/**
 * Create a principal from a single identifier.
 *
 * @param id value used for the id attribute of the new principal; per the original contract
 *           it also serves as the principal name
 * @return freshly built principal carrying {@code id}
 */
static Principal create(String id) {
    Principal.Builder principalBuilder = Principal.builder();
    principalBuilder.id(id);
    return principalBuilder.build();
}
/**
 * Issue a signed JWT describing {@code subject} and hand it to the target's outbound handler,
 * which places the token into the returned headers.
 * <p>
 * Every ABAC attribute of the principal is copied into the token as a payload claim of the same
 * name, {@code full_name} additionally becomes the {@code name} claim, the principal id becomes the
 * subject, and the subject's roles are added as user groups. The target gets a chance to adjust
 * the builder before the token is signed.
 *
 * @param ot      outbound target holding the signing key id and the outbound handler
 * @param subject subject whose principal and roles are propagated
 * @return response carrying the headers produced by the outbound handler
 * @throws JwtException when no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    // Resolve the signing key first; without it there is nothing to propagate.
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): attributes are copied verbatim into an outbound token; anything that must
    // not leave this service should not be attached to the principal as an ABAC attribute.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "full_name" maps to the standard "name" claim; without it any "name" claim added above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id());
    jwtBuilder.preferredUsername(principal.getName());
    jwtBuilder.issuer(issuer);
    jwtBuilder.algorithm(signingKey.algorithm());

    // Target-specific overrides are applied before signing.
    ot.update(jwtBuilder);

    // MP specific: without a "upn" attribute the principal name is used as the user principal.
    if (!principal.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(principal.getName());
    }

    Security.getRoles(subject).forEach(jwtBuilder::addUserGroup);

    SignedJwt signed = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Record the outcome of an authentication on its tracing span and finish the span.
 * The user and service principal names are logged when present, followed by the response status.
 *
 * @param atnSpan  authentication span to annotate and finish
 * @param response authentication response whose user, service and status are logged
 */
private void atnSpanFinish(Span atnSpan, AuthenticationResponse response) {
    response.user().ifPresent(user -> {
        String userName = user.principal().getName();
        atnSpan.log("security.user: " + userName);
    });
    response.service().ifPresent(service -> {
        String serviceName = service.principal().getName();
        atnSpan.log("security.service: " + serviceName);
    });
    atnSpan.log("status: " + response.status());
    atnSpan.finish();
}
/**
 * Enrich a previous authentication response with the grants of its user.
 * <p>
 * Grants are obtained through {@code roleCache} keyed by the principal name; the supplied
 * {@code getGrantsFromServer} call presumably runs on a cache miss. When nothing is found an empty
 * grant list is used. Service, description and request headers of the previous response are
 * carried over unchanged.
 *
 * @param subject          authenticated subject whose principal name keys the grant lookup
 * @param previousResponse response to enhance
 * @return already completed stage with the enhanced response
 */
private CompletionStage<AuthenticationResponse> enhance(Subject subject, AuthenticationResponse previousResponse) {
    String username = subject.principal().getName();
    List<? extends Grant> grants = roleCache
            .computeValue(username, () -> getGrantsFromServer(username))
            .orElse(CollectionsHelper.listOf());

    AuthenticationResponse.Builder responseBuilder = AuthenticationResponse.builder();
    responseBuilder.user(buildSubject(subject, grants));
    responseBuilder.requestHeaders(previousResponse.requestHeaders());
    previousResponse.service().ifPresent(responseBuilder::service);
    previousResponse.description().ifPresent(responseBuilder::description);

    return CompletableFuture.completedFuture(responseBuilder.build());
}
/**
 * Issue a signed JWT describing {@code subject} and hand it to the target's outbound handler,
 * which places the token into the returned headers.
 * <p>
 * Every ABAC attribute of the principal is copied into the token as a payload claim of the same
 * name, {@code full_name} additionally becomes the {@code name} claim and the principal id becomes
 * the subject. The target gets a chance to adjust the builder before the token is signed.
 *
 * @param ot      outbound target holding the signing key id and the outbound handler
 * @param subject subject whose principal is propagated
 * @return response carrying the headers produced by the outbound handler
 * @throws JwtException when no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    // Resolve the signing key first; without it there is nothing to propagate.
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): attributes are copied verbatim into an outbound token; anything that must
    // not leave this service should not be attached to the principal as an ABAC attribute.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "full_name" maps to the standard "name" claim; without it any "name" claim added above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id());
    jwtBuilder.preferredUsername(principal.getName());
    jwtBuilder.issuer(issuer);
    jwtBuilder.algorithm(signingKey.algorithm());

