
Example 11 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class HttpSessionFactory method getOrCreateSession.

/**
 * Returns the HTTP session for {@code httpRequest}, creating one if neither the request cache
 * nor the servlet container has one yet, and makes sure the session carries a SAML
 * {@link PrincipalHolder} under {@link SecurityConstants#SECURITY_TOKEN_KEY}.
 *
 * <p>The method is {@code synchronized} because Jetty's {@code getSession} is not thread safe.
 * When the holder is first installed, the session's inactivity timeout is set from
 * {@code expirationTime} (minutes) and an audit entry is written; the session id is logged only
 * as a SHA-256 digest so the audit trail never contains a usable session identifier.
 *
 * @param httpRequest request whose session is wanted; never {@code null}
 * @return the existing or newly created session, guaranteed to hold a {@link PrincipalHolder}
 * @throws ArithmeticException if {@code expirationTime} in seconds does not fit in an {@code int}
 */
@Override
public synchronized HttpSession getOrCreateSession(HttpServletRequest httpRequest) {
    HttpSession session = getCachedSession(httpRequest);
    if (session == null) {
        session = httpRequest.getSession(true);
    }

    // A session that already carries the holder has been fully initialised: nothing to do.
    if (session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY) != null) {
        return session;
    }

    // expirationTime is in minutes; the servlet API wants whole seconds.
    int inactiveSeconds = Math.toIntExact(TimeUnit.MINUTES.toSeconds(expirationTime));
    session.setMaxInactiveInterval(inactiveSeconds);
    session.setAttribute(SecurityConstants.SECURITY_TOKEN_KEY, new PrincipalHolder());

    // Hash the id before logging so the audit log cannot be used to hijack the session.
    String hashedSessionId =
        Hashing.sha256().hashString(session.getId(), StandardCharsets.UTF_8).toString();
    securityLogger.audit(
        "Creating a new session with id {} for client {}.",
        hashedSessionId,
        httpRequest.getRemoteAddr());
    return session;
}

Example 12 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class LocalLogoutServlet method invalidateSession.

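/**
 * Ends the caller's HTTP session on logout: audits the logout, clears the principals held in
 * the session, drops any tokens cached under the session id, invalidates the container session
 * and expires the JSESSIONID cookie on the response.
 *
 * @param request request whose existing session (if any) is being ended
 * @param response response on which the session cookie is cleared
 */
private void invalidateSession(HttpServletRequest request, HttpServletResponse response) {
    // getSession() never returns null - it creates a brand-new session on demand, which would
    // then be invalidated straight away. Asking for an existing session only (create=false)
    // avoids that throwaway session and makes the null check below meaningful.
    HttpSession session = request.getSession(false);
    if (session != null) {
        PrincipalHolder principalHolder =
            (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
        if (principalHolder != null && principalHolder.getPrincipals() != null) {
            securityLogger.audit("Subject {} logged out", getSubjectName(principalHolder.getPrincipals()));
            principalHolder.remove();
        }
        removeTokens(session.getId());
        session.invalidate();
    }
    // Always clear the cookie, as before, so a stale client-side id is not presented again.
    deleteJSessionId(response);
}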

Example 13 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class LoginFilterTest method setup.

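/**
 * Builds the fixture shared by every test: a {@link PrincipalHolder} backed by an empty
 * principal collection, a {@link LoginFilter} wired to mocked collaborators, and stubs so that
 * the "good" authentication token resolves to a subject while the "bad" one resolves to null.
 *
 * @throws Exception propagated from {@code LoginFilter#init()}
 */
@Before
public void setup() throws Exception {
    MockitoAnnotations.initMocks(this);
    SimplePrincipalCollection principalCollection = new SimplePrincipalCollection();
    principalHolder = new PrincipalHolder();
    principalHolder.setPrincipals(principalCollection);

    loginFilter = new LoginFilter();
    loginFilter.setSecurityManager(securityManagerMock);
    loginFilter.setSessionFactory(sessionFactory);
    loginFilter.setContextPolicyManager(contextPolicyManager);
    loginFilter.init();

    subject = new SubjectImpl(principalCollectionMock, true, null, mock(org.apache.shiro.mgt.SecurityManager.class));
    when(securityAssertionMock.getToken()).thenReturn(goodSecurityTokenMock);
    when(principalCollectionMock.byType(SecurityAssertion.class)).thenReturn(Collections.singletonList(securityAssertionMock));
    when(principalCollectionMock.asList()).thenReturn(Collections.singletonList(goodSecurityTokenMock));
    when(securityManagerMock.getSubject(goodAuthenticationTokenMock)).thenReturn(subject);
    when(securityManagerMock.getSubject(badAuthenticationTokenMock)).thenReturn(null);

    // Session stubs: every path that asks for a session gets the same mock, which already
    // carries the principal holder under SECURITY_TOKEN_KEY. (Each stub is declared once; the
    // original fixture repeated the last two.)
    when(sessionMock.getId()).thenReturn("sessionId");
    when(requestMock.getSession(any(boolean.class))).thenReturn(sessionMock);
    when(sessionFactory.getOrCreateSession(any())).thenReturn(sessionMock);
    when(sessionMock.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(principalHolder);
    when(contextPolicyManager.getSessionAccess()).thenReturn(true);
}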

Example 14 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class WebSSOFilterTest method testDoFilterGetResultFromSession.

/**
 * Verifies that when the session already holds a {@link PrincipalHolder} with principals, the
 * filter takes the authentication result from the session instead of consulting the handler:
 * the session attribute is read once, no handler is asked for a token, and the request gets the
 * authentication token attribute set.
 *
 * @throws Exception propagated from {@code WebSSOFilter#doFilter}
 */
@Test
public void testDoFilterGetResultFromSession() throws Exception {
    // --- session already authenticated ---
    PrincipalCollection storedPrincipals = mock(PrincipalCollection.class);
    when(storedPrincipals.byType(any())).thenReturn(Collections.singletonList("principal"));
    PrincipalHolder storedHolder = mock(PrincipalHolder.class);
    when(storedHolder.getPrincipals()).thenReturn(storedPrincipals);
    HttpSession session = mock(HttpSession.class);
    when(session.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(storedHolder);

    // --- request / response ---
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getSession(any(Boolean.class))).thenReturn(session);
    when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
    when(request.getRequestedSessionId()).thenReturn("JSESSIONID");
    HttpServletResponse response = mock(HttpServletResponse.class);

    // --- context policy: sessions allowed, context not whitelisted, "basic" auth method ---
    ContextPolicy basicPolicy = mock(ContextPolicy.class);
    when(basicPolicy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
    ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
    when(policyManager.getSessionAccess()).thenReturn(true);
    when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
    when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(basicPolicy);

    // --- a handler that would complete authentication if it were consulted ---
    HandlerResult completed = mock(HandlerResult.class);
    when(completed.getStatus()).thenReturn(Status.COMPLETED);
    when(completed.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
    AuthenticationHandler basicHandler = mock(AuthenticationHandler.class);
    when(basicHandler.getAuthenticationType()).thenReturn("basic");
    when(basicHandler.getNormalizedToken(
            any(ServletRequest.class),
            any(ServletResponse.class),
            any(SecurityFilterChain.class),
            anyBoolean()))
        .thenReturn(completed);

    // --- exercise ---
    SecurityFilterChain chain = mock(SecurityFilterChain.class);
    WebSSOFilter filter = new WebSSOFilter();
    filter.setContextPolicyManager(policyManager);
    filter.setHandlerList(Collections.singletonList(basicHandler));
    filter.doFilter(request, response, chain);

    // --- the session result is used and the handler is bypassed ---
    verify(session, times(1)).getAttribute(SECURITY_TOKEN_KEY);
    verify(basicHandler, times(0)).getNormalizedToken(any(), any(), any(), anyBoolean());
    verify(request, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}

Example 15 with PrincipalHolder

use of ddf.security.common.PrincipalHolder in project ddf by codice.

the class LoginFilter method addToSession.

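/**
 * Attaches a subject to the HttpSession associated with an HttpRequest. If a session does not
 * already exist, one will be created. The session's {@link PrincipalHolder} (stored under
 * {@link SecurityConstants#SECURITY_TOKEN_KEY}) is updated only when the subject's principals
 * differ from the ones already held.
 *
 * <p>NOTE(review): the existing session and its id are reused when a new subject is attached;
 * confirm that session id rotation on authentication is handled elsewhere (session fixation).
 *
 * @param httpRequest HttpRequest associated with an HttpSession to attach the Subject to
 * @param subject Subject to attach to request; its principals must be non-null
 * @throws NullPointerException if {@code subject.getPrincipals()} is {@code null}
 */
private void addToSession(HttpServletRequest httpRequest, Subject subject) {
    HttpSession session = getSession(httpRequest);
    PrincipalCollection principals = subject.getPrincipals();
    PrincipalHolder principalHolder =
        (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    if (principalHolder == null) {
        // The session factory normally seeds this attribute; tolerate a session that lacks it
        // instead of failing with a NullPointerException on the dereference below.
        principalHolder = new PrincipalHolder();
        session.setAttribute(SecurityConstants.SECURITY_TOKEN_KEY, principalHolder);
    }
    PrincipalCollection oldPrincipals = principalHolder.getPrincipals();
    // Only overwrite the holder when the subject actually changed.
    if (!principals.equals(oldPrincipals)) {
        principalHolder.setPrincipals(principals);
    }
}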
