Example 21 with SecurityManager

Use of ddf.security.service.SecurityManager in project ddf by codice.

The class IdpEndpointTest, method testPassiveLoginPkiUnsupportedPost.

@Test
public void testPassiveLoginPkiUnsupportedPost() throws SecurityServiceException, WSSecurityException, CertificateEncodingException, IOException {
    String samlRequest = authNRequestPassivePkiPost;
    HttpServletRequest request = mock(HttpServletRequest.class);
    X509Certificate x509Certificate = mock(X509Certificate.class);
    Subject subject = mock(Subject.class);
    PrincipalCollection principalCollection = mock(PrincipalCollection.class);
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    SecurityToken securityToken = mock(SecurityToken.class);
    SecurityManager securityManager = mock(SecurityManager.class);
    when(subject.getPrincipals()).thenReturn(principalCollection);
    when(principalCollection.asList()).thenReturn(Collections.singletonList(securityAssertion));
    when(securityAssertion.getSecurityToken()).thenReturn(securityToken);
    // this mock element is what will cause the signature error
    when(securityToken.getToken()).thenReturn(mock(Element.class));
    when(securityManager.getSubject(anyObject())).thenReturn(subject);
    idpEndpoint.setSecurityManager(securityManager);
    idpEndpoint.setStrictSignature(false);
    when(request.isSecure()).thenReturn(true);
    when(request.getRequestURL()).thenReturn(requestURL);
    when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
    // dummy cert: 48 zero bytes stand in for the DER-encoded certificate
    when((X509Certificate[]) request.getAttribute(requestCertificateAttributeName)).thenReturn(new X509Certificate[] { x509Certificate });
    when(x509Certificate.getEncoded()).thenReturn(new byte[48]);
    Response response = idpEndpoint.showPostLogin(samlRequest, relayState, request);
    String responseStr = StringUtils.substringBetween(response.getEntity().toString(), "SAMLResponse\" value=\"", "\" />");
    responseStr = new String(Base64.getDecoder().decode(responseStr));
    // passive PKI login over POST is not supported, so the IdP must answer with a RequestUnsupported status
    assertThat(responseStr, containsString("status:RequestUnsupported"));
}
Also used: javax.servlet.http.HttpServletRequest, org.apache.cxf.ws.security.tokenstore.SecurityToken, javax.ws.rs.core.Response, ddf.security.service.SecurityManager, org.w3c.dom.Element, org.apache.shiro.subject.PrincipalCollection, org.hamcrest.Matchers.containsString, org.mockito.Matchers.anyString, ddf.security.assertion.SecurityAssertion, java.security.cert.X509Certificate, ddf.security.Subject, org.junit.Test

Example 22 with SecurityManager

Use of ddf.security.service.SecurityManager in project ddf by codice.

The class IdpEndpointTest, method testPassiveLoginPkiFail.

@Test
public void testPassiveLoginPkiFail() throws SecurityServiceException, WSSecurityException, CertificateEncodingException, IOException {
    String samlRequest = authNRequestPassivePkiGet;
    HttpServletRequest request = mock(HttpServletRequest.class);
    X509Certificate x509Certificate = mock(X509Certificate.class);
    SecurityManager securityManager = mock(SecurityManager.class);
    // the SecurityManager rejects every login attempt, simulating a failed PKI authentication
    when(securityManager.getSubject(anyObject())).thenThrow(new SecurityServiceException("test"));
    idpEndpoint.setSecurityManager(securityManager);
    idpEndpoint.setStrictSignature(false);
    when(request.isSecure()).thenReturn(true);
    when(request.getRequestURL()).thenReturn(requestURL);
    when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
    // dummy cert: 48 zero bytes stand in for the DER-encoded certificate
    when((X509Certificate[]) request.getAttribute(requestCertificateAttributeName)).thenReturn(new X509Certificate[] { x509Certificate });
    when(x509Certificate.getEncoded()).thenReturn(new byte[48]);
    Response response = idpEndpoint.showGetLogin(samlRequest, relayState, signatureAlgorithm, signature, request);
    String responseStr = StringUtils.substringBetween(response.getEntity().toString(), "SAMLResponse=", "&RelayState");
    responseStr = URLDecoder.decode(responseStr, "UTF-8");
    responseStr = RestSecurity.inflateBase64(responseStr);
    // the SecurityManager threw, so the IdP must answer with an AuthnFailed status
    assertThat(responseStr, containsString("status:AuthnFailed"));
}
Also used: javax.servlet.http.HttpServletRequest, javax.ws.rs.core.Response, ddf.security.service.SecurityServiceException, ddf.security.service.SecurityManager, org.hamcrest.Matchers.containsString, org.mockito.Matchers.anyString, java.security.cert.X509Certificate, org.junit.Test

Example 23 with SecurityManager

Use of ddf.security.service.SecurityManager in project ddf by codice.

The class AuthenticationEndpointTest, method setup.

