activemq-shiro/src/main/java/org/apache/activemq/shiro/authc/AuthenticationFilter.java - activemq - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.activemq.shiro.authc;

 import org.apache.activemq.broker.ConnectionContext;
 import org.apache.activemq.command.ConnectionInfo;
 import org.apache.activemq.security.SecurityContext;
 import org.apache.activemq.shiro.ConnectionReference;
 import org.apache.activemq.shiro.env.EnvironmentFilter;
 import org.apache.activemq.shiro.subject.ConnectionSubjectResolver;
 import org.apache.activemq.shiro.subject.SubjectConnectionReference;
 import org.apache.activemq.shiro.subject.SubjectSecurityContext;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.subject.Subject;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /**
  * The {@code AuthenticationFilter} enforces if authentication is required before allowing the broker filter chain
  * to continue.
  * <p/>
  * This implementation performs a connection-level authentication assertion:  If the {@link Subject} associated with the
  * connection<b>*</b> is not authenticated, and the
  * {@link AuthenticationPolicy AuthenticationPolicy} requires the {@code Subject} to be authenticated, it will attempt
  * to {@link Subject#login(org.apache.shiro.authc.AuthenticationToken) login} the Subject automatically.  The
  * {@link AuthenticationToken} used to login is created by the
  * {@link #getAuthenticationTokenFactory() authenticationTokenFactory}, typically by acquiring any credentials
  * associated with the connection.
  * <p/>
  * Once the connection's {@code Subject} is authenticated as necessary, the broker filter chain will continue
  * as expected.
  * <p/>
  * <b>*</b>: The upstream {@link org.apache.activemq.shiro.subject.SubjectFilter} is expected to execute before this one, ensuring a Subject instance
  * is already associated with the connection.
  *
  * @since 5.10.0
  */
 public class AuthenticationFilter extends EnvironmentFilter {

     private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);

     private AuthenticationPolicy authenticationPolicy;
     private AuthenticationTokenFactory authenticationTokenFactory;

     public AuthenticationFilter() {
         this.authenticationPolicy = new DefaultAuthenticationPolicy();
         this.authenticationTokenFactory = new DefaultAuthenticationTokenFactory();
     }

     public AuthenticationPolicy getAuthenticationPolicy() {
         return authenticationPolicy;
     }

     public void setAuthenticationPolicy(AuthenticationPolicy authenticationPolicy) {
         this.authenticationPolicy = authenticationPolicy;
     }

     public AuthenticationTokenFactory getAuthenticationTokenFactory() {
         return authenticationTokenFactory;
     }

     public void setAuthenticationTokenFactory(AuthenticationTokenFactory authenticationTokenFactory) {
         this.authenticationTokenFactory = authenticationTokenFactory;
     }

     protected Subject getSubject(ConnectionReference conn) {
         return new ConnectionSubjectResolver(conn).getSubject();
     }

     @Override
     public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {

         if (isEnabled()) { //disabled means don't enforce authentication (i.e. allow anonymous access):

             Subject subject = getSubject(new ConnectionReference(context, info, getEnvironment()));

             if (!subject.isAuthenticated()) {

                 SubjectConnectionReference connection = new SubjectConnectionReference(context, info, getEnvironment(), subject);

                 if (this.authenticationPolicy.isAuthenticationRequired(connection)) {
                     AuthenticationToken token = this.authenticationTokenFactory.getAuthenticationToken(connection);
                     if (token == null) {
                         String msg = "Unable to obtain authentication credentials for newly established connection.  " +
                                 "Authentication is required.";
                         throw new AuthenticationException(msg);
                     }
                     //token is not null - login the current subject:
                     subject.login(token);
                 }
             }
         }

         super.addConnection(context, info);
     }

     @Override
     public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception {
         try {
             super.removeConnection(context, info, error);
         } finally {
             SecurityContext secCtx = context.getSecurityContext();

             if (secCtx instanceof SubjectSecurityContext) {

                 SubjectSecurityContext subjectSecurityContext = (SubjectSecurityContext) secCtx;
                 Subject subject = subjectSecurityContext.getSubject();

                 if (subject != null) {
                     try {
                         subject.logout();
                     } catch (Throwable t) {
                         String msg = "Unable to cleanly logout connection Subject during connection removal.  This is " +
                                 "unexpected but not critical: it can be safely ignored because the " +
                                 "connection will no longer be used.";
                         LOG.info(msg, t);
                     }
                 }
             }
         }
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.activemq.shiro.authc;

