
Example 1 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.api.BaseAuthenticationToken in project ddf by codice.

the class IdpEndpoint method handleLogin.

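/**
 * Authenticates the requester with the selected auth method and builds the SAML
 * {@code Response} returned to the service provider.
 *
 * <p>The credential is first normalised into a {@link BaseAuthenticationToken} for the requested
 * {@code authMethod} (PKI, BASIC/username-password, a SAML assertion supplied in the form, or
 * guest when {@code guestAccess} is enabled). Unless a session cookie was already found
 * ({@code hasCookie}), the token is handed to {@code securityManager} and the SAML assertion
 * carried by the resulting subject becomes the response payload.
 *
 * @param authnRequest the SP's request; only its ID is echoed back into the response
 * @param authMethod   one of the PKI / USER_PASS / SAML / GUEST constants
 * @param request      the HTTP request the handlers read credentials from
 * @param authObj      form-supplied credentials: may be null for PKI/guest; used for USER_PASS when it
 *                     carries both username and password (otherwise the Authorization header is read);
 *                     must carry an assertion for SAML
 * @param passive      true for a passive request: an authentication failure is reported as
 *                     AUTHN_FAILED in the response instead of being thrown
 * @param hasCookie    true when the caller already located a session cookie; the assertion is then
 *                     read from the request and no authentication is performed
 * @return a SAML response with status SUCCESS or AUTHN_FAILED
 * @throws IllegalArgumentException if {@code authMethod} is unsupported, guest access is disabled,
 *                                  or the SAML method is used without an assertion
 * @throws SecurityServiceException if authentication fails (or no credential could be obtained)
 *                                  and {@code passive} is false
 */
protected org.opensaml.saml.saml2.core.Response handleLogin(AuthnRequest authnRequest, String authMethod, HttpServletRequest request, AuthObj authObj, boolean passive, boolean hasCookie) throws SecurityServiceException, WSSecurityException, SimpleSign.SignatureException, ConstraintViolationException {
    LOGGER.debug("Performing login for user. passive: {}, cookie: {}", passive, hasCookie);
    request.setAttribute(ContextPolicy.ACTIVE_REALM, BaseAuthenticationToken.ALL_REALM);
    // Resolved before the cookie check so an unsupported auth method is rejected either way.
    BaseAuthenticationToken token = tokenForAuthMethod(authMethod, request, authObj);
    org.w3c.dom.Element samlToken = null;
    String statusCode = StatusCode.AUTHN_FAILED;
    if (hasCookie) {
        // NOTE(review): SUCCESS is reported even if getSamlAssertion(request) yields null;
        // this relies on the caller only passing hasCookie=true for a validated cookie.
        samlToken = getSamlAssertion(request);
        statusCode = StatusCode.SUCCESS;
    } else if (token == null) {
        // No handler produced a credential (PKI handler did not COMPLETE, or no Basic header).
        // This used to fall through to securityManager.getSubject(null); report it as an
        // authentication failure with the same passive/non-passive semantics as the branch below.
        if (!passive) {
            throw new SecurityServiceException("No credentials were provided for auth method " + authMethod);
        }
    } else {
        try {
            Subject subject = securityManager.getSubject(token);
            samlToken = samlElementFromSubject(subject);
            if (samlToken != null) {
                statusCode = StatusCode.SUCCESS;
            }
        } catch (SecurityServiceException e) {
            // Passive requests must answer with AUTHN_FAILED rather than an error.
            if (!passive) {
                throw e;
            }
        }
    }
    // Log the actual outcome; the former unconditional "successful" message was wrong for AUTHN_FAILED.
    LOGGER.debug("User log in finished with status: {}", statusCode);
    return SamlProtocol.createResponse(SamlProtocol.createIssuer(SystemBaseUrl.constructUrl("/idp/login", true)), SamlProtocol.createStatus(statusCode), authnRequest.getID(), samlToken);
}

/**
 * Builds the authentication token for {@code authMethod} from the request and form data.
 *
 * @return the token, or null when the relevant handler found no usable credential
 * @throws IllegalArgumentException for an unsupported method, guest when disabled, or SAML without an assertion
 */
private BaseAuthenticationToken tokenForAuthMethod(String authMethod, HttpServletRequest request, AuthObj authObj) {
    if (PKI.equals(authMethod)) {
        LOGGER.debug("Logging user in via PKI.");
        PKIHandler pkiHandler = new PKIHandler();
        pkiHandler.setTokenFactory(tokenFactory);
        try {
            HandlerResult handlerResult = pkiHandler.getNormalizedToken(request, null, null, false);
            if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
                return handlerResult.getToken();
            }
        } catch (ServletException e) {
            // Best effort: a failing certificate check is logged and treated as "no credential".
            LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
        }
        return null;
    }
    if (USER_PASS.equals(authMethod)) {
        LOGGER.debug("Logging user in via BASIC auth.");
        if (authObj != null && authObj.username != null && authObj.password != null) {
            return new UPAuthenticationToken(authObj.username, authObj.password, BaseAuthenticationToken.ALL_REALM);
        }
        // No form credentials: fall back to an Authorization: Basic header on the request.
        BasicAuthenticationHandler basicAuthenticationHandler = new BasicAuthenticationHandler();
        HandlerResult handlerResult = basicAuthenticationHandler.getNormalizedToken(request, null, null, false);
        if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
            return handlerResult.getToken();
        }
        return null;
    }
    if (SAML.equals(authMethod)) {
        LOGGER.debug("Logging user in via SAML assertion.");
        // Previously dereferenced authObj unchecked (NPE); reject bad input explicitly like the other cases.
        if (authObj == null || authObj.assertion == null) {
            throw new IllegalArgumentException("SAML auth method requires an assertion.");
        }
        return new SAMLAuthenticationToken(null, authObj.assertion, BaseAuthenticationToken.ALL_REALM);
    }
    if (GUEST.equals(authMethod) && guestAccess) {
        LOGGER.debug("Logging user in as Guest.");
        return new GuestAuthenticationToken(BaseAuthenticationToken.ALL_REALM, request.getRemoteAddr());
    }
    throw new IllegalArgumentException("Auth method is not supported.");
}

/**
 * Returns the SAML assertion element carried by the subject's {@link SecurityAssertion}
 * principal, or null if there is none. When several are present the last one wins, as before.
 */
private org.w3c.dom.Element samlElementFromSubject(Subject subject) {
    org.w3c.dom.Element assertion = null;
    for (Object principal : subject.getPrincipals().asList()) {
        if (principal instanceof SecurityAssertion) {
            SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
            assertion = securityToken.getToken();
        }
    }
    return assertion;
}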

Example 2 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.api.BaseAuthenticationToken in project ddf by codice.

the class WssBasicAuthenticationHandler method getBaseAuthenticationToken.

/**
 * Wraps the supplied username/password in a WS-Security {@code UsernameToken} whose password
 * element is typed {@code PASSWORD_TEXT} (the clear-text password) and returns it as a
 * {@link BaseAuthenticationToken} flagged for the WSS STS.
 *
 * <p>The {@code realm} parameter is not used: the token is always created with an empty realm.
 * If marshalling fails, only the exception is logged (the serialised token holds the clear-text
 * password and must never be logged) and a token whose credential payload is null is returned.
 *
 * @param realm    ignored; the returned token always has realm {@code ""}
 * @param username user name placed in the token
 * @param password clear-text password placed in the token
 * @return a token carrying the serialised UsernameToken XML (null payload on marshalling failure)
 * @throws IllegalStateException if no {@code parser} has been configured
 */
protected BaseAuthenticationToken getBaseAuthenticationToken(String realm, String username, String password) {
    if (null == parser) {
        throw new IllegalStateException("XMLParser must be configured.");
    }
    JAXBElement<UsernameTokenType> wrapped = wrapAsUsernameToken(username, password);
    String serialised = marshalUsernameToken(wrapped);
    BaseAuthenticationToken result = new BaseAuthenticationToken(null, "", serialised);
    result.setUseWssSts(true);
    return result;
}

/** Builds the JAXB UsernameToken element holding {@code username} and a PASSWORD_TEXT password. */
private static JAXBElement<UsernameTokenType> wrapAsUsernameToken(String username, String password) {
    AttributedString userElement = new AttributedString();
    userElement.setValue(username);
    PasswordString passwordElement = new PasswordString();
    passwordElement.setValue(password);
    passwordElement.setType(WSConstants.PASSWORD_TEXT);
    JAXBElement<PasswordString> wrappedPassword = new JAXBElement<>(QNameConstants.PASSWORD, PasswordString.class, passwordElement);
    UsernameTokenType usernameTokenType = new UsernameTokenType();
    usernameTokenType.setUsername(userElement);
    usernameTokenType.getAny().add(wrappedPassword);
    return new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
}

/**
 * Marshals the UsernameToken to its XML string form.
 *
 * @return the UTF-8 XML text, or null (after logging the exception) if marshalling fails
 */
private String marshalUsernameToken(JAXBElement<UsernameTokenType> tokenType) {
    List<String> contextPath = new ArrayList<>(2);
    contextPath.add(ObjectFactory.class.getPackage().getName());
    contextPath.add(org.apache.cxf.ws.security.sts.provider.model.wstrust14.ObjectFactory.class.getPackage().getName());
    ParserConfigurator configurator = parser.configureParser(contextPath, WssBasicAuthenticationHandler.class.getClassLoader());
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    try {
        parser.marshal(configurator, tokenType, buffer);
        return buffer.toString("UTF-8");
    } catch (ParserException | UnsupportedEncodingException ex) {
        // Log the exception only -- never the token contents, which include the password.
        LOGGER.info("Unable to parse username token.", ex);
        return null;
    }
}

Example 3 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.api.BaseAuthenticationToken in project ddf by codice.

the class BasicAuthenticationHandlerTest method testIllegalStateException.

/**
 * A {@link WssBasicAuthenticationHandler} constructed without an XML parser must refuse to
 * build a token: {@code extractAuthInfo} is expected to throw {@link IllegalStateException}.
 * The plain Basic handler is exercised first to show the same header is otherwise valid.
 */
@Test(expected = IllegalStateException.class)
public void testIllegalStateException() {
    String basicHeader = "Basic " + Base64.getEncoder().encodeToString(CREDENTIALS.getBytes());
    BasicAuthenticationHandler plainHandler = new BasicAuthenticationHandler();
    UPAuthenticationToken plainToken = (UPAuthenticationToken) plainHandler.extractAuthInfo(basicHeader, "TestRealm");
    assertNotNull(plainToken);
    assertEquals("admin", plainToken.getUsername());
    assertEquals("password", plainToken.getPassword());
    assertEquals("TestRealm", plainToken.getRealm());
    // null parser: the call below is the one expected to throw
    WssBasicAuthenticationHandler wssHandler = new WssBasicAuthenticationHandler(null);
    wssHandler.extractAuthInfo(basicHeader, "TestRealm");
}

Example 4 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.api.BaseAuthenticationToken in project ddf by codice.

the class BasicAuthenticationHandlerTest method testExtractAuthInfo.

/**
 * Checks header parsing of both Basic handlers: a well-formed "user:pass" header yields a
 * username/password token in the requested realm (the WSS variant always reports realm ""),
 * an empty user or empty password is still accepted, and a header without the ':' separator
 * or with no payload at all yields null.
 */
@Test
public void testExtractAuthInfo() {
    Parser parser = new XmlParser();
    BasicAuthenticationHandler handler = new BasicAuthenticationHandler();
    UPAuthenticationToken token = (UPAuthenticationToken) handler.extractAuthInfo(basicHeader(CREDENTIALS), "TestRealm");
    assertNotNull(token);
    assertEquals("admin", token.getUsername());
    assertEquals("password", token.getPassword());
    assertEquals("TestRealm", token.getRealm());
    // The WSS handler ignores the realm argument and always produces an empty realm.
    WssBasicAuthenticationHandler wssHandler = new WssBasicAuthenticationHandler(parser);
    BaseAuthenticationToken wssToken = wssHandler.extractAuthInfo(basicHeader(CREDENTIALS), "TestRealm");
    assertNotNull(wssToken);
    assertEquals("", wssToken.getRealm());
    // Empty user name is accepted.
    token = (UPAuthenticationToken) handler.extractAuthInfo(basicHeader(":password"), "TestRealm");
    assertNotNull(token);
    assertEquals("", token.getUsername());
    assertEquals("password", token.getPassword());
    assertEquals("TestRealm", token.getRealm());
    // Empty password is accepted.
    token = (UPAuthenticationToken) handler.extractAuthInfo(basicHeader("user:"), "TestRealm");
    assertNotNull(token);
    assertEquals("user", token.getUsername());
    assertEquals("", token.getPassword());
    assertEquals("TestRealm", token.getRealm());
    // Missing ':' separator and empty payload are rejected.
    assertNull(handler.extractAuthInfo(basicHeader("user/password"), "TestRealm"));
    assertNull(handler.extractAuthInfo(basicHeader(""), "TestRealm"));
}

/** Builds an HTTP Basic Authorization header value for the given "user:pass" string. */
private static String basicHeader(String userColonPass) {
    return "Basic " + Base64.getEncoder().encodeToString(userColonPass.getBytes());
}

Example 5 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.api.BaseAuthenticationToken in project ddf by codice.

the class GuestHandler method getNormalizedToken.

/**
 * Produces a token for a guest request. Credentials already present on the request are
 * returned as they are; otherwise guest credentials are issued (both via {@code getAuthToken}).
 * The result is always COMPLETED: this handler never challenges or redirects.
 *
 * NOTE(review): request/response are cast to the HTTP servlet types without a check, and the
 * realm attribute is read without a null check (the source would then read "null-GuestHandler");
 * confirm that callers always supply both.
 *
 * @param request  http request to obtain attributes from and to pass into any local filter chains required
 * @param response http response to return http responses or redirects
 * @param chain    original filter chain (should not be called from your handler)
 * @param resolve  not consulted by this handler: guest resolution never needs a challenge
 * @return a COMPLETED HandlerResult carrying the token
 */
@Override
public HandlerResult getNormalizedToken(ServletRequest request, ServletResponse response, FilterChain chain, boolean resolve) {
    String activeRealm = (String) request.getAttribute(ContextPolicy.ACTIVE_REALM);
    // Either the credentials found on the request or freshly minted guest credentials.
    BaseAuthenticationToken guestOrProvided = getAuthToken((HttpServletRequest) request, (HttpServletResponse) response, chain);
    HandlerResult outcome = new HandlerResult();
    outcome.setSource(activeRealm + "-GuestHandler");
    outcome.setStatus(HandlerResult.Status.COMPLETED);
    outcome.setToken(guestOrProvided);
    return outcome;
}
