/* * * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. * */ package org.apache.qpid.server.management.plugin.servlet.rest; import org.apache.commons.codec.binary.Base64; import org.codehaus.jackson.map.ObjectMapper; import org.codehaus.jackson.map.SerializationConfig; import org.apache.log4j.Logger; import org.apache.qpid.server.model.Broker; import org.apache.qpid.server.registry.ApplicationRegistry; import org.apache.qpid.server.security.auth.manager.AuthenticationManager; import org.apache.qpid.server.security.auth.sasl.UsernamePrincipal; import javax.security.auth.Subject; import javax.security.sasl.SaslException; import javax.security.sasl.SaslServer; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import java.security.SecureRandom; import java.util.LinkedHashMap; import java.util.Map; import java.util.Random; public class SaslServlet extends AbstractServlet { private static final Logger LOGGER = Logger.getLogger(SaslServlet.class); private static final SecureRandom SECURE_RANDOM = new SecureRandom(); private static final String ATTR_RANDOM = "SaslServlet.Random"; private static final String ATTR_ID = "SaslServlet.ID"; private static final String ATTR_SASL_SERVER = "SaslServlet.SaslServer"; private static final String ATTR_EXPIRY = "SaslServlet.Expiry"; private static final long SASL_EXCHANGE_EXPIRY = 1000L; public SaslServlet() { super(); } public SaslServlet(Broker broker) { super(broker); } protected void onGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("application/json"); response.setStatus(HttpServletResponse.SC_OK); response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader ("Expires", 0); HttpSession session = request.getSession(); Random rand = getRandom(session); AuthenticationManager authManager = ApplicationRegistry.getInstance().getAuthenticationManager(getSocketAddress(request)); String[] mechanisms = authManager.getMechanisms().split(" "); Map outputObject = new LinkedHashMap(); final Subject subject = (Subject) session.getAttribute("subject"); if(subject != null) { final Principal principal = subject.getPrincipals().iterator().next(); outputObject.put("user", principal.getName()); } else if (request.getRemoteUser() != null) { outputObject.put("user", request.getRemoteUser()); } outputObject.put("mechanisms", (Object) mechanisms); final PrintWriter writer = response.getWriter(); ObjectMapper mapper = new ObjectMapper(); mapper.configure(SerializationConfig.Feature.INDENT_OUTPUT, true); mapper.writeValue(writer, outputObject); } private Random getRandom(final HttpSession session) { Random rand = (Random) session.getAttribute(ATTR_RANDOM); if(rand == null) { synchronized (SECURE_RANDOM) { rand = new Random(SECURE_RANDOM.nextLong()); } session.setAttribute(ATTR_RANDOM, rand); } return rand; } @Override protected void onPost(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { try { response.setContentType("application/json"); response.setHeader("Cache-Control","no-cache"); response.setHeader("Pragma","no-cache"); response.setDateHeader("Expires", 0); HttpSession session = request.getSession(); String mechanism = request.getParameter("mechanism"); String id = request.getParameter("id"); String saslResponse = request.getParameter("response"); AuthenticationManager authManager = ApplicationRegistry.getInstance().getAuthenticationManager(getSocketAddress(request)); if(mechanism != null) { if(id == null) { SaslServer saslServer = authManager.createSaslServer(mechanism, request.getServerName(), null/*TODO*/); evaluateSaslResponse(response, session, saslResponse, saslServer); } else { response.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED); session.removeAttribute(ATTR_ID); session.removeAttribute(ATTR_SASL_SERVER); session.removeAttribute(ATTR_EXPIRY); } } else { if(id != null) { if(id.equals(session.getAttribute(ATTR_ID)) && System.currentTimeMillis() < (Long) session.getAttribute(ATTR_EXPIRY)) { SaslServer saslServer = (SaslServer) session.getAttribute(ATTR_SASL_SERVER); evaluateSaslResponse(response, session, saslResponse, saslServer); } else { response.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED); session.removeAttribute(ATTR_ID); session.removeAttribute(ATTR_SASL_SERVER); session.removeAttribute(ATTR_EXPIRY); } } else { response.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED); session.removeAttribute(ATTR_ID); session.removeAttribute(ATTR_SASL_SERVER); session.removeAttribute(ATTR_EXPIRY); } } } catch(IOException e) { LOGGER.error("Error processing SASL request", e); throw e; } catch(RuntimeException e) { LOGGER.error("Error processing SASL request", e); throw e; } } private void evaluateSaslResponse(final HttpServletResponse response, final HttpSession session, final String saslResponse, final SaslServer saslServer) throws IOException { final String id; byte[] challenge; try { challenge = saslServer.evaluateResponse(saslResponse == null ? new byte[0] : Base64.decodeBase64(saslResponse.getBytes())); } catch(SaslException e) { session.removeAttribute(ATTR_ID); session.removeAttribute(ATTR_SASL_SERVER); session.removeAttribute(ATTR_EXPIRY); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); return; } if(saslServer.isComplete()) { final Subject subject = new Subject(); subject.getPrincipals().add(new UsernamePrincipal(saslServer.getAuthorizationID())); session.setAttribute("subject", subject); session.removeAttribute(ATTR_ID); session.removeAttribute(ATTR_SASL_SERVER); session.removeAttribute(ATTR_EXPIRY); response.setStatus(HttpServletResponse.SC_OK); } else { Random rand = getRandom(session); id = String.valueOf(rand.nextLong()); session.setAttribute(ATTR_ID, id); session.setAttribute(ATTR_SASL_SERVER, saslServer); session.setAttribute(ATTR_EXPIRY, System.currentTimeMillis() + SASL_EXCHANGE_EXPIRY); response.setStatus(HttpServletResponse.SC_OK); Map outputObject = new LinkedHashMap(); outputObject.put("id", id); outputObject.put("challenge", new String(Base64.encodeBase64(challenge))); final PrintWriter writer = response.getWriter(); ObjectMapper mapper = new ObjectMapper(); mapper.configure(SerializationConfig.Feature.INDENT_OUTPUT, true); mapper.writeValue(writer, outputObject); } } }