Example 1 with AnonAuth
use of com.tremolosecurity.proxy.auth.AnonAuth in project OpenUnison by TremoloSecurity.
the class UnisonConfigManagerImpl method loadAuthMechs.
/* (non-Javadoc)
* @see com.tremolosecurity.config.util.ConfigManager#loadAuthMechs()
*/
/* (non-Javadoc)
* @see com.tremolosecurity.config.util.UnisonConfigManager#loadAuthMechs()
*/
@Override
public void loadAuthMechs() throws ServletException {
try {
this.mechs = new HashMap<String, AuthMechanism>();
// UnisonConfigManagerImpl tremoloCfg = (UnisonConfigManagerImpl) ctx.getAttribute(ConfigFilter.TREMOLO_CONFIG);
if (getCfg().getAuthMechs() != null) {
Iterator<MechanismType> mechs = getCfg().getAuthMechs().getMechanism().iterator();
while (mechs.hasNext()) {
MechanismType mt = mechs.next();
initializeAuthenticationMechanism(mt);
}
}
} catch (Exception e) {
throw new ServletException("Could not initialize Auth Mechanism Filter", e);
}
for (String key : this.authChains.keySet()) {
AuthChainType act = this.authChains.get(key);
if (act.getLevel() == 0) {
this.anonAct = act;
String mechName = act.getAuthMech().get(0).getName();
this.anonAuthMech = (AnonAuth) this.getAuthMech(this.authMechs.get(mechName).getUri());
}
}
if (this.anonAuthMech == null) {
this.anonAct = new AuthChainType();
this.anonAct.setFinishOnRequiredSucess(true);
this.anonAct.setLevel(0);
this.anonAct.setName("anon");
this.anonAuthMech = new AnonAuth();
}
if (this.alwaysFailAuth == null) {
this.alwaysFailAuth = new AlwaysFail();
String failAuthUri = this.ctxPath + "/fail";
this.mechs.put(failAuthUri, alwaysFailAuth);
MechanismType fmt = new MechanismType();
fmt.setClassName("com.tremolosecurity.proxy.auth.AlwaysFail");
fmt.setInit(new ConfigType());
fmt.setParams(new ParamListType());
fmt.setName("fail");
fmt.setUri(failAuthUri);
if (this.cfg.getAuthMechs() == null) {
this.cfg.setAuthMechs(new AuthMechTypes());
}
this.cfg.getAuthMechs().getMechanism().add(fmt);
this.alwaysFailAuthMech = fmt;
}
for (String key : this.authChains.keySet()) {
AuthChainType act = this.authChains.get(key);
for (AuthMechType amt : act.getAuthMech()) {
if (amt.getName().equals(this.alwaysFailAuthMech.getName())) {
this.authFailChain = act;
break;
}
}
}
if (this.authFailChain == null) {
this.authFailChain = new AuthChainType();
this.authFailChain.setLevel(0);
this.authFailChain.setName("alwaysfail");
AuthMechType amt = new AuthMechType();
amt.setName(this.alwaysFailAuthMech.getName());
amt.setRequired("required");
amt.setParams(new AuthMechParamType());
this.authFailChain.getAuthMech().add(amt);
}
try {
if (this.getCfg().getAuthMechs() != null && this.getCfg().getAuthMechs().getDynamicAuthMechs() != null && this.getCfg().getAuthMechs().getDynamicAuthMechs().isEnabled()) {
DynamicPortalUrlsType dynamicAuthMechs = this.getCfg().getAuthMechs().getDynamicAuthMechs();
String className = dynamicAuthMechs.getClassName();
HashMap<String, Attribute> cfgAttrs = new HashMap<String, Attribute>();
for (ParamType pt : dynamicAuthMechs.getParams()) {
Attribute attr = cfgAttrs.get(pt.getName());
if (attr == null) {
attr = new Attribute(pt.getName());
cfgAttrs.put(pt.getName(), attr);
}
attr.getValues().add(pt.getValue());
}
DynamicAuthMechs dynCustomAuMechs = (DynamicAuthMechs) Class.forName(className).newInstance();
dynCustomAuMechs.loadDynamicAuthMechs(this, this.getProvisioningEngine(), cfgAttrs);
}
} catch (InstantiationException | IllegalAccessException | ClassNotFoundException | ProvisioningException e) {
throw new ServletException("Could not initialize authentication mechanisms", e);
}
}
Also used :
AuthMechParamType(com.tremolosecurity.config.xml.AuthMechParamType)
AnonAuth(com.tremolosecurity.proxy.auth.AnonAuth)
Attribute(com.tremolosecurity.saml.Attribute)
HashMap(java.util.HashMap)
ServletException(javax.servlet.ServletException)
DynamicAuthMechs(com.tremolosecurity.proxy.dynamicloaders.DynamicAuthMechs)
AuthMechanism(com.tremolosecurity.proxy.auth.AuthMechanism)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
MechanismType(com.tremolosecurity.config.xml.MechanismType)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
ConfigType(com.tremolosecurity.config.xml.ConfigType)
