Search in sources :

Example 46 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AuthSys method doAuth.

// public static final String AUTH_DATA = "AUTO_IDM_AUTH_DATA";
// public static final String AUTH_STEPS = "TREMOLO_AUTH_STEPS";
// public static final String AUTH_CURR_STEP = "TREMOLO_CUR_STEP";
/* (non-Javadoc)
	 * @see com.tremolosecurity.proxy.auth.AuthSys#doAuth(javax.servlet.ServletRequest, javax.servlet.ServletResponse, com.tremolosecurity.proxy.util.NextSys)
	 */
public void doAuth(ServletRequest req, ServletResponse resp, NextSys next) throws IOException, ServletException {
    req.setAttribute(AuthManager.NEXT_SYS, next);
    ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    if (((HttpServletRequest) req).getRequestURI().startsWith(cfg.getAuthPath())) {
        next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
        return;
    }
    HttpSession session = ((HttpServletRequest) req).getSession();
    AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    String urlChain = holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
    if (urlChain == null) {
        // chain.doFilter(req, resp);
        next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
        return;
    }
    AuthInfo authData = actl.getAuthInfo();
    if (authData == null || !authData.isAuthComplete()) {
        if (cfg.getAuthManager().nextAuth((HttpServletRequest) req, (HttpServletResponse) resp, session, false, next)) {
            next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
        }
    } else {
        boolean mustFail = false;
        if (act == null) {
            StringBuilder sb = new StringBuilder().append("Authentication chain '").append(urlChain).append("' does not exist. All authentication requests will fail");
            logger.warn(sb.toString());
            act = cfg.getAuthFailChain();
            mustFail = true;
        }
        if (authData.getAuthLevel() < act.getLevel() || mustFail) {
            // step up authentication, clear existing auth data
            session.removeAttribute(ProxyConstants.AUTH_CTL);
            holder.getConfig().createAnonUser(session);
            cfg.getAuthManager().nextAuth((HttpServletRequest) req, (HttpServletResponse) resp, session, false, next);
        } else {
            // chain.doFilter(req, resp);
            next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
        }
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) TremoloHttpSession(com.tremolosecurity.proxy.TremoloHttpSession) HttpSession(javax.servlet.http.HttpSession) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) ConfigManager(com.tremolosecurity.config.util.ConfigManager)

Example 47 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AuthorizationAuthMech method doGet.

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = ((HttpServletRequest) request).getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
    Attribute rulesCfg = authParams.get("rules");
    List<AzRule> rules = new ArrayList<AzRule>();
    for (String val : rulesCfg.getValues()) {
        StringTokenizer toker = new StringTokenizer(val, ";", false);
        toker.hasMoreTokens();
        String scope = toker.nextToken();
        toker.hasMoreTokens();
        String constraint = toker.nextToken();
        try {
            AzRule rule = new AzRule(scope, constraint, null, GlobalEntries.getGlobalEntries().getConfigManager(), null);
            rules.add(rule);
        } catch (ProvisioningException e) {
            throw new ServletException("Could not create az rule", e);
        }
    }
    as.setSuccess(azSys.checkRules(ac.getAuthInfo(), GlobalEntries.getGlobalEntries().getConfigManager(), rules, new HashMap<String, Object>()));
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
Also used : Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) ArrayList(java.util.ArrayList) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) StringTokenizer(java.util.StringTokenizer) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) AzRule(com.tremolosecurity.proxy.az.AzRule)

Example 48 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class FullMappingAuthMech method doGet.

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep step) throws IOException, ServletException {
    HttpSession session = ((HttpServletRequest) request).getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    TargetType tt = new TargetType();
    Attribute map = authParams.get("map");
    for (String mapping : map.getValues()) {
        int firstPipe = mapping.indexOf('|');
        int secondPipe = mapping.indexOf('|', firstPipe + 1);
        String destAttr = mapping.substring(0, firstPipe);
        String type = mapping.substring(firstPipe + 1, secondPipe);
        String value = mapping.substring(secondPipe + 1);
        TargetAttributeType tat = new TargetAttributeType();
        tat.setName(destAttr);
        tat.setSourceType(type);
        tat.setSource(value);
        tt.getTargetAttribute().add(tat);
    }
    try {
        MapIdentity mapper = new MapIdentity(tt);
        AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
        User orig = new User(ac.getAuthInfo().getUserDN());
        orig.getAttribs().putAll(ac.getAuthInfo().getAttribs());
        User mapped = mapper.mapUser(orig);
        ac.getAuthInfo().getAttribs().clear();
        ac.getAuthInfo().getAttribs().putAll(mapped.getAttribs());
    } catch (ProvisioningException e) {
        throw new ServletException("Could not map user", e);
    }
    step.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
Also used : User(com.tremolosecurity.provisioning.core.User) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) MapIdentity(com.tremolosecurity.provisioning.mapping.MapIdentity) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) TargetAttributeType(com.tremolosecurity.config.xml.TargetAttributeType) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) TargetType(com.tremolosecurity.config.xml.TargetType)

