Examples with ISecurityContext org.apereo.portal.security.ISecurityContext used on opensource projects

Example 6 with ISecurityContext

use of org.apereo.portal.security.ISecurityContext in project uPortal by Jasig.

the class AbstractPermissionsController method isAuthorized.

/*
     * Protected API.
     */
protected final boolean isAuthorized(HttpServletRequest req) throws Exception {
    /*
         * This is sensitive data;  we must verify that the user
         * has the appropriate level of access to see it...
         */
    // STEP (1):  Is there an IPerson?
    final IPerson person = personManager.getPerson((HttpServletRequest) req);
    if (person != null) {
        // STEP (2):  Is the person authenticated?
        final ISecurityContext securityContext = person.getSecurityContext();
        if (securityContext != null && securityContext.isAuthenticated()) {
            // STEP (3):  Does this user have SUBSCRIBE permission for permissionsAdminChannel?
            IAuthorizationPrincipal principal = authorizationService.newPrincipal((String) person.getAttribute(IPerson.USERNAME), IPerson.class);
            final IPortletDefinition permissionsAdminPortlet = portletDefinitionRegistry.getPortletDefinitionByFname(PERMISSIONS_ADMIN_PORTLET_FNAME);
            if (permissionsAdminPortlet == null) {
                return false;
            }
            final String portletId = permissionsAdminPortlet.getPortletDefinitionId().getStringId();
            if (authorizationService.canPrincipalSubscribe(principal, portletId)) {
                return true;
            }
        }
    }
    return false;
}

Example 7 with ISecurityContext

use of org.apereo.portal.security.ISecurityContext in project uPortal by Jasig.

the class CasTicketUserInfoService method getProxyTicket.

/**
     * Attempt to get a proxy ticket for the current portlet.
     *
     * @param request portlet request
     * @return a proxy ticket, or <code>null</code> if we were unsuccessful
     */
private String getProxyTicket(PortletRequest request) {
    final HttpServletRequest httpServletRequest = this.portalRequestUtils.getPortletHttpRequest(request);
    // try to determine the URL for our portlet
    String targetService = null;
    try {
        URL url = null;
        // if the server port is 80 or 443, don't include it in the URL
        int port = request.getServerPort();
        if (port == 80 || port == 443)
            url = new URL(request.getScheme(), request.getServerName(), request.getContextPath());
        else
            url = new URL(request.getScheme(), request.getServerName(), request.getServerPort(), request.getContextPath());
        targetService = url.toString();
    } catch (MalformedURLException e) {
        log.error("Failed to create a URL for the target portlet", e);
        e.printStackTrace();
        return null;
    }
    // get the CasSecurityContext
    final IUserInstance userInstance = userInstanceManager.getUserInstance(httpServletRequest);
    final IPerson person = userInstance.getPerson();
    final ISecurityContext context = person.getSecurityContext();
    if (context == null) {
        log.error("no security context, no proxy ticket passed to the portlet");
        return null;
    }
    ISecurityContext casContext = getCasContext(context);
    if (casContext == null) {
        log.debug("no CAS security context, no proxy ticket passed to the portlet");
        return null;
    }
    if (!casContext.isAuthenticated()) {
        log.debug("no CAS authentication, no proxy ticket passed to the portlet");
        return null;
    }
    // get a proxy ticket for our portlet from the CasSecurityContext
    String proxyTicket = null;
    try {
        proxyTicket = ((ICasSecurityContext) casContext).getCasServiceToken(targetService);
        log.debug("Put proxy ticket in userinfo: " + proxyTicket);
    } catch (CasProxyTicketAcquisitionException e) {
        log.error("no proxy ticket passed to the portlet: " + e);
    }
    return proxyTicket;
}

Example 8 with ISecurityContext

use of org.apereo.portal.security.ISecurityContext in project uPortal by Jasig.

the class MaxInactiveInterceptor method preHandle.

