Example 11 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class LoginFilter, method addSamlToSession:

/**
 * Adds the SAML assertion to the HTTP session and sets the session's
 * inactivity timeout from the configured expiration time.
 *
 * @param httpRequest   the HTTP request object for this request
 * @param realm         the realm under which the token is stored in the session
 * @param securityToken the SecurityToken object representing the SAML assertion
 */
private void addSamlToSession(HttpServletRequest httpRequest, String realm, SecurityToken securityToken) {
    if (securityToken == null) {
        LOGGER.debug("Cannot add null security token to session.");
        return;
    }
    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
    SecurityToken sessionToken = getSecurityToken(session, realm);
    if (sessionToken == null) {
        addSecurityToken(session, realm, securityToken);
    }
    SecurityAssertion securityAssertion = new SecurityAssertionImpl(securityToken);
    SecurityLogger.audit("Added SAML for user [{}] to session [{}]", securityAssertion.getPrincipal().getName(), session.getId());
    int minutes = getExpirationTime();
    // we just want to set this to some non-zero value if the configuration is messed up
    int seconds = 60;
    if (minutes > 0) {
        seconds = minutes * 60;
    }
    session.setMaxInactiveInterval(seconds);
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), HttpSession (javax.servlet.http.HttpSession), SecurityAssertion (ddf.security.assertion.SecurityAssertion), SecurityAssertionImpl (ddf.security.assertion.impl.SecurityAssertionImpl)

Example 12 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class GuestInterceptor, method createSecurityToken:

private SecurityToken createSecurityToken(String ipAddress) {
    SecurityToken securityToken = null;
    Subject subject = getSubject(ipAddress);
    LOGGER.trace("Attempting to create Security token.");
    if (subject != null) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals != null) {
            SecurityAssertion securityAssertion = principals.oneByType(SecurityAssertion.class);
            if (securityAssertion != null) {
                securityToken = securityAssertion.getSecurityToken();
            } else {
                LOGGER.info("Subject did not contain a security assertion, could not add assertion to the security header.");
            }
        } else {
            LOGGER.info("Subject did not contain any principals, could not create security token.");
        }
    }
    return securityToken;
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject)

Example 13 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithMessageAction:

@Test
public void testMessageWithMessageAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    MessageInfo mockMessageInfo = mock(MessageInfo.class);
    when(messageWithAction.get(MessageInfo.class.getName())).thenReturn(mockMessageInfo);
    when(mockMessageInfo.getExtensionAttribute(new QName(Names.WSA_NAMESPACE_WSDL_METADATA, Names.WSAW_ACTION_NAME))).thenReturn("urn:catalog:query:query-port:search");
    doAnswer(new Answer<Boolean>() {
        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:search", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // The stubbed permission check returns true, so handleMessage must complete without throwing.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used: SecurityManager (ddf.security.service.SecurityManager), Message (org.apache.cxf.message.Message), QName (javax.xml.namespace.QName), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject), MessageInfo (org.apache.cxf.service.model.MessageInfo), SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), InvocationOnMock (org.mockito.invocation.InvocationOnMock), CollectionPermission (ddf.security.permission.CollectionPermission), PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest), Test (org.junit.Test)

Example 14 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithDefaultUriAction:

@Test
public void testMessageWithDefaultUriAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    QName op = new QName("urn:catalog:query", "search", "ns1");
    QName port = new QName("urn:catalog:query", "query-port", "ns1");
    when(messageWithAction.get(MessageContext.WSDL_OPERATION)).thenReturn(op);
    when(messageWithAction.get(MessageContext.WSDL_PORT)).thenReturn(port);
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(null);
    doAnswer(new Answer<Boolean>() {
        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:searchRequest", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // The stubbed permission check returns true, so handleMessage must complete without throwing.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used: BindingOperationInfo (org.apache.cxf.service.model.BindingOperationInfo), SecurityManager (ddf.security.service.SecurityManager), Message (org.apache.cxf.message.Message), QName (javax.xml.namespace.QName), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject), SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), Exchange (org.apache.cxf.message.Exchange), InvocationOnMock (org.mockito.invocation.InvocationOnMock), CollectionPermission (ddf.security.permission.CollectionPermission), PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest), Test (org.junit.Test)

Example 15 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class TestPepInterceptorNullAssertionToken, method testMessageNullSecurityAssertionToken:

@Test
public void testMessageNullSecurityAssertionToken() {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    Message messageWithNullSecurityAssertion = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    assertNotNull(mockSecurityAssertion);
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithNullSecurityAssertion)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(null);
    expectedExForNullMessage.expect(AccessDeniedException.class);
    expectedExForNullMessage.expectMessage("Unauthorized");
    interceptor.handleMessage(messageWithNullSecurityAssertion);
    PowerMockito.verifyStatic();
}
Also used: Message (org.apache.cxf.message.Message), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Test (org.junit.Test), PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)

Aggregations

SecurityAssertion (ddf.security.assertion.SecurityAssertion) 35
Subject (ddf.security.Subject) 23
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken) 23
Test (org.junit.Test) 14
SecurityManager (ddf.security.service.SecurityManager) 11
PrincipalCollection (org.apache.shiro.subject.PrincipalCollection) 11
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest) 9
CollectionPermission (ddf.security.permission.CollectionPermission) 8
Message (org.apache.cxf.message.Message) 8
SecurityServiceException (ddf.security.service.SecurityServiceException) 6
Exchange (org.apache.cxf.message.Exchange) 6
BindingOperationInfo (org.apache.cxf.service.model.BindingOperationInfo) 6
Element (org.w3c.dom.Element) 6
SecurityAssertionImpl (ddf.security.assertion.impl.SecurityAssertionImpl) 5
Principal (java.security.Principal) 5
HttpSession (javax.servlet.http.HttpSession) 5
SecurityTokenHolder (ddf.security.common.SecurityTokenHolder) 4
HttpServletRequest (javax.servlet.http.HttpServletRequest) 4
QName (javax.xml.namespace.QName) 4
SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection) 4