Example 1 with SecurityTokenHolder

Use of ddf.security.common.SecurityTokenHolder in the project ddf by codice.

From the class SAMLAssertionHandlerTest, method testGetNormalizedTokenFromSession:

@Test
public void testGetNormalizedTokenFromSession() throws Exception {
    SAMLAssertionHandler handler = new SAMLAssertionHandler();
    HttpServletRequest request = mock(HttpServletRequest.class);
    HttpServletResponse response = mock(HttpServletResponse.class);
    FilterChain chain = mock(FilterChain.class);
    // No cookies on the request: the handler must fall back to the existing session
    when(request.getCookies()).thenReturn(null);
    HttpSession session = mock(HttpSession.class);
    // getSession(false) returns the existing session without creating a new one
    when(request.getSession(false)).thenReturn(session);
    when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("foo");
    // The session carries a SecurityTokenHolder under the SAML_ASSERTION attribute,
    // keyed by realm; the handler looks up the token for the active realm "foo"
    SecurityTokenHolder tokenHolder = mock(SecurityTokenHolder.class);
    when(session.getAttribute(SecurityConstants.SAML_ASSERTION)).thenReturn(tokenHolder);
    SecurityToken securityToken = mock(SecurityToken.class);
    when(tokenHolder.getSecurityToken("foo")).thenReturn(securityToken);
    when(securityToken.getToken()).thenReturn(readDocument("/saml.xml").getDocumentElement());
    HandlerResult result = handler.getNormalizedToken(request, response, chain, true);
    assertNotNull(result);
    assertEquals(HandlerResult.Status.COMPLETED, result.getStatus());
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) HttpSession(javax.servlet.http.HttpSession) FilterChain(javax.servlet.FilterChain) HttpServletResponse(javax.servlet.http.HttpServletResponse) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) Test(org.junit.Test)

Example 2 with SecurityTokenHolder

Use of ddf.security.common.SecurityTokenHolder in the project ddf by codice.

From the class LogoutRequestService, method logout:

private void logout() {
    HttpSession session = sessionFactory.getOrCreateSession(request);
    SecurityTokenHolder tokenHolder =
            ((SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION));
    SecurityAssertion securityAssertion =
            new SecurityAssertionImpl(tokenHolder.getSecurityToken("idp"));
    // Audit the logout if the subject holds any of the configured audit roles.
    // Note: System.getProperty(...) returns null if "security.audit.roles" is unset,
    // which would make split(",") throw a NullPointerException.
    boolean hasSecurityAuditRole =
            Arrays.stream(System.getProperty("security.audit.roles").split(","))
                    .anyMatch(role -> securityAssertion.getPrincipals().contains(new RolePrincipal(role)));
    if (hasSecurityAuditRole) {
        SecurityLogger.audit("Subject with admin privileges has logged out: {}",
                securityAssertion.getPrincipal().getName());
    }
    // Drop only the "idp" realm's token; other realms' tokens stay in the holder
    tokenHolder.remove("idp");
}
Also used : SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) HttpSession(javax.servlet.http.HttpSession) SecurityAssertion(ddf.security.assertion.SecurityAssertion) RolePrincipal(org.apache.karaf.jaas.boot.principal.RolePrincipal) SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl)

Example 3 with SecurityTokenHolder

Use of ddf.security.common.SecurityTokenHolder in the project ddf by codice.

From the class LoginFilter, method addSecurityToken:

private void addSecurityToken(HttpSession session, String realm, SecurityToken token) {
    // The holder is expected to have been placed on the session already (see
    // HttpSessionFactory.getOrCreateSession); if it is absent this throws a NullPointerException
    SecurityTokenHolder holder = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
    holder.addSecurityToken(realm, token);
}
Also used : SecurityTokenHolder(ddf.security.common.SecurityTokenHolder)

Example 4 with SecurityTokenHolder

Use of ddf.security.common.SecurityTokenHolder in the project ddf by codice.

