Example 1 with AccessDeniedException
use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.
the class ClaimsAuthorizingInterceptor method handleMessage.
public void handleMessage(Message message) throws Fault {
SecurityContext sc = message.get(SecurityContext.class);
if (!(sc instanceof SAMLSecurityContext)) {
throw new AccessDeniedException("Security Context is unavailable or unrecognized");
}
Method method = getTargetMethod(message);
if (authorize((SAMLSecurityContext) sc, method)) {
return;
}
throw new AccessDeniedException("Unauthorized");
}
Also used :
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext)
SAMLSecurityContext(org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext)
SecurityContext(org.apache.cxf.security.SecurityContext)
Method(java.lang.reflect.Method)
Example 2 with AccessDeniedException
use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.
the class ClaimsAuthorizingInterceptor method getTargetMethod.
protected Method getTargetMethod(Message m) {
BindingOperationInfo bop = m.getExchange().getBindingOperationInfo();
if (bop != null) {
MethodDispatcher md = (MethodDispatcher) m.getExchange().getService().get(MethodDispatcher.class.getName());
return md.getMethod(bop);
}
Method method = (Method) m.get("org.apache.cxf.resource.method");
if (method != null) {
return method;
}
throw new AccessDeniedException("Method is not available : Unauthorized");
}
Also used :
BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
MethodDispatcher(org.apache.cxf.service.invoker.MethodDispatcher)
Method(java.lang.reflect.Method)
Example 3 with AccessDeniedException
use of org.apache.cxf.interceptor.security.AccessDeniedException in project testcases by coheigea.
the class XACML3AuthorizingInterceptor method handleMessage.
public void handleMessage(Message message) throws Fault {
SecurityContext sc = message.get(SecurityContext.class);
if (sc instanceof LoginSecurityContext) {
Principal principal = sc.getUserPrincipal();
LoginSecurityContext loginSecurityContext = (LoginSecurityContext) sc;
Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
List<String> roles = new ArrayList<String>();
if (principalRoles != null) {
for (Principal p : principalRoles) {
if (p != principal) {
roles.add(p.getName());
}
}
}
try {
if (authorize(principal, roles, message)) {
return;
}
} catch (Exception e) {
LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
throw new AccessDeniedException("Unauthorized");
}
} else {
LOG.log(Level.FINE, "The SecurityContext was not an instance of LoginSecurityContext. No authorization " + "is possible as a result");
}
throw new AccessDeniedException("Unauthorized");
}
Also used :
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
SecurityContext(org.apache.cxf.security.SecurityContext)
LoginSecurityContext(org.apache.cxf.security.LoginSecurityContext)
LoginSecurityContext(org.apache.cxf.security.LoginSecurityContext)
ArrayList(java.util.ArrayList)
Principal(java.security.Principal)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
Example 4 with AccessDeniedException
use of org.apache.cxf.interceptor.security.AccessDeniedException in project ddf by codice.
the class PaosInInterceptor method handleMessage.
@Override
public void handleMessage(Message message) throws Fault {
List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
String authorization = null;
if (authHeader != null && authHeader.size() > 0) {
authorization = (String) authHeader.get(0);
}
InputStream content = message.getContent(InputStream.class);
String contentType = (String) message.get(Message.CONTENT_TYPE);
if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
return;
}
try {
SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, StandardCharsets.UTF_8));
Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
IDPEntry idpEntry = null;
String relayState = "";
String responseConsumerURL = "";
String messageId = "";
while (iterator.hasNext()) {
Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
relayState = DOM2Writer.nodeToString(soapHeaderElement);
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
try {
soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
IDPList idpList = ecpRequest.getIDPList();
if (idpList == null) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
if (idpEntrys == null || idpEntrys.size() == 0) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
// choose the right entry, probably need to do something better than select the first
// one
// but the spec doesn't specify how this is supposed to be done
idpEntry = idpEntrys.get(0);
} catch (WSSecurityException e) {
// TODO figure out IdP alternatively
LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
}
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
}
}
if (idpEntry == null) {
throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
}
String token = createToken(authorization);
checkAuthnRequest(soapMessage);
Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
String loc = idpEntry.getLoc();
String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
InputStream httpResponseContent = httpResponse.content;
SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, StandardCharsets.UTF_8));
Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
String newRelayState = "";
while (responseHeaderElements.hasNext()) {
SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
message.setContent(InputStream.class, httpResponse.content);
return;
}
} else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
LOGGER.debug("RelayState does not match between ECP request and response");
}
if (StringUtils.isNotEmpty(relayState)) {
newRelayState = relayState;
}
}
}
checkSamlpResponse(idpSoapResponse);
Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
XMLObject paosResponse = null;
if (StringUtils.isNotEmpty(messageId)) {
paosResponse = getPaosResponse(messageId);
}
String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
if (httpResponse.statusCode < 400) {
httpResponseContent = httpResponse.content;
message.setContent(InputStream.class, httpResponseContent);
Map<String, List<String>> headers = new HashMap<>();
message.put(Message.PROTOCOL_HEADERS, headers);
httpResponse.headers.forEach((entry) -> headers.put(entry.getKey(), // CXF Expects pairs of <String, List<String>>
entry.getValue() instanceof List ? ((List<Object>) entry.getValue()).stream().map(String::valueOf).collect(Collectors.toList()) : Lists.newArrayList(String.valueOf(entry.getValue()))));
} else {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
}
} catch (IOException e) {
LOGGER.debug("Error encountered while performing ECP handshake.", e);
} catch (XMLStreamException | SOAPException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
} catch (WSSecurityException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
}
}
Also used :
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
HashMap(java.util.HashMap)
InputStream(java.io.InputStream)
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
Element(org.w3c.dom.Element)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
Request(org.opensaml.saml.saml2.ecp.Request)
HttpRequest(com.google.api.client.http.HttpRequest)
IDPList(org.opensaml.saml.saml2.core.IDPList)
XMLObject(org.opensaml.core.xml.XMLObject)
Fault(org.apache.cxf.interceptor.Fault)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
XMLStreamException(javax.xml.stream.XMLStreamException)
SOAPException(javax.xml.soap.SOAPException)
SOAPPart(javax.xml.soap.SOAPPart)
Iterator(java.util.Iterator)
IDPList(org.opensaml.saml.saml2.core.IDPList)
List(java.util.List)
XMLObject(org.opensaml.core.xml.XMLObject)
IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)
Example 5 with AccessDeniedException
use of org.apache.cxf.interceptor.security.AccessDeniedException in project cxf by apache.
the class AbstractXACMLAuthorizingInterceptor method handleMessage.
public void handleMessage(Message message) throws Fault {
SecurityContext sc = message.get(SecurityContext.class);
if (sc instanceof LoginSecurityContext) {
Principal principal = sc.getUserPrincipal();
String principalName = null;
if (principal != null) {
principalName = principal.getName();
}
LoginSecurityContext loginSecurityContext = (LoginSecurityContext) sc;
Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
List<String> roles = new ArrayList<>();
if (principalRoles != null) {
for (Principal p : principalRoles) {
if (p != null && p.getName() != null && !p.getName().equals(principalName)) {
roles.add(p.getName());
}
}
}
try {
if (authorize(principal, roles, message)) {
return;
}
} catch (Exception e) {
LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
throw new AccessDeniedException("Unauthorized");
}
} else {
LOG.log(Level.FINE, "The SecurityContext was not an instance of LoginSecurityContext. No authorization " + "is possible as a result");
}
throw new AccessDeniedException("Unauthorized");
}
Also used :
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
SecurityContext(org.apache.cxf.security.SecurityContext)
LoginSecurityContext(org.apache.cxf.security.LoginSecurityContext)
LoginSecurityContext(org.apache.cxf.security.LoginSecurityContext)
ArrayList(java.util.ArrayList)
Principal(java.security.Principal)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
Aggregations
AccessDeniedException (org.apache.cxf.interceptor.security.AccessDeniedException)12
SecurityContext (org.apache.cxf.security.SecurityContext)4
Method (java.lang.reflect.Method)3
Message (org.apache.cxf.message.Message)3
Test (org.junit.Test)3
IOException (java.io.IOException)2
Principal (java.security.Principal)2
ArrayList (java.util.ArrayList)2
Fault (org.apache.cxf.interceptor.Fault)2
SecureAnnotationsInterceptor (org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor)2
SAMLClaim (org.apache.cxf.rt.security.claims.SAMLClaim)2
LoginSecurityContext (org.apache.cxf.security.LoginSecurityContext)2
HttpRequest (com.google.api.client.http.HttpRequest)1
Subject (ddf.security.Subject)1
SecurityAssertion (ddf.security.assertion.SecurityAssertion)1
CollectionPermission (ddf.security.permission.CollectionPermission)1
KeyValueCollectionPermissionImpl (ddf.security.permission.impl.KeyValueCollectionPermissionImpl)1
SecurityServiceException (ddf.security.service.SecurityServiceException)1
InputStream (java.io.InputStream)1
X509Certificate (java.security.cert.X509Certificate)1
