org.xdi.oxauth.auth.AuthenticationFilter の継承関係図

org.xdi.oxauth.auth.AuthenticationFilter 連携図

公開メンバ関数
void	init (FilterConfig filterConfig) throws ServletException

void	doFilter (ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException

String	getRealm ()

void	setRealm (String realm)

void	destroy ()

静的公開変数類
static final String	ACCESS_TOKEN_PREFIX = "AccessToken "

static final String	REALM = "oxAuth"

非公開メンバ関数
void	processAuthByAccessToken (HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain filterChain)

void	processSessionAuth (ErrorResponseFactory errorResponseFactory, String p_sessionId, HttpServletRequest p_httpRequest, HttpServletResponse p_httpResponse, FilterChain p_filterChain) throws IOException, ServletException

void	processBasicAuth (ClientService clientService, ErrorResponseFactory errorResponseFactory, HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain)

void	processBearerAuth (HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain)

void	processPostAuth (ClientService clientService, ClientFilterService clientFilterService, ErrorResponseFactory errorResponseFactory, HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain, boolean tokenEndpoint)

void	processJwtAuth (HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain)

void	sendError (HttpServletResponse servletResponse)

非公開変数類
Logger	log

Authenticator	authenticator

SessionIdService	sessionIdService

ClientService	clientService

ClientFilterService	clientFilterService

ErrorResponseFactory	errorResponseFactory

AppConfiguration	appConfiguration

Identity	identity

AuthorizationGrantList	authorizationGrantList

String	realm

詳解

著者: Javier Rojas Blum

バージョン: August 23, 2018

関数詳解

◆ destroy()

void org.xdi.oxauth.auth.AuthenticationFilter.destroy ( )

inline

434 {

435 }

◆ doFilter()

void org.xdi.oxauth.auth.AuthenticationFilter.doFilter	(	ServletRequest	servletRequest,
		ServletResponse	servletResponse,
		final FilterChain	filterChain
	)		throws IOException, ServletException

inline

                                                  {
         final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
         final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
 
         try {
             final String requestUrl = httpRequest.getRequestURL().toString();
             log.trace("Get request to: '{}'", requestUrl);
 
             boolean tokenEndpoint = ServerUtil.isSameRequestPath(requestUrl, appConfiguration.getTokenEndpoint());
             boolean umaTokenEndpoint = requestUrl.endsWith("/uma/token");
             String authorizationHeader = httpRequest.getHeader("Authorization");
 
             if (tokenEndpoint || umaTokenEndpoint) {
                 log.debug("Starting token endpoint authentication");
 
                 // #686 : allow authenticated client via user access_token
                 if (StringUtils.isNotBlank(authorizationHeader) && authorizationHeader.startsWith(ACCESS_TOKEN_PREFIX)) {
                     processAuthByAccessToken(httpRequest, httpResponse, filterChain);
                     return;
                 }
 
                 if (httpRequest.getParameter("client_assertion") != null
                         && httpRequest.getParameter("client_assertion_type") != null) {
                     log.debug("Starting JWT token endpoint authentication");
                     processJwtAuth(httpRequest, httpResponse, filterChain);
                 } else if (authorizationHeader != null && authorizationHeader.startsWith("Basic ")) {
                     log.debug("Starting Basic Auth token endpoint authentication");
                     processBasicAuth(clientService, errorResponseFactory, httpRequest, httpResponse, filterChain);
                 } else {
                     log.debug("Starting POST Auth token endpoint authentication");
                     processPostAuth(clientService, clientFilterService, errorResponseFactory, httpRequest, httpResponse,
                             filterChain, tokenEndpoint);
                 }
             } else if (authorizationHeader != null) {
                 if (authorizationHeader.startsWith("Bearer ")) {
                     processBearerAuth(httpRequest, httpResponse, filterChain);
                 } else if (authorizationHeader.startsWith("Basic ")) {
                     processBasicAuth(clientService, errorResponseFactory, httpRequest, httpResponse, filterChain);
                 } else {
                     httpResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealm() + "\"");
 
                     httpResponse.sendError(401, "Not authorized");
                 }
             } else {
                 String sessionId = httpRequest.getParameter(AuthorizeRequestParam.SESSION_ID);
                 List<Prompt> prompts = Prompt.fromString(httpRequest.getParameter(AuthorizeRequestParam.PROMPT), " ");
 
                 if (StringUtils.isBlank(sessionId)) {
                     // OXAUTH-297 : check whether session_id is present in cookie
                     sessionId = sessionIdService.getSessionIdFromCookie(httpRequest);
                 }
 
