;; Jetty security wiring: LoginService construction (JAAS or hash/properties
;; realm), a ConstraintSecurityHandler builder, and a helper that datafies the
;; authenticated user of a request.
(ns slipway.security
  (:require [clojure.core.protocols :as p]
            [clojure.tools.logging :as log])
  (:import (java.util List)
           (org.eclipse.jetty.server Authentication$User)
           (javax.security.auth.login Configuration) ;; Jetty9/10/11 all use javax in this specific class.
           (org.eclipse.jetty.jaas JAASLoginService)
           (org.eclipse.jetty.security Authenticator ConstraintSecurityHandler HashLoginService LoginService SecurityHandler)
           ;; Authentication$User is also imported above; re-importing the same
           ;; class under the same simple name is accepted by the compiler.
           (org.eclipse.jetty.server Authentication$User Request)))
;; Dispatch on the ::login-service entry of the configuration map. The string
;; values "jaas" and "hash" have methods further down; any other value (or a
;; missing key) falls through to the default and yields nil.
(defmulti login-service
  "Build a Jetty LoginService from a config map, dispatching on ::login-service."
  ::login-service)

(defmethod login-service :default
  [_config]
  nil)
;; JAAS-backed LoginService. The JAAS configuration file is located through
;; the java.security.auth.login.config JVM system property, never through the
;; config map, so the realm is the only key consumed here.
(defmethod login-service "jaas"
  [{::keys [realm]}]
  (let [config-path (System/getProperty "java.security.auth.login.config")]
    (log/infof "initializing JAASLoginService - realm: %s, java.security.auth.login.config: %s " realm config-path)
    (when-not config-path
      (throw (ex-info "start with -Djava.security.auth.login.config=/some/path/to/jaas.config to use Jetty/JAAS auth provider" {})))
    ;; Readability probe: slurp throws when the file cannot be opened. Its
    ;; return value is a String (truthy even when empty), so the `when` only
    ;; distinguishes the exception path; the contents are discarded and the
    ;; JAAS runtime re-reads the file via Configuration/getConfiguration.
    (when (slurp config-path)
      (doto (JAASLoginService. realm)
        (.setConfiguration (Configuration/getConfiguration))))))
;; Properties-file ("hash") LoginService. The file named by ::hash-user-file
;; holds the realm's user entries; only its path is logged, never its contents.
(defmethod login-service "hash"
  [{::keys [realm hash-user-file]}]
  (log/infof "initializing HashLoginService - realm: %s, realm file: %s" realm hash-user-file)
  (when-not hash-user-file
    (throw (ex-info "set the path to your hash user realm properties file" {})))
  ;; Readability probe, as for "jaas": slurp throws if the file cannot be
  ;; opened and otherwise returns a (truthy) String that is discarded.
  (when (slurp hash-user-file)
    (HashLoginService. realm hash-user-file)))
(defn user
  "Return the datafied Authentication$User attached to `base-request`, or nil
  when the request carries no authentication or one of another type.
  Datafication goes through clojure.core.protocols/datafy; any Datafiable
  extension for Authentication$User lives outside this file."
  [^Request base-request]
  (let [authentication (.getAuthentication base-request)]
    ;; instance? is false for nil, so an unauthenticated request yields nil.
    (when (instance? Authentication$User authentication)
      (p/datafy authentication))))
;; Documentation only (never evaluated): the ::slipway.security config keys
;; consumed by `login-service` and `handler`, with a description of each value.
(comment
  #:slipway.security{:realm "the Jetty authentication realm"
                     :hash-user-file "the path to a Jetty Hash User File"
                     :login-service "a Jetty LoginService identifier, 'jaas' and 'hash' supported by default"
                     :identity-service "a concrete Jetty IdentityService"
                     :authenticator "a concrete Jetty Authenticator (e.g. FormAuthenticator or BasicAuthenticator)"
                     :constraint-mappings "a list of concrete Jetty ConstraintMapping"})
(defn handler
  "Build a ConstraintSecurityHandler wired with `login-service` and the
  ::realm, ::authenticator, ::constraint-mappings and (optionally)
  ::identity-service entries of the config map. In Jetty the authenticator is
  applied only to paths matched by the constraint mappings, so an empty or nil
  mapping list leaves every path unprotected - the logged constraint count is
  the place to spot that."
  ^SecurityHandler
  [^LoginService login-service {::keys [realm authenticator constraint-mappings identity-service]}]
  (log/infof "authenticator %s with %s constraints" (type authenticator) (count constraint-mappings))
  (let [security-handler (doto (ConstraintSecurityHandler.)
                           (.setConstraintMappings ^List constraint-mappings)
                           (.setAuthenticator ^Authenticator authenticator)
                           (.setLoginService login-service)
                           (.setRealmName realm))]
    (when identity-service
      (log/infof "identity service %s" (type identity-service)))
    ;; The identity service is optional; without one Jetty's default applies.
    (cond-> security-handler
      identity-service (doto (.setIdentityService identity-service)))))