    // Target-specific overrides are applied before signing.
    ot.update(jwtBuilder);

    SignedJwt signed = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Build a principal from the claims of a JWT.
 * <p>
 * The subject claim is mandatory and becomes the principal id; {@code preferred_username} becomes
 * the name when present, otherwise the subject is used. Every payload claim is attached as an
 * attribute (converted through {@link JwtUtil#toObject}), then the well-known claims email,
 * email_verified, locale, family_name, given_name and full_name are attached under those names
 * when present.
 * <p>
 * NOTE(review): this method performs no signature or expiry checks of its own; it assumes the
 * caller has already validated the token before trusting its claims.
 *
 * @param jwt token to read claims from
 * @return principal reflecting the token's claims
 * @throws JwtException when the token has no subject claim
 */
Principal buildPrincipal(Jwt jwt) {
    String subject = jwt.subject()
            .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));

    Principal.Builder principalBuilder = Principal.builder();
    principalBuilder.id(subject);
    principalBuilder.name(jwt.preferredUsername().orElse(subject));

    jwt.payloadClaims().forEach((claimName, claimValue) ->
            principalBuilder.addAttribute(claimName, JwtUtil.toObject(claimValue)));

    jwt.email().ifPresent(email -> principalBuilder.addAttribute("email", email));
    jwt.emailVerified().ifPresent(verified -> principalBuilder.addAttribute("email_verified", verified));
    jwt.locale().ifPresent(locale -> principalBuilder.addAttribute("locale", locale));
    jwt.familyName().ifPresent(familyName -> principalBuilder.addAttribute("family_name", familyName));
    jwt.givenName().ifPresent(givenName -> principalBuilder.addAttribute("given_name", givenName));
    jwt.fullName().ifPresent(fullName -> principalBuilder.addAttribute("full_name", fullName));

    return principalBuilder.build();
}
/**
 * Run the authentication step of the security filter inside its own tracing span.
 * <p>
 * Authentication is only attempted when the method's security definition requires it; in that
 * case an authentication client is built from the security context and the method definition
 * and handed to {@code processAuthentication}. The span is always finished: with the user and
 * service principal names on success, or as an error with the context's throwable and description.
 *
 * @param context         filter context for the current request
 * @param securitySpan    parent span the authentication span is started under
 * @param securityContext security context providing the authentication client builder
 */
protected void authenticate(SecurityFilter.FilterContext context, Span securitySpan, SecurityContext securityContext) {
    Span atnSpan = startNewSpan(securitySpan.context(), "security:atn");
    try {
        SecurityDefinition methodSecurity = context.getMethodSecurity();
        if (!methodSecurity.requiresAuthentication()) {
            return; // nothing to authenticate; the finally block still closes the span
        }
        SecurityClientBuilder<AuthenticationResponse> clientBuilder = securityContext
                .atnClientBuilder()
                .optional(methodSecurity.authenticationOptional())
                .requestMessage(toRequestMessage(context))
                .responseMessage(context.getResponseMessage())
                .tracingSpan(atnSpan);
        clientBuilder.explicitProvider(methodSecurity.getAuthenticator());
        processAuthentication(context, clientBuilder, methodSecurity);
    } finally {
        if (!context.isTraceSuccess()) {
            HttpUtil.traceError(atnSpan, context.getTraceThrowable(), context.getTraceDescription());
        } else {
            List<String> spanLogs = new LinkedList<>();
            securityContext.user()
                    .ifPresent(user -> spanLogs.add("security.user: " + user.principal().getName()));
            securityContext.service()
                    .ifPresent(service -> spanLogs.add("security.service: " + service.principal().getName()));
            finishSpan(atnSpan, spanLogs);
        }
    }
}
/**
 * Issue a signed JWT describing {@code subject} and hand it to the target's outbound handler,
 * which places the token into the returned headers.
 * <p>
 * Every ABAC attribute of the principal is copied into the token as a payload claim of the same
 * name, {@code full_name} additionally becomes the {@code name} claim, the principal id becomes the
 * subject, and the subject's roles are added as user groups. The target gets a chance to adjust
 * the builder before the token is signed.
 *
 * @param ot      outbound target holding the signing key id and the outbound handler
 * @param subject subject whose principal and roles are propagated
 * @return response carrying the headers produced by the outbound handler
 * @throws JwtException when no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    // Resolve the signing key first; without it there is nothing to propagate.
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): attributes are copied verbatim into an outbound token; anything that must
    // not leave this service should not be attached to the principal as an ABAC attribute.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "full_name" maps to the standard "name" claim; without it any "name" claim added above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id());
    jwtBuilder.preferredUsername(principal.getName());
    jwtBuilder.issuer(issuer);
    jwtBuilder.algorithm(signingKey.algorithm());

