use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class DefaultMultifactorAuthenticationProviderBypass method isAuthenticationRequestHonored.
@Override
public boolean isAuthenticationRequestHonored(final Authentication authentication, final RegisteredService registeredService, final MultifactorAuthenticationProvider provider) {
final Principal principal = authentication.getPrincipal();
final boolean bypassByPrincipal = locateMatchingAttributeBasedOnPrincipalAttributes(bypass, principal);
if (bypassByPrincipal) {
LOGGER.debug("Bypass rules for principal [{}] indicate the request may be ignored", principal.getId());
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
final boolean bypassByAuthn = locateMatchingAttributeBasedOnAuthenticationAttributes(bypass, authentication);
if (bypassByAuthn) {
LOGGER.debug("Bypass rules for authentication [{}] indicate the request may be ignored", principal.getId());
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
final boolean bypassByAuthnMethod = locateMatchingAttributeValue(AuthenticationManager.AUTHENTICATION_METHOD_ATTRIBUTE, bypass.getAuthenticationMethodName(), authentication.getAttributes(), false);
if (bypassByAuthnMethod) {
LOGGER.debug("Bypass rules for authentication method [{}] indicate the request may be ignored", principal.getId());
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
final boolean bypassByHandlerName = locateMatchingAttributeValue(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS, bypass.getAuthenticationHandlerName(), authentication.getAttributes(), false);
if (bypassByHandlerName) {
LOGGER.debug("Bypass rules for authentication handlers [{}] indicate the request may be ignored", principal.getId());
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
final boolean bypassByCredType = locateMatchingCredentialType(authentication, bypass.getCredentialClassType());
if (bypassByCredType) {
LOGGER.debug("Bypass rules for credential types [{}] indicate the request may be ignored", principal.getId());
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
final boolean bypassByService = locateMatchingRegisteredServiceForBypass(authentication, registeredService);
if (bypassByService) {
updateAuthenticationToRememberBypass(authentication, provider, principal);
return false;
}
updateAuthenticationToForgetBypass(authentication, provider, principal);
return true;
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class AbstractAuthenticationManager method authenticate.
@Override
@Audit(action = "AUTHENTICATION", actionResolverName = "AUTHENTICATION_RESOLVER", resourceResolverName = "AUTHENTICATION_RESOURCE_RESOLVER")
@Timed(name = "AUTHENTICATE_TIMER")
@Metered(name = "AUTHENTICATE_METER")
@Counted(name = "AUTHENTICATE_COUNT", monotonic = true)
public Authentication authenticate(final AuthenticationTransaction transaction) throws AuthenticationException {
AuthenticationCredentialsLocalBinder.bindCurrent(transaction.getCredentials());
final AuthenticationBuilder builder = authenticateInternal(transaction);
authenticationEventExecutionPlan.getAuthenticationPostProcessors().forEach(p -> {
LOGGER.info("Invoking authentication post processor [{}]", p);
p.process(transaction, builder);
});
final Authentication authentication = builder.build();
final Principal principal = authentication.getPrincipal();
if (principal instanceof NullPrincipal) {
throw new UnresolvedPrincipalException(authentication);
}
addAuthenticationMethodAttribute(builder, authentication);
LOGGER.info("Authenticated principal [{}] with attributes [{}] via credentials [{}].", principal.getId(), principal.getAttributes(), transaction.getCredentials());
populateAuthenticationMetadataAttributes(builder, transaction.getCredentials());
final Authentication a = builder.build();
AuthenticationCredentialsLocalBinder.bindCurrent(a);
return a;
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class AbstractAuthenticationManager method authenticateAndResolvePrincipal.
/**
* Authenticate and resolve principal.
