Example 1 with AuthenticationFailureException

use of org.codice.ddf.platform.filter.AuthenticationFailureException in project ddf by codice.

the class IdpHandler method serializeAndSign.

private String serializeAndSign(boolean isPost, boolean wantSigned, AuthnRequest authnRequest) throws AuthenticationFailureException {
    try {
        // HTTP-POST binding: the signature is an enveloped XML Signature, so the
        // object must be signed before it is serialized. The HTTP-Redirect binding
        // does not sign the XML here; it signs the query string instead.
        if (isPost && wantSigned) {
            simpleSign.signSamlObject(authnRequest);
        }
        Document doc = DOMUtils.createDocument();
        doc.appendChild(doc.createElement("root"));
        Element requestElement = OpenSAMLUtil.toDom(authnRequest, doc);
        String requestMessage = DOM2Writer.nodeToString(requestElement);
        LOGGER.trace(requestMessage);
        return requestMessage;
    } catch (WSSecurityException e) {
        LOGGER.info(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST, e);
        throw new AuthenticationFailureException(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST);
    } catch (SignatureException e) {
        LOGGER.info(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST, e);
        throw new AuthenticationFailureException(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST);
    }
}
Also used : Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) SignatureException(ddf.security.samlp.SignatureException) Document(org.w3c.dom.Document)

Example 2 with AuthenticationFailureException

use of org.codice.ddf.platform.filter.AuthenticationFailureException in project ddf by codice.

the class IdpHandler method doHttpRedirectBinding.

private void doHttpRedirectBinding(HttpServletRequest request, HttpServletResponse response) throws AuthenticationFailureException {
    String redirectUrl;
    String idpRequest = null;
    String relayState = createRelayState(request);
    try {
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new AuthenticationFailureException(IDP_METADATA_MISSING);
        }
        // isPost=false: the XML itself is not signed for this binding, whatever
        // WantAuthnRequestsSigned says; the query string is signed below instead.
        StringBuilder queryParams = new StringBuilder("SAMLRequest=").append(encodeAuthnRequest(createAndSignAuthnRequest(false, idpssoDescriptor.getWantAuthnRequestsSigned()), false));
        if (relayState != null) {
            queryParams.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8"));
        }
        idpRequest = idpMetadata.getSingleSignOnLocation() + "?" + queryParams;
        UriBuilder idpUri = new UriBuilderImpl(new URI(idpRequest));
        // HTTP-Redirect binding: a detached signature computed over the encoded
        // query parameters and carried in additional query parameters, so RelayState
        // is covered by the signature as well.
        simpleSign.signUriString(queryParams.toString(), idpUri);
        redirectUrl = idpUri.build().toString();
    } catch (UnsupportedEncodingException e) {
        LOGGER.info("Unable to encode relay state: {}", relayState, e);
        throw new AuthenticationFailureException("Unable to create return location");
    } catch (SignatureException e) {
        String msg = "Unable to sign request";
        LOGGER.info(msg, e);
        throw new AuthenticationFailureException(msg);
    } catch (URISyntaxException e) {
        LOGGER.info("Unable to parse IDP request location: {}", idpRequest, e);
        throw new AuthenticationFailureException("Unable to determine IDP location.");
    }
    try {
        response.sendRedirect(redirectUrl);
        response.flushBuffer();
    } catch (IOException e) {
        LOGGER.info("Unable to redirect AuthnRequest to {}", redirectUrl, e);
        throw new AuthenticationFailureException("Unable to redirect to IdP");
    }
}
Also used : IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) UnsupportedEncodingException(java.io.UnsupportedEncodingException) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) SignatureException(ddf.security.samlp.SignatureException) URISyntaxException(java.net.URISyntaxException) IOException(java.io.IOException) UriBuilder(javax.ws.rs.core.UriBuilder) UriBuilderImpl(org.apache.cxf.jaxrs.impl.UriBuilderImpl) URI(java.net.URI)
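The two IdpHandler methods above delegate the mechanics of the HTTP-Redirect binding to encodeAuthnRequest and simpleSign.signUriString. The following is an added, self-contained example (not DDF code) of what that binding requires per the SAML 2.0 Bindings specification: the AuthnRequest is raw-DEFLATEd and Base64-encoded, the signature is computed over the URL-encoded string SAMLRequest=...&RelayState=...&SigAlg=..., and the result is appended as the Signature parameter. The AuthnRequest XML, the relay state value and the throwaway RSA key are constructed for the demo; the class and method names are my own and do not correspond to DDF's.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Added example, not DDF code: SAML 2.0 HTTP-Redirect binding, sender and receiver side. */
public class RedirectBindingExample {
    // Algorithm URI from the XML-DSig RSA-SHA256 registration; the value of the SigAlg parameter.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample request; in DDF the AuthnRequest is built with OpenSAML.
    static final String SAMPLE_AUTHN_REQUEST =
        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
        + "ID=\"_example\" Version=\"2.0\" IssueInstant=\"2024-01-01T00:00:00Z\"/>";

    /** Raw DEFLATE (no zlib header) followed by Base64, as the binding requires for SAMLRequest. */
    static String deflateAndEncode(String xml) {
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true); // nowrap=true: raw DEFLATE
        deflater.setInput(xml.getBytes(StandardCharsets.UTF_8));
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    /** Receiver side of deflateAndEncode. */
    static String inflateAndDecode(String b64) throws Exception {
        Inflater inflater = new Inflater(true);
        inflater.setInput(Base64.getDecoder().decode(b64));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            if (n == 0 && inflater.needsInput()) break; // truncated input: stop rather than spin
            out.write(buf, 0, n);
        }
        inflater.end();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8");
    }

    /** Signed data is the URL-encoded query string exactly as sent; Signature is appended afterwards. */
    static String buildSignedQuery(String xml, String relayState, PrivateKey key) throws Exception {
        StringBuilder q = new StringBuilder("SAMLRequest=").append(enc(deflateAndEncode(xml)));
        if (relayState != null) {
            q.append("&RelayState=").append(enc(relayState));
        }
        q.append("&SigAlg=").append(enc(RSA_SHA256));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(q.toString().getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(sig.sign());
        return q.append("&Signature=").append(enc(signature)).toString();
    }

    /** Verifier: split off Signature, insist on an allow-listed SigAlg, verify over the remainder. */
    static boolean verifySignedQuery(String query, PublicKey key) throws Exception {
        int idx = query.indexOf("&Signature=");
        if (idx < 0) return false;
        String signedPart = query.substring(0, idx);
        String sigB64 = URLDecoder.decode(query.substring(idx + "&Signature=".length()), "UTF-8");
        // Never select the verification algorithm from the attacker-controlled SigAlg value;
        // compare it against the one algorithm this receiver accepts.
        if (!signedPart.endsWith("&SigAlg=" + enc(RSA_SHA256))) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update(signedPart.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(sigB64));
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway demo key
        String relay = "https://sp.example/return";
        String query = buildSignedQuery(SAMPLE_AUTHN_REQUEST, relay, kp.getPrivate());
        System.out.println("Verifies: " + verifySignedQuery(query, kp.getPublic()));
        // RelayState is inside the signed string, so rewriting it breaks the signature.
        String tampered = query.replace(enc(relay), enc("https://evil.example/"));
        System.out.println("Tampered verifies: " + verifySignedQuery(tampered, kp.getPublic()));
        String samlReq = query.substring("SAMLRequest=".length(), query.indexOf("&RelayState="));
        System.out.println(inflateAndDecode(URLDecoder.decode(samlReq, "UTF-8")));
    }
}
```

The point the verifier side makes is the one that matters in review: the receiver must compare the query string byte for byte as received, with its original percent-encoding, and must not let the sender's SigAlg choose the algorithm. DDF's simpleSign encapsulates the sender half; the example shows both halves so the relationship between RelayState, SigAlg and Signature is visible.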

Example 3 with AuthenticationFailureException

use of org.codice.ddf.platform.filter.AuthenticationFailureException in project ddf by codice.

the class IdpHandler method doHttpPostBinding.

private void doHttpPostBinding(HttpServletRequest request, HttpServletResponse response) throws AuthenticationFailureException {
    try {
        IDPSSODescriptor idpssoDescriptor = idpMetadata.getDescriptor();
        if (idpssoDescriptor == null) {
            throw new AuthenticationFailureException(IDP_METADATA_MISSING);
        }
        response.getWriter().printf(postBindingTemplate, idpMetadata.getSingleSignOnLocation(), encodeAuthnRequest(createAndSignAuthnRequest(true, idpssoDescriptor.getWantAuthnRequestsSigned()), true), createRelayState(request));
        response.setStatus(200);
        response.flushBuffer();
    } catch (IOException e) {
        LOGGER.info("Unable to post AuthnRequest to IdP", e);
        throw new AuthenticationFailureException("Unable to post to IdP");
    }
}
Also used : IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) IOException(java.io.IOException)

Example 4 with AuthenticationFailureException

use of org.codice.ddf.platform.filter.AuthenticationFailureException in project ddf by codice.

the class WebSSOFilter method handleRequest.

private void handleRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityFilterChain filterChain, List<AuthenticationHandler> handlers) throws AuthenticationException, IOException {
    HandlerResult result = null;
    // First pass, see if anyone can come up with proper security token from the get-go
    LOGGER.debug("Checking for existing tokens in request.");
    final String path = httpRequest.getRequestURI();
    // X-Forwarded-For is a client-supplied header. The value is only meaningful when a
    // trusted reverse proxy in front of DDF sets or overwrites it; otherwise a caller can
    // put any address here, and it is what ends up in the logs and in the guest token.
    String ipAddress = httpRequest.getHeader("X-FORWARDED-FOR");
    if (ipAddress == null) {
        ipAddress = httpRequest.getRemoteAddr();
    }
    if (contextPolicyManager.getSessionAccess()) {
        result = checkForPreviousResultOnSession(httpRequest, ipAddress);
    }
    // no result found on session, try and get result from handlers
    if (result == null) {
        if (!handlers.isEmpty()) {
            result = getResultFromHandlers(httpRequest, httpResponse, filterChain, handlers);
        } else {
            // no configured handlers
            if (contextPolicyManager.getGuestAccess()) {
                LOGGER.trace("No configured handlers found, but guest access is enabled. Continuing with an empty handler result for guest login.");
                result = new HandlerResultImpl(Status.NO_ACTION, null);
                result.setSource("default");
            } else {
                LOGGER.warn("No configured handler found and guest access is disabled. Returning status code 503, Service Unavailable. Check system configuration and bundle state.");
                returnSimpleResponse(HttpServletResponse.SC_SERVICE_UNAVAILABLE, httpResponse);
                return;
            }
        }
    }
    handleResultStatus(httpRequest, httpResponse, result, path, ipAddress);
    // If we got here, we've received our tokens to continue
    LOGGER.debug("Invoking the rest of the filter chain");
    try {
        filterChain.doFilter(httpRequest, httpResponse);
    } catch (Exception e) {
        LOGGER.debug("Exception in filter chain - passing off to handlers. Msg: {}", e.getMessage(), e);
        // Give each handler a chance to recover (e.g. issue a challenge) before failing
        result = null;
        for (AuthenticationHandler auth : handlers) {
            result = auth.handleError(httpRequest, httpResponse, filterChain);
            if (result.getStatus() != HandlerResult.Status.NO_ACTION) {
                LOGGER.debug("Handler {} set the status to {}", auth.getAuthenticationType(), result.getStatus());
                break;
            }
        }
        if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
            LOGGER.debug("Error during authentication - no error recovery attempted - returning bad request.");
            httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            httpResponse.flushBuffer();
        }
        throw new AuthenticationFailureException(e);
    }
}
Also used : HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) AuthenticationHandler(org.codice.ddf.security.handler.api.AuthenticationHandler) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) AuthenticationChallengeException(org.codice.ddf.platform.filter.AuthenticationChallengeException) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException) SessionException(org.apache.shiro.session.SessionException) IOException(java.io.IOException) AuthenticationException(org.codice.ddf.platform.filter.AuthenticationException)
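handleRequest takes X-FORWARDED-FOR at face value and uses it for the log lines and, in handleResultStatus, for the GuestAuthenticationToken. An added example (not DDF code) of the check a deployment behind a reverse proxy wants: only honour the header when the TCP peer is a known proxy, and walk the comma-separated list from the right, skipping trusted hops, so a value the client prepended cannot become the recorded address. The trusted-proxy set, the class name and the sample addresses are assumptions for the demo.

```java
import java.util.Set;

/** Added example, not DDF code: trusted-proxy-aware client address resolution. */
public class ClientAddressResolver {
    private final Set<String> trustedProxies;

    ClientAddressResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * remoteAddr is the TCP peer as reported by the container; xff is the raw
     * X-Forwarded-For value or null. If the peer is not a trusted proxy the header
     * is ignored entirely, because anyone can send it. Otherwise each proxy in the
     * chain appended the address it saw, so the right-most untrusted entry is the client.
     */
    String resolve(String remoteAddr, String xff) {
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) continue;
            if (!trustedProxies.contains(hop)) return hop;
        }
        // Every listed hop was a trusted proxy; fall back to the peer rather than trusting nothing.
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientAddressResolver r = new ClientAddressResolver(Set.of("10.0.0.5")); // assumed proxy address
        // Direct connection that spoofs the header: the header is ignored.
        System.out.println(r.resolve("203.0.113.7", "1.2.3.4"));
        // Via the trusted proxy; the client prepended a fake entry, the proxy appended the real peer.
        System.out.println(r.resolve("10.0.0.5", "1.2.3.4, 198.51.100.9"));
        // Via the trusted proxy with no spoofing.
        System.out.println(r.resolve("10.0.0.5", "198.51.100.9"));
    }
}
```

With the proxy set as assumed, the three calls print 203.0.113.7, 198.51.100.9 and 198.51.100.9: the spoofed 1.2.3.4 never reaches the logs or the guest token in either case.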

Example 5 with AuthenticationFailureException

use of org.codice.ddf.platform.filter.AuthenticationFailureException in project ddf by codice.

the class WebSSOFilter method handleResultStatus.

private void handleResultStatus(HttpServletRequest httpRequest, HttpServletResponse httpResponse, HandlerResult result, String path, String ipAddress) throws AuthenticationChallengeException, AuthenticationFailureException {
    if (result != null) {
        switch(result.getStatus()) {
            case REDIRECTED:
                // handler handled the response - it is redirecting or whatever
                // necessary to get their tokens
                LOGGER.debug("Stopping filter chain - handled by plugins");
                throw new AuthenticationChallengeException("Stopping filter chain - handled by plugins");
            case NO_ACTION:
                if (!contextPolicyManager.getGuestAccess()) {
                    LOGGER.warn("No handlers were able to determine required credentials, returning bad request to {}. Check policy configuration for path: {}", ipAddress, path);
                    returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
                    throw new AuthenticationFailureException("No handlers were able to determine required credentials");
                }
                result = new HandlerResultImpl(Status.COMPLETED, new GuestAuthenticationToken(ipAddress, securityLogger));
                result.setSource("default");
            // fall through
            case COMPLETED:
                if (result.getToken() == null) {
                    LOGGER.warn("Completed without credentials for {} - check context policy configuration for path: {}", ipAddress, path);
                    returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
                    throw new AuthenticationFailureException("Completed without credentials");
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Attaching result handler to the http request - token is instance of {} from classloader {}", result.getToken().getClass().getName(), result.getToken().getClass().getClassLoader());
                }
                if (result.getToken() instanceof BaseAuthenticationToken) {
                    ((BaseAuthenticationToken) result.getToken()).setAllowGuest(contextPolicyManager.getGuestAccess());
                }
                httpRequest.setAttribute(AUTHENTICATION_TOKEN_KEY, result);
                break;
            default:
                LOGGER.warn("Unexpected response from handler - ignoring. Remote IP: {}, Path: {}", ipAddress, path);
                throw new AuthenticationFailureException("Unexpected response from handler");
        }
    } else {
        LOGGER.warn("Expected login credentials from {} - didn't find any. Returning a bad request for path: {}", ipAddress, path);
        returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
        throw new AuthenticationFailureException("Didn't find any login credentials");
    }
}
Also used : AuthenticationChallengeException(org.codice.ddf.platform.filter.AuthenticationChallengeException) GuestAuthenticationToken(org.codice.ddf.security.handler.GuestAuthenticationToken) HandlerResultImpl(org.codice.ddf.security.handler.HandlerResultImpl) BaseAuthenticationToken(org.codice.ddf.security.handler.BaseAuthenticationToken) AuthenticationFailureException(org.codice.ddf.platform.filter.AuthenticationFailureException)

Aggregations

AuthenticationFailureException (org.codice.ddf.platform.filter.AuthenticationFailureException) 11
IOException (java.io.IOException) 5
HttpServletRequest (javax.servlet.http.HttpServletRequest) 4
HttpServletResponse (javax.servlet.http.HttpServletResponse) 4
HandlerResultImpl (org.codice.ddf.security.handler.HandlerResultImpl) 4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException) 3
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult) 3
IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor) 3
Document (org.w3c.dom.Document) 3
Element (org.w3c.dom.Element) 3
SignatureException (ddf.security.samlp.SignatureException) 2
AuthenticationChallengeException (org.codice.ddf.platform.filter.AuthenticationChallengeException) 2
SecurityAssertion (ddf.security.assertion.SecurityAssertion) 1
SecurityServiceException (ddf.security.service.SecurityServiceException) 1
UnsupportedEncodingException (java.io.UnsupportedEncodingException) 1
URI (java.net.URI) 1
URISyntaxException (java.net.URISyntaxException) 1
X509Certificate (java.security.cert.X509Certificate) 1
UriBuilder (javax.ws.rs.core.UriBuilder) 1
UriBuilderImpl (org.apache.cxf.jaxrs.impl.UriBuilderImpl) 1