ParamListType(com.tremolosecurity.config.xml.ParamListType)
AuthMechTypes(com.tremolosecurity.config.xml.AuthMechTypes)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
KeyStoreException(java.security.KeyStoreException)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
KeyManagementException(java.security.KeyManagementException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
LDAPException(com.novell.ldap.LDAPException)
AzException(com.tremolosecurity.proxy.az.AzException)
IOException(java.io.IOException)
ServletException(javax.servlet.ServletException)
JAXBException(javax.xml.bind.JAXBException)
FileNotFoundException(java.io.FileNotFoundException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
CertificateException(java.security.cert.CertificateException)
AuthMechParamType(com.tremolosecurity.config.xml.AuthMechParamType)
ParamType(com.tremolosecurity.config.xml.ParamType)
AlwaysFail(com.tremolosecurity.proxy.auth.AlwaysFail)
DynamicPortalUrlsType(com.tremolosecurity.config.xml.DynamicPortalUrlsType)
Example 2 with AnonAuth
use of com.tremolosecurity.proxy.auth.AnonAuth in project OpenUnison by TremoloSecurity.
the class AuthManagerImpl method execAuth.
/* (non-Javadoc)
* @see com.tremolosecurity.proxy.auth.sys.AuthManager#execAuth(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession, boolean, com.tremolosecurity.config.util.UrlHolder, com.tremolosecurity.config.xml.AuthChainType, java.lang.String, com.tremolosecurity.proxy.util.NextSys)
*/
@Override
public boolean execAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, UrlHolder holder, AuthChainType act, String finalURL, NextSys next) throws IOException, ServletException {
boolean shortCircut = false;
ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
// Generate an AuthChainType based on the existing chain+includes
if (act != cfg.getAuthFailChain()) {
act = this.buildACT(act, cfg);
}
if (act.getLevel() == 0 && (act != cfg.getAuthFailChain())) {
AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
// there's no need to go through the process
String anonMechName = act.getAuthMech().get(0).getName();
MechanismType mt = holder.getConfig().getAuthMechs().get(anonMechName);
AnonAuth anonAuth = (AnonAuth) holder.getConfig().getAuthMech(mt.getUri());
anonAuth.createSession(session, act);
return finishSuccessfulLogin(req, resp, holder, act, actl.getHolder(), actl, next);
}
RequestHolder reqHolder;
int step = -1;
AuthController actl = (AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL);
ArrayList<AuthStep> auths = actl.getAuthSteps();
if (auths.size() == 0) {
int id = 0;
for (AuthMechType amt : act.getAuthMech()) {
AuthStep as = new AuthStep();
as.setId(id);
as.setExecuted(false);
as.setRequired(amt.getRequired().equals("required"));
as.setSuccess(false);
auths.add(as);
id++;
}
boolean anyRequired = false;
for (AuthStep as : auths) {
if (as.isRequired()) {
anyRequired = true;
break;
}
}
if (!anyRequired) {
act.setFinishOnRequiredSucess(true);
}
step = 0;
HashMap<String, Attribute> params = new HashMap<String, Attribute>();
ProxyUtil.loadParams(req, params);
try {
reqHolder = new RequestHolder(RequestHolder.getMethod(req.getMethod()), params, finalURL, act.getName(), ((ProxyRequest) req).getQueryStringParams());
actl.setHolder(reqHolder);
} catch (Exception e) {
throw new ServletException("Error creating request holder", e);
}
} else {
reqHolder = actl.getHolder();
boolean clearAllNotRequired = false;
// determine the step
for (AuthStep as : auths) {
if (as.isSuccess()) {
// TODO Check to see if the user is locked out
if (act.getCompliance() != null && act.getCompliance().isEnabled()) {
Attribute lastFailed = actl.getAuthInfo().getAttribs().get(act.getCompliance().getLastFailedAttribute());
Attribute numFailures = actl.getAuthInfo().getAttribs().get(act.getCompliance().getNumFailedAttribute());
if (logger.isDebugEnabled()) {
logger.debug("lastFailed Attribute : '" + lastFailed + "'");
logger.debug("numFailures Attribute : '" + numFailures + "'");
}
if (lastFailed != null && numFailures != null) {
long lastFailedTS = lastFailed.getValues().size() > 0 ? Long.parseLong(lastFailed.getValues().get(0)) : 0;
