Examples with AuthChainType com.tremolosecurity.config.xml.AuthChainType used on opensource projects
Example 31 with AuthChainType
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class SAML2Auth method procLogoutResp.
private String procLogoutResp(HttpServletRequest request, HttpServletResponse response, DocumentBuilderFactory factory, String saml, String relayState, String url) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, Exception, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, ServletException {
LogoutResponseUnmarshaller marshaller = new LogoutResponseUnmarshaller();
DocumentBuilder builder = factory.newDocumentBuilder();
Element root = builder.parse(new InputSource(new StringReader(saml))).getDocumentElement();
LogoutResponse logout = (LogoutResponse) marshaller.unmarshall(root);
String issuer = logout.getIssuer().getValue();
boolean found = false;
String algType = null;
String logoutURL = null;
List<String> sigKeys = new ArrayList<String>();
// Search for the right mechanism configuration
for (String chainname : cfgMgr.getAuthChains().keySet()) {
AuthChainType act = cfgMgr.getAuthChains().get(chainname);
for (AuthMechType amt : act.getAuthMech()) {
for (ParamWithValueType pt : amt.getParams().getParam()) {
String value = "";
if (pt.getValue() != null && !pt.getValue().isBlank()) {
value = pt.getValue();
} else {
value = pt.getValueAttribute();
}
if (pt.getName().equalsIgnoreCase("entityID") && value.equalsIgnoreCase(issuer)) {
// found the correct mechanism
found = true;
for (ParamWithValueType ptx : amt.getParams().getParam()) {
String valuex = "";
if (ptx.getValue() != null && !ptx.getValue().isBlank()) {
valuex = pt.getValue();
} else {
valuex = ptx.getValueAttribute();
}
if (ptx.getName().equalsIgnoreCase("sigAlg")) {
algType = valuex;
} else if (ptx.getName().equalsIgnoreCase("logoutURL")) {
logoutURL = valuex;
} else if (ptx.getName().equalsIgnoreCase("idpSigKeyName")) {
sigKeys.add(valuex);
}
}
break;
}
}
if (found) {
break;
}
}
if (found) {
break;
}
}
if (!found) {
throw new ServletException("Entity ID '" + issuer + "' not found");
}
String authnSig = request.getParameter("Signature");
if (authnSig != null) {
String sigAlg = request.getParameter("SigAlg");
StringBuffer query = new StringBuffer();
String qs = request.getQueryString();
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SAMLResponse"));
query.append('&');
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "RelayState"));
query.append('&');
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SigAlg"));
boolean validated = false;
for (String sigKeyName : sigKeys) {
java.security.cert.X509Certificate cert = this.cfgMgr.getCertificate(sigKeyName);
if (cert == null) {
continue;
}
String xmlAlg = SAML2Auth.xmlDigSigAlgs.get(algType);
if (!sigAlg.equalsIgnoreCase(xmlAlg)) {
throw new Exception("Invalid signature algorithm : '" + sigAlg + "'");
}
/*if (! logout.getDestination().equals(request.getRequestURL().toString())) {
throw new Exception("Invalid destination");
}*/
java.security.Signature sigv = java.security.Signature.getInstance(SAML2Auth.javaDigSigAlgs.get(algType));
sigv.initVerify(cert.getPublicKey());
sigv.update(query.toString().getBytes("UTF-8"));
if (sigv.verify(Base64.decodeBase64(authnSig.getBytes("UTF-8")))) {
validated = true;
}
}
if (!validated) {
throw new Exception("Signature verification failed");
}
}
response.sendRedirect(logoutURL);
return logoutURL;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
InputSource(org.xml.sax.InputSource)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
XSString(org.opensaml.core.xml.schema.XSString)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
LDAPException(com.novell.ldap.LDAPException)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
IOException(java.io.IOException)
Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException)
ServletException(javax.servlet.ServletException)
SignatureException(java.security.SignatureException)
SAXException(org.xml.sax.SAXException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InitializationException(org.opensaml.core.config.InitializationException)
MalformedURLException(java.net.MalformedURLException)
CertificateException(java.security.cert.CertificateException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
LogoutResponseUnmarshaller(org.opensaml.saml.saml2.core.impl.LogoutResponseUnmarshaller)
ServletException(javax.servlet.ServletException)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
StringReader(java.io.StringReader)
ParamWithValueType(com.tremolosecurity.config.xml.ParamWithValueType)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
Example 32 with AuthChainType
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class SAML2Auth method doPost.
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
MyVDConnection myvd = cfgMgr.getMyVD();
// HttpSession session = (HttpSession)
// req.getAttribute(ConfigFilter.AUTOIDM_SESSION);//((HttpServletRequest)
// req).getSession();
// //SharedSession.getSharedSession().getSession(req.getSession().getId());
// SharedSession.getSharedSession().getSession(req.getSession().getId());
HttpSession session = ((HttpServletRequest) req).getSession();
UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
AuthInfo userData = ((AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
if (userData.isAuthComplete() && userData.getAuthLevel() > 0) {
// Session is already set, just redirect to relay state
String relayState = this.getFinalURL(req, resp);
if (relayState == null) {
throw new ServletException("No RelayState or default RelayState");
}
resp.sendRedirect(relayState);
return;
}
if (as == null) {
// this is a special case - idp initiated means there's no context
ArrayList<AuthStep> auths = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthSteps();
int id = 0;
for (AuthMechType amt : act.getAuthMech()) {
AuthStep asx = new AuthStep();
asx.setId(id);
asx.setExecuted(false);
asx.setRequired(amt.getRequired().equals("required"));
asx.setSuccess(false);
auths.add(asx);
id++;
}
as = auths.get(0);
}
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
String defaultOC = authParams.get("defaultOC").getValues().get(0);
String spEncKey = null;
if (authParams.get("spEncKey") != null) {
spEncKey = authParams.get("spEncKey").getValues().get(0);
}
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
AuthMechType amt = act.getAuthMech().get(as.getId());
List<String> sigCertNames = authParams.get("idpSigKeyName").getValues();
List<X509Certificate> sigCerts = new ArrayList<X509Certificate>();
boolean isMultiIdp = authParams.get("isMultiIdP") != null && authParams.get("isMultiIdP").getValues().get(0).equalsIgnoreCase("true");
String ldapAttrib = authParams.get("ldapAttribute").getValues().get(0);
String dnLabel = authParams.get("dnOU").getValues().get(0);
String samlResp = req.getParameter("SAMLResponse");
String xml = null;
xml = new String(Base64.decodeBase64(samlResp), "UTF-8");
boolean assertionSigned = true;
if (authParams.get("assertionsSigned") != null) {
assertionSigned = Boolean.parseBoolean(authParams.get("assertionsSigned").getValues().get(0));
}
boolean responseSigned = false;
if (authParams.get("responsesSigned") != null) {
responseSigned = Boolean.parseBoolean(authParams.get("responsesSigned").getValues().get(0));
}
boolean assertionEncrypted = false;
if (authParams.get("assertionEncrypted") != null) {
assertionEncrypted = Boolean.parseBoolean(authParams.get("assertionEncrypted").getValues().get(0));
}
if (logger.isDebugEnabled()) {
logger.debug("=========saml2resp============");
logger.debug(xml);
logger.debug("=========saml2resp============");
}
xml = xml.replaceAll("<!--.*-->", "");
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
try {
DocumentBuilder builder = factory.newDocumentBuilder();
Element root = builder.parse(new InputSource(new StringReader(xml))).getDocumentElement();
Response samlResponse = (Response) XMLObjectSupport.getUnmarshaller(root).unmarshall(root);
if (isMultiIdp) {
try {
String dn = authParams.get("idpDir").getValues().get(0);
LDAPSearchResults res = cfgMgr.getMyVD().search(dn, 2, equal("issuer", samlResponse.getIssuer().getValue()).toString(), new ArrayList<String>());
if (!res.hasMore()) {
throw new ServletException("No IdP found");
}
LDAPEntry entry = res.next();
java.security.cert.CertificateFactory cf = java.security.cert.CertificateFactory.getInstance("X.509");
sigCerts.add((java.security.cert.X509Certificate) cf.generateCertificate(new ByteArrayInputStream(Base64.decodeBase64(entry.getAttribute("idpSig").getStringValue()))));
} catch (LDAPException e) {
throw new ServletException("Could not load IdP data", e);
} catch (CertificateException e) {
throw new ServletException("Could not load IdP data", e);
}
} else {
for (String sigCertName : sigCertNames) {
sigCerts.add(cfgMgr.getCertificate(sigCertName));
}
}
if (responseSigned) {
if (samlResponse.getSignature() != null) {
boolean foundSigned = false;
for (X509Certificate sigCert : sigCerts) {
if (sigCert != null) {
BasicCredential sigCred = new BasicCredential(sigCert.getPublicKey());
sigCred.setUsageType(UsageType.SIGNING);
try {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(samlResponse.getSignature());
SignatureValidator.validate(samlResponse.getSignature(), sigCred);
foundSigned = true;
} catch (org.opensaml.xmlsec.signature.support.SignatureException se) {
}
}
}
if (!foundSigned) {
throw new ServletException("could not validate response");
}
} else {
throw new Exception("Response not signed");
}
}
Assertion assertion = null;
if (samlResponse.getEncryptedAssertions().size() > 0) {
try {
EncryptedAssertion encAssertion = samlResponse.getEncryptedAssertions().get(0);
PrivateKey privKey = this.cfgMgr.getPrivateKey(spEncKey);
PublicKey pubKey = this.cfgMgr.getCertificate(spEncKey).getPublicKey();
Credential credential = new BasicCredential(pubKey, privKey);
StaticKeyInfoCredentialResolver resolver = new StaticKeyInfoCredentialResolver(credential);
Decrypter decrypter = new Decrypter(null, resolver, new InlineEncryptedKeyResolver());
decrypter.setRootInNewDocument(true);
assertion = decrypter.decrypt(encAssertion);
} catch (Exception e) {
throw new ServletException("Error decrypting assertion", e);
}
} else {
if (assertionEncrypted) {
throw new Exception("Assertion not encrypted");
}
if (samlResponse.getAssertions().size() == 0) {
throw new Exception("No assertions found");
}
assertion = (Assertion) samlResponse.getAssertions().get(0);
}
if (assertionSigned) {
if (assertion.getSignature() != null) {
boolean foundSigned = false;
for (X509Certificate sigCert : sigCerts) {
if (sigCert != null) {
BasicCredential sigCred = new BasicCredential(sigCert.getPublicKey());
sigCred.setUsageType(UsageType.SIGNING);
try {
SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator();
profileValidator.validate(assertion.getSignature());
SignatureValidator.validate(assertion.getSignature(), sigCred);
foundSigned = true;
} catch (org.opensaml.xmlsec.signature.support.SignatureException se) {
}
}
}
if (!foundSigned) {
throw new ServletException("Assertion can not be validated with a trusted certificate");
}
} else {
throw new Exception("No assertion signature");
}
}
// If it made it here, the assertion is valid, lets check the authncontextclassref
Attribute authnContextClassRef = authParams.get("authCtxRef");
if (authnContextClassRef != null && authnContextClassRef.getValues().size() > 0 && !authnContextClassRef.getValues().get(0).isEmpty() && !authnContextClassRef.getValues().get(0).equalsIgnoreCase("none") && (assertion.getAuthnStatements() == null || assertion.getAuthnStatements().size() == 0 || assertion.getAuthnStatements().get(0).getAuthnContext() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef() == null || assertion.getAuthnStatements().get(0).getAuthnContext() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef() == null || assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getURI() == null || !assertion.getAuthnStatements().get(0).getAuthnContext().getAuthnContextClassRef().getURI().equalsIgnoreCase(authnContextClassRef.getValues().get(0)))) {
logger.warn("Can not validate the authentication context classref");
as.setSuccess(false);
holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
return;
}
try {
if (authParams.get("dontLinkToLDAP") == null || authParams.get("dontLinkToLDAP").getValues().get(0).equalsIgnoreCase("false")) {
StringBuffer filter = new StringBuffer();
filter.append('(').append(ldapAttrib).append('=').append(assertion.getSubject().getNameID().getValue()).append(')');
LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, filter.toString(), new ArrayList<String>());
if (res.hasMore()) {
createUserFromDir(session, act, ldapAttrib, assertion, res);
} else {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
}
} else {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
}
} catch (LDAPException e) {
if (e.getResultCode() == 32) {
createUnlinkedUser(session, act, ldapAttrib, dnLabel, defaultOC, assertion);
} else {
throw e;
}
}
// logout management
Attribute logoutURLAttr = authParams.get("idpRedirLogoutURL");
if (logoutURLAttr != null && logoutURLAttr.getValues().size() > 0 && !logoutURLAttr.getValues().get(0).isEmpty() && authParams.get("spSigKey") != null && authParams.get("spSigKey").getValues().size() > 0) {
String logoutURL = logoutURLAttr.getValues().get(0);
String sessionIndex = assertion.getAuthnStatements().get(0).getSessionIndex();
String nameID = assertion.getSubject().getNameID().getValue();
String nameIDFormat = assertion.getSubject().getNameID().getFormat();
Saml2SingleLogout handler = new Saml2SingleLogout(logoutURL, sessionIndex, nameID, nameIDFormat, samlResponse.getDestination(), authParams.get("spSigKey").getValues().get(0), authParams.get("sigAlg").getValues().get(0), authParams.get("entityID").getValues().get(0));
LogoutUtil.addLogoutHandler(req, handler);
}
as.setSuccess(true);
} catch (Exception e) {
logger.error("Error Parsing Assertion", e);
throw new ServletException("error parsing assertion", e);
}
holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}
Also used :
InputSource(org.xml.sax.InputSource)
DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory)
PrivateKey(java.security.PrivateKey)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
XSString(org.opensaml.core.xml.schema.XSString)
AuthStep(com.tremolosecurity.proxy.auth.util.AuthStep)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UrlHolder(com.tremolosecurity.config.util.UrlHolder)
ServletException(javax.servlet.ServletException)
LDAPEntry(com.novell.ldap.LDAPEntry)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
PublicKey(java.security.PublicKey)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Assertion(org.opensaml.saml.saml2.core.Assertion)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
Decrypter(org.opensaml.saml.saml2.encryption.Decrypter)
X509Certificate(java.security.cert.X509Certificate)
LDAPException(com.novell.ldap.LDAPException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver)
Attribute(com.tremolosecurity.saml.Attribute)
LDAPAttribute(com.novell.ldap.LDAPAttribute)
Element(org.w3c.dom.Element)
StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver)
StringReader(java.io.StringReader)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
MyVDConnection(com.tremolosecurity.proxy.myvd.MyVDConnection)
BasicCredential(org.opensaml.security.credential.BasicCredential)
BasicCredential(org.opensaml.security.credential.BasicCredential)
Credential(org.opensaml.security.credential.Credential)
TremoloHttpSession(com.tremolosecurity.proxy.TremoloHttpSession)
HttpSession(javax.servlet.http.HttpSession)
Saml2SingleLogout(com.tremolosecurity.proxy.auth.saml2.Saml2SingleLogout)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
LDAPException(com.novell.ldap.LDAPException)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
IOException(java.io.IOException)
Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException)
ServletException(javax.servlet.ServletException)
SignatureException(java.security.SignatureException)
SAXException(org.xml.sax.SAXException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InitializationException(org.opensaml.core.config.InitializationException)
MalformedURLException(java.net.MalformedURLException)
CertificateException(java.security.cert.CertificateException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Response(org.opensaml.saml.saml2.core.Response)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
LDAPSearchResults(com.novell.ldap.LDAPSearchResults)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion)
Example 33 with AuthChainType
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class SAML2Auth method procLogoutReq.
private String procLogoutReq(HttpServletRequest request, HttpServletResponse response, DocumentBuilderFactory factory, String saml, String relayState, String url) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, Exception, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, ServletException {
LogoutRequestUnmarshaller marshaller = new LogoutRequestUnmarshaller();
DocumentBuilder builder = factory.newDocumentBuilder();
Element root = builder.parse(new InputSource(new StringReader(saml))).getDocumentElement();
org.opensaml.saml.saml2.core.impl.LogoutRequestImpl logout = (org.opensaml.saml.saml2.core.impl.LogoutRequestImpl) marshaller.unmarshall(root);
String issuer = logout.getIssuer().getValue();
boolean found = false;
String algType = null;
String logoutURL = null;
String entityID = null;
List<String> sigKeys = new ArrayList<String>();
// Search for the right mechanism configuration
for (String chainname : cfgMgr.getAuthChains().keySet()) {
AuthChainType act = cfgMgr.getAuthChains().get(chainname);
for (AuthMechType amt : act.getAuthMech()) {
for (ParamWithValueType pt : amt.getParams().getParam()) {
String value = "";
if (pt.getValue() != null && !pt.getValue().isBlank()) {
value = pt.getValue();
} else {
value = pt.getValueAttribute();
}
if (pt.getName().equalsIgnoreCase("entityID") && value.equalsIgnoreCase(issuer)) {
// found the correct mechanism
found = true;
for (ParamWithValueType ptx : amt.getParams().getParam()) {
String valuex = "";
if (ptx.getValue() != null && !ptx.getValue().isBlank()) {
valuex = pt.getValue();
} else {
valuex = ptx.getValueAttribute();
}
if (ptx.getName().equalsIgnoreCase("sigAlg")) {
algType = valuex;
} else if (ptx.getName().equalsIgnoreCase("triggerLogoutURL")) {
logoutURL = valuex;
} else if (ptx.getName().equalsIgnoreCase("idpSigKeyName")) {
sigKeys.add(valuex);
}
}
break;
}
}
if (found) {
break;
}
}
if (found) {
break;
}
}
if (!found) {
throw new ServletException("Entity ID '" + issuer + "' not found");
}
String authnSig = request.getParameter("Signature");
if (authnSig != null) {
String sigAlg = request.getParameter("SigAlg");
StringBuffer query = new StringBuffer();
String qs = request.getQueryString();
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SAMLRequest"));
query.append('&');
if (request.getParameter("RelayState") != null) {
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "RelayState"));
query.append('&');
}
query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SigAlg"));
boolean validated = false;
for (String sigKeyName : sigKeys) {
java.security.cert.X509Certificate cert = this.cfgMgr.getCertificate(sigKeyName);
if (cert == null) {
continue;
}
String xmlAlg = SAML2Auth.xmlDigSigAlgs.get(algType);
if (!sigAlg.equalsIgnoreCase(xmlAlg)) {
throw new Exception("Invalid signature algorithm : '" + sigAlg + "'");
}
/*if (! logout.getDestination().equals(request.getRequestURL().toString())) {
throw new Exception("Invalid destination");
}*/
java.security.Signature sigv = java.security.Signature.getInstance(SAML2Auth.javaDigSigAlgs.get(algType));
sigv.initVerify(cert.getPublicKey());
sigv.update(query.toString().getBytes("UTF-8"));
if (sigv.verify(Base64.decodeBase64(authnSig.getBytes("UTF-8")))) {
validated = true;
}
}
if (!validated) {
throw new Exception("Signature verification failed");
}
}
response.sendRedirect(new StringBuilder().append(logoutURL).append("?logoutreq=").append(URLEncoder.encode(logout.getID(), "UTF-8")).toString());
// return logoutURL;
return null;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
InputSource(org.xml.sax.InputSource)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
LogoutRequestUnmarshaller(org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller)
XSString(org.opensaml.core.xml.schema.XSString)
ServletException(javax.servlet.ServletException)
StringReader(java.io.StringReader)
ParamWithValueType(com.tremolosecurity.config.xml.ParamWithValueType)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
LDAPException(com.novell.ldap.LDAPException)
MarshallingException(org.opensaml.core.xml.io.MarshallingException)
IOException(java.io.IOException)
Base64DecodingException(org.apache.xml.security.exceptions.Base64DecodingException)
ServletException(javax.servlet.ServletException)
SignatureException(java.security.SignatureException)
SAXException(org.xml.sax.SAXException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InitializationException(org.opensaml.core.config.InitializationException)
MalformedURLException(java.net.MalformedURLException)
CertificateException(java.security.cert.CertificateException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
Example 34 with AuthChainType
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class PersistentCookieResult method createResultCookie.
@Override
public void createResultCookie(Cookie cookie, HttpServletRequest request, HttpServletResponse response) throws ServletException {
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
ConfigManager mgr = holder.getConfig();
HashSet<String> mechs = new HashSet<String>();
for (String mechName : mgr.getAuthMechs().keySet()) {
MechanismType mech = mgr.getAuthMechs().get(mechName);
if (mech.getClassName().equalsIgnoreCase("com.tremolosecurity.proxy.auth.persistentCookie.PersistentCookie")) {
mechs.add(mechName);
}
}
AuthController authCtl = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
String chainName = authCtl.getAuthInfo().getAuthChain();
AuthChainType chain = mgr.getAuthChains().get(chainName);
chain = AuthManagerImpl.buildACT(chain, mgr);
int millisToLive = 0;
String keyAlias = "";
boolean useSSLSession = false;
for (AuthMechType amt : chain.getAuthMech()) {
if (mechs.contains(amt.getName())) {
for (ParamWithValueType pt : amt.getParams().getParam()) {
String value = "";
if (pt.getValue() != null && !pt.getValue().isBlank()) {
value = pt.getValue();
} else {
value = pt.getValueAttribute();
}
if (pt.getName().equalsIgnoreCase("millisToLive")) {
millisToLive = Integer.parseInt(value);
}
if (pt.getName().equalsIgnoreCase("useSSLSessionID") && value.equalsIgnoreCase("true")) {
useSSLSession = true;
} else if (pt.getName().equalsIgnoreCase("keyAlias")) {
keyAlias = value;
}
}
}
}
DateTime now = new DateTime();
DateTime expires = now.plusMillis(millisToLive);
com.tremolosecurity.lastmile.LastMile lastmile = null;
try {
lastmile = new com.tremolosecurity.lastmile.LastMile("/", now, expires, 0, "NONE");
} catch (URISyntaxException e) {
// not possible
}
lastmile.getAttributes().add(new Attribute("DN", authCtl.getAuthInfo().getUserDN()));
lastmile.getAttributes().add(new Attribute("CLIENT_IP", request.getRemoteAddr()));
if (useSSLSession) {
Object sessionID = request.getAttribute("javax.servlet.request.ssl_session_id");
if (sessionID instanceof byte[]) {
sessionID = new String(Base64.encodeBase64((byte[]) sessionID));
}
lastmile.getAttributes().add(new Attribute("SSL_SESSION_ID", (String) sessionID));
}
try {
cookie.setValue(new StringBuilder().append('"').append(lastmile.generateLastMileToken(mgr.getSecretKey(keyAlias))).append('"').toString());
} catch (Exception e) {
throw new ServletException("Could not encrypt persistent cookie", e);
}
cookie.setMaxAge(millisToLive / 1000);
}
Also used :
Attribute(com.tremolosecurity.saml.Attribute)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
URISyntaxException(java.net.URISyntaxException)
AuthController(com.tremolosecurity.proxy.auth.AuthController)
ConfigManager(com.tremolosecurity.config.util.ConfigManager)
DateTime(org.joda.time.DateTime)
ServletException(javax.servlet.ServletException)
URISyntaxException(java.net.URISyntaxException)
UrlHolder(com.tremolosecurity.config.util.UrlHolder)
ServletException(javax.servlet.ServletException)
MechanismType(com.tremolosecurity.config.xml.MechanismType)
ParamWithValueType(com.tremolosecurity.config.xml.ParamWithValueType)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
HashSet(java.util.HashSet)
Example 35 with AuthChainType
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class CreateSecretQuestionsTask method init.
@Override
public void init(WorkflowTask task, Map<String, Attribute> params) throws ProvisioningException {
numQuestions = Integer.parseInt(params.get("numQuestions").getValues().get(0));
questionNamePrefix = params.get("questionNamePrefix").getValues().get(0);
questionValuePrefix = params.get("questionValuePrefix").getValues().get(0);
chainName = params.get("chainName").getValues().get(0);
if (params.get("mechName") != null) {
this.mechName = params.get("mechName").getValues().get(0);
} else {
this.mechName = "SecretQuestions";
}
for (AuthChainType act : task.getConfigManager().getCfg().getAuthChains().getChain()) {
if (act.getName().equalsIgnoreCase(chainName)) {
for (AuthMechType amt : act.getAuthMech()) {
if (amt.getName().equalsIgnoreCase(this.mechName)) {
for (ParamWithValueType pt : amt.getParams().getParam()) {
String value = "";
if (pt.getValue() != null && !pt.getValue().isBlank()) {
value = pt.getValue();
} else {
value = pt.getValueAttribute();
}
if (pt.getName().equalsIgnoreCase("alg")) {
this.alg = value;
}
if (pt.getName().equalsIgnoreCase("salt")) {
this.salt = value;
}
if (pt.getName().equalsIgnoreCase("questionAttr")) {
this.questionAttr = value;
}
}
}
}
}
}
}
Also used :
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
ParamWithValueType(com.tremolosecurity.config.xml.ParamWithValueType)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
Aggregations
AuthChainType (com.tremolosecurity.config.xml.AuthChainType)52
UrlHolder (com.tremolosecurity.config.util.UrlHolder)34
AuthMechType (com.tremolosecurity.config.xml.AuthMechType)34
HttpSession (javax.servlet.http.HttpSession)33
HashMap (java.util.HashMap)32
ServletException (javax.servlet.ServletException)32
Attribute (com.tremolosecurity.saml.Attribute)28
HttpServletRequest (javax.servlet.http.HttpServletRequest)28
IOException (java.io.IOException)21
AuthController (com.tremolosecurity.proxy.auth.AuthController)19
LDAPException (com.novell.ldap.LDAPException)18
LDAPAttribute (com.novell.ldap.LDAPAttribute)17
AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)14
RequestHolder (com.tremolosecurity.proxy.auth.RequestHolder)13
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)12
MalformedURLException (java.net.MalformedURLException)10
LDAPSearchResults (com.novell.ldap.LDAPSearchResults)9
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)9
ArrayList (java.util.ArrayList)9
LDAPEntry (com.novell.ldap.LDAPEntry)8
