Examples with SecurityAssertion ddf.security.assertion.SecurityAssertion used on opensource projects

Example 26 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

the class AuthenticationEndpoint method login.

@POST
public Response login(@Context HttpServletRequest request, @FormParam("username") String username, @FormParam("password") String password, @FormParam("prevurl") String prevurl) throws SecurityServiceException {
    // Make sure we're using HTTPS
    if (!request.isSecure()) {
        throw new IllegalArgumentException("Authentication request must use TLS.");
    }
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // Get the realm from the previous url
    String realm = BaseAuthenticationToken.DEFAULT_REALM;
    ContextPolicy policy = contextPolicyManager.getContextPolicy(prevurl);
    if (policy != null) {
        realm = policy.getRealm();
    }
    // Create an authentication token
    UPAuthenticationToken authenticationToken = new UPAuthenticationToken(username, password, realm);
    // Authenticate
    Subject subject = securityManager.getSubject(authenticationToken);
    if (subject == null) {
        throw new SecurityServiceException("Authentication failed");
    }
    for (Object principal : subject.getPrincipals()) {
        if (principal instanceof SecurityAssertion) {
            SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
            if (securityToken == null) {
                LOGGER.debug("Cannot add null security token to session");
                continue;
            }
            // Create a session and add the security token
            session = sessionFactory.getOrCreateSession(request);
            SecurityTokenHolder holder = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
            holder.addSecurityToken(realm, securityToken);
        }
    }
    // Redirect to the previous url
    URI redirect = uriInfo.getBaseUriBuilder().replacePath(prevurl).build();
    return Response.seeOther(redirect).build();
}

Example 27 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

the class SubjectUtilsTest method getSubjectWithAttributes.

private Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
    Subject subject = mock(Subject.class);
    PrincipalCollection pc = mock(PrincipalCollection.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    AttributeStatement as = mock(AttributeStatement.class);
    List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
    doReturn(pc).when(subject).getPrincipals();
    doReturn(assertion).when(pc).oneByType(SecurityAssertion.class);
    doReturn(ImmutableList.of(assertion)).when(pc).byType(SecurityAssertion.class);
    doReturn(Collections.singletonList(as)).when(assertion).getAttributeStatements();
    doReturn(attrs).when(as).getAttributes();
    return subject;
}

Example 28 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

the class LoginFilter method renewSecurityToken.

private SAMLAuthenticationToken renewSecurityToken(HttpSession session, SAMLAuthenticationToken savedToken) throws ServletException, WSSecurityException {
    if (session != null) {
        SecurityAssertion savedAssertion = new SecurityAssertionImpl(((SecurityToken) savedToken.getCredentials()));
        if (savedAssertion.getIssuer() != null && !savedAssertion.getIssuer().equals(SystemBaseUrl.getHost())) {
            return null;
        }
        if (savedAssertion.getNotOnOrAfter() == null) {
            return null;
        }
        long afterMil = savedAssertion.getNotOnOrAfter().getTime();
        long timeoutMillis = (afterMil - System.currentTimeMillis());
        if (timeoutMillis <= 0) {
            throw new InvalidSAMLReceivedException("SAML assertion has expired.");
        }
        if (timeoutMillis <= 60000) {
            // within 60 seconds
            try {
                LOGGER.debug("Attempting to refresh user's SAML assertion.");
                Subject subject = securityManager.getSubject(savedToken);
                LOGGER.debug("Refresh of user assertion successful");
                for (Object principal : subject.getPrincipals()) {
                    if (principal instanceof SecurityAssertion) {
                        SecurityToken token = ((SecurityAssertion) principal).getSecurityToken();
                        SAMLAuthenticationToken samlAuthenticationToken = new SAMLAuthenticationToken((java.security.Principal) savedToken.getPrincipal(), token, savedToken.getRealm());
                        if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("Setting session token - class: {}  classloader: {}", token.getClass().getName(), token.getClass().getClassLoader());
                        }
                        ((SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION)).addSecurityToken(savedToken.getRealm(), token);
                        LOGGER.debug("Saved new user assertion to session.");
                        return samlAuthenticationToken;
                    }
                }
            } catch (SecurityServiceException e) {
                LOGGER.debug("Unable to refresh user's SAML assertion. User will log out prematurely.", e);
                session.invalidate();
            } catch (Exception e) {
                LOGGER.info("Unhandled exception occurred.", e);
                session.invalidate();
            }
        }
    }
    return null;
}

