use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.
the class SessionTimeoutChecker method createOpenSession.
/**
 * Builds an anonymous "open" session and hands its id to the browser in the
 * open-session cookie.
 *
 * <p>The session is run through the anonymous mechanism so it carries an
 * {@link AuthController} whose {@link AuthInfo} is marked complete, and is then
 * registered in {@code sessions} under the generated id.
 *
 * @param req  incoming request (not read here; kept for parity with createSession)
 * @param resp response that receives the open-session cookie
 * @param ctx  servlet context parameter (not read here; {@code this.ctx} is what is refreshed)
 * @return the newly created open session
 * @throws Exception propagated from the anonymous mechanism's session creation
 */
private HttpSession createOpenSession(HttpServletRequest req, HttpServletResponse resp, ServletContext ctx) throws Exception {
    // 160 random bits, hex encoded, prefixed with 'f'.
    // NOTE(review): assumes `random` is a SecureRandom — session ids must be unguessable; confirm the field's type.
    byte[] rawId = new byte[20];
    random.nextBytes(rawId);
    String id = "f" + Hex.encodeHexString(rawId);

    TremoloHttpSession openSession = new TremoloHttpSession(id);
    openSession.setOpen(true);
    openSession.refresh(this.ctx, this);
    this.anonMech.createSession(openSession, this.anonChainType);

    AuthController authCtl = (AuthController) openSession.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo anonInfo = authCtl.getAuthInfo();
    anonInfo.setAuthComplete(true);
    openSession.setAttribute(OpenUnisonConstants.TREMOLO_SESSION_ID, id);
    // TODO: no inactivity timeout is applied to open sessions yet (global timeout still to be added).

    // Cookie flags come from the global applications config; path "/" and max-age -1 (browser session).
    Cookie openCookie = new Cookie(cfg.getCfg().getApplications().getOpenSessionCookieName(), id);
    openCookie.setPath("/");
    openCookie.setSecure(cfg.getCfg().getApplications().isOpenSessionSecure());
    openCookie.setHttpOnly(cfg.getCfg().getApplications().isOpenSessionHttpOnly());
    openCookie.setMaxAge(-1);
    resp.addCookie(openCookie);

    sessions.put(id, openSession);
    return openSession;
}
use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.
the class SessionTimeoutChecker method createSession.
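/**
 * Creates an authenticated application session and sets the application's
 * session cookie, whose value is the AES-encrypted session id wrapped in a
 * JSON {@link Token} and base64 encoded.
 *
 * <p>If an open-session cookie name is configured, a zero max-age cookie with
 * that name is also sent so the browser drops any earlier open session.
 *
 * @param app    application the session belongs to (cookie config and timeout come from it)
 * @param req    incoming request, used only to derive the cookie domain
 * @param resp   response that receives the session cookie(s)
 * @param ctx    servlet context parameter (not read here; {@code this.ctx} is what is refreshed)
 * @param encKey AES key used to encrypt the session id
 * @return the newly created session
 * @throws Exception from cipher setup/encryption or the anonymous mechanism
 */
private HttpSession createSession(ApplicationType app, HttpServletRequest req, HttpServletResponse resp, ServletContext ctx, SecretKey encKey) throws Exception {
    // 160 random bits, hex encoded, prefixed with 'f'.
    // NOTE(review): assumes `random` is a SecureRandom — session ids must be unguessable; confirm the field's type.
    byte[] idBytes = new byte[20];
    random.nextBytes(idBytes);
    String id = "f" + Hex.encodeHexString(idBytes);

    TremoloHttpSession tsession = new TremoloHttpSession(id);
    tsession.setAppName(app.getName());
    tsession.refresh(this.ctx, this);
    tsession.setOpen(false);
    this.anonMech.createSession(tsession, this.anonChainType);

    AuthController actl = (AuthController) tsession.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo auInfo = actl.getAuthInfo();
    auInfo.setAuthComplete(true);
    tsession.setAttribute(OpenUnisonConstants.TREMOLO_SESSION_ID, id);
    tsession.setMaxInactiveInterval(app.getCookieConfig().getTimeout());

    // Encrypt the id; init() without an IV spec lets the provider generate a random IV,
    // which is shipped alongside the ciphertext in the token.
    // NOTE(review): CBC gives confidentiality only, no integrity tag — the decrypt side must
    // treat a decrypted id as untrusted until it is found in `sessions`.
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.ENCRYPT_MODE, encKey);
    byte[] encSessionKey = cipher.doFinal(id.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    Token token = new Token();
    token.setEncryptedRequest(toBase64String(encSessionKey));
    token.setIv(toBase64String(cipher.getIV()));
    String cookieJson = new Gson().toJson(token);
    String encCookie = toBase64String(cookieJson.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    Cookie sessionCookie = new Cookie(app.getCookieConfig().getSessionCookieName(), encCookie);
    String domain = ProxyTools.getInstance().getCookieDomain(app.getCookieConfig(), req);
    if (domain != null) {
        sessionCookie.setDomain(domain);
    }
    sessionCookie.setPath("/");
    sessionCookie.setMaxAge(-1);
    // Secure/HttpOnly are taken from the application's cookie config (the earlier
    // unconditional setSecure(false) was dead and only misled readers).
    sessionCookie.setSecure(app.getCookieConfig().isSecure());
    sessionCookie.setHttpOnly(app.getCookieConfig().isHttpOnly() != null && app.getCookieConfig().isHttpOnly());
    ProxyResponse.addCookieToResponse(app, sessionCookie, resp);

    // Delete the open-session cookie if one is configured (max-age 0 expires it).
    String openSessionCookieName = cfg.getCfg().getApplications().getOpenSessionCookieName();
    if (openSessionCookieName != null && !openSessionCookieName.isEmpty()) {
        Cookie openSessionCookie = new Cookie(openSessionCookieName, id);
        openSessionCookie.setPath("/");
        openSessionCookie.setSecure(cfg.getCfg().getApplications().isOpenSessionSecure());
        openSessionCookie.setHttpOnly(cfg.getCfg().getApplications().isOpenSessionHttpOnly());
        openSessionCookie.setMaxAge(0);
        resp.addCookie(openSessionCookie);
    }

    sessions.put(id, tsession);
    return tsession;
}

/**
 * Base64-encodes {@code data} and returns it as a String. Base64 output is
 * pure ASCII, so the charset is fixed rather than left to the platform default.
 *
 * @param data bytes to encode
 * @return base64 text
 */
private static String toBase64String(byte[] data) {
    return new String(org.bouncycastle.util.encoders.Base64.encode(data), java.nio.charset.StandardCharsets.US_ASCII);
}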
use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.
the class ConfigSys method doConfig.
/**
 * Front-door request handler: resolves the {@link UrlHolder} for the request,
 * resets or forces the auth chain when asked, dispatches to {@code nextSys},
 * runs logout handlers and streams back proxied data, and maps any exception
 * to the configured 500 error page.
 *
 * <p>Two paths exist: with no holder, only requests under the auth path are
 * served (everything else is a 404); with a holder, the request is proxied and
 * post-processed.
 *
 * @param req     current request
 * @param resp    current response
 * @param nextSys next stage in the proxy pipeline
 * @throws IOException      from redirects, forwards or stream handling
 * @throws ServletException from the forward to the error page
 * @see com.tremolosecurity.proxy.ConfigSys#doConfig(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, com.tremolosecurity.proxy.util.NextSys)
 */
public void doConfig(HttpServletRequest req, HttpServletResponse resp, NextSys nextSys) throws IOException, ServletException {
    UrlHolder holder = null;
    // Tracked only so the access log on error can name the user, if one was resolved.
    AuthInfo userAuth = null;
    try {
        SessionManager sessionManager = (SessionManager) this.ctx.getAttribute(ProxyConstants.TREMOLO_SESSION_MANAGER);
        // NOTE(review): setSessionCookie and checkLogout are assigned but never read in this method.
        boolean setSessionCookie = false;
        boolean checkLogout = false;
        RequestHolder reqHolder = (RequestHolder) req.getAttribute(ProxyConstants.TREMOLO_REQ_HOLDER);
        holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
        boolean isForcedAuth = req.getAttribute(ProxyConstants.TREMOLO_IS_FORCED_AUTH) != null ? (Boolean) req.getAttribute(ProxyConstants.TREMOLO_IS_FORCED_AUTH) : false;
        checkLogout = true;
        // URI that, when requested, resets the authentication chain for this session.
        StringBuffer resetsb = new StringBuffer(cfg.getAuthPath()).append("resetChain");
        HttpSession sharedSession = req.getSession();
        if (sharedSession != null) {
            AuthController actl = (AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL);
            if (actl != null && actl.getHolder() != null) {
                RequestHolder presentHolder = actl.getHolder();
                AuthInfo authdata = actl.getAuthInfo();
                userAuth = authdata;
                if (!req.getRequestURI().startsWith(cfg.getAuthPath()) && /*&& ! presentHolder.getUrlNoQueryString().equalsIgnoreCase(req.getRequestURL().toString())*/
                    (authdata == null || !authdata.isAuthComplete())) {
                    // A request outside the auth path arrived while authentication was still in
                    // progress: drop the half-finished auth state and start over as anonymous.
                    // we're going to ignore requests for favicon.ico
                    if (!req.getRequestURI().endsWith("/favicon.ico") && !req.getRequestURI().endsWith("/apple-touch-icon-precomposed.png") && !req.getRequestURI().endsWith("/apple-touch-icon.png")) {
                        sharedSession.removeAttribute(ProxyConstants.AUTH_CTL);
                        this.cfg.createAnonUser(sharedSession);
                    }
                } else if (req.getRequestURI().equalsIgnoreCase(resetsb.toString())) {
                    // Explicit chain reset: mark every step un-executed, rewind to the first
                    // step, reload that mechanism's parameters and redirect to its URI.
                    sharedSession.removeAttribute("TREMOLO_AUTH_URI");
                    for (AuthStep step : actl.getAuthSteps()) {
                        step.setExecuted(false);
                        step.setSuccess(false);
                    }
                    actl.setCurrentStep(actl.getAuthSteps().get(0));
                    String chainName = holder.getUrl().getAuthChain();
                    AuthChainType chain = cfg.getAuthChains().get(chainName);
                    String mech = chain.getAuthMech().get(0).getName();
                    String uri = cfg.getAuthMechs().get(mech).getUri();
                    holder.getConfig().getAuthManager().loadAmtParams(sharedSession, chain.getAuthMech().get(0));
                    String redirectURI = "";
                    if (holder.getConfig().getContextPath().equalsIgnoreCase("/")) {
                        redirectURI = uri;
                    } else {
                        redirectURI = new StringBuffer().append(holder.getConfig().getContextPath()).append(uri).toString();
                    }
                    sharedSession.setAttribute("TREMOLO_AUTH_URI", redirectURI);
                    resp.sendRedirect(redirectURI);
                    return;
                }
            }
            if (isForcedAuth) {
                // NOTE(review): actl is not null-checked on this path; presumably a forced-auth
                // request always has an AuthController in session — confirm against the caller.
                actl.setHolder(reqHolder);
                String authChain = holder.getUrl().getAuthChain();
                AuthChainType act = cfg.getAuthChains().get(authChain);
                holder.getConfig().getAuthManager().loadAmtParams(sharedSession, act.getAuthMech().get(0));
            }
        }
        if (holder == null) {
            if (req.getRequestURI().startsWith(cfg.getAuthPath())) {
                // No URL config matched, but the request targets the auth path: try to derive
                // a holder from the mechanism's final URL, then let the pipeline run.
                req.setAttribute(ProxyConstants.AUTOIDM_MYVD, cfg.getMyVD());
                ProxyResponse presp = new ProxyResponse((HttpServletResponse) resp, (HttpServletRequest) req);
                // we still need a holder
                /*AuthController actl = (AuthController) sharedSession.getAttribute(AuthSys.AUTH_CTL);
                if (actl != null) {
                holder = cfg.findURL(actl.getHolder().getUrlNoQueryString());
                req.setAttribute(ConfigSys.AUTOIDM_CFG, holder);
                } else {*/
                AuthMechanism authMech = cfg.getAuthMech(((HttpServletRequest) req).getRequestURI());
                if (authMech != null) {
                    String finalURL = authMech.getFinalURL(req, resp);
                    if (finalURL != null) {
                        holder = cfg.findURL(finalURL);
                    } else {
                        // throw new ServletException("Can not generate holder");
                    }
                } else {
                    // throw new ServletException("Can not generate holder");
                }
                // no holder should be needed beyond this point
                // }
                /*
                String urlChain = holder.getUrl().getAuthChain();
                AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);
                HashMap<String,Attribute> params = new HashMap<String,Attribute>();
                ProxyUtil.loadParams(req, params);
                reqHolder = new RequestHolder(HTTPMethod.GET,params,finalURL,true,act.getName());
                isForcedAuth = true;
                req.setAttribute(ConfigSys.AUTOIDM_CFG, holder);
                String chainName = holder.getUrl().getAuthChain();
                AuthChainType chain = cfg.getAuthChains().get(chainName);
                String mech = chain.getAuthMech().get(0).getName();
                String uri = cfg.getAuthMechs().get(mech).getUri();
                AuthSys.loadAmtParams(sharedSession, chain.getAuthMech().get(0));
                }
                }
                if (holder == null) {
                resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
                AccessLog.log(AccessEvent.NotFound, null, req, null, "Resource Not Found");
                return;
                }*/
                nextSys.nextSys(req, presp);
                presp.pushHeadersAndCookies(null);
            } else {
                // Unknown resource outside the auth path: configured 404 redirect, else a plain 404.
                String redirectLocation = cfg.getErrorPages().get(HttpServletResponse.SC_NOT_FOUND);
                if (redirectLocation != null) {
                    resp.sendRedirect(redirectLocation);
                } else {
                    resp.setStatus(HttpServletResponse.SC_NOT_FOUND);
                }
                AccessLog.log(AccessEvent.NotFound, null, req, null, "Resource Not Found");
            }
        } else {
            req.setAttribute(ProxyConstants.AUTOIDM_CFG, holder);
            req.setAttribute(ProxyConstants.AUTOIDM_MYVD, cfg.getMyVD());
            ProxyResponse presp = new ProxyResponse((HttpServletResponse) resp, (HttpServletRequest) req);
            ProxyData pd = null;
            try {
                nextSys.nextSys(req, presp);
                pd = (ProxyData) req.getAttribute(ProxyConstants.TREMOLO_PRXY_DATA);
                if (holder.getApp().getCookieConfig() != null) {
                    String logouturi = holder.getApp().getCookieConfig().getLogoutURI();
                    // NOTE(review): sharedSession was null-checked above but is dereferenced
                    // unconditionally here — confirm req.getSession() cannot return null on this path.
                    AuthController actl = (AuthController) sharedSession.getAttribute(ProxyConstants.AUTH_CTL);
                    if (actl != null) {
                        AuthInfo authdata = actl.getAuthInfo();
                        userAuth = authdata;
                        // Logout is triggered either by the configured logout URI or by the
                        // downstream stage flagging it on the ProxyData.
                        if ((req.getRequestURI().equalsIgnoreCase(logouturi) || (pd != null && pd.isLogout())) && (authdata != null)) {
                            // Execute logout handlers
                            // Unchecked cast: the session attribute is assumed to hold the list
                            // LogoutUtil registers under LOGOUT_HANDLERS.
                            ArrayList<LogoutHandler> logoutHandlers = (ArrayList<LogoutHandler>) sharedSession.getAttribute(LogoutUtil.LOGOUT_HANDLERS);
                            if (logoutHandlers != null) {
                                for (LogoutHandler h : logoutHandlers) {
                                    h.handleLogout(req, presp);
                                }
                            }
                            sessionManager.clearSession(holder, sharedSession, (HttpServletRequest) req, (HttpServletResponse) resp);
                        }
                    }
                }
                presp.pushHeadersAndCookies(holder);
                // Stream the proxied body back; the two procData overloads differ in whether a
                // downstream response object and post-processor are available.
                if (pd != null && pd.getIns() != null) {
                    if (pd.getResponse() == null) {
                        this.procData(pd.getRequest(), resp, holder, pd.isText(), pd.getIns(), sessionManager);
                    } else {
                        this.procData(pd.getRequest(), pd.getResponse(), holder, pd.isText(), pd.getIns(), pd.getPostProc(), sessionManager);
                    }
                }
            } finally {
                // Always return the upstream HTTP connection to its pool; close the client
                // stream only if nothing has been committed yet.
                if (pd != null && pd.getHttpRequestBase() != null) {
                    pd.getHttpRequestBase().releaseConnection();
                    if (!resp.isCommitted()) {
                        resp.getOutputStream().flush();
                        resp.getOutputStream().close();
                    }
                }
            }
        }
    } catch (Exception e) {
        // Boundary catch: log the failure against the app (or "UNKNOWN" when no holder was
        // resolved) and route to the configured 500 page or the default error.jsp.
        ApplicationType appType = null;
        if (holder != null) {
            appType = holder.getApp();
        } else {
            appType = new ApplicationType();
            appType.setName("UNKNOWN");
        }
        AccessLog.log(AccessEvent.Error, appType, (HttpServletRequest) req, userAuth, "NONE");
        // The exception object itself is exposed to the error page via a request attribute;
        // the page must not render its stack trace or message to the client.
        req.setAttribute("TREMOLO_ERROR_REQUEST_URL", req.getRequestURL().toString());
        req.setAttribute("TREMOLO_ERROR_EXCEPTION", e);
        logger.error("Could not process request", e);
        String redirectLocation = cfg.getErrorPages().get(500);
        if (redirectLocation != null) {
            resp.sendRedirect(redirectLocation);
        } else {
            StringBuffer b = new StringBuffer();
            b.append(cfg.getAuthFormsPath()).append("error.jsp");
            resp.setStatus(500);
            req.getRequestDispatcher(b.toString()).forward(req, resp);
        }
    }
}
use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.
the class SamlTransaction method completeFederation.
/**
 * Finishes a SAML IdP transaction once the user has authenticated.
 *
 * <p>If authentication is not complete, the session's auth state is reset to
 * anonymous and an error response is posted back to the SP. Otherwise the
 * request is forced through authorization ({@link AzSys}) and, on success,
 * through the URL's filter chain, whose post-processor posts the SAML response.
 *
 * @param request  current request; expects the transaction under
 *                 {@code Saml2Idp.TRANSACTION_DATA} and an {@link AuthController}
 *                 under {@code ProxyConstants.AUTH_CTL} in the session
 * @param response current response
 * @throws IOException           from the response/error posting
 * @throws ServletException      wrapping any filter-chain failure
 * @throws MalformedURLException declared for callers; not thrown directly here
 */
private void completeFederation(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, MalformedURLException {
    // NOTE(review): neither session attribute is null-checked; a request reaching this
    // method without a transaction or AuthController would NPE — confirm callers guarantee them.
    final SamlTransaction transaction = (SamlTransaction) request.getSession().getAttribute(Saml2Idp.TRANSACTION_DATA);
    final AuthInfo authInfo = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    if (!authInfo.isAuthComplete()) {
        // Never issue an assertion for a half-authenticated session: reset to anonymous and fail the SP.
        logger.warn("Attempted completetd federation before autthentication is completeed, clearing authentication and redirecting to the original URL");
        UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
        request.getSession().removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(request.getSession());
        this.postErrorResponse(transaction, request, response, authInfo, holder);
        return;
    }
    // Tell AzSys to evaluate authorization even though this is not a normal proxied request.
    request.setAttribute(AzSys.FORCE, "true");
    NextSys completeFed = new NextSys() {
        @Override
        public void nextSys(final HttpServletRequest request, final HttpServletResponse response) throws IOException, ServletException {
            // System.out.println("Authorized!!!!");
            // authInfo is re-read here (post-authorization) rather than reusing the outer final.
            final AuthInfo authInfo = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
            HttpFilterRequest filterReq = new HttpFilterRequestImpl(request, null);
            HttpFilterResponse filterResp = new HttpFilterResponseImpl(response);
            PostProcess postProc = new PostProcess() {
                @Override
                public void postProcess(HttpFilterRequest req, HttpFilterResponse resp, UrlHolder holder, HttpFilterChain chain) throws Exception {
                    // Name shadowing: `holder` is this method's parameter (supplied by the chain),
                    // while `request`, `response` and `authInfo` are captured from nextSys above.
                    postResponse(transaction, request, response, authInfo, holder);
                }
                @Override
                public boolean addHeader(String name) {
                    // No headers from the post-processor are copied to the response.
                    return false;
                }
            };
            HttpFilterChain chain = new HttpFilterChainImpl(holder, postProc);
            try {
                chain.nextFilter(filterReq, filterResp, chain);
            } catch (Exception e) {
                throw new ServletException(e);
            }
        }
    };
    AzSys az = new AzSys();
    az.doAz(request, response, completeFed);
}
use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.
the class GroupBase2Attribute method doFilter.
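/**
 * Adds {@code attributeValue} to the user's {@code attributeName} attribute when
 * the user's DN is a member of {@code groupDN}.
 *
 * <p>The LDAP lookup runs at most once per session: its completion is recorded by
 * storing {@code key} as a session attribute, so later requests skip straight to
 * the next filter.
 *
 * @param request  current filter request; its session must hold an {@link AuthController}
 * @param response current filter response (passed through unchanged)
 * @param chain    remaining filter chain
 * @throws Exception from the directory search or downstream filters
 */
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    HttpSession session = request.getSession();
    if (session.getAttribute(key) == null) {
        AuthInfo authInfo = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        // The filter is assembled with equal(...), so the user DN is escaped by the builder
        // rather than concatenated into the filter string.
        String memberAttribute = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getGroupMemberAttribute();
        // Scope 2 — presumably subtree in this LDAP API; confirm against the library's constants.
        LDAPSearchResults res = cfgMgr.getMyVD().search(groupDN, 2, equal(memberAttribute, authInfo.getUserDN()).toString(), attribs);
        boolean isMember = res.hasMore();
        if (isMember) {
            // Consume the matching entry; only membership matters, not the entry itself.
            res.next();
            logger.debug("User is member");
            Attribute attr = authInfo.getAttribs().get(this.attributeName);
            if (attr == null) {
                attr = new Attribute(this.attributeName);
                authInfo.getAttribs().put(this.attributeName, attr);
            }
            attr.getValues().add(this.attributeValue);
        } else {
            logger.debug("User is NOT member");
        }
        // Mark the check as done for this session (the value is irrelevant; only presence is tested).
        session.setAttribute(key, key);
    }
    chain.nextFilter(request, response, chain);
}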