    // Target-specific overrides are applied before signing.
    ot.update(jwtBuilder);

    // MP specific: without a "upn" attribute the principal name is used as the user principal.
    if (!principal.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(principal.getName());
    }

    Security.getRoles(subject).forEach(jwtBuilder::addUserGroup);

    SignedJwt signed = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Build a principal from the claims of a JWT.
 * <p>
 * The subject claim is mandatory and becomes the principal id; {@code preferred_username} becomes
 * the name when present, otherwise the subject is used. Every payload claim is attached as an
 * attribute (converted through {@link JwtUtil#toObject}), then the well-known claims email,
 * email_verified, locale, family_name, given_name and full_name are attached under those names
 * when present.
 * <p>
 * NOTE(review): this method performs no signature or expiry checks of its own; it assumes the
 * caller has already validated the token before trusting its claims.
 *
 * @param jwt token to read claims from
 * @return principal reflecting the token's claims
 * @throws JwtException when the token has no subject claim
 */
private Principal buildPrincipal(Jwt jwt) {
    String subject = jwt.subject()
            .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));

    Principal.Builder principalBuilder = Principal.builder();
    principalBuilder.id(subject);
    principalBuilder.name(jwt.preferredUsername().orElse(subject));

    jwt.payloadClaims().forEach((claimName, claimValue) ->
            principalBuilder.addAttribute(claimName, JwtUtil.toObject(claimValue)));

    jwt.email().ifPresent(email -> principalBuilder.addAttribute("email", email));
    jwt.emailVerified().ifPresent(verified -> principalBuilder.addAttribute("email_verified", verified));
    jwt.locale().ifPresent(locale -> principalBuilder.addAttribute("locale", locale));
    jwt.familyName().ifPresent(familyName -> principalBuilder.addAttribute("family_name", familyName));
    jwt.givenName().ifPresent(givenName -> principalBuilder.addAttribute("given_name", givenName));
    jwt.fullName().ifPresent(fullName -> principalBuilder.addAttribute("full_name", fullName));

    return principalBuilder.build();
}
}
/**
 * Record the outcome of an authentication on its tracing span and finish the span.
 * The user and service principal names are logged when present, followed by the response status.
 *
 * @param atnSpan  authentication span to annotate and finish
 * @param response authentication response whose user, service and status are logged
 */
private void atnSpanFinish(Span atnSpan, AuthenticationResponse response) {
    response.getUser().ifPresent(user -> {
        String userName = user.getPrincipal().getName();
        atnSpan.log("security.user: " + userName);
    });
    response.getService().ifPresent(service -> {
        String serviceName = service.getPrincipal().getName();
        atnSpan.log("security.service: " + serviceName);
    });
    atnSpan.log("status: " + response.getStatus());
    atnSpan.finish();
}
/**
 * Issue a signed JWT describing {@code subject} and hand it to the target's outbound handler,
 * which places the token into the returned headers.
 * <p>
 * Every ABAC attribute of the principal is copied into the token as a payload claim of the same
 * name, {@code full_name} additionally becomes the {@code name} claim and the principal id becomes
 * the subject. The target gets a chance to adjust the builder before the token is signed.
 *
 * @param ot      outbound target holding the signing key id and the outbound handler
 * @param subject subject whose principal is propagated
 * @return response carrying the headers produced by the outbound handler
 * @throws JwtException when no signing JWK with the target's kid is configured
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    // Resolve the signing key first; without it there is nothing to propagate.
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): attributes are copied verbatim into an outbound token; anything that must
    // not leave this service should not be attached to the principal as an ABAC attribute.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "full_name" maps to the standard "name" claim; without it any "name" claim added above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id());
    jwtBuilder.preferredUsername(principal.getName());
    jwtBuilder.issuer(issuer);
    jwtBuilder.algorithm(signingKey.algorithm());

    // Target-specific overrides are applied before signing.
    ot.update(jwtBuilder);

    SignedJwt signed = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Wrap a user-store record in a security subject.
 * <p>
 * The principal is named after the user's login, each role from the store becomes a
 * {@code Role} grant, and the complete {@code UserStore.User} record is kept as a private
 * credential of the subject.
 * <p>
 * NOTE(review): whatever the User record holds (credentials included, if it carries any) travels
 * with the subject as a private credential; subjects built here should not be logged or
 * serialized without stripping private credentials.
 *
 * @param user record from the user store
 * @return subject for the user
 */
private Subject buildSubject(UserStore.User user) {
    Principal principal = Principal.builder()
            .name(user.login())
            .build();

    Subject.Builder subjectBuilder = Subject.builder();
    subjectBuilder.principal(principal);
    subjectBuilder.addPrivateCredential(UserStore.User.class, user);
    user.roles().forEach(roleName -> subjectBuilder.addGrant(Role.create(roleName)));

    return subjectBuilder.build();
}
/**
 * Run the authentication step of the security filter inside its own tracing span.
 * <p>
 * Authentication is only attempted when the method's security definition requires it; in that
 * case an authentication client is built from the security context and the method definition
 * and handed to {@code processAuthentication}. The span is always finished: with the user and
 * service principal names on success, or as an error with the context's throwable and description.
 *
 * @param context         filter context for the current request
 * @param securitySpan    parent span the authentication span is started under
 * @param securityContext security context providing the authentication client builder
 */
protected void authenticate(SecurityFilter.FilterContext context, Span securitySpan, SecurityContext securityContext) {
    Span atnSpan = startNewSpan(securitySpan.context(), "security:atn");
    try {
        SecurityDefinition methodSecurity = context.getMethodSecurity();
        if (!methodSecurity.requiresAuthentication()) {
            return; // nothing to authenticate; the finally block still closes the span
        }
        SecurityClientBuilder<AuthenticationResponse> clientBuilder = securityContext
                .atnClientBuilder()
                .optional(methodSecurity.authenticationOptional())
                .requestMessage(toRequestMessage(context))
                .responseMessage(context.getResponseMessage())
                .tracingSpan(atnSpan);
        clientBuilder.explicitProvider(methodSecurity.getAuthenticator());
        processAuthentication(context, clientBuilder, methodSecurity);
    } finally {
        if (!context.isTraceSuccess()) {
            HttpUtil.traceError(atnSpan, context.getTraceThrowable(), context.getTraceDescription());
        } else {
            List<String> spanLogs = new LinkedList<>();
            securityContext.user()
                    .ifPresent(user -> spanLogs.add("security.user: " + user.principal().getName()));
            securityContext.service()
                    .ifPresent(service -> spanLogs.add("security.service: " + service.principal().getName()));
            finishSpan(atnSpan, spanLogs);
        }
    }
}
/**
 * Wrap a user-store record in a security subject.
 * <p>
 * The principal is named after the user's login, each role from the store becomes a
 * {@code Role} grant, and the complete {@code UserStore.User} record is kept as a private
 * credential of the subject.
 * <p>
 * NOTE(review): whatever the User record holds (credentials included, if it carries any) travels
 * with the subject as a private credential; subjects built here should not be logged or
 * serialized without stripping private credentials.
 *
 * @param user record from the user store
 * @return subject for the user
 */
private Subject buildSubject(UserStore.User user) {
    Principal principal = Principal.builder()
            .name(user.login())
            .build();

    Subject.Builder subjectBuilder = Subject.builder();
    subjectBuilder.principal(principal);
    subjectBuilder.addPrivateCredential(UserStore.User.class, user);
    user.roles().forEach(roleName -> subjectBuilder.addGrant(Role.create(roleName)));

    return subjectBuilder.build();
}
/**
 * Validate an inbound HTTP signature against a client definition and turn the result into an
 * authentication response.
 * <p>
 * {@code httpSignature.validate} returns a failure reason when the signature does not check out
 * against the environment, the client definition and the headers required for the request method;
 * that reason becomes a failed response. Otherwise a principal named after the client definition
 * and carrying its key id as an attribute is wrapped in a subject, reported as a user or a
 * service depending on the definition's subject type.
 * <p>
 * NOTE(review): the failure reason is handed to the response as-is; whether it is surfaced to the
 * remote caller depends on the code that consumes the response.
 *
 * @param env              security environment of the inbound request
 * @param httpSignature    parsed signature to validate
 * @param clientDefinition definition of the client the signature claims to come from
 * @return failed response with the validation reason, or a successful user/service response
 */
private AuthenticationResponse validateSignature(SecurityEnvironment env,
                                                 HttpSignature httpSignature,
                                                 InboundClientDefinition clientDefinition) {
    // A present value is the reason the signature failed validation.
    Optional<String> validationFailure = httpSignature.validate(env,
                                                                clientDefinition,
                                                                inboundRequiredHeaders.headers(env.method(), env.headers()));

    return validationFailure
            .map(reason -> AuthenticationResponse.failed(reason))
            .orElseGet(() -> {
                Principal principal = Principal.builder()
                        .name(clientDefinition.principalName())
                        .addAttribute(ATTRIB_NAME_KEY_ID, clientDefinition.keyId())
                        .build();
                Subject subject = Subject.builder()
                        .principal(principal)
                        .build();
                return (clientDefinition.subjectType() == SubjectType.USER)
                        ? AuthenticationResponse.success(subject)
                        : AuthenticationResponse.successService(subject);
            });
}
/**
 * Principal representing an unauthenticated caller: named {@code <ANONYMOUS>} and flagged with
 * the {@code anonymous} attribute, presumably so that authorization logic can tell anonymous
 * callers apart from authenticated ones.
 * NOTE(review): the declaration is truncated in this excerpt (no {@code .build()} is visible).
 */
Principal ANONYMOUS_PRINCIPAL = Principal.builder()
        .name("<ANONYMOUS>")
        .addAttribute("anonymous", true)
/**
 * Build a subject from a Google ID token payload and the access token it came with.
 * <p>
 * The token subject becomes the principal id, the email (when present, otherwise the subject)
 * becomes the principal name, and name, email_verified, locale, family_name, given_name and
 * picture are attached as attributes. The access token and the raw payload are kept as a
 * {@code TokenCredential} public credential.
 * <p>
 * NOTE(review): the email is used as the principal name regardless of {@code email_verified};
 * consumers that key authorization on the name should consult the {@code emailVerified} attribute.
 * The payload getters for the attributes are presumably nullable — verify how the builder treats
 * null attribute values.
 *
 * @param accessToken access token associated with the ID token
 * @param payload     verified Google ID token payload
 * @return subject for the Google user
 */
private Subject buildSubject(String accessToken, GoogleIdToken.Payload payload) {
    String userId = payload.getSubject();
    String email = payload.getEmail();
    String displayName = (email == null) ? userId : email;

    Principal principal = Principal.builder()
            .id(userId)
            .name(displayName)
            .addAttribute("fullName", payload.get("name"))
            .addAttribute("emailVerified", payload.getEmailVerified())
            .addAttribute("locale", payload.get("locale"))
            .addAttribute("familyName", payload.get("family_name"))
            .addAttribute("givenName", payload.get("given_name"))
            .addAttribute("pictureUrl", payload.get("picture"))
            .build();

    TokenCredential.Builder credentialBuilder = TokenCredential.builder();
    credentialBuilder.issueTime(toInstant(payload.getIssuedAtTimeSeconds()));
    credentialBuilder.expTime(toInstant(payload.getExpirationTimeSeconds()));
    credentialBuilder.issuer(payload.getIssuer());
    credentialBuilder.token(accessToken);
    credentialBuilder.addToken(GoogleIdToken.Payload.class, payload);

    return Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credentialBuilder.build())
            .build();
}
/**
 * Build a principal from the claims of a JWT.
 * <p>
 * The subject claim is mandatory and becomes the principal id; {@code preferred_username} becomes
 * the name when present, otherwise the subject is used. Every payload claim is attached as an
 * attribute (converted through {@link JwtUtil#toObject}), then the well-known claims email,
 * email_verified, locale, family_name, given_name and full_name are attached under those names
 * when present.
 * <p>
 * NOTE(review): this method performs no signature or expiry checks of its own; it assumes the
 * caller has already validated the token before trusting its claims.
 *
 * @param jwt token to read claims from
 * @return principal reflecting the token's claims
 * @throws JwtException when the token has no subject claim
 */
Principal buildPrincipal(Jwt jwt) {
    String subject = jwt.subject()
            .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));

    Principal.Builder principalBuilder = Principal.builder();
    principalBuilder.id(subject);
    principalBuilder.name(jwt.preferredUsername().orElse(subject));

    jwt.payloadClaims().forEach((claimName, claimValue) ->
            principalBuilder.addAttribute(claimName, JwtUtil.toObject(claimValue)));

    jwt.email().ifPresent(email -> principalBuilder.addAttribute("email", email));
    jwt.emailVerified().ifPresent(verified -> principalBuilder.addAttribute("email_verified", verified));
    jwt.locale().ifPresent(locale -> principalBuilder.addAttribute("locale", locale));
    jwt.familyName().ifPresent(familyName -> principalBuilder.addAttribute("family_name", familyName));
    jwt.givenName().ifPresent(givenName -> principalBuilder.addAttribute("given_name", givenName));
    jwt.fullName().ifPresent(fullName -> principalBuilder.addAttribute("full_name", fullName));

    return principalBuilder.build();
}