use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class AuthSys method doAuth.
// public static final String AUTH_DATA = "AUTO_IDM_AUTH_DATA";
// public static final String AUTH_STEPS = "TREMOLO_AUTH_STEPS";
// public static final String AUTH_CURR_STEP = "TREMOLO_CUR_STEP";
/* (non-Javadoc)
* @see com.tremolosecurity.proxy.auth.AuthSys#doAuth(javax.servlet.ServletRequest, javax.servlet.ServletResponse, com.tremolosecurity.proxy.util.NextSys)
*/
public void doAuth(ServletRequest req, ServletResponse resp, NextSys next) throws IOException, ServletException {
req.setAttribute(AuthManager.NEXT_SYS, next);
ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
if (((HttpServletRequest) req).getRequestURI().startsWith(cfg.getAuthPath())) {
next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
return;
}
HttpSession session = ((HttpServletRequest) req).getSession();
AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
if (urlChain == null) {
// chain.doFilter(req, resp);
next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
return;
}
AuthInfo authData = actl.getAuthInfo();
if (authData == null || !authData.isAuthComplete()) {
if (cfg.getAuthManager().nextAuth((HttpServletRequest) req, (HttpServletResponse) resp, session, false, next)) {
next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
}
} else {
boolean mustFail = false;
if (act == null) {
StringBuilder sb = new StringBuilder().append("Authentication chain '").append(urlChain).append("' does not exist. All authentication requests will fail");
logger.warn(sb.toString());
act = cfg.getAuthFailChain();
mustFail = true;
}
if (authData.getAuthLevel() < act.getLevel() || mustFail) {
// step up authentication, clear existing auth data
session.removeAttribute(ProxyConstants.AUTH_CTL);
holder.getConfig().createAnonUser(session);
cfg.getAuthManager().nextAuth((HttpServletRequest) req, (HttpServletResponse) resp, session, false, next);
} else {
// chain.doFilter(req, resp);
next.nextSys((HttpServletRequest) req, (HttpServletResponse) resp);
}
}
}
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class AuthorizationAuthMech method doGet.
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
HttpSession session = ((HttpServletRequest) request).getSession();
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
if (holder == null) {
throw new ServletException("Holder is null");
}
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
Attribute rulesCfg = authParams.get("rules");
List<AzRule> rules = new ArrayList<AzRule>();
for (String val : rulesCfg.getValues()) {
StringTokenizer toker = new StringTokenizer(val, ";", false);
toker.hasMoreTokens();
String scope = toker.nextToken();
toker.hasMoreTokens();
String constraint = toker.nextToken();
try {
AzRule rule = new AzRule(scope, constraint, null, GlobalEntries.getGlobalEntries().getConfigManager(), null);
rules.add(rule);
} catch (ProvisioningException e) {
throw new ServletException("Could not create az rule", e);
}
}
as.setSuccess(azSys.checkRules(ac.getAuthInfo(), GlobalEntries.getGlobalEntries().getConfigManager(), rules, new HashMap<String, Object>()));
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class FullMappingAuthMech method doGet.
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep step) throws IOException, ServletException {
HttpSession session = ((HttpServletRequest) request).getSession();
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
if (holder == null) {
throw new ServletException("Holder is null");
}
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
TargetType tt = new TargetType();
Attribute map = authParams.get("map");
for (String mapping : map.getValues()) {
int firstPipe = mapping.indexOf('|');
int secondPipe = mapping.indexOf('|', firstPipe + 1);
String destAttr = mapping.substring(0, firstPipe);
String type = mapping.substring(firstPipe + 1, secondPipe);
String value = mapping.substring(secondPipe + 1);
TargetAttributeType tat = new TargetAttributeType();
tat.setName(destAttr);
tat.setSourceType(type);
tat.setSource(value);
tt.getTargetAttribute().add(tat);
}
try {
MapIdentity mapper = new MapIdentity(tt);
AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
User orig = new User(ac.getAuthInfo().getUserDN());
orig.getAttribs().putAll(ac.getAuthInfo().getAttribs());
User mapped = mapper.mapUser(orig);
ac.getAuthInfo().getAttribs().clear();
ac.getAuthInfo().getAttribs().putAll(mapped.getAttribs());
} catch (ProvisioningException e) {
throw new ServletException("Could not map user", e);
}
step.setSuccess(true);
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class LogUserAgentAuth method doGet.
