Skip to content
Permalink
Browse files
JUDDI-920 this should enable http based authentication
  • Loading branch information
spyhunter99 committed Jan 17, 2015
1 parent 3e1322f commit 86d58ae417563ea973a970b76914352becb31fb8
Showing 4 changed files with 171 additions and 140 deletions.
@@ -14,7 +14,6 @@
* limitations under the License.
*
*/

package org.apache.juddi.api.impl;

import java.util.Date;
@@ -36,163 +35,190 @@
import org.apache.juddi.v3.error.AuthTokenRequiredException;
import org.apache.juddi.v3.error.AuthTokenExpiredException;
import org.apache.juddi.v3.error.ErrorMessage;
import org.apache.juddi.v3.error.UnknownUserException;
import org.uddi.v3_service.DispositionReportFaultMessage;

/**Although this class is abstract, it provides token validation
/**
* Although this class is abstract, it provides token validation
*
* @author <a href="mailto:jfaath@apache.org">Jeff Faath</a>
*
* @author <a href="mailto:alexoree@apache.org">Alex O'Ree</a> - modified to include token expiration validation
*
* @author <a href="mailto:alexoree@apache.org">Alex O'Ree</a> - modified to
* include token expiration validation
*/
public abstract class AuthenticatedService {
public static final int AUTHTOKEN_ACTIVE = 1;
public static final int AUTHTOKEN_RETIRED = 0;
static final Log logger = LogFactory.getLog(AuthenticatedService.class);

public static final int AUTHTOKEN_ACTIVE = 1;
public static final int AUTHTOKEN_RETIRED = 0;
static final Log logger = LogFactory.getLog(AuthenticatedService.class);
/**
* the node id of this server instance, as loaded from the config file
*/
protected static String node = "UNDEFINED_NODE_NAME";
protected String baseUrlSSL="UNDEFINED";
protected String baseUrl="UNDEFINED";
public AuthenticatedService(){
protected static String node = "UNDEFINED_NODE_NAME";
protected String baseUrlSSL = "UNDEFINED";
protected String baseUrl = "UNDEFINED";

public AuthenticatedService() {
try {
node = AppConfig.getConfiguration().getString(Property.JUDDI_NODE_ID, "UNDEFINED_NODE_NAME");
node=node.trim();
baseUrlSSL=AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL_SECURE, Property.DEFAULT_BASE_URL_SECURE);
baseUrlSSL=AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL, Property.DEFAULT_BASE_URL);
node = node.trim();
baseUrlSSL = AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL_SECURE, Property.DEFAULT_BASE_URL_SECURE);
baseUrlSSL = AppConfig.getConfiguration().getString(Property.JUDDI_BASE_URL, Property.DEFAULT_BASE_URL);
} catch (ConfigurationException ex) {
logger.fatal(null, ex);
}
}



@Resource
protected WebServiceContext ctx;
public UddiEntityPublisher getEntityPublisher(EntityManager em, String authInfo) throws DispositionReportFaultMessage {

if (authInfo == null || authInfo.length() == 0)
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthRequired"));

org.apache.juddi.model.AuthToken modelAuthToken = em.find(org.apache.juddi.model.AuthToken.class, authInfo);
if (modelAuthToken == null)
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));

int allowedMinutesOfInactivity = 0;
try {
allowedMinutesOfInactivity = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_TIMEOUT, 0);
} catch (ConfigurationException ce) {
logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
+ "the application's configuration. No automatic timeout token invalidation will occur. "
+ ce.getMessage(), ce);
}
int maxMinutesOfAge = 0;
try {
maxMinutesOfAge = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_EXPIRATION, 0);
} catch (ConfigurationException ce) {
logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
+ "the application's configuration. No automatic timeout token invalidation will occur. "
+ ce.getMessage(), ce);
}
Date now = new Date();
// 0 or negative means token does not expire
if (allowedMinutesOfInactivity > 0) {
// expire tokens after # minutes of inactivity
// compare the time in milli-seconds
if (now.getTime() > modelAuthToken.getLastUsed().getTime() + allowedMinutesOfInactivity * 60000l) {
logger.info("AUDIT: FAILTURE Token " + modelAuthToken.getAuthToken() + " expired due to inactivity "+getRequestorsIPAddress());
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
}
}
if (maxMinutesOfAge > 0) {
// expire tokens when max age is reached
// compare the time in milli-seconds
if (now.getTime() > modelAuthToken.getCreated().getTime() + maxMinutesOfAge * 60000l) {