*
* @param builder the builder
* @param credential the credential
* @param resolver the resolver
* @param handler the handler
* @throws GeneralSecurityException the general security exception
* @throws PreventedException the prevented exception
*/
protected void authenticateAndResolvePrincipal(final AuthenticationBuilder builder, final Credential credential, final PrincipalResolver resolver, final AuthenticationHandler handler) throws GeneralSecurityException, PreventedException {
Principal principal;
publishEvent(new CasAuthenticationTransactionStartedEvent(this, credential));
final HandlerResult result = handler.authenticate(credential);
builder.addSuccess(handler.getName(), result);
LOGGER.debug("Authentication handler [{}] successfully authenticated [{}]", handler.getName(), credential);
publishEvent(new CasAuthenticationTransactionSuccessfulEvent(this, credential));
principal = result.getPrincipal();
if (resolver == null) {
LOGGER.debug("No principal resolution is configured for [{}]. Falling back to handler principal [{}]", handler.getName(), principal);
} else {
principal = resolvePrincipal(handler, resolver, credential, principal);
if (principal == null) {
if (this.principalResolutionFailureFatal) {
LOGGER.warn("Principal resolution handled by [{}] produced a null principal for: [{}]" + "CAS is configured to treat principal resolution failures as fatal.", resolver.getClass().getSimpleName(), credential);
throw new UnresolvedPrincipalException();
}
LOGGER.warn("Principal resolution handled by [{}] produced a null principal. " + "This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal " + "produced by the authentication handler, if any.", resolver.getClass().getSimpleName());
}
}
if (principal != null) {
builder.setPrincipal(principal);
}
LOGGER.debug("Final principal resolved for this authentication event is [{}]", principal);
publishEvent(new CasAuthenticationPrincipalResolvedEvent(this, principal));
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class RegisteredServiceAccessStrategyUtils method ensurePrincipalAccessIsAllowedForService.
/**
* Ensure service access is allowed.
*
* @param service the service
* @param registeredService the registered service
* @param authentication the authentication
* @throws UnauthorizedServiceException the unauthorized service exception
* @throws PrincipalException the principal exception
*/
public static void ensurePrincipalAccessIsAllowedForService(final Service service, final RegisteredService registeredService, final Authentication authentication) throws UnauthorizedServiceException, PrincipalException {
ensureServiceAccessIsAllowed(service, registeredService);
final Principal principal = authentication.getPrincipal();
final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal, registeredService);
if (!registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principal.getId(), principalAttrs)) {
LOGGER.warn("Cannot grant access to service [{}] because it is not authorized for use by [{}].", service.getId(), principal);
final Map<String, Class<? extends Exception>> handlerErrors = new HashMap<>();
handlerErrors.put(UnauthorizedServiceForPrincipalException.class.getSimpleName(), UnauthorizedServiceForPrincipalException.class);
throw new PrincipalException(UnauthorizedServiceForPrincipalException.CODE_UNAUTHZ_SERVICE, handlerErrors, new HashMap<>());
}
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver method resolveInternal.
@Override
public Set<Event> resolveInternal(final RequestContext context) {
final RegisteredService service = resolveRegisteredServiceInRequestContext(context);
final Authentication authentication = WebUtils.getAuthentication(context);
final RegisteredServiceMultifactorPolicy policy = service != null ? service.getMultifactorPolicy() : null;
if (policy == null || service.getMultifactorPolicy().getMultifactorAuthenticationProviders().isEmpty()) {
LOGGER.debug("Authentication policy is absent or does not contain any multifactor authentication providers");
return null;
}
if (StringUtils.isBlank(policy.getPrincipalAttributeNameTrigger()) || StringUtils.isBlank(policy.getPrincipalAttributeValueToMatch())) {
LOGGER.debug("Authentication policy does not define a principal attribute and/or value to trigger multifactor authentication");
return null;
}
final Principal principal = authentication.getPrincipal();
final Collection<MultifactorAuthenticationProvider> providers = flattenProviders(getAuthenticationProviderForService(service));
return resolveEventViaPrincipalAttribute(principal, org.springframework.util.StringUtils.commaDelimitedListToSet(policy.getPrincipalAttributeNameTrigger()), service, context, providers, Pattern.compile(policy.getPrincipalAttributeValueToMatch()).asPredicate());
}
Aggregations