- Principal p = trans.getUserPrincipal();
- if (p instanceof BasicPrincipal) {
- // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
- // otherwise, it wouldn't have gotten here.
- resp.setStatus(HttpStatus.OK_200);
- } else if (p instanceof X509Principal) {
- // have to check Basic Auth here, because it might be CSP.
- String authz = req.getHeader("Authorization");
- if(authz.startsWith("Basic ")) {
- BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf();
- if(bht!=null) {
- BasicPrincipal bp = new BasicPrincipal(authz,"");
- CredVal cv = bht.getCredVal(bp.getDomain());
- if(cv!=null) {
- if(cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- resp.setStatus(HttpStatus.FORBIDDEN_403);
- }
- }
- } else {
- String decoded = Symm.base64noSplit.decode(authz.substring(6));
- int colon = decoded.indexOf(':');
- TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
- try {
- if(directAAFUserPass.validate(
- decoded.substring(0,colon),
- CredVal.Type.PASSWORD ,
- decoded.substring(colon+1).getBytes(),trans)) {
-
- resp.setStatus(HttpStatus.OK_200);
- } else {
- // DME2 at this version crashes without some sort of response
- resp.getOutputStream().print("");
- resp.setStatus(HttpStatus.FORBIDDEN_403);
- }
- } finally {
- tt.done();
- }
- }
- }
- } else if(p == null) {
- trans.error().log("Transaction not Authenticated... no Principal");
- resp.setStatus(HttpStatus.FORBIDDEN_403);
- } else {
- trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
- // For Auth Security questions, we don't give any info to client on why failed
- resp.setStatus(HttpStatus.FORBIDDEN_403);
- }
- }
- },"text/plain","*/*","*");
-
- /**
- * returns whether a given Credential is valid
- */
- authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) {
- @Override
- public void handle(
- AuthzTrans trans,
- HttpServletRequest req,
- HttpServletResponse resp) throws Exception {
-
- Result<Date> r = context.doesCredentialMatch(trans, req, resp);
- if(r.isOK()) {
- resp.setStatus(HttpStatus.OK_200);
- } else {
- // For Security, we don't give any info out on why failed, other than forbidden
- // Can't do "401", because that is on the call itself
- resp.setStatus(HttpStatus.FORBIDDEN_403);
- }
- }
- });
+ Principal p = trans.getUserPrincipal();
+ if (p instanceof BasicPrincipal) {
+ // the idea is that if call is made with this credential, and it's a BasicPrincipal, it's ok
+ // otherwise, it wouldn't have gotten here.
+ resp.setStatus(HttpStatus.OK_200);
+ } else if (p instanceof X509Principal) {
+ // have to check Basic Auth here, because it might be CSP.
+ String authz = req.getHeader("Authorization");
+ if (authz.startsWith("Basic ")) {
+ BasicHttpTaf bht = ((X509Principal)p).getBasicHttpTaf();
+ if (bht!=null) {
+ BasicPrincipal bp = new BasicPrincipal(authz,"");
+ CredVal cv = bht.getCredVal(bp.getDomain());
+ if (cv!=null) {
+ if (cv.validate(bp.getName(), Type.PASSWORD, bp.getCred(), null) ) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ resp.setStatus(HttpStatus.UNAUTHORIZED_401);
+ }
+ }
+ } else {
+ String decoded = Symm.base64noSplit.decode(authz.substring(6));
+ int colon = decoded.indexOf(':');
+ TimeTaken tt = trans.start("Direct Validation", Env.REMOTE);
+ try {
+ if (directAAFUserPass.validate(
+ decoded.substring(0,colon),
+ CredVal.Type.PASSWORD ,
+ decoded.substring(colon+1).getBytes(),trans)) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ // DME2 at this version crashes without some sort of response
+ resp.getOutputStream().print("");
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ } finally {
+ tt.done();
+ }
+ }
+ }
+ } else if (p == null) {
+ trans.error().log("Transaction not Authenticated... no Principal");
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ } else {
+ trans.checkpoint("Basic Auth Check Failed: This wasn't a Basic Auth Trans");
+ // For Auth Security questions, we don't give any info to client on why failed
+ resp.setStatus(HttpStatus.FORBIDDEN_403);
+ }
+ }
+ },"text/plain","*/*","*");
+
+ /**
+ * returns whether a given Credential is valid
+ */
+ authzAPI.route(POST, "/authn/validate", API.CRED_REQ, new Code(facade,"Is given Credential valid?",true) {
+ @Override
+ public void handle(
+ AuthzTrans trans,
+ HttpServletRequest req,
+ HttpServletResponse resp) throws Exception {
+ // will be a valid Entity. Do we need to add permission
+ //if(trans.fish("ns","password","request")) or the like
+ Result<Date> r = context.doesCredentialMatch(trans, req, resp);
+ if (r.isOK()) {
+ resp.setStatus(HttpStatus.OK_200);
+ } else {
+ // For Security, we don't give any info out on why failed, other than forbidden
+ // Can't do "401", because that is on the call itself
+ // 403 Implies you MAY NOT Ask.
+ resp.setStatus(HttpStatus.NOT_ACCEPTABLE_406);
+ }
+ }
+ });