Example 21 with SecurityServiceException
use of ddf.security.service.SecurityServiceException in project ddf by codice.
the class ExportCommandTest method testExecuteWhenSecurityExceptionIsThrown.
@Test
public void testExecuteWhenSecurityExceptionIsThrown() throws Exception {
// Setup
when(security.runWithSubjectOrElevate(any(Callable.class))).thenThrow(new SecurityServiceException(INSUFFICIENT_PRIVILEGES_MESSAGE));
ExportCommand exportCommand = new ExportCommandUnderTest(mockConfigurationMigrationService, mockDefaultExportDirectory);
// Perform Test
exportCommand.execute();
// Verify
assertErrorMessage(INSUFFICIENT_PRIVILEGES_MESSAGE);
}
Also used :
SecurityServiceException(ddf.security.service.SecurityServiceException)
Callable(java.util.concurrent.Callable)
Test(org.junit.Test)
Example 22 with SecurityServiceException
use of ddf.security.service.SecurityServiceException in project ddf by codice.
the class IdpEndpoint method processLogin.
@GET
@Path("/login/sso")
public Response processLogin(@QueryParam(SAML_REQ) String samlRequest, @QueryParam(RELAY_STATE) String relayState, @QueryParam(AUTH_METHOD) String authMethod, @QueryParam(SSOConstants.SIG_ALG) String signatureAlgorithm, @QueryParam(SSOConstants.SIGNATURE) String signature, @QueryParam(ORIGINAL_BINDING) String originalBinding, @Context HttpServletRequest request) {
LOGGER.debug("Processing login request: [ authMethod {} ], [ sigAlg {} ], [ relayState {} ]", authMethod, signatureAlgorithm, relayState);
try {
Binding binding;
String template;
if (!request.isSecure()) {
throw new IllegalArgumentException("Authn Request must use TLS.");
}
//the authn request is always encoded as if it came in via redirect when coming from the web app
Binding redirectBinding = new RedirectBinding(systemCrypto, serviceProviders);
AuthnRequest authnRequest = redirectBinding.decoder().decodeRequest(samlRequest);
String assertionConsumerServiceBinding = ResponseCreator.getAssertionConsumerServiceBinding(authnRequest, serviceProviders);
if (HTTP_POST_BINDING.equals(originalBinding)) {
binding = new PostBinding(systemCrypto, serviceProviders);
template = submitForm;
} else if (HTTP_REDIRECT_BINDING.equals(originalBinding)) {
binding = redirectBinding;
template = redirectPage;
} else {
throw new IdpException(new UnsupportedOperationException("Must use HTTP POST or Redirect bindings."));
}
binding.validator().validateAuthnRequest(authnRequest, samlRequest, relayState, signatureAlgorithm, signature, strictSignature);
if (HTTP_POST_BINDING.equals(assertionConsumerServiceBinding)) {
if (!(binding instanceof PostBinding)) {
binding = new PostBinding(systemCrypto, serviceProviders);
}
} else if (HTTP_REDIRECT_BINDING.equals(assertionConsumerServiceBinding)) {
if (!(binding instanceof RedirectBinding)) {
binding = new RedirectBinding(systemCrypto, serviceProviders);
}
}
org.opensaml.saml.saml2.core.Response encodedSaml = handleLogin(authnRequest, authMethod, request, null, false, false);
LOGGER.debug("Returning SAML Response for relayState: {}" + relayState);
NewCookie newCookie = createCookie(request, encodedSaml);
Response response = binding.creator().getSamlpResponse(relayState, authnRequest, encodedSaml, newCookie, template);
if (newCookie != null) {
cookieCache.addActiveSp(newCookie.getValue(), authnRequest.getIssuer().getValue());
logAddedSp(authnRequest);
}
return response;
} catch (SecurityServiceException e) {
LOGGER.info("Unable to retrieve subject for user.", e);
return Response.status(Response.Status.UNAUTHORIZED).build();
} catch (WSSecurityException e) {
LOGGER.info("Unable to encode SAMLP response.", e);
} catch (SimpleSign.SignatureException e) {
LOGGER.info("Unable to sign SAML response.", e);
} catch (IllegalArgumentException e) {
LOGGER.info(e.getMessage(), e);
return Response.status(Response.Status.BAD_REQUEST).build();
} catch (ValidationException e) {
LOGGER.info("AuthnRequest schema validation failed.", e);
return Response.status(Response.Status.BAD_REQUEST).build();
} catch (IOException e) {
LOGGER.info("Unable to create SAML Response.", e);
} catch (IdpException e) {
LOGGER.info(e.getMessage(), e);
return Response.status(Response.Status.BAD_REQUEST).build();
}
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}
Also used :
RedirectBinding(org.codice.ddf.security.idp.binding.redirect.RedirectBinding)
SoapBinding(org.codice.ddf.security.idp.binding.soap.SoapBinding)
Binding(org.codice.ddf.security.idp.binding.api.Binding)
PostBinding(org.codice.ddf.security.idp.binding.post.PostBinding)
RedirectBinding(org.codice.ddf.security.idp.binding.redirect.RedirectBinding)
SecurityServiceException(ddf.security.service.SecurityServiceException)
ValidationException(ddf.security.samlp.ValidationException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse)
Response(javax.ws.rs.core.Response)
SimpleSign(ddf.security.samlp.SimpleSign)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
PostBinding(org.codice.ddf.security.idp.binding.post.PostBinding)
NewCookie(javax.ws.rs.core.NewCookie)
Path(javax.ws.rs.Path)
GET(javax.ws.rs.GET)
Example 23 with SecurityServiceException
use of ddf.security.service.SecurityServiceException in project ddf by codice.
