Example 31 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

The class AuthenticationEndpointTest, method mockUser.

private void mockUser(String username, String password, String realm) throws SecurityServiceException {
    // Build a mock Subject whose principal collection yields exactly one SecurityAssertion
    Subject subject = mock(Subject.class);
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    SecurityToken securityToken = mock(SecurityToken.class);
    when(securityAssertion.getSecurityToken()).thenReturn(securityToken);
    PrincipalCollection collection = mock(PrincipalCollection.class);
    // The iterator reports one element and then stops, so the endpoint's principal loop runs once
    Iterator iter = mock(Iterator.class);
    when(iter.hasNext()).thenReturn(true, false);
    when(iter.next()).thenReturn(securityAssertion);
    when(collection.iterator()).thenReturn(iter);
    when(subject.getPrincipals()).thenReturn(collection);
    // Only a username/password/realm token matching this user authenticates against the mock SecurityManager;
    // any other credentials get the mock's default (null) Subject
    UPAuthenticationToken token = new UPAuthenticationToken(username, password, realm);
    when(securityManager.getSubject(argThat(new UsernamePasswordTokenMatcher(token)))).thenReturn(subject);
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), Iterator (java.util.Iterator), UPAuthenticationToken (org.codice.ddf.security.handler.api.UPAuthenticationToken), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject)

Example 32 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

The class AuthenticationEndpoint, method login.

@POST
public Response login(@Context HttpServletRequest request, @FormParam("username") String username, @FormParam("password") String password, @FormParam("prevurl") String prevurl) throws SecurityServiceException {
    // Make sure we're using HTTPS: credentials are only accepted over TLS
    if (!request.isSecure()) {
        throw new IllegalArgumentException("Authentication request must use TLS.");
    }
    // Discard any session that already exists before authenticating, so the
    // authenticated token is never stored under a session id that predates the login
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // Get the realm from the previous url: the context policy for that path decides it,
    // with the default realm as the fallback when no policy matches
    String realm = BaseAuthenticationToken.DEFAULT_REALM;
    ContextPolicy policy = contextPolicyManager.getContextPolicy(prevurl);
    if (policy != null) {
        realm = policy.getRealm();
    }
    // Create an authentication token
    UPAuthenticationToken authenticationToken = new UPAuthenticationToken(username, password, realm);
    // Authenticate
    Subject subject = securityManager.getSubject(authenticationToken);
    if (subject == null) {
        throw new SecurityServiceException("Authentication failed");
    }
    // Copy each SecurityAssertion's token out of the Subject into a fresh session, keyed by
    // realm, so later requests can present it without re-authenticating
    for (Object principal : subject.getPrincipals()) {
        if (principal instanceof SecurityAssertion) {
            SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
            if (securityToken == null) {
                LOGGER.debug("Cannot add null security token to session");
                continue;
            }
            // Create a session and add the security token
            session = sessionFactory.getOrCreateSession(request);
            SecurityTokenHolder holder = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
            holder.addSecurityToken(realm, securityToken);
        }
    }
    // Redirect to the previous url; replacePath keeps the scheme and host of this
    // service's base URI, so only the path component comes from the caller
    URI redirect = uriInfo.getBaseUriBuilder().replacePath(prevurl).build();
    return Response.seeOther(redirect).build();
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), SecurityServiceException (ddf.security.service.SecurityServiceException), SecurityTokenHolder (ddf.security.common.SecurityTokenHolder), HttpSession (javax.servlet.http.HttpSession), UPAuthenticationToken (org.codice.ddf.security.handler.api.UPAuthenticationToken), SecurityAssertion (ddf.security.assertion.SecurityAssertion), URI (java.net.URI), ContextPolicy (org.codice.ddf.security.policy.context.ContextPolicy), Subject (ddf.security.Subject), POST (javax.ws.rs.POST)

Example 33 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

The class SubjectUtilsTest, method getSubjectWithAttributes.

private Subject getSubjectWithAttributes(Map<String, List<String>> attributes) {
    // Mock a Subject carrying one SecurityAssertion with a single AttributeStatement
    // built from the supplied name -> values map
    Subject subject = mock(Subject.class);
    PrincipalCollection pc = mock(PrincipalCollection.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    AttributeStatement as = mock(AttributeStatement.class);
    List<Attribute> attrs = attributes.entrySet().stream().map(this::getAttribute).collect(Collectors.toList());
    doReturn(pc).when(subject).getPrincipals();
    // Both lookup styles used by SubjectUtils (oneByType and byType) must return the same assertion
    doReturn(assertion).when(pc).oneByType(SecurityAssertion.class);
    doReturn(ImmutableList.of(assertion)).when(pc).byType(SecurityAssertion.class);
    doReturn(Collections.singletonList(as)).when(assertion).getAttributeStatements();
    doReturn(attrs).when(as).getAttributes();
    return subject;
}
Also used: Attribute (org.opensaml.saml.saml2.core.Attribute), AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection), SecurityAssertion (ddf.security.assertion.SecurityAssertion)

Example 34 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

The class RestSecurity, method createSamlHeader.

/**
 * Creates an authorization header to be returned to the browser if the token was successfully
 * exchanged for a SAML assertion
 *
 * @param subject - {@link ddf.security.Subject} to create the header from
 * @return the prefixed, deflated, Base64-encoded assertion, or null when the subject carries
 *         no usable SAML token or the assertion cannot be serialized
 */
private static String createSamlHeader(Subject subject) {
    String encodedSamlHeader = null;
    org.w3c.dom.Element samlToken = null;
    try {
        // If the Subject carries several assertions, the last one in principal order wins
        for (Object principal : subject.getPrincipals().asList()) {
            if (principal instanceof SecurityAssertion) {
                SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
                // Guard added here: an assertion without a token (the case AuthenticationEndpoint.login
                // skips) would otherwise raise a NullPointerException that the catch below does not handle
                if (securityToken != null) {
                    samlToken = securityToken.getToken();
                }
            }
        }
        if (samlToken != null) {
            // Serialize the DOM assertion, then DEFLATE and Base64-encode it into a header-safe string
            SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlToken);
            String saml = assertion.assertionToString();
            encodedSamlHeader = SAML_HEADER_PREFIX + deflateAndBase64Encode(saml);
        }
    } catch (WSSecurityException | ArithmeticException | IOException e) {
        LOGGER.info("Unable to parse SAML assertion from subject.", e);
    }
    return encodedSamlHeader;
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper), WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException), IOException (java.io.IOException), SecurityAssertion (ddf.security.assertion.SecurityAssertion)
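createSamlHeader above turns the serialized assertion into a header value by deflating it and Base64-encoding the result. The Python below is an added example, not DDF code: it reproduces that encoding and, more usefully, the inverse that a receiving service has to perform, with the check a practitioner wants on the inbound side, a hard cap on the inflated size before any XML parser sees the payload. It assumes raw DEFLATE (RFC 1951, as the SAML HTTP-Redirect binding uses) and the prefix "SAML "; the page only shows the constant name SAML_HEADER_PREFIX, and DDF's actual prefix and compression parameters are not on the page. The sample assertion and the bomb input are constructed.

```python
"""DEFLATE + Base64 encoding of a SAML assertion for an HTTP header, and the
receiver-side decode with an inflate-size cap.

Added example, not DDF code.  Assumptions (none are stated on the page):
  * raw DEFLATE (RFC 1951), as in the SAML HTTP-Redirect binding;
  * the header prefix "SAML " (the page only names SAML_HEADER_PREFIX);
  * the sample assertion below is constructed and is not a real token.
"""
import base64
import zlib

SAML_HEADER_PREFIX = "SAML "        # assumed prefix
MAX_INFLATED_BYTES = 64 * 1024      # a real assertion is a few KB; cap well above that

# Constructed sample assertion: only its shape matters for the round trip.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0">'
    '<saml2:Issuer>https://idp.example.org</saml2:Issuer>'
    '<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
    '</saml2:Assertion>'
)


class SamlHeaderError(ValueError):
    """Raised for any header the receiver refuses; the message says why."""


def deflate_and_base64_encode(xml: str) -> str:
    """Raw DEFLATE (wbits=-15 means no zlib header/trailer), then standard Base64."""
    comp = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def create_saml_header(xml: str) -> str:
    """Sender side: the value createSamlHeader hands back to the browser."""
    return SAML_HEADER_PREFIX + deflate_and_base64_encode(xml)


def parse_saml_header(header: str, max_bytes: int = MAX_INFLATED_BYTES) -> str:
    """Receiver side: prefix check, strict Base64, bounded inflate.

    decompress(data, max_length) stops producing output at max_bytes.  Input left
    in unconsumed_tail, or a stream that has not reached eof, means the payload
    would be larger than allowed (or is truncated), so it is refused instead of
    being handed to an XML parser.
    """
    if not header.startswith(SAML_HEADER_PREFIX):
        raise SamlHeaderError("missing header prefix")
    try:
        raw = base64.b64decode(header[len(SAML_HEADER_PREFIX):], validate=True)
    except ValueError as e:          # binascii.Error is a ValueError subclass
        raise SamlHeaderError("invalid base64") from e
    dec = zlib.decompressobj(-15)
    try:
        out = dec.decompress(raw, max_bytes)
    except zlib.error as e:
        raise SamlHeaderError("invalid deflate stream") from e
    if dec.unconsumed_tail or not dec.eof:
        raise SamlHeaderError(f"inflated payload exceeds {max_bytes} bytes or is truncated")
    if dec.unused_data:
        raise SamlHeaderError("trailing bytes after deflate stream")
    try:
        return out.decode("utf-8")
    except UnicodeDecodeError as e:
        raise SamlHeaderError("payload is not UTF-8") from e


def make_bomb_header(inflated_size: int) -> str:
    """Constructed hostile input: a small header that inflates to inflated_size bytes."""
    return create_saml_header("\0" * inflated_size)


if __name__ == "__main__":
    hdr = create_saml_header(SAMPLE_ASSERTION)
    print(len(hdr), "byte header round-trips:", parse_saml_header(hdr) == SAMPLE_ASSERTION)
    bomb = make_bomb_header(8 * 1024 * 1024)
    try:
        parse_saml_header(bomb)
    except SamlHeaderError as e:
        print(len(bomb), "byte bomb refused:", e)
```

The order of the checks matters: prefix, Base64 validity and the bounded inflate all run before any XML is touched, so a malformed or hostile header is refused cheaply, and the size limit applies to the inflated output rather than to the (tiny) header string the caller controls.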

Example 35 with SecurityAssertion

Use of ddf.security.assertion.SecurityAssertion in project ddf by codice.

The class RestSecurityTest, method testNotSetSubjectOnClient.

@Test
public void testNotSetSubjectOnClient() throws Exception {
    // Real SAML assertion loaded from a test resource, wrapped in a fresh SecurityToken
    Element samlToken = readDocument("/saml.xml").getDocumentElement();
    Subject subject = mock(Subject.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = new SecurityToken(UUID.randomUUID().toString(), samlToken, new Date(), new Date());
    when(assertion.getSecurityToken()).thenReturn(token);
    when(subject.getPrincipals()).thenReturn(new SimplePrincipalCollection(assertion, "sts"));
    // Plain-http client: the test expects no authorization header to be attached to it
    WebClient client = WebClient.create("http://example.org");
    RestSecurity.setSubjectOnClient(subject, client);
    assertNull(client.getHeaders().get(RestSecurity.AUTH_HEADER));
}
Also used: SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), Element (org.w3c.dom.Element), SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection), SecurityAssertion (ddf.security.assertion.SecurityAssertion), WebClient (org.apache.cxf.jaxrs.client.WebClient), Subject (ddf.security.Subject), Date (java.util.Date), Test (org.junit.Test)