                 SessionId sessionIdObject = null;
                 if (StringUtils.isNotBlank(sessionId)) {
                     sessionIdObject = sessionIdService.getSessionId(sessionId);
                 }
                 if (sessionIdObject != null && SessionIdState.AUTHENTICATED == sessionIdObject.getState()
                         && !prompts.contains(Prompt.LOGIN)) {
                     processSessionAuth(errorResponseFactory, sessionId, httpRequest, httpResponse, filterChain);
                 } else {
                     filterChain.doFilter(httpRequest, httpResponse);
                 }
             }
         } catch (IOException ex) {
             log.error(ex.getMessage(), ex);
         } catch (Exception ex) {
             log.error(ex.getMessage(), ex);
         }
     }

◆ getRealm()

String org.xdi.oxauth.auth.AuthenticationFilter.getRealm ( )

inline

                              {
         if (realm != null) {
             return realm;
         } else {
             return REALM;
         }
     }

◆ init()

void org.xdi.oxauth.auth.AuthenticationFilter.init ( FilterConfig filterConfig ) throws ServletException

inline

80 {

81 }

◆ processAuthByAccessToken()

void org.xdi.oxauth.auth.AuthenticationFilter.processAuthByAccessToken	(	HttpServletRequest	httpRequest,
		HttpServletResponse	httpResponse,
		FilterChain	filterChain
	)

inlineprivate

                                                                                                                                      {
         try {
             String accessToken = httpRequest.getHeader("Authorization").substring(ACCESS_TOKEN_PREFIX.length());
             if (StringUtils.isNotBlank(accessToken)) {
                 AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
                 if (grant != null && grant.getAccessToken(accessToken).isValid()) {
                     Client client = grant.getClient();
 
                     authenticator.configureSessionClient(client);
 
                     filterChain.doFilter(httpRequest, httpResponse);
                     return;
                 }
             }
         } catch (Exception ex) {
             log.error("Failed to authenticate client by access_token", ex);
         }
 
         sendError(httpResponse);
     }

◆ processBasicAuth()

void org.xdi.oxauth.auth.AuthenticationFilter.processBasicAuth	(	ClientService	clientService,
		ErrorResponseFactory	errorResponseFactory,
		HttpServletRequest	servletRequest,
		HttpServletResponse	servletResponse,
		FilterChain	filterChain
	)

inlineprivate

                                                                                                                                    {
         boolean requireAuth = true;
 
         try {
             String header = servletRequest.getHeader("Authorization");
             if (header != null && header.startsWith("Basic ")) {
                 String base64Token = header.substring(6);
                 String token = new String(Base64.decodeBase64(base64Token), Util.UTF8_STRING_ENCODING);
 
                 String username = "";
                 String password = "";
                 int delim = token.indexOf(":");
 
                 if (delim != -1) {
                     // oxAuth #677 URL decode the username and password
                     username = URLDecoder.decode(token.substring(0, delim), Util.UTF8_STRING_ENCODING);
                     password = URLDecoder.decode(token.substring(delim + 1), Util.UTF8_STRING_ENCODING);
                 }
 
                 requireAuth = !StringHelper.equals(username, identity.getCredentials().getUsername())
                         || !identity.isLoggedIn();
 
                 // Only authenticate if username doesn't match Identity.username
                 // and user isn't authenticated
                 if (requireAuth) {
                     if (!username.equals(identity.getCredentials().getUsername()) || !identity.isLoggedIn()) {
                         if (servletRequest.getRequestURI().endsWith("/token")) {
                             Client client = clientService.getClient(username);
                             if (client == null
                                     || AuthenticationMethod.CLIENT_SECRET_BASIC != client.getAuthenticationMethod()) {
                                 throw new Exception("The Token Authentication Method is not valid.");
                             }
                         }
 
                         identity.getCredentials().setUsername(username);
                         identity.getCredentials().setPassword(password);
 
                         requireAuth = !authenticator.authenticateWebService(servletRequest);
                     }
                 }
             }
 
             if (!requireAuth) {
                 filterChain.doFilter(servletRequest, servletResponse);
                 return;
             }
         } catch (UnsupportedEncodingException ex) {
             log.info("Basic authentication failed", ex);
         } catch (ServletException ex) {
             log.info("Basic authentication failed", ex);
         } catch (IOException ex) {
             log.info("Basic authentication failed", ex);
         } catch (Exception ex) {
             log.info("Basic authentication failed", ex);
         }
 
         if (requireAuth && !identity.isLoggedIn()) {
             sendError(servletResponse);
         }
     }