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep step) throws IOException, ServletException {
String header = request.getHeader("User-Agent");
if (header == null) {
header = request.getHeader("user-agent");
}
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
if (holder == null) {
throw new ServletException("Holder is null");
}
if (header == null) {
logger.warn("No user agent");
} else {
AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
StringBuffer b = new StringBuffer();
b.append("dn='");
if (ac == null) {
b.append("No User");
} else {
b.append(ac.getAuthInfo().getUserDN());
}
b.append("' - '").append(header).append("'");
logger.info(b.toString());
}
step.setSuccess(true);
holder.getConfig().getAuthManager().nextAuth(request, response, request.getSession(), false);
}
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class UnisonServletFilter method doFilter.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = new LocalSessionRequest((HttpServletRequest) request);
HttpServletResponse resp = (HttpServletResponse) response;
ConfigManager cfg = (ConfigManager) ctx.getAttribute(ProxyConstants.TREMOLO_CONFIG);
SessionManager sessionMgr = (SessionManager) ctx.getAttribute(ProxyConstants.TREMOLO_SESSION_MANAGER);
ProxyRequest pr = null;
try {
pr = new ProxyRequest((HttpServletRequest) req);
} catch (Exception e1) {
logger.error("Unable to create request", e1);
throw new IOException("Could not create request");
}
try {
req.setAttribute(ProxyConstants.TREMOLO_FILTER_CHAIN, chain);
NextEmbSys embSys = new NextEmbSys(this.cfg.getServletContext(), chain, passOn);
/*System.err.println("*** Begin Request ****");
System.err.println("url = '" + ((HttpServletRequest)req).getRequestURL() + "'");
Cookie[] cookies = ((HttpServletRequest) req).getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
System.err.println("'" + cookie.getName() + "'='" + cookie.getValue() + "'");
}
}
System.err.println("*** End Request ****");*/
String fwdProto = req.getHeader("X-Forwarded-Proto");
boolean toSSL = false;
if (cfg.isForceToSSL()) {
if (fwdProto != null) {
toSSL = fwdProto.equalsIgnoreCase("http");
} else {
toSSL = !req.getRequestURL().toString().toLowerCase().startsWith("https");
}
}
if (toSSL) {
StringBuffer redirURL = new StringBuffer();
URL reqURL = new URL(req.getRequestURL().toString());
redirURL.append("https://").append(reqURL.getHost());
if (cfg.getExternalSecurePort() != 443) {
redirURL.append(":").append(cfg.getSecurePort());
}
redirURL.append(reqURL.getPath());
if (reqURL.getQuery() != null) {
redirURL.append('?').append(reqURL.getQuery());
}
resp.sendRedirect(redirURL.toString());
return;
}
// add hsts
if (GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getApplications().isHsts()) {
StringBuffer sb = new StringBuffer();
sb.append("max-age=").append(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getApplications().getHstsTTL()).append(" ; includeSubDomains");
resp.addHeader("Strict-Transport-Security", sb.toString());
}
req.setAttribute(ProxyConstants.TREMOLO_CFG_OBJ, cfg);
HttpServletRequest servReq = (HttpServletRequest) req;
String URL;
HttpSession sharedSession = null;
UrlHolder holder = null;
URL = servReq.getRequestURL().toString();
holder = cfg.findURL(URL);
boolean isForcedAuth = false;
RequestHolder reqHolder = null;
String sessionCookieName = req.getParameter("sessionCookie");
if (sessionCookieName == null) {
Cookie[] cookies = ((HttpServletRequest) req).getCookies();
if (cookies != null) {
for (int i = 0; i < cookies.length; i++) {