	import org.apache.activemq.broker.ConnectionContext;
	import org.apache.activemq.command.ConnectionInfo;
	import org.apache.activemq.security.SecurityContext;
	import org.apache.activemq.shiro.ConnectionReference;
	import org.apache.activemq.shiro.env.EnvironmentFilter;
	import org.apache.activemq.shiro.subject.ConnectionSubjectResolver;
	import org.apache.activemq.shiro.subject.SubjectConnectionReference;
	import org.apache.activemq.shiro.subject.SubjectSecurityContext;
	import org.apache.shiro.authc.AuthenticationException;
	import org.apache.shiro.authc.AuthenticationToken;
	import org.apache.shiro.subject.Subject;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/**
	* The {@code AuthenticationFilter} enforces if authentication is required before allowing the broker filter chain
	* to continue.
	* <p/>
	* This implementation performs a connection-level authentication assertion: If the {@link Subject} associated with the
	* connection<b>*</b> is not authenticated, and the
	* {@link AuthenticationPolicy AuthenticationPolicy} requires the {@code Subject} to be authenticated, it will attempt
	* to {@link Subject#login(org.apache.shiro.authc.AuthenticationToken) login} the Subject automatically. The
	* {@link AuthenticationToken} used to login is created by the
	* {@link #getAuthenticationTokenFactory() authenticationTokenFactory}, typically by acquiring any credentials
	* associated with the connection.
	* <p/>
	* Once the connection's {@code Subject} is authenticated as necessary, the broker filter chain will continue
	* as expected.
	* <p/>
	* <b>*</b>: The upstream {@link org.apache.activemq.shiro.subject.SubjectFilter} is expected to execute before this one, ensuring a Subject instance
	* is already associated with the connection.
	*
	* @since 5.10.0
	*/
	public class AuthenticationFilter extends EnvironmentFilter {

	private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);

	private AuthenticationPolicy authenticationPolicy;
	private AuthenticationTokenFactory authenticationTokenFactory;

	public AuthenticationFilter() {
	this.authenticationPolicy = new DefaultAuthenticationPolicy();
	this.authenticationTokenFactory = new DefaultAuthenticationTokenFactory();
	}

	public AuthenticationPolicy getAuthenticationPolicy() {
	return authenticationPolicy;
	}

	public void setAuthenticationPolicy(AuthenticationPolicy authenticationPolicy) {
	this.authenticationPolicy = authenticationPolicy;
	}

	public AuthenticationTokenFactory getAuthenticationTokenFactory() {
	return authenticationTokenFactory;
	}

	public void setAuthenticationTokenFactory(AuthenticationTokenFactory authenticationTokenFactory) {
	this.authenticationTokenFactory = authenticationTokenFactory;
	}

	protected Subject getSubject(ConnectionReference conn) {
	return new ConnectionSubjectResolver(conn).getSubject();
	}

	@Override
	public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {

	if (isEnabled()) { //disabled means don't enforce authentication (i.e. allow anonymous access):

	Subject subject = getSubject(new ConnectionReference(context, info, getEnvironment()));

	if (!subject.isAuthenticated()) {

	SubjectConnectionReference connection = new SubjectConnectionReference(context, info, getEnvironment(), subject);

	if (this.authenticationPolicy.isAuthenticationRequired(connection)) {
	AuthenticationToken token = this.authenticationTokenFactory.getAuthenticationToken(connection);
	if (token == null) {
	String msg = "Unable to obtain authentication credentials for newly established connection. " +
	"Authentication is required.";
	throw new AuthenticationException(msg);
	}
	//token is not null - login the current subject:
	subject.login(token);
	}
	}
	}

	super.addConnection(context, info);
	}

	@Override
	public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception {
	try {
	super.removeConnection(context, info, error);
	} finally {
	SecurityContext secCtx = context.getSecurityContext();

	if (secCtx instanceof SubjectSecurityContext) {

	SubjectSecurityContext subjectSecurityContext = (SubjectSecurityContext) secCtx;
	Subject subject = subjectSecurityContext.getSubject();

	if (subject != null) {
	try {
	subject.logout();
	} catch (Throwable t) {
	String msg = "Unable to cleanly logout connection Subject during connection removal. This is " +
	"unexpected but not critical: it can be safely ignored because the " +
	"connection will no longer be used.";
	LOG.info(msg, t);
	}
	}
	}
	}
	}
	}