
Example 1 with SecurityAssertionImpl

use of ddf.security.assertion.impl.SecurityAssertionImpl in project ddf by codice.

From class LogoutRequestService, method logout.

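/**
 * Handles the logout of the current HTTP session's "idp" realm token.
 *
 * Emits an audit record when the departing subject holds at least one role listed
 * in the comma-separated {@code security.audit.roles} system property, then drops
 * the "idp" realm token from the session's {@link SecurityTokenHolder}. A session
 * without a token holder has nothing to log out and is left untouched.
 */
private void logout() {
    HttpSession session = sessionFactory.getOrCreateSession(request);
    SecurityTokenHolder tokenHolder =
            (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
    if (tokenHolder == null) {
        // No SAML state on this session (e.g. a logout request arriving for a session
        // that never authenticated); the unguarded cast-and-call would have thrown an NPE.
        return;
    }
    SecurityAssertion securityAssertion =
            new SecurityAssertionImpl(tokenHolder.getSecurityToken("idp"));
    if (holdsAuditedRole(securityAssertion)) {
        SecurityLogger.audit("Subject with admin privileges has logged out: {}",
                securityAssertion.getPrincipal().getName());
    }
    // The token is removed whether or not an audit entry was written.
    tokenHolder.remove("idp");
}

/**
 * Returns true when the assertion carries at least one role named in the
 * comma-separated {@code security.audit.roles} system property.
 *
 * An unset property yields false instead of the NullPointerException the
 * original inline {@code split} produced; role names are matched exactly
 * (no trimming), as before.
 */
private static boolean holdsAuditedRole(SecurityAssertion securityAssertion) {
    String auditRoles = System.getProperty("security.audit.roles");
    if (auditRoles == null) {
        return false;
    }
    return Arrays.stream(auditRoles.split(","))
            .map(RolePrincipal::new)
            .anyMatch(role -> securityAssertion.getPrincipals().contains(role));
}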

Example 2 with SecurityAssertionImpl

use of ddf.security.assertion.impl.SecurityAssertionImpl in project ddf by codice.

From class LoginFilter, method addSamlToSession.

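/**
 * Adds a SAML assertion to the HTTP session under the given realm.
 *
 * The incoming token is stored only when {@link #getSecurityToken} finds no valid
 * token for {@code realm} on the session (that lookup also evicts a stored token
 * that is no longer valid, so an expired one is replaced). When a valid token is
 * already present it is kept and the incoming one is discarded. The audit entry and
 * the inactivity timeout are applied in both cases.
 *
 * @param httpRequest   the http request object for this request
 * @param realm         realm key under which the token is kept in the session's token holder
 * @param securityToken the SecurityToken object representing the SAML assertion; null is ignored
 */
private void addSamlToSession(HttpServletRequest httpRequest, String realm, SecurityToken securityToken) {
    if (securityToken == null) {
        LOGGER.debug("Cannot add null security token to session.");
        return;
    }
    // NOTE(review): no session-id rotation is visible at this authentication point;
    // confirm sessionFactory.getOrCreateSession protects against session fixation.
    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
    if (getSecurityToken(session, realm) == null) {
        addSecurityToken(session, realm, securityToken);
    }
    // NOTE(review): this audit line fires even when an existing session token was kept
    // and the incoming one discarded, and the principal it names comes from the incoming
    // token. It also writes the live session id to the audit log, which hands a usable
    // session identifier to anyone with log access; a hash or truncated id would suffice.
    SecurityAssertion securityAssertion = new SecurityAssertionImpl(securityToken);
    SecurityLogger.audit("Added SAML for user [{}] to session [{}]", securityAssertion.getPrincipal().getName(), session.getId());
    session.setMaxInactiveInterval(inactiveIntervalSeconds());
}

/**
 * Converts the configured expiration time (minutes) into the session inactivity
 * interval in seconds. A non-positive configuration value falls back to 60 seconds so
 * that a misconfiguration still yields an expiring session rather than a permanent one.
 */
private int inactiveIntervalSeconds() {
    int minutes = getExpirationTime();
    if (minutes > 0) {
        return minutes * 60;
    }
    return 60;
}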

Example 3 with SecurityAssertionImpl

use of ddf.security.assertion.impl.SecurityAssertionImpl in project ddf by codice.

From class SecurityAssertionStore, method getSecurityAssertion.

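/**
 * Return the SecurityAssertion wrapper associated with the provided message.
 *
 * The SAML token principal is taken from the message's {@link SecurityContext} when
 * its user principal is one, otherwise from the WSS4J receive results. When a
 * principal is found, the matching {@link SecurityToken} is fetched from the message's
 * token store, created and cached there if absent, and wrapped. Every other case
 * (null message, no token store, no SAML principal) yields an empty assertion.
 *
 * @param message Message; may be null
 * @return SecurityAssertion, never null (an empty SecurityAssertionImpl when no SAML
 *         principal or token store is available)
 */
public static SecurityAssertion getSecurityAssertion(Message message) {
    if (message == null) {
        return new SecurityAssertionImpl();
    }
    TokenStore tokenStore = getTokenStore(message);
    SAMLTokenPrincipal principal = findSamlTokenPrincipal(message);
    if (tokenStore == null || principal == null) {
        return new SecurityAssertionImpl();
    }
    String id = principal.getId();
    SecurityToken token = tokenStore.getToken(id);
    if (token == null) {
        // NOTE(review): the cached token is keyed by the assertion id carried in the
        // principal. Nothing here re-checks the assertion's signature; it is assumed to
        // have been verified by the inbound WSS4J processing that produced the principal.
        token = toSecurityToken(id, principal.getToken());
        tokenStore.add(token);
    }
    return new SecurityAssertionImpl(token);
}

/**
 * Finds the SAMLTokenPrincipal for the message.
 *
 * Prefers the SecurityContext's user principal when it is a SAMLTokenPrincipal; otherwise
 * scans the WSS4J receive results. Returns null when neither yields one.
 *
 * When several WSHandlerResults each carry a SAMLTokenPrincipal, the one from the last
 * handler result wins (the first within that result) -- this mirrors the original scan,
 * which only broke out of the inner loop; presumably a single result is the normal case.
 */
private static SAMLTokenPrincipal findSamlTokenPrincipal(Message message) {
    SecurityContext context = message.get(SecurityContext.class);
    if (context != null) {
        Principal contextPrincipal = context.getUserPrincipal();
        if (contextPrincipal instanceof SAMLTokenPrincipal) {
            return (SAMLTokenPrincipal) contextPrincipal;
        }
    }
    List<?> wsResults = List.class.cast(message.get(WSHandlerConstants.RECV_RESULTS));
    if (wsResults == null) {
        return null;
    }
    SAMLTokenPrincipal found = null;
    for (Object wsResult : wsResults) {
        if (!(wsResult instanceof WSHandlerResult)) {
            continue;
        }
        for (WSSecurityEngineResult wsseResult : ((WSHandlerResult) wsResult).getResults()) {
            Object principalResult = wsseResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            if (principalResult instanceof SAMLTokenPrincipal) {
                found = (SAMLTokenPrincipal) principalResult;
                break;
            }
        }
    }
    return found;
}

/**
 * Builds a SecurityToken for an assertion that is not yet in the token store.
 *
 * The token's created/expiry instants come from the SAML 2 IssueInstant and
 * Conditions/NotOnOrAfter. When those are absent -- or the wrapper holds no SAML 2
 * assertion at all, in which case getSaml2() is null and the original code threw a
 * NullPointerException -- the token is given a one-minute lifetime from now, since
 * neither its age nor its intended lifetime is known. java.util.Date is kept because
 * the SecurityToken constructor takes it.
 */
private static SecurityToken toSecurityToken(String id, SamlAssertionWrapper wrapper) {
    if (wrapper.getSaml2() != null
            && wrapper.getSaml2().getIssueInstant() != null
            && wrapper.getSaml2().getConditions() != null
            && wrapper.getSaml2().getConditions().getNotOnOrAfter() != null) {
        return new SecurityToken(id, wrapper.getElement(),
                wrapper.getSaml2().getIssueInstant().toDate(),
                wrapper.getSaml2().getConditions().getNotOnOrAfter().toDate());
    }
    // This shouldn't happen unless someone sets up a third party STS with weird settings.
    Date now = new Date();
    return new SecurityToken(id, wrapper.getElement(), now,
            new Date(now.getTime() + TimeUnit.MINUTES.toMillis(1)));
}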

Example 4 with SecurityAssertionImpl

use of ddf.security.assertion.impl.SecurityAssertionImpl in project ddf by codice.

From class LoginFilter, method renewSecurityToken.

/**
 * Refreshes the session's SAML assertion shortly before it expires.
 *
 * Only assertions issued by this host are renewed. A foreign issuer, a missing expiry,
 * more than 60 seconds of remaining life, a null session, or a refresh failure all
 * return null, which callers presumably treat as "keep the current token". An
 * assertion that has already expired is rejected with InvalidSAMLReceivedException.
 * ServletException and WSSecurityException are declared but nothing in this body
 * throws them.
 *
 * @param session    the HTTP session whose token holder receives the renewed token
 * @param savedToken the SAML authentication token currently held for the session
 * @return a new SAMLAuthenticationToken wrapping the refreshed assertion, or null
 *         when no renewal took place
 * @throws InvalidSAMLReceivedException when the saved assertion's NotOnOrAfter has passed
 */
private SAMLAuthenticationToken renewSecurityToken(HttpSession session, SAMLAuthenticationToken savedToken) throws ServletException, WSSecurityException {
    if (session != null) {
        SecurityAssertion savedAssertion = new SecurityAssertionImpl(((SecurityToken) savedToken.getCredentials()));
        // Only assertions this server issued itself are renewed here; an assertion from any
        // other issuer is left alone (neither renewed nor rejected). An assertion with no
        // issuer at all passes this check.
        if (savedAssertion.getIssuer() != null && !savedAssertion.getIssuer().equals(SystemBaseUrl.getHost())) {
            return null;
        }
        // Without NotOnOrAfter there is no expiry to renew against.
        if (savedAssertion.getNotOnOrAfter() == null) {
            return null;
        }
        long afterMil = savedAssertion.getNotOnOrAfter().getTime();
        long timeoutMillis = (afterMil - System.currentTimeMillis());
        // Already expired: fail the request rather than silently renewing a dead assertion.
        if (timeoutMillis <= 0) {
            throw new InvalidSAMLReceivedException("SAML assertion has expired.");
        }
        // Renewal window: only the last 60 seconds of the assertion's life.
        if (timeoutMillis <= 60000) {
            // within 60 seconds
            try {
                LOGGER.debug("Attempting to refresh user's SAML assertion.");
                // Re-authenticates with the saved token; what the security manager does
                // with it (e.g. an STS renew call) is not visible here.
                Subject subject = securityManager.getSubject(savedToken);
                LOGGER.debug("Refresh of user assertion successful");
                // The first SecurityAssertion principal of the refreshed subject wins; its
                // token replaces the session token for the same realm and is returned.
                for (Object principal : subject.getPrincipals()) {
                    if (principal instanceof SecurityAssertion) {
                        SecurityToken token = ((SecurityAssertion) principal).getSecurityToken();
                        SAMLAuthenticationToken samlAuthenticationToken = new SAMLAuthenticationToken((java.security.Principal) savedToken.getPrincipal(), token, savedToken.getRealm());
                        if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("Setting session token - class: {}  classloader: {}", token.getClass().getName(), token.getClass().getClassLoader());
                        }
                        // NOTE(review): the session attribute is assumed to be present; a
                        // missing token holder would NPE here and land in the generic catch
                        // below, which invalidates the session.
                        ((SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION)).addSecurityToken(savedToken.getRealm(), token);
                        LOGGER.debug("Saved new user assertion to session.");
                        return samlAuthenticationToken;
                    }
                }
            } catch (SecurityServiceException e) {
                // A failed refresh ends the session (forced re-login); the error is not propagated.
                LOGGER.debug("Unable to refresh user's SAML assertion. User will log out prematurely.", e);
                session.invalidate();
            } catch (Exception e) {
                // Any other failure is also turned into a session invalidation rather than surfaced.
                LOGGER.info("Unhandled exception occurred.", e);
                session.invalidate();
            }
        }
    }
    return null;
}

Example 5 with SecurityAssertionImpl

use of ddf.security.assertion.impl.SecurityAssertionImpl in project ddf by codice.

From class LoginFilter, method getSecurityToken.

/**
 * Looks up the SAML security token stored on the session for {@code realm}.
 *
 * Returns null when the session has no token holder, when the holder has no token for
 * the realm, or when the stored token is no longer valid -- in the last case the stale
 * token is also evicted from the holder so that a caller can store a fresh one.
 *
 * @param session the HTTP session to inspect
 * @param realm   realm key of the token within the session's token holder
 * @return the stored, presently valid token, or null
 */
private SecurityToken getSecurityToken(HttpSession session, String realm) {
    Object holderAttribute = session.getAttribute(SecurityConstants.SAML_ASSERTION);
    if (holderAttribute == null) {
        LOGGER.debug("Security token holder missing from session. New session created improperly.");
        return null;
    }
    SecurityTokenHolder holder = (SecurityTokenHolder) holderAttribute;
    SecurityToken realmToken = holder.getSecurityToken(realm);
    if (realmToken == null) {
        return null;
    }
    // NOTE(review): isPresentlyValid() is assumed to check the assertion's time
    // conditions only; signature trust is not re-established on this path.
    if (new SecurityAssertionImpl(realmToken).isPresentlyValid()) {
        return realmToken;
    }
    LOGGER.debug("Session SAML token is invalid.  Removing from session.");
    holder.remove(realm);
    return null;
}
