Search in sources :

Example 36 with PrincipalCollection

use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice.

the class SecureCxfClientFactoryTest method setupMockSubject.

private Subject setupMockSubject() throws Exception {
    Subject mockSubject = mock(Subject.class);
    PrincipalCollection mockPrincipals = mock(PrincipalCollection.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockToken = mock(SecurityToken.class);
    when(mockSubject.getPrincipals()).thenReturn(mockPrincipals);
    when(mockPrincipals.asList()).thenReturn(Arrays.asList(mockSecurityAssertion));
    when(mockSecurityAssertion.getToken()).thenReturn(mockToken);
    when(mockToken.getToken()).thenReturn(getAssertionElement());
    return mockSubject;
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion) DelegatingSubject(org.apache.shiro.subject.support.DelegatingSubject) Subject(ddf.security.Subject)

Example 37 with PrincipalCollection

use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice.

the class SamlAssertionValidatorImpl method validate.

/**
 * Validates a SAMLAuthenticationToken by checking it's signature against the configured system
 * certs.
 *
 * @param token token to validate
 * @throws AuthenticationFailureException thrown when the cert fails to validate
 */
@Override
public void validate(SAMLAuthenticationToken token) throws AuthenticationFailureException {
    try {
        LOGGER.debug("Validation received SAML Assertion");
        PrincipalCollection principalCollection = (PrincipalCollection) token.getCredentials();
        Collection<SecurityAssertion> securityAssertions = principalCollection.byType(SecurityAssertion.class);
        SecurityAssertion securityAssertion = null;
        for (SecurityAssertion assertion : securityAssertions) {
            if (SecurityAssertionSaml.SAML2_TOKEN_TYPE.equals(assertion.getTokenType())) {
                securityAssertion = assertion;
                break;
            }
        }
        if (securityAssertion == null) {
            throw new AuthenticationFailureException("Unable to validate SAML token. Token is not SAML.");
        }
        SamlAssertionWrapper assertion = new SamlAssertionWrapper((Element) securityAssertion.getToken());
        // get the crypto junk
        Crypto crypto = getSignatureCrypto();
        Response samlResponse = createSamlResponse(token.getRequestURI(), assertion.getIssuerString(), createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null));
        BUILDER.get().reset();
        Document doc = BUILDER.get().newDocument();
        Element policyElement = OpenSAMLUtil.toDom(samlResponse, doc);
        doc.appendChild(policyElement);
        Credential credential = new Credential();
        credential.setSamlAssertion(assertion);
        RequestData requestData = new RequestData();
        requestData.setWsDocInfo(new WSDocInfo(samlResponse.getDOM().getOwnerDocument()));
        requestData.setSigVerCrypto(crypto);
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        requestData.setWssConfig(wssConfig);
        X509Certificate[] x509Certs = token.getX509Certs();
        requestData.setTlsCerts(x509Certs);
        validateHolderOfKeyConfirmation(assertion, x509Certs);
        if (assertion.isSigned()) {
            // Verify the signature
            WSSSAMLKeyInfoProcessor wsssamlKeyInfoProcessor = new WSSSAMLKeyInfoProcessor(requestData);
            assertion.verifySignature(wsssamlKeyInfoProcessor, crypto);
            assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
        }
        assertionValidator.validate(credential, requestData);
    } catch (SecurityServiceException e) {
        LOGGER.debug("Unable to get subject from SAML request.", e);
        throw new AuthenticationFailureException(e);
    } catch (WSSecurityException e) {
        LOGGER.debug("Unable to read/validate security token from request.", e);
        throw new AuthenticationFailureException(e);
    }
}
Also used : WSDocInfo(org.apache.wss4j.dom.WSDocInfo) Credential(org.apache.wss4j.dom.validate.Credential) SecurityServiceException(ddf.security.service.SecurityServiceException) Element(org.w3c.dom.Element) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Document(org.w3c.dom.Document) X509Certificate(java.security.cert.X509Certificate) Response(org.opensaml.saml.saml2.core.Response) Crypto(org.apache.wss4j.common.crypto.Crypto) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)

Example 38 with PrincipalCollection

use of org.apache.shiro.subject.PrincipalCollection in project neo4j by neo4j.

the class ShiroSubjectFactory method createSubject.

@Override
public Subject createSubject(SubjectContext context) {
    SecurityManager securityManager = context.resolveSecurityManager();
    Session session = context.resolveSession();
    boolean sessionCreationEnabled = context.isSessionCreationEnabled();
    PrincipalCollection principals = context.resolvePrincipals();
    boolean authenticated = context.resolveAuthenticated();
    String host = context.resolveHost();
    ShiroAuthenticationInfo authcInfo = (ShiroAuthenticationInfo) context.getAuthenticationInfo();
    return new ShiroSubject(principals, authenticated, host, session, sessionCreationEnabled, securityManager, authcInfo.getAuthenticationResult());
}
Also used : SecurityManager(org.apache.shiro.mgt.SecurityManager) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) Session(org.apache.shiro.session.Session)

Example 39 with PrincipalCollection

use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice.

the class IdpEndpointTest method testPassiveLoginPkiUnsupportedPost.

