List of usage examples for javax.security.auth.message MessageInfo getRequestMessage
public Object getRequestMessage();
From source file:net.java.jaspicoil.SimpleBasicServerAuthModule.java
/** * Authenticate a received service request. * <p/>/* w ww.j av a2 s .c o m*/ * This method is called to transform the mechanism-specific request message * acquired by calling getRequestMessage (on messageInfo) into the validated * application message to be returned to the message processing runtime. If * the received message is a (mechanism-specific) meta-message, the method * implementation must attempt to transform the meta-message into a * corresponding mechanism-specific response message, or to the validated * application request message. The runtime will bind a validated * application message into the the corresponding service invocation. * <p> * This method conveys the outcome of its message processing either by * returning an AuthStatus value or by throwing an AuthException. * <p/> * From a performance point of view this method will be called twice for * each resource with a security constraint on it. Resources with no * security constraint do not result in a call to this method. * * @param messageInfo * A contextual object that encapsulates the client request and * server response objects, and that may be used to save state * across a sequence of calls made to the methods of this * interface for the purpose of completing a secure message * exchange. * @param clientSubject * A Subject that represents the source of the service request. * It is used by the method implementation to store Principals * and credentials validated in the request. * @param serviceSubject * A Subject that represents the recipient of the service * request, or null. It may be used by the method implementation * as the source of Principals or credentials to be used to * validate the request. If the Subject is not null, the method * implementation may add additional Principals or credentials * (pertaining to the recipient of the service request) to the * Subject. * @return An AuthStatus object representing the completion status of the * processing performed by the method. The AuthStatus values that * may be returned by this method are defined as follows: * <p/> * <ul> * <li>AuthStatus.SUCCESS when the application request message was * successfully validated. The validated request message is * available by calling getRequestMessage on messageInfo. * <p/> * <li>AuthStatus.SEND_SUCCESS to indicate that * validation/processing of the request message successfully * produced the secured application response message (in * messageInfo). The secured response message is available by * calling getResponseMessage on messageInfo. * <p/> * <li>AuthStatus.SEND_CONTINUE to indicate that message validation * is incomplete, and that a preliminary response was returned as * the response message in messageInfo. * <p/> * When this status value is returned to challenge an application * request message, the challenged request must be saved by the * authentication module such that it can be recovered when the * module's validateRequest message is called to process the request * returned for the challenge. * <p/> * <li>AuthStatus.SEND_FAILURE to indicate that message validation * failed and that an appropriate failure response message is * available by calling getResponseMessage on messageInfo. * </ul> * @throws AuthException When the message processing failed without * establishing a failure response message (in messageInfo). */ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { // Get the servlet context final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); final HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); final String auth = request.getHeader(AUTHORIZATION_HEADER); // Test prefix for HTTP BASIC Auth if (auth != null && StringUtils.startsWithIgnoreCase(auth, "basic ")) { // We might have a valid header, so try to decode it final String data = new String(Base64.decodeBase64(auth.substring(BASIC_PREFIX_LENGTH)), UTF_8); final int splitIndex = data.indexOf(':'); if (splitIndex < 0) { return sendErrorAndAuthenticateRequest(request, response, "Wrong WWW-Authenticate header format"); } final String username = data.substring(splitIndex); final char[] password = data.substring(splitIndex + 1, data.length()).toCharArray(); // Prepare the JAAS callback to feed any LoginModule with user and password final NameCallback nameCallback = new NameCallback("username"); nameCallback.setName(username); final PasswordCallback passwordCallback = new PasswordCallback(getRealm(request), false); passwordCallback.setPassword(password); final CallbackHandler delegatedHandler = new CallbackHandler() { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { final Callback c = callbacks[i]; if (c instanceof NameCallback) { ((NameCallback) c).setName(username); } else if (c instanceof PasswordCallback) { ((PasswordCallback) c).setPassword(password); } else { throw new UnsupportedOperationException( String.format("Callback type %s (%s) is not supported yet.", c.getClass(), c)); } } } }; if (this.jaasContextName == null) { throw new UnsupportedOperationException( "No delegate JAAS context found. As per JASPIC JAAS Bridge profile, this parameter is requiered."); } try { // Create a new JAAS context with the delegated data & try to login final LoginContext context = new LoginContext(this.jaasContextName, delegatedHandler); context.login(); // Get the authenticated subject from the JAAS context Subject authenticatedSubject = context.getSubject(); final PasswordValidationCallback passwordValidationCallback = new PasswordValidationCallback( authenticatedSubject, username, password); // notify JASPIC containerr for the name, password and subject this.handler.handle(new Callback[] { passwordValidationCallback }); } catch (final LoginException ex) { // If there was any issue during the JAAS login, fail the process final AuthException aex = new AuthException( String.format("Fail to login user %s with the delegated JAAS context %s", username, this.jaasContextName)); aex.initCause(ex); } catch (final IOException e) { LOG.log(Level.WARNING, "Unable to call the handlers for name=" + nameCallback, e); } catch (final UnsupportedCallbackException e) { LOG.log(Level.WARNING, "Unable to call the handlers for name=" + nameCallback, e); } } else if (this.mandatory) { return sendErrorAndAuthenticateRequest(request, response, "AuthModule was mandatory but no valid credential was provided"); } else { LOG.info("No authentication was provided bu Basic AuthModule is not mandatory so return SUCCESS."); } return AuthStatus.SUCCESS; }
From source file:com.yoshio3.modules.AzureADServerAuthModule.java
@Override public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { HttpServletRequest httpRequest = (HttpServletRequest) messageInfo.getRequestMessage(); HttpServletResponse httpResponse = (HttpServletResponse) messageInfo.getResponseMessage(); Callback[] callbacks;//from w w w . j a va 2s . com //Azure AD ?????????? // if returning as a redirect after authenticating on Azure AD //??????????????? //?????????????????????????? // as there is no principal information, if authentication was successful add info to the principal Map<String, String> params = new HashMap<>(); httpRequest.getParameterMap().keySet().stream().forEach(key -> { params.put(key, httpRequest.getParameterMap().get(key)[0]); }); String currentUri = getCurrentUri(httpRequest); //????????? // if the authentication result is not included in the session if (!getSessionPrincipal(httpRequest)) { if (!isRedirectedRequestFromAuthServer(httpRequest, params)) { try { // Azure AD ? Redirect // redirect to Azure ID return redirectOpenIDServer(httpResponse, currentUri); } catch (IOException ex) { LOGGER.log(Level.SEVERE, "Invalid redirect URL", ex); return AuthStatus.SEND_FAILURE; } } else { // Azure AD ???????? // if it's a request returning from Azure AD messageInfo.getMap().put("javax.servlet.http.registerSession", Boolean.TRUE.toString()); messageInfo.getMap().put("javax.servlet.http.authType", "AzureADServerAuthModule"); return getAuthResultFromServerAndSetSession(clientSubject, httpRequest, params, currentUri); } } else { try { //??????? // if the authentication result is included in the session AzureADUserPrincipal sessionPrincipal = (AzureADUserPrincipal) httpRequest.getUserPrincipal(); AuthenticationResult authenticationResult = sessionPrincipal.getAuthenticationResult(); if (authenticationResult.getExpiresOnDate().before(new Date())) { //???????? // if the authentication date is old - get an access token from the refresh token AuthenticationResult authResult = getAccessTokenFromRefreshToken( authenticationResult.getRefreshToken(), currentUri); setSessionPrincipal(httpRequest, new AzureADUserPrincipal(authResult)); } CallerPrincipalCallback callerCallBack = new CallerPrincipalCallback(clientSubject, sessionPrincipal); String[] groups = getGroupList(sessionPrincipal); GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject, groups); callbacks = new Callback[] { callerCallBack, groupPrincipalCallback }; handler.handle(callbacks); return AuthStatus.SUCCESS; } catch (Throwable ex) { LOGGER.log(Level.SEVERE, "Invalid Session Info", ex); return AuthStatus.SEND_FAILURE; } } }
From source file:net.java.jaspicoil.MSPacSpnegoServerAuthModule.java
