io.getlime.security.powerauth.rest.api.spring.provider.PowerAuthAuthenticationProvider Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of powerauth-restful-security-spring-annotation Show documentation
Show all versions of powerauth-restful-security-spring-annotation Show documentation
PowerAuth RESTful API Security Annotations for Spring
/*
* PowerAuth integration libraries for RESTful API applications, examples and
* related software components
*
* Copyright (C) 2018 Wultra s.r.o.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see applicationRoles,
List activationFlags, AuthenticationContext authenticationContext,
String version, PowerAuthHttpHeader httpHeader, PowerAuthActivation activationContext) {
final PowerAuthApiAuthenticationImpl apiAuthentication = new PowerAuthApiAuthenticationImpl();
apiAuthentication.setActivationId(activationId);
apiAuthentication.setUserId(userId);
apiAuthentication.setApplicationId(applicationId);
apiAuthentication.setApplicationRoles(applicationRoles);
apiAuthentication.setActivationFlags(activationFlags);
apiAuthentication.setAuthenticationContext(authenticationContext);
apiAuthentication.setAuthenticated(true);
apiAuthentication.setVersion(version);
apiAuthentication.setHttpHeader(httpHeader);
apiAuthentication.setActivationContext(activationContext);
return apiAuthentication;
}
/**
* Prepare activation detail with provided attributes.
* @param activationId Activation ID.
* @param userId User ID.
* @param activationStatus Activation status.
* @param blockedReason Reason why activation was blocked.
* @param activationFlags Activation flags.
* @param authenticationContext Authentication context.
* @param version PowerAuth protocol version.
* @return Initialized instance of API authentication.
*/
private PowerAuthActivationImpl copyActivationAttributes(String activationId, String userId, ActivationStatus activationStatus, String blockedReason,
List activationFlags, AuthenticationContext authenticationContext, String version) {
final PowerAuthActivationImpl activationContext = new PowerAuthActivationImpl();
activationContext.setActivationId(activationId);
activationContext.setUserId(userId);
activationContext.setActivationStatus(activationStatus);
activationContext.setBlockedReason(blockedReason);
activationContext.setActivationFlags(activationFlags);
activationContext.setAuthenticationContext(authenticationContext);
activationContext.setVersion(version);
return activationContext;
}
/**
* Validate the signature from the PowerAuth HTTP header against the provided HTTP method, request body and URI identifier.
* Make sure to accept only allowed signatures.
* @param httpMethod HTTP method (GET, POST, ...)
* @param httpBody Body of the HTTP request.
* @param requestUriIdentifier Request URI identifier.
* @param httpAuthorizationHeader PowerAuth HTTP authorization header.
* @param allowedSignatureTypes Allowed types of the signature.
* @param forcedSignatureVersion Forced signature version, optional parameter used during upgrade.
* @return Instance of a PowerAuthApiAuthenticationImpl on successful authorization.
* @throws PowerAuthAuthenticationException In case authorization fails, exception is raised.
*/
public PowerAuthApiAuthentication validateRequestSignature(
@Nonnull String httpMethod,
@Nullable byte[] httpBody,
@Nonnull String requestUriIdentifier,
@Nonnull String httpAuthorizationHeader,
@Nonnull List allowedSignatureTypes,
@Nullable Integer forcedSignatureVersion
) throws PowerAuthAuthenticationException {
final PowerAuthApiAuthentication apiAuthentication = validateRequestSignatureWithActivationDetails(httpMethod, httpBody, requestUriIdentifier, httpAuthorizationHeader, allowedSignatureTypes, forcedSignatureVersion);
if (!apiAuthentication.getAuthenticationContext().isValid()) {
// Traditionally, failed signature validation returns null value for PowerAuthApiAuthentication
return null;
}
return apiAuthentication;
}
@Override
public @Nonnull PowerAuthApiAuthentication validateRequestSignatureWithActivationDetails(@Nonnull String httpMethod, @Nullable byte[] httpBody, @Nonnull String requestUriIdentifier, @Nonnull String httpAuthorizationHeader, @Nonnull List allowedSignatureTypes, @Nullable Integer forcedSignatureVersion) throws PowerAuthAuthenticationException {
// Check for HTTP PowerAuth signature header
if (httpAuthorizationHeader.equals("undefined")) {
logger.warn("Signature HTTP header is missing");
throw new PowerAuthHeaderMissingException();
}
// Parse HTTP header
final PowerAuthSignatureHttpHeader header = new PowerAuthSignatureHttpHeader().fromValue(httpAuthorizationHeader);
// Validate the header
try {