logger.info("AUDIT: FAILURE - Token " + modelAuthToken.getAuthorizedName() + " expired due to old age " + getRequestorsIPAddress());
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
}
}

if (modelAuthToken.getTokenState() == AUTHTOKEN_RETIRED){

throw new AuthTokenExpiredException(new ErrorMessage("errors.auth.AuthTokenExpired"));

public UddiEntityPublisher getEntityPublisher(EntityManager em, String authInfo) throws DispositionReportFaultMessage {
boolean useAuthInfo = true;
try {
useAuthInfo = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTHENTICATOR_USE_TOKEN, true);
} catch (ConfigurationException ex) {

}
if (ctx !=null){
try{
boolean check=true;
try{
check=AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP, true);
if (useAuthInfo) {

if (authInfo == null || authInfo.length() == 0) {
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthRequired"));
}

org.apache.juddi.model.AuthToken modelAuthToken = em.find(org.apache.juddi.model.AuthToken.class, authInfo);
if (modelAuthToken == null) {
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
}

int allowedMinutesOfInactivity = 0;
try {
allowedMinutesOfInactivity = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_TIMEOUT, 0);
} catch (ConfigurationException ce) {
logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
+ "the application's configuration. No automatic timeout token invalidation will occur. "
+ ce.getMessage(), ce);
}
int maxMinutesOfAge = 0;
try {
maxMinutesOfAge = AppConfig.getConfiguration().getInt(Property.JUDDI_AUTH_TOKEN_EXPIRATION, 0);
} catch (ConfigurationException ce) {
logger.error("Error reading property " + Property.JUDDI_AUTH_TOKEN_EXPIRATION + " from "
+ "the application's configuration. No automatic timeout token invalidation will occur. "
+ ce.getMessage(), ce);
}
catch (ConfigurationException ex){
logger.warn("Error loading config property " + Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP +
" Enforcing Same IP for Auth Tokens will be enabled by default", ex);
Date now = new Date();
// 0 or negative means token does not expire
if (allowedMinutesOfInactivity > 0) {
// expire tokens after # minutes of inactivity
// compare the time in milli-seconds
if (now.getTime() > modelAuthToken.getLastUsed().getTime() + allowedMinutesOfInactivity * 60000l) {
logger.info("AUDIT: FAILTURE Token " + modelAuthToken.getAuthToken() + " expired due to inactivity " + getRequestorsIPAddress());
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
}
}
if (check){
MessageContext mc = ctx.getMessageContext();
HttpServletRequest req = null;
if (mc!=null){
req=(HttpServletRequest)mc.get(MessageContext.SERVLET_REQUEST);
}
if (req!=null &&
modelAuthToken.getIPAddress()!=null &&
modelAuthToken.getIPAddress()!=null &&
!modelAuthToken.getIPAddress().equalsIgnoreCase(req.getRemoteAddr()))
{
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
logger.error("AUDIT FAILURE - Security Alert - Attempt to use issued auth token from a different IP address, user " +
modelAuthToken.getAuthorizedName() + ", issued IP " + modelAuthToken.getIPAddress() +
", attempted use from " + req.getRemoteAddr() + ", forcing reauthentication.");
if (maxMinutesOfAge > 0) {
// expire tokens when max age is reached
// compare the time in milli-seconds
if (now.getTime() > modelAuthToken.getCreated().getTime() + maxMinutesOfAge * 60000l) {

logger.info("AUDIT: FAILURE - Token " + modelAuthToken.getAuthorizedName() + " expired due to old age " + getRequestorsIPAddress());
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
}
}

if (modelAuthToken.getTokenState() == AUTHTOKEN_RETIRED) {

throw new AuthTokenExpiredException(new ErrorMessage("errors.auth.AuthTokenExpired"));
}
if (ctx != null) {
try {
boolean check = true;
try {
check = AppConfig.getConfiguration().getBoolean(Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP, true);
} catch (ConfigurationException ex) {
logger.warn("Error loading config property " + Property.JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP
+ " Enforcing Same IP for Auth Tokens will be enabled by default", ex);
}
if (check) {
MessageContext mc = ctx.getMessageContext();
HttpServletRequest req = null;
if (mc != null) {
req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
}
if (req != null
&& modelAuthToken.getIPAddress() != null
&& modelAuthToken.getIPAddress() != null
&& !modelAuthToken.getIPAddress().equalsIgnoreCase(req.getRemoteAddr())) {
modelAuthToken.setTokenState(AUTHTOKEN_RETIRED);
logger.error("AUDIT FAILURE - Security Alert - Attempt to use issued auth token from a different IP address, user "
+ modelAuthToken.getAuthorizedName() + ", issued IP " + modelAuthToken.getIPAddress()
+ ", attempted use from " + req.getRemoteAddr() + ", forcing reauthentication.");
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
//invalidate the token, someone's intercepted it or it was reused on another ip
}
}
} catch (Exception ex) {
if (ex instanceof AuthTokenRequiredException) {
throw (AuthTokenRequiredException) ex;
}
logger.error("unexpected error caught looking up requestor's ip address", ex);
}

