Examples with PrincipalHolder ddf.security.common.PrincipalHolder used on opensource projects

Example 6 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class SessionManagementServiceImpl method getExpiry.

@Override
public String getExpiry(HttpServletRequest request) {
    long timeLeft = 0;
    if (sessionFactory == null) {
        return Long.toString(timeLeft);
    }
    HttpSession session = sessionFactory.getOrCreateSession(request);
    if (session == null) {
        return Long.toString(timeLeft);
    }
    Object principalHolder = session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    if (!(principalHolder instanceof PrincipalHolder)) {
        return Long.toString(timeLeft);
    }
    timeLeft = session.getMaxInactiveInterval() * 1000L;
    return Long.toString(timeLeft);
}

Example 7 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class WebSSOFilter method checkForPreviousResultOnSession.

private HandlerResult checkForPreviousResultOnSession(HttpServletRequest httpRequest, String ip) {
    String requestedSessionId = httpRequest.getRequestedSessionId();
    if (requestedSessionId == null) {
        LOGGER.trace("No HTTP Session - returning with no results");
        return null;
    }
    HttpSession session = httpRequest.getSession(false);
    if (session == null) {
        // has not yet been created for them.
        if (sessionFactory == null) {
            throw new SessionException("Unable to verify user's session.");
        }
        session = sessionFactory.getOrCreateSession(httpRequest);
    }
    // See if principals exist for the requested session id
    HandlerResult result = null;
    PrincipalHolder principalHolder = (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    if (principalHolder != null && principalHolder.getPrincipals() != null) {
        Collection<SecurityAssertion> assertions = principalHolder.getPrincipals().byType(SecurityAssertion.class);
        SessionToken sessionToken = null;
        if (!assertions.isEmpty()) {
            sessionToken = new SessionToken(principalHolder.getPrincipals(), session.getId(), ip);
        }
        if (sessionToken != null) {
            result = new HandlerResultImpl();
            result.setToken(sessionToken);
            result.setStatus(HandlerResult.Status.COMPLETED);
        } else {
            principalHolder.remove();
        }
    } else {
        securityLogger.audit("Request contained invalid or expired session id [{}]", Hashing.sha256().hashString(requestedSessionId, StandardCharsets.UTF_8).toString());
        LOGGER.trace("Request contained invalid or expired session - returning with no results");
    }
    return result;
}

Example 8 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class OidcLogoutActionProviderTest method setup.

@Before
public void setup() {
    oidcLogoutActionBuilder = mock(OidcLogoutActionBuilder.class);
    OidcHandlerConfiguration handlerConfiguration = mock(OidcHandlerConfiguration.class);
    when(handlerConfiguration.getOidcLogoutActionBuilder()).thenReturn(oidcLogoutActionBuilder);
    oidcLogoutActionProvider = new OidcLogoutActionProvider(handlerConfiguration);
    oidcLogoutActionProvider.setSubjectOperations(new SubjectUtils());
    request = mock(HttpServletRequest.class);
    response = mock(HttpServletResponse.class);
    subject = mock(Subject.class);
    HttpSession session = mock(HttpSession.class);
    PrincipalHolder principalHolderMock = mock(PrincipalHolder.class);
    SimplePrincipalCollection principalCollection = new SimplePrincipalCollection();
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    OidcProfile profile = mock(OidcProfile.class);
    when(securityAssertion.getToken()).thenReturn(profile);
    when(securityAssertion.getTokenType()).thenReturn(SecurityAssertionJwt.JWT_TOKEN_TYPE);
    when(subject.getPrincipals()).thenReturn(principalCollection);
    when(principalHolderMock.getPrincipals()).thenReturn(principalCollection);
    principalCollection.add(securityAssertion, "oidc");
    when(session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
    when(request.getSession(false)).thenReturn(session);
}

Example 9 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class LoginFilterTest method testValidReference.

@Test
public void testValidReference() throws Exception {
    HandlerResult result = new HandlerResultImpl(HandlerResult.Status.COMPLETED, referenceTokenMock);
    when(requestMock.getAttribute(AUTHENTICATION_TOKEN_KEY)).thenReturn(result);
    PrincipalHolder principalHolder = new PrincipalHolder();
    principalHolder.setPrincipals(principalCollectionMock);
    when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolder);
    when(securityManagerMock.getSubject(referenceTokenMock)).thenReturn(subject);
    loginFilter.doFilter(requestMock, responseMock, filterChainMock);
    verify(filterChainMock, times(1)).doFilter(any(), any());
}

Example 10 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class WebSSOFilterTest method testDoFilterSessionStorageDisabled.

@Test
public void testDoFilterSessionStorageDisabled() throws Exception {
    PrincipalCollection principalCollectionMock = mock(PrincipalCollection.class);
    PrincipalHolder principalHolderMock = mock(PrincipalHolder.class);
    when(principalHolderMock.getPrincipals()).thenReturn(principalCollectionMock);
    HttpSession sessionMock = mock(HttpSession.class);
    when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolderMock);
    HttpServletRequest requestMock = mock(HttpServletRequest.class);
    when(requestMock.getSession(any(Boolean.class))).thenReturn(sessionMock);
    when(requestMock.getRequestURI()).thenReturn(MOCK_CONTEXT);
    HttpServletResponse responseMock = mock(HttpServletResponse.class);
    ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
    when(policyManager.getSessionAccess()).thenReturn(false);
    when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
    ContextPolicy testPolicy = mock(ContextPolicy.class);
    when(testPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
    when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(testPolicy);
    AuthenticationHandler handlerMock = mock(AuthenticationHandler.class);
    when(handlerMock.getAuthenticationType()).thenReturn("basic");
    HandlerResult completedResult = mock(HandlerResult.class);
    when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
    when(completedResult.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
    when(handlerMock.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(SecurityFilterChain.class), anyBoolean())).thenReturn(completedResult);
    SecurityFilterChain filterChain = mock(SecurityFilterChain.class);
    WebSSOFilter filter = new WebSSOFilter();
    filter.setContextPolicyManager(policyManager);
    filter.setHandlerList(Collections.singletonList(handlerMock));
    filter.doFilter(requestMock, responseMock, filterChain);
    verify(sessionMock, times(0)).getAttribute(SECURITY_TOKEN_KEY);
    verify(handlerMock, times(1)).getNormalizedToken(any(), any(), any(), anyBoolean());
    verify(requestMock, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}