
Example 11 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.BaseAuthenticationToken in project ddf by codice.

the class Security method getSystemSubject.

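/**
 * Gets the {@link Subject} associated with this system. Uses a cached subject since the subject
 * will not change between calls.
 *
 * <p>Every call is audited, then gated twice before the cache is consulted: the Java security
 * manager (when one is installed) must grant {@code GET_SYSTEM_SUBJECT_PERMISSION}, and the
 * calling Java subject must hold the admin role. On first use the subject is built from the
 * system key store's certificate: a single-entry store uses its only alias, a larger one uses
 * the configured certificate alias.
 *
 * @return system's {@link Subject} or {@code null} if unable to get the system's {@link Subject}
 * @throws SecurityException if a security manager exists and the {@link
 *     javax.security.auth.AuthPermission AuthPermission("getSystemSubject")} or {@link
 *     javax.security.auth.AuthPermission AuthPermission("getSubject")} permissions are not
 *     authorized
 */
@Override
@Nullable
public final synchronized Subject getSystemSubject() {
    auditSystemSubjectAccess();
    // Fully qualified on purpose: the plain SecurityManager name in this file is ddf's service.
    final java.lang.SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkPermission(Security.GET_SYSTEM_SUBJECT_PERMISSION);
    }
    if (!javaSubjectHasAdminRole()) {
        securityLogger.audit("Unable to retrieve system subject.");
        return null;
    }
    if (cachedSystemSubject != null) {
        return cachedSystemSubject;
    }
    // Runs privileged: the key-store lookup is performed on this class's own authority rather
    // than the caller's, which has already passed the checks above.
    KeyStore keyStore = AccessController.doPrivileged((PrivilegedAction<KeyStore>) this::getSystemKeyStore);
    String alias = null;
    Certificate cert = null;
    try {
        if (keyStore != null) {
            if (keyStore.size() == 1) {
                alias = keyStore.aliases().nextElement();
            } else if (keyStore.size() > 1) {
                alias = getCertificateAlias();
            }
            // An empty store, or a configured alias that is unset, leaves alias null. Do not pass
            // that to the key store: the JDK key store implementations dereference the alias and
            // would raise NullPointerException instead of the null return this method promises.
            if (alias != null) {
                cert = keyStore.getCertificate(alias);
            }
        }
    } catch (KeyStoreException e) {
        LOGGER.warn("Unable to get certificate for alias [{}]", alias, e);
        return null;
    }
    if (cert == null) {
        LOGGER.warn("Unable to get certificate for alias [{}]", alias);
        return null;
    }
    if (!(cert instanceof X509Certificate)) {
        // The token factory only accepts X.509; any other certificate type is a configuration
        // problem and is reported the same way as a missing certificate.
        LOGGER.warn("Certificate for alias [{}] is not an X.509 certificate", alias);
        return null;
    }
    AuthenticationTokenFactory tokenFactory = createBasicTokenFactory();
    // The system user is local, so the token is attributed to the loopback address.
    AuthenticationToken token = tokenFactory.fromCertificates(new X509Certificate[] { (X509Certificate) cert }, "127.0.0.1");
    if (token != null) {
        if (token instanceof BaseAuthenticationToken) {
            // NOTE(review): with allowGuest set, GuestRealm.supports() accepts this token (see
            // GuestRealmTest.testSupportsBaseGuestAllowed), so the system user could end up with a
            // guest subject if the certificate is not honoured elsewhere; confirm that fallback
            // is intended for the system identity.
            ((BaseAuthenticationToken) token).setAllowGuest(true);
        }
        SecurityManager securityManager = getSecurityManager();
        if (securityManager != null) {
            try {
                cachedSystemSubject = securityManager.getSubject(token);
            } catch (SecurityServiceException sse) {
                LOGGER.warn("Unable to request subject for system user.", sse);
            }
        }
    }
    return cachedSystemSubject;
}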

Example 12 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.BaseAuthenticationToken in project ddf by codice.

the class GuestRealm method doGetAuthenticationInfo.

/**
 * Builds the authentication info for a guest token: the principals derived from the token plus
 * the token's own credentials. The realm contract has already vetted the token through
 * {@code supports}, which is why the cast to {@link BaseAuthenticationToken} is unchecked here.
 *
 * @param authenticationToken the token being authenticated; must be a {@link BaseAuthenticationToken}
 * @return authentication info carrying the generated principals and the token's credentials
 * @throws AuthenticationException declared by the realm contract; nothing in this method raises
 *     it directly
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
    final BaseAuthenticationToken guestToken = (BaseAuthenticationToken) authenticationToken;
    final SimplePrincipalCollection guestPrincipals = createPrincipalFromToken(guestToken);
    final SimpleAuthenticationInfo info = new SimpleAuthenticationInfo();
    info.setPrincipals(guestPrincipals);
    info.setCredentials(authenticationToken.getCredentials());
    // NOTE(review): the IP address is taken straight from the token; if it originates from a
    // client-supplied header, consider sanitizing it before it lands in the audit log.
    securityLogger.audit("Guest assertion generated for IP address: " + guestToken.getIpAddress());
    return info;
}

Example 13 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.BaseAuthenticationToken in project ddf by codice.

the class GuestRealmTest method testSupportsBaseGuestAllowed.

/** A base token with {@code allowGuest} set must be accepted by the guest realm. */
@Test
public void testSupportsBaseGuestAllowed() {
    final BaseAuthenticationToken guestAllowedToken =
        new MockBaseAuthenticationToken("principal", "credentials", "0.0.0.0");
    guestAllowedToken.setAllowGuest(true);
    assertTrue(guestRealm.supports(guestAllowedToken));
}

Example 14 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.BaseAuthenticationToken in project ddf by codice.

the class GuestRealmTest method testDoGetAuthenticationInfo.

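/**
 * Authenticating a guest-allowed token must return the token's own credentials, exactly two
 * principals in order (the guest name, then a {@link SecurityAssertion}), only the two
 * well-formed configured claims, and a fresh {@link AuthenticationInfo} on every call.
 */
@Test
public void testDoGetAuthenticationInfo() {
    final BaseAuthenticationToken guestToken =
        new MockBaseAuthenticationToken("principal", "credentials", "0.0.0.0");
    guestToken.setAllowGuest(true);

    final AuthenticationInfo authenticationInfo = guestRealm.doGetAuthenticationInfo(guestToken);
    assertEquals(guestToken.getCredentials(), authenticationInfo.getCredentials());

    final PrincipalCollection principals = authenticationInfo.getPrincipals();
    assertEquals(2, principals.asList().size());
    // Principal order is part of the contract: guest name first, assertion second.
    final Iterator<?> principalIterator = principals.iterator();
    assertEquals("Guest@0.0.0.0", principalIterator.next());
    final Object secondPrincipal = principalIterator.next();
    assertTrue(secondPrincipal instanceof SecurityAssertion);
    final SecurityAssertion securityAssertion = (SecurityAssertion) secondPrincipal;

    assertEquals(2, securityAssertion.getAttributeStatements().get(0).getAttributes().size());
    boolean sawClaim1 = false;
    boolean sawClaim2 = false;
    boolean sawColonClaim = false;
    boolean sawBadClaim = false;
    for (Attribute attribute : securityAssertion.getAttributeStatements().get(0).getAttributes()) {
        // Constant-first equals so a null attribute name fails the assertions below instead of
        // throwing NullPointerException out of the loop.
        if ("claim1".equals(attribute.getName())) {
            sawClaim1 = true;
            assertEquals("value1", attribute.getValues().get(0));
        } else if ("claim2".equals(attribute.getName())) {
            sawClaim2 = true;
            assertTrue(attribute.getValues().stream().anyMatch("value2"::equals));
            assertTrue(attribute.getValues().stream().anyMatch("value3"::equals));
        } else if (":".equals(attribute.getName())) {
            sawColonClaim = true;
        } else if ("bad".equals(attribute.getName())) {
            sawBadClaim = true;
        }
    }
    assertTrue(sawClaim1);
    assertTrue(sawClaim2);
    // Attributes named ":" and "bad" (presumably the malformed entries of the test claim
    // configuration) must not surface in the assertion.
    assertFalse(sawColonClaim);
    assertFalse(sawBadClaim);

    // Each call must produce a new instance rather than hand back a shared or cached object.
    final AuthenticationInfo secondAuthenticationInfo = guestRealm.doGetAuthenticationInfo(guestToken);
    assertNotSame(authenticationInfo, secondAuthenticationInfo);
}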

Example 15 with BaseAuthenticationToken

use of org.codice.ddf.security.handler.BaseAuthenticationToken in project ddf by codice.

the class PKIRealmTest method testSupportsGood.

/**
 * A mocked PKI-typed token carrying certificate credentials and an X.500 principal must be
 * supported by the PKI realm. The credentials array holds a single null entry: the test asserts
 * that {@code supports} does not require a populated certificate.
 */
@Test
public void testSupportsGood() {
    final BaseAuthenticationToken pkiToken = mock(BaseAuthenticationToken.class);
    when(pkiToken.getType()).thenReturn(AuthenticationTokenType.PKI);
    when(pkiToken.getPrincipal()).thenReturn(new X500Principal("cn=test"));
    when(pkiToken.getCredentials()).thenReturn(new X509Certificate[1]);
    assertTrue(pkiRealm.supports(pkiToken));
}