if (cookies[i].getName().equals("autoIdmSessionCookieName")) {
sessionCookieName = cookies[i].getValue();
}
}
}
}
if (sessionCookieName == null) {
} else {
}
if (holder == null) {
// check the session
sharedSession = sessionMgr.getSession(sessionCookieName, holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
if (sharedSession != null) {
AuthController actl = (AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL);
if (actl.getHolder() != null) {
URL = ((AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL)).getHolder().getURL();
holder = cfg.findURL(URL);
}
}
} else {
sharedSession = sessionMgr.getSession(holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
}
// LocalSessionRequest lsr = new LocalSessionRequest((HttpServletRequest)req,sharedSession);
if (sharedSession != null) {
pr.setSession(sharedSession);
}
if ((holder == null || holder.getUrl().getUri().equalsIgnoreCase("/")) && req.getRequestURI().startsWith(cfg.getAuthPath()) && sessionCookieName == null) {
// if (req.getRequestURI().startsWith("/auth/")) {
AuthMechanism authMech = cfg.getAuthMech(((HttpServletRequest) req).getRequestURI());
if (authMech != null) {
String finalURL = authMech.getFinalURL(pr, resp);
if (resp.getStatus() == 302) {
// redirect sent, stop processing
return;
}
if (finalURL != null) {
holder = cfg.findURL(finalURL);
if (holder != null) {
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
HashMap<String, Attribute> params = new HashMap<String, Attribute>();
ProxyUtil.loadParams(req, params);
if (req instanceof ProxyRequest) {
reqHolder = new RequestHolder(HTTPMethod.GET, params, finalURL, true, act.getName(), ((ProxyRequest) req).getQueryStringParams());
} else {
reqHolder = new RequestHolder(HTTPMethod.GET, params, finalURL, true, act.getName(), ((com.tremolosecurity.embedd.LocalSessionRequest) req).getQueryStringParams());
}
isForcedAuth = true;
sharedSession = sessionMgr.getSession(holder, ((HttpServletRequest) req), ((HttpServletResponse) resp), this.ctx);
if (sharedSession != null) {
pr.setSession(sharedSession);
}
Cookie lsessionCookieName = new Cookie("autoIdmSessionCookieName", holder.getApp().getCookieConfig().getSessionCookieName());
String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
if (domain != null) {
lsessionCookieName.setDomain(domain);
}
lsessionCookieName.setPath("/");
lsessionCookieName.setMaxAge(-1);
lsessionCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, lsessionCookieName, (HttpServletResponse) response);
}
Cookie appCookieName = new Cookie("autoIdmAppName", URLEncoder.encode(holder.getApp().getName(), "UTF-8"));
if (domain != null) {
appCookieName.setDomain(domain);
}
appCookieName.setPath("/");
appCookieName.setMaxAge(-1);
appCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, appCookieName, (HttpServletResponse) response);
}
// resp.addCookie(appCookieName);
}
}
}
}
req.setAttribute(ProxyConstants.AUTOIDM_CFG, holder);
req.setAttribute(ProxyConstants.TREMOLO_IS_FORCED_AUTH, isForcedAuth);
req.setAttribute(ProxyConstants.TREMOLO_REQ_HOLDER, reqHolder);
if (!resp.isCommitted()) {
embSys.nextSys(pr, (HttpServletResponse) resp);
}
} catch (Exception e) {
req.setAttribute("TREMOLO_ERROR_REQUEST_URL", req.getRequestURL().toString());
req.setAttribute("TREMOLO_ERROR_EXCEPTION", e);
logger.error("Could not process request", e);
StringBuffer b = new StringBuffer();
b.append(cfg.getAuthFormsPath()).append("error.jsp");
req.getRequestDispatcher(b.toString()).forward(pr, resp);
}
}
Aggregations