/** * Secure a service response before sending it to the client. * <p/>/*from www . j a va2s.c om*/ * This method is called to transform the response message acquired by * calling getResponseMessage (on messageInfo) into the mechanism-specific * form to be sent by the runtime. * <p> * This method conveys the outcome of its message processing either by * returning an AuthStatus value or by throwing an AuthException. * * @param messageInfo * A contextual object that encapsulates the client request and * server response objects, and that may be used to save state * across a sequence of calls made to the methods of this * interface for the purpose of completing a secure message * exchange. * @param serviceSubject * A Subject that represents the source of the service response, * or null. It may be used by the method implementation to * retrieve Principals and credentials necessary to secure the * response. If the Subject is not null, the method * implementation may add additional Principals or credentials * (pertaining to the source of the service response) to the * Subject. * @return An AuthStatus object representing the completion status of the * processing performed by the method. The AuthStatus values that * may be returned by this method are defined as follows: * <p/> * <ul> * <li>AuthStatus.SEND_SUCCESS when the application response message * was successfully secured. The secured response message may be * obtained by calling getResponseMessage on messageInfo. * <p/> * <li>AuthStatus.SEND_CONTINUE to indicate that the application * response message (within messageInfo) was replaced with a * security message that should elicit a security-specific response * (in the form of a request) from the peer. * <p/> * This status value serves to inform the calling runtime that (to * successfully complete the message exchange) it will need to be * capable of continuing the message dialog by processing at least * one additional request/response exchange (after having sent the * response message returned in messageInfo). * <p/> * When this status value is returned, the application response must * be saved by the authentication module such that it can be * recovered when the module's validateRequest message is called to * process the elicited response. * <p/> * <li>AuthStatus.SEND_FAILURE to indicate that a failure occurred * while securing the response message and that an appropriate * failure response message is available by calling * getResponseMeessage on messageInfo. * </ul> * @throws AuthException When the message processing failed without * establishing a failure response message (in messageInfo). */ public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); final Principal clientPrincipal = request.getUserPrincipal(); // There should be a session as validate request created one at the end final HttpSession session = request.getSession(false); // As the session might have changed in the middle (for security // reason), // we make sure the settings are saved. Plus if coming from // SessionState.ESTABLISHED // on an existing session, we might have still something to set for the // next Filters updateSessionAndHeader(request, session, clientPrincipal); debug("secureResponse was called and session was updated"); return AuthStatus.SEND_SUCCESS; }
From source file:net.java.jaspicoil.MSPacSpnegoServerAuthModule.java
/** * Authenticate a received service request. * <p/>//from ww w . ja v a 2 s . c o m * This method is called to transform the mechanism-specific request message * acquired by calling getRequestMessage (on messageInfo) into the validated * application message to be returned to the message processing runtime. If * the received message is a (mechanism-specific) meta-message, the method * implementation must attempt to transform the meta-message into a * corresponding mechanism-specific response message, or to the validated * application request message. The runtime will bind a validated * application message into the the corresponding service invocation. * <p> * This method conveys the outcome of its message processing either by * returning an AuthStatus value or by throwing an AuthException. * <p/> * From a performance point of view this method will be called twice for * each resource with a security constraint on it. Resources with no * security constraint do not result in a call to this method. * * @param messageInfo * A contextual object that encapsulates the client request and * server response objects, and that may be used to save state * across a sequence of calls made to the methods of this * interface for the purpose of completing a secure message * exchange. * @param clientSubject * A Subject that represents the source of the service request. * It is used by the method implementation to store Principals * and credentials validated in the request. * @param serviceSubject * A Subject that represents the recipient of the service * request, or null. It may be used by the method implementation * as the source of Principals or credentials to