Example 49 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class LogUserAgentAuth method doGet.

public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep step) throws IOException, ServletException {
    String header = request.getHeader("User-Agent");
    if (header == null) {
        header = request.getHeader("user-agent");
    }
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    if (header == null) {
        logger.warn("No user agent");
    } else {
        AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
        StringBuffer b = new StringBuffer();
        b.append("dn='");
        if (ac == null) {
            b.append("No User");
        } else {
            b.append(ac.getAuthInfo().getUserDN());
        }
        b.append("' - '").append(header).append("'");
        logger.info(b.toString());
    }
    step.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, request.getSession(), false);
}
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException)

Example 50 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class UnisonServletFilter method doFilter.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = new LocalSessionRequest((HttpServletRequest) request);
    HttpServletResponse resp = (HttpServletResponse) response;
    ConfigManager cfg = (ConfigManager) ctx.getAttribute(ProxyConstants.TREMOLO_CONFIG);
    SessionManager sessionMgr = (SessionManager) ctx.getAttribute(ProxyConstants.TREMOLO_SESSION_MANAGER);
    ProxyRequest pr = null;
    try {
        pr = new ProxyRequest((HttpServletRequest) req);
    } catch (Exception e1) {
        logger.error("Unable to create request", e1);
        throw new IOException("Could not create request");
    }
    try {
        req.setAttribute(ProxyConstants.TREMOLO_FILTER_CHAIN, chain);
        NextEmbSys embSys = new NextEmbSys(this.cfg.getServletContext(), chain, passOn);
        /*System.err.println("*** Begin Request ****");
			System.err.println("url = '" + ((HttpServletRequest)req).getRequestURL() + "'");
			Cookie[] cookies = ((HttpServletRequest) req).getCookies();
			if (cookies != null) {
				for (Cookie cookie : cookies) {
					System.err.println("'" + cookie.getName() + "'='" + cookie.getValue() + "'");
				}
			}
			System.err.println("*** End Request ****");*/
        String fwdProto = req.getHeader("X-Forwarded-Proto");
        boolean toSSL = false;
        if (cfg.isForceToSSL()) {
            if (fwdProto != null) {
                toSSL = fwdProto.equalsIgnoreCase("http");
            } else {
                toSSL = !req.getRequestURL().toString().toLowerCase().startsWith("https");
            }
        }
        if (toSSL) {
            StringBuffer redirURL = new StringBuffer();
            URL reqURL = new URL(req.getRequestURL().toString());
            redirURL.append("https://").append(reqURL.getHost());
            if (cfg.getExternalSecurePort() != 443) {
                redirURL.append(":").append(cfg.getSecurePort());
            }
            redirURL.append(reqURL.getPath());
            if (reqURL.getQuery() != null) {
                redirURL.append('?').append(reqURL.getQuery());
            }
            resp.sendRedirect(redirURL.toString());
            return;
        }
        // add hsts
        if (GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getApplications().isHsts()) {
            StringBuffer sb = new StringBuffer();
            sb.append("max-age=").append(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getApplications().getHstsTTL()).append(" ; includeSubDomains");
            resp.addHeader("Strict-Transport-Security", sb.toString());
        }
        req.setAttribute(ProxyConstants.TREMOLO_CFG_OBJ, cfg);
        HttpServletRequest servReq = (HttpServletRequest) req;
        String URL;
        HttpSession sharedSession = null;
        UrlHolder holder = null;
        URL = servReq.getRequestURL().toString();
        holder = cfg.findURL(URL);
        boolean isForcedAuth = false;
        RequestHolder reqHolder = null;
        String sessionCookieName = req.getParameter("sessionCookie");
        if (sessionCookieName == null) {
            Cookie[] cookies = ((HttpServletRequest) req).getCookies();
            if (cookies != null) {
                for (int i = 0; i < cookies.length; i++) {
                    if (cookies[i].getName().equals("autoIdmSessionCookieName")) {
                        sessionCookieName = cookies[i].getValue();
                    }
                }
            }
        }
        if (sessionCookieName == null) {
        } else {
        }
        if (holder == null) {
            // check the session
            sharedSession = sessionMgr.getSession(sessionCookieName, holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
            if (sharedSession != null) {
                AuthController actl = (AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL);
                if (actl.getHolder() != null) {
                    URL = ((AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL)).getHolder().getURL();
                    holder = cfg.findURL(URL);
                }
            }
        } else {
            sharedSession = sessionMgr.getSession(holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
        }
        // LocalSessionRequest lsr = new LocalSessionRequest((HttpServletRequest)req,sharedSession);
        if (sharedSession != null) {
            pr.setSession(sharedSession);
        }
        if ((holder == null || holder.getUrl().getUri().equalsIgnoreCase("/")) && req.getRequestURI().startsWith(cfg.getAuthPath()) && sessionCookieName == null) {
            // if (req.getRequestURI().startsWith("/auth/")) {
