { log.error("null == authorization"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } if (null == _registeredSubject) // should not happen, but ... { log.error("null == _registeredSubject"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // username & realm ... _registeredSubject.validateAuthorizationRequestHeader(authorization); // cnonce ... String submittedCnonce = authorization.cnonce; if (null == submittedCnonce) { log.error("null == submittedCnonce"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // cnonce & nc ... if (submittedCnonce.Equals(_cnonce)) // client is re-using cnonce { if ((_nc + 1) != authorization.nc) { log.errorFormat("(_nc + 1) != authorization.nc; _nc = {0}; authorization.nc = {1}", _nc, authorization.nc); throw HttpErrorHelper.unauthorized401FromOriginator(this); } } else // client has a new cnonce { if (1 != authorization.nc) { log.errorFormat("1 != authorization.nc; authorization.nc = {0}", authorization.nc); throw HttpErrorHelper.unauthorized401FromOriginator(this); } if (_cnoncesUsed.ContainsKey(submittedCnonce)) { log.errorFormat("_cnoncesUsed.ContainsKey(submittedCnonce); submittedCnonce = '{0}'", submittedCnonce); throw HttpErrorHelper.unauthorized401FromOriginator(this); } } // nonce ... if (null == authorization.nonce) { log.errorFormat("null == authorization.nonce"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } if (!_nonce.Equals(authorization.nonce)) { log.errorFormat("!_nonce.Equals(authorization.nonce); _nonce = {0}; authorization.nonce = {1}", _nonce, authorization.nonce); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // opaque ... if (!_opaque.Equals(authorization.opaque)) // should not happen but ... { log.errorFormat("!_opaque.Equals(authorization.opaque); _opaque = '{0}'; authorization.opaque = '{1}'", _opaque, authorization.opaque); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // qop ... if (null == authorization.qop) { log.error("null == authorization.qop"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } if (("auth".Equals(authorization.qop) || "auth-int".Equals(authorization.qop))) { // ok } else { log.errorFormat("unsupported qop; authorization.qop = '{0}'", authorization.qop); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // response if (null == authorization.response) { log.error("null == authorization.response"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // uri if (null == authorization.uri) { log.error("null == authorization.uri"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } }
public void validateAuthorizationRequestHeader(Authorization authorizationRequestHeader) { String realm = authorizationRequestHeader.realm; // realm ... if (null == realm) { log.error("null == realm"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } if (!_realm.Equals(realm)) { log.errorFormat("!_realm.Equals(realm); _realm = '{0}'; realm = '{1}'", _realm, realm); throw HttpErrorHelper.unauthorized401FromOriginator(this); } // username ... String username = authorizationRequestHeader.username; if (null == username) { log.error("null == username"); throw HttpErrorHelper.unauthorized401FromOriginator(this); } else if (!_username.Equals(username)) // someone is switching user names { log.errorFormat("!_username.Equals(username); _username = '******'; username = '******'", _username, username); throw HttpErrorHelper.unauthorized401FromOriginator(this); } }
/////////////////////////////////////////////////////////////////////// public static Authorization buildFromString( String credentials ) { Authorization answer = new Authorization(); AuthenticationHeaderScanner authenticationHeaderScanner = new AuthenticationHeaderScanner(credentials); authenticationHeaderScanner.scanPastDigestString(); String name = authenticationHeaderScanner.scanName(); while (null != name) { if ("cnonce".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._cnonce = value; } else if ("nc".Equals(name)) { uint value = authenticationHeaderScanner.scanHexUInt32(); answer._nc = value; } else if ("nonce".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._nonce = value; } else if ("opaque".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._opaque = value; } else if ("qop".Equals(name)) { String value = authenticationHeaderScanner.scanValue(); answer._qop = value; } else if ("realm".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._realm = value; } else if ("response".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._response = value; } else if ("uri".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); answer._uri = value; } else if ("username".Equals(name)) { String value = authenticationHeaderScanner.scanQuotedValue(); log.debug(value, "value"); answer._username = value; } else { // 'auth-param' is permitted according to 3.2.2 of RFC-2617 // 'auth-param' in section 3.2.1 of RFC-2617 says ... // Any unrecognized directive MUST be ignored. // String value = authenticationHeaderScanner.scanValue(); String warning = String.Format("unrecognised name-value pair. name = '{0}', value = '{1}'", name, value); log.warn(warning); } name = authenticationHeaderScanner.scanName(); } return answer; }