| | |
|---|
| | | import com.gitblit.auth.AuthenticationProvider; |
|---|
| | | import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider; |
|---|
| | | import com.gitblit.auth.HtpasswdAuthProvider; |
|---|
| | | import com.gitblit.auth.HttpHeaderAuthProvider; |
|---|
| | | import com.gitblit.auth.LdapAuthProvider; |
|---|
| | | import com.gitblit.auth.PAMAuthProvider; |
|---|
| | | import com.gitblit.auth.RedmineAuthProvider; |
|---|
| | |
|---|
| | | // map of shortcut provider names |
|---|
| | | providerNames = new HashMap<String, Class<? extends AuthenticationProvider>>(); |
|---|
| | | providerNames.put("htpasswd", HtpasswdAuthProvider.class); |
|---|
| | | providerNames.put("httpheader", HttpHeaderAuthProvider.class); |
|---|
| | | providerNames.put("ldap", LdapAuthProvider.class); |
|---|
| | | providerNames.put("pam", PAMAuthProvider.class); |
|---|
| | | providerNames.put("redmine", RedmineAuthProvider.class); |
|---|
| | |
|---|
| | | } |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Authenticate a user based on HTTP request parameters. |
|---|
| | | * Used to handle authentication for page requests. |
|---|
| | | * |
|---|
| | | * This allows authentication to occur based on the contents of the request |
|---|
| | | * itself. If no configured @{AuthenticationProvider}s authenticate succesffully, |
|---|
| | | * a request for login will be shown. |
|---|
| | | * |
|---|
| | | * Authentication by X509Certificate is tried first and then by cookie. |
|---|
| | | * |
|---|
| | |
|---|
| | | /** |
|---|
| | | * Authenticate a user based on HTTP request parameters. |
|---|
| | | * |
|---|
| | | * Authentication by servlet container principal, X509Certificate, cookie, |
|---|
| | | * Authentication by custom HTTP header, servlet container principal, X509Certificate, cookie, |
|---|
| | | * and finally BASIC header. |
|---|
| | | * |
|---|
| | | * @param httpRequest |
|---|
| | |
|---|
| | | */ |
|---|
| | | @Override |
|---|
| | | public UserModel authenticate(HttpServletRequest httpRequest, boolean requiresCertificate) { |
|---|
| | | |
|---|
| | | // Check if this request has already been authenticated, and trust that instead of re-processing |
|---|
| | | String reqAuthUser = (String) httpRequest.getAttribute(Constants.ATTRIB_AUTHUSER); |
|---|
| | | if (!StringUtils.isEmpty(reqAuthUser)) { |
|---|
| | | logger.debug("Called servlet authenticate when request is already authenticated."); |
|---|
| | | return userManager.getUserModel(reqAuthUser); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // try to authenticate by servlet container principal |
|---|
| | | if (!requiresCertificate) { |
|---|
| | | Principal principal = httpRequest.getUserPrincipal(); |
|---|
| | |
|---|
| | | UserModel user = userManager.getUserModel(username); |
|---|
| | | if (user != null) { |
|---|
| | | // existing user |
|---|
| | | flagSession(httpRequest, AuthenticationType.CONTAINER); |
|---|
| | | flagRequest(httpRequest, AuthenticationType.CONTAINER, user.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated by servlet container principal from {1}", |
|---|
| | | user.username, httpRequest.getRemoteAddr())); |
|---|
| | | return validateAuthentication(user, AuthenticationType.CONTAINER); |
|---|
| | |
|---|
| | | } |
|---|
| | | |
|---|
| | | userManager.updateUserModel(user); |
|---|
| | | flagSession(httpRequest, AuthenticationType.CONTAINER); |
|---|
| | | flagRequest(httpRequest, AuthenticationType.CONTAINER, user.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated and created by servlet container principal from {1}", |
|---|
| | | user.username, httpRequest.getRemoteAddr())); |
|---|
| | | return validateAuthentication(user, AuthenticationType.CONTAINER); |
|---|
| | |
|---|
| | | UserModel user = userManager.getUserModel(model.username); |
|---|
| | | X509Metadata metadata = HttpUtils.getCertificateMetadata(httpRequest); |
|---|
| | | if (user != null) { |
|---|
| | | flagSession(httpRequest, AuthenticationType.CERTIFICATE); |
|---|
| | | flagRequest(httpRequest, AuthenticationType.CERTIFICATE, user.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated by client certificate {1} from {2}", |
|---|
| | | user.username, metadata.serialNumber, httpRequest.getRemoteAddr())); |
|---|
| | | return validateAuthentication(user, AuthenticationType.CERTIFICATE); |
|---|
| | |
|---|
| | | if (!StringUtils.isEmpty(cookie)) { |
|---|
| | | user = userManager.getUserModel(cookie.toCharArray()); |
|---|
| | | if (user != null) { |
|---|
| | | flagSession(httpRequest, AuthenticationType.COOKIE); |
|---|
| | | flagRequest(httpRequest, AuthenticationType.COOKIE, user.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated by cookie from {1}", |
|---|
| | | user.username, httpRequest.getRemoteAddr())); |
|---|
| | | return validateAuthentication(user, AuthenticationType.COOKIE); |
|---|
| | |
|---|
| | | if (values.length == 2) { |
|---|
| | | String username = values[0]; |
|---|
| | | char[] password = values[1].toCharArray(); |
|---|
| | | user = authenticate(username, password); |
|---|
| | | user = authenticate(username, password, httpRequest.getRemoteAddr()); |
|---|
| | | if (user != null) { |
|---|
| | | flagSession(httpRequest, AuthenticationType.CREDENTIALS); |
|---|
| | | flagRequest(httpRequest, AuthenticationType.CREDENTIALS, user.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated by BASIC request header from {1}", |
