use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
The class FormLoginAuthMech, method doPost.
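/**
 * Handles the submitted login form for this mechanism.
 *
 * <p>The user entry is located through MyVD with a filter that is either the
 * {@code uidAttr} mechanism parameter used as a {@code ${param}} template (when
 * {@code uidIsFilter} is {@code true}) or a single equality filter on
 * {@code uidAttr} against the {@code user} request parameter. The first matching
 * entry is bound with the {@code pwd} parameter, its attributes are copied into a
 * new {@link AuthInfo} on the session's {@link AuthController}, the credential
 * parameters are removed from the request and control returns to the AuthManager
 * through {@code nextAuth}.
 *
 * @param req  the form submission; reads {@code user}, {@code pwd} and {@code target}
 * @param resp passed through to the AuthManager
 * @param as   the chain step this mechanism fulfils; its success flag is set here
 * @throws ServletException if no {@link UrlHolder} is attached to the request or the
 *                          {@code uidAttr} template is malformed
 * @throws IOException      propagated from the AuthManager
 */
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
    String userDN = null;
    MyVDConnection myvd = cfgMgr.getMyVD();
    HttpSession session = req.getSession();
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = authCtl.getHolder();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    // Mechanism parameters: which attribute identifies the user, and whether that
    // setting is really a filter template rather than an attribute name.
    String uidAttr = "uid";
    Attribute uidAttrParam = authParams.get("uidAttr");
    if (uidAttrParam != null) {
        uidAttr = uidAttrParam.getValues().get(0);
    }
    Attribute uidIsFilterParam = authParams.get("uidIsFilter");
    boolean uidIsFilter = uidIsFilterParam != null
            && uidIsFilterParam.getValues().get(0).equalsIgnoreCase("true");

    String filter;
    if (uidIsFilter) {
        filter = expandFilterTemplate(uidAttr, req);
    } else {
        String userParam = req.getParameter("user");
        // A missing user name must never match an entry.
        filter = userParam == null ? "(!(objectClass=*))" : equal(uidAttr, userParam).toString();
    }

    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());

    String password = req.getParameter("pwd");
    if (password == null || password.trim().isEmpty()) {
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
        return;
    }

    try {
        LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, filter, new ArrayList<String>());
        // Only the first match is considered; a filter matching several entries
        // silently binds as the first one returned.
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            userDN = entry.getDN();
            // Bind with the password already validated above instead of re-reading the parameter.
            myvd.bind(userDN, password);
            AuthInfo authInfo = new AuthInfo(userDN, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            authCtl.setAuthInfo(authInfo);
            Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
            while (it.hasNext()) {
                LDAPAttribute attrib = it.next();
                Attribute attr = new Attribute(attrib.getName());
                for (String val : attrib.getStringValueArray()) {
                    attr.getValues().add(val);
                }
                authInfo.getAttribs().put(attr.getName(), attr);
            }
            as.setSuccess(true);
        } else {
            req.setAttribute(ProxyConstants.AUTH_FAILED_USER_DN, userDN);
            as.setSuccess(false);
        }
    } catch (LDAPException e) {
        // A wrong password is the expected failure mode and is not worth an error log.
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        req.setAttribute(ProxyConstants.AUTH_FAILED_USER_DN, userDN);
        as.setSuccess(false);
    }

    // NOTE(review): "target" is taken verbatim from the request; confirm the AuthManager
    // validates it against the configured URLs before redirecting (open-redirect risk).
    String redirectToURL = req.getParameter("target");
    if (redirectToURL != null && !redirectToURL.isEmpty()) {
        reqHolder.setURL(redirectToURL);
    }

    // Keep the credentials out of anything downstream that re-reads the parameters.
    ProxyRequest pr = (ProxyRequest) req;
    pr.removeParameter("pwd");
    pr.removeParameter("user");
    holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}

/**
 * Expands a {@code ${param}} filter template, substituting each placeholder with the
 * named request parameter. Values are escaped per RFC 4515 so request input can only
 * ever be a literal inside the filter, never alter its structure. A missing parameter
 * is substituted as the text {@code null} (unchanged from the original behaviour).
 *
 * @param template the {@code uidAttr} mechanism parameter
 * @param req      source of the substituted parameter values
 * @return the expanded filter string
 * @throws ServletException if a {@code ${} has no closing brace
 */
private static String expandFilterTemplate(String template, HttpServletRequest req) throws ServletException {
    StringBuilder b = new StringBuilder();
    int lastIndex = 0;
    int index = template.indexOf('$');
    while (index >= 0) {
        int close = template.indexOf('}', index);
        if (close < index + 2) {
            throw new ServletException("Malformed uidAttr filter template: " + template);
        }
        b.append(template, lastIndex, index);
        String reqName = template.substring(index + 2, close);
        b.append(escapeFilterValue(String.valueOf(req.getParameter(reqName))));
        lastIndex = close + 1;
        // Resume after the placeholder so a '$' inside the parameter name is not re-parsed.
        index = template.indexOf('$', lastIndex);
    }
    b.append(template.substring(lastIndex));
    return b.toString();
}

/**
 * Escapes the characters RFC 4515 reserves inside an LDAP filter assertion value.
 *
 * @param value the raw value
 * @return the value with {@code \ * ( )} and NUL hex-escaped
 */
private static String escapeFilterValue(String value) {
    StringBuilder out = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
        switch (c) {
            case '\\':
                out.append("\\5c");
                break;
            case '*':
                out.append("\\2a");
                break;
            case '(':
                out.append("\\28");
                break;
            case ')':
                out.append("\\29");
                break;
            case '\0':
                out.append("\\00");
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}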
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
The class IWAAuth, method doGet.
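/**
 * Completes an Integrated Windows Authentication (SPNEGO) exchange.
 *
 * <p>The {@code Authorization} header is handed to each configured realm's
 * {@link SpnegoAuthenticator} in turn; the first one that returns a principal
 * wins. That principal is then looked up in MyVD by {@code userPrincipalName},
 * its attributes are copied into a new {@link AuthInfo} on the session's
 * {@link AuthController}, and the AuthManager is asked to continue the chain.
 *
 * @param request  the inbound request; reads the {@code Authorization} header
 * @param response passed to the SPNEGO authenticator and the AuthManager
 * @param as       the chain step this mechanism fulfils; its success flag is set here
 * @throws ServletException if no {@link UrlHolder} is attached to the request
 * @throws IOException      propagated from {@code sendFail} or the AuthManager
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String header = request.getHeader("Authorization");
    HttpSession session = request.getSession();
    if (header == null) {
        sendFail(request, response, as);
        return;
    }

    SpnegoPrincipal principal = null;
    for (SpnegoAuthenticator authenticator : this.domains.values()) {
        SpnegoHttpServletResponse spnegoResponse = new SpnegoHttpServletResponse(response);
        try {
            principal = authenticator.authenticate(request, spnegoResponse);
            break;
        } catch (GSSException gsse) {
            logger.error("Could not authenticate IWA user", gsse);
        } catch (Exception e) {
            // Any other failure for this realm is logged and the next realm is tried.
            // Errors (OOM, linkage) are deliberately no longer swallowed here.
            logger.error("Could not authenticate IWA user", e);
        }
    }
    if (principal == null) {
        sendFail(request, response, as);
        return;
    }

    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = authCtl.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    MyVDConnection myvd = cfgMgr.getMyVD();

    try {
        // The filter comes from equal(); the hand-built StringBuffer copy that used to
        // sit beside it was never used.
        String upn = principal.toString();
        LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, equal("userPrincipalName", upn).toString(), new ArrayList<String>());
        if (res.hasMore()) {
            logger.info("Loading user attributes");
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            authCtl.setAuthInfo(authInfo);
            Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
            while (it.hasNext()) {
                LDAPAttribute attrib = it.next();
                Attribute attr = new Attribute(attrib.getName());
                for (String val : attrib.getStringValueArray()) {
                    attr.getValues().add(val);
                }
                authInfo.getAttribs().put(attr.getName(), attr);
            }
            as.setSuccess(true);
            session.removeAttribute("TREMOLO_IWA_CHECKED");
        } else {
            // A valid Kerberos principal with no directory entry fails this step but
            // still lets the chain continue below.
            logger.info("user not found, failing");
            as.setSuccess(false);
        }
    } catch (LDAPException e) {
        logger.error("Could not authenticate user", e);
        as.setSuccess(false);
        sendFail(request, response, as);
        return;
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, true);
}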
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
The class SendMessageThread, method doGet.
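/**
 * Drives the e-mail ("send message") authentication flow.
 *
 * <p>Three entry points share this handler: a request carrying {@code email}
 * generates and sends a reset key; a request carrying neither {@code email} nor
 * {@code key} is redirected to the e-mail collection page; a request carrying
 * {@code key} finishes the login for that key. When the holder was not attached
 * by the proxy it is resolved from the final URL, and when no auth steps exist
 * yet (e.g. an IdP-initiated SAML flow) they are created from the chain.
 *
 * @param request  the inbound request; reads {@code email} and {@code key}
 * @param response used for the redirect or passed on to {@code finishLogin}
 * @param as       the chain step; may be {@code null} for the key flow, in which
 *                 case the first step of the freshly built chain is used
 * @throws ServletException if the mechanism is disabled, the URL configuration
 *                          cannot be resolved, a required mechanism parameter is
 *                          missing, or the database login fails
 * @throws IOException      propagated from the redirect or {@code finishLogin}
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    if (!this.enabled) {
        throw new ServletException("Operation Not Supported");
    }
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        // Reached without the proxy's URL lookup; resolve the configuration ourselves.
        String finalURL = this.getFinalURL(request, response);
        try {
            holder = cfgMgr.findURL(finalURL);
            request.setAttribute(ProxyConstants.AUTOIDM_CFG, holder);
        } catch (Exception e) {
            throw new ServletException("Could not run authentication", e);
        }
    }
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = authCtl.getHolder();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());

    if (request.getParameter("email") != null) {
        String splashRedirect = requiredParam(authParams, "splashRedirect");
        String noUserSplash = requiredParam(authParams, "noUserSplash");
        generateResetKey(request, response, splashRedirect, noUserSplash, as, act, this.lookupAttributeName);
        return;
    }

    String key = request.getParameter("key");
    if (key == null) {
        // The redirect target is configuration, not request input.
        response.sendRedirect(requiredParam(authParams, "emailCollectionRedir"));
        return;
    }

    org.hibernate.Session con = null;
    try {
        con = this.sessionFactory.openSession();
        if (as == null || authCtl.getAuthSteps().size() == 0) {
            // like saml2 idp initiated, this is a special use case: build the steps
            // for the chain so the key can complete the first one.
            ArrayList<AuthStep> auths = authCtl.getAuthSteps();
            int id = 0;
            for (AuthMechType amt : act.getAuthMech()) {
                AuthStep asx = new AuthStep();
                asx.setId(id);
                asx.setExecuted(false);
                asx.setRequired(amt.getRequired().equals("required"));
                asx.setSuccess(false);
                auths.add(asx);
                id++;
            }
            as = auths.get(0);
        }
        AuthMechType amt = act.getAuthMech().get(as.getId());
        finishLogin(request, response, session, act, as.getId(), amt, minValidKey, key, con, reqHolder, as);
    } catch (SQLException e) {
        throw new ServletException("Could not complete login", e);
    } finally {
        if (con != null) {
            con.close();
        }
    }
}

/**
 * Returns the first value of a mechanism parameter that this flow cannot run without.
 *
 * @param authParams the mechanism parameters stored on the session
 * @param name       the parameter name
 * @return its first value
 * @throws ServletException if the parameter is absent or empty
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    Attribute attr = authParams == null ? null : authParams.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new ServletException("No " + name + " specified");
    }
    return attr.getValues().get(0);
}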
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
The class PersistentCookie, method doWork.
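/**
 * Authenticates the request from a previously issued persistent cookie holding a
 * LastMile token.
 *
 * <p>The token is loaded with the secret key named by {@code keyAlias} and must be
 * valid, carry a {@code CLIENT_IP} equal to the remote address and, when
 * {@code useSSLSessionID} is set, an {@code SSL_SESSION_ID} equal to the
 * container's TLS session id. The {@code DN} it carries is then read back from
 * MyVD and the entry's attributes become the session's {@link AuthInfo}. Every
 * failure path marks the step unsuccessful and hands control to the AuthManager.
 *
 * @param request  the inbound request; reads the cookies, the remote address and
 *                 the {@code javax.servlet.request.ssl_session_id} attribute
 * @param response passed through to the AuthManager
 * @param as       the chain step this mechanism fulfils; marked executed here
 * @throws ServletException if no {@link UrlHolder} is attached, a required
 *                          mechanism parameter is missing or malformed, or the
 *                          secret key does not exist
 * @throws IOException      propagated from the AuthManager
 */
private void doWork(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    as.setExecuted(true);
    MyVDConnection myvd = cfgMgr.getMyVD();
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = authCtl.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    String cookieName = requiredParam(authParams, "cookieName", "No cookie name specified");
    Attribute useSslParam = authParams.get("useSSLSessionID");
    boolean useSSLSessionID = useSslParam != null && useSslParam.getValues().get(0).equalsIgnoreCase("true");
    String millisToLiveValue = requiredParam(authParams, "millisToLive", "No milliseconds to live specified");
    try {
        // Not consumed here - token validity is decided by LastMile.isValid(). Parsed so
        // that a malformed configuration fails loudly rather than with a bare
        // NumberFormatException. Presumably used where the cookie is issued; confirm.
        Long.parseLong(millisToLiveValue);
    } catch (NumberFormatException e) {
        throw new ServletException("millisToLive is not a number: '" + millisToLiveValue + "'", e);
    }
    String keyAlias = requiredParam(authParams, "keyAlias", "No key name specified");

    Cookie authCookie = findCookie(request.getCookies(), cookieName);
    if (authCookie == null) {
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    com.tremolosecurity.lastmile.LastMile lastmile = new com.tremolosecurity.lastmile.LastMile();
    SecretKey key = this.cfgMgr.getSecretKey(keyAlias);
    if (key == null) {
        throw new ServletException("Secret key '" + keyAlias + "' does not exist");
    }
    try {
        String cookieVal = authCookie.getValue();
        // Some containers return the value wrapped in quotes; strip them.
        if (cookieVal.startsWith("\"")) {
            cookieVal = cookieVal.substring(1, cookieVal.length() - 1);
        }
        lastmile.loadLastMielToken(cookieVal, key);
    } catch (Exception e) {
        // Includes a bare '"' value, whose substring call fails; treated as an unusable cookie.
        logger.warn("Could not decrypt cookie", e);
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    if (!lastmile.isValid()) {
        logger.warn("Cookie no longer valid");
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    // Both checks default to "not proven": the token must carry a matching CLIENT_IP,
    // and when the TLS session id is required it must carry a matching SSL_SESSION_ID.
    boolean validip = false;
    boolean validSslSessionId = !useSSLSessionID;
    String dn = null;
    for (Attribute attrib : lastmile.getAttributes()) {
        String name = attrib.getName();
        if (name.equalsIgnoreCase("CLIENT_IP")) {
            // NOTE(review): behind a reverse proxy getRemoteAddr() is the proxy's address;
            // confirm the issuing side records the same value.
            validip = attrib.getValues().get(0).equals(request.getRemoteAddr());
        } else if (name.equalsIgnoreCase("DN")) {
            dn = attrib.getValues().get(0);
        } else if (name.equalsIgnoreCase("SSL_SESSION_ID")) {
            Object sessionID = request.getAttribute("javax.servlet.request.ssl_session_id");
            if (sessionID instanceof byte[]) {
                sessionID = new String(Base64.encodeBase64((byte[]) sessionID));
            }
            validSslSessionId = attrib.getValues().get(0).equals(sessionID);
        }
    }

    if (dn == null || !validip || !validSslSessionId) {
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    try {
        // Base-scope read of the DN the token vouches for.
        LDAPSearchResults res = myvd.search(dn, 0, "(objectClass=*)", new ArrayList<String>());
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            authCtl.setAuthInfo(authInfo);
            Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
            while (it.hasNext()) {
                LDAPAttribute ldapattr = it.next();
                Attribute attr = new Attribute(ldapattr.getName());
                for (String val : ldapattr.getStringValueArray()) {
                    attr.getValues().add(val);
                }
                authInfo.getAttribs().put(attr.getName(), attr);
            }
            as.setSuccess(true);
        } else {
            as.setSuccess(false);
        }
    } catch (LDAPException e) {
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Returns the first value of a mechanism parameter this mechanism cannot run without.
 *
 * @param authParams the mechanism parameters stored on the session
 * @param name       the parameter name
 * @param message    the exception message to use when it is missing
 * @return its first value
 * @throws ServletException if the parameter is absent or empty
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name, String message) throws ServletException {
    Attribute attr = authParams == null ? null : authParams.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new ServletException(message);
    }
    return attr.getValues().get(0);
}

/**
 * Returns the first cookie whose name matches {@code name} case-insensitively.
 *
 * @param cookies the request's cookies, possibly {@code null}
 * @param name    the configured cookie name
 * @return the matching cookie, or {@code null} if there is none
 */
private static Cookie findCookie(Cookie[] cookies, String name) {
    if (cookies == null) {
        return null;
    }
    for (Cookie cookie : cookies) {
        if (cookie.getName().equalsIgnoreCase(name)) {
            return cookie;
        }
    }
    return null;
}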
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
The class SecretQuestionAuth, method doPost.
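/**
 * Verifies the answers submitted for the secret questions stored on the session.
 *
 * <p>Each question {@code i} is checked against the {@code answer<i>} request
 * parameter using the configured {@code alg} and {@code salt}. For a required
 * mechanism the first wrong answer fails the step immediately; otherwise every
 * answer is checked and the step succeeds only if all of them were correct. If no
 * questions have been presented yet the request is handed to {@code doGet}.
 *
 * @param request  the form submission; reads the {@code answer<i>} parameters
 * @param response passed through to the AuthManager
 * @param as       the chain step this mechanism fulfils; its success flag is set here
 * @throws ServletException if no {@link UrlHolder} is attached or {@code alg}/{@code salt}
 *                          are not configured
 * @throws IOException      propagated from the AuthManager
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String alg = requiredParam(authParams, "alg");
    String salt = requiredParam(authParams, "salt");
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());

    ArrayList<SecretQuestion> questions = (ArrayList<SecretQuestion>) session.getAttribute("TREMOLO_SECRET_ANSWERS");
    if (questions == null) {
        // Nothing has been asked yet; render the questions instead of grading answers.
        this.doGet(request, response, as);
        return;
    }

    boolean required = amt.getRequired().equals("required");
    boolean allCorrect = true;
    for (int i = 0; i < questions.size(); i++) {
        String answer = request.getParameter("answer" + i);
        if (!questions.get(i).checkAnswer(alg, answer, salt)) {
            allCorrect = false;
            if (required) {
                as.setSuccess(false);
                holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
                return;
            }
        }
    }
    // A non-required mechanism used to report success even after a wrong answer;
    // the step now reflects whether every answer checked out.
    as.setSuccess(allCorrect);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Returns the first value of a mechanism parameter this mechanism cannot run without.
 *
 * @param authParams the mechanism parameters stored on the session
 * @param name       the parameter name
 * @return its first value
 * @throws ServletException if the parameter is absent or empty
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    Attribute attr = authParams == null ? null : authParams.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new ServletException("No " + name + " specified");
    }
    return attr.getValues().get(0);
}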