the class IdpEndpoint method showLoginPage.
private Response showLoginPage(String samlRequest, String relayState, String signatureAlgorithm, String signature, HttpServletRequest request, Binding binding, String template, String originalBinding) throws WSSecurityException {
String responseStr;
AuthnRequest authnRequest = null;
try {
Map<String, Object> responseMap = new HashMap<>();
binding.validator().validateRelayState(relayState);
authnRequest = binding.decoder().decodeRequest(samlRequest);
authnRequest.getIssueInstant();
binding.validator().validateAuthnRequest(authnRequest, samlRequest, relayState, signatureAlgorithm, signature, strictSignature);
if (!request.isSecure()) {
throw new IllegalArgumentException("Authn Request must use TLS.");
}
X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERTIFICATES_ATTR);
boolean hasCerts = (certs != null && certs.length > 0);
boolean hasCookie = hasValidCookie(request, authnRequest.isForceAuthn());
if ((authnRequest.isPassive() && hasCerts) || hasCookie) {
LOGGER.debug("Received Passive & PKI AuthnRequest.");
org.opensaml.saml.saml2.core.Response samlpResponse;
try {
samlpResponse = handleLogin(authnRequest, PKI, request, null, authnRequest.isPassive(), hasCookie);
LOGGER.debug("Passive & PKI AuthnRequest logged in successfully.");
} catch (SecurityServiceException e) {
LOGGER.debug(e.getMessage(), e);
return getErrorResponse(relayState, authnRequest, StatusCode.AUTHN_FAILED, binding);
} catch (WSSecurityException e) {
LOGGER.debug(e.getMessage(), e);
return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_DENIED, binding);
} catch (SimpleSign.SignatureException | ConstraintViolationException e) {
LOGGER.debug(e.getMessage(), e);
return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_UNSUPPORTED, binding);
}
LOGGER.debug("Returning Passive & PKI SAML Response.");
NewCookie cookie = null;
if (hasCookie) {
cookieCache.addActiveSp(getCookie(request).getValue(), authnRequest.getIssuer().getValue());
} else {
cookie = createCookie(request, samlpResponse);
if (cookie != null) {
cookieCache.addActiveSp(cookie.getValue(), authnRequest.getIssuer().getValue());
}
}
logAddedSp(authnRequest);
return binding.creator().getSamlpResponse(relayState, authnRequest, samlpResponse, cookie, template);
} else {
LOGGER.debug("Building the JSON map to embed in the index.html page for login.");
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
String authn = DOM2Writer.nodeToString(OpenSAMLUtil.toDom(authnRequest, doc, false));
String encodedAuthn = RestSecurity.deflateAndBase64Encode(authn);
responseMap.put(PKI, hasCerts);
responseMap.put(GUEST, guestAccess);
responseMap.put(SAML_REQ, encodedAuthn);
responseMap.put(RELAY_STATE, relayState);
String assertionConsumerServiceURL = ((ResponseCreatorImpl) binding.creator()).getAssertionConsumerServiceURL(authnRequest);
responseMap.put(ACS_URL, assertionConsumerServiceURL);
responseMap.put(SSOConstants.SIG_ALG, signatureAlgorithm);
responseMap.put(SSOConstants.SIGNATURE, signature);
responseMap.put(ORIGINAL_BINDING, originalBinding);
}
String json = Boon.toJson(responseMap);
LOGGER.debug("Returning index.html page.");
responseStr = indexHtml.replace(IDP_STATE_OBJ, json);
return Response.ok(responseStr).build();
} catch (IllegalArgumentException e) {
LOGGER.debug(e.getMessage(), e);
if (authnRequest != null) {
try {
return getErrorResponse(relayState, authnRequest, StatusCode.REQUEST_UNSUPPORTED, binding);
} catch (IOException | SimpleSign.SignatureException e1) {
LOGGER.debug(e1.getMessage(), e1);
}
}
} catch (UnsupportedOperationException e) {
LOGGER.debug(e.getMessage(), e);
if (authnRequest != null) {
try {
return getErrorResponse(relayState, authnRequest, StatusCode.UNSUPPORTED_BINDING, binding);
} catch (IOException | SimpleSign.SignatureException e1) {
LOGGER.debug(e1.getMessage(), e1);
}
}
} catch (SimpleSign.SignatureException e) {
LOGGER.debug("Unable to validate AuthRequest Signature", e);
} catch (IOException e) {
LOGGER.debug("Unable to decode AuthRequest", e);
} catch (ValidationException e) {
LOGGER.debug("AuthnRequest schema validation failed.", e);
}
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}
Also used :
SecurityServiceException(ddf.security.service.SecurityServiceException)
ValidationException(ddf.security.samlp.ValidationException)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
Document(org.w3c.dom.Document)
SimpleSign(ddf.security.samlp.SimpleSign)
ConstraintViolationException(net.shibboleth.utilities.java.support.logic.ConstraintViolationException)
NewCookie(javax.ws.rs.core.NewCookie)
ResponseCreatorImpl(org.codice.ddf.security.idp.binding.api.impl.ResponseCreatorImpl)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
SignableXMLObject(org.opensaml.xmlsec.signature.SignableXMLObject)
XMLObject(org.opensaml.core.xml.XMLObject)
Example 24 with SecurityServiceException
use of ddf.security.service.SecurityServiceException in project ddf by codice.
