
Example 6 with RequestHolder

use of com.tremolosecurity.proxy.auth.RequestHolder in project OpenUnison by TremoloSecurity.

In class U2fAuth, method doGet:

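/**
 * Handles both halves of the U2F step: with no {@code signResponse} parameter it issues the
 * challenge via {@link #startAuthentication}; with one it verifies the browser's assertion,
 * re-encrypts the user's registered keys (their counters advance on each use) and persists
 * them through the configured workflow before handing control back to the auth chain.
 *
 * @param request  current request; {@code signResponse} is attacker-controlled JSON
 * @param response current response
 * @param as       the auth step being executed; {@code setSuccess} records the outcome
 * @throws ServletException if the keys cannot be re-encrypted or the workflow fails
 * @throws IOException      propagated from the auth manager
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    if (request.getParameter("signResponse") == null) {
        startAuthentication(request, response, as);
        return;
    }

    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = authCtl.getAuthInfo();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = authCtl.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());

    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
    String workflowName = authParams.get("workflowName").getValues().get(0);

    // The U2FServer holding the outstanding challenge is placed in the session by the
    // challenge half of this step. A signResponse posted without one has nothing to be
    // verified against, so it is a failed assertion rather than a NullPointerException/500.
    U2FServer u2f = (U2FServer) session.getAttribute(SERVER);
    if (u2f == null) {
        logger.warn("No pending u2f challenge for user '" + userData.getUserDN() + "'");
        failU2fStep(request, response, session, holder, amt, as);
        return;
    }

    // Gson throws an unchecked JsonSyntaxException on malformed input and returns null for the
    // literal "null"; both come from the client and are treated as a failed assertion, not a 500.
    SignResponseHolder srh;
    try {
        srh = gson.fromJson(request.getParameter("signResponse"), SignResponseHolder.class);
    } catch (RuntimeException e) {
        srh = null;
    }
    if (srh == null) {
        logger.warn("Unparseable u2f signResponse for user '" + userData.getUserDN() + "'");
        failU2fStep(request, response, session, holder, amt, as);
        return;
    }

    // A non-zero errorCode means the browser itself rejected the token (wrong origin, no key, ...).
    if (srh.getErrorCode() > 0) {
        logger.warn("Browser could not validate u2f token for user '" + userData.getUserDN() + "' : " + srh.getErrorCode());
        failU2fStep(request, response, session, holder, amt, as);
        return;
    }

    SignResponse sigResp = new SignResponse(srh.getKeyHandle(), srh.getSignatureData(), srh.getClientData(), srh.getSessionId());
    try {
        u2f.processSignResponse(sigResp);
    } catch (U2FException e) {
        logger.warn("Could not authenticate user : '" + e.getMessage() + "'");
        failU2fStep(request, response, session, holder, amt, as);
        return;
    }

    // Persist the (now updated) key set, encrypted under the configured key, back to the user's
    // directory entry through the provisioning workflow so the signature counters survive.
    String encrypted;
    try {
        encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encryptionKeyName);
    } catch (Exception e) {
        throw new ServletException("Could not encrypt keys", e);
    }

    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
    TremoloUser tu = new TremoloUser();
    tu.setUid(uid);
    tu.getAttributes().add(new Attribute(uidAttributeName, uid));
    tu.getAttributes().add(new Attribute(challengeStoreAttribute, encrypted));

    WFCall wc = new WFCall();
    wc.setName(workflowName);
    wc.setUidAttributeName(uidAttributeName);
    wc.setUser(tu);
    Map<String, Object> req = new HashMap<String, Object>();
    // Run synchronously: the step must not report success before the keys are actually stored.
    req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    wc.setRequestParams(req);
    try {
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(wc);
    } catch (ProvisioningException e) {
        throw new ServletException("Could not save keys", e);
    }

    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Records a failed assertion and hands control back to the chain. The step is only marked
 * unsuccessful when the mechanism is configured as "required"; an optional mechanism leaves
 * the step's state untouched, matching the other failure paths in this class.
 */
private void failU2fStep(HttpServletRequest request, HttpServletResponse response, HttpSession session, UrlHolder holder, AuthMechType amt, AuthStep as) throws IOException, ServletException {
    if (amt.getRequired().equals("required")) {
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}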
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) U2FServer(com.google.u2f.server.U2FServer) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) U2FException(com.google.u2f.U2FException) MalformedURLException(java.net.MalformedURLException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) SignResponse(com.google.u2f.server.messages.SignResponse) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) U2FException(com.google.u2f.U2FException) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 7 with RequestHolder

use of com.tremolosecurity.proxy.auth.RequestHolder in project OpenUnison by TremoloSecurity.

In class OTPAuth, method doPost:

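/**
 * Verifies a submitted TOTP code against the user's encrypted TOTP secret.
 *
 * The secret is read from the attribute named by the {@code attributeName} mechanism parameter,
 * Base64-decoded into a {@link Token} (IV + AES/CBC ciphertext), decrypted with the key named by
 * {@code keyName}, and checked with the Google Authenticator library using {@code windowSize}
 * (default 3). With no {@code code} parameter the request is routed to {@link #doGet}.
 *
 * Control is always handed back to the auth chain afterwards; the original only did so when the
 * attribute was present, which left a user without a stored secret with no response at all.
 *
 * @param request  current request; {@code code} and {@code target} are user supplied
 * @param response current response
 * @param as       the auth step being executed; {@code setSuccess} records the outcome
 * @throws ServletException on a missing or unknown mechanism parameter
 * @throws IOException      propagated from the auth manager
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String code = request.getParameter("code");
    if (code == null) {
        this.doGet(request, response, as);
        return;
    }

    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = ac.getHolder();

    Attribute attr = authParams.get("keyName");
    if (attr == null) {
        throw new ServletException("keyName not present");
    }
    SecretKey key = this.cfgMgr.getSecretKey(attr.getValues().get(0));
    if (key == null) {
        throw new ServletException("Key '" + attr.getValues().get(0) + "' does not exist");
    }

    int windowSize = 3;
    attr = authParams.get("windowSize");
    if (attr == null) {
        logger.warn("No windowSize set");
    } else {
        windowSize = Integer.parseInt(attr.getValues().get(0));
    }

    attr = authParams.get("attributeName");
    if (attr == null) {
        throw new ServletException("attributeName not present");
    }
    String attributeName = attr.getValues().get(0);

    attr = ac.getAuthInfo().getAttribs().get(attributeName);
    if (attr == null) {
        // No enrolled secret: fail closed.
        if (logger.isDebugEnabled()) {
            logger.debug("Attribute '" + attributeName + "' not present");
        }
        as.setSuccess(false);
    } else {
        try {
            TOTPKey totp = decryptTotpKey(key, attr.getValues().get(0));
            as.setSuccess(verifyTotpCode(totp, windowSize, code));

            // Carry a caller-supplied post-authentication target into the request holder.
            // NOTE(review): "target" is taken straight from the request; nothing visible here
            // restricts it, so confirm reqHolder.setURL (or its consumer) validates it against
            // the configured URLs before it is used as a redirect.
            String redirectToURL = request.getParameter("target");
            if (redirectToURL != null && !redirectToURL.isEmpty()) {
                reqHolder.setURL(redirectToURL);
            }
        } catch (Exception e) {
            as.setSuccess(false);
            logger.error("Could not decrypt key", e);
        }
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Decodes and decrypts the stored token JSON into the user's TOTP key.
 * NOTE(review): AES/CBC with no MAC gives no integrity protection; a tampered blob surfaces
 * as a padding or JSON error rather than a clean rejection. Acceptable only because the value
 * comes from the directory, not the client.
 */
private TOTPKey decryptTotpKey(SecretKey key, String keyjson) throws java.security.GeneralSecurityException, java.io.UnsupportedEncodingException {
    if (logger.isDebugEnabled()) {
        logger.debug("token json : '" + keyjson + "'");
    }
    Gson gson = new Gson();
    // Explicit charset: the default String(byte[]) constructor uses the platform encoding.
    Token token = gson.fromJson(new String(Base64.decode(keyjson), "UTF-8"), Token.class);
    byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
    byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
    String totpJson = new String(cipher.doFinal(encBytes), "UTF-8");
    return gson.fromJson(totpJson, TOTPKey.class);
}

/**
 * Checks the submitted code against the TOTP secret. A non-numeric code is simply a wrong
 * code; it is not logged as a decryption error the way the original's catch-all did.
 */
private boolean verifyTotpCode(TOTPKey totp, int windowSize, String code) {
    int submitted;
    try {
        submitted = Integer.parseInt(code);
    } catch (NumberFormatException e) {
        return false;
    }
    GoogleAuthenticatorConfigBuilder b = new GoogleAuthenticatorConfigBuilder();
    b.setWindowSize(windowSize);
    GoogleAuthenticatorConfig cfg = b.build();
    GoogleAuthenticator ga = new GoogleAuthenticator(cfg);
    return ga.authorize(totp.getSecretKey(), submitted);
}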
Also used : GoogleAuthenticator(com.warrenstrange.googleauth.GoogleAuthenticator) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) GoogleAuthenticatorConfig(com.warrenstrange.googleauth.GoogleAuthenticatorConfig) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) Gson(com.google.gson.Gson) Token(com.tremolosecurity.json.Token) GoogleAuthenticatorConfigBuilder(com.warrenstrange.googleauth.GoogleAuthenticatorConfig.GoogleAuthenticatorConfigBuilder) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) SecretKey(javax.crypto.SecretKey) IvParameterSpec(javax.crypto.spec.IvParameterSpec) Cipher(javax.crypto.Cipher) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 8 with RequestHolder

use of com.tremolosecurity.proxy.auth.RequestHolder in project OpenUnison by TremoloSecurity.

In class AuthManagerImpl, method nextAuth:

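/**
 * Resolves the auth chain for the current request and executes its next step.
 *
 * The chain name comes from the session's {@link RequestHolder} when one exists (a login in
 * progress), otherwise from the URL's configured chain; an unknown name falls back to the
 * configured failure chain. The {@link NextSys} continuation is taken from the request when
 * the caller passes {@code null}.
 *
 * @param req        current request; must carry the {@code AUTOIDM_CFG} {@link UrlHolder}
 * @param resp       current response
 * @param session    the session handed on to {@code execAuth}; the {@link AuthController} is
 *                   read from {@code req.getSession()}, which is assumed to be the same session
 * @param jsRedirect whether to redirect via JavaScript rather than an HTTP redirect
 * @param next       continuation to run after the chain, or {@code null} to use the request attribute
 * @return whatever {@code execAuth} returns
 * @throws ServletException if no continuation, URL configuration or auth controller is available
 * @see com.tremolosecurity.proxy.auth.sys.AuthManager#nextAuth(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession, boolean, com.tremolosecurity.proxy.util.NextSys)
 */
@Override
public boolean nextAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, NextSys next) throws ServletException, IOException {
    if (next == null) {
        next = (NextSys) req.getAttribute(NEXT_SYS);
        if (next == null) {
            throw new ServletException("Unknown state");
        }
    }
    // Both are unconditionally dereferenced below; fail with a clear message instead of an NPE.
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("No URL configuration on request");
    }
    AuthController actl = (AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    if (actl == null) {
        throw new ServletException("No authentication controller in session");
    }
    RequestHolder reqHolder = actl.getHolder();
    String actName = reqHolder != null ? reqHolder.getAuthChainName() : holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(actName);
    if (act == null) {
        act = holder.getConfig().getAuthFailChain();
    }
    return execAuth(req, resp, session, jsRedirect, holder, act, req.getRequestURL().toString(), next);
}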
Also used : ServletException(javax.servlet.ServletException) UrlHolder(com.tremolosecurity.config.util.UrlHolder) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 9 with RequestHolder

use of com.tremolosecurity.proxy.auth.RequestHolder in project OpenUnison by TremoloSecurity.

In class PersistentCookie, method doWork:

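/**
 * Authenticates the request from a persistent "last mile" cookie.
 *
 * The cookie named by the {@code cookieName} parameter is decrypted with the key aliased by
 * {@code keyAlias}; the step succeeds only when the token is still valid, its {@code CLIENT_IP}
 * matches the remote address, its {@code SSL_SESSION_ID} matches the current TLS session when
 * {@code useSSLSessionID} is set (or the token carries one), and the {@code DN} it names still
 * resolves through MyVD. Every outcome hands control back to the auth chain.
 *
 * NOTE(review): the IP binding compares against {@code request.getRemoteAddr()}, which is the
 * upstream proxy's address when OpenUnison sits behind one — confirm that matches deployment.
 *
 * @param request  current request
 * @param response current response
 * @param as       the auth step being executed; {@code setSuccess} records the outcome
 * @throws ServletException on missing configuration (URL holder, cookie name, TTL, key alias, key)
 * @throws IOException      propagated from the auth manager
 */
private void doWork(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    as.setExecuted(true);
    MyVDConnection myvd = cfgMgr.getMyVD();
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    String cookieName = requiredCookieParam(authParams, "cookieName", "No cookie name specified");
    Attribute attr = authParams.get("useSSLSessionID");
    boolean useSSLSessionID = attr != null && attr.getValues().get(0).equalsIgnoreCase("true");
    // The TTL is not consulted on the validation path; it is parsed so a malformed value fails loudly.
    Long.parseLong(requiredCookieParam(authParams, "millisToLive", "No milliseconds to live specified"));
    String keyAlias = requiredCookieParam(authParams, "keyAlias", "No key name specified");

    Cookie authCookie = findCookie(request, cookieName);
    if (authCookie == null) {
        failCookieStep(request, response, session, holder, as);
        return;
    }

    SecretKey key = this.cfgMgr.getSecretKey(keyAlias);
    if (key == null) {
        throw new ServletException("Secret key '" + keyAlias + "' does not exist");
    }

    com.tremolosecurity.lastmile.LastMile lastmile = new com.tremolosecurity.lastmile.LastMile();
    try {
        lastmile.loadLastMielToken(stripSurroundingQuotes(authCookie.getValue()), key);
    } catch (Exception e) {
        logger.warn("Could not decrypt cookie", e);
        failCookieStep(request, response, session, holder, as);
        return;
    }
    if (!lastmile.isValid()) {
        logger.warn("Cookie no longer valid");
        failCookieStep(request, response, session, holder, as);
        return;
    }

    // Bindings default to "not satisfied" so a token missing CLIENT_IP (or SSL_SESSION_ID when
    // required) fails closed.
    boolean validip = false;
    boolean validSslSessionId = !useSSLSessionID;
    String dn = null;
    for (Attribute attrib : lastmile.getAttributes()) {
        String name = attrib.getName();
        if (name.equalsIgnoreCase("CLIENT_IP")) {
            validip = attrib.getValues().get(0).equals(request.getRemoteAddr());
        } else if (name.equalsIgnoreCase("DN")) {
            dn = attrib.getValues().get(0);
        } else if (name.equalsIgnoreCase("SSL_SESSION_ID")) {
            Object sessionID = request.getAttribute("javax.servlet.request.ssl_session_id");
            if (sessionID instanceof byte[]) {
                sessionID = new String(Base64.encodeBase64((byte[]) sessionID));
            }
            // A null sessionID compares unequal, which is the desired outcome.
            validSslSessionId = attrib.getValues().get(0).equals(sessionID);
        }
    }

    if (dn != null && validip && validSslSessionId) {
        as.setSuccess(loadCookieUser(myvd, dn, session, act));
    } else {
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/** Returns the first value of a mandatory mechanism parameter, or throws with the given message. */
private static String requiredCookieParam(HashMap<String, Attribute> authParams, String name, String missingMessage) throws ServletException {
    Attribute attr = authParams.get(name);
    if (attr == null) {
        throw new ServletException(missingMessage);
    }
    return attr.getValues().get(0);
}

/** Finds the first request cookie whose name matches case-insensitively, or null. */
private static Cookie findCookie(HttpServletRequest request, String cookieName) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
        return null;
    }
    for (Cookie cookie : cookies) {
        if (cookie.getName().equalsIgnoreCase(cookieName)) {
            return cookie;
        }
    }
    return null;
}

/**
 * Strips one pair of surrounding double quotes (some clients quote cookie values).
 * Only strips when both quotes are present; the original chopped the last character of any
 * value that merely started with a quote.
 */
private static String stripSurroundingQuotes(String cookieVal) {
    if (cookieVal.length() >= 2 && cookieVal.startsWith("\"") && cookieVal.endsWith("\"")) {
        return cookieVal.substring(1, cookieVal.length() - 1);
    }
    return cookieVal;
}

/** Marks the step failed and hands control back to the auth chain. */
private void failCookieStep(HttpServletRequest request, HttpServletResponse response, HttpSession session, UrlHolder holder, AuthStep as) throws IOException, ServletException {
    as.setSuccess(false);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Resolves the DN through MyVD and installs its attributes as the session's AuthInfo.
 * Returns false when the entry no longer exists or the lookup fails; only non-credential
 * LDAP errors are logged.
 */
private boolean loadCookieUser(MyVDConnection myvd, String dn, HttpSession session, AuthChainType act) {
    try {
        LDAPSearchResults res = myvd.search(dn, 0, "(objectClass=*)", new ArrayList<String>());
        if (!res.hasMore()) {
            return false;
        }
        LDAPEntry entry = res.next();
        AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
        ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
        Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
        while (it.hasNext()) {
            LDAPAttribute ldapattr = it.next();
            Attribute attr = new Attribute(ldapattr.getName());
            for (String val : ldapattr.getStringValueArray()) {
                attr.getValues().add(val);
            }
            authInfo.getAttribs().put(attr.getName(), attr);
        }
        return true;
    } catch (LDAPException e) {
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        return false;
    }
}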
Also used : LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) LDAPEntry(com.novell.ldap.LDAPEntry) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) MyVDConnection(com.tremolosecurity.proxy.myvd.MyVDConnection) Cookie(javax.servlet.http.Cookie) LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) HttpSession(javax.servlet.http.HttpSession) AuthController(com.tremolosecurity.proxy.auth.AuthController) LDAPException(com.novell.ldap.LDAPException) ServletException(javax.servlet.ServletException) IOException(java.io.IOException) SecretKey(javax.crypto.SecretKey) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) LDAPException(com.novell.ldap.LDAPException)

Example 10 with RequestHolder

use of com.tremolosecurity.proxy.auth.RequestHolder in project OpenUnison by TremoloSecurity.

In class SecretQuestionAuth, method doPost:

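/**
 * Checks the answers posted for the secret questions stored in the session.
 *
 * The questions are expected under the {@code TREMOLO_SECRET_ANSWERS} session attribute (set by
 * the GET half of this mechanism); without them the request is routed to {@link #doGet}. Answer
 * {@code i} is read from parameter {@code answer<i>} and checked with the configured {@code alg}
 * and {@code salt}. A missing parameter counts as a wrong answer. When the mechanism is
 * "required", the first wrong answer fails the step; otherwise the step succeeds regardless.
 *
 * NOTE(review): returning on the first wrong answer reveals, via timing, which question failed.
 * Evaluating every answer before deciding would close that if checkAnswer is side-effect free.
 *
 * @param request  current request; {@code answer<i>} parameters are user supplied
 * @param response current response
 * @param as       the auth step being executed; {@code setSuccess} records the outcome
 * @throws ServletException propagated from the auth manager
 * @throws IOException      propagated from the auth manager
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String alg = authParams.get("alg").getValues().get(0);
    String salt = authParams.get("salt").getValues().get(0);
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());

    @SuppressWarnings("unchecked")
    ArrayList<SecretQuestion> questions = (ArrayList<SecretQuestion>) session.getAttribute("TREMOLO_SECRET_ANSWERS");
    if (questions == null) {
        this.doGet(request, response, as);
        return;
    }

    // Null-safe: a mechanism with no "required" setting is treated as optional rather than NPE-ing.
    boolean required = "required".equals(amt.getRequired());
    int i = 0;
    for (SecretQuestion sq : questions) {
        String answer = request.getParameter("answer" + i);
        // An absent answer can never be correct; don't rely on checkAnswer tolerating null.
        boolean correct = answer != null && sq.checkAnswer(alg, answer, salt);
        if (!correct && required) {
            as.setSuccess(false);
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
            return;
        }
        i++;
    }
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}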
Also used : Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) ArrayList(java.util.ArrayList) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) MyVDConnection(com.tremolosecurity.proxy.myvd.MyVDConnection)