@Before
public void setup() throws SecurityServiceException, URISyntaxException {
    // every request resolves to one mocked session that already carries a SAML assertion holder
    HttpSessionFactory sessionFactory = mock(HttpSessionFactory.class);
    HttpSession session = mock(HttpSession.class);
    when(session.getAttribute(SecurityConstants.SAML_ASSERTION)).thenReturn(mock(SecurityTokenHolder.class));
    when(sessionFactory.getOrCreateSession(any())).thenReturn(session);
    policyManager = mock(ContextPolicyManager.class);
    securityManager = mock(SecurityManager.class);
    authEndpoint = new AuthenticationEndpoint(policyManager, securityManager, sessionFactory);
    UriInfo uriInfo = mock(UriInfo.class);
    UriBuilder uriBuilder = mock(UriBuilder.class);
    when(uriInfo.getBaseUriBuilder()).thenReturn(uriBuilder);
    when(uriBuilder.replacePath(anyString())).thenReturn(uriBuilder);
    when(uriBuilder.build()).thenReturn(new URI(URL));
    authEndpoint.uriInfo = uriInfo;
    mockUser(USER_NAME, PASSWORD, REALM);
}
Also used: ddf.security.common.SecurityTokenHolder, ddf.security.service.SecurityManager, javax.servlet.http.HttpSession, ddf.security.http.impl.HttpSessionFactory, javax.ws.rs.core.UriBuilder, java.net.URI, javax.ws.rs.core.UriInfo, org.codice.ddf.security.policy.context.ContextPolicyManager, org.junit.Before

Example 24 with SecurityManager

Use of ddf.security.service.SecurityManager in project ddf by codice.

The class Security, method getSystemSubject.

/**
 * Gets the {@link Subject} associated with this system. Uses a cached subject until its token
 * is about to expire, since the subject will not otherwise change between calls.
 *
 * @return system's {@link Subject}, or null if the caller is not an admin or no certificate is available
 */
public synchronized Subject getSystemSubject() {
    // only a caller already running with the admin role may obtain the system subject
    if (!javaSubjectHasAdminRole()) {
        SecurityLogger.audit("Unable to retrieve system subject.");
        return null;
    }
    // reuse the cached subject while its token is still valid
    if (!tokenAboutToExpire(cachedSystemSubject)) {
        return cachedSystemSubject;
    }
    KeyStore keyStore = getSystemKeyStore();
    String alias = null;
    Certificate cert = null;
    try {
        if (keyStore != null) {
            if (keyStore.size() == 1) {
                alias = keyStore.aliases().nextElement();
            } else if (keyStore.size() > 1) {
                alias = getCertificateAlias();
            }
            cert = keyStore.getCertificate(alias);
        }
    } catch (KeyStoreException e) {
        LOGGER.warn("Unable to get certificate for alias [{}]", alias, e);
        return null;
    }
    if (cert == null) {
        LOGGER.warn("Unable to get certificate for alias [{}]", alias);
        return null;
    }
    // authenticate the system to itself with the keystore certificate as a PKI token
    PKIAuthenticationTokenFactory pkiTokenFactory = createPKITokenFactory();
    PKIAuthenticationToken pkiToken = pkiTokenFactory.getTokenFromCerts(new X509Certificate[] { (X509Certificate) cert }, PKIAuthenticationToken.DEFAULT_REALM);
    if (pkiToken != null) {
        SecurityManager securityManager = getSecurityManager();
        if (securityManager != null) {
            try {
                cachedSystemSubject = securityManager.getSubject(pkiToken);
            } catch (SecurityServiceException sse) {
                LOGGER.warn("Unable to request subject for system user.", sse);
            }
        }
    }
    return cachedSystemSubject;
}
Also used: org.codice.ddf.security.handler.api.PKIAuthenticationToken, ddf.security.service.SecurityServiceException, ddf.security.service.SecurityManager, org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory, java.security.KeyStoreException, java.security.KeyStore, java.security.cert.X509Certificate, java.security.cert.Certificate

Example 25 with SecurityManager

Use of ddf.security.service.SecurityManager in project ddf by codice.

The class Security, method getGuestSubject.

/**
 * Gets the guest {@link Subject} associated with the specified IP address. Uses a cached subject
 * when possible, since the subject will not change between calls.
 *
 * @param ipAddress client IP address the guest token is issued for
 * @return guest {@link Subject} for that address, or null if it could not be obtained
 */
public Subject getGuestSubject(String ipAddress) {
    Subject subject = null;
    // a guest token carries no credentials, only the realm and the requesting IP
    GuestAuthenticationToken token = new GuestAuthenticationToken(BaseAuthenticationToken.DEFAULT_REALM, ipAddress);
    LOGGER.debug("Getting new Guest user token for {}", ipAddress);
    try {
        SecurityManager securityManager = getSecurityManager();
        if (securityManager != null) {
            subject = securityManager.getSubject(token);
        }
    } catch (SecurityServiceException sse) {
        LOGGER.info("Unable to request subject for guest user.", sse);
    }
    return subject;
}
Also used: ddf.security.service.SecurityServiceException, org.codice.ddf.security.handler.api.GuestAuthenticationToken, ddf.security.service.SecurityManager, ddf.security.Subject