the class IdpEndpointTest method testExpiredLoginCookie.
@Test
public void testExpiredLoginCookie() throws SecurityServiceException, WSSecurityException {
String samlRequest = authNRequestGet;
HttpServletRequest request = mock(HttpServletRequest.class);
Cookie cookie = mock(Cookie.class);
SecurityManager securityManager = mock(SecurityManager.class);
when(securityManager.getSubject(anyObject())).thenThrow(new SecurityServiceException("test"));
idpEndpoint.setSecurityManager(securityManager);
when(request.isSecure()).thenReturn(true);
when(request.getRequestURL()).thenReturn(requestURL);
when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
when(request.getCookies()).thenReturn(new Cookie[] { cookie });
when(cookie.getName()).thenReturn(IdpEndpoint.COOKIE);
when(cookie.getValue()).thenReturn("2");
Response response = idpEndpoint.showGetLogin(samlRequest, relayState, signatureAlgorithm, signature, request);
//the only cookie that should exist is the "1" cookie so "2" should send us to the login webapp
assertThat(response.getEntity().toString(), containsString("<title>Login</title>"));
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
Cookie(javax.servlet.http.Cookie)
Response(javax.ws.rs.core.Response)
SecurityServiceException(ddf.security.service.SecurityServiceException)
SecurityManager(ddf.security.service.SecurityManager)
Matchers.containsString(org.hamcrest.Matchers.containsString)
Matchers.anyString(org.mockito.Matchers.anyString)
Test(org.junit.Test)
Example 25 with SecurityServiceException
use of ddf.security.service.SecurityServiceException in project ddf by codice.
the class IdpEndpointTest method testPassiveLoginPkiSignatureErrorPost.
@Test
public void testPassiveLoginPkiSignatureErrorPost() throws SecurityServiceException, WSSecurityException, CertificateEncodingException, IOException {
String samlRequest = authNRequestPassivePkiPost;
HttpServletRequest request = mock(HttpServletRequest.class);
X509Certificate x509Certificate = mock(X509Certificate.class);
SecurityManager securityManager = mock(SecurityManager.class);
when(securityManager.getSubject(anyObject())).thenThrow(new SecurityServiceException("test"));
idpEndpoint.setSecurityManager(securityManager);
when(request.isSecure()).thenReturn(true);
when(request.getRequestURL()).thenReturn(requestURL);
when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
//dummy cert
when((X509Certificate[]) request.getAttribute(requestCertificateAttributeName)).thenReturn(new X509Certificate[] { x509Certificate });
when(x509Certificate.getEncoded()).thenReturn(new byte[48]);
Response response = idpEndpoint.showPostLogin(samlRequest, relayState, request);
assertThat(response.getStatus(), is(500));
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
Response(javax.ws.rs.core.Response)
SecurityServiceException(ddf.security.service.SecurityServiceException)
SecurityManager(ddf.security.service.SecurityManager)
Matchers.containsString(org.hamcrest.Matchers.containsString)
Matchers.anyString(org.mockito.Matchers.anyString)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.Test)
Aggregations
SecurityServiceException (ddf.security.service.SecurityServiceException)34
Subject (ddf.security.Subject)11
SecurityManager (ddf.security.service.SecurityManager)9
Test (org.junit.Test)9
IOException (java.io.IOException)8
InvocationTargetException (java.lang.reflect.InvocationTargetException)8
X509Certificate (java.security.cert.X509Certificate)6
Response (javax.ws.rs.core.Response)6
SecurityAssertion (ddf.security.assertion.SecurityAssertion)5
HashMap (java.util.HashMap)5
HttpServletRequest (javax.servlet.http.HttpServletRequest)5
Matchers.containsString (org.hamcrest.Matchers.containsString)5
Matchers.anyString (org.mockito.Matchers.anyString)5
CatalogTransformerException (ddf.catalog.transform.CatalogTransformerException)4
Serializable (java.io.Serializable)4
ServletException (javax.servlet.ServletException)4
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
Metacard (ddf.catalog.data.Metacard)3
Result (ddf.catalog.data.Result)3