@Test
public void testPassiveLoginPkiUnsupportedPost() throws SecurityServiceException, WSSecurityException, CertificateEncodingException, IOException {
    String samlRequest = authNRequestPassivePkiPost;
    HttpServletRequest request = mock(HttpServletRequest.class);
    X509Certificate x509Certificate = mock(X509Certificate.class);
    Subject subject = mock(Subject.class);
    PrincipalCollection principalCollection = mock(PrincipalCollection.class);
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    SecurityToken securityToken = mock(SecurityToken.class);
    SecurityManager securityManager = mock(SecurityManager.class);
    when(subject.getPrincipals()).thenReturn(principalCollection);
    when(principalCollection.asList()).thenReturn(Collections.singletonList(securityAssertion));
    when(securityAssertion.getSecurityToken()).thenReturn(securityToken);
    //this mock element is what will cause the signature error
    when(securityToken.getToken()).thenReturn(mock(Element.class));
    when(securityManager.getSubject(anyObject())).thenReturn(subject);
    idpEndpoint.setSecurityManager(securityManager);
    idpEndpoint.setStrictSignature(false);
    when(request.isSecure()).thenReturn(true);
    when(request.getRequestURL()).thenReturn(requestURL);
    when(request.getAttribute(ContextPolicy.ACTIVE_REALM)).thenReturn("*");
    //dummy cert
    when((X509Certificate[]) request.getAttribute(requestCertificateAttributeName)).thenReturn(new X509Certificate[] { x509Certificate });
    when(x509Certificate.getEncoded()).thenReturn(new byte[48]);
    Response response = idpEndpoint.showPostLogin(samlRequest, relayState, request);
    String responseStr = StringUtils.substringBetween(response.getEntity().toString(), "SAMLResponse\" value=\"", "\" />");
    responseStr = new String(Base64.getDecoder().decode(responseStr));
    //the only cookie that should exist is the "1" cookie so "2" should send us to the login webapp
    assertThat(responseStr, containsString("status:RequestUnsupported"));
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Response(javax.ws.rs.core.Response) SecurityManager(ddf.security.service.SecurityManager) Element(org.w3c.dom.Element) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) Matchers.containsString(org.hamcrest.Matchers.containsString) Matchers.anyString(org.mockito.Matchers.anyString) SecurityAssertion(ddf.security.assertion.SecurityAssertion) X509Certificate(java.security.cert.X509Certificate) Subject(ddf.security.Subject) Test(org.junit.Test)

Example 40 with PrincipalCollection

use of org.apache.shiro.subject.PrincipalCollection in project ddf by codice.

the class AuthenticationEndpointTest method mockUser.

private void mockUser(String username, String password, String realm) throws SecurityServiceException {
    Subject subject = mock(Subject.class);
    SecurityAssertion securityAssertion = mock(SecurityAssertion.class);
    SecurityToken securityToken = mock(SecurityToken.class);
    when(securityAssertion.getSecurityToken()).thenReturn(securityToken);
    PrincipalCollection collection = mock(PrincipalCollection.class);
    Iterator iter = mock(Iterator.class);
    when(iter.hasNext()).thenReturn(true, false);
    when(iter.next()).thenReturn(securityAssertion);
    when(collection.iterator()).thenReturn(iter);
    when(subject.getPrincipals()).thenReturn(collection);
    UPAuthenticationToken token = new UPAuthenticationToken(username, password, realm);
    when(securityManager.getSubject(argThat(new UsernamePasswordTokenMatcher(token)))).thenReturn(subject);
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Iterator(java.util.Iterator) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) PrincipalCollection(org.apache.shiro.subject.PrincipalCollection) SecurityAssertion(ddf.security.assertion.SecurityAssertion) Subject(ddf.security.Subject)

Aggregations

PrincipalCollection (org.apache.shiro.subject.PrincipalCollection)87 SimplePrincipalCollection (org.apache.shiro.subject.SimplePrincipalCollection)40 Test (org.junit.Test)36 SecurityAssertion (ddf.security.assertion.SecurityAssertion)23 Subject (ddf.security.Subject)15 Principal (java.security.Principal)14 Subject (org.apache.shiro.subject.Subject)14 ArrayList (java.util.ArrayList)10 DefaultSecurityManager (org.apache.shiro.mgt.DefaultSecurityManager)10 AuthorizationInfo (org.apache.shiro.authz.AuthorizationInfo)9 Permission (org.apache.shiro.authz.Permission)8 Session (org.apache.shiro.session.Session)8 SimpleSession (org.apache.shiro.session.mgt.SimpleSession)8 HttpServletRequest (javax.servlet.http.HttpServletRequest)7 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)7 PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)6 Attribute (ddf.security.assertion.Attribute)5 AuthenticationToken (org.apache.shiro.authc.AuthenticationToken)5 CollectionPermission (ddf.security.permission.CollectionPermission)4 KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission)4