@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
    final HttpSession session = request.getSession(false);
    if (session == null) {
        return true;
    }
    // Now see if authentication was successful...
    final IPerson person = this.personManager.getPerson((HttpServletRequest) request);
    if (person == null) {
        return true;
    }
    // Check if the session max inactive value has already been set
    Boolean isAlreadySet = (Boolean) person.getAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR);
    if (isAlreadySet != null && isAlreadySet.equals(Boolean.TRUE)) {
        if (log.isDebugEnabled()) {
            log.debug("Session.setMaxInactiveInterval() has already been determined for user '" + person.getAttribute(IPerson.USERNAME) + "'");
        }
        return true;
    }
    final ISecurityContext securityContext = person.getSecurityContext();
    if (securityContext != null && securityContext.isAuthenticated()) {
        // We have an authenticated user... let's see if any MAX_INACTIVE settings apply...
        IAuthorizationPrincipal principal = authorizationService.newPrincipal((String) person.getAttribute(IPerson.USERNAME), IPerson.class);
        Integer rulingGrant = null;
        Integer rulingDeny = null;
        IPermission[] permissions = authorizationService.getAllPermissionsForPrincipal(principal, IPermission.PORTAL_SYSTEM, "MAX_INACTIVE", null);
        assert (permissions != null);
        if (permissions.length == 0) {
            // No max inactive permission set for this user
            if (log.isInfoEnabled()) {
                log.info("No MAX_INACTIVE permissions apply to user '" + person.getAttribute(IPerson.USERNAME) + "'");
            }
            person.setAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR, Boolean.TRUE);
            return true;
        }
        for (IPermission p : permissions) {
            // First be sure the record applies currently...
            long now = System.currentTimeMillis();
            if (p.getEffective() != null && p.getEffective().getTime() > now) {
                // It's *TOO EARLY* for this record... move on.
                continue;
            }
            if (p.getExpires() != null && p.getExpires().getTime() < now) {
                // It's *TOO LATE* for this record... move on.
                continue;
            }
            if (p.getType().equals(IPermission.PERMISSION_TYPE_GRANT)) {
                try {
                    Integer grantEntry = Integer.valueOf(p.getTarget());
                    if (rulingGrant == null || grantEntry.intValue() < 0 || /* Any negative number trumps all */
                    rulingGrant.intValue() < grantEntry.intValue()) {
                        rulingGrant = grantEntry;
                    }
                } catch (NumberFormatException nfe) {
                    log.warn("Invalid MAX_INACTIVE permission grant '" + p.getTarget() + "';  target must be an integer value.");
                }
            } else if (p.getType().equals(IPermission.PERMISSION_TYPE_DENY)) {
                try {
                    Integer denyEntry = Integer.valueOf(p.getTarget());
                    if (rulingDeny == null || rulingDeny.intValue() > denyEntry.intValue()) {
                        rulingDeny = denyEntry;
                    }
                } catch (NumberFormatException nfe) {
                    log.warn("Invalid MAX_INACTIVE permission deny '" + p.getTarget() + "';  target must be an integer value.");
                }
            } else {
                log.warn("Unknown permission type:  " + p.getType());
            }
        }
        if (rulingDeny != null && rulingDeny.intValue() < 0) {
            // Negative MaxInactiveInterval values mean the session never
            // times out, so a negative DENY is somewhat nonsensical... just
            // clear it.
            log.warn("A MAX_INACTIVE DENY entry improperly specified a negative target:  " + rulingDeny.intValue());
            rulingDeny = null;
        }
        if (rulingGrant != null || rulingDeny != null) {
            // We only want to intervene if there's some actual value
            // specified... otherwise we'll just let the container settings
            //govern.
            int maxInactive = rulingGrant != null ? rulingGrant.intValue() : // If rulingGrant is null, rulingDeny won't be...
            0;
            if (rulingDeny != null) {
                // Applying DENY entries is tricky b/c GRANT entries may be negative...
                int limit = rulingDeny.intValue();
                if (maxInactive >= 0) {
                    maxInactive = limit < maxInactive ? limit : maxInactive;
                } else {
                    // The best grant was negative (unlimited), so go with limit...
                    maxInactive = limit;
                }
            }
            // Apply the specified setting...
            session.setMaxInactiveInterval(maxInactive);
            person.setAttribute(this.SESSION_MAX_INACTIVE_SET_ATTR, Boolean.TRUE);
            if (log.isInfoEnabled()) {
                log.info("Setting maxInactive to '" + maxInactive + "' for user '" + person.getAttribute(IPerson.USERNAME) + "'");
            }
        }
    }
    return true;
}

Example 9 with ISecurityContext

use of org.apereo.portal.security.ISecurityContext in project uPortal by Jasig.

the class PortletPreferencesFactoryImpl method isGuestUser.

protected boolean isGuestUser(HttpServletRequest containerRequest) {
    //Checking for isAuth instead of isGuest to allow for authenticated guest customization of prefs
    final IPerson person = this.personManager.getPerson(containerRequest);
    final ISecurityContext securityContext = person.getSecurityContext();
    return !securityContext.isAuthenticated();
}

Example 10 with ISecurityContext

use of org.apereo.portal.security.ISecurityContext in project uPortal by Jasig.

the class CachedPasswordUserInfoService method getUserInfo.

/*
     * (non-Javadoc)
     * @see org.apache.pluto.container.UserInfoService#getUserInfo(javax.portlet.PortletRequest, org.apache.pluto.container.PortletWindow)
     */
@Override
public Map<String, String> getUserInfo(PortletRequest request, PortletWindow portletWindow) throws PortletContainerException {
    Map<String, String> userInfo = new HashMap<String, String>();
    // check to see if a password is expected by this portlet
    if (isPasswordRequested(request, portletWindow)) {
        log.debug("Portlet named {} wants a password", portletWindow.getPortletDefinition().getPortletName());
        final HttpServletRequest httpServletRequest = this.portalRequestUtils.getPortletHttpRequest(request);
        final IUserInstance userInstance = userInstanceManager.getUserInstance(httpServletRequest);
        final IPerson person = userInstance.getPerson();
        final ISecurityContext context = person.getSecurityContext();
        // if it is, attempt to request a password
        String password = getPassword(context);
        log.debug(password != null ? "Have a non-null password" : "password was null");
        if (this.decryptPassword && password != null) {
            log.debug("Attempting to decrypt password");
            password = stringEncryptionService.decrypt(password);
            log.debug("Password decryption complete, password is length {}", password != null ? password.length() : "is null");
        }
        if (password != null) {
            userInfo.put(this.passwordKey, password);
            log.debug("Found password with length {} for portlet name {}", password.length() != 0 ? "non-zero" : 0, portletWindow.getPortletDefinition().getPortletName());
        }
    }
    return userInfo;
}