
Example 51 with AuthController

Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

Class PreAuthFilter, method doFilter.

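/**
 * Performs a one-time "pre-authentication" call to the protected application on behalf of the
 * logged-in user and replays the cookies that application sets back to the browser.
 *
 * <p>The upstream call happens once per user per session: the authenticated user's DN is stored in
 * the session attribute {@code TREMOLO_PRE_AUTH} and the call is skipped while the stored DN still
 * equals {@link AuthInfo#getUserDN()}. Depending on {@code postSAML} the upstream request is either a
 * POST of a signed SAML2 response to {@code assertionConsumerURL} or a GET of the proxy URL found for
 * {@code url}; a last-mile token for {@code loginAttribute} is added in both cases. Cookies from the
 * upstream response are added to the proxied request (original names) and, after the rest of the
 * chain has run, to the response (a {@code JSESSIONID} is renamed per application).
 *
 * @param request  the filter request; its session must hold an {@link AuthController}
 * @param response the filter response; collected upstream cookies are added to it after the chain
 * @param chain    the remaining filter chain, always invoked
 * @throws ServletException if the SAML2 response cannot be generated
 * @throws Exception        on I/O failures of the upstream call or from the rest of the chain
 */
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    List<Cookie> cookies = null;
    if (userData.getAuthLevel() > 0 && userData.isAuthComplete()) {
        UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
        HttpSession session = request.getSession();
        // Only run the upstream call when this session has not yet pre-authenticated this user.
        String uid = (String) session.getAttribute("TREMOLO_PRE_AUTH");
        if (uid == null || !uid.equals(userData.getUserDN())) {
            session.setAttribute("TREMOLO_PRE_AUTH", userData.getUserDN());
            HashMap<String, String> uriParams = new HashMap<String, String>();
            uriParams.put("fullURI", this.uri);
            UrlHolder remHolder = cfg.findURL(this.url);
            org.apache.http.client.methods.HttpRequestBase method;
            if (this.postSAML) {
                PrivateKey pk = holder.getConfig().getPrivateKey(this.keyAlias);
                java.security.cert.X509Certificate cert = holder.getConfig().getCertificate(this.keyAlias);
                Saml2Assertion assertion = new Saml2Assertion(userData.getAttribs().get(this.nameIDAttribute).getValues().get(0), pk, cert, null, this.issuer, this.assertionConsumerURL, this.audience, this.signAssertion, this.signResponse, false, this.nameIDType, this.authnCtxClassRef);
                String respXML;
                try {
                    respXML = assertion.generateSaml2Response();
                } catch (Exception e) {
                    throw new ServletException("Could not generate SAMLResponse", e);
                }
                List<NameValuePair> formparams = new ArrayList<NameValuePair>();
                String base64 = Base64.encodeBase64String(respXML.getBytes("UTF-8"));
                formparams.add(new BasicNameValuePair("SAMLResponse", base64));
                if (this.relayState != null && !this.relayState.isEmpty()) {
                    formparams.add(new BasicNameValuePair("RelayState", this.relayState));
                }
                HttpPost post = new HttpPost(this.assertionConsumerURL);
                post.setEntity(new UrlEncodedFormEntity(formparams, "UTF-8"));
                method = post;
            } else {
                method = new HttpGet(remHolder.getProxyURL(uriParams));
            }
            LastMileUtil.addLastMile(cfg, userData.getAttribs().get(this.loginAttribute).getValues().get(0), this.loginAttribute, method, lastMileKeyAlias, true);
            BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(cfg.getHttpClientSocketRegistry());
            CloseableHttpClient httpclient = null;
            try {
                httpclient = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(cfg.getGlobalHttpClientConfig()).build();
                HttpResponse resp = httpclient.execute(method);
                if (resp.getStatusLine().getStatusCode() == 500) {
                    // The error body is read for the log only; the upstream failure is not treated
                    // as fatal and any cookies it set are still replayed below (pre-existing behaviour).
                    BufferedReader in = new BufferedReader(new InputStreamReader(resp.getEntity().getContent(), "UTF-8"));
                    StringBuilder error = new StringBuilder();
                    try {
                        String line;
                        while ((line = in.readLine()) != null) {
                            error.append(line).append('\n');
                        }
                    } finally {
                        in.close();
                    }
                    logger.warn("Pre-Auth Failed : " + error);
                }
                StringBuilder renamed = new StringBuilder();
                cookies = new ArrayList<Cookie>();
                for (org.apache.http.Header header : resp.getAllHeaders()) {
                    String headerName = header.getName();
                    if (!headerName.equalsIgnoreCase("set-cookie") && !headerName.equalsIgnoreCase("set-cookie2")) {
                        continue;
                    }
                    for (HttpCookie cookie : HttpCookie.parse(header.getValue())) {
                        String cookieFinalName = cookie.getName();
                        if (cookieFinalName.equalsIgnoreCase("JSESSIONID")) {
                            // The container session cookie is re-issued as JSESSIONID-<app name>,
                            // presumably to keep it distinct per proxied application.
                            renamed.setLength(0);
                            renamed.append("JSESSIONID").append('-').append(holder.getApp().getName().replaceAll(" ", "|"));
                            cookieFinalName = renamed.toString();
                        }
                        Cookie respcookie = new Cookie(cookieFinalName, cookie.getValue());
                        respcookie.setComment(cookie.getComment());
                        // The upstream Domain attribute is deliberately not copied (it was commented out
                        // in the original), so the cookie is scoped to the proxy's own host.
                        respcookie.setMaxAge((int) cookie.getMaxAge());
                        respcookie.setPath(cookie.getPath());
                        respcookie.setSecure(cookie.getSecure());
                        respcookie.setVersion(cookie.getVersion());
                        // NOTE(review): the upstream HttpOnly flag is not carried over to respcookie;
                        // confirm the servlet API in use provides Cookie.setHttpOnly before adding it.
                        cookies.add(respcookie);
                        if (request.getCookieNames().contains(cookieFinalName)) {
                            request.removeCookie(cookieFinalName);
                        }
                        // The proxied request receives the cookie under its original upstream name.
                        request.addCookie(new Cookie(cookie.getName(), cookie.getValue()));
                    }
                }
            } finally {
                try {
                    if (httpclient != null) {
                        httpclient.close();
                    }
                } finally {
                    bhcm.shutdown();
                }
            }
        }
    }
    chain.nextFilter(request, response, chain);
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            response.addCookie(cookie);
        }
    }
}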

Example 52 with AuthController

Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

Class OAuth2JWT, method loadUnlinkedUser.

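/**
 * Creates an authenticated {@link AuthInfo} for a JWT subject that is not linked to a directory entry
 * and installs it in the session's {@link AuthController}.
 *
 * <p>The DN is synthesized as {@code <uidAttr>=<uid>,ou=<noMatchOU>,<ldapRoot>} with the uid value
 * RDN-escaped. Every claim in {@code jwtNVP} becomes an attribute: a JSON array becomes a
 * multi-valued attribute, any other value is stored via {@code toString()}; {@code null} claim values
 * are skipped. Finally {@code objectClass} is set to {@code defaultObjectClass}.
 *
 * @param session            the HTTP session whose {@link AuthController} receives the new auth info
 * @param noMatchOU          organizational unit placed under the LDAP root for unlinked users
 * @param uidAttr            name of the claim (and attribute) that identifies the user
 * @param act                the chain that authenticated the user; supplies name and level
 * @param jwtNVP             the already verified JWT claims
 * @param defaultObjectClass value of the {@code objectClass} attribute added to the user
 * @throws IllegalArgumentException if the claim named by {@code uidAttr} is absent
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String uid = (String) jwtNVP.get(uidAttr);
    if (uid == null) {
        // Without an identifier the DN would read "<uidAttr>=null,..." and the login would still
        // succeed; fail loudly instead.
        throw new IllegalArgumentException("JWT has no '" + uidAttr + "' claim");
    }
    // Escape the RDN value so that DN-special characters in the claim (',', '+', '=', ...) cannot
    // change the structure of the synthesized DN. Ordinary identifiers are left unchanged.
    StringBuilder dn = new StringBuilder();
    dn.append(uidAttr).append('=').append(javax.naming.ldap.Rdn.escapeValue(uid)).append(",ou=").append(noMatchOU).append(",").append(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot());
    AuthInfo authInfo = new AuthInfo(dn.toString(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object key : jwtNVP.keySet()) {
        String claim = (String) key;
        Object value = jwtNVP.get(claim);
        if (value == null) {
            // A JSON null carries no value to store (previously this dereferenced null).
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(claim + " type - '" + value.getClass().getName() + "'");
        }
        Attribute attr;
        if (value instanceof JSONArray) {
            attr = new Attribute(claim);
            for (Object element : (JSONArray) value) {
                attr.getValues().add((String) element);
            }
        } else {
            attr = new Attribute(claim, value.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}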

Example 53 with AuthController

Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

Class OAuth2JWT, method processToken.

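/**
 * Validates the bearer JWT {@code lmToken} and, on success, loads its subject into the session.
 *
 * <p>The verification key is either the public key of the certificate named by the
 * {@code validationKey} parameter or, when {@code fromWellKnown} is {@code true}, obtained through
 * OIDC discovery from the issuer and cached per issuer in {@code keyCache}. The token is rejected
 * (step marked executed and unsuccessful, chain advanced, {@code sendFail} sent) when the signature
 * does not verify, {@code exp}/{@code nbf} are missing, the token is expired or not yet valid, the
 * issuer differs from the configured one, or no {@code aud} value is a configured audience. On
 * success the user is loaded either from the directory ({@code linkToDirectory}) or as an unlinked
 * user, and a non-empty {@code target} request parameter becomes the post-login URL.
 *
 * @param as         the current authentication step, updated with executed/success state
 * @param authParams mechanism parameters: issuer, audience, fromWellKnown, validationKey,
 *                   linkToDirectory, noMatchOU, uidAttr, lookupFilter, defaultObjectClass
 * @param lmToken    the compact-serialized JWS to validate
 * @throws ServletException when the discovery documents cannot be fetched or the JWT cannot be parsed
 * @throws IOException      from the response or the HTTP client
 */
@Override
public void processToken(HttpServletRequest request, HttpServletResponse response, AuthStep as, HttpSession session, HashMap<String, Attribute> authParams, AuthChainType act, String realmName, String scope, ConfigManager cfg, String lmToken) throws ServletException, IOException {
    String issuer = authParams.get("issuer").getValues().get(0);
    HashSet<String> audiences = new HashSet<String>();
    if (authParams.get("audience") == null) {
        logger.warn("No audience configuration, all requests will fail");
    } else {
        audiences.addAll(authParams.get("audience").getValues());
    }
    String fromWellKnown = authParams.get("fromWellKnown") != null ? authParams.get("fromWellKnown").getValues().get(0) : "false";
    boolean useWellKnown = fromWellKnown.equalsIgnoreCase("true");
    PublicKey pk;
    if (useWellKnown) {
        pk = keyCache.get(issuer);
        if (pk == null) {
            pk = fetchIssuerKey(issuer);
            // NOTE(review): cache entries never expire, so a rotated issuer key is only picked up
            // after a restart; consider keying by kid or refreshing on verification failure.
            keyCache.put(issuer, pk);
        }
    } else {
        String validationKey = authParams.get("validationKey").getValues().get(0);
        pk = cfg.getCertificate(validationKey).getPublicKey();
    }
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    JsonWebSignature jws = new JsonWebSignature();
    // NOTE(review): no AlgorithmConstraints are set on jws; confirm that the jose4j version in use
    // rejects the "none" algorithm and algorithms that do not match the key type by default.
    try {
        jws.setCompactSerialization(lmToken);
        jws.setKey(pk);
        if (!jws.verifySignature()) {
            rejectToken(request, response, as, cfg, realmName, scope, "Could not verify signature");
            return;
        }
        JSONObject obj = (JSONObject) new JSONParser().parse(jws.getPayload());
        Object expClaim = obj.get("exp");
        Object nbfClaim = obj.get("nbf");
        if (!(expClaim instanceof Number) || !(nbfClaim instanceof Number)) {
            // Both claims are required here; a missing one used to surface as a NullPointerException.
            rejectToken(request, response, as, cfg, realmName, scope, "JWT missing exp or nbf");
            return;
        }
        // Claims are in seconds since the epoch; DateTime wants milliseconds.
        long exp = ((Number) expClaim).longValue() * 1000L;
        long nbf = ((Number) nbfClaim).longValue() * 1000L;
        if (new DateTime(exp).isBeforeNow()) {
            rejectToken(request, response, as, cfg, realmName, scope, "JWT expired");
            return;
        }
        if (new DateTime(nbf).isAfterNow()) {
            rejectToken(request, response, as, cfg, realmName, scope, "JWT not yet valid");
            return;
        }
        // Null-safe comparison: a missing iss claim is simply a mismatch.
        if (!issuer.equals(obj.get("iss"))) {
            rejectToken(request, response, as, cfg, realmName, scope, "JWT invalid issuer");
            return;
        }
        Object aud = obj.get("aud");
        if (aud == null) {
            rejectToken(request, response, as, cfg, realmName, scope, "JWT has no aud");
            return;
        }
        // aud may be a single value or an array; one configured audience present is enough.
        boolean audienceOk;
        if (aud instanceof JSONArray) {
            audienceOk = false;
            for (Object audVal : (JSONArray) aud) {
                if (audiences.contains(audVal)) {
                    audienceOk = true;
                    break;
                }
            }
        } else {
            audienceOk = audiences.contains(aud);
        }
        if (!audienceOk) {
            rejectToken(request, response, as, cfg, realmName, scope, "Invalid audience");
            return;
        }
        if (!linkToDirectory) {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, obj, defaultObjectClass);
            as.setSuccess(true);
        } else {
            lookupUser(as, session, cfg.getMyVD(), noMatchOU, uidAttr, lookupFilter, act, obj, defaultObjectClass);
        }
        String redirectToURL = request.getParameter("target");
        if (redirectToURL != null && !redirectToURL.isEmpty()) {
            // NOTE(review): target is taken verbatim from the request; confirm the redirect is
            // validated downstream against the application's own URLs.
            reqHolder.setURL(redirectToURL);
        }
        as.setExecuted(true);
        // NOTE(review): this overrides whatever success state lookupUser set; confirm that is intended.
        as.setSuccess(true);
        cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
    } catch (JoseException | ParseException e) {
        throw new ServletException("Could not process JWT", e);
    }
}

/**
 * Marks the step as executed and failed, logs {@code reason}, advances the chain and sends the
 * failure response.
 */
private void rejectToken(HttpServletRequest request, HttpServletResponse response, AuthStep as, ConfigManager cfg, String realmName, String scope, String reason) throws ServletException, IOException {
    as.setExecuted(true);
    as.setSuccess(false);
    logger.warn(reason);
    cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
    super.sendFail(response, realmName, scope, null, null);
}

/**
 * Obtains the issuer's signing key via OIDC discovery: {@code <issuer>/.well-known/openid-configuration}
 * provides {@code jwks_uri}, whose key set is searched with {@link #selectSigningKey}.
 *
 * @throws ServletException if the documents cannot be retrieved or contain no usable key
 * @throws IOException      if the HTTP client cannot be closed
 */
private PublicKey fetchIssuerKey(String issuer) throws ServletException, IOException {
    StringBuilder sb = new StringBuilder(issuer);
    if (!issuer.endsWith("/")) {
        sb.append("/");
    }
    sb.append(".well-known/openid-configuration");
    String wellKnownURL = sb.toString();
    HttpCon http = null;
    try {
        http = this.createClient();
        JSONObject root = (JSONObject) new JSONParser().parse(fetchBody(http, wellKnownURL));
        String jwksUrl = (String) root.get("jwks_uri");
        if (jwksUrl == null) {
            throw new ServletException("Discovery document has no jwks_uri");
        }
        JsonWebKey jwk = selectSigningKey(new JsonWebKeySet(fetchBody(http, jwksUrl)));
        if (jwk == null) {
            throw new ServletException("No key found");
        }
        return (PublicKey) jwk.getKey();
    } catch (ServletException e) {
        throw e;
    } catch (Exception e) {
        throw new ServletException("Could not get oidc certs", e);
    } finally {
        if (http != null) {
            http.getHttp().close();
            http.getBcm().close();
        }
    }
}

/**
 * Executes a GET for {@code url} through {@code http} and returns the body as a string, closing the
 * response.
 */
private static String fetchBody(HttpCon http, String url) throws IOException {
    try (CloseableHttpResponse resp = http.getHttp().execute(new HttpGet(url))) {
        return EntityUtils.toString(resp.getEntity());
    }
}

/**
 * Chooses the verification key: the sole key when the set holds exactly one, otherwise the first key
 * whose {@code use} is {@code sig}. The original tested {@code size() == 0} before calling
 * {@code get(0)}, which could never succeed.
 *
 * @return the selected key, or {@code null} if none qualifies
 */
private static JsonWebKey selectSigningKey(JsonWebKeySet jks) {
    if (jks.getJsonWebKeys().size() == 1) {
        return jks.getJsonWebKeys().get(0);
    }
    for (JsonWebKey j : jks.getJsonWebKeys()) {
        if ("sig".equalsIgnoreCase(j.getUse())) {
            return j;
        }
    }
    return null;
}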

Example 54 with AuthController

Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

Class AuthManagerImpl, method execAuth.

/* (non-Javadoc)
	 * @see com.tremolosecurity.proxy.auth.sys.AuthManager#execAuth(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession, boolean, com.tremolosecurity.config.util.UrlHolder, com.tremolosecurity.config.xml.AuthChainType, java.lang.String, com.tremolosecurity.proxy.util.NextSys)
	 */
/**
 * Runs one pass of the authentication chain {@code act} for the current request.
 *
 * <p>On the first pass (the session's {@link AuthController} holds no {@link AuthStep}s) the steps
 * are built from the chain's mechanisms and a {@link RequestHolder} capturing the original request
 * is stored. On later passes the steps are walked to find the next one to execute, applying the
 * compliance lockout check and the "finish on required success" rule on the way. If a step remains,
 * its mechanism is invoked, either directly by HTTP method or through a JavaScript redirect page sent
 * with status 401, and {@code false} is returned. When no step remains and every required step (and
 * at least one optional step, if any exist) succeeded, {@code finishSuccessfulLogin} completes the
 * login. A level-0 chain other than the fail chain skips all of this and creates an anonymous
 * session immediately.
 *
 * @param jsRedirect when {@code true} the next mechanism is reached via a browser-side redirect page
 * @param finalURL   the URL the user is sent to once the login completes
 * @return the result of {@code finishSuccessfulLogin} when the login is complete, else {@code false}
 * @throws ServletException if the request holder cannot be created, an authentication failure cannot
 *         be completed, the redirect URI maps to no mechanism, or the steps are in an unknown state
 * @throws IOException from the underlying response
 */
@Override
public boolean execAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, UrlHolder holder, AuthChainType act, String finalURL, NextSys next) throws IOException, ServletException {
    boolean shortCircut = false;
    ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    // Generate an AuthChainType based on the existing chain+includes
    if (act != cfg.getAuthFailChain()) {
        act = this.buildACT(act, cfg);
    }
    // Level 0 means anonymous access: create the anonymous session and finish right away.
    if (act.getLevel() == 0 && (act != cfg.getAuthFailChain())) {
        AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
        // there's no need to go through the process
        String anonMechName = act.getAuthMech().get(0).getName();
        MechanismType mt = holder.getConfig().getAuthMechs().get(anonMechName);
        AnonAuth anonAuth = (AnonAuth) holder.getConfig().getAuthMech(mt.getUri());
        anonAuth.createSession(session, act);
        return finishSuccessfulLogin(req, resp, holder, act, actl.getHolder(), actl, next);
    }
    RequestHolder reqHolder;
    // Index of the step to execute on this pass; -1 means no step is left.
    int step = -1;
    AuthController actl = (AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    ArrayList<AuthStep> auths = actl.getAuthSteps();
    if (auths.size() == 0) {
        // First pass: one AuthStep per mechanism in the chain, in chain order.
        int id = 0;
        for (AuthMechType amt : act.getAuthMech()) {
            AuthStep as = new AuthStep();
            as.setId(id);
            as.setExecuted(false);
            as.setRequired(amt.getRequired().equals("required"));
            as.setSuccess(false);
            auths.add(as);
            id++;
        }
        boolean anyRequired = false;
        for (AuthStep as : auths) {
            if (as.isRequired()) {
                anyRequired = true;
                break;
            }
        }
        // With only optional steps, the chain finishes as soon as any step succeeds.
        if (!anyRequired) {
            act.setFinishOnRequiredSucess(true);
        }
        step = 0;
        HashMap<String, Attribute> params = new HashMap<String, Attribute>();
        ProxyUtil.loadParams(req, params);
        try {
            // The request is expected to be a ProxyRequest so its query-string parameters can be kept.
            reqHolder = new RequestHolder(RequestHolder.getMethod(req.getMethod()), params, finalURL, act.getName(), ((ProxyRequest) req).getQueryStringParams());
            actl.setHolder(reqHolder);
        } catch (Exception e) {
            throw new ServletException("Error creating request holder", e);
        }
    } else {
        reqHolder = actl.getHolder();
        boolean clearAllNotRequired = false;
        // determine the step
        for (AuthStep as : auths) {
            if (as.isSuccess()) {
                // TODO Check to see if the user is locked out
                // Compliance lockout: if the last failure is within the lockout window and the
                // failure count reached the maximum, the login fails even though this step succeeded.
                if (act.getCompliance() != null && act.getCompliance().isEnabled()) {
                    Attribute lastFailed = actl.getAuthInfo().getAttribs().get(act.getCompliance().getLastFailedAttribute());
                    Attribute numFailures = actl.getAuthInfo().getAttribs().get(act.getCompliance().getNumFailedAttribute());
                    if (logger.isDebugEnabled()) {
                        logger.debug("lastFailed Attribute : '" + lastFailed + "'");
                        logger.debug("numFailures Attribute : '" + numFailures + "'");
                    }
                    if (lastFailed != null && numFailures != null) {
                        long lastFailedTS = lastFailed.getValues().size() > 0 ? Long.parseLong(lastFailed.getValues().get(0)) : 0;
                        int numPrevFailures = Integer.parseInt(numFailures.getValues().size() > 0 ? numFailures.getValues().get(0) : "0");
                        long now = new DateTime(DateTimeZone.UTC).getMillis();
                        long lockedUntil = lastFailedTS + act.getCompliance().getMaxLockoutTime();
                        // NOTE(review): the info-level calls below sit inside an isDebugEnabled guard;
                        // they look like they were meant to be debug.
                        if (logger.isDebugEnabled()) {
                            logger.debug("Num Failed : " + numPrevFailures);
                            logger.debug("Last Failed : '" + lastFailedTS + "'");
                            logger.info("Now : '" + now + "'");
                            logger.info("Locked Until : '" + lockedUntil + "'");
                            logger.info("locked >= now? : '" + (lockedUntil >= now) + "'");
                            logger.info("max fails? : '" + act.getCompliance().getMaxFailedAttempts() + "'");
                            logger.info("too many fails : '" + (numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) + "'");
                        }
                        if (lockedUntil >= now && numPrevFailures >= act.getCompliance().getMaxFailedAttempts()) {
                            try {
                                failAuthentication(req, resp, holder, act);
                            } catch (Exception e) {
                                throw new ServletException("Could not complete authentication failure", e);
                            }
                            return false;
                        }
                    }
                }
                // A success is enough when the chain finishes on required success: stop looking for
                // a step and mark the remaining optional ones as done.
                if (act.isFinishOnRequiredSucess()) {
                    step = -1;
                    clearAllNotRequired = true;
                }
            } else {
                if (as.isRequired()) {
                    // A required step that already ran and did not succeed fails the whole login.
                    if (as.isExecuted()) {
                        try {
                            failAuthentication(req, resp, holder, act);
                        } catch (Exception e) {
                            throw new ServletException("Could not complete authentication failure", e);
                        }
                        return false;
                    } else {
                        step = as.getId();
                        break;
                    }
                } else {
                    if (clearAllNotRequired) {
                        as.setExecuted(true);
                        as.setSuccess(true);
                    } else {
                        // An optional step that already ran without success is simply skipped.
                        if (as.isExecuted()) {
                        } else {
                            step = as.getId();
                            break;
                        }
                    }
                }
            }
        }
    }
    if (step != -1) {
        /*if (jsRedirect && step < auths.size()) {
				step++;
			}*/
        AuthStep curStep = auths.get(step);
        actl.setCurrentStep(curStep);
        AuthMechType amt = act.getAuthMech().get(step);
        loadAmtParams(session, amt);
        // req.getRequestDispatcher(authFilterURI).forward(req, resp);
        // Two informational cookies tell the login pages which session cookie and application
        // they belong to; both are non-secure and session-scoped (maxAge -1).
        Cookie sessionCookieName = new Cookie("autoIdmSessionCookieName", holder.getApp().getCookieConfig().getSessionCookieName());
        String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
        if (domain != null) {
            sessionCookieName.setDomain(domain);
        }
        sessionCookieName.setPath("/");
        sessionCookieName.setMaxAge(-1);
        sessionCookieName.setSecure(false);
        // NOTE(review): holder.getApp() and getCookieConfig() were already dereferenced above, so
        // the null checks here cannot take effect; the condition also repeats the same test twice.
        if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
            ProxyResponse.addCookieToResponse(holder, sessionCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
        }
        Cookie appCookieName = new Cookie("autoIdmAppName", URLEncoder.encode(holder.getApp().getName(), "UTF-8"));
        if (domain != null) {
            appCookieName.setDomain(domain);
        }
        appCookieName.setPath("/");
        appCookieName.setMaxAge(-1);
        appCookieName.setSecure(false);
        if ((holder.getApp() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig() == null || holder.getApp().getCookieConfig().isCookiesEnabled() == null) || holder.getApp().getCookieConfig().isCookiesEnabled()) {
            ProxyResponse.addCookieToResponse(holder, appCookieName, (HttpServletResponse) ((ProxyResponse) resp).getResponse());
        }
        // resp.addCookie(appCookieName);
        // Resolve the mechanism's URI; an unknown mechanism name falls back to the fail mechanism.
        // The only difference between the two branches is whether the context path is prefixed.
        String redirectURI = "";
        MechanismType nextAuthConfiguration = null;
        if (holder.getConfig().getContextPath().equalsIgnoreCase("/")) {
            nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
            if (nextAuthConfiguration == null) {
                StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
                logger.warn(sb.toString());
                nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
            }
            redirectURI = nextAuthConfiguration.getUri();
        } else {
            nextAuthConfiguration = holder.getConfig().getAuthMechs().get(amt.getName());
            if (nextAuthConfiguration == null) {
                StringBuilder sb = new StringBuilder().append("Authentication mechanism '").append(amt.getName()).append("' does not exist, will always fail");
                logger.warn(sb.toString());
                nextAuthConfiguration = holder.getConfig().getAuthFailMechanism();
            }
            redirectURI = new StringBuffer().append(holder.getConfig().getContextPath()).append(nextAuthConfiguration.getUri()).toString();
        }
        req.getSession().setAttribute("TREMOLO_AUTH_URI", redirectURI);
        if (jsRedirect) {
            // Browser-side redirect: a tiny HTML page whose onload sets window.location, handed to the
            // proxy as ProxyData together with a 401.
            // NOTE(review): the URL from getFqdnUrl is concatenated into a JavaScript string literal
            // without escaping; confirm that it cannot contain characters that break out of the literal.
            StringBuffer b = new StringBuffer();
            b.append("<html><head></head><body onload=\"window.location='").append(ProxyTools.getInstance().getFqdnUrl(redirectURI, req)).append("';\"></body></html>");
            String respHTML = b.toString();
            ProxyData pd = new ProxyData();
            pd.setHolder(holder);
            pd.setIns(new ByteArrayInputStream(respHTML.getBytes("UTF-8")));
            pd.setPostProc(null);
            pd.setRequest(null);
            pd.setResponse(null);
            pd.setText(true);
            pd.setLogout(false);
            req.setAttribute(ProxyConstants.TREMOLO_PRXY_DATA, pd);
            // req.setAttribute(ProxySys.AUTOIDM_STREAM_WRITER,true);
            // req.setAttribute(ProxySys.TREMOLO_TXT_DATA, new
            // StringBuffer(respHTML));
            resp.sendError(401);
        } else {
            // Direct dispatch: hand the request to the mechanism matching the HTTP method.
            AuthMechanism mech = cfg.getAuthMech(redirectURI);
            if (mech == null) {
                throw new ServletException("Redirect URI '" + redirectURI + "' does not map to an authentication mechanism");
            }
            req.setAttribute(ProxyConstants.AUTH_REDIR_URI, redirectURI);
            if (curStep != null) {
                curStep.setExecuted(true);
            }
            if (req.getMethod().equalsIgnoreCase("get")) {
                mech.doGet(req, resp, curStep);
            } else if (req.getMethod().equalsIgnoreCase("post")) {
                mech.doPost(req, resp, curStep);
            } else if (req.getMethod().equalsIgnoreCase("put") || req.getMethod().equalsIgnoreCase("patch")) {
                mech.doPut(req, resp, curStep);
            } else if (req.getMethod().equalsIgnoreCase("delete")) {
                mech.doDelete(req, resp, curStep);
            } else if (req.getMethod().equalsIgnoreCase("head")) {
                mech.doHead(req, resp, curStep);
            } else if (req.getMethod().equalsIgnoreCase("options")) {
                mech.doOptions(req, resp, curStep);
            }
        }
        return false;
    } else {
        // No step left: the login is complete only if every required step succeeded and, when
        // optional steps exist, at least one of them succeeded too.
        boolean success = true;
        boolean opSuccess = false;
        boolean hasOptional = false;
        for (AuthStep as : auths) {
            if (as.isRequired()) {
                if (!as.isSuccess()) {
                    success = false;
                    break;
                }
            } else {
                hasOptional = true;
                if (as.isSuccess()) {
                    opSuccess = true;
                }
            }
        }
        boolean allSuccess = success && ((hasOptional && opSuccess) || (!hasOptional));
        if (allSuccess) {
            return finishSuccessfulLogin(req, resp, holder, act, reqHolder, actl, next);
        } else {
            throw new ServletException("Unknown state");
        /*
				 * Cookie sessionCookieName = new
				 * Cookie("autoIdmSessionCookieName","DNE");
				 * sessionCookieName.setDomain
				 * (ProxyTools.getInstance().getCookieDomain
				 * (holder.getApp().getCookieConfig(), req));
				 * sessionCookieName.setPath("/");
				 * sessionCookieName.setMaxAge(0);
				 * sessionCookieName.setSecure(false);
				 * //resp.addCookie(sessionCookieName);
				 * 
				 * Cookie appCookieName = new Cookie("autoIdmAppName","DNE");
				 * appCookieName
				 * .setDomain(ProxyTools.getInstance().getCookieDomain
				 * (holder.getApp().getCookieConfig(), req));
				 * appCookieName.setPath("/"); appCookieName.setMaxAge(0);
				 * appCookieName.setSecure(false);
				 * //resp.addCookie(appCookieName);
				 */
        }
    }
}

Example 55 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class CallWorkflow method doFilter.

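@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // Marker attribute consumed by the proxy's error handling so that failures on this
    // endpoint produce a status code rather than a redirect (it is called by clients, not browsers).
    request.setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");

    String httpMethod = request.getServletRequest().getMethod();
    if (!"POST".equalsIgnoreCase(httpMethod)) {
        logger.warn("Invalid HTTPS Method : '" + httpMethod + "'");
        response.getServletResponse().sendError(500);
        return;
    }

    // The auth info itself is not used below; the lookup is kept because it fails fast
    // (NPE) when no AuthController is present in the session, i.e. the request has not
    // passed the proxy's authentication chain. NOTE(review): the calling identity is not
    // otherwise bound into the workflow call - confirm ExecuteWorkflow enforces it.
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    response.setContentType("application/json");

    // Decode the buffered body explicitly as UTF-8; the no-charset String constructor
    // would use the platform default and can mangle non-ASCII workflow parameters.
    byte[] body = (byte[]) request.getAttribute(ProxySys.MSG_BODY);
    if (body == null || body.length == 0) {
        logger.warn("Empty request body");
        response.getServletResponse().sendError(400);
        return;
    }
    String json = new String(body, java.nio.charset.StandardCharsets.UTF_8);

    WFCall wfCall;
    try {
        wfCall = new Gson().fromJson(json, WFCall.class);
    } catch (com.google.gson.JsonParseException e) {
        // Malformed client input is a 400, not a server error.
        logger.warn("Could not parse workflow call", e);
        response.getServletResponse().sendError(400);
        return;
    }
    // Gson returns null for an empty/whitespace document; a missing name would NPE below.
    if (wfCall == null || wfCall.getName() == null) {
        logger.warn("Request body does not contain a workflow call");
        response.getServletResponse().sendError(400);
        return;
    }

    String name = wfCall.getName();
    // Only workflows on the configured allow-list may be started from this endpoint.
    if (!allowedWorkflows.contains(name)) {
        // Strip line breaks from the client-supplied name so it cannot forge extra log lines.
        logger.warn(name.replaceAll("[\\r\\n]", " ") + " not authorized");
        response.getServletResponse().sendError(403);
        return;
    }

    try {
        com.tremolosecurity.provisioning.workflow.ExecuteWorkflow exec = new com.tremolosecurity.provisioning.workflow.ExecuteWorkflow();
        exec.execute(wfCall, GlobalEntries.getGlobalEntries().getConfigManager());
    } catch (Throwable t) {
        // Deliberately broad (kept from the original): any failure while running the
        // workflow is reported to the client as a 500 rather than propagated to the proxy.
        logger.error("Error executing workflow", t);
        response.getServletResponse().sendError(500);
    }
}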

