org.apache.brooklyn.rest.security.provider

Class ExplicitUsersSecurityProvider

java.lang.Object

org.apache.brooklyn.rest.security.provider.AbstractSecurityProvider

org.apache.brooklyn.rest.security.provider.ExplicitUsersSecurityProvider

All Implemented Interfaces:

SecurityProvider

public class ExplicitUsersSecurityProvider
extends AbstractSecurityProvider
implements SecurityProvider

Security provider which validates users against passwords according to property keys, as set in BrooklynWebConfig.USERS and BrooklynWebConfig.PASSWORD_FOR_USER(String)

Nested Class Summary

Nested classes/interfaces inherited from interface org.apache.brooklyn.rest.security.provider.SecurityProvider

SecurityProvider.SecurityProviderDeniedAuthentication

Field Summary

Fields

Modifier and Type	Field and Description
static org.slf4j.Logger	LOG

Constructor Summary

Constructors

Constructor and Description
ExplicitUsersSecurityProvider(ManagementContext mgmt)

Method Summary

Modifier and Type	Method and Description
boolean	authenticate(javax.servlet.http.HttpServletRequest request, java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess, java.lang.String user, java.lang.String pass) Perform the authentication.
static boolean	checkExplicitUserPassword(ManagementContext mgmt, java.lang.String user, java.lang.String password) checks the supplied candidate user and password against the expect password (or SHA-256 + SALT thereof) defined as brooklyn properties.
static boolean	checkPassword(java.lang.String candidatePassword, java.lang.String expectedPassword, java.lang.String expectedPasswordSha256, java.lang.String salt) checks a candidate password against the expected credential defined for a given user.
boolean	requiresUserPass() whether this provider requires a user/pass; if this returns false, the framework can send null/null as the user/pass to #authenticate(HttpSession, String, String), and should do that if user/pass info is not immediately available (ie for things like oauth, the framework should not require basic auth if this method returns false)

Methods inherited from class org.apache.brooklyn.rest.security.provider.AbstractSecurityProvider

isAuthenticated, logout

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.brooklyn.rest.security.provider.SecurityProvider

isAuthenticated, logout

Field Detail

LOG

public static final org.slf4j.Logger LOG

Constructor Detail

ExplicitUsersSecurityProvider

public ExplicitUsersSecurityProvider(ManagementContext mgmt)

Method Detail

authenticate

public boolean authenticate(javax.servlet.http.HttpServletRequest request,
                            java.util.function.Supplier<javax.servlet.http.HttpSession> sessionSupplierOnSuccess,
                            java.lang.String user,
                            java.lang.String pass)
                     throws SecurityProvider.SecurityProviderDeniedAuthentication

Description copied from interface: SecurityProvider

Perform the authentication. If SecurityProvider.requiresUserPass() returns false, user/pass may be null; otherwise the framework will guarantee the basic auth is in effect and these values are set. The provider should not send a response but should throw SecurityProvider.SecurityProviderDeniedAuthentication if a custom response is required. It can include a response in that exception, e.g. to provide more information or supply a redirect.

It should not create a session via HttpServletRequest.getSession(), especially if auth is not successful (easy for DOS attack to chew up memory), and even on auth it should use the Supplier given here to get a session (that will create a session) to install. (Note that this will return the MultiSessionAttributeAdapter.getPreferredSession(), not the request's local session.)

On successful auth this method may HttpSession.setAttribute(String, Object) so that SecurityProvider.isAuthenticated(HttpSession) can return quickly on subsequent requests. If so, see SecurityProvider.logout(HttpSession) about clearing those values.

Specified by:

authenticate in interface SecurityProvider

Throws:

SecurityProvider.SecurityProviderDeniedAuthentication

checkExplicitUserPassword

public static boolean checkExplicitUserPassword(ManagementContext mgmt,
                                                java.lang.String user,
                                                java.lang.String password)

checks the supplied candidate user and password against the expect password (or SHA-256 + SALT thereof) defined as brooklyn properties.

checkPassword

public static boolean checkPassword(java.lang.String candidatePassword,
                                    java.lang.String expectedPassword,
                                    java.lang.String expectedPasswordSha256,
                                    java.lang.String salt)

checks a candidate password against the expected credential defined for a given user. the expected credentials can be supplied as an expectedPassword OR as a combination of the SHA-256 hash of the expected password plus a defined salt. the combination of the SHA+SALT allows credentials to be supplied in a non-plaintext manner.

requiresUserPass

public boolean requiresUserPass()

Description copied from interface: SecurityProvider

whether this provider requires a user/pass; if this returns false, the framework can send null/null as the user/pass to #authenticate(HttpSession, String, String), and should do that if user/pass info is not immediately available (ie for things like oauth, the framework should not require basic auth if this method returns false)

Specified by:

requiresUserPass in interface SecurityProvider