int numPrevFailures = Integer.parseInt(numFailures.getValues().size() > 0 ? numFailures.getValues().get(0) : "0");
long now = new DateTime(DateTimeZone.UTC).getMillis();
long lockedUntil = lastFailedTS + act.getCompliance().getMaxLockoutTime();
if (logger.isDebugEnabled()) {
logger.debug("Num Failed : " + numPrevFailures);
logger.debug("Last Failed : '" + lastFailedTS + "'");
logger.info("Now : '" + now + "'");
logger.info("Locked Until : '" + lockedUntil + "'");
logger.info("locked >= now? : '" + (lockedUntil >= now) + "'");
logger.info("max fails? : '" + act.getCompliance().getMaxFailedAttempts() + "'");
logger.info("too many fails : '" + (numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) + "'");
}
if (lockedUntil >= now && numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) {
try {
failAuthentication(req, resp, holder, act);
} catch (Exception e) {
throw new ServletException("Could not complete authentication failure", e);
}
return false;
}
}
}
if (act.isFinishOnRequiredSucess()) {
step = -1;
clearAllNotRequired = true;
}
} else {
if (as.isRequired()) {
if (as.isExecuted()) {
try {
failAuthentication(req, resp, holder, act);
} catch (Exception e) {
throw new ServletException("Could not complete authentication failure", e);
}
return false;
} else {
step = as.getId();
break;
}
} else {
if (clearAllNotRequired) {
as.setExecuted(true);
as.setSuccess(true);
} else {
if (as.isExecuted()) {
} else {
step = as.getId();
break;
}
}
}
}
}
}
if (step != -1) {
/*if (jsRedirect && step < auths.size()) {
step++;
}*/
AuthStep curStep = auths.get(step);
actl.setCurrentStep(curStep);
AuthMechType amt = act.getAuthMech().get(step);
loadAmtParams(session, amt);
// req.getRequestDispatcher(authFilterURI).forward(req, resp);
Cookie sessionCookieName = new Cookie("autoIdmSessionCookieName", holder.getApp().getCookieConfig().getSessionCookieName());
String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
if (domain != null) {
sessionCookieName.setDomain(domain);
}
sessionCookieName.setPath("/");
sessionCookieName.setMaxAge(-1);
sessionCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, sessionCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
}
Cookie appCookieName = new Cookie("autoIdmAppName", URLEncoder.encode(holder.getApp().getName(), "UTF-8"));
if (domain != null) {
appCookieName.setDomain(domain);
}
appCookieName.setPath("/");
appCookieName.setMaxAge(-1);
appCookieName.setSecure(false);
if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
ProxyResponse.addCookieToResponse(holder, appCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
}
// resp.addCookie(appCookieName);
String redirectURI = "";
MechanismType nextAuthConfiguration = null;
if (holder.getConfig().getContextPath().equalsIgnoreCase("/")) {
nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
if (nextAuthConfiguration == null) {
StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
logger.warn(sb.toString());
nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
}
redirectURI = nextAuthConfiguration.getUri();
} else {
nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
if (nextAuthConfiguration == null) {
StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
logger.warn(sb.toString());
nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
}
redirectURI = new StringBuffer().append(holder.getConfig().getContextPath()).append(nextAuthConfiguration.getUri()).toString();
}
req.getSession().setAttribute("TREMOLO_AUTH_URI", redirectURI);
if (jsRedirect) {
StringBuffer b = new StringBuffer();
b.append("<html><head></head><body onload=\"window.location='").append(ProxyTools.getInstance().getFqdnUrl(redirectURI, req)).append("';\"></body></html>");
String respHTML = b.toString();
ProxyData pd = new ProxyData();
pd.setHolder(holder);
pd.setIns(new ByteArrayInputStream(respHTML.getBytes("UTF-8")));
pd.setPostProc(null);
pd.setRequest(null);
pd.setResponse(null);
pd.setText(true);
pd.setLogout(false);
req.setAttribute(ProxyConstants.TREMOLO_PRXY_DATA, pd);
// req.setAttribute(ProxySys.AUTOIDM_STREAM_WRITER,true);
// req.setAttribute(ProxySys.TREMOLO_TXT_DATA, new
// StringBuffer(respHTML));
resp.sendError(401);
} else {
AuthMechanism mech = cfg.getAuthMech(redirectURI);
