Examples with Principal org.apereo.cas.authentication.principal.Principal used on opensource projects

Example 81 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class PolicyBasedAuthenticationManager method resolvePrincipal.

/**
 * Resolve principal.
 *
 * @param handler    the handler name
 * @param resolver   the resolver
 * @param credential the credential
 * @param principal  the current authenticated principal from a handler, if any.
 * @return the principal
 */
protected Principal resolvePrincipal(final AuthenticationHandler handler, final PrincipalResolver resolver, final Credential credential, final Principal principal) {
    if (resolver.supports(credential)) {
        try {
            final Principal p = resolver.resolve(credential, principal, handler);
            LOGGER.debug("[{}] resolved [{}] from [{}]", resolver, p, credential);
            return p;
        } catch (final Exception e) {
            LOGGER.error("[{}] failed to resolve principal from [{}]", resolver, credential, e);
        }
    } else {
        LOGGER.warn("[{}] is configured to use [{}] but it does not support [{}], which suggests a configuration problem.", handler.getName(), resolver, credential);
    }
    return null;
}

Example 82 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class PolicyBasedAuthenticationManager method authenticateAndResolvePrincipal.

/**
 * Authenticate and resolve principal.
 *
 * @param builder    the builder
 * @param credential the credential
 * @param resolver   the resolver
 * @param handler    the handler
 * @throws GeneralSecurityException the general security exception
 * @throws PreventedException       the prevented exception
 */
protected void authenticateAndResolvePrincipal(final AuthenticationBuilder builder, final Credential credential, final PrincipalResolver resolver, final AuthenticationHandler handler) throws GeneralSecurityException, PreventedException {
    publishEvent(new CasAuthenticationTransactionStartedEvent(this, credential));
    final AuthenticationHandlerExecutionResult result = handler.authenticate(credential);
    builder.addSuccess(handler.getName(), result);
    LOGGER.debug("Authentication handler [{}] successfully authenticated [{}]", handler.getName(), credential);
    publishEvent(new CasAuthenticationTransactionSuccessfulEvent(this, credential));
    Principal principal = result.getPrincipal();
    final String resolverName = resolver != null ? resolver.getClass().getSimpleName() : "N/A";
    if (resolver == null) {
        LOGGER.debug("No principal resolution is configured for [{}]. Falling back to handler principal [{}]", handler.getName(), principal);
    } else {
        principal = resolvePrincipal(handler, resolver, credential, principal);
        if (principal == null) {
            if (this.principalResolutionFailureFatal) {
                LOGGER.warn("Principal resolution handled by [{}] produced a null principal for: [{}]" + "CAS is configured to treat principal resolution failures as fatal.", resolverName, credential);
                throw new UnresolvedPrincipalException();
            }
            LOGGER.warn("Principal resolution handled by [{}] produced a null principal. " + "This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal " + "produced by the authentication handler, if any.", resolver.getClass().getSimpleName());
        }
    }
    if (principal == null) {
        LOGGER.warn("Principal resolution for authentication by [{}] produced a null principal.", handler.getName());
    } else {
        builder.setPrincipal(principal);
    }
    LOGGER.debug("Final principal resolved for this authentication event is [{}]", principal);
    publishEvent(new CasAuthenticationPrincipalResolvedEvent(this, principal));
}

Example 83 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class ChainingPrincipalResolver method resolve.

