
Example 21 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class LoginFilter, method renewSecurityToken.

/**
 * Refreshes the SAML assertion held in {@code savedToken} when it is about to expire.
 *
 * <p>The saved assertion is rejected (returns {@code null}) if its issuer is set but is not
 * this host, or if it carries no NotOnOrAfter condition. An assertion whose NotOnOrAfter
 * instant has already passed causes an {@link InvalidSAMLReceivedException}. A refresh is
 * attempted only inside the final minute of validity; the refreshed token is written into the
 * session's {@link SecurityTokenHolder} under the token's realm and a new
 * {@link SAMLAuthenticationToken} wrapping it is returned. Any failure during the refresh
 * invalidates the session.
 *
 * @param session    the current HTTP session; {@code null} disables renewal
 * @param savedToken the SAML token previously stored for this session
 * @return a new token built from the refreshed assertion, or {@code null} when no refresh
 *         was performed
 * @throws InvalidSAMLReceivedException if the saved assertion is already expired
 * @throws ServletException declared by the signature; not thrown directly in this body
 * @throws WSSecurityException declared by the signature; not thrown directly in this body
 */
private SAMLAuthenticationToken renewSecurityToken(HttpSession session, SAMLAuthenticationToken savedToken) throws ServletException, WSSecurityException {
    if (session == null) {
        return null;
    }
    SecurityAssertion current = new SecurityAssertionImpl(((SecurityToken) savedToken.getCredentials()));
    String issuer = current.getIssuer();
    if (issuer != null && !issuer.equals(SystemBaseUrl.getHost())) {
        // Only assertions issued by this host are candidates for local renewal.
        return null;
    }
    if (current.getNotOnOrAfter() == null) {
        // No expiry condition means nothing to renew against.
        return null;
    }
    // Remaining validity is measured against the local clock; no skew allowance is applied.
    final long renewalWindowMillis = 60000L;
    long remainingMillis = current.getNotOnOrAfter().getTime() - System.currentTimeMillis();
    if (remainingMillis <= 0) {
        throw new InvalidSAMLReceivedException("SAML assertion has expired.");
    }
    if (remainingMillis > renewalWindowMillis) {
        // Still outside the last minute of validity: leave the existing token alone.
        return null;
    }
    try {
        LOGGER.debug("Attempting to refresh user's SAML assertion.");
        Subject refreshed = securityManager.getSubject(savedToken);
        LOGGER.debug("Refresh of user assertion successful");
        for (Object principal : refreshed.getPrincipals()) {
            if (!(principal instanceof SecurityAssertion)) {
                continue;
            }
            // First SecurityAssertion principal wins; its token replaces the one in the session.
            SecurityToken freshToken = ((SecurityAssertion) principal).getSecurityToken();
            SAMLAuthenticationToken renewed = new SAMLAuthenticationToken((java.security.Principal) savedToken.getPrincipal(), freshToken, savedToken.getRealm());
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Setting session token - class: {}  classloader: {}", freshToken.getClass().getName(), freshToken.getClass().getClassLoader());
            }
            // A missing holder attribute surfaces as an NPE and lands in the catch-all below.
            SecurityTokenHolder holder = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
            holder.addSecurityToken(savedToken.getRealm(), freshToken);
            LOGGER.debug("Saved new user assertion to session.");
            return renewed;
        }
    } catch (SecurityServiceException e) {
        LOGGER.debug("Unable to refresh user's SAML assertion. User will log out prematurely.", e);
        session.invalidate();
    } catch (Exception e) {
        LOGGER.info("Unhandled exception occurred.", e);
        session.invalidate();
    }
    return null;
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) SecurityServiceException(ddf.security.service.SecurityServiceException) InvalidSAMLReceivedException(org.codice.ddf.security.handler.api.InvalidSAMLReceivedException) SecurityAssertion(ddf.security.assertion.SecurityAssertion) SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken) Subject(ddf.security.Subject) ServletException(javax.servlet.ServletException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) SecurityServiceException(ddf.security.service.SecurityServiceException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) InvalidSAMLReceivedException(org.codice.ddf.security.handler.api.InvalidSAMLReceivedException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) NoSuchProviderException(java.security.NoSuchProviderException) SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl)

Example 22 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class LoginFilter, method handleAuthenticationToken.

/**
 * Authenticates the request with {@code token}, reusing a SAML token already stored in the
 * session for the token's realm when one exists.
 *
 * <p>When the session holds no token, the credentials are presented to the
 * {@code securityManager} and every {@link SecurityAssertion} principal of the resulting
 * subject is written back into the session. When one does exist, a
 * {@link SAMLAuthenticationToken} carrying the session id is built and passed to
 * {@code handleAuthenticationToken} again; presumably an overload taking a
 * {@code SAMLAuthenticationToken} exists in this class and is selected by the argument's
 * static type — confirm against the full class, since otherwise this call would recurse
 * into this same method.
 *
 * @param httpRequest the incoming request, used to look up or create the session
 * @param token       credentials supplied by the authentication handler
 * @return the authenticated subject
 * @throws ServletException if the security manager cannot produce a subject
 */
private Subject handleAuthenticationToken(HttpServletRequest httpRequest, BaseAuthenticationToken token) throws ServletException {
    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
    // A SAML token cached in the session for this realm takes precedence over a fresh login.
    SecurityToken cachedToken = getSecurityToken(session, token.getRealm());
    if (cachedToken != null) {
        LOGGER.trace("Creating SAML authentication token with session.");
        SAMLAuthenticationToken sessionBacked = new SAMLAuthenticationToken(null, session.getId(), token.getRealm());
        return handleAuthenticationToken(httpRequest, sessionBacked);
    }
    try {
        // No prior SAML token: log in with the supplied credentials.
        Subject subject = securityManager.getSubject(token);
        for (Object principal : subject.getPrincipals().asList()) {
            if (!(principal instanceof SecurityAssertion)) {
                continue;
            }
            SecurityAssertion assertion = (SecurityAssertion) principal;
            if (LOGGER.isTraceEnabled()) {
                // Writes the complete assertion (a credential) to the log at TRACE level.
                Element samlToken = assertion.getSecurityToken().getToken();
                LOGGER.trace("SAML Assertion returned: {}", XMLUtils.prettyFormat(samlToken));
            }
            addSamlToSession(httpRequest, token.getRealm(), assertion.getSecurityToken());
        }
        return subject;
    } catch (SecurityServiceException e) {
        LOGGER.debug("Unable to get subject from auth request.", e);
        throw new ServletException(e);
    }
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) ServletException(javax.servlet.ServletException) SecurityServiceException(ddf.security.service.SecurityServiceException) HttpSession(javax.servlet.http.HttpSession) Element(org.w3c.dom.Element) SecurityAssertion(ddf.security.assertion.SecurityAssertion) SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken) Subject(ddf.security.Subject)

Example 23 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class LoginFilterTest, method testValidUsernameToken.

/**
 * Runs {@code LoginFilter.doFilter} with a username/password token that the mocked security
 * manager accepts, against a session whose {@code SAML_ASSERTION} attribute already holds an
 * empty {@link SecurityTokenHolder}. The subject's only principal is a mocked
 * {@link SecurityAssertion} whose token element is read from {@code /good_saml.xml}.
 * The test passes when the filter completes without throwing; it makes no further assertions.
 */
@Test
public void testValidUsernameToken() throws IOException, XMLStreamException, ServletException, ParserConfigurationException, SAXException, SecurityServiceException {
    // Filter under test, wired to the test's session factory and a mocked security manager.
    FilterConfig config = mock(FilterConfig.class);
    LoginFilter filter = new LoginFilter();
    filter.setSessionFactory(sessionFactory);
    ddf.security.service.SecurityManager manager = mock(ddf.security.service.SecurityManager.class);
    filter.setSecurityManager(manager);
    filter.init(config);

    // Request carrying a completed handler result for a username/password token.
    HttpServletRequest request = mock(HttpServletRequest.class);
    HttpServletResponse response = mock(HttpServletResponse.class);
    FilterChain chain = mock(FilterChain.class);
    UPAuthenticationToken upToken = new UPAuthenticationToken("foo", "bar");
    HandlerResult handlerResult = new HandlerResult(HandlerResult.Status.COMPLETED, upToken);
    when(request.getAttribute("ddf.security.token")).thenReturn(handlerResult);

    // Session that already has an empty token holder for the filter to populate.
    HttpSession httpSession = mock(HttpSession.class);
    when(request.getSession(true)).thenReturn(httpSession);
    when(httpSession.getAttribute(SecurityConstants.SAML_ASSERTION)).thenReturn(new SecurityTokenHolder());
    when(sessionFactory.getOrCreateSession(request)).thenReturn(httpSession);

    // Authenticated subject exposing a single SecurityAssertion backed by the sample SAML document.
    Subject authenticated = mock(Subject.class, RETURNS_DEEP_STUBS);
    when(manager.getSubject(upToken)).thenReturn(authenticated);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken samlToken = mock(SecurityToken.class);
    when(assertion.getSecurityToken()).thenReturn(samlToken);
    when(authenticated.getPrincipals().asList()).thenReturn(Arrays.asList(assertion));
    when(samlToken.getToken()).thenReturn(readDocument("/good_saml.xml").getDocumentElement());

    filter.doFilter(request, response, chain);
}
Also used : HttpSession(javax.servlet.http.HttpSession) FilterChain(javax.servlet.FilterChain) HttpServletResponse(javax.servlet.http.HttpServletResponse) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject) HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) FilterConfig(javax.servlet.FilterConfig) SecurityManager(ddf.security.service.SecurityManager) Test(org.junit.Test)

Example 24 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class SecurityManagerImpl, method createPrincipalFromToken.

/**
 * Creates a new principal object from an incoming security token.
 *
 * <p>For every configured realm a {@link SecurityAssertionImpl} is built from {@code token}
 * (using the configured username attribute list) and added to the collection under that
 * realm's name, preceded by the assertion's principal name when one is present. A failure
 * while building the assertion or reading its principal is logged at WARN and does not abort
 * the loop; if the assertion itself was constructed it is still added.
 *
 * @param token SecurityToken that contains the principals.
 * @return new SimplePrincipalCollection
 */
private SimplePrincipalCollection createPrincipalFromToken(SecurityToken token) {
    SimplePrincipalCollection collection = new SimplePrincipalCollection();
    for (Realm realm : realms) {
        String realmName = realm.getName();
        LOGGER.debug("Configuring settings for realm name: {} type: {}", realmName, realm.getClass().toString());
        LOGGER.debug("Is authorizer: {}, is AuthorizingRealm: {}", realm instanceof Authorizer, realm instanceof AuthorizingRealm);
        SecurityAssertion assertion = null;
        try {
            assertion = new SecurityAssertionImpl(token, usernameAttributeList);
            Principal principal = assertion.getPrincipal();
            if (principal != null) {
                collection.add(principal.getName(), realmName);
            }
        } catch (Exception e) {
            LOGGER.warn("Encountered error while trying to get the Principal for the SecurityToken. Security functions may not work properly.", e);
        }
        // The assertion is stored as a principal in its own right so later code can
        // recover the underlying SecurityToken from the subject.
        if (assertion != null) {
            collection.add(assertion, realmName);
        }
    }
    return collection;
}
Also used : Authorizer(org.apache.shiro.authz.Authorizer) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Realm(org.apache.shiro.realm.Realm) AuthorizingRealm(org.apache.shiro.realm.AuthorizingRealm) AuthorizingRealm(org.apache.shiro.realm.AuthorizingRealm) Principal(java.security.Principal) SecurityServiceException(ddf.security.service.SecurityServiceException) SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl)

Example 25 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

From class SubjectUtils, method getName.

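/**
 * Retrieves the user name from a given subject.
 *
 * <p>Resolution order: the {@link Principal} carried by the subject's
 * {@link SecurityAssertion} (a {@link KerberosPrincipal} is reduced to its bare user name,
 * dropping the {@code @REALM} suffix and any {@code /instance} part); failing that, the
 * string form of the collection's primary principal; failing that, {@code defaultName}.
 * An assertion whose principal is {@code null}, or a {@code null} primary principal, yields
 * {@code defaultName} instead of a NullPointerException.
 *
 * @param subject           Subject to get the user name from.
 * @param defaultName       Name to send back if no user name was found.
 * @param returnDisplayName return formatted user name for displaying
 * @return String representation of the user name if available or
 * defaultName if no user name could be found or incoming subject
 * was null.
 */
public static String getName(Subject subject, String defaultName, boolean returnDisplayName) {
    String name = defaultName;
    if (subject != null) {
        PrincipalCollection principals = subject.getPrincipals();
        if (principals != null) {
            SecurityAssertion assertion = principals.oneByType(SecurityAssertion.class);
            if (assertion != null) {
                Principal principal = assertion.getPrincipal();
                if (principal != null) {
                    name = principal instanceof KerberosPrincipal
                            ? stripKerberosRealmAndInstance(principal.getName())
                            : principal.getName();
                    if (returnDisplayName) {
                        name = getDisplayName(principal, name);
                    }
                } else {
                    // An assertion can exist without a resolvable principal; fall back rather than NPE.
                    LOGGER.debug("Security assertion carries no principal, cannot look up user name. Using default name of {}.", defaultName);
                }
            } else {
                // send back the primary principal as a string
                Object primary = principals.getPrimaryPrincipal();
                if (primary != null) {
                    name = primary.toString();
                } else {
                    LOGGER.debug("No primary principal in the incoming subject, cannot look up user name. Using default name of {}.", defaultName);
                }
            }
        } else {
            LOGGER.debug("No principals located in the incoming subject, cannot look up user name. Using default name of {}.", defaultName);
        }
    } else {
        LOGGER.debug("Incoming subject was null, cannot look up user name. Using default name of {}.", defaultName);
    }
    LOGGER.debug("Sending back name {}.", name);
    return name;
}

/**
 * Reduces a Kerberos principal name such as {@code alice/admin@EXAMPLE.COM} to {@code alice}.
 *
 * <p>Both the realm and the instance component are discarded, so principals that differ only
 * in realm or instance map to the same user name; callers that must keep realms apart need
 * the full {@link KerberosPrincipal#getName()} value instead.
 *
 * @param kerberosName full Kerberos principal name
 * @return the primary component, or {@code kerberosName} unchanged when it consists only of
 *         delimiters (including the empty string)
 */
private static String stripKerberosRealmAndInstance(String kerberosName) {
    StringTokenizer realmSplit = new StringTokenizer(kerberosName, "@");
    if (!realmSplit.hasMoreTokens()) {
        return kerberosName;
    }
    StringTokenizer instanceSplit = new StringTokenizer(realmSplit.nextToken(), "/");
    return instanceSplit.hasMoreTokens() ? instanceSplit.nextToken() : kerberosName;
}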
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) StringTokenizer(java.util.StringTokenizer) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) XSString(org.opensaml.core.xml.schema.XSString) SecurityAssertion(ddf.security.assertion.SecurityAssertion) X500Principal(javax.security.auth.x500.X500Principal) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GuestPrincipal(ddf.security.principal.GuestPrincipal) Principal(java.security.Principal)
