/**
 * Closes the authentication tracing span.
 * <p>
 * Before finishing, it records which user and service subjects the response resolved
 * (principal name only, no credential material) and the response status.
 *
 * @param atnSpan  span opened for the authentication step; it is finished by this method
 * @param response authentication outcome to summarise into the span
 */
private void atnSpanFinish(Span atnSpan, AuthenticationResponse response) {
    response.user().ifPresent(user -> {
        String userName = user.principal().getName();
        atnSpan.log("security.user: " + userName);
    });
    response.service().ifPresent(service -> {
        String serviceName = service.principal().getName();
        atnSpan.log("security.service: " + serviceName);
    });
    // Status is always logged, even when no subject was resolved.
    atnSpan.log("status: " + response.status());
    atnSpan.finish();
}
/**
 * Enriches the authenticated user subject with the grants (roles) known for it.
 * <p>
 * Grants are obtained from {@code roleCache} keyed by the principal name; the supplied
 * fallback (presumably invoked on a cache miss) fetches them from the server. The service
 * subject, description and request headers of the previous response are carried over unchanged.
 *
 * @param subject          user subject produced by the upstream authentication
 * @param previousResponse response the enriched response is based on
 * @return an already completed stage holding the enriched response
 */
private CompletionStage<AuthenticationResponse> enhance(Subject subject, AuthenticationResponse previousResponse) {
    String username = subject.principal().getName();

    // NOTE(review): an empty cache value falls back to "no grants" instead of failing;
    // confirm that silently yielding an unprivileged subject is the intended behaviour.
    List<? extends Grant> grants = roleCache
            .computeValue(username, () -> getGrantsFromServer(username))
            .orElse(CollectionsHelper.listOf());

    AuthenticationResponse.Builder enriched = AuthenticationResponse.builder();
    enriched.user(buildSubject(subject, grants));
    previousResponse.service().ifPresent(service -> enriched.service(service));
    previousResponse.description().ifPresent(description -> enriched.description(description));
    enriched.requestHeaders(previousResponse.requestHeaders());

    return CompletableFuture.completedFuture(enriched.build());
}
/**
 * Runs the authentication step for the current request under its own tracing span.
 * <p>
 * Authentication is only performed when the method's security definition requires it.
 * The span is always completed in the {@code finally} block: with the resolved subjects
 * logged on success, or as a traced error otherwise.
 *
 * @param context         filter context of the request being secured
 * @param securitySpan    parent span the authentication span is attached to
 * @param securityContext security context of the request
 */
protected void authenticate(SecurityFilter.FilterContext context, Span securitySpan, SecurityContext securityContext) {
    Span authSpan = startNewSpan(securitySpan.context(), "security:atn");
    try {
        SecurityDefinition definition = context.getMethodSecurity();
        if (definition.requiresAuthentication()) {
            SecurityClientBuilder<AuthenticationResponse> clientBuilder = securityContext.atnClientBuilder()
                    .optional(definition.authenticationOptional())
                    .requestMessage(toRequestMessage(context))
                    .responseMessage(context.getResponseMessage())
                    .tracingSpan(authSpan);
            clientBuilder.explicitProvider(definition.getAuthenticator());
            processAuthentication(context, clientBuilder, definition);
        }
    } finally {
        if (!context.isTraceSuccess()) {
            HttpUtil.traceError(authSpan, context.getTraceThrowable(), context.getTraceDescription());
        } else {
            // NOTE(review): relies on the failing path having cleared isTraceSuccess();
            // an exception escaping the try block is otherwise finished as a success here.
            List<String> spanLogs = new LinkedList<>();
            securityContext.user().ifPresent(user -> {
                String userName = user.principal().getName();
                spanLogs.add("security.user: " + userName);
            });
            securityContext.service().ifPresent(service -> {
                String serviceName = service.principal().getName();
                spanLogs.add("security.service: " + serviceName);
            });
            finishSpan(authSpan, spanLogs);
        }
    }
}
/**
 * Builds, signs and attaches the outbound JWT for one outbound target.
 * <p>
 * Claims are derived from the subject's principal: every ABAC attribute becomes a payload
 * claim, {@code full_name} is mirrored into the standard {@code name} claim, and
 * subject / preferred_username / issuer / algorithm come from the principal and the signing
 * key. The target may adjust the builder before MP-specific claims and groups are added and
 * the token is signed.
 *
 * @param ot      outbound target providing the signing key id, claim customisation and the
 *                header in which the token is sent
 * @param subject subject whose principal is converted into claims
 * @return outbound response carrying the header(s) written by the target's handler
 * @throws JwtException if no signing JWK is configured for the target's {@code jwkKid}
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): all ABAC attributes are forwarded to the target as claims; confirm none of
    // them carries data that must not leave this service before propagating to external targets.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" is driven by full_name only: without it, any "name" claim copied above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // Target-specific customisation of the claims.
    // NOTE(review): no expiry is set in this method; presumably ot.update supplies it - confirm.
    ot.update(jwtBuilder);