/**
 * {@inheritDoc}
 * Resolves a credential by delegating to each of the configured resolvers in sequence. Note that the
 * final principal is taken from the first resolved principal in the chain, yet attributes are merged.
 *
 * @param credential Authenticated credential.
 * @param principal  Authenticated principal, if any.
 * @return The principal from the last configured resolver in the chain.
 */
@Override
public Principal resolve(final Credential credential, final Principal principal, final AuthenticationHandler handler) {
    final List<Principal> principals = new ArrayList<>();
    chain.stream().filter(resolver -> resolver.supports(credential)).forEach(resolver -> {
        LOGGER.debug("Invoking principal resolver [{}]", resolver);
        final Principal p = resolver.resolve(credential, principal, handler);
        if (p != null) {
            principals.add(p);
        }
    });
    if (principals.isEmpty()) {
        LOGGER.warn("None of the principal resolvers in the chain were able to produce a principal");
        return NullPrincipal.getInstance();
    }
    final Map<String, Object> attributes = new HashMap<>();
    principals.forEach(p -> {
        if (p != null) {
            LOGGER.debug("Resolved principal [{}]", p);
            if (p.getAttributes() != null && !p.getAttributes().isEmpty()) {
                LOGGER.debug("Adding attributes [{}] for the final principal", p.getAttributes());
                attributes.putAll(p.getAttributes());
            }
        }
    });
    final long count = principals.stream().map(p -> p.getId().trim().toLowerCase()).distinct().collect(Collectors.toSet()).size();
    if (count > 1) {
        throw new PrincipalException("Resolved principals by the chain are not unique because principal resolvers have produced CAS principals " + "with different identifiers which typically is the result of a configuration issue.", new HashMap<>(0), new HashMap<>(0));
    }
    final String principalId = principal != null ? principal.getId() : principals.get(0).getId();
    final Principal finalPrincipal = this.principalFactory.createPrincipal(principalId, attributes);
    LOGGER.debug("Final principal constructed by the chain of resolvers is [{}]", finalPrincipal);
    return finalPrincipal;
}

Example 84 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class DefaultMultifactorAuthenticationProviderBypass method shouldMultifactorAuthenticationProviderExecute.

@Override
public boolean shouldMultifactorAuthenticationProviderExecute(final Authentication authentication, final RegisteredService registeredService, final MultifactorAuthenticationProvider provider, final HttpServletRequest request) {
    final Principal principal = authentication.getPrincipal();
    LOGGER.debug("Evaluating multifactor authentication bypass properties for principal [{}], service [{}] and provider [{}]", principal.getId(), registeredService, provider);
    final boolean bypassByPrincipal = locateMatchingAttributeBasedOnPrincipalAttributes(bypassProperties, principal);
    if (bypassByPrincipal) {
        LOGGER.debug("Bypass rules for principal [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByAuthn = locateMatchingAttributeBasedOnAuthenticationAttributes(bypassProperties, authentication);
    if (bypassByAuthn) {
        LOGGER.debug("Bypass rules for authentication for principal [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByAuthnMethod = locateMatchingAttributeValue(AuthenticationManager.AUTHENTICATION_METHOD_ATTRIBUTE, bypassProperties.getAuthenticationMethodName(), authentication.getAttributes(), false);
    if (bypassByAuthnMethod) {
        LOGGER.debug("Bypass rules for authentication method [{}] indicate the request may be ignored", bypassProperties.getAuthenticationMethodName());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByHandlerName = locateMatchingAttributeValue(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS, bypassProperties.getAuthenticationHandlerName(), authentication.getAttributes(), false);
    if (bypassByHandlerName) {
        LOGGER.debug("Bypass rules for authentication handlers [{}] indicate the request may be ignored", bypassProperties.getAuthenticationHandlerName());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByCredType = locateMatchingCredentialType(authentication, bypassProperties.getCredentialClassType());
    if (bypassByCredType) {
        LOGGER.debug("Bypass rules for credential types [{}] indicate the request may be ignored", bypassProperties.getCredentialClassType());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByHttpRequest = locateMatchingHttpRequest(authentication, request);
    if (bypassByHttpRequest) {
        LOGGER.debug("Bypass rules for http request indicate the request may be ignored for [{}]", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByService = locateMatchingRegisteredServiceForBypass(authentication, registeredService);
    if (bypassByService) {
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    updateAuthenticationToForgetBypass(authentication, provider, principal);
    return true;
}

Example 85 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class GroovyMultifactorAuthenticationProviderBypass method shouldMultifactorAuthenticationProviderExecute.

@Override
public boolean shouldMultifactorAuthenticationProviderExecute(final Authentication authentication, final RegisteredService registeredService, final MultifactorAuthenticationProvider provider, final HttpServletRequest request) {
    try {
        final Principal principal = authentication.getPrincipal();
        LOGGER.debug("Evaluating multifactor authentication bypass properties for principal [{}], " + "service [{}] and provider [{}] via Groovy script [{}]", principal.getId(), registeredService, provider, this.groovyScript);
        return ScriptingUtils.executeGroovyScript(this.groovyScript, new Object[] { authentication, principal, registeredService, provider, LOGGER, request }, Boolean.class);
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
    }
    return super.shouldMultifactorAuthenticationProviderExecute(authentication, registeredService, provider, request);
}