            AuthMechanism authMech = cfg.getAuthMech(((HttpServletRequest) req).getRequestURI());
            if (authMech != null) {
                String finalURL = authMech.getFinalURL(pr, resp);
                if (resp.getStatus() == 302) {
                    // redirect sent, stop processing
                    return;
                }
                if (finalURL != null) {
                    holder = cfg.findURL(finalURL);
                    if (holder != null) {
                        String urlChain = holder.getUrl().getAuthChain();
                        AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
                        HashMap<String, Attribute> params = new HashMap<String, Attribute>();
                        ProxyUtil.loadParams(req, params);
                        if (req instanceof ProxyRequest) {
                            reqHolder = new RequestHolder(HTTPMethod.GET, params, finalURL, true, act.getName(), ((ProxyRequest) req).getQueryStringParams());
                        } else {
                            reqHolder = new RequestHolder(HTTPMethod.GET, params, finalURL, true, act.getName(), ((com.tremolosecurity.embedd.LocalSessionRequest) req).getQueryStringParams());
                        }
                        isForcedAuth = true;
                        sharedSession = sessionMgr.getSession(holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
                        if (sharedSession != null) {
                            pr.setSession(sharedSession);
                        }
                        Cookie lsessionCookieName = new Cookie("autoIdmSessionCookieName", holder.getApp().getCookieConfig().getSessionCookieName());
                        String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
                        if (domain != null) {
                            lsessionCookieName.setDomain(domain);
                        }
                        lsessionCookieName.setPath("/");
                        lsessionCookieName.setMaxAge(-1);
                        lsessionCookieName.setSecure(false);
                        if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
                            ProxyResponse.addCookieToResponse(holder, lsessionCookieName, (HttpServletResponse) response);
                        }
                        Cookie appCookieName = new Cookie("autoIdmAppName", URLEncoder.encode(holder.getApp().getName(), "UTF-8"));
                        if (domain != null) {
                            appCookieName.setDomain(domain);
                        }
                        appCookieName.setPath("/");
                        appCookieName.setMaxAge(-1);
                        appCookieName.setSecure(false);
                        if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
                            ProxyResponse.addCookieToResponse(holder, appCookieName, (HttpServletResponse) response);
                        }
                    // resp.addCookie(appCookieName);
                    }
                }
            }
        }
        req.setAttribute(ProxyConstants.AUTOIDM_CFG, holder);
        req.setAttribute(ProxyConstants.TREMOLO_IS_FORCED_AUTH, isForcedAuth);
        req.setAttribute(ProxyConstants.TREMOLO_REQ_HOLDER, reqHolder);
        if (!resp.isCommitted()) {
            embSys.nextSys(pr, (HttpServletResponse) resp);
        }
    } catch (Exception e) {
        req.setAttribute("TREMOLO_ERROR_REQUEST_URL", req.getRequestURL().toString());
        req.setAttribute("TREMOLO_ERROR_EXCEPTION", e);
        logger.error("Could not process request", e);
        StringBuffer b = new StringBuffer();
        b.append(cfg.getAuthFormsPath()).append("error.jsp");
        req.getRequestDispatcher(b.toString()).forward(pr, resp);
    }
}
Also used : Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) NextEmbSys(com.tremolosecurity.embedd.NextEmbSys) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) URL(java.net.URL) HttpServletRequest(javax.servlet.http.HttpServletRequest) LocalSessionRequest(com.tremolosecurity.embedd.LocalSessionRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) AuthMechanism(com.tremolosecurity.proxy.auth.AuthMechanism) ProxyRequest(com.tremolosecurity.proxy.ProxyRequest) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) Cookie(javax.servlet.http.Cookie) SessionManager(com.tremolosecurity.proxy.SessionManager) HttpSession(javax.servlet.http.HttpSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) AuthController(com.tremolosecurity.proxy.auth.AuthController) ConfigManager(com.tremolosecurity.config.util.ConfigManager) ServletException(javax.servlet.ServletException) IOException(java.io.IOException)

Aggregations

UrlHolder (com.tremolosecurity.config.util.UrlHolder)61 ServletException (javax.servlet.ServletException)42 HttpSession (javax.servlet.http.HttpSession)39 HashMap (java.util.HashMap)38 HttpServletRequest (javax.servlet.http.HttpServletRequest)36 AuthChainType (com.tremolosecurity.config.xml.AuthChainType)34 Attribute (com.tremolosecurity.saml.Attribute)31 AuthMechType (com.tremolosecurity.config.xml.AuthMechType)26 AuthController (com.tremolosecurity.proxy.auth.AuthController)26 IOException (java.io.IOException)26 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)18 RequestHolder (com.tremolosecurity.proxy.auth.RequestHolder)18 LDAPException (com.novell.ldap.LDAPException)17 LDAPAttribute (com.novell.ldap.LDAPAttribute)16 ConfigManager (com.tremolosecurity.config.util.ConfigManager)12 MyVDConnection (com.tremolosecurity.proxy.myvd.MyVDConnection)10 MalformedURLException (java.net.MalformedURLException)10 ArrayList (java.util.ArrayList)10 ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)9 Gson (com.google.gson.Gson)8