    // MP specific: use the principal name as user principal unless an explicit "upn" attribute exists.
    if (!principal.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject).forEach(role -> jwtBuilder.addUserGroup(role));

    SignedJwt signedJwt = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signedJwt.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Builds, signs and attaches the outbound JWT for one outbound target.
 * <p>
 * Claims are derived from the subject's principal: every ABAC attribute becomes a payload
 * claim, {@code full_name} is mirrored into the standard {@code name} claim, and
 * subject / preferred_username / issuer / algorithm come from the principal and the signing
 * key. The target may adjust the builder before the token is signed.
 *
 * @param ot      outbound target providing the signing key id, claim customisation and the
 *                header in which the token is sent
 * @param subject subject whose principal is converted into claims
 * @return outbound response carrying the header(s) written by the target's handler
 * @throws JwtException if no signing JWK is configured for the target's {@code jwkKid}
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): all ABAC attributes are forwarded to the target as claims; confirm none of
    // them carries data that must not leave this service before propagating to external targets.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" is driven by full_name only: without it, any "name" claim copied above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // Target-specific customisation of the claims.
    // NOTE(review): no expiry is set in this method; presumably ot.update supplies it - confirm.
    ot.update(jwtBuilder);

    SignedJwt signedJwt = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signedJwt.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Closes the authentication tracing span.
 * <p>
 * Before finishing, it records which user and service subjects the response resolved
 * (principal name only, no credential material) and the response status.
 *
 * @param atnSpan  span opened for the authentication step; it is finished by this method
 * @param response authentication outcome to summarise into the span
 */
private void atnSpanFinish(Span atnSpan, AuthenticationResponse response) {
    response.getUser().ifPresent(user -> {
        String userName = user.getPrincipal().getName();
        atnSpan.log("security.user: " + userName);
    });
    response.getService().ifPresent(service -> {
        String serviceName = service.getPrincipal().getName();
        atnSpan.log("security.service: " + serviceName);
    });
    // Status is always logged, even when no subject was resolved.
    atnSpan.log("status: " + response.getStatus());
    atnSpan.finish();
}
/**
 * Runs the authentication step for the current request under its own tracing span.
 * <p>
 * Authentication is only performed when the method's security definition requires it.
 * The span is always completed in the {@code finally} block: with the resolved subjects
 * logged on success, or as a traced error otherwise.
 *
 * @param context         filter context of the request being secured
 * @param securitySpan    parent span the authentication span is attached to
 * @param securityContext security context of the request
 */
protected void authenticate(SecurityFilter.FilterContext context, Span securitySpan, SecurityContext securityContext) {
    Span authSpan = startNewSpan(securitySpan.context(), "security:atn");
    try {
        SecurityDefinition definition = context.getMethodSecurity();
        if (definition.requiresAuthentication()) {
            SecurityClientBuilder<AuthenticationResponse> clientBuilder = securityContext.atnClientBuilder()
                    .optional(definition.authenticationOptional())
                    .requestMessage(toRequestMessage(context))
                    .responseMessage(context.getResponseMessage())
                    .tracingSpan(authSpan);
            clientBuilder.explicitProvider(definition.getAuthenticator());
            processAuthentication(context, clientBuilder, definition);
        }
    } finally {
        if (!context.isTraceSuccess()) {
            HttpUtil.traceError(authSpan, context.getTraceThrowable(), context.getTraceDescription());
        } else {
            // NOTE(review): relies on the failing path having cleared isTraceSuccess();
            // an exception escaping the try block is otherwise finished as a success here.