Example 29 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

the class LoginFilter method handleAuthenticationToken.

private Subject handleAuthenticationToken(HttpServletRequest httpRequest, BaseAuthenticationToken token) throws ServletException {
    Subject subject;
    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
    //if we already have an assertion inside the session and it has not expired, then use that instead
    SecurityToken sessionToken = getSecurityToken(session, token.getRealm());
    if (sessionToken == null) {
        /*
             * The user didn't have a SAML token from a previous authentication, but they do have the
             * credentials to log in - perform that action here.
             */
        try {
            // login with the specified authentication credentials (AuthenticationToken)
            subject = securityManager.getSubject(token);
            for (Object principal : subject.getPrincipals().asList()) {
                if (principal instanceof SecurityAssertion) {
                    if (LOGGER.isTraceEnabled()) {
                        Element samlToken = ((SecurityAssertion) principal).getSecurityToken().getToken();
                        LOGGER.trace("SAML Assertion returned: {}", XMLUtils.prettyFormat(samlToken));
                    }
                    SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
                    addSamlToSession(httpRequest, token.getRealm(), securityToken);
                }
            }
        } catch (SecurityServiceException e) {
            LOGGER.debug("Unable to get subject from auth request.", e);
            throw new ServletException(e);
        }
    } else {
        LOGGER.trace("Creating SAML authentication token with session.");
        SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, session.getId(), token.getRealm());
        return handleAuthenticationToken(httpRequest, samlToken);
    }
    return subject;
}

Example 30 with SecurityAssertion

use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

the class LoginFilterTest method testValidUsernameToken.

@Test
public void testValidUsernameToken() throws IOException, XMLStreamException, ServletException, ParserConfigurationException, SAXException, SecurityServiceException {
    FilterConfig filterConfig = mock(FilterConfig.class);
    LoginFilter loginFilter = new LoginFilter();
    loginFilter.setSessionFactory(sessionFactory);
    ddf.security.service.SecurityManager securityManager = mock(ddf.security.service.SecurityManager.class);
    loginFilter.setSecurityManager(securityManager);
    loginFilter.init(filterConfig);
    HttpServletRequest servletRequest = mock(HttpServletRequest.class);
    HttpServletResponse servletResponse = mock(HttpServletResponse.class);
    FilterChain filterChain = mock(FilterChain.class);
    UPAuthenticationToken token = new UPAuthenticationToken("foo", "bar");
    HandlerResult result = new HandlerResult(HandlerResult.Status.COMPLETED, token);
    when(servletRequest.getAttribute("ddf.security.token")).thenReturn(result);
    HttpSession session = mock(HttpSession.class);
    when(servletRequest.getSession(true)).thenReturn(session);
    when(session.getAttribute(SecurityConstants.SAML_ASSERTION)).thenReturn(new SecurityTokenHolder());
    when(sessionFactory.getOrCreateSession(servletRequest)).thenReturn(session);
    Subject subject = mock(Subject.class, RETURNS_DEEP_STUBS);
    when(securityManager.getSubject(token)).thenReturn(subject);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken securityToken = mock(SecurityToken.class);
    when(assertion.getSecurityToken()).thenReturn(securityToken);
    when(subject.getPrincipals().asList()).thenReturn(Arrays.asList(assertion));
    when(securityToken.getToken()).thenReturn(readDocument("/good_saml.xml").getDocumentElement());
    loginFilter.doFilter(servletRequest, servletResponse, filterChain);
}