}
Authenticator authenticator = AuthenticatorFactory.getAuthenticator();
UddiEntityPublisher entityPublisher = authenticator.identify(authInfo, modelAuthToken.getAuthorizedName(), ctx);

// Must make sure the returned publisher has all the necessary fields filled
if (entityPublisher == null) {
logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
//invalidate the token, someone's intercepted it or it was reused on another ip
}
}
}
catch (Exception ex){
if (ex instanceof AuthTokenRequiredException)
throw (AuthTokenRequiredException)ex;
logger.error("unexpected error caught looking up requestor's ip address", ex);
}

}
Authenticator authenticator = AuthenticatorFactory.getAuthenticator();
UddiEntityPublisher entityPublisher = authenticator.identify(authInfo, modelAuthToken.getAuthorizedName(), ctx);

// Must make sure the returned publisher has all the necessary fields filled
if (entityPublisher == null) {
logger.warn("AUDIT FAILURE - Auth token invalided, publisher does not exist "+ getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
}
if (entityPublisher.getAuthorizedName() == null){
logger.warn("AUDIT FAILURE - Auth token invalided, username does exist"+ getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
if (entityPublisher.getAuthorizedName() == null) {
logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
}
// Auth token is being used. Adjust appropriate values so that it's internal 'expiration clock' is reset.
modelAuthToken.setLastUsed(new Date());
modelAuthToken.setNumberOfUses(modelAuthToken.getNumberOfUses() + 1);
return entityPublisher;
} else {
//use non-token based authentication
Authenticator authenticator = AuthenticatorFactory.getAuthenticator();
UddiEntityPublisher entityPublisher = authenticator.identify(null, null, ctx);
// Must make sure the returned publisher has all the necessary fields filled
if (entityPublisher == null) {
logger.warn("AUDIT FAILURE - Auth token invalid, publisher does not exist " + getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
}
if (entityPublisher.getAuthorizedName() == null) {
logger.warn("AUDIT FAILURE - Auth token invalid, username does exist" + getRequestorsIPAddress());
throw new AuthTokenRequiredException(new ErrorMessage("errors.auth.AuthInvalid"));
}
return entityPublisher;

}
// Auth token is being used. Adjust appropriate values so that it's internal 'expiration clock' is reset.
modelAuthToken.setLastUsed(new Date());
modelAuthToken.setNumberOfUses(modelAuthToken.getNumberOfUses() + 1);

return entityPublisher;

}

}

/**
* Attempts to get the requestor's ip address from the servlet context, defaults to null it it can't be
* retrieved
* Attempts to get the requestor's ip address from the servlet context,
* defaults to null it it can't be retrieved
*
* @return requestor's ip address or null if it's not available
*/
public String getRequestorsIPAddress()
{
try {
MessageContext mc = ctx.getMessageContext();
HttpServletRequest req = null;
if (mc != null) {
req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
}
if (req != null) {
return req.getRemoteAddr();
public String getRequestorsIPAddress() {
try {
MessageContext mc = ctx.getMessageContext();
HttpServletRequest req = null;
if (mc != null) {
req = (HttpServletRequest) mc.get(MessageContext.SERVLET_REQUEST);
}
if (req != null) {
return req.getRemoteAddr();
}
} catch (Exception ex) {
logger.debug("Error caught looking up the requestor's ip address", ex);
}
} catch (Exception ex) {
logger.debug("Error caught looking up the requestor's ip address", ex);
}
return null;
return null;
}
}
@@ -84,6 +84,11 @@ public interface Property {
*/
public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule";

/**
* Whether not the token is used with each transition, default should be true
*/
public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]";

/**
* This points to the class of the authenticator
*/

0 comments on commit 86d58ae

Please sign in to comment.