◆ processBearerAuth()

void org.xdi.oxauth.auth.AuthenticationFilter.processBearerAuth	(	HttpServletRequest	servletRequest,
		HttpServletResponse	servletResponse,
		FilterChain	filterChain
	)

inlineprivate

                                                             {
         try {
             String header = servletRequest.getHeader("Authorization");
             if (header != null && header.startsWith("Bearer ")) {
                 // Immutable object
                 // servletRequest.getParameterMap().put("access_token", new
                 // String[]{accessToken});
                 filterChain.doFilter(servletRequest, servletResponse);
             }
         } catch (ServletException ex) {
             log.info("Bearer authorization failed: {}", ex);
         } catch (IOException ex) {
             log.info("Bearer authorization failed: {}", ex);
         } catch (Exception ex) {
             log.info("Bearer authorization failed: {}", ex);
         }
     }

◆ processJwtAuth()

void org.xdi.oxauth.auth.AuthenticationFilter.processJwtAuth	(	HttpServletRequest	servletRequest,
		HttpServletResponse	servletResponse,
		FilterChain	filterChain
	)

inlineprivate

                                                          {
         boolean authorized = false;
 
         try {
             if (servletRequest.getParameter("client_assertion") != null
                     && servletRequest.getParameter("client_assertion_type") != null) {
                 String clientId = servletRequest.getParameter("client_id");
                 ClientAssertionType clientAssertionType = ClientAssertionType
                         .fromString(servletRequest.getParameter("client_assertion_type"));
                 String encodedAssertion = servletRequest.getParameter("client_assertion");
 
                 if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
                     ClientAssertion clientAssertion = new ClientAssertion(appConfiguration, clientId,
                             clientAssertionType, encodedAssertion);
 
                     String username = clientAssertion.getSubjectIdentifier();
                     String password = clientAssertion.getClientSecret();
 
                     // Only authenticate if username doesn't match
                     // Identity.username and user isn't authenticated
                     if (!username.equals(identity.getCredentials().getUsername()) || !identity.isLoggedIn()) {
                         identity.getCredentials().setUsername(username);
                         identity.getCredentials().setPassword(password);
 
                         authenticator.authenticateWebService(servletRequest, true);
                         authorized = true;
                     }
                 }
             }
 
             filterChain.doFilter(servletRequest, servletResponse);
         } catch (ServletException ex) {
             log.info("JWT authentication failed: {}", ex);
         } catch (IOException ex) {
             log.info("JWT authentication failed: {}", ex);
         } catch (InvalidJwtException ex) {
             log.info("JWT authentication failed: {}", ex);
         }
 
         if (!authorized) {
             sendError(servletResponse);
         }
     }

◆ processPostAuth()

void org.xdi.oxauth.auth.AuthenticationFilter.processPostAuth	(	ClientService	clientService,
		ClientFilterService	clientFilterService,
		ErrorResponseFactory	errorResponseFactory,
		HttpServletRequest	servletRequest,
		HttpServletResponse	servletResponse,
		FilterChain	filterChain,
		boolean	tokenEndpoint
	)

inlineprivate

                                                                                                                       {
         try {
             String clientId = "";
             String clientSecret = "";
             boolean isExistUserPassword = false;
             if (StringHelper.isNotEmpty(servletRequest.getParameter("client_id"))
                     && StringHelper.isNotEmpty(servletRequest.getParameter("client_secret"))) {
                 clientId = servletRequest.getParameter("client_id");
                 clientSecret = servletRequest.getParameter("client_secret");
                 isExistUserPassword = true;
             }
             log.trace("isExistUserPassword: {}", isExistUserPassword);
 
             boolean requireAuth = !StringHelper.equals(clientId, identity.getCredentials().getUsername())
                     || !identity.isLoggedIn();
             log.debug("requireAuth: '{}'", requireAuth);
 
             if (requireAuth) {
                 if (isExistUserPassword) {
                     Client client = clientService.getClient(clientId);
                     if (client != null && AuthenticationMethod.CLIENT_SECRET_POST == client.getAuthenticationMethod()) {
                         // Only authenticate if username doesn't match
                         // Identity.username and user isn't authenticated
                         if (!clientId.equals(identity.getCredentials().getUsername()) || !identity.isLoggedIn()) {
                             identity.logout();
 
                             identity.getCredentials().setUsername(clientId);
                             identity.getCredentials().setPassword(clientSecret);
 
                             requireAuth = !authenticator.authenticateWebService(servletRequest);
                         } else {
                             authenticator.configureSessionClient(client);
                         }
                     }
                 } else if (Boolean.TRUE.equals(appConfiguration.getClientAuthenticationFiltersEnabled())) {
                     String clientDn = clientFilterService
                             .processAuthenticationFilters(servletRequest.getParameterMap());
                     if (clientDn != null) {
                         Client client = clientService.getClientByDn(clientDn);
 
                         identity.logout();
 
                         identity.getCredentials().setUsername(client.getClientId());
                         identity.getCredentials().setPassword(null);
 
                         requireAuth = !authenticator.authenticateWebService(servletRequest, true);
                     }
                 } else if (tokenEndpoint) {
                     Client client = clientService.getClient(servletRequest.getParameter("client_id"));
                     if (client != null && client.getAuthenticationMethod() == AuthenticationMethod.NONE) {
                         identity.logout();
 