be used to * validate the request. If the Subject is not null, the method * implementation may add additional Principals or credentials * (pertaining to the recipient of the service request) to the * Subject. * @return An AuthStatus object representing the completion status of the * processing performed by the method. The AuthStatus values that * may be returned by this method are defined as follows: * <p/> * <ul> * <li>AuthStatus.SUCCESS when the application request message was * successfully validated. The validated request message is * available by calling getRequestMessage on messageInfo. * <p/> * <li>AuthStatus.SEND_SUCCESS to indicate that * validation/processing of the request message successfully * produced the secured application response message (in * messageInfo). The secured response message is available by * calling getResponseMessage on messageInfo. * <p/> * <li>AuthStatus.SEND_CONTINUE to indicate that message validation * is incomplete, and that a preliminary response was returned as * the response message in messageInfo. * <p/> * When this status value is returned to challenge an application * request message, the challenged request must be saved by the * authentication module such that it can be recovered when the * module's validateRequest message is called to process the request * returned for the challenge. * <p/> * <li>AuthStatus.SEND_FAILURE to indicate that message validation * failed and that an appropriate failure response message is * available by calling getResponseMessage on messageInfo. * </ul> * @throws AuthException When the message processing failed without * establishing a failure response message (in messageInfo). */ @SuppressWarnings("unchecked") public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { // Extra check (disabled withour -ea) if mandatory value is consistent // with initialize phase assert messageInfo.getMap().containsKey(IS_MANDATORY_INFO_KEY) == this.mandatory; // Get the servlet context final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); final HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); // Invalidate any existing session to prevent session fixture attempt HttpSession session = request.getSession(false); if (session != null) { final SessionState state = (SessionState) session.getAttribute(MAGIC_SESSION_STATE_KEY); if (state == null) { // Session was not created by us, we will invalidate an existing // session that was not created by us session.invalidate(); LOG.warning( "An existing session was invalidated. This might be a session fixture attempt, so failing the authentication."); return AuthStatus.SEND_FAILURE; } else if (SessionState.ESTABLISHED.equals(state)) { // The context was already fully established once within this // session. return AuthStatus.SUCCESS; } } debugRequest(request); // should specify encoder final String authorization = request.getHeader(AUTHORIZATION_HEADER); if (authorization != null && authorization.startsWith(NEGOTIATE)) { final String negotiateString = authorization.substring(NEGOTIATE.length() + 1); final byte[] requestToken = Base64.decodeBase64(negotiateString); if (serviceSubject == null) { // If no service subject was provided by the container then set // a service subject // from the global context. serviceSubject = this.serviceSubject; } try { // Create a validation action byte[] gssToken = null; final KerberosValidateAction kva = new KerberosValidateAction(this.servicePrincipal, requestToken, serviceSubject); try { // Validate using the service (server) Subject gssToken = Subject.doAs(this.serviceSubject, kva); } catch (final PrivilegedActionException e) { final GSSException gex = new GSSException(GSSException.DEFECTIVE_TOKEN); gex.initCause(e); gex.setMinor(GSSException.UNAVAILABLE, "Unable to perform Kerberos validation"); throw gex; } if (kva.getContext() != null) { final String responseToken = Base64.encodeBase64String(gssToken); response.setHeader(AUTHENTICATION_HEADER, "Negotiate " + responseToken); debugToken("GSS Response token set to {0}", gssToken); } if (!kva.isEstablished()) { debug("GSS Dialog must continue to succeed"); session.setAttribute(MAGIC_SESSION_STATE_KEY, SessionState.IN_PROGRESS); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); return AuthStatus.SEND_CONTINUE; } else { final Oid mechId = kva.getMech(); final GSSName name = kva.getSrcName(); if (!authorizeCaller(request, requestToken, name, clientSubject)) { return sendFailureMessage(response, "Failed to authorize the caller/client"); } // As no valid session should exist anymore, simply create a // new one session = request.getSession(true); final Principal clientPrincipal = new KerberosPrincipal( name.canonicalize(GSS_KRB5_MECH_OID).toString()); updateSessionAndHeader(request, session, clientPrincipal); session.setAttribute(MAGIC_SESSION_STATE_KEY, SessionState.ESTABLISHED); /* * Store