use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.
the class IdpHandler method getNormalizedToken.
/**
 * Handler implementing SAML 2.0 IdP authentication. Supports HTTP-Redirect and HTTP-POST
 * bindings.
 *
 * <p>Evaluation order: a HEAD request is answered with 200 and {@code NO_ACTION}; an assertion
 * already carried in the SAML header (or the legacy SAML cookie) completes authentication
 * directly; an ECP-capable client receives a PAOS request; when the user-agent check is enabled,
 * a non-browser client gets {@code NO_ACTION}; every other request is sent to the IdP using the
 * single-sign-on binding advertised in the IdP metadata (HTTP-Redirect when none is given).
 *
 * @param request http request to obtain attributes from and to pass into any local filter chains
 *     required
 * @param response http response to return http responses or redirects
 * @param chain original filter chain (should not be called from your handler)
 * @param resolve flag with true implying that credentials should be obtained, false implying
 *     return if no credentials are found.
 * @return result of handling this request - status and optional tokens
 * @throws AuthenticationFailureException if the 200 response to a HEAD request cannot be flushed
 */
@Override
public HandlerResult getNormalizedToken(
    ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve)
    throws AuthenticationFailureException {
  HttpServletRequest httpReq = (HttpServletRequest) request;

  // HEAD probes from IdP clients are acknowledged and never authenticated.
  if (httpReq.getMethod().equals("HEAD")) {
    ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_OK);
    try {
      response.flushBuffer();
    } catch (IOException e) {
      // NOTE(review): the IOException is not chained as the cause of the thrown exception.
      throw new AuthenticationFailureException(
          "Unable to send response to HEAD message from IdP client.");
    }
    return new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
  }

  // An assertion already present on the request short-circuits the redirect flow.
  LOGGER.trace("Checking for assertion in HTTP header.");
  HandlerResult headerResult = checkForAssertionInHttpHeader(request);
  boolean completedFromHeader =
      headerResult != null && headerResult.getStatus() == HandlerResult.Status.COMPLETED;
  if (completedFromHeader) {
    return headerResult;
  }

  if (isEcpEnabled(request)) {
    return doPaosRequest(request, response);
  }

  // A non-browser client cannot follow an IdP redirect; leave it to the other handlers.
  if (userAgentCheck && userAgentIsNotBrowser(httpReq)) {
    securityLogger.audit("Attempting to log client in as a legacy system.");
    return new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
  }

  HandlerResult redirectResult = new HandlerResultImpl(HandlerResult.Status.REDIRECTED, null);
  redirectResult.setSource(SOURCE);
  String servletPath = httpReq.getServletPath();
  LOGGER.debug("Doing IdP authentication and authorization for path {}", servletPath);

  HttpServletResponse httpResp = (HttpServletResponse) response;
  String ssoBinding = idpMetadata.getSingleSignOnBinding();
  // Default to HTTP-Redirect if binding is null
  boolean useRedirectBinding = ssoBinding == null || ssoBinding.endsWith("Redirect");
  if (useRedirectBinding) {
    doHttpRedirectBinding(httpReq, httpResp);
  } else {
    doHttpPostBinding(httpReq, httpResp);
  }
  return redirectResult;
}
use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.
the class IdpHandler method checkForAssertionInHttpHeader.
/**
 * Looks for a SAML assertion already attached to the request: first the {@code
 * SecurityConstants.SAML_HEADER_NAME} header in the form {@code "SAML <base64-deflated>"}, then
 * the legacy {@code SecurityConstants.SAML_COOKIE_NAME} cookie.
 *
 * @param request incoming request, expected to be an {@link HttpServletRequest}
 * @return a result with status {@code COMPLETED} and a {@link SAMLAuthenticationToken} when an
 *     assertion was decoded; a result with the default status when a header or cookie was present
 *     but could not be decoded; {@code null} when neither carried an assertion (or {@code
 *     samlSecurity} is not set)
 */
private HandlerResult checkForAssertionInHttpHeader(ServletRequest request) {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HandlerResult result = new HandlerResultImpl();

  // check for full SAML assertions coming in (federated requests, etc.)
  String authHeader = httpRequest.getHeader(SecurityConstants.SAML_HEADER_NAME);
  if (authHeader != null) {
    String[] parts = authHeader.split(" ");
    boolean isSamlScheme = parts.length == 2 && parts[0].equals("SAML");
    if (isSamlScheme && samlSecurity != null) {
      LOGGER.trace("Header retrieved");
      try {
        String assertionXml = samlSecurity.inflateBase64(parts[1]);
        LOGGER.trace("Header value: {}", LogSanitizer.sanitize(assertionXml));
        SimplePrincipalCollection principals = new SimplePrincipalCollection();
        principals.add(
            new SecurityAssertionSaml(
                SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(assertionXml)),
            "default");
        // NOTE(review): the header path passes the collection as both the first and second
        // constructor arguments, while the cookie path below passes null first — confirm intended.
        result.setToken(
            new SAMLAuthenticationToken(principals, principals, request.getRemoteAddr()));
        result.setStatus(HandlerResult.Status.COMPLETED);
      } catch (IOException e) {
        LOGGER.info("Unexpected error converting header value to string", e);
      }
      return result;
    }
  }

  // Check for legacy SAML cookie
  Map<String, Cookie> cookies = HttpUtils.getCookieMap(httpRequest);
  Cookie samlCookie = cookies.get(SecurityConstants.SAML_COOKIE_NAME);
  if (samlCookie == null || samlSecurity == null) {
    return null;
  }
  LOGGER.trace("Cookie retrieved");
  try {
    String assertionXml = samlSecurity.inflateBase64(samlCookie.getValue());
    LOGGER.trace("Cookie value: {}", LogSanitizer.sanitize(assertionXml));
    Element assertionElement =
        StaxUtils.read(new StringReader(assertionXml)).getDocumentElement();
    SimplePrincipalCollection principals = new SimplePrincipalCollection();
    principals.add(new SecurityAssertionSaml(assertionElement), "default");
    result.setToken(new SAMLAuthenticationToken(null, principals, request.getRemoteAddr()));
    result.setStatus(HandlerResult.Status.COMPLETED);
  } catch (IOException e) {
    LOGGER.info("Unexpected error converting cookie value to string - proceeding without SAML token.", e);
  } catch (XMLStreamException e) {
    LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
  }
  return result;
}
use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.
the class PKIHandler method getNormalizedToken.
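/**
 * Handler implementing PKI authentication. Returns the {@link
 * org.codice.ddf.security.handler.api.HandlerResult} containing a BinarySecurityToken if the
 * operation was successful.
 *
 * <p>Outcomes: {@code NO_ACTION} when no token could be built from the client certificates (or
 * when the response is not an HTTP response and {@code resolve} is set); {@code COMPLETED} when
 * the certificates pass both the CRL and the OCSP check; {@code REDIRECTED} when revocation
 * checking fails, in which case a 403 has been written to the response where possible.
 *
 * @param request http request to obtain attributes from and to pass into any local filter chains
 *     required
 * @param response http response to return http responses or redirects
 * @param chain original filter chain (should not be called from your handler)
 * @param resolve flag with true implying that credentials should be obtained, false implying
 *     return if no credentials are found.
 * @return result of handling this request - status and optional tokens
 */
@Override
public HandlerResult getNormalizedToken(
    ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve) {
  HandlerResult handlerResult = new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
  handlerResult.setSource(SOURCE);
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  String path = httpRequest.getServletPath();
  LOGGER.debug("Doing PKI authentication and authorization for path {}", path);

  // doesn't matter what the resolve flag is set to, we do the same action
  X509Certificate[] certs =
      (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
  AuthenticationToken token = tokenFactory.fromCertificates(certs, request.getRemoteAddr());
  HttpServletResponse httpResponse =
      response instanceof HttpServletResponse ? (HttpServletResponse) response : null;

  // The httpResponse was null, return no action and try to process with other handlers
  if (httpResponse == null && resolve) {
    LOGGER.debug("HTTP Response was null for request {}", path);
    return handlerResult;
  }
  // No auth info was extracted, return NO_ACTION
  if (token == null) {
    return handlerResult;
  }

  // WebSSOFilter
  // NOTE(review): this lazy init of the crlChecker field is unsynchronized, so concurrent first
  // calls may each construct a CrlChecker — benign only if construction is side-effect free.
  if (crlChecker == null) {
    crlChecker = new CrlChecker(securityLogger);
  }

  // Both revocation checks must pass; a CRL failure short-circuits the OCSP lookup.
  if (crlChecker.passesCrlCheck(certs) && ocspService.passesOcspCheck(certs)) {
    handlerResult.setToken(token);
    handlerResult.setStatus(HandlerResult.Status.COMPLETED);
    return handlerResult;
  }

  // Revoked: refuse the request. The status is REDIRECTED regardless of whether the 403 could be
  // written, so a failed sendError never lets the request through as COMPLETED.
  if (httpResponse == null) {
    LOGGER.error(
        "Error returning revoked certificate request because the HTTP response object is invalid.");
  } else {
    try {
      httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Your certificate is revoked.");
      httpResponse.flushBuffer();
      LOGGER.info("The certificate used to complete the request has been revoked.");
    } catch (Exception e) {
      // Log the cause (previously dropped) so a 403 that fails to send is diagnosable.
      LOGGER.error("Error returning revoked certificate request.", e);
    }
  }
  handlerResult.setStatus(HandlerResult.Status.REDIRECTED);
  return handlerResult;
}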