
Example 1 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class RegisterPasswordResetAuth method doGet.

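@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    // Auth mechanism step: registers a logout handler that runs the configured
    // password-reset workflow for the authenticated user when the session is
    // logged out, marks the step as succeeded/failed, then hands control to the
    // next mechanism in the chain.
    //
    // Fix: the original indexed uid.getValues().get(0) without checking that the
    // attribute actually carries a value, so an attribute that exists but is empty
    // would throw IndexOutOfBoundsException instead of failing the step cleanly.
    // It also built several locals (authParams, urlChain, act, amt) that were
    // never read; they are dropped here.
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo au = ac.getAuthInfo();

    // The user id comes from the already-established AuthInfo, not from request
    // input; this.uidAttribute names which attribute identifies the user.
    Attribute uid = au.getAttribs().get(this.uidAttribute);
    if (uid == null) {
        logger.warn("Attribute : '" + this.uidAttribute + "' does not exist");
        as.setSuccess(false);
    } else if (uid.getValues().isEmpty()) {
        logger.warn("Attribute : '" + this.uidAttribute + "' has no value");
        as.setSuccess(false);
    } else {
        // Only the first value is used as the identifier handed to the workflow,
        // as in the original.
        ResetUserPasswordOnLogout logoutHandler = new ResetUserPasswordOnLogout(this.workflowName, this.uidAttribute, uid.getValues().get(0));
        LogoutUtil.insertFirstLogoutHandler(request, logoutHandler);
        as.setSuccess(true);
    }

    // Continue the chain regardless; the step's success flag tells the manager
    // how to proceed.
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}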

Example 2 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SamlTransaction method nextAuth.

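private boolean nextAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, AuthChainType act) throws ServletException, IOException {
    // Starts (or continues) the authentication chain `act` for this request via the
    // AuthManager and returns whatever it reports. The "final URL" passed along is
    // where the user is sent once the chain completes.
    //
    // Fix: the original declared an unused RequestHolder and read
    // holder.getUrl().getAuthChain() into a local that was never used; both are
    // removed.
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    String finalUrl = genFinalURL(req).toString();
    return holder.getConfig().getAuthManager().execAuth(req, resp, session, jsRedirect, holder, act, finalUrl);
}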

Example 3 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SamlTransaction method procAuthnReq.

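private void procAuthnReq(HttpServletRequest request, HttpServletResponse response, DocumentBuilderFactory factory, String saml, String relayState) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, Exception, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, ServletException {
    // Parses an inbound SAML 2.0 AuthnRequest, verifies its signature according to
    // the binding it arrived on (POST: enveloped XML signature; anything else:
    // HTTP-Redirect query-string signature) and, if everything checks out, hands
    // off to doFederation.
    //
    // Security notes:
    //  * The DocumentBuilderFactory is supplied by the caller; this method does not
    //    itself disable DTDs / external entities. NOTE(review): confirm the factory
    //    is hardened against XXE before untrusted XML reaches builder.parse().
    //  * Signature verification only happens when a signature is present. When
    //    this.requireSignedAuthn is false an unsigned request is accepted as-is,
    //    which makes issuer, NameID policy and AssertionConsumerServiceURL
    //    attacker-controllable inputs to doFederation.
    //
    // Changes from the original:
    //  * issuer, the SP validation certificate and (redirect binding) SigAlg are
    //    null-checked before use, so a malformed request fails with a descriptive
    //    Exception instead of a NullPointerException.
    //  * A signed POST request now has its Destination compared to the request
    //    URL, the same check the redirect branch already applied. SAML Core 3.2.1
    //    requires Destination to be present and checked on signed messages.
    //  * The Destination comparison is null-safe: a missing Destination on a
    //    signed request is rejected rather than throwing NPE.
    AuthnRequestUnmarshaller marshaller = new AuthnRequestUnmarshaller();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Element root = builder.parse(new InputSource(new StringReader(saml))).getDocumentElement();
    AuthnRequest authn = (AuthnRequest) marshaller.unmarshall(root);

    if (authn.getIssuer() == null || authn.getIssuer().getValue() == null) {
        throw new Exception("AuthnRequest has no Issuer");
    }
    String issuer = authn.getIssuer().getValue();
    // null means "no preference"; doFederation substitutes the trust's defaults.
    String authnCtx = requestedAuthnContext(authn);
    String nameID = authn.getNameIDPolicy() == null ? null : authn.getNameIDPolicy().getFormat();
    String binding = authn.getProtocolBinding();
    String url = authn.getAssertionConsumerServiceURL();

    if (logger.isDebugEnabled()) {
        logger.debug("Issuer : '" + issuer + "'");
        logger.debug("Binding : '" + binding + "'");
        logger.debug("URL : '" + url + "'");
        logger.debug("NameID Format : '" + nameID + "'");
        logger.debug("Authn Class Ctx : '" + authnCtx + "'");
    }

    // The issuer must map to a configured trust; the trust names the SP signing cert.
    Saml2Trust trust = this.trusts.get(issuer);
    if (trust == null) {
        throw new Exception("Could not find a trust for issuer '" + issuer + "'");
    }

    if (request.getMethod().equalsIgnoreCase("POST")) {
        verifyPostBindingSignature(request, authn, trust);
    } else {
        verifyRedirectBindingSignature(request, authn, trust, relayState);
    }

    doFederation(request, response, issuer, nameID, authnCtx, url, relayState, trust);
}

/** Returns the first requested AuthnContextClassRef URI, or null when the request carries none. */
private static String requestedAuthnContext(AuthnRequest authn) {
    if (authn.getRequestedAuthnContext() == null
            || authn.getRequestedAuthnContext().getAuthnContextClassRefs().isEmpty()) {
        return null;
    }
    // A present-but-null URI is treated the same as absent, as in the original.
    return authn.getRequestedAuthnContext().getAuthnContextClassRefs().get(0).getURI();
}

/**
 * Resolves the SP signing certificate named by the trust (trust.spSigCert) from the
 * OpenUnison config, failing with a clear message when it is not configured.
 */
private java.security.cert.X509Certificate spSigningCert(HttpServletRequest request, Saml2Trust trust) throws Exception {
    String validationCert = trust.spSigCert;
    if (logger.isDebugEnabled())
        logger.debug("validation cert name : '" + validationCert + "'");
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    java.security.cert.X509Certificate cert = holder.getConfig().getCertificate(validationCert);
    if (logger.isDebugEnabled())
        logger.debug("validation cert : '" + cert + "'");
    if (cert == null) {
        throw new Exception("Signing certificate '" + validationCert + "' not found for issuer trust");
    }
    return cert;
}

/**
 * Rejects a signed request whose Destination is absent or does not name this
 * endpoint. NOTE(review): request.getRequestURL() is what the container sees;
 * behind a TLS-terminating proxy this must already reflect the external URL.
 */
private static void checkDestination(HttpServletRequest request, AuthnRequest authn) throws Exception {
    String destination = authn.getDestination();
    if (destination == null || !destination.equals(request.getRequestURL().toString())) {
        throw new Exception("Invalid destination");
    }
}

/**
 * HTTP-POST binding: the AuthnRequest carries an enveloped XML signature. Verifies it
 * against the trust's SP certificate; an unsigned request is only accepted when
 * requireSignedAuthn is false.
 */
private void verifyPostBindingSignature(HttpServletRequest request, AuthnRequest authn, Saml2Trust trust) throws Exception {
    if (authn.getSignature() == null) {
        if (this.requireSignedAuthn) {
            throw new Exception("No signature on the authentication request");
        }
        return;
    }
    if (logger.isDebugEnabled())
        logger.debug("requiring authn request is signed");
    checkDestination(request, authn);
    java.security.cert.X509Certificate cert = spSigningCert(request, trust);
    BasicCredential sigCred = new BasicCredential(cert.getPublicKey());
    sigCred.setUsageType(UsageType.SIGNING);
    // Profile validation first: rejects signatures that do not follow the SAML
    // signature profile before any cryptographic work is done.
    SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
    profileValidator.validate(authn.getSignature());
    SignatureValidator.validate(authn.getSignature(), sigCred);
}

/**
 * HTTP-Redirect binding: the signature covers the URL-encoded query parameters
 * SAMLRequest[&RelayState]&SigAlg, in that order. The signed string is rebuilt here by
 * re-encoding the parameter values. NOTE(review): this assumes the SP's encoding
 * matches java.net.URLEncoder's; the binding spec verifies over the original encoded
 * bytes, so an SP that encodes differently will fail verification (fail-closed, but an
 * interop caveat).
 */
private void verifyRedirectBindingSignature(HttpServletRequest request, AuthnRequest authn, Saml2Trust trust, String relayState) throws Exception {
    String authnSig = request.getParameter("Signature");
    if (authnSig == null) {
        if (this.requireSignedAuthn) {
            throw new Exception("No signature on the authentication request");
        }
        return;
    }
    // Only algorithms in the allow-list are accepted; a missing SigAlg is rejected
    // here instead of surfacing as an NPE from URLEncoder.
    String sigAlg = request.getParameter("SigAlg");
    if (sigAlg == null || !Saml2Idp.xmlDigSigAlgs.containsKey(sigAlg)) {
        throw new Exception("Invalid signature algorithm : " + sigAlg);
    }
    checkDestination(request, authn);

    StringBuffer query = new StringBuffer();
    query.append("SAMLRequest=").append(URLEncoder.encode(request.getParameter("SAMLRequest"), "UTF-8"));
    if (relayState != null) {
        query.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8"));
    }
    query.append("&SigAlg=").append(URLEncoder.encode(sigAlg, "UTF-8"));

    java.security.cert.X509Certificate cert = spSigningCert(request, trust);
    Signature sigv = Signature.getInstance(Saml2Idp.javaDigSigAlgs.get(sigAlg));
    sigv.initVerify(cert.getPublicKey());
    sigv.update(query.toString().getBytes("UTF-8"));
    if (!sigv.verify(Base64.decodeBase64(authnSig.getBytes("UTF-8")))) {
        throw new Exception("Signature verification failed");
    }
}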

Example 4 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SamlTransaction method doFederation.

private void doFederation(HttpServletRequest request, HttpServletResponse response, String issuer, String nameID, String authnCtx, String url, String relayState, Saml2Trust trust) throws Exception, ServletException, IOException {
    // Second half of AuthnRequest processing: applies the trust's defaults, records
    // the pending SAML transaction in the session, then either runs / steps up the
    // authentication chain or, if the session is already authenticated at a
    // sufficient level, redirects straight to the final URL.
    //
    // NOTE(review): `url` is the SP-supplied AssertionConsumerServiceURL and is
    // stored as transaction.postToURL without being compared to the trust's
    // configured endpoint here. If the request was unsigned (requireSignedAuthn
    // false in procAuthnReq) that value is attacker-controlled — confirm it is
    // validated against the trust before the response is posted to it.

    // Fall back to the trust's defaults when the SP expressed no preference.
    String effectiveAuthnCtx = authnCtx != null ? authnCtx : trust.params.get("defaultAuthCtx").getValues().get(0);
    String effectiveNameID = nameID != null ? nameID : trust.params.get("defaultNameId").getValues().get(0);

    String authChain = trust.authChainMap.get(effectiveAuthnCtx);
    if (authChain == null) {
        throw new Exception("IdP does not have an authenticaiton chain configured with '" + effectiveAuthnCtx + "'");
    }
    String nameIDAttr = trust.nameIDMap.get(effectiveNameID);
    if (logger.isDebugEnabled()) {
        logger.debug("Auth Chain : '" + authChain + "'");
        logger.debug("NameID Attr : '" + nameIDAttr + "'");
    }

    HttpSession session = request.getSession();
    AuthInfo authData = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthChainType act = holder.getConfig().getAuthChains().get(authChain);

    String postToURL = url != null ? url : trust.params.get("httpPostRespURL").getValues().get(0);

    // Stash everything the response builder needs once authentication finishes.
    SamlTransaction transaction = new SamlTransaction();
    transaction.issuer = issuer;
    transaction.nameIDAttr = nameIDAttr;
    transaction.nameIDFormat = effectiveNameID;
    transaction.postToURL = postToURL;
    transaction.authnCtxName = effectiveAuthnCtx;
    transaction.relayState = relayState;
    session.setAttribute(Saml2Idp.TRANSACTION_DATA, transaction);

    if (authData == null) {
        // No authentication state yet: run the chain.
        nextAuth(request, response, session, false, act);
        return;
    }
    boolean needsStepUp = authData.getAuthLevel() < act.getLevel();
    if (!authData.isAuthComplete() && !needsStepUp) {
        // A chain is already in progress at a sufficient level: keep going.
        nextAuth(request, response, session, false, act);
    } else if (needsStepUp) {
        // Existing session is below the level this chain requires: discard it and
        // restart from an anonymous user.
        session.removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(session);
        nextAuth(request, response, session, false, act);
    } else {
        // Already authenticated at a sufficient level: straight to the final URL.
        response.sendRedirect(genFinalURL(request).toString());
    }
}

Example 5 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class EmbForward method doEmbResults.

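public void doEmbResults(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain, NextSys nextSys) throws ServletException, IOException {
    // Runs the embedded ("Emb") proxy filter chain for the current request. Requests
    // under the authentication path bypass the proxy filters and go straight down
    // the servlet chain; everything else is wrapped in HttpFilterRequest/Response
    // and handed to a fresh HttpFilterChainImpl whose tail (EmbPostProc) resumes
    // the servlet chain.
    //
    // Fix: the original declared `boolean isText` and cast `request` to a type it
    // already has; neither did anything and both are removed. `nextSys` is kept for
    // interface compatibility but, as in the original, is not used here.
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);

    // NOTE(review): this is a plain prefix match on the raw (undecoded, unnormalized)
    // request URI — confirm the container or an earlier filter normalizes the path so
    // an encoded or dot-segment variant of the auth path cannot take the wrong branch.
    if (request.getRequestURI().startsWith(cfg.getAuthPath())) {
        filterChain.doFilter(request, response);
        return;
    }

    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    HttpFilterRequest filterReq = new HttpFilterRequestImpl(request, null);
    HttpFilterResponse filterResp = new HttpFilterResponseImpl(response);
    HttpFilterChain chain = new HttpFilterChainImpl(holder, new EmbPostProc(filterChain));
    try {
        chain.nextFilter(filterReq, filterResp, chain);
    } catch (Exception e) {
        // Filters may throw anything; log with the cause and surface it as a
        // ServletException so the container handles it.
        logger.error("Error", e);
        throw new ServletException(e);
    }
}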
