gluu
org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS Class Reference
Collaboration diagram for org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS (image not reproduced)

Public Member Functions

Response startAuthentication (@QueryParam("username") String userName, @QueryParam("keyhandle") String keyHandle, @QueryParam("application") String appId, @QueryParam("session_id") String sessionId)
 
Response finishAuthentication (@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString)
 

Private Attributes

Logger log
 
AppConfiguration appConfiguration
 
ErrorResponseFactory errorResponseFactory
 
UserService userService
 
AuthenticationService u2fAuthenticationService
 
DeviceRegistrationService deviceRegistrationService
 
UserSessionIdService userSessionIdService
 
ValidationService u2fValidationService
 

Detailed Description

This endpoint starts and finishes the U2F authentication process. startAuthentication resolves the user (by username in the two-step flow, or by key handle in the one-step flow), builds a challenge for the user's registered devices and stores it under a request id; finishAuthentication looks that stored request up by id, removes it so it can only be consumed once, verifies the device response and, when a session id was supplied, updates the oxAuth session.

Author
Yuriy Movchan
Version
August 9, 2017

Member Function Documentation

◆ finishAuthentication()

Response org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.finishAuthentication ( @FormParam("username") String  userName,
@FormParam("tokenResponse") String  authenticateResponseString 
)
inline
{
    String sessionId = null;
    try {
        // [This line is absent from the extracted listing; restored from getDisableU2fEndpoint() in the reference list]
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }

        log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);

        AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);

        // Look up the stored request by id; an unknown (or already consumed) id is reported as SESSION_EXPIRED
        String requestId = authenticateResponse.getRequestId();
        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
        if (authenticateRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                    .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        sessionId = authenticateRequestMessageLdap.getSessionId();
        // The stored request is removed before the response is verified, so the same challenge cannot be finished twice
        u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);

        AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();

        String foundUserInum = authenticateRequestMessageLdap.getUserInum();
        DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);

        // If sessionId is not empty, update the session
        if (StringHelper.isNotEmpty(sessionId)) {
            log.debug("There is session id. Setting session id attributes");

            boolean oneStep = StringHelper.isEmpty(userName);
            userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, false, oneStep);
        }

        AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);

        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticationStatus);

        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }

        try {
            // If sessionId is not empty, mark the session as declined
            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id status to 'declined'");
                // [This line is absent from the extracted listing; restored from updateUserSessionIdOnError(String sessionId) in the reference list]
                userSessionIdService.updateUserSessionIdOnError(sessionId);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session id status", ex2);
        }

        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                    .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }

        if (ex instanceof DeviceCompromisedException) {
            // A device whose signature counter did not advance is disabled so it can no longer authenticate
            DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
            try {
                // [This line is absent from the extracted listing; restored from disableUserDeviceRegistration(DeviceRegistration) in the reference list]
                deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
            } catch (Exception ex2) {
                log.error("Failed to mark device '{}' as compromised", ex2, deviceRegistration.getId());
            }
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                    .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
        }

        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
References:
    ErrorResponseFactory errorResponseFactory  [U2fAuthenticationWS.java:66]
    Boolean getDisableU2fEndpoint()  [AppConfiguration.java:1401]
    DeviceRegistrationService deviceRegistrationService  [U2fAuthenticationWS.java:75]
    void disableUserDeviceRegistration(DeviceRegistration deviceRegistration)  [DeviceRegistrationService.java:149]
    void updateUserSessionIdOnError(String sessionId)  [UserSessionIdService.java:59]
    DefaultErrorResponse getErrorResponse(IErrorType type, String p_state)  [ErrorResponseFactory.java:130]
    AuthenticationService u2fAuthenticationService  [U2fAuthenticationWS.java:72]
    void removeAuthenticationRequestMessage(AuthenticateRequestMessageLdap authenticateRequestMessageLdap)  [AuthenticationService.java:223]
    String getJsonErrorResponse(IErrorType type)  [ErrorResponseFactory.java:210]
    AuthenticateRequestMessageLdap getAuthenticationRequestMessageByRequestId(String requestId)  [AuthenticationService.java:210]
    UserSessionIdService userSessionIdService  [U2fAuthenticationWS.java:78]
    AppConfiguration appConfiguration  [U2fAuthenticationWS.java:63]
    void updateUserSessionIdOnFinishRequest(String sessionId, String userInum, DeviceRegistrationResult deviceRegistrationResult, boolean enroll, boolean oneStep)  [UserSessionIdService.java:39]
    Logger log  [U2fAuthenticationWS.java:60]
    String getSessionId()  [RequestMessageLdap.java:75]
    DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum)  [AuthenticationService.java:124]

◆ startAuthentication()

Response org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.startAuthentication ( @QueryParam("username") String  userName,
@QueryParam("keyhandle") String  keyHandle,
@QueryParam("application") String  appId,
@QueryParam("session_id") String  sessionId 
)
inline
{
    // The username parameter is deprecated. It is used only to tell the one-step workflow from the two-step workflow
    try {
        // [This line is absent from the extracted listing; restored from getDisableU2fEndpoint() in the reference list]
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }

        log.debug("Starting authentication with username '{}', keyhandle '{}' for appId '{}' and session_id '{}'", userName, keyHandle, appId, sessionId);

        if (StringHelper.isEmpty(userName) && StringHelper.isEmpty(keyHandle)) {
            throw new BadInputException("The request should contain either username or keyhandle");
        }

        String foundUserInum = null;

        boolean twoStep = StringHelper.isNotEmpty(userName);
        if (twoStep) {
            // Two-step: the caller must already hold a session id that is valid for this username
            boolean valid = u2fValidationService.isValidSessionId(userName, sessionId);
            if (!valid) {
                throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
            }

            foundUserInum = userService.getUserInum(userName);
        } else {
            // Convert to non-padded URL-safe base64 so that padded and unpadded forms of the same key handle match
            String keyHandleWithoutPadding = Base64Util.base64urlencode(Base64Util.base64urldecode(keyHandle));

            // One-step: an empty username and a non-empty keyhandle are expected; the user is resolved from the key handle
            foundUserInum = u2fAuthenticationService.getUserInumByKeyHandle(appId, keyHandleWithoutPadding);
        }

        if (StringHelper.isEmpty(foundUserInum)) {
            throw new BadInputException(String.format("Failed to find user by userName '%s' or keyHandle '%s' in LDAP", userName, keyHandle));
        }

        // Build the challenge for the user's registered devices and store it under its request id together with the session id
        AuthenticateRequestMessage authenticateRequestMessage = u2fAuthenticationService.buildAuthenticateRequestMessage(appId, foundUserInum);
        u2fAuthenticationService.storeAuthenticationRequestMessage(authenticateRequestMessage, foundUserInum, sessionId);

        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticateRequestMessage);

        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }

        if ((ex instanceof NoEligableDevicesException) || (ex instanceof InvalidKeyHandleDeviceException)) {
            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND)
                    .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.NO_ELIGABLE_DEVICES)).build());
        }

        // Note: unlike finishAuthentication, there is no BadInputException branch here, so a malformed
        // start request is answered with SERVER_ERROR
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
References:
    ErrorResponseFactory errorResponseFactory  [U2fAuthenticationWS.java:66]
    Boolean getDisableU2fEndpoint()  [AppConfiguration.java:1401]
    void storeAuthenticationRequestMessage(AuthenticateRequestMessage requestMessage, String userInum, String sessionId)  [AuthenticationService.java:189]
    UserService userService  [U2fAuthenticationWS.java:69]
    DefaultErrorResponse getErrorResponse(IErrorType type, String p_state)  [ErrorResponseFactory.java:130]
    String getUserInumByKeyHandle(String appId, String keyHandle)  [AuthenticationService.java:227]
    AuthenticationService u2fAuthenticationService  [U2fAuthenticationWS.java:72]
    ValidationService u2fValidationService  [U2fAuthenticationWS.java:81]
    String getJsonErrorResponse(IErrorType type)  [ErrorResponseFactory.java:210]
    String getUserInum(User user)  [UserService.java:106]
    AppConfiguration appConfiguration  [U2fAuthenticationWS.java:63]
    AuthenticateRequestMessage buildAuthenticateRequestMessage(String appId, String userInum)  [AuthenticationService.java:80]
    boolean isValidSessionId(String userName, String sessionId)  [ValidationService.java:41]
    Logger log  [U2fAuthenticationWS.java:60]
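The two listings above (startAuthentication and finishAuthentication) show the server-side shape of the U2F flow but not the pieces that make it safe: the stored request is consumed before the response is verified, the one-step lookup normalises the key handle, and a device whose signature counter fails to advance is disabled. The following is an added, stand-alone Python model of both endpoints written for this page; it is not oxAuth code. U2fServer, authenticator_sign, call_endpoint, the in-memory stores and the response field names are hypothetical. The ECDSA P-256 check that AuthenticationService.finishAuthentication performs is not shown on this page, so the model substitutes HMAC-SHA256 with a per-device key (the signed byte layout is the one the U2F raw message format defines) so that it runs offline with the standard library; the "session_id belongs to this username" rule is an assumption about what isValidSessionId enforces.

```python
import base64, hashlib, hmac, json, os, struct

def b64url(raw):  # non-padded base64url, the form startAuthentication normalises key handles to
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s):  # accept padded or unpadded input: re-add padding, then decode
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
class BadInputException(Exception): pass
class NoEligibleDevicesException(Exception): pass
class SessionExpiredException(Exception): pass
class DeviceCompromisedException(Exception): pass

class U2fServer:  # hypothetical in-memory stand-in for AuthenticationService, its request store and the sessions
    def __init__(self):
        self.users = {}     # username -> user inum
        self.sessions = {}  # session_id -> {"username", "status"}
        self.devices = {}   # (app_id, keyhandle) -> {"inum", "key", "counter", "enabled"}
        self.pending = {}   # requestId -> {"challenge", "app_id", "inum", "session_id"}

    def register_device(self, username, inum, app_id, key_handle_raw, device_key):
        self.users[username] = inum
        self.devices[(app_id, b64url(key_handle_raw))] = {"inum": inum, "key": device_key, "counter": 0, "enabled": True}

    def start_authentication(self, username, keyhandle, app_id, session_id):
        if not username and not keyhandle:
            raise BadInputException("The request should contain either username or keyhandle")
        if username:  # two-step: session_id must already be bound to this username (assumed isValidSessionId rule)
            sess = self.sessions.get(session_id)
            if sess is None or sess["username"] != username:
                raise BadInputException("session_id '%s' is invalid" % session_id)
            inum = self.users.get(username)
        else:         # one-step: resolve the user from the padding-normalised key handle
            dev = self.devices.get((app_id, b64url(unb64url(keyhandle))))
            inum = dev["inum"] if dev else None
        if not inum:
            raise BadInputException("Failed to find user by userName or keyHandle")
        keys = [kh for (a, kh), d in self.devices.items() if a == app_id and d["inum"] == inum and d["enabled"]]
        if not keys:
            raise NoEligibleDevicesException(inum)
        request_id, challenge = b64url(os.urandom(16)), b64url(os.urandom(32))
        self.pending[request_id] = {"challenge": challenge, "app_id": app_id, "inum": inum, "session_id": session_id}
        return {"requestId": request_id, "appId": app_id, "challenge": challenge,
                "registeredKeys": [{"version": "U2F_V2", "keyHandle": kh} for kh in keys]}

    def finish_authentication(self, username, token_response):
        resp = json.loads(token_response)
        # Single use: the stored request is removed before validation, so a replayed tokenResponse is SESSION_EXPIRED
        req = self.pending.pop(resp["requestId"], None)
        if req is None:
            raise SessionExpiredException(resp["requestId"])
        sess = self.sessions.get(req["session_id"])
        try:
            result = self._verify(req, resp)
        except Exception:
            if sess: sess["status"] = "declined"  # mirrors updateUserSessionIdOnError
            raise
        if sess: sess.update(status="authenticated", one_step=not username)
        return result

    def _verify(self, req, resp):
        client_data = unb64url(resp["clientData"])
        if json.loads(client_data)["challenge"] != req["challenge"]:
            raise BadInputException("challenge does not match the stored request")
        sig_data = unb64url(resp["signatureData"])
        presence, counter, sig = sig_data[0], struct.unpack(">I", sig_data[1:5])[0], sig_data[5:]
        dev = self.devices.get((req["app_id"], resp["keyHandle"]))
        if dev is None or dev["inum"] != req["inum"] or not dev["enabled"]:
            raise BadInputException("unknown or disabled key handle for this user")
        # U2F signs SHA-256(appId) || userPresence || counter (4 bytes, big-endian) || SHA-256(clientData)
        signed = hashlib.sha256(req["app_id"].encode()).digest() + sig_data[:5] + hashlib.sha256(client_data).digest()
        expected = hmac.new(dev["key"], signed, "sha256").digest()  # stand-in for ECDSA P-256 verification
        if presence != 1 or not hmac.compare_digest(expected, sig):
            raise BadInputException("signature check failed")
        if counter <= dev["counter"]:  # counter must strictly increase; a repeat points to a cloned key
            dev["enabled"] = False     # mirrors disableUserDeviceRegistration
            raise DeviceCompromisedException(resp["keyHandle"])
        dev["counter"] = counter
        return {"status": "success", "requestId": resp["requestId"]}

def authenticator_sign(device_key, msg, key_handle, counter, presence=1):
    """Client/authenticator side: answer a startAuthentication message (stand-in signature)."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": msg["challenge"], "origin": msg["appId"]}).encode()
    header = bytes([presence]) + struct.pack(">I", counter)
    signed = hashlib.sha256(msg["appId"].encode()).digest() + header + hashlib.sha256(client_data).digest()
    sig = hmac.new(device_key, signed, "sha256").digest()
    return json.dumps({"requestId": msg["requestId"], "keyHandle": key_handle,
                       "clientData": b64url(client_data), "signatureData": b64url(header + sig)})

def call_endpoint(server, endpoint, *args):
    """Map exceptions to the (HTTP status, U2fErrorResponseType) pairs the two endpoints return."""
    errors = {NoEligibleDevicesException: (404, "no_eligable_devices"),
              SessionExpiredException: (403, "session_expired"), DeviceCompromisedException: (403, "device_compromised")}
    try:
        return 200, getattr(server, endpoint)(*args)
    except BadInputException:  # only finishAuthentication has this branch; startAuthentication answers 500
        return (403, "invalid_request") if endpoint == "finish_authentication" else (500, "server_error")
    except Exception as ex:
        return errors.get(type(ex), (500, "server_error"))
```

Two behaviours are worth checking against a real deployment. First, because the pending request is popped before `_verify` runs, replaying a captured tokenResponse yields SESSION_EXPIRED rather than a second successful login, and a failed verification still leaves the session marked declined. Second, the counter comparison is what turns a cloned authenticator into a DEVICE_COMPROMISED error and disables the registration, after which startAuthentication reports no eligible devices; a token that only fails the signature check maps to INVALID_REQUEST and leaves the device enabled.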

Member Data Documentation

◆ appConfiguration

AppConfiguration org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.appConfiguration
private

◆ deviceRegistrationService

DeviceRegistrationService org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.deviceRegistrationService
private

◆ errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.errorResponseFactory
private

◆ log

Logger org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.log
private

◆ u2fAuthenticationService

AuthenticationService org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.u2fAuthenticationService
private

◆ u2fValidationService

ValidationService org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.u2fValidationService
private

◆ userService

UserService org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.userService
private

◆ userSessionIdService

UserSessionIdService org.xdi.oxauth.ws.rs.fido.u2f.U2fAuthenticationWS.userSessionIdService
private

The documentation for this class was generated from the following file: