pac4j / spark-pac4j Goto Github PK

Do we already have DIGEST authentication mechanism for SparkJava?

if so, can you share us some samples?

and all dependencies, Java 8...
Rename RequiresAuthenticationFilter as SecurityFilter

SAML protocol not redirecting to the idp.

As described here: https://groups.google.com/forum/?fromgroups=#!topic/pac4j-users/iaOL56dDfN0

Whenever I add a SecurityFilter to a path, the Request#body becomes blank. In fact, the entire Request object becomes uninitialized, and you have to use Request#raw to get the underlying HttpServletRequest.

Code:

HeaderClient headerClient = new HeaderClient("Authorization", jwtAuthenticator);
Clients clients = new Clients(headerClient);
Config config = new Config(clients);
config.setHttpActionAdapter(new DefaultHttpActionAdapter());
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN");

before(((request, response) -> log.trace("Received API Call: {} {}", request.requestMethod(), request.contextPath())));
before("/api/users/*", new SecurityFilter(config, "HeaderClient", "admin"));

post("/api/users", (request, response) -> {
    log.debug("Request body: {}", request.body()); // will show up as blank 
   // ... do something
});

I noticed that the security filter uses SecurityGrantedAccessException to decide whether authorization
is granted. Is there any reason why such "good" result is indicated by an exception?

And maybe remove the getStatus (and getBody) method by the way.

On the spark-pa4j README, it is stated that you can leave away the clientName parameter on the RequiresAuthenticationFilter:

clientName (optional): the list of client names (separated by commas) used for authentication. If the user is not authenticated, direct clients are tried successively then if the user is still not authenticated and if the first client is an indirect one, this client is used to start the authentication. Otherwise, a 401 HTTP error is returned. If the client_name request parameter is provided, only the matching client is selected

This is not how it is implemented: If you leave the clientName empty, all requests are prevented. This is due to the condition in the DefaultClientFinder.find which is called from RequiresAuthenticationFilter which will return an empty client-list if no client-name is specified.

Could someone clarify if this is
a) A documentation bug
b) An implementation bug

I'm currently searching for the feature to require an authentication without explicitly specifying a client and haven't found it.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update dependency com.github.spotbugs:spotbugs-maven-plugin to v4.8.3.1
• Update dependency org.pac4j:pac4j-javaee to v6

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

I had a question on handling authn failures with the LoginForm.

For anyone else, I was using the request.params() rather than the correct request.queryParams( "error" ) method to retrieve the authn failure (which you can then use in the template rendering)

See: https://groups.google.com/forum/?fromgroups#!topic/pac4j-dev/yGoRxfYQn8U

The Spark-Pac4J library regarding SAML doesn't' seem to register correctly the callback URL when receiving the SAML Response.

The error I get is:

ERROR org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder - SAML message intended destination endpoint 'https://localhost/callback?client_name=Saml2Client' did not match the recipient endpoint 'https://localhost/callback'

As described here: Pac4J-GoogleGroups.

Hello, I'm Actually using Spark-Java with pac4j as a module on a module based application. Because the module does not have an own ClassLoader, the Class org.pac4j.core.profile.CommonProfile will not be found. Why? The Class is actually shaded into the module.

Whenever SecurityFilter is established (with indirect client configured) before an URL which is used, for example, to upload/put/post data it wipes request body after redirection loop is done (with FormClient).