if (mech == null) {
throw new ServletException("Redirect URI '" + redirectURI + "' does not map to an authentication mechanism");
}
req.setAttribute(ProxyConstants.AUTH_REDIR_URI, redirectURI);
if (curStep != null) {
curStep.setExecuted(true);
}
if (req.getMethod().equalsIgnoreCase("get")) {
mech.doGet(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("post")) {
mech.doPost(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("put") || req.getMethod().equalsIgnoreCase("patch")) {
mech.doPut(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("delete")) {
mech.doDelete(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("head")) {
mech.doHead(req, resp, curStep);
} else if (req.getMethod().equalsIgnoreCase("options")) {
mech.doOptions(req, resp, curStep);
}
}
return false;
} else {
boolean success = true;
boolean opSuccess = false;
boolean hasOptional = false;
for (AuthStep as : auths) {
if (as.isRequired()) {
if (!as.isSuccess()) {
success = false;
break;
}
} else {
hasOptional = true;
if (as.isSuccess()) {
opSuccess = true;
}
}
}
boolean allSuccess = success && ((hasOptional && opSuccess) || (!hasOptional));
if (allSuccess) {
return finishSuccessfulLogin(req, resp, holder, act, reqHolder, actl, next);
} else {
throw new ServletException("Unknown state");
/*
* Cookie sessionCookieName = new
* Cookie("autoIdmSessionCookieName","DNE");
* sessionCookieName.setDomain
* (ProxyTools.getInstance().getCookieDomain
* (holder.getApp().getCookieConfig(), req));
* sessionCookieName.setPath("/");
* sessionCookieName.setMaxAge(0);
* sessionCookieName.setSecure(false);
* //resp.addCookie(sessionCookieName);
*
* Cookie appCookieName = new Cookie("autoIdmAppName","DNE");
* appCookieName
* .setDomain(ProxyTools.getInstance().getCookieDomain
* (holder.getApp().getCookieConfig(), req));
* appCookieName.setPath("/"); appCookieName.setMaxAge(0);
* appCookieName.setSecure(false);
* //resp.addCookie(appCookieName);
*/
}
}
}
Also used :
AnonAuth(com.tremolosecurity.proxy.auth.AnonAuth)
LDAPAttribute(com.novell.ldap.LDAPAttribute)
Attribute(com.tremolosecurity.saml.Attribute)
HashMap(java.util.HashMap)
RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder)
AuthStep(com.tremolosecurity.proxy.auth.util.AuthStep)
DateTime(org.joda.time.DateTime)
ServletException(javax.servlet.ServletException)
AuthMechanism(com.tremolosecurity.proxy.auth.AuthMechanism)
ProxyData(com.tremolosecurity.proxy.ProxyData)
MechanismType(com.tremolosecurity.config.xml.MechanismType)
ProxyRequest(com.tremolosecurity.proxy.ProxyRequest)
Cookie(javax.servlet.http.Cookie)
ProxyResponse(com.tremolosecurity.proxy.ProxyResponse)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
AuthController(com.tremolosecurity.proxy.auth.AuthController)
ConfigManager(com.tremolosecurity.config.util.ConfigManager)
ServletException(javax.servlet.ServletException)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
LDAPException(com.novell.ldap.LDAPException)
IOException(java.io.IOException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Aggregations
LDAPException (com.novell.ldap.LDAPException)2
AuthMechType (com.tremolosecurity.config.xml.AuthMechType)2
MechanismType (com.tremolosecurity.config.xml.MechanismType)2
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)2
AnonAuth (com.tremolosecurity.proxy.auth.AnonAuth)2
AuthMechanism (com.tremolosecurity.proxy.auth.AuthMechanism)2
Attribute (com.tremolosecurity.saml.Attribute)2
IOException (java.io.IOException)2
HashMap (java.util.HashMap)2
ServletException (javax.servlet.ServletException)2
LDAPAttribute (com.novell.ldap.LDAPAttribute)1
ConfigManager (com.tremolosecurity.config.util.ConfigManager)1
AuthChainType (com.tremolosecurity.config.xml.AuthChainType)1
AuthMechParamType (com.tremolosecurity.config.xml.AuthMechParamType)1
AuthMechTypes (com.tremolosecurity.config.xml.AuthMechTypes)1
ConfigType (com.tremolosecurity.config.xml.ConfigType)1
DynamicPortalUrlsType (com.tremolosecurity.config.xml.DynamicPortalUrlsType)1
ParamListType (com.tremolosecurity.config.xml.ParamListType)1
ParamType (com.tremolosecurity.config.xml.ParamType)1
ProxyData (com.tremolosecurity.proxy.ProxyData)1
