Example 1 with ExternalServiceEndpoint
use of com.epam.pipeline.security.ExternalServiceEndpoint in project cloud-pipeline by epam.
the class SAMLProxyFilter method doFilterInternal.
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
if (!urlMatches(request)) {
filterChain.doFilter(request, response);
return;
}
List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
if (CollectionUtils.isEmpty(externalServices)) {
LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
} else {
String samlResponse = request.getParameter("SAMLResponse");
if (StringUtils.isNotBlank(samlResponse)) {
try {
Response decoded = CustomSamlClient.decodeSamlResponse(samlResponse);
String audience = ListUtils.emptyIfNull(decoded.getAssertions()).stream().findFirst().map(Assertion::getConditions).map(conditions -> ListUtils.emptyIfNull(conditions.getAudienceRestrictions()).stream().findFirst()).flatMap(Function.identity()).map(audienceRestriction -> ListUtils.emptyIfNull(audienceRestriction.getAudiences()).stream().findFirst()).flatMap(Function.identity()).map(Audience::getAudienceURI).orElse(StringUtils.EMPTY);
LOGGER.debug("Received SAMLResponse for audience: {}", audience);
Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream().filter(e -> !StringUtils.EMPTY.equals(audience) && e.getEndpointId().equals(audience)).findFirst();
if (endpointOpt.isPresent()) {
authenticate(samlResponse, decoded, audience, endpointOpt.get());
}
} catch (SAMLException e) {
LOGGER.warn(e.getMessage(), e);
}
}
}
filterChain.doFilter(request, response);
}
Also used :
Response(org.opensaml.saml2.core.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
SamlResponse(com.coveo.saml.SamlResponse)
FilterChain(javax.servlet.FilterChain)
UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException)
ServletException(javax.servlet.ServletException)
MessageConstants(com.epam.pipeline.common.MessageConstants)
LoggerFactory(org.slf4j.LoggerFactory)
SYSTEM_EXTERNAL_SERVICES_ENDPOINTS(com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS)
Autowired(org.springframework.beans.factory.annotation.Autowired)
OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter)
StringUtils(org.apache.commons.lang3.StringUtils)
Function(java.util.function.Function)
CollectionUtils(org.apache.commons.collections4.CollectionUtils)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UserContext(com.epam.pipeline.security.UserContext)
MessageHelper(com.epam.pipeline.common.MessageHelper)
Response(org.opensaml.saml2.core.Response)
ListUtils(org.apache.commons.collections4.ListUtils)
AntPathMatcher(org.springframework.util.AntPathMatcher)
Assertion(org.opensaml.saml2.core.Assertion)
SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder)
PipelineUser(com.epam.pipeline.entity.user.PipelineUser)
SAMLException(org.opensaml.common.SAMLException)
Audience(org.opensaml.saml2.core.Audience)
PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager)
Logger(org.slf4j.Logger)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
IOException(java.io.IOException)
ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)
File(java.io.File)
SamlResponse(com.coveo.saml.SamlResponse)
List(java.util.List)
UserManager(com.epam.pipeline.manager.user.UserManager)
Optional(java.util.Optional)
FileReader(java.io.FileReader)
Assertion(org.opensaml.saml2.core.Assertion)
SAMLException(org.opensaml.common.SAMLException)
ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)
Example 2 with ExternalServiceEndpoint
use of com.epam.pipeline.security.ExternalServiceEndpoint in project cloud-pipeline by epam.
the class SAMLProxyAuthenticationProvider method authenticate.
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
SAMLProxyAuthentication auth = (SAMLProxyAuthentication) authentication;
List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
if (CollectionUtils.isEmpty(externalServices)) {
throw new AuthenticationServiceException(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
}
if (StringUtils.isNotBlank(auth.getRawSamlResponse())) {
try {
Response decoded = CustomSamlClient.decodeSamlResponse(auth.getRawSamlResponse());
String endpointId = // cut out SSO endpoint
decoded.getDestination().substring(0, decoded.getDestination().length() - CustomSamlClient.SSO_ENDPOINT.length());
Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream().filter(e -> e.getEndpointId().equals(endpointId)).findFirst();
if (endpointOpt.isPresent()) {
return validateAuthentication(auth, decoded, endpointId, endpointOpt.get());
} else {
throw new AuthenticationServiceException("Authentication error: unexpected external service");
}
} catch (SAMLException e) {
throw new AuthenticationServiceException("Authentication error: ", e);
}
} else {
throw new AuthenticationServiceException("Authentication error: missing SAML token");
}
}
Also used :
Response(org.opensaml.saml2.core.Response)
PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager)
MessageConstants(com.epam.pipeline.common.MessageConstants)
AuthenticationServiceException(org.springframework.security.authentication.AuthenticationServiceException)
SYSTEM_EXTERNAL_SERVICES_ENDPOINTS(com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS)
Autowired(org.springframework.beans.factory.annotation.Autowired)
AuthenticationProvider(org.springframework.security.authentication.AuthenticationProvider)
IOException(java.io.IOException)
ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)
StringUtils(org.apache.commons.lang3.StringUtils)
File(java.io.File)
CollectionUtils(org.apache.commons.collections4.CollectionUtils)
List(java.util.List)
MessageHelper(com.epam.pipeline.common.MessageHelper)
Response(org.opensaml.saml2.core.Response)
Optional(java.util.Optional)
AuthenticationException(org.springframework.security.core.AuthenticationException)
FileReader(java.io.FileReader)
Authentication(org.springframework.security.core.Authentication)
SAMLException(org.opensaml.common.SAMLException)
SAMLException(org.opensaml.common.SAMLException)
AuthenticationServiceException(org.springframework.security.authentication.AuthenticationServiceException)
ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)
Aggregations
MessageConstants (com.epam.pipeline.common.MessageConstants)2
MessageHelper (com.epam.pipeline.common.MessageHelper)2
PreferenceManager (com.epam.pipeline.manager.preference.PreferenceManager)2
SYSTEM_EXTERNAL_SERVICES_ENDPOINTS (com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS)2
ExternalServiceEndpoint (com.epam.pipeline.security.ExternalServiceEndpoint)2
File (java.io.File)2
FileReader (java.io.FileReader)2
IOException (java.io.IOException)2
List (java.util.List)2
Optional (java.util.Optional)2
CollectionUtils (org.apache.commons.collections4.CollectionUtils)2
StringUtils (org.apache.commons.lang3.StringUtils)2
SAMLException (org.opensaml.common.SAMLException)2
Response (org.opensaml.saml2.core.Response)2
Autowired (org.springframework.beans.factory.annotation.Autowired)2
SamlResponse (com.coveo.saml.SamlResponse)1
PipelineUser (com.epam.pipeline.entity.user.PipelineUser)1
UserManager (com.epam.pipeline.manager.user.UserManager)1
UserContext (com.epam.pipeline.security.UserContext)1
Function (java.util.function.Function)1
