Package org.eclipse.jetty.security.openid

Class OpenIdAuthenticator

  • All Implemented Interfaces:
    Authenticator
    public class OpenIdAuthenticator
extends LoginAuthenticator

    Implements authentication using OpenId Connect on top of OAuth 2.0.

    The OpenIdAuthenticator redirects unauthenticated requests to the OpenID Connect Provider. The End-User is eventually redirected back with an Authorization Code to the /j_security_check URI within the context. The Authorization Code is then used to authenticate the user through the OpenIdCredentials and OpenIdLoginService.

    Once a user is authenticated the OpenID Claims can be retrieved through an attribute on the session with the key CLAIMS. The full response containing the OAuth 2.0 Access Token can be obtained with the session attribute RESPONSE.

    SessionAuthentication is then used to wrap Authentication results so that they are associated with the session.

    • Field Detail

      • LOG

        private static final Logger LOG

      • J_SECURITY_CHECK

        public static final java.lang.String J_SECURITY_CHECK
        See Also:
        Constant Field Values

      • CSRF_TOKEN

        @Deprecated
public static final java.lang.String CSRF_TOKEN
        Deprecated.
        See Also:
        Constant Field Values

      • _secureRandom

        private final java.security.SecureRandom _secureRandom

      • _errorPage

        private java.lang.String _errorPage

      • _errorPath

        private java.lang.String _errorPath

      • _errorQuery

        private java.lang.String _errorQuery

      • _alwaysSaveUri

        private boolean _alwaysSaveUri

    • Constructor Detail

      • OpenIdAuthenticator

        public OpenIdAuthenticator()

      • OpenIdAuthenticator

        public OpenIdAuthenticator​(OpenIdConfiguration configuration,
                           java.lang.String errorPage)

    • Method Detail

      • getAuthMethod

        public java.lang.String getAuthMethod()
        Returns:
        The name of the authentication method

      • setAlwaysSaveUri

        @Deprecated
public void setAlwaysSaveUri​(boolean alwaysSave)
        Deprecated.

      • isAlwaysSaveUri

        @Deprecated
public boolean isAlwaysSaveUri()
        Deprecated.

      • setErrorPage

        private void setErrorPage​(java.lang.String path)

      • login

        public UserIdentity login​(java.lang.String username,
                          java.lang.Object credentials,
                          javax.servlet.ServletRequest request)
        Description copied from class: LoginAuthenticator
        If the UserIdentity is not null after this method calls LoginService.login(String, Object, ServletRequest), it is assumed that the user is fully authenticated and we need to change the session id to prevent session fixation vulnerability. If the UserIdentity is not necessarily fully authenticated, then subclasses must override this method and determine when the UserIdentity IS fully authenticated and renew the session id.
        Overrides:
        login in class LoginAuthenticator
        Parameters:
        username - the username of the client to be authenticated
        credentials - the user's credential
        request - the inbound request that needs authentication

      • prepareRequest

        public void prepareRequest​(javax.servlet.ServletRequest request)
        Description copied from interface: Authenticator
        Called prior to validateRequest. The authenticator can manipulate the request to update it with information that can be inspected prior to validateRequest being called. The primary purpose of this method is to satisfy the Servlet Spec 3.1 section 13.6.3 on handling Form authentication where the http method of the original request causing authentication is not the same as the http method resulting from the redirect after authentication.
        Specified by:
        prepareRequest in interface Authenticator
        Overrides:
        prepareRequest in class LoginAuthenticator
        Parameters:
        request - the request to manipulate

      • validateRequest

        public Authentication validateRequest​(javax.servlet.ServletRequest req,
                                      javax.servlet.ServletResponse res,
                                      boolean mandatory)
                               throws ServerAuthException
        Description copied from interface: Authenticator
        Validate a request
        Parameters:
        req - The request
        res - The response
        mandatory - True if authentication is mandatory.
        Returns:
        An Authentication. If Authentication is successful, this will be a Authentication.User. If a response has been sent by the Authenticator (which can be done for both successful and unsuccessful authentications), then the result will implement Authentication.ResponseSent. If Authentication is not mandatory, then a Authentication.Deferred may be returned.
        Throws:
        ServerAuthException - if unable to validate request

      • sendError

        private void sendError​(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       java.lang.String message)
                throws java.io.IOException
        Report an error case either by redirecting to the error page if it is defined, otherwise sending a 403 response. If the message parameter is not null, a query parameter with a key of ERROR_PARAMETER and value of the error message will be logged and added to the error redirect URI if the error page is defined.
        Parameters:
        request - the request.
        response - the response.
        message - the reason for the error or null.
        Throws:
        java.io.IOException - if sending the error fails for any reason.

      • isJSecurityCheck

        public boolean isJSecurityCheck​(java.lang.String uri)

      • isErrorPage

        public boolean isErrorPage​(java.lang.String pathInContext)

      • getRedirectUri

        private java.lang.String getRedirectUri​(javax.servlet.http.HttpServletRequest request)

      • getChallengeUri

        protected java.lang.String getChallengeUri​(Request request)

      • secureResponse

        public boolean secureResponse​(javax.servlet.ServletRequest req,
                              javax.servlet.ServletResponse res,
                              boolean mandatory,
                              Authentication.User validatedUser)
        Description copied from interface: Authenticator
        is response secure
        Parameters:
        req - the request
        res - the response
        mandatory - if security is mandator
        validatedUser - the user that was validated
        Returns:
        true if response is secure