diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/HttpHeaderToken.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/HttpHeaderToken.java
index 7d77c8ae52337..f7b7761e8c8e9 100644
--- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/HttpHeaderToken.java
+++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/HttpHeaderToken.java
@@ -8,8 +8,6 @@
 package org.opensearch.authn;
-import org.apache.shiro.authc.AuthenticationToken;
-
 public class HttpHeaderToken implements AuthenticationToken {
 public final static String HEADER_NAME = "Authorization";
@@ -22,14 +20,4 @@ public HttpHeaderToken(final String headerValue) {
 public String getHeaderValue() {
 return headerValue;
 }
-
- @Override
- public Object getPrincipal() {
- return null;
- }
-
- @Override
- public Object getCredentials() {
- return null;
- }
 }
diff --git a/server/src/main/java/org/opensearch/identity/AuthenticationTokenHandler.java b/server/src/main/java/org/opensearch/identity/AuthenticationTokenHandler.java
index 40b7ee5d3b0f4..73a39b5cbd47f 100644
--- a/server/src/main/java/org/opensearch/identity/AuthenticationTokenHandler.java
+++ b/server/src/main/java/org/opensearch/identity/AuthenticationTokenHandler.java
@@ -26,7 +26,7 @@ public class AuthenticationTokenHandler {
 * @param authenticationToken the token from which to extract
 * @return the extracted shiro auth token to be used to perform login
 */
- public static AuthenticationToken extractAuthToken(org.opensearch.authn.AuthenticationToken authenticationToken) {
+ public static AuthenticationToken extractShiroAuthToken(org.opensearch.authn.AuthenticationToken authenticationToken) {
 AuthenticationToken authToken = null;
 if (authenticationToken instanceof HttpHeaderToken) {
diff --git a/server/src/main/java/org/opensearch/identity/internal/InternalAuthenticationManager.java b/server/src/main/java/org/opensearch/identity/internal/InternalAuthenticationManager.java
index b83f4888e0e9c..d831f34b8d18d 100644
--- a/server/src/main/java/org/opensearch/identity/internal/InternalAuthenticationManager.java
+++ b/server/src/main/java/org/opensearch/identity/internal/InternalAuthenticationManager.java
@@ -30,6 +30,10 @@ public InternalAuthenticationManager() {
 SecurityUtils.setSecurityManager(securityManager);
 }
+ public InternalAuthenticationManager(SecurityManager securityManager) {
+ SecurityUtils.setSecurityManager(securityManager);
+ }
+
 @Override
 public Subject getSubject() {
 return new InternalSubject(SecurityUtils.getSubject());
diff --git a/server/src/main/java/org/opensearch/identity/internal/InternalSubject.java b/server/src/main/java/org/opensearch/identity/internal/InternalSubject.java
index 210bc7de1776f..678a29f0933df 100644
--- a/server/src/main/java/org/opensearch/identity/internal/InternalSubject.java
+++ b/server/src/main/java/org/opensearch/identity/internal/InternalSubject.java
@@ -60,7 +60,7 @@ public String toString() {
 */
 public void login(AuthenticationToken authenticationToken) {
- org.apache.shiro.authc.AuthenticationToken authToken = AuthenticationTokenHandler.extractAuthToken(authenticationToken);
+ org.apache.shiro.authc.AuthenticationToken authToken = AuthenticationTokenHandler.extractShiroAuthToken(authenticationToken);
 // Unsupported auth header found
 if (authToken == null) {
diff --git a/server/src/main/java/org/opensearch/rest/SecurityRestFilter.java b/server/src/main/java/org/opensearch/rest/SecurityRestFilter.java
index d2803d48171b0..bbf6733543988 100644
--- a/server/src/main/java/org/opensearch/rest/SecurityRestFilter.java
+++ b/server/src/main/java/org/opensearch/rest/SecurityRestFilter.java
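Review bot: The new public `InternalAuthenticationManager(SecurityManager securityManager)` constructor in InternalAuthenticationManager.java hands its argument straight to `SecurityUtils.setSecurityManager(...)`, which in Shiro sets a VM-wide static. Any code able to construct this class therefore replaces the security manager behind every later `SecurityUtils.getSubject()` call in the process. Nothing rejects a null argument either, which would clear that static and move the failure to whichever request next asks for a subject. If the overload exists for tests (an inference; no caller is visible in this diff), make it package-private and start it with `Objects.requireNonNull(securityManager, "securityManager");`. A one-line Javadoc stating that construction overwrites the global security manager would also help.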
@@ -7,8 +7,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.authn.AuthenticationToken;
 import org.opensearch.authn.HttpHeaderToken;
 import org.opensearch.authn.Principals;
+import org.opensearch.authn.Subject;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.identity.Identity;
@@ -18,8 +20,6 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-import static org.opensearch.node.Node.INTERNAL_REALM;
-
 /**
 * Adds a wrapper to all rest requests to add authentication mechanism
 *
@@ -91,12 +91,16 @@ private boolean authenticate(RestRequest request, RestChannel channel, NodeClien
 .stream()
 .findFirst();
+ Subject subject = null;
 // TODO: Handle anonymous Auth - Allowed or Disallowed (set by the user of the system) - 401 or Login-redirect ??
 if (authHeader.isPresent()) {
 try {
- HttpHeaderToken token = new HttpHeaderToken(authHeader.get()); // support other type of header tokens
- INTERNAL_REALM.authenticateWithToken(token); // set subject should happen here via Subject.login()
+ // support other type of header tokens
+ AuthenticationToken token = new HttpHeaderToken(authHeader.get());
+
+ subject = Identity.getAuthManager().getSubject();
+ subject.login(token);
 return true;
 } catch (final Exception e) {
 final BytesRestResponse bytesRestResponse = BytesRestResponse.createSimpleErrorResponse(
@@ -110,8 +114,7 @@ private boolean authenticate(RestRequest request, RestChannel channel, NodeClien
 }
 // proceed to check if Auth Header was missing
- boolean isUnauthenticatedPrincipal = Identity.getAuthManager()
- .getSubject()
+ boolean isUnauthenticatedPrincipal = subject
 .getPrincipal()
 .equals(Principals.UNAUTHENTICATED.getPrincipal());
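Review bot: `subject` is dereferenced in the `@@ -110,8 +114,7 @@` hunk (`boolean isUnauthenticatedPrincipal = subject.getPrincipal()...`) but is only assigned inside `if (authHeader.isPresent())` in the `@@ -91,12 +91,16 @@` hunk. A request with no Authorization header therefore reaches that line with `subject == null` and throws a NullPointerException, where the old `Identity.getAuthManager().getSubject()` call always produced a subject to compare against `Principals.UNAUTHENTICATED`. How that exception surfaces depends on the caller of `authenticate`, whose body starts and ends outside these hunks, so the missing-header path should not be left to it. Declare the variable already initialised, `Subject subject = Identity.getAuthManager().getSubject();`, and drop the reassignment inside the `try`, leaving only `subject.login(token);` there.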