            List<String> spanLogs = new LinkedList<>();
            securityContext.user().ifPresent(user -> {
                String userName = user.principal().getName();
                spanLogs.add("security.user: " + userName);
            });
            securityContext.service().ifPresent(service -> {
                String serviceName = service.principal().getName();
                spanLogs.add("security.service: " + serviceName);
            });
            finishSpan(authSpan, spanLogs);
        }
    }
}
/**
 * Builds, signs and attaches the outbound JWT for one outbound target.
 * <p>
 * Claims are derived from the subject's principal: every ABAC attribute becomes a payload
 * claim, {@code full_name} is mirrored into the standard {@code name} claim, and
 * subject / preferred_username / issuer / algorithm come from the principal and the signing
 * key. The target may adjust the builder before MP-specific claims and groups are added and
 * the token is signed.
 *
 * @param ot      outbound target providing the signing key id, claim customisation and the
 *                header in which the token is sent
 * @param subject subject whose principal is converted into claims
 * @return outbound response carrying the header(s) written by the target's handler
 * @throws JwtException if no signing JWK is configured for the target's {@code jwkKid}
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): all ABAC attributes are forwarded to the target as claims; confirm none of
    // them carries data that must not leave this service before propagating to external targets.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" is driven by full_name only: without it, any "name" claim copied above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // Target-specific customisation of the claims.
    // NOTE(review): no expiry is set in this method; presumably ot.update supplies it - confirm.
    ot.update(jwtBuilder);

    // MP specific: use the principal name as user principal unless an explicit "upn" attribute exists.
    if (!principal.abacAttribute("upn").isPresent()) {
        jwtBuilder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject).forEach(role -> jwtBuilder.addUserGroup(role));

    SignedJwt signedJwt = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signedJwt.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
/**
 * Builds, signs and attaches the outbound JWT for one outbound target.
 * <p>
 * Claims are derived from the subject's principal: every ABAC attribute becomes a payload
 * claim, {@code full_name} is mirrored into the standard {@code name} claim, and
 * subject / preferred_username / issuer / algorithm come from the principal and the signing
 * key. The target may adjust the builder before the token is signed.
 *
 * @param ot      outbound target providing the signing key id, claim customisation and the
 *                header in which the token is sent
 * @param subject subject whose principal is converted into claims
 * @return outbound response carrying the header(s) written by the target's handler
 * @throws JwtException if no signing JWK is configured for the target's {@code jwkKid}
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Principal principal = subject.principal();
    Jwt.Builder jwtBuilder = Jwt.builder();

    // NOTE(review): all ABAC attributes are forwarded to the target as claims; confirm none of
    // them carries data that must not leave this service before propagating to external targets.
    principal.abacAttributeNames().forEach(attributeName ->
            principal.abacAttribute(attributeName)
                    .ifPresent(value -> jwtBuilder.addPayloadClaim(attributeName, value)));

    // "name" is driven by full_name only: without it, any "name" claim copied above is dropped.
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> jwtBuilder.addPayloadClaim("name", fullName),
                             () -> jwtBuilder.removePayloadClaim("name"));

    jwtBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());

    // Target-specific customisation of the claims.
    // NOTE(review): no expiry is set in this method; presumably ot.update supplies it - confirm.
    ot.update(jwtBuilder);

    SignedJwt signedJwt = SignedJwt.sign(jwtBuilder.build(), signingKey);

    Map<String, List<String>> headers = new HashMap<>();
    ot.outboundHandler.header(headers, signedJwt.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}