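/**
 * Derives the PKCE code challenge from a code verifier (RFC 7636, section 4.2).
 * <ul>
 *   <li>{@code plain}: the verifier itself is the challenge.</li>
 *   <li>{@code S256}: {@code BASE64URL(SHA-256(verifier))}, without padding.</li>
 * </ul>
 *
 * @param method       the code challenge method stored with the code ("plain" or "S256", case-insensitive)
 * @param codeVerifier the code verifier presented by the client
 * @return the challenge value to compare against the one stored on the authorization code
 * @throws CredentialsException if the verifier is missing or the method is not recognized
 */
private static String calculateCodeVerifierHash(final String method, final String codeVerifier) {
    // A missing verifier must surface as an authentication failure, not as a NullPointerException
    // out of the hashing or the caller's comparison.
    if (codeVerifier == null || codeVerifier.isEmpty()) {
        throw new CredentialsException("Code verifier is missing for verification method: " + method);
    }
    if ("plain".equalsIgnoreCase(method)) {
        return codeVerifier;
    }
    if ("S256".equalsIgnoreCase(method)) {
        // RFC 7636 encodes the raw 32 digest bytes. The previous implementation base64-encoded
        // the text returned by DigestUtils.sha256 (a String, per the getBytes() call on it) instead
        // of the digest bytes, so a spec-conforming client's S256 challenge could never match.
        final byte[] digest;
        try {
            digest = java.security.MessageDigest.getInstance("SHA-256")
                .digest(codeVerifier.getBytes(StandardCharsets.UTF_8));
        } catch (final java.security.NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm for every Java platform.
            throw new IllegalStateException("SHA-256 is not available", e);
        }
        // Padding must be stripped: the client sends an unpadded base64url challenge.
        return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
    throw new CredentialsException("Code verification method is unrecognized: " + method);
}
}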
throw new CredentialsException("No X509 certificate"); throw new CredentialsException("No X509 principal"); throw new CredentialsException("No X509 subjectDN"); throw new CredentialsException("No matching for pattern: " + regexpPattern + " in subjectDN: " + subjectDN); throw new CredentialsException("Too many matchings for pattern: " + regexpPattern + " in subjectDN: " + subjectDN);
/**
 * Accepts digest credentials for any non-blank username and builds a profile keyed on that
 * username. Only the presence of the username and token is checked here; the token value itself
 * is not verified by this method.
 *
 * @param credentials the credentials, expected to be {@link DigestCredentials}
 * @param context     the web context (not used)
 * @throws CredentialsException if the credentials are null, of another type, or lack a username or token
 */
@Override
public void validate(final TokenCredentials credentials, final WebContext context) {
    if (credentials == null) {
        throw new CredentialsException("No credential");
    }
    if (!(credentials instanceof DigestCredentials)) {
        throw new CredentialsException ("Unsupported credentials type " + credentials.getClass());
    }
    final DigestCredentials digest = (DigestCredentials) credentials;
    final String user = digest.getUsername();
    if (CommonHelper.isBlank(user)) {
        throw new CredentialsException("Username cannot be blank");
    }
    if (CommonHelper.isBlank(credentials.getToken())) {
        throw new CredentialsException("Token cannot be blank");
    }
    // The profile identifier is the username taken from the digest header.
    final CommonProfile userProfile = new CommonProfile();
    userProfile.setId(user);
    credentials.setUserProfile(userProfile);
}
}
/**
 * Accepts a username/password pair only when the password equals the username, then attaches
 * a profile whose id and username attribute are that username. The equality rule is the whole
 * check, so this is only appropriate for testing or demonstration.
 *
 * @param credentials the username/password credentials
 * @param context     the web context (not used)
 * @throws CredentialsException if credentials are null, either field is blank, or the two differ
 */
@Override
public void validate(final UsernamePasswordCredentials credentials, final WebContext context) {
    if (credentials == null) {
        throw new CredentialsException("No credential");
    }
    final String user = credentials.getUsername();
    final String secret = credentials.getPassword();
    if (CommonHelper.isBlank(user)) {
        throw new CredentialsException("Username cannot be blank");
    }
    if (CommonHelper.isBlank(secret)) {
        throw new CredentialsException("Password cannot be blank");
    }
    if (CommonHelper.areNotEquals(user, secret)) {
        throw new CredentialsException("Username : '" + user + "' does not match password");
    }
    final CommonProfile userProfile = new CommonProfile();
    userProfile.setId(user);
    userProfile.addAttribute(Pac4jConstants.USERNAME, user);
    credentials.setUserProfile(userProfile);
}
}
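/**
 * Verifies the PKCE code verifier carried in the password field against the code challenge
 * stored on the authorization code named by the {@code code} request parameter.
 *
 * @param credentials       the client credentials; the password field holds the code verifier
 * @param registeredService the registered OAuth service (not used here)
 * @param context           the web context supplying the {@code code} parameter
 * @throws CredentialsException if the code is unknown or expired, the verifier is missing,
 *                              or the derived challenge does not equal the stored one
 */
@Override
protected void validateCredentials(final UsernamePasswordCredentials credentials,
                                   final OAuthRegisteredService registeredService,
                                   final WebContext context) {
    val codeVerifier = credentials.getPassword();
    val code = context.getRequestParameter(OAuth20Constants.CODE);
    val token = this.ticketRegistry.getTicket(code, OAuthCode.class);
    if (token == null || token.isExpired()) {
        LOGGER.error("Provided code [{}] is either not found in the ticket registry or has expired", code);
        throw new CredentialsException("Invalid token: " + code);
    }
    // Reject a missing verifier explicitly instead of letting the hash/compare below throw
    // a NullPointerException.
    if (StringUtils.isBlank(codeVerifier)) {
        LOGGER.error("No code verifier was provided for code [{}]", token.getId());
        throw new CredentialsException("Code verifier is missing for: " + token.getId());
    }
    val method = StringUtils.defaultString(token.getCodeChallengeMethod(), "plain");
    val hash = calculateCodeVerifierHash(method, codeVerifier);
    val challenge = token.getCodeChallenge();
    // RFC 7636 section 4.6 is an exact comparison; base64url is case-sensitive, so a
    // case-insensitive match accepts strings the client never produced. The constant-time
    // compare avoids leaking how much of the challenge a guessed verifier matched.
    val matches = challenge != null
        && java.security.MessageDigest.isEqual(
            hash.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            challenge.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (!matches) {
        LOGGER.error("Code verifier [{}] does not match the challenge [{}]", hash, challenge);
        throw new CredentialsException("Code verification does not match the challenge assigned to: " + token.getId());
    }
    LOGGER.debug("Validated code verifier using verification method [{}]", method);
}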
/**
 * Treats any non-blank token as an authenticated user whose profile id is the token string.
 * No verification of the token takes place in this method.
 *
 * @param credentials the token credentials
 * @param context     the web context (not used)
 * @throws CredentialsException if the credentials are null or the token is blank
 */
@Override
public void validate(final TokenCredentials credentials, final WebContext context) {
    if (credentials == null) {
        throw new CredentialsException("credentials must not be null");
    }
    final String rawToken = credentials.getToken();
    if (CommonHelper.isBlank(rawToken)) {
        throw new CredentialsException("token must not be blank");
    }
    // The token string doubles as the profile identifier.
    final CommonProfile userProfile = new CommonProfile();
    userProfile.setId(rawToken);
    credentials.setUserProfile(userProfile);
}
}
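/**
 * Authorizes an IP address (carried as the credentials' token) against the configured
 * regular expression and, on success, attaches a profile whose id is that address.
 * <p>
 * The address is whatever the caller put into the token; if it originated from a proxy
 * header such as {@code X-Forwarded-For}, it is client-controlled unless the proxy chain is
 * trusted — NOTE(review): confirm at the call site.
 *
 * @param credentials token credentials whose token is the IP address to check
 * @param context     the web context (not used)
 * @throws CredentialsException if no address was supplied or it does not fully match the pattern
 */
@Override
public void validate(final TokenCredentials credentials, final WebContext context) {
    init();
    final String ip = credentials == null ? null : credentials.getToken();
    // A missing address is a rejection, not a NullPointerException out of the matcher.
    // matches() requires the whole string to match, so partial matches are not accepted.
    if (ip == null || !this.pattern.matcher(ip).matches()) {
        throw new CredentialsException("Unauthorized IP address: " + ip);
    }
    final IpProfile profile = getProfileDefinition().newProfile();
    profile.setId(ip);
    logger.debug("profile: {}", profile);
    credentials.setUserProfile(profile);
}
}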
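/**
 * Validate credentials by checking the submitted client secret (the password field) against
 * the registered service.
 *
 * @param credentials       the credentials; username is the client id, password the client secret
 * @param registeredService the registered service the secret is checked against
 * @param context           the context (not used)
 * @throws CredentialsException if the secret does not match
 */
protected void validateCredentials(final UsernamePasswordCredentials credentials,
                                   final OAuthRegisteredService registeredService,
                                   final WebContext context) {
    if (!OAuth20Utils.checkClientSecret(registeredService, credentials.getPassword())) {
        // Report the client identifier, not the submitted secret: this message reaches logs
        // and error responses. (The previous text printed the password here.)
        throw new CredentialsException("Bad secret for client identifier: " + credentials.getUsername());
    }
}
}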
throw new CredentialsException("Bad format of the digest auth header");
logger.debug("JWT is not signed and no signature configurations -> verified"); } else { throw new CredentialsException("A non-signed JWT cannot be accepted as signature configurations have been defined"); throw new CredentialsException("No encryption algorithm found for JWT: " + token); throw new CredentialsException("No signature algorithm found for JWT: " + token); throw new CredentialsException("JWT verification failed: " + token); throw new CredentialsException("Cannot decrypt / verify JWT", e);
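/**
 * Authenticates a requesting-party access token: it must exist in the ticket registry, be
 * unexpired and carry the required scope. On success the profile is built from the token's
 * authentication and principal.
 *
 * @param credentials token credentials holding the access token id
 * @param webContext  the web context (not used)
 * @throws CredentialsException if the token is missing, unknown, expired or lacks the scope
 */
@Override
public void validate(final TokenCredentials credentials, final WebContext webContext) {
    val rawToken = credentials.getToken();
    // A missing token is a rejection rather than a NullPointerException from trim().
    if (rawToken == null || rawToken.trim().isEmpty()) {
        throw new CredentialsException("No access token was provided. Unable to authenticate requesting party");
    }
    val token = rawToken.trim();
    val at = this.ticketRegistry.getTicket(token, AccessToken.class);
    // The token is a bearer credential; keep it out of exception messages, which end up in
    // logs and error responses.
    if (at == null || at.isExpired()) {
        throw new CredentialsException("Access token is not found or has expired. Unable to authenticate requesting party access token");
    }
    val requiredScope = getRequiredScope();
    if (!at.getScopes().contains(requiredScope)) {
        // Report the scope that was actually checked.
        val err = String.format("Missing scope [%s]. Unable to authenticate requesting party access token", requiredScope);
        throw new CredentialsException(err);
    }
    val profile = new CommonProfile();
    val authentication = at.getAuthentication();
    val principal = authentication.getPrincipal();
    profile.setId(principal.getId());
    // Principal attributes are merged after authentication attributes, so they win on a name clash.
    val attributes = new LinkedHashMap<String, Object>(authentication.getAttributes());
    attributes.putAll(principal.getAttributes());
    profile.addAttributes(attributes);
    profile.addPermissions(at.getScopes());
    profile.addAttribute(AccessToken.class.getName(), at);
    LOGGER.debug("Authenticated access token [{}]", profile);
    credentials.setUserProfile(profile);
}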
val clientIdAndSecret = getClientIdAndClientSecret(context); if (clientIdAndSecret == null || StringUtils.isBlank(clientIdAndSecret.getKey())) { throw new CredentialsException("No client credentials could be identified in this request"); throw new CredentialsException("Bad secret for client identifier: " + clientId); throw new CredentialsException("Could not authenticate the provided credentials"); credentials.setUserProfile(profile); } catch (final Exception e) { throw new CredentialsException("Cannot login user using CAS internal authentication", e);
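/**
 * Authenticates an OAuth client: resolves the registered service by client id (the username),
 * enforces the service access strategy, delegates the secret check to
 * {@link #validateCredentials} and attaches a profile whose id is the client id.
 *
 * @param credentials the client credentials; username is the client id
 * @param context     the web context, passed on to the credential check
 * @throws CredentialsException if no registered service matches the client id, access is
 *                              denied, or the subclass check rejects the credentials
 */
@Override
public void validate(final UsernamePasswordCredentials credentials, final WebContext context) throws CredentialsException {
    val id = credentials.getUsername();
    // Log only the client id: the password field carries the client secret, and whether the
    // credentials' toString() redacts it is not something to rely on.
    LOGGER.debug("Authenticating client [{}]", id);
    val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, id);
    if (registeredService == null) {
        throw new CredentialsException("Unable to locate registered service for " + id);
    }
    val service = this.webApplicationServiceServiceFactory.createService(registeredService.getServiceId());
    val audit = AuditableContext.builder()
        .service(service)
        .registeredService(registeredService)
        .build();
    // Access policy is enforced before the secret is checked, so a disabled service is
    // rejected regardless of the credentials presented.
    val accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
    accessResult.throwExceptionIfNeeded();
    // Hook for subclasses (client secret, PKCE verifier, ...).
    validateCredentials(credentials, registeredService, context);
    val profile = new CommonProfile();
    profile.setId(id);
    credentials.setUserProfile(profile);
    LOGGER.debug("Authenticated user profile [{}]", profile);
}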