From the class HttpSessionFactory, method getOrCreateSession:

/**
 * Synchronized because Jetty's getSession method is not thread safe. Additionally,
 * ensures a SAML {@link SecurityTokenHolder} has been set on the
 * {@link SecurityConstants#SAML_ASSERTION} attribute.
 *
 * @param httpRequest the incoming request whose session is fetched or created
 * @return the existing or newly created session, always carrying a SecurityTokenHolder
 */
@Override
public synchronized HttpSession getOrCreateSession(HttpServletRequest httpRequest) {
    // getSession(true) creates a new session if the request has none
    HttpSession session = httpRequest.getSession(true);
    if (session.getAttribute(SecurityConstants.SAML_ASSERTION) == null) {
        session.setAttribute(SecurityConstants.SAML_ASSERTION, new SecurityTokenHolder());
        SecurityLogger.audit("Creating a new session with id {} for client {}.",
                session.getId(), httpRequest.getRemoteAddr());
    }
    return session;
}
Also used : SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) HttpSession(javax.servlet.http.HttpSession)

Example 5 with SecurityTokenHolder

Use of ddf.security.common.SecurityTokenHolder in the project ddf by codice.

From the class LocalLogoutServlet, method doGet:

@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Prevent the logout response from being cached
    response.setHeader("Cache-Control", "no-cache, no-store");
    response.setHeader("Pragma", "no-cache");
    response.setContentType("text/html");
    URIBuilder redirectUrlBuilder = null;
    List<NameValuePair> params = new ArrayList<>();
    try {
        redirectUrlBuilder = new URIBuilder("/logout/logout-response.html");
        HttpSession session = request.getSession();
        if (session != null) {
            SecurityTokenHolder savedToken =
                    (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
            if (savedToken != null) {
                Subject subject = ThreadContext.getSubject();
                boolean hasSecurityAuditRole =
                        Arrays.stream(System.getProperty("security.audit.roles").split(","))
                                .anyMatch(subject::hasRole);
                if (hasSecurityAuditRole) {
                    SecurityLogger.audit("Subject with admin privileges has logged out", subject);
                }
                // Remove the tokens for every realm, not just one
                savedToken.removeAll();
            }
            // Invalidate the server-side session and clear the client's session cookie
            session.invalidate();
            deleteJSessionId(response);
        }
        // Check for PKI: a client certificate is cached by the browser, so the
        // session can only fully end once the browser is closed
        if (request.getAttribute("javax.servlet.request.X509Certificate") != null
                && ((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")).length > 0) {
            params.add(new BasicNameValuePair("msg", "Please close your browser to finish logging out"));
        }
        // Check for HTTP Basic auth: the browser keeps resending the credentials,
        // so the same advice applies
        Enumeration authHeaders = request.getHeaders(javax.ws.rs.core.HttpHeaders.AUTHORIZATION);
        while (authHeaders.hasMoreElements()) {
            if (((String) authHeaders.nextElement()).contains("Basic")) {
                params.add(new BasicNameValuePair("msg", "Please close your browser to finish logging out"));
                break;
            }
        }
        redirectUrlBuilder.addParameters(params);
        response.sendRedirect(redirectUrlBuilder.build().toString());
    } catch (URISyntaxException e) {
        LOGGER.debug("Invalid URI", e);
    }
}
Also used : BasicNameValuePair(org.apache.http.message.BasicNameValuePair) NameValuePair(org.apache.http.NameValuePair) Enumeration(java.util.Enumeration) HttpSession(javax.servlet.http.HttpSession) ArrayList(java.util.ArrayList) URISyntaxException(java.net.URISyntaxException) Subject(org.apache.shiro.subject.Subject) URIBuilder(org.apache.http.client.utils.URIBuilder) SecurityTokenHolder(ddf.security.common.SecurityTokenHolder) BasicNameValuePair(org.apache.http.message.BasicNameValuePair)

Aggregations (type, with the number of usages across the project)

SecurityTokenHolder (ddf.security.common.SecurityTokenHolder) 14
HttpSession (javax.servlet.http.HttpSession) 11
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken) 9
HttpServletRequest (javax.servlet.http.HttpServletRequest) 5
SecurityAssertion (ddf.security.assertion.SecurityAssertion) 4
SecurityAssertionImpl (ddf.security.assertion.impl.SecurityAssertionImpl) 4
Subject (ddf.security.Subject) 3
IOException (java.io.IOException) 3
HttpServletResponse (javax.servlet.http.HttpServletResponse) 3
Subject (org.apache.shiro.subject.Subject) 3
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult) 3
Test (org.junit.Test) 3
SessionFactory (ddf.security.http.SessionFactory) 2
SecurityManager (ddf.security.service.SecurityManager) 2
SecurityServiceException (ddf.security.service.SecurityServiceException) 2
ArrayList (java.util.ArrayList) 2
Enumeration (java.util.Enumeration) 2
HashMap (java.util.HashMap) 2
FilterChain (javax.servlet.FilterChain) 2
ServletException (javax.servlet.ServletException) 2