                         identity.getCredentials().setUsername(client.getClientId());
                         identity.getCredentials().setPassword(null);
 
                         requireAuth = !authenticator.authenticateWebService(servletRequest, true);
                     }
                 }
             }
 
             if (!requireAuth) {
                 filterChain.doFilter(servletRequest, servletResponse);
                 return;
             }
 
             if (requireAuth && !identity.isLoggedIn()) {
                 sendError(servletResponse);
             }
         } catch (ServletException ex) {
             log.error("Post authentication failed: {}", ex);
         } catch (IOException ex) {
             log.error("Post authentication failed: {}", ex);
         } catch (Exception ex) {
             log.error("Post authentication failed: {}", ex);
         }
     }

◆ processSessionAuth()

void org.xdi.oxauth.auth.AuthenticationFilter.processSessionAuth	(	ErrorResponseFactory	errorResponseFactory,
		String	p_sessionId,
		HttpServletRequest	p_httpRequest,
		HttpServletResponse	p_httpResponse,
		FilterChain	p_filterChain
	)		throws IOException, ServletException

inlineprivate

                                                  {
         boolean requireAuth;
 
         requireAuth = !authenticator.authenticateBySessionId(p_sessionId);
         log.trace("Process Session Auth, sessionId = {}, requireAuth = {}", p_sessionId, requireAuth);
 
         if (!requireAuth) {
             try {
                 p_filterChain.doFilter(p_httpRequest, p_httpResponse);
             } catch (Exception ex) {
                 log.error("Failed to process session authentication", ex);
                 requireAuth = true;
             }
         }
 
         if (requireAuth) {
             sendError(p_httpResponse);
         }
     }

◆ sendError()

void org.xdi.oxauth.auth.AuthenticationFilter.sendError ( HttpServletResponse servletResponse )

inlineprivate

                                                                 {
         PrintWriter out = null;
         try {
             out = servletResponse.getWriter();
 
             servletResponse.setStatus(401);
             servletResponse.addHeader("WWW-Authenticate", "Basic realm=\"" + getRealm() + "\"");
             servletResponse.setContentType("application/json;charset=UTF-8");
             out.write(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT));
         } catch (IOException ex) {
             log.error(ex.getMessage(), ex);
         } finally {
             if (out != null) {
                 out.close();
             }
         }
     }

◆ setRealm()

void org.xdi.oxauth.auth.AuthenticationFilter.setRealm ( String realm )

inline

                                        {
         this.realm = realm;
     }

メンバ詳解

◆ ACCESS_TOKEN_PREFIX

final String org.xdi.oxauth.auth.AuthenticationFilter.ACCESS_TOKEN_PREFIX = "AccessToken "

static

◆ appConfiguration

AppConfiguration org.xdi.oxauth.auth.AuthenticationFilter.appConfiguration

private

◆ authenticator

Authenticator org.xdi.oxauth.auth.AuthenticationFilter.authenticator

private

◆ authorizationGrantList

AuthorizationGrantList org.xdi.oxauth.auth.AuthenticationFilter.authorizationGrantList

private

◆ clientFilterService

ClientFilterService org.xdi.oxauth.auth.AuthenticationFilter.clientFilterService

private

◆ clientService

ClientService org.xdi.oxauth.auth.AuthenticationFilter.clientService

private

◆ errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.auth.AuthenticationFilter.errorResponseFactory

private

◆ identity

Identity org.xdi.oxauth.auth.AuthenticationFilter.identity

private

◆ log

Logger org.xdi.oxauth.auth.AuthenticationFilter.log

private

◆ realm

String org.xdi.oxauth.auth.AuthenticationFilter.realm

private

◆ REALM

final String org.xdi.oxauth.auth.AuthenticationFilter.REALM = "oxAuth"

static

◆ sessionIdService

SessionIdService org.xdi.oxauth.auth.AuthenticationFilter.sessionIdService

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/auth/AuthenticationFilter.java

公開メンバ関数

静的公開変数類

非公開メンバ関数

非公開変数類

詳解

関数詳解

◆ destroy()

◆ doFilter()

◆ getRealm()

◆ init()

◆ processAuthByAccessToken()

◆ processBasicAuth()

◆ processBearerAuth()

◆ processJwtAuth()

◆ processPostAuth()

◆ processSessionAuth()

◆ sendError()

◆ setRealm()

メンバ詳解

◆ ACCESS_TOKEN_PREFIX

◆ appConfiguration

◆ authenticator

◆ authorizationGrantList

◆ clientFilterService

◆ clientService

◆ errorResponseFactory

◆ identity

◆ log

◆ realm

◆ REALM

◆ sessionIdService