
Example 26 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class PersistentCookie method doWork.

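/**
 * Authenticates the caller from a persistent (remember-me) cookie.
 *
 * <p>The cookie named by the {@code cookieName} mechanism parameter holds a LastMile
 * token encrypted with the secret key {@code keyAlias}. The token is accepted only when
 * it decrypts, {@code lastmile.isValid()} holds, its {@code CLIENT_IP} attribute equals
 * the request's remote address and - if {@code useSSLSessionID} is {@code true} - its
 * {@code SSL_SESSION_ID} equals the current TLS session id. A token without a
 * {@code CLIENT_IP} attribute is rejected (the binding check fails closed). On success
 * the entry named by the token's {@code DN} is read from MyVD and stored as the
 * session's {@link AuthInfo}. Every path ends by handing control to
 * {@code AuthManager.nextAuth(...)}.
 *
 * @param request  current request; must carry the {@link UrlHolder} under
 *                 {@code ProxyConstants.AUTOIDM_CFG}
 * @param response current response, passed through to the auth manager
 * @param as       the step being executed; marked executed, then successful or not
 * @throws ServletException if the URL holder, the mechanism parameters, any of the
 *                          required parameters ({@code cookieName}, {@code millisToLive},
 *                          {@code keyAlias}) or the secret key is missing
 * @throws IOException      propagated from the auth manager
 */
private void doWork(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    as.setExecuted(true);
    MyVDConnection myvd = cfgMgr.getMyVD();
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    if (authParams == null) {
        throw new ServletException("No authentication mechanism parameters in session");
    }
    String cookieName = requiredMechParam(authParams, "cookieName", "No cookie name specified");
    Attribute sslParam = authParams.get("useSSLSessionID");
    boolean useSSLSessionID = sslParam != null && sslParam.getValues().get(0).equalsIgnoreCase("true");
    // Parsed only so a malformed value is reported at configuration time; the value itself is
    // not consulted here. NOTE(review): the lifetime is presumably enforced by the token
    // (see lastmile.isValid() below) - confirm.
    Long.parseLong(requiredMechParam(authParams, "millisToLive", "No milliseconds to live specified"));
    String keyAlias = requiredMechParam(authParams, "keyAlias", "No key name specified");

    Cookie authCookie = findCookieByName(request, cookieName);
    if (authCookie == null) {
        // No cookies at all, or none with the configured name: not an error, just not authenticated.
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    com.tremolosecurity.lastmile.LastMile lastmile = new com.tremolosecurity.lastmile.LastMile();
    SecretKey key = this.cfgMgr.getSecretKey(keyAlias);
    if (key == null) {
        throw new ServletException("Secret key '" + keyAlias + "' does not exist");
    }
    try {
        lastmile.loadLastMielToken(stripCookieQuotes(authCookie.getValue()), key);
    } catch (Exception e) {
        // Any decryption or parsing failure counts as "no usable cookie", never as a server error.
        logger.warn("Could not decrypt cookie", e);
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    if (!lastmile.isValid()) {
        logger.warn("Cookie no longer valid");
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    // Bind the token to the client: CLIENT_IP is mandatory (defaults to "not valid"),
    // SSL_SESSION_ID is only demanded when the mechanism is configured to use it.
    boolean validip = false;
    boolean validSslSessionId = !useSSLSessionID;
    String dn = null;
    for (Attribute attrib : lastmile.getAttributes()) {
        String name = attrib.getName();
        if (name.equalsIgnoreCase("CLIENT_IP")) {
            validip = attrib.getValues().get(0).equals(request.getRemoteAddr());
        } else if (name.equalsIgnoreCase("DN")) {
            dn = attrib.getValues().get(0);
        } else if (name.equalsIgnoreCase("SSL_SESSION_ID")) {
            validSslSessionId = attrib.getValues().get(0).equals(sslSessionIdOf(request));
        }
    }

    if (dn == null || !validip || !validSslSessionId) {
        as.setSuccess(false);
    } else {
        try {
            LDAPSearchResults res = myvd.search(dn, 0, "(objectClass=*)", new ArrayList<String>());
            if (res.hasMore()) {
                LDAPEntry entry = res.next();
                AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
                ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
                // Copy every directory attribute of the entry onto the auth info.
                Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
                while (it.hasNext()) {
                    LDAPAttribute ldapattr = it.next();
                    Attribute userAttr = new Attribute(ldapattr.getName());
                    for (String val : ldapattr.getStringValueArray()) {
                        userAttr.getValues().add(val);
                    }
                    authInfo.getAttribs().put(userAttr.getName(), userAttr);
                }
                as.setSuccess(true);
            } else {
                as.setSuccess(false);
            }
        } catch (LDAPException e) {
            // Invalid credentials is an expected outcome; anything else is worth an error log.
            if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
                logger.error("Could not authenticate user", e);
            }
            as.setSuccess(false);
        }
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Returns the first value of the named mechanism parameter.
 *
 * @throws ServletException with {@code message} when the parameter is absent
 */
private static String requiredMechParam(HashMap<String, Attribute> params, String name, String message) throws ServletException {
    Attribute param = params.get(name);
    if (param == null) {
        throw new ServletException(message);
    }
    return param.getValues().get(0);
}

/** Returns the first request cookie whose name matches {@code name} case-insensitively, or {@code null}. */
private static Cookie findCookieByName(HttpServletRequest request, String name) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
        return null;
    }
    for (Cookie cookie : cookies) {
        if (cookie.getName().equalsIgnoreCase(name)) {
            return cookie;
        }
    }
    return null;
}

/**
 * Removes one pair of surrounding double quotes (a quoted cookie-value), if present.
 * Unbalanced or lone quotes are left untouched rather than trimmed blindly.
 */
private static String stripCookieQuotes(String value) {
    if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
        return value.substring(1, value.length() - 1);
    }
    return value;
}

/** The request's TLS session id, Base64-encoded when the container exposes it as raw bytes. */
private static Object sslSessionIdOf(HttpServletRequest request) {
    Object sessionID = request.getAttribute("javax.servlet.request.ssl_session_id");
    if (sessionID instanceof byte[]) {
        return new String(Base64.encodeBase64((byte[]) sessionID));
    }
    return sessionID;
}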

Example 27 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SecretQuestionAuth method doPost.

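/**
 * Verifies the answers posted for the secret questions shown by {@code doGet}.
 *
 * <p>The questions are read back from the session attribute {@code TREMOLO_SECRET_ANSWERS};
 * the answer to question {@code i} is expected in request parameter {@code answer<i>} and is
 * checked with {@code SecretQuestion.checkAnswer(alg, answer, salt)} using the mechanism
 * parameters {@code alg} and {@code salt}. A wrong answer fails the step only when the
 * mechanism is marked {@code required} in the chain; otherwise every answer is checked but
 * the step still succeeds. If no questions are in the session the form is shown again.
 *
 * @param request  current request; must carry the {@link UrlHolder} under
 *                 {@code ProxyConstants.AUTOIDM_CFG}
 * @param response current response, passed through to the auth manager
 * @param as       the step being executed
 * @throws ServletException if no URL holder is attached to the request
 * @throws IOException      propagated from {@code doGet} or the auth manager
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String alg = authParams.get("alg").getValues().get(0);
    String salt = authParams.get("salt").getValues().get(0);
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    @SuppressWarnings("unchecked")
    ArrayList<SecretQuestion> questions = (ArrayList<SecretQuestion>) request.getSession(true).getAttribute("TREMOLO_SECRET_ANSWERS");
    if (questions == null) {
        // Nothing was presented in this session yet: show the form instead of failing.
        this.doGet(request, response, as);
        return;
    }
    for (int i = 0; i < questions.size(); i++) {
        String answer = request.getParameter("answer" + i);
        if (!questions.get(i).checkAnswer(alg, answer, salt) && amt.getRequired().equals("required")) {
            as.setSuccess(false);
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
            return;
        }
    }
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}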

Example 28 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AcknowledgeAuthMech method doPost.

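/**
 * Records the user's answer to the acknowledgement form shown by {@code doGet}.
 *
 * <p>Without an {@code acknowledge} parameter the form is (re)displayed. The step succeeds
 * only when the parameter equals {@code yes} (case-insensitive); any other value marks it
 * failed. A non-empty {@code target} parameter replaces the URL the chain continues to.
 *
 * @param req  current request; must carry the {@link UrlHolder} under
 *             {@code ProxyConstants.AUTOIDM_CFG}
 * @param resp current response, passed through to the auth manager
 * @param as   the step being executed
 * @throws ServletException if no URL holder is attached to the request
 * @throws IOException      propagated from {@code doGet} or the auth manager
 */
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
    String acknowledge = req.getParameter("acknowledge");
    if (acknowledge == null) {
        this.doGet(req, resp, as);
        return;
    }
    HttpSession session = req.getSession();
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    as.setSuccess(acknowledge.equalsIgnoreCase("yes"));
    String redirectToURL = req.getParameter("target");
    if (redirectToURL != null && !redirectToURL.isEmpty()) {
        // NOTE(review): "target" is caller-supplied and becomes the post-auth destination
        // without validation here; confirm RequestHolder.setURL or a later stage restricts
        // it to configured URLs, otherwise this is an open-redirect risk.
        reqHolder.setURL(redirectToURL);
    }
    holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}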

Example 29 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AnonAuth method setAnonCtx.

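/**
 * Establishes the anonymous authentication context and advances the chain.
 *
 * <p>Resolves the auth chain by the name configured on the request's URL (not from the
 * session's request holder), builds the session through {@code createSession} and marks
 * the step successful - anonymous access never fails here.
 *
 * @param request  current request; must carry the {@link UrlHolder} under
 *                 {@code ProxyConstants.AUTOIDM_CFG}
 * @param response current response, passed through to the auth manager
 * @param as       the step being executed
 * @throws ServletException if no URL holder is attached to the request
 * @throws IOException      propagated from the auth manager
 */
private void setAnonCtx(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws ServletException, IOException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    String urlChain = holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
    createSession(session, act);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}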

Example 30 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AuthMgrSys method doAuthMgr.

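/**
 * Routes an authentication request to the mechanism for the current step of the user's
 * auth chain.
 *
 * <p>When the session's {@link AuthController} has no {@link RequestHolder} and the request
 * carries no {@link UrlHolder}, the chain is bootstrapped from the mechanism's final URL:
 * the URL is looked up, a request holder is created and the first mechanism's parameters
 * are loaded into the session. The chain name is then taken from the request holder, else
 * from the URL holder; if no mechanism or chain matches, control passes to {@code nextSys}.
 * For an explicit step ({@code as != null}) the request URI must end with that step's
 * mechanism URI - otherwise the request is treated as a replayed/double post and redirected
 * to {@code resetChain.jsp} instead of advancing the chain. Finally the request is
 * dispatched by HTTP method; unknown methods fall back to {@code doGet}.
 *
 * @param request  current request
 * @param response current response
 * @param nextSys  next stage in the proxy pipeline, invoked when no authentication applies
 * @param as       the step to execute, or {@code null} to start at step 0
 * @throws ServletException if the request URI maps to no mechanism while bootstrapping, the
 *                          chain cannot be bootstrapped, the step's mechanism is unknown, or
 *                          the chain has no mechanisms
 * @throws IOException      propagated from the mechanism, {@code nextSys} or the redirect
 */
public void doAuthMgr(HttpServletRequest request, HttpServletResponse response, NextSys nextSys, AuthStep as) throws ServletException, IOException {
    String uri = request.getRequestURI();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    ConfigManager cfgMgr = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    AuthController actl = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);

    if (actl != null && actl.getHolder() == null && holder == null) {
        // Nothing set up yet for this request: bootstrap the chain from the mechanism's URL.
        AuthMechanism authMech = cfgMgr.getAuthMech(uri);
        if (authMech == null) {
            throw new ServletException("Unknown URI : " + uri);
        }
        String finalURL = authMech.getFinalURL(request, response);
        if (finalURL != null) {
            try {
                holder = cfgMgr.findURL(finalURL);
                AuthChainType bootstrapChain = holder.getConfig().getAuthChains().get(holder.getUrl().getAuthChain());
                HashMap<String, Attribute> params = new HashMap<String, Attribute>();
                ProxyUtil.loadParams(request, params);
                actl.setHolder(new RequestHolder(HTTPMethod.GET, params, finalURL, true, bootstrapChain.getName(), ((ProxyRequest) request).getQueryStringParams()));
                request.setAttribute(ProxyConstants.AUTOIDM_CFG, holder);
                holder.getConfig().getAuthManager().loadAmtParams(request.getSession(), bootstrapChain.getAuthMech().get(0));
            } catch (Exception e) {
                throw new ServletException("Could not run authentication", e);
            }
        }
    }

    // The request holder wins over the URL holder when both are present.
    String actName;
    if (actl != null && actl.getHolder() != null) {
        actName = actl.getHolder().getAuthChainName();
    } else if (holder != null) {
        actName = holder.getUrl().getAuthChain();
    } else {
        actName = null;
    }
    AuthChainType act = actName != null ? cfgMgr.getAuthChains().get(actName) : null;
    AuthMechanism mech = cfgMgr.getAuthMech(uri);
    if (mech == null || act == null) {
        nextSys.nextSys(request, response);
        return;
    }
    act = AuthManagerImpl.buildACT(act, cfgMgr);

    int step = 0;
    if (as != null) {
        AuthMechType amt = act.getAuthMech().get(as.getId());
        String amtName = amt.getName();
        MechanismType mech2 = cfgMgr.getAuthMechs().get(amtName);
        if (mech2 == null) {
            throw new ServletException("Unknown authentication mechanism : " + amtName);
        }
        // A post for a step must arrive at that step's own URI; anything else is reset rather
        // than allowed to advance the chain. NOTE(review): this is a suffix match only -
        // confirm mechanism URIs are unique suffixes.
        if (!uri.endsWith(mech2.getUri())) {
            logger.warn("Attempted double post");
            response.sendRedirect(cfgMgr.getAuthFormsPath() + "/resetChain.jsp");
            return;
        }
        step = as.getId();
    } else if (act.getAuthMech().isEmpty()) {
        throw new ServletException("Auth chain '" + act.getName() + "' has no mechanisms");
    }

    String method = request.getMethod();
    if (method.equalsIgnoreCase("get")) {
        mech.doGet(request, response, as);
    } else if (method.equalsIgnoreCase("post")) {
        mech.doPost(request, response, as);
    } else if (method.equalsIgnoreCase("put") || method.equalsIgnoreCase("patch")) {
        mech.doPut(request, response, as);
    } else if (method.equalsIgnoreCase("delete")) {
        mech.doDelete(request, response, as);
    } else if (method.equalsIgnoreCase("head")) {
        mech.doHead(request, response, as);
    } else if (method.equalsIgnoreCase("options")) {
        mech.doOptions(request, response, as);
    } else {
        // Unrecognised verbs are handled as GET.
        mech.doGet(request, response, as);
    }
}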