PowerAuthSignatureHttpHeaderValidator.validate(header);
} catch (InvalidPowerAuthHttpHeaderException ex) {
logger.warn("Signature HTTP header validation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthSignatureInvalidException();
}
// Check if the signature type is allowed
final PowerAuthSignatureTypes expectedSignatureType = PowerAuthSignatureTypes.getEnumFromString(header.getSignatureType());
if (expectedSignatureType == null || !allowedSignatureTypes.contains(expectedSignatureType)) {
logger.warn("Invalid signature type: {}", expectedSignatureType);
throw new PowerAuthSignatureTypeInvalidException();
}
// Configure PowerAuth authentication object
final PowerAuthSignatureAuthenticationImpl powerAuthAuthentication = new PowerAuthSignatureAuthenticationImpl();
powerAuthAuthentication.setActivationId(header.getActivationId());
powerAuthAuthentication.setApplicationKey(header.getApplicationKey());
powerAuthAuthentication.setNonce(BaseEncoding.base64().decode(header.getNonce()));
powerAuthAuthentication.setSignatureType(header.getSignatureType());
powerAuthAuthentication.setSignature(header.getSignature());
powerAuthAuthentication.setHttpMethod(httpMethod);
powerAuthAuthentication.setRequestUri(requestUriIdentifier);
powerAuthAuthentication.setData(httpBody);
powerAuthAuthentication.setVersion(header.getVersion());
powerAuthAuthentication.setHttpHeader(header);
powerAuthAuthentication.setForcedSignatureVersion(forcedSignatureVersion);
// Call the authentication based on signature authentication object
final PowerAuthApiAuthentication auth = (PowerAuthApiAuthentication) this.authenticate(powerAuthAuthentication);
// In case authentication is null, throw PowerAuth exception
if (auth == null) {
logger.debug("Signature validation failed");
throw new PowerAuthSignatureInvalidException();
}
return auth;
}
/**
* Validate token header for simple token-based authentication.
*
* @param tokenHeader Token header.
* @param allowedSignatureTypes Allowed types of the signature.
* @return Authentication object in case authentication is correctly obtained.
* @throws PowerAuthAuthenticationException In case of authentication failure.
*/
public @Nullable PowerAuthApiAuthentication validateToken(@Nonnull String tokenHeader, @Nonnull List allowedSignatureTypes) throws PowerAuthAuthenticationException {
final PowerAuthApiAuthentication apiAuthentication = validateTokenWithActivationDetails(tokenHeader, allowedSignatureTypes);
if (!apiAuthentication.getAuthenticationContext().isValid()) {
// Traditionally, failed token validation returns null value for PowerAuthApiAuthentication
return null;
}
return apiAuthentication;
}
@Nonnull
@Override
public PowerAuthApiAuthentication validateTokenWithActivationDetails(@Nonnull String tokenHeader, @Nonnull List allowedSignatureTypes) throws PowerAuthAuthenticationException {
// Check for HTTP PowerAuth signature header
if (tokenHeader.equals("undefined")) {
logger.warn("Token HTTP header is missing");
throw new PowerAuthHeaderMissingException();
}
// Parse HTTP header
final PowerAuthTokenHttpHeader header = new PowerAuthTokenHttpHeader().fromValue(tokenHeader);
// Validate the header
try {
PowerAuthTokenHttpHeaderValidator.validate(header);
} catch (InvalidPowerAuthHttpHeaderException ex) {
logger.warn("Token validation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthTokenInvalidException();
}
// Prepare authentication object
final PowerAuthTokenAuthenticationImpl powerAuthTokenAuthentication = new PowerAuthTokenAuthenticationImpl();
powerAuthTokenAuthentication.setTokenId(header.getTokenId());
powerAuthTokenAuthentication.setTokenDigest(header.getTokenDigest());
powerAuthTokenAuthentication.setNonce(header.getNonce());
powerAuthTokenAuthentication.setTimestamp(header.getTimestamp());
powerAuthTokenAuthentication.setVersion(header.getVersion());
powerAuthTokenAuthentication.setHttpHeader(header);
// Call the authentication based on token authentication object
final PowerAuthApiAuthentication auth = (PowerAuthApiAuthentication) this.authenticate(powerAuthTokenAuthentication);
// In case authentication is null, throw PowerAuth exception
if (auth == null) {
logger.debug("Invalid token value");
throw new PowerAuthTokenInvalidException();
}
// Check if the signature type is allowed
final PowerAuthSignatureTypes expectedSignatureType = auth.getAuthenticationContext().getSignatureType();
if (expectedSignatureType == null || !allowedSignatureTypes.contains(expectedSignatureType)) {
logger.warn("Invalid signature type in token validation: {}", expectedSignatureType);
throw new PowerAuthSignatureTypeInvalidException();
}
return auth;
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy