use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.
the class UserOnlyAuthMech method doPost.
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
MyVDConnection myvd = cfgMgr.getMyVD();
// HttpSession session = (HttpSession) req.getAttribute(ConfigFilter.AUTOIDM_SESSION);//((HttpServletRequest) req).getSession(); //SharedSession.getSharedSession().getSession(req.getSession().getId());
// SharedSession.getSharedSession().getSession(req.getSession().getId());
HttpSession session = ((HttpServletRequest) req).getSession();
UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
String uidAttr = "uid";
if (authParams.get("uidAttr") != null) {
uidAttr = authParams.get("uidAttr").getValues().get(0);
}
boolean uidIsFilter = false;
if (authParams.get("uidIsFilter") != null) {
uidIsFilter = authParams.get("uidIsFilter").getValues().get(0).equalsIgnoreCase("true");
}
String noUserJSP = authParams.get("noUserJSP").getValues().get(0);
String filter = "";
if (uidIsFilter) {
StringBuffer b = new StringBuffer();
int lastIndex = 0;
int index = uidAttr.indexOf('$');
while (index >= 0) {
b.append(uidAttr.substring(lastIndex, index));
lastIndex = uidAttr.indexOf('}', index) + 1;
String reqName = uidAttr.substring(index + 2, lastIndex - 1);
b.append(req.getParameter(reqName));
index = uidAttr.indexOf('$', index + 1);
}
b.append(uidAttr.substring(lastIndex));
filter = b.toString();
} else {
StringBuffer b = new StringBuffer();
b.append("(").append(uidAttr).append("=").append(req.getParameter("user")).append(")");
filter = b.toString();
}
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
AuthMechType amt = act.getAuthMech().get(as.getId());
try {
LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, filter, new ArrayList<String>());
if (res.hasMore()) {
LDAPEntry entry = res.next();
Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
while (it.hasNext()) {
LDAPAttribute attrib = it.next();
Attribute attr = new Attribute(attrib.getName());
String[] vals = attrib.getStringValueArray();
for (int i = 0; i < vals.length; i++) {
attr.getValues().add(vals[i]);
}
authInfo.getAttribs().put(attr.getName(), attr);
}
as.setSuccess(true);
} else {
as.setSuccess(false);
resp.sendRedirect(noUserJSP);
return;
}
} catch (LDAPException e) {
logger.error("Could not find user", e);
as.setSuccess(false);
resp.sendRedirect(noUserJSP);
return;
}
String redirectToURL = req.getParameter("target");
if (redirectToURL != null && !redirectToURL.isEmpty()) {
reqHolder.setURL(redirectToURL);
}
holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}
use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.
the class AuthManagerImpl method execAuth.
/* (non-Javadoc)
* @see com.tremolosecurity.proxy.auth.sys.AuthManager#execAuth(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession, boolean, com.tremolosecurity.config.util.UrlHolder, com.tremolosecurity.config.xml.AuthChainType, java.lang.String, com.tremolosecurity.proxy.util.NextSys)
*/
@Override
public boolean execAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, UrlHolder holder, AuthChainType act, String finalURL, NextSys next) throws IOException, ServletException {
boolean shortCircut = false;
ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
// Generate an AuthChainType based on the existing chain+includes
if (act != cfg.getAuthFailChain()) {
act = this.buildACT(act, cfg);
}
if (act.getLevel() == 0 && (act != cfg.getAuthFailChain())) {
AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
// there's no need to go through the process
String anonMechName = act.getAuthMech().get(0).getName();
MechanismType mt = holder.getConfig().getAuthMechs().get(anonMechName);
AnonAuth anonAuth = (AnonAuth) holder.getConfig().getAuthMech(mt.getUri());
anonAuth.createSession(session, act);
return finishSuccessfulLogin(req, resp, holder, act, actl.getHolder(), actl, next);
}
RequestHolder reqHolder;
int step = -1;
AuthController actl = (AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL);
ArrayList<AuthStep> auths = actl.getAuthSteps();
if (auths.size() == 0) {
int id = 0;
for (AuthMechType amt : act.getAuthMech()) {
AuthStep as = new AuthStep();
as.setId(id);
as.setExecuted(false);
as.setRequired(amt.getRequired().equals("required"));
as.setSuccess(false);
auths.add(as);
id++;
}
boolean anyRequired = false;
for (AuthStep as : auths) {
if (as.isRequired()) {
anyRequired = true;
break;
}
}
if (!anyRequired) {
act.setFinishOnRequiredSucess(true);
}
step = 0;
HashMap<String, Attribute> params = new HashMap<String, Attribute>();
ProxyUtil.loadParams(req, params);
try {
reqHolder = new RequestHolder(RequestHolder.getMethod(req.getMethod()), params, finalURL, act.getName(), ((ProxyRequest) req).getQueryStringParams());
actl.setHolder(reqHolder);
} catch (Exception e) {
throw new ServletException("Error creating request holder", e);
}
} else {
reqHolder = actl.getHolder();
boolean clearAllNotRequired = false;
// determine the step
for (AuthStep as : auths) {
if (as.isSuccess()) {
// TODO Check to see if the user is locked out
if (act.getCompliance() != null && act.getCompliance().isEnabled()) {
Attribute lastFailed = actl.getAuthInfo().getAttribs().get(act.getCompliance().getLastFailedAttribute());
Attribute numFailures = actl.getAuthInfo().getAttribs().get(act.getCompliance().getNumFailedAttribute());
if (logger.isDebugEnabled()) {
logger.debug("lastFailed Attribute : '" + lastFailed + "'");
logger.debug("numFailures Attribute : '" + numFailures + "'");
}
if (lastFailed != null && numFailures != null) {
long lastFailedTS = lastFailed.getValues().size() > 0 ? Long.parseLong(lastFailed.getValues().get(0)) : 0;
int numPrevFailures = Integer.parseInt(numFailures.getValues().size() > 0 ? numFailures.getValues().get(0) : "0");
long now = new DateTime(DateTimeZone.UTC).getMillis();
long lockedUntil = lastFailedTS + act.getCompliance().getMaxLockoutTime();
if (logger.isDebugEnabled()) {
logger.debug("Num Failed : " + numPrevFailures);
logger.debug("Last Failed : '" + lastFailedTS + "'");
logger.info("Now : '" + now + "'");
logger.info("Locked Until : '" + lockedUntil + "'");
logger.info("locked >= now? : '" + (lockedUntil >= now) + "'");
logger.info("max fails? : '" + act.getCompliance().getMaxFailedAttempts() + "'");
logger.info("too many fails : '" + (numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) + "'");
}
if (lockedUntil >= now && numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) {
try {
failAuthentication(req, resp, holder, act);
} catch (Exception e) {
throw new ServletException("Could not complete authentication failure", e);
}
return false;
}
}
}
if (act.isFinishOnRequiredSucess()) {
step = -1;
clearAllNotRequired = true;
}
} else {
if (as.isRequired()) {
if (as.isExecuted()) {
try {
failAuthentication(req, resp, holder, act);
} catch (Exception e) {
throw new ServletException("Could not complete authentication failure", e);
}
return false;
} else {
step = as.getId();
break;
}
} else {
if (clearAllNotRequired) {
as.setExecuted(true);
as.setSuccess(true);
} else {
if (as.isExecuted()) {
} else {
step = as.getId();
break;
}
}
}
}
}
}
if (step != -1) {
/*if (jsRedirect && step < auths.size()) {
step++;
}*/
AuthStep curStep = auths.get(step);
actl.setCurrentStep(curStep);
AuthMechType amt = act.getAuthMech().get(step);
loadAmtParams(session, amt);
// req.getRequestDispatcher(authFilterURI).forward(req, resp);
Cookie sessionCookieName = new Cookie("autoIdmSessionCookieName", holder.getApp().getCookieConfig().getSessionCookieName());
String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
if (domain != null) {
sessionCookieName.setDomain(domain);
}
sessionCookieName.setPath("/");
sessionCookieName.setMaxAge(-1);
sessionCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, sessionCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
}
Cookie appCookieName = new Cookie("autoIdmAppName", URLEncoder.encode(holder.getApp().getName(), "UTF-8"));
if (domain != null) {
appCookieName.setDomain(domain);
}
appCookieName.setPath("/");
appCookieName.setMaxAge(-1);
appCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, appCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
}
// resp.addCookie(appCookieName);
String redirectURI = "";
MechanismType nextAuthConfiguration = null;
if (holder.getConfig().getContextPath().equalsIgnoreCase("/")) {
nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
if (nextAuthConfiguration == null) {
StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
logger.warn(sb.toString());
nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
}
redirectURI = nextAuthConfiguration.getUri();
} else {
nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
if (nextAuthConfiguration == null) {
StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
logger.warn(sb.toString());
nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
}
redirectURI = new StringBuffer().append(holder.getConfig().getContextPath()).append(nextAuthConfiguration.getUri()).toString();
}
req.getSession().setAttribute("TREMOLO_AUTH_URI", redirectURI);
if (jsRedirect) {
StringBuffer b = new StringBuffer();
b.append("<html><head></head><body onload=\"window.location='").append(ProxyTools.getInstance().getFqdnUrl(redirectURI, req)).append("';\"></body></html>");
String respHTML = b.toString();
ProxyData pd = new ProxyData();
pd.setHolder(holder);
pd.setIns(new ByteArrayInputStream(respHTML.getBytes("UTF-8")));
pd.setPostProc(null);
pd.setRequest(null);
pd.setResponse(null);
pd.setText(true);
pd.setLogout(false);
req.setAttribute(ProxyConstants.TREMOLO_PRXY_DATA, pd);
// req.setAttribute(ProxySys.AUTOIDM_STREAM_WRITER,true);
// req.setAttribute(ProxySys.TREMOLO_TXT_DATA, new
// StringBuffer(respHTML));
resp.sendError(401);
} else {
AuthMechanism mech = cfg.getAuthMech(redirectURI);
if (mech == null) {
throw new ServletException("Redirect URI '" + redirectURI + "' does not map to an authentication mechanism");
}
req.setAttribute(ProxyConstants.AUTH_REDIR_URI, redirectURI);
if (curStep != null) {
curStep.setExecuted(true);
}
if (req.getMethod().equalsIgnoreCase("get")) {
mech.doGet(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("post")) {
mech.doPost(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("put") || req.getMethod().equalsIgnoreCase("patch")) {
mech.doPut(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("delete")) {
mech.doDelete(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("head")) {
mech.doHead(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("options")) {
mech.doOptions(req, resp, curStep);
}
}
return false;
} else {
boolean success = true;
boolean opSuccess = false;
boolean hasOptional = false;
for (AuthStep as : auths) {
if (as.isRequired()) {
if (!as.isSuccess()) {
success = false;
break;
}
} else {
hasOptional = true;
if (as.isSuccess()) {
opSuccess = true;
}
}
}
boolean allSuccess = success && ((hasOptional && opSuccess) || (!hasOptional));
if (allSuccess) {
return finishSuccessfulLogin(req, resp, holder, act, reqHolder, actl, next);
} else {
throw new ServletException("Unknown state");
/*
* Cookie sessionCookieName = new
* Cookie("autoIdmSessionCookieName","DNE");
* sessionCookieName.setDomain
* (ProxyTools.getInstance().getCookieDomain
* (holder.getApp().getCookieConfig(), req));
* sessionCookieName.setPath("/");
* sessionCookieName.setMaxAge(0);
* sessionCookieName.setSecure(false);
* //resp.addCookie(sessionCookieName);
*
* Cookie appCookieName = new Cookie("autoIdmAppName","DNE");
* appCookieName
* .setDomain(ProxyTools.getInstance().getCookieDomain
* (holder.getApp().getCookieConfig(), req));
* appCookieName.setPath("/"); appCookieName.setMaxAge(0);
* appCookieName.setSecure(false);
* //resp.addCookie(appCookieName);
*/
}
}
}
use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.
the class SMSAuth method doPost.
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
HttpSession session = ((HttpServletRequest) request).getSession();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
String keyFromForm = request.getParameter("key");
if (keyFromForm == null) {
this.doGet(request, response, as);
return;
}
String keyFromSession = (String) request.getSession().getAttribute("TREMOLO_SMS_KEY");
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
AuthMechType amt = act.getAuthMech().get(as.getId());
boolean authenticated = keyFromForm.equals(keyFromSession);
if (authenticated) {
session.removeAttribute("TREMOLO_SMS_KEY");
}
as.setExecuted(true);
as.setSuccess(authenticated);
String redirectToURL = request.getParameter("target");
if (redirectToURL != null && !redirectToURL.isEmpty()) {
reqHolder.setURL(redirectToURL);
}
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.
the class OAuth2Bearer method doGet.
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
String basicHdr = request.getHeader("Authorization");
boolean fromHeader = true;
if (basicHdr == null) {
basicHdr = request.getParameter("access_token");
fromHeader = false;
}
HttpSession session = ((HttpServletRequest) request).getSession();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
AuthMechType amt = act.getAuthMech().get(as.getId());
String realmName = authParams.get("realm").getValues().get(0);
String scope = null;
if (authParams.get("scope") != null) {
scope = authParams.get("scope").getValues().get(0);
}
ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
String accessToken = null;
if (basicHdr == null) {
as.setExecuted(false);
sendFail(response, realmName, scope, null, null);
return;
} else {
if (fromHeader) {
accessToken = basicHdr.substring(basicHdr.indexOf(' ') + 1);
} else {
accessToken = basicHdr;
}
}
processToken(request, response, as, session, authParams, act, realmName, scope, cfg, accessToken);
}
use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.
the class U2fAuth method startAuthentication.
private void startAuthentication(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws ServletException, MalformedURLException, IOException {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
// SharedSession.getSharedSession().getSession(req.getSession().getId());
HttpSession session = ((HttpServletRequest) request).getSession();
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
RequestHolder reqHolder = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
AuthMechType amt = act.getAuthMech().get(as.getId());
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
String encyrptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
String formURI = authParams.get("formURI").getValues().get(0);
List<SecurityKeyData> keys;
try {
keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encyrptionKeyName);
} catch (Exception e1) {
throw new ServletException("Could not loak keys", e1);
}
Set<String> origins = new HashSet<String>();
String appID = U2fUtil.getApplicationId(request);
origins.add(appID);
U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys), new BouncyCastleCrypto(), origins);
String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
if (keys == null || keys.size() == 0) {
if (amt.getRequired().equals("required")) {
as.setSuccess(false);
}
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
return;
}
U2fSignRequest sigReq = null;
try {
sigReq = u2f.getSignRequest(uid, appID);
} catch (U2FException e) {
logger.error("Could not start authentication", e);
if (amt.getRequired().equals("required")) {
as.setSuccess(false);
}
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
return;
}
Gson gson = new Gson();
request.getSession().setAttribute(AUTH_SIGN_REQ, sigReq);
request.getSession().setAttribute(AUTH_SIGN_REQ_JSON, gson.toJson(sigReq));
request.getSession().setAttribute(SERVER, u2f);
response.sendRedirect(formURI);
}
Aggregations