the mechId in the MessageInfo to indicate which * authentication mechanism was used successfully (JASPIC * Requirement) */ messageInfo.getMap().put(AUTH_TYPE_INFO_KEY, mechId != null ? mechId.toString() : "Undefined GSS Mechanism"); debug("GSS Dialog is complete"); } } catch (final GSSException gsse) { debug("GSS Dialog has failed : {0}", gsse); if (requestToken != null) { debug("Bad token detected {0}", gsse); debugToken("Bad token was {0}", requestToken); if (isNTLMToken(requestToken)) { // There is a high probability it was a NTLM SPNEGO // token return sendFailureMessage(response, "No support for NTLM"); } } // for other errors throw an AuthException final AuthException ae = new AuthException(); ae.initCause(gsse); throw ae; } } else if (this.mandatory) { response.setHeader(AUTHENTICATION_HEADER, NEGOTIATE); response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); debug("Negotiate was added to the HTTP header : {0}", NEGOTIATE); return AuthStatus.SEND_CONTINUE; } else if (authorization != null) { LOG.warning("An authorization header was ignored."); } return AuthStatus.SUCCESS; }
From source file:org.forgerock.openam.jaspi.modules.session.LocalSSOTokenSessionModule.java
/** * Validates the request by checking the validity of the SSOToken ID from the AM cookie. * <p>//from w ww . ja va 2s .c o m * If the SSOToken ID is a restricted token then the request must also contain a url parameter "requester" which * must contain the application SSOToken ID of the application the restricted token was issued for. * * @param messageInfo {@inheritDoc} * @param clientSubject {@inheritDoc} * @param serviceSubject {@inheritDoc} * @return {@inheritDoc} * @throws AuthException If there is a problem validating the request. */ @Override public AuthStatus validateRequest(final MessageInfo messageInfo, final Subject clientSubject, Subject serviceSubject) throws AuthException { if (!isInitialised()) { initDependencies(); } final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); String requester = request.getParameter(REQUESTER_URL_PARAM); if (requester != null) { try { SSOToken requesterToken = getFactory().getTokenFromId(requester); if (getFactory().isTokenValid(requesterToken)) { Object o = RestrictedTokenContext.doUsing(requesterToken, new RestrictedTokenAction() { public Object run() throws Exception { return validate(request, messageInfo, clientSubject); } }); return (AuthStatus) o; } } catch (Exception ex) { throw new AuthException("An error occurred whilst trying to use restricted token."); } } return validate(request, messageInfo, clientSubject); }
From source file:org.forgerock.openidm.jaspi.modules.IDMJaspiModuleWrapper.java
private void setClientIPAddress(MessageInfo messageInfo) { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); String ipAddress;//from ww w. ja v a2s .co m if (logClientIPHeader == null) { ipAddress = request.getRemoteAddr(); } else { ipAddress = request.getHeader(logClientIPHeader); if (ipAddress == null) { ipAddress = request.getRemoteAddr(); } } getContextMap(messageInfo).put("ipAddress", ipAddress); }
From source file:org.forgerock.openidm.jaspi.modules.IDMJaspiModuleWrapper.java
/** * If the request contains the X-OpenIDM-NoSession header, sets the skipSession property on the MessageInfo, * and then calls the underlying auth module's secureResponse method. * * @param messageInfo {@inheritDoc}//from ww w . j a v a2 s .co m * @param serviceSubject {@inheritDoc} * @return {@inheritDoc} * @throws AuthException {@inheritDoc} */ @SuppressWarnings("unchecked") @Override public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { final HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); final String noSession = request.getHeader(NO_SESSION); if (Boolean.parseBoolean(noSession)) { messageInfo.getMap().put("skipSession", true); } return authModule.secureResponse(messageInfo, serviceSubject); }
From source file:org.forgerock.openidm.jaspi.modules.IDMUserAuthModule.java
/** * Validates the request by authenticating against either the client certificate in the request, internally or * Basic Authentication from the request header internally. * * @param messageInfo {@inheritDoc}/*from ww w. j a v a 2 s. c om*/ * @param clientSubject {@inheritDoc} * @param serviceSubject {@inheritDoc} * @param authData {@inheritDoc} * @return {@inheritDoc} */ @Override protected AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject, AuthData authData) { HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage(); boolean authenticated; final String headerLogin = req.getHeader(HEADER_USERNAME); String basicAuth = req.getHeader("Authorization"); // if we see the certificate port this request is for client auth only if (allowClientCertOnly(req)) { authenticated = authenticateUsingClientCert(req, authData); //Auth success will be logged in IDMServerAuthModule super type. } else if (headerLogin != null) { authenticated = authenticateUser(req, authData); //Auth success will be logged in IDMServerAuthModule super type. } else if (basicAuth != null) { authenticated = authenticateUsingBasicAuth(basicAuth, authData); //Auth success will be logged in IDMServerAuthModule super type. } else { //Auth failure will be logged in IDMServerAuthModule super type. return AuthStatus.SEND_FAILURE; } authData.setResource(queryOnResource); logger.debug("Found valid session for {} id {} with roles {}", authData.getUsername(), authData.getUserId(), authData.getRoles()); if (authenticated) { clientSubject.getPrincipals().add(new Principal() { public String getName() { return headerLogin; } }); } return authenticated ? AuthStatus.SUCCESS : AuthStatus.SEND_FAILURE; }
From source file:org.forgerock.openidm.jaspi.modules.IWAPassthroughModule.java
/** * Uses the IWA authentication module with fall through to the Passthrough authentication module to validate the * request./*from w w w . j ava 2 s.c o m*/ * * If the OpenIDM username header has been set then Passthrough is used. * If the OpenIDM username header is not set the IWA is used. * If IWA fails then Passthrough is used. * If Passthrough fails then the method returns AuthStatus.SEND_FAILURE. * If either Passthrough or IWA succeeds then the method return AuthStatus.SUCCESS. * * @param messageInfo {@inheritDoc} * @param clientSubject {@inheritDoc} * @param serviceSubject {@inheritDoc} * @param authData {@inheritDoc} * @return {@inheritDoc} * @throws AuthException If there is a problem performing the authentication. */ @Override protected AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject, AuthData authData) throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); //Set pass through auth resource on request so can be accessed by authnPopulateContext.js script. passthroughModule.setPassThroughAuthOnRequest(messageInfo); String xOpenIDMUsername = request.getHeader("X-OpenIDM-Username"); String xOpenIdmPassword = request.getHeader("X-OpenIDM-Password"); if (!StringUtils.isEmpty(xOpenIDMUsername) && !StringUtils.isEmpty(xOpenIdmPassword)) { // skip straight to ad passthrough LOGGER.debug("IWAPassthroughModule: Have OpenIDM username, falling back to AD Passthrough"); return passthroughModule.validateRequest(messageInfo, clientSubject, serviceSubject, authData); } AuthStatus authStatus = super.validateRequest(messageInfo, clientSubject, serviceSubject, authData); if (AuthStatus.SEND_FAILURE.equals(authStatus)) { return passthroughModule.validateRequest(messageInfo, clientSubject, serviceSubject, authData); } else { return authStatus; } }
From source file:org.forgerock.openidm.jaspi.modules.PassthroughModule.java
/** * Validates the client's request by passing through the request to be authenticated against a OpenICF Connector. * * @param messageInfo {@inheritDoc}//from w w w . j a v a 2 s. co m * @param clientSubject {@inheritDoc} * @param serviceSubject {@inheritDoc} * @param authData {@inheritDoc} * @return {@inheritDoc} * @throws AuthException If there is a problem performing the authentication. */ @Override protected AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject, AuthData authData) throws AuthException { LOGGER.debug("PassthroughModule: validateRequest START"); HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); try { LOGGER.debug("PassthroughModule: Delegating call to internal AuthFilter"); //Set pass through auth resource on request so can be accessed by authnPopulateContext.js script. setPassThroughAuthOnRequest(messageInfo); final String username = request.getHeader("X-OpenIDM-Username"); String password = request.getHeader("X-OpenIDM-Password"); if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) { LOGGER.debug("Failed authentication, missing or empty headers"); //Auth failure will be logged in IDMServerAuthModule super type. return AuthStatus.SEND_FAILURE; } authData.setUsername(username); clientSubject.getPrincipals().add(new Principal() { public String getName() { return username; } }); boolean authenticated = passthroughAuthenticator.authenticate(authData, password); if (authenticated) { LOGGER.debug("PassthroughModule: Authentication successful"); LOGGER.debug("Found valid session for {} id {} with roles {}", authData.getUsername(), authData.getUserId(), authData.getRoles()); //Auth success will be logged in IDMServerAuthModule super type. return AuthStatus.SUCCESS; } else { LOGGER.debug("PassthroughModule: Authentication failed"); //Auth failure will be logged in IDMServerAuthModule super type. return AuthStatus.SEND_FAILURE; } } finally { LOGGER.debug("PassthroughModule: validateRequest END"); } }