
Example 16 with HandlerResultImpl

use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.

Class IdpHandler, method getNormalizedToken.

/**
 * Handler implementing SAML 2.0 IdP authentication. Supports HTTP-Redirect and HTTP-POST
 * bindings.
 *
 * <p>Requests are dealt with in this order: a HEAD request is answered with an empty 200 and
 * {@code NO_ACTION}; a SAML assertion already carried in the request header or legacy cookie
 * completes authentication; an ECP-enabled client is handed to the PAOS path; when the
 * user-agent check is enabled, non-browser clients get {@code NO_ACTION} so other handlers can
 * process them; everything else is sent to the IdP using the single-sign-on binding from the
 * IdP metadata (HTTP-Redirect when none is advertised) and {@code REDIRECTED} is returned.
 *
 * @param request http request to obtain attributes from and to pass into any local filter chains
 *     required
 * @param response http response to return http responses or redirects
 * @param chain original filter chain (should not be called from your handler)
 * @param resolve flag with true implying that credentials should be obtained, false implying
 *     return if no credentials are found.
 * @return result of handling this request - status and optional tokens
 * @throws AuthenticationFailureException if the empty response to a HEAD request cannot be
 *     flushed to the client
 */
@Override
public HandlerResult getNormalizedToken(ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve) throws AuthenticationFailureException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;

    // HEAD probes are answered immediately; no authentication flow is started for them.
    if (httpRequest.getMethod().equals("HEAD")) {
        HttpServletResponse headResponse = (HttpServletResponse) response;
        headResponse.setStatus(HttpServletResponse.SC_OK);
        try {
            headResponse.flushBuffer();
        } catch (IOException e) {
            // NOTE(review): the IOException is not chained as the cause of the thrown exception;
            // worth attaching it if AuthenticationFailureException offers a cause constructor.
            throw new AuthenticationFailureException("Unable to send response to HEAD message from IdP client.");
        }
        return new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
    }

    // An assertion the client already carries short-circuits the round trip to the IdP.
    LOGGER.trace("Checking for assertion in HTTP header.");
    HandlerResult assertionResult = checkForAssertionInHttpHeader(request);
    boolean assertionCompleted =
        assertionResult != null && assertionResult.getStatus() == HandlerResult.Status.COMPLETED;
    if (assertionCompleted) {
        return assertionResult;
    }

    if (isEcpEnabled(request)) {
        return doPaosRequest(request, response);
    }

    // Non-browser clients are not sent to the IdP; NO_ACTION leaves them to other handlers.
    if (userAgentCheck && userAgentIsNotBrowser(httpRequest)) {
        securityLogger.audit("Attempting to log client in as a legacy system.");
        return new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
    }

    String path = httpRequest.getServletPath();
    LOGGER.debug("Doing IdP authentication and authorization for path {}", path);

    HttpServletResponse httpResponse = (HttpServletResponse) response;
    String ssoBinding = idpMetadata.getSingleSignOnBinding();
    // Default to HTTP-Redirect if binding is null
    boolean useRedirectBinding = ssoBinding == null || ssoBinding.endsWith("Redirect");
    if (useRedirectBinding) {
        doHttpRedirectBinding(httpRequest, httpResponse);
    } else {
        doHttpPostBinding(httpRequest, httpResponse);
    }

    HandlerResult redirected = new HandlerResultImpl(HandlerResult.Status.REDIRECTED, null);
    redirected.setSource(SOURCE);
    return redirected;
}

Example 17 with HandlerResultImpl

use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.

Class IdpHandler, method checkForAssertionInHttpHeader.

/**
 * Looks for a SAML assertion the client already carries: first in the
 * {@code SecurityConstants.SAML_HEADER_NAME} header (expected form {@code "SAML <encoded>"}),
 * then in the legacy {@code SecurityConstants.SAML_COOKIE_NAME} cookie.
 *
 * <p>Decoding failures are logged and the result is returned without a token, so the caller
 * sees a status other than {@code COMPLETED} instead of an exception. Neither lookup is attempted
 * when {@code samlSecurity} is not configured.
 *
 * <p>NOTE(review): no signature or conditions validation of the assertion is visible in this
 * method; confirm it happens in {@code SecurityAssertionSaml}/{@code SAMLUtils} or downstream
 * before the resulting token is trusted.
 *
 * @param request servlet request to inspect; must be an {@code HttpServletRequest}
 * @return a result with a {@code SAMLAuthenticationToken} and {@code COMPLETED} when an assertion
 *     was decoded, a token-less result when decoding failed, or {@code null} when neither header
 *     nor cookie was usable
 */
private HandlerResult checkForAssertionInHttpHeader(ServletRequest request) {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HandlerResult result = new HandlerResultImpl();

    // 1) Full SAML assertion in the auth header (federated requests, etc.)
    String authHeader = httpRequest.getHeader(SecurityConstants.SAML_HEADER_NAME);
    if (authHeader != null) {
        String[] parts = authHeader.split(" ");
        boolean samlScheme = parts.length == 2 && "SAML".equals(parts[0]);
        if (samlScheme && samlSecurity != null) {
            LOGGER.trace("Header retrieved");
            try {
                String tokenString = samlSecurity.inflateBase64(parts[1]);
                LOGGER.trace("Header value: {}", LogSanitizer.sanitize(tokenString));
                SimplePrincipalCollection principals = new SimplePrincipalCollection();
                principals.add(new SecurityAssertionSaml(SAMLUtils.getInstance().getSecurityTokenFromSAMLAssertion(tokenString)), "default");
                result.setToken(new SAMLAuthenticationToken(principals, principals, request.getRemoteAddr()));
                result.setStatus(HandlerResult.Status.COMPLETED);
            } catch (IOException e) {
                LOGGER.info("Unexpected error converting header value to string", e);
            }
            return result;
        }
    }

    // 2) Legacy SAML cookie
    Map<String, Cookie> cookies = HttpUtils.getCookieMap(httpRequest);
    Cookie samlCookie = cookies.get(SecurityConstants.SAML_COOKIE_NAME);
    if (samlCookie == null || samlSecurity == null) {
        return null;
    }
    LOGGER.trace("Cookie retrieved");
    try {
        String tokenString = samlSecurity.inflateBase64(samlCookie.getValue());
        LOGGER.trace("Cookie value: {}", LogSanitizer.sanitize(tokenString));
        Element assertionElement = StaxUtils.read(new StringReader(tokenString)).getDocumentElement();
        SimplePrincipalCollection principals = new SimplePrincipalCollection();
        principals.add(new SecurityAssertionSaml(assertionElement), "default");
        // The first constructor argument is null here, whereas the header path passes the
        // principal collection twice.
        result.setToken(new SAMLAuthenticationToken(null, principals, request.getRemoteAddr()));
        result.setStatus(HandlerResult.Status.COMPLETED);
    } catch (IOException e) {
        LOGGER.info("Unexpected error converting cookie value to string - proceeding without SAML token.", e);
    } catch (XMLStreamException e) {
        LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
    }
    return result;
}

Example 18 with HandlerResultImpl

use of org.codice.ddf.security.handler.HandlerResultImpl in project ddf by codice.

Class PKIHandler, method getNormalizedToken.

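/**
 * Handler implementing PKI authentication. Returns the {@link
 * org.codice.ddf.security.handler.api.HandlerResult} containing a BinarySecurityToken if the
 * operation was successful.
 *
 * <p>Outcomes: {@code NO_ACTION} when no token could be built from the request's certificate
 * chain (or when {@code resolve} is set and the response is not an HTTP response);
 * {@code COMPLETED} carrying the token when the chain passes both the CRL and the OCSP check;
 * {@code REDIRECTED} after a 403 has been written when either revocation check fails.
 *
 * @param request http request to obtain attributes from and to pass into any local filter chains
 *     required
 * @param response http response to return http responses or redirects
 * @param chain original filter chain (should not be called from your handler)
 * @param resolve flag with true implying that credentials should be obtained, false implying
 *     return if no credentials are found.
 * @return result of handling this request - status and optional tokens
 */
@Override
public HandlerResult getNormalizedToken(ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve) {
    HandlerResult handlerResult = new HandlerResultImpl(HandlerResult.Status.NO_ACTION, null);
    handlerResult.setSource(SOURCE);
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    String path = httpRequest.getServletPath();
    LOGGER.debug("Doing PKI authentication and authorization for path {}", path);
    // doesn't matter what the resolve flag is set to, we do the same action
    // Standard servlet attribute: the container sets it from the TLS client certificate chain,
    // so it is absent (null) when the client did not present a certificate.
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    AuthenticationToken token = tokenFactory.fromCertificates(certs, request.getRemoteAddr());
    HttpServletResponse httpResponse = response instanceof HttpServletResponse ? (HttpServletResponse) response : null;
    // The httpResponse was null, return no action and try to process with other handlers
    if (httpResponse == null && resolve) {
        LOGGER.debug("HTTP Response was null for request {}", path);
        return handlerResult;
    }
    // No auth info was extracted, return NO_ACTION
    if (token == null) {
        return handlerResult;
    }
    // WebSSOFilter
    if (crlChecker == null) {
        // NOTE(review): lazy initialisation of a field without synchronization; harmless if
        // CrlChecker construction is cheap and idempotent, otherwise confirm.
        crlChecker = new CrlChecker(securityLogger);
    }
    // Both revocation checks must pass; OCSP is skipped when the CRL check already failed.
    if (crlChecker.passesCrlCheck(certs) && ocspService.passesOcspCheck(certs)) {
        handlerResult.setToken(token);
        handlerResult.setStatus(HandlerResult.Status.COMPLETED);
    } else {
        if (httpResponse == null) {
            LOGGER.error("Error returning revoked certificate request because the HTTP response object is invalid.");
        } else {
            try {
                httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Your certificate is revoked.");
                httpResponse.flushBuffer();
                LOGGER.info("The certificate used to complete the request has been revoked.");
            } catch (Exception e) {
                // Log the exception itself; without it the reason the 403 could not be sent is lost.
                LOGGER.error("Error returning revoked certificate request.", e);
            }
        }
        handlerResult.setStatus(HandlerResult.Status.REDIRECTED);
    }
    return handlerResult;
}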