|---|
| | | user.username, httpRequest.getRemoteAddr())); |
|---|
| | | return validateAuthentication(user, AuthenticationType.CREDENTIALS); |
|---|
| | | } else { |
|---|
| | | logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", |
|---|
| | | username, httpRequest.getRemoteAddr())); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | // Check each configured AuthenticationProvider |
|---|
| | | for (AuthenticationProvider ap : authenticationProviders) { |
|---|
| | | UserModel authedUser = ap.authenticate(httpRequest); |
|---|
| | | if (null != authedUser) { |
|---|
| | | flagRequest(httpRequest, ap.getAuthenticationType(), authedUser.username); |
|---|
| | | logger.debug(MessageFormat.format("{0} authenticated by {1} from {2} for {3}", |
|---|
| | | authedUser.username, ap.getServiceName(), httpRequest.getRemoteAddr(), |
|---|
| | | httpRequest.getPathInfo())); |
|---|
| | | return validateAuthentication(authedUser, ap.getAuthenticationType()); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | return null; |
|---|
| | |
|---|
| | | return user; |
|---|
| | | } |
|---|
| | | |
|---|
| | | protected void flagSession(HttpServletRequest httpRequest, AuthenticationType authenticationType) { |
|---|
| | | httpRequest.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, authenticationType); |
|---|
| | | protected void flagRequest(HttpServletRequest httpRequest, AuthenticationType authenticationType, String authedUsername) { |
|---|
| | | httpRequest.setAttribute(Constants.ATTRIB_AUTHUSER, authedUsername); |
|---|
| | | httpRequest.setAttribute(Constants.ATTRIB_AUTHTYPE, authenticationType); |
|---|
| | | } |
|---|
| | | |
|---|
| | | /** |
|---|
| | |
|---|
| | | * @return a user object or null |
|---|
| | | */ |
|---|
| | | @Override |
|---|
| | | public UserModel authenticate(String username, char[] password) { |
|---|
| | | public UserModel authenticate(String username, char[] password, String remoteIP) { |
|---|
| | | if (StringUtils.isEmpty(username)) { |
|---|
| | | // can not authenticate empty username |
|---|
| | | return null; |
|---|
| | | } |
|---|
| | | |
|---|
| | | if (username.equalsIgnoreCase(Constants.FEDERATION_USER)) { |
|---|
| | | // can not authenticate internal FEDERATION_USER at this point |
|---|
| | | // it must be routed to FederationManager |
|---|
| | | return null; |
|---|
| | | } |
|---|
| | | |
|---|
| | | String usernameDecoded = StringUtils.decodeUsername(username); |
|---|
| | | String pw = new String(password); |
|---|
| | | if (StringUtils.isEmpty(pw)) { |
|---|
| | |
|---|
| | | |
|---|
| | | // try local authentication |
|---|
| | | if (user != null && user.isLocalAccount()) { |
|---|
| | | return authenticateLocal(user, password); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // try registered external authentication providers |
|---|
| | | for (AuthenticationProvider provider : authenticationProviders) { |
|---|
| | | if (provider instanceof UsernamePasswordAuthenticationProvider) { |
|---|
| | | UserModel returnedUser = provider.authenticate(usernameDecoded, password); |
|---|
| | | if (returnedUser != null) { |
|---|
| | | // user authenticated |
|---|
| | | returnedUser.accountType = provider.getAccountType(); |
|---|
| | | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); |
|---|
| | | UserModel returnedUser = authenticateLocal(user, password); |
|---|
| | | if (returnedUser != null) { |
|---|
| | | // user authenticated |
|---|
| | | return returnedUser; |
|---|
| | | } |
|---|
| | | } else { |
|---|
| | | // try registered external authentication providers |
|---|
| | | for (AuthenticationProvider provider : authenticationProviders) { |
|---|
| | | if (provider instanceof UsernamePasswordAuthenticationProvider) { |
|---|
| | | UserModel returnedUser = provider.authenticate(usernameDecoded, password); |
|---|
| | | if (returnedUser != null) { |
|---|
| | | // user authenticated |
|---|
| | | returnedUser.accountType = provider.getAccountType(); |
|---|
| | | return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | } |
|---|
| | | |
|---|
| | | // could not authenticate locally or with a provider |
|---|
| | | logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", username, |
|---|
| | | remoteIP != null ? remoteIP : "unknown")); |
|---|
| | | |
|---|
| | | return null; |
|---|
| | | } |
|---|
| | | |
|---|
| | |
|---|
| | | @Override |
|---|
| | | public void setCookie(HttpServletRequest request, HttpServletResponse response, UserModel user) { |
|---|
| | | if (settings.getBoolean(Keys.web.allowCookieAuthentication, true)) { |
|---|
| | | HttpSession session = request.getSession(); |
|---|
| | | AuthenticationType authenticationType = (AuthenticationType) session.getAttribute(Constants.AUTHENTICATION_TYPE); |
|---|
| | | boolean standardLogin = authenticationType.isStandard(); |
|---|
| | | boolean standardLogin = true; |
|---|
| | | |
|---|
| | | if (null != request) { |
|---|
| | | // Pull the auth type from the request, it is set there if container managed |
|---|
| | | AuthenticationType authenticationType = (AuthenticationType) request.getAttribute(Constants.ATTRIB_AUTHTYPE); |
|---|
| | | |
|---|
| | | if (null != authenticationType) |
|---|
| | | standardLogin = authenticationType.isStandard(); |
|---|
| | | } |
|---|
| | | |
|---|
| | | if (standardLogin) { |
|---|
| | | Cookie userCookie; |
|---|
