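/**
 * Authenticates the request from its {@code Authorization} header value(s).
 * <p>
 * Every value that carries the {@code Signature} scheme is handed to {@link #signatureHeader}; the first one
 * that validates ends processing and its response is returned. When none validates the outcome depends on
 * {@code optional}: abstain if the provider is optional, otherwise issue a challenge. The challenge text is the
 * description of the last failed signature response, or a generic message when no signature header was seen.
 *
 * @param env security environment of the current request (source of the headers)
 * @return successful response, abstain, or a challenge
 */
private AuthenticationResponse authorizeHeader(SecurityEnvironment env) {
    // Scheme prefix (including the separating space) that selects HTTP Signature values.
    // Spelled once so the prefix test and the substring offset can never disagree
    // (the original used "singature " for the offset — same length, but a latent bug).
    final String scheme = "signature ";

    List<String> authorization = env.headers().get("Authorization");
    AuthenticationResponse response = null;

    // The header may be absent altogether; the map lookup then yields null and there is nothing to validate,
    // which must not turn into a NullPointerException.
    if (null != authorization) {
        for (String authorizationValue : authorization) {
            // Case-insensitive prefix match without toLowerCase(): avoids the default-locale pitfall
            // (e.g. Turkish locale folds "I" to dotless i and would reject "SIGNATURE").
            if (null == authorizationValue
                    || !authorizationValue.regionMatches(true, 0, scheme, 0, scheme.length())) {
                continue;
            }
            response = signatureHeader(CollectionsHelper.listOf(authorizationValue.substring(scheme.length())),
                                       env);
            if (response.status().isSuccess()) {
                // that was a good header, let's return the response
                return response;
            }
        }
    }

    // we have reached the end - all headers validated, none fit, fail or abstain
    if (optional) {
        return AuthenticationResponse.abstain();
    }

    // NOTE(review): the description of the last failed response is forwarded into the challenge; if the
    // challenge is sent back to the client, make sure signatureHeader() never puts internal details in it.
    return challenge(env, (null == response)
            ? "No Signature authorization header"
            : response.description().orElse("Unknown problem"));
}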
SecurityResponse.SecurityStatus responseStatus = response.status();
/**
 * Runs the configured subject mapper (if any) over a successful authentication response.
 * <p>
 * Non-successful responses are returned unchanged. When the mapper returns the very same instance
 * (identity comparison), nothing is written to the context; otherwise the mapped user and service
 * are stored on the context and the mapped response is returned.
 *
 * @param prevResponse response produced by the authentication provider
 * @return stage completing with the (possibly mapped) response
 */
private CompletionStage<AuthenticationResponse> mapSubject(AuthenticationResponse prevResponse) {
    ProviderRequest providerRequest = new ProviderRequest(context,
                                                          request.resources(),
                                                          request.requestEntity(),
                                                          request.responseEntity());

    // Only a SUCCESS carries a subject worth mapping; anything else passes straight through.
    boolean authenticated = prevResponse.status() == SecurityResponse.SecurityStatus.SUCCESS;
    if (!authenticated) {
        return CompletableFuture.completedFuture(prevResponse);
    }

    CompletionStage<AuthenticationResponse> mappedStage = security.subjectMapper()
            .map(mapper -> mapper.map(providerRequest, prevResponse))
            .orElseGet(() -> CompletableFuture.completedFuture(prevResponse));

    return mappedStage.thenApply(mapped -> {
        // Identity check on purpose: the same instance guarantees the mapper changed nothing.
        if (mapped == prevResponse) {
            return prevResponse;
        }
        mapped.user().ifPresent(context::setUser);
        mapped.service().ifPresent(context::setService);
        return mapped;
    });
}
SecurityResponse.SecurityStatus responseStatus = response.status();
/**
 * Records the outcome of authentication on the tracing span and finishes it.
 * <p>
 * Logs the user and service principal names when present, then the response status.
 * NOTE(review): principal names end up in tracing data; confirm that is acceptable for the deployment.
 *
 * @param atnSpan  span covering the authentication step
 * @param response authentication result to record
 */
private void atnSpanFinish(Span atnSpan, AuthenticationResponse response) {
    response.user()
            .map(subject -> subject.principal().getName())
            .ifPresent(name -> atnSpan.log("security.user: " + name));

    response.service()
            .map(subject -> subject.principal().getName())
            .ifPresent(name -> atnSpan.log("security.service: " + name));

    atnSpan.log("status: " + response.status());
    atnSpan.finish();
}
if (authenticationResponse.status() == SecurityResponse.SecurityStatus.ABSTAIN) {
CompositeProviderFlag flag = providerConfig.config.flag(); if (!flag.isValid(thisResponse.status())) { switch (thisResponse.status()) { case SUCCESS: case SUCCESS_FINISH: builder.status(SecurityResponse.SecurityStatus.FAILURE); builder.description("Composite flag forbids this response: " + thisResponse.status()); thisResponse.description().map(builder::description); thisResponse.throwable().map(builder::throwable); thisResponse.status() == SecurityResponse.SecurityStatus.SUCCESS)) { if (prevResponse.status() == SecurityResponse.SecurityStatus.ABSTAIN) { return thisResponse.status().isSuccess() ? thisResponse : prevResponse; if (!thisResponse.status().isSuccess()) { return prevResponse;
if (response.status().isSuccess()) { response.user() .ifPresent(context::setUser);