
Example 11 with IdpSession

use of com.haulmont.cuba.security.global.IdpSession in project cuba by cuba-platform.

Class BaseIdpSessionFilter, method getIdpSession.

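/**
 * Activates an IDP ticket against the IDP server and returns the resulting session.
 * <p>
 * Posts {@code serviceProviderTicket} and {@code trustedServicePassword} as a URL-encoded form to
 * {@code <idpBaseURL>/service/activate}. The trusted service password is a shared secret that
 * travels in the request body, so the configured base URL is expected to be an HTTPS URL; this
 * method does not verify the scheme (NOTE(review): consider validating it where the property is read).
 *
 * @param idpTicket the one-time service provider ticket received from the IDP
 * @return the activated session, or {@code null} when the IDP answers 410 (ticket already consumed)
 * @throws IdpActivationException on any status other than 200/410, on a transport failure,
 *         on a syntactically invalid JSON response, or on an empty response body
 */
@Nullable
protected IdpSession getIdpSession(String idpTicket) throws IdpActivationException {
    String idpBaseURL = webIdpConfig.getIdpBaseURL();
    if (!idpBaseURL.endsWith("/")) {
        idpBaseURL += "/";
    }
    String idpTicketActivateUrl = idpBaseURL + "service/activate";

    HttpPost httpPost = new HttpPost(idpTicketActivateUrl);
    httpPost.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.getMimeType());
    UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(Arrays.asList(
            new BasicNameValuePair("serviceProviderTicket", idpTicket),
            new BasicNameValuePair("trustedServicePassword", webIdpConfig.getIdpTrustedServicePassword())),
            StandardCharsets.UTF_8);
    httpPost.setEntity(formEntity);

    // One connection per activation; the manager is shut down in finally so the socket is always released.
    HttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager();
    HttpClient client = HttpClientBuilder.create().setConnectionManager(connectionManager).build();

    String idpResponse;
    try {
        HttpResponse httpResponse = client.execute(httpPost);
        int statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode == 410) {
            // 410 Gone: the ticket was already used; the caller redirects to the IDP for a fresh one
            return null;
        }
        if (statusCode != 200) {
            throw new IdpActivationException("Idp respond with status " + statusCode);
        }
        idpResponse = new BasicResponseHandler().handleResponse(httpResponse);
    } catch (IOException e) {
        throw new IdpActivationException(e);
    } finally {
        connectionManager.shutdown();
    }

    IdpSession session;
    try {
        session = new Gson().fromJson(idpResponse, IdpSession.class);
    } catch (JsonSyntaxException e) {
        throw new IdpActivationException("Unable to parse idp response", e);
    }
    // Gson returns null for an empty body or a literal "null"; that must not be confused with the
    // 410 "ticket already used" outcome above, so report it as an activation failure instead.
    if (session == null) {
        throw new IdpActivationException("Empty idp response");
    }
    return session;
}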

Example 12 with IdpSession

use of com.haulmont.cuba.security.global.IdpSession in project cuba by cuba-platform.

Class BaseIdpSessionFilter, method doFilter.

/**
 * Servlet filter entry point: ensures every non-static request carries an activated IDP session.
 * <p>
 * Order of checks: static {@code /VAADIN/} resources pass through unauthenticated; a missing
 * {@code cuba.web.idp.url} property yields HTTP 500; requests whose URL starts with the IDP base URL
 * pass through untouched. Otherwise a per-HTTP-session lock is obtained and, while holding it, a
 * {@code GET} carrying an IDP ticket is activated (the HTTP session is replaced and the client is
 * redirected back without the ticket), or the already bound {@link IdpSession} is read. Without a
 * bound session the filter returns without calling the chain, redirecting to the IDP first when the
 * request is a {@code GET} that is not a {@code /PUSH} request. Authenticated requests continue down
 * the chain wrapped in an {@link IdpServletRequestWrapper}.
 *
 * @param request  the incoming request; cast to {@link HttpServletRequest}
 * @param response the response; cast to {@link HttpServletResponse}
 * @param chain    the remaining filter chain
 * @throws IOException      from the chain or from {@code sendRedirect}
 * @throws ServletException from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // send static files without authentication
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    if (StringUtils.startsWith(httpRequest.getRequestURI(), httpRequest.getContextPath() + "/VAADIN/")) {
        chain.doFilter(request, response);
        return;
    }
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    String idpBaseURL = webIdpConfig.getIdpBaseURL();
    if (Strings.isNullOrEmpty(idpBaseURL)) {
        // misconfiguration: fail closed rather than letting the request through unauthenticated
        log.error("Application property cuba.web.idp.url is not set");
        httpResponse.setStatus(500);
        return;
    }
    if (!idpBaseURL.endsWith("/")) {
        idpBaseURL += "/";
    }
    // requests addressed to the IDP itself are not subject to this filter
    String requestUrl = httpRequest.getRequestURL().toString();
    if (StringUtils.startsWith(requestUrl, idpBaseURL)) {
        chain.doFilter(httpRequest, response);
        return;
    }
    HttpSession session = httpRequest.getSession(true);
    // One lock per HTTP session, created on first use. The null check is repeated under
    // sessionCheckLock so two concurrent requests on a brand-new session do not each create a lock.
    Lock sessionLock = (Lock) session.getAttribute(IDP_SESSION_LOCK_ATTRIBUTE);
    if (sessionLock == null) {
        sessionCheckLock.lock();
        try {
            sessionLock = (Lock) session.getAttribute(IDP_SESSION_LOCK_ATTRIBUTE);
            if (sessionLock == null) {
                sessionLock = new ReentrantLock();
                session.setAttribute(IDP_SESSION_LOCK_ATTRIBUTE, sessionLock);
            }
        } finally {
            sessionCheckLock.unlock();
        }
    }
    IdpSession boundIdpSession;
    sessionLock.lock();
    // Probe the session: getAttribute() throws IllegalStateException once the session is invalidated.
    try {
        session.getAttribute(IDP_SESSION_LOCK_ATTRIBUTE);
    } catch (IllegalStateException e) {
        // Someone might have invalidated the session between fetching the lock and acquiring it.
        // NOTE(review): getRequestURL() carries no query string, so a ticket parameter on this
        // request is not part of the redirect target - confirm that is intended.
        sessionLock.unlock();
        log.debug("Invalidated session {}", session.getId());
        httpResponse.sendRedirect(httpRequest.getRequestURL().toString());
        return;
    }
    try {
        // Ticket activation: a GET carrying the IDP ticket parameter.
        if ("GET".equals(httpRequest.getMethod()) && httpRequest.getParameter(IDP_TICKET_REQUEST_PARAM) != null) {
            String idpTicket = httpRequest.getParameter(IDP_TICKET_REQUEST_PARAM);
            IdpSession idpSession;
            try {
                idpSession = getIdpSession(idpTicket);
            } catch (IdpActivationException e) {
                log.error("Unable to obtain IDP session by ticket", e);
                httpResponse.setStatus(500);
                return;
            }
            if (idpSession == null) {
                log.warn("Used old IDP ticket {}, send redirect", idpTicket);
                // used old ticket, send redirect
                httpResponse.sendRedirect(getIdpRedirectUrl(httpRequest));
                return;
            }
            // Replace the pre-login HTTP session with a fresh one (presumably so the session id
            // issued before authentication is never reused - session fixation); the still-held
            // lock object is carried over so later requests keep serializing on it.
            session.invalidate();
            session = httpRequest.getSession(true);
            session.setAttribute(IDP_SESSION_LOCK_ATTRIBUTE, sessionLock);
            session.setAttribute(IDP_SESSION_ATTRIBUTE, idpSession);
            log.debug("IDP session {} obtained, redirect to application", idpSession);
            // Redirect to the same URL minus the ticket so the one-time ticket does not stay in the
            // address bar / browser history.
            String redirectUrl;
            try {
                redirectUrl = getRedirectUrlWithoutIdpTicket(httpRequest);
            } catch (URISyntaxException e) {
                log.error("Unable to compose redirect URL", e);
                httpResponse.setStatus(500);
                return;
            }
            // P3P compact policy header; presumably so older IE accepts the session cookie in
            // cross-site / framed contexts - confirm it is still needed.
            httpResponse.addHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
            httpResponse.sendRedirect(redirectUrl);
            return;
        }
        // No IDP session bound yet: send browsers to the IDP (GET only, never for /PUSH), and
        // in every other case stop here without invoking the chain.
        if (session.getAttribute(IDP_SESSION_ATTRIBUTE) == null) {
            if ("GET".equals(httpRequest.getMethod()) && !StringUtils.startsWith(httpRequest.getRequestURI(), httpRequest.getContextPath() + "/PUSH")) {
                httpResponse.sendRedirect(getIdpRedirectUrl(httpRequest));
            }
            return;
        }
        boundIdpSession = (IdpSession) session.getAttribute(IDP_SESSION_ATTRIBUTE);
    } finally {
        sessionLock.unlock();
    }
    // The lock is released before the chain runs so downstream work is not serialized per session.
    HttpServletRequest authenticatedRequest = new IdpServletRequestWrapper(httpRequest, new IdpSessionPrincipalImpl(boundIdpSession));
    chain.doFilter(authenticatedRequest, response);
}

Example 13 with IdpSession

use of com.haulmont.cuba.security.global.IdpSession in project cuba by cuba-platform.

Class IdpLoginLifecycleManager, method onAppStarted.

/**
 * Logs the application connection in using the IDP principal of the current Vaadin request.
 * <p>
 * Runs only when IDP is enabled and no other listener has already authenticated the connection.
 * Without a current request, or when its principal is not an {@link IdpSessionPrincipal}, nothing
 * happens. The IDP session id is handed over as the {@code IdpService.IDP_USER_SESSION_ATTRIBUTE}
 * session attribute of the credentials.
 *
 * @param event application start event supplying the {@code App} whose connection is logged in
 * @throws LoginException if {@code Connection.login} rejects the credentials
 */
@Order(Events.HIGHEST_PLATFORM_PRECEDENCE + 10)
@EventListener
protected void onAppStarted(AppStartedEvent event) throws LoginException {
    Connection connection = event.getApp().getConnection();
    // another listener may have authenticated the connection already
    if (!webIdpConfig.getIdpEnabled() || connection.isAuthenticated()) {
        return;
    }
    VaadinRequest vaadinRequest = VaadinService.getCurrentRequest();
    if (vaadinRequest == null) {
        return;
    }
    Principal requestPrincipal = vaadinRequest.getUserPrincipal();
    if (!(requestPrincipal instanceof IdpSessionPrincipal)) {
        return;
    }
    IdpSession idpSession = ((IdpSessionPrincipal) requestPrincipal).getIdpSession();
    Locale appLocale = event.getApp().getLocale();
    ExternalUserCredentials credentials = new ExternalUserCredentials(requestPrincipal.getName(), appLocale);
    credentials.setSessionAttributes(
            ImmutableMap.of(IdpService.IDP_USER_SESSION_ATTRIBUTE, idpSession.getId()));
    connection.login(credentials);
}

Example 14 with IdpSession

use of com.haulmont.cuba.security.global.IdpSession in project cuba by cuba-platform.

Class IdpServiceBean, method setSessionAttribute.

/**
 * Stores an attribute on the IDP session with the given id and propagates the updated session
 * through the session store.
 *
 * @param sessionId id of the IDP session to update
 * @param name      attribute name
 * @param value     attribute value
 * @return the updated session, or {@code null} when the store holds no session with that id
 */
@Override
public IdpSession setSessionAttribute(String sessionId, String name, Serializable value) {
    IdpSession idpSession = sessionStore.getSession(sessionId);
    if (idpSession == null) {
        return null;
    }
    Map<String, Object> attrs = idpSession.getAttributes();
    if (attrs == null) {
        // attach the map to the session before the first write
        attrs = new HashMap<>();
        idpSession.setAttributes(attrs);
    }
    attrs.put(name, value);
    sessionStore.propagate(idpSession.getId());
    return idpSession;
}

Example 15 with IdpSession

use of com.haulmont.cuba.security.global.IdpSession in project cuba by cuba-platform.

Class IdpAuthProvider, method userSessionLoggedIn.

/**
 * Records the IDP session id on a freshly logged-in user session.
 * <p>
 * Reads the principal of the current Vaadin request; when it is an {@link IdpSessionPrincipal},
 * its IDP session id is stored under {@code IdpService.IDP_USER_SESSION_ATTRIBUTE}. Without a
 * current request, or with a different principal type, the user session is left untouched.
 *
 * @param session the user session that has just been logged in
 */
@Override
public void userSessionLoggedIn(UserSession session) {
    VaadinRequest vaadinRequest = VaadinService.getCurrentRequest();
    if (vaadinRequest == null) {
        return;
    }
    Principal requestPrincipal = vaadinRequest.getUserPrincipal();
    if (!(requestPrincipal instanceof IdpSessionPrincipal)) {
        return;
    }
    String idpSessionId = ((IdpSessionPrincipal) requestPrincipal).getIdpSession().getId();
    session.setAttribute(IdpService.IDP_USER_SESSION_ATTRIBUTE, idpSessionId);
}
