Use of org.codice.ddf.security.handler.OidcAuthenticationToken in project ddf by codice:
the class OidcHandler, method getNormalizedToken.
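/**
 * Obtains OIDC credentials from a user-agent (browser) request, or redirects the user agent to the
 * identity provider when none are present.
 *
 * <p>HEAD requests are answered directly. Machine-to-machine requests (as classified by
 * {@code userAgentIsNotBrowser}) are left to other handlers with {@code noActionResult}. The
 * {@code chain} and {@code resolve} arguments are not used by this handler.
 *
 * @param request http request to obtain attributes from and to pass into any local filter chains
 *     required
 * @param response http response to return http responses or redirects
 * @param chain original filter chain (should not be called from your handler); unused here
 * @param resolve flag with true implying that credentials should be obtained, false implying
 *     return if no credentials are found; unused here
 * @return result of handling this request - status and optional tokens: {@code COMPLETED} with an
 *     {@code OidcAuthenticationToken} when credentials were found, a redirect result when they
 *     were not, or {@code noActionResult} when the request is not for this handler
 * @throws AuthenticationFailureException declared by the handler contract; nothing in this method
 *     throws it directly
 */
@Override
public HandlerResult getNormalizedToken(
    ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve)
    throws AuthenticationFailureException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HttpServletResponse httpResponse = (HttpServletResponse) response;

  if (httpRequest.getMethod().equals("HEAD")) {
    return processHeadRequest(httpResponse);
  }

  LOGGER.debug(
      "Doing Oidc authentication and authorization for path {}.", httpRequest.getContextPath());

  JEESessionStore sessionStore = new JEESessionStore();
  JEEContext jeeContext = new JEEContext(httpRequest, httpResponse, sessionStore);

  // The full request URL (including query string) is reused both to look up the client and as
  // the target handed to redirectForCredentials. NOTE(review): getRequestURL() is generally
  // reconstructed from request headers such as Host; confirm the downstream redirect logic
  // validates the target it builds from this value.
  String queryString = httpRequest.getQueryString();
  StringBuffer requestUrlBuffer = httpRequest.getRequestURL();
  if (queryString != null) {
    requestUrlBuffer.append('?').append(queryString);
  }
  String requestUrl = requestUrlBuffer.toString();
  String ipAddress = httpRequest.getRemoteAddr();
  OidcClient<OidcConfiguration> oidcClient = configuration.getOidcClient(requestUrl);

  // Machine-to-machine callers are served by other handlers; this one only handles browsers.
  if (userAgentIsNotBrowser(httpRequest)) {
    LOGGER.debug(
        "The Oidc Handler does not handle machine to machine requests. Continuing to other handlers.");
    return noActionResult;
  }

  // Check for Authorization Code Flow, Implicit Flow, or Hybrid Flow credentials.
  OidcCredentials credentials;
  try {
    credentials = getCredentialsFromRequest(oidcClient, jeeContext);
  } catch (IllegalArgumentException e) {
    // Use a constant SLF4J pattern: passing e.getMessage() as the format string would let any
    // "{}" inside the message be interpreted as a placeholder.
    LOGGER.debug("{}", e.getMessage(), e);
    LOGGER.error(
        "Problem with the Oidc Handler's configuration. "
            + "Check the Oidc Handler configuration in the admin console.");
    return noActionResult;
  } catch (TechnicalException e) {
    LOGGER.debug("Problem extracting Oidc credentials from incoming user request.", e);
    return redirectForCredentials(oidcClient, jeeContext, requestUrl);
  }

  // Credentials count only if at least one of code / access token / ID token is present.
  boolean hasCredentialValues =
      credentials != null
          && (credentials.getCode() != null
              || credentials.getAccessToken() != null
              || credentials.getIdToken() != null);
  if (!hasCredentialValues) {
    // The user agent request didn't have credentials; redirect and go get some.
    LOGGER.info(
        "No credentials found on user-agent request. "
            + "Redirecting user-agent to IdP for credentials.");
    return redirectForCredentials(oidcClient, jeeContext, requestUrl);
  }

  LOGGER.info("Oidc credentials found/retrieved. Saving to session and continuing filter chain.");
  OidcAuthenticationToken token = new OidcAuthenticationToken(credentials, jeeContext, ipAddress);
  HandlerResult handlerResult = new HandlerResultImpl(Status.COMPLETED, token);
  handlerResult.setSource(SOURCE);
  return handlerResult;
}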
Use of org.codice.ddf.security.handler.OidcAuthenticationToken in project ddf by codice:
the class OidcRealm, method doGetAuthenticationInfo.
/**
 * Resolves the ID token behind an {@link OidcAuthenticationToken} and builds the Shiro
 * authentication info for it.
 *
 * <p>The token is expected to have passed {@code supports(AuthenticationToken)} already, which is
 * what makes the casts below and the non-null credentials and web context safe to rely on.
 *
 * @param authenticationToken the token to authenticate
 * @return authentication info carrying the credentials and the principals derived from the
 *     resolved profile, or an empty principal collection when no profile could be created
 * @throws AuthenticationException if resolving the ID token fails, or if no ID token was obtained
 *     (in which case the session is destroyed before throwing)
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken)
    throws AuthenticationException {
  // Cast is safe: supports() only admits OidcAuthenticationToken.
  OidcAuthenticationToken oidcToken = (OidcAuthenticationToken) authenticationToken;
  OidcCredentials oidcCredentials = (OidcCredentials) oidcToken.getCredentials();

  OidcConfiguration oidcConfig = oidcHandlerConfiguration.getOidcConfiguration();
  OIDCProviderMetadata providerMetadata = oidcConfig.findProviderMetadata();
  WebContext context = (WebContext) oidcToken.getContext();
  OidcClient<OidcConfiguration> client =
      oidcHandlerConfiguration.getOidcClient(context.getFullRequestURL());
  int connectTimeoutMillis = oidcHandlerConfiguration.getConnectTimeout();
  int readTimeoutMillis = oidcHandlerConfiguration.getReadTimeout();

  try {
    OidcCredentialsResolver resolver =
        new OidcCredentialsResolver(
            oidcConfig, client, providerMetadata, connectTimeoutMillis, readTimeoutMillis);
    resolver.resolveIdToken(oidcCredentials, context);
  } catch (TechnicalException e) {
    throw new AuthenticationException(e);
  }

  if (oidcCredentials.getIdToken() == null) {
    // No ID token means the credentials are unusable (possibly expired); drop the session so the
    // caller is sent to acquire fresh ones.
    context.getSessionStore().destroySession(context);
    // NOTE(review): the credentials object is rendered via %s here — confirm that
    // OidcCredentials#toString does not expose raw token values in the log.
    String failure =
        String.format(
            "Could not fetch id token with Oidc credentials (%s). "
                + "This may be due to the credentials expiring. "
                + "Invalidating session in order to acquire valid credentials.",
            oidcCredentials);
    LOGGER.warn(failure);
    throw new AuthenticationException(failure);
  }

  OidcProfileCreator profileCreator = new CustomOidcProfileCreator(oidcConfig, client);
  Optional<UserProfile> profile = profileCreator.create(oidcCredentials, context);

  SimpleAuthenticationInfo authInfo = new SimpleAuthenticationInfo();
  authInfo.setCredentials(oidcCredentials);
  if (!profile.isPresent()) {
    authInfo.setPrincipals(new SimplePrincipalCollection());
    return authInfo;
  }
  OidcProfile oidcProfile = (OidcProfile) profile.get();
  authInfo.setPrincipals(createPrincipalCollectionFromCredentials(oidcProfile));
  return authInfo;
}
Use of org.codice.ddf.security.handler.OidcAuthenticationToken in project ddf by codice:
the class OidcRealm, method supports.
/**
 * Determine if the supplied token is supported by this realm.
 *
 * <p>A token is supported only when it is an {@link OidcAuthenticationToken} whose credentials
 * carry at least one of an authorization code, an access token or an ID token, and whose web
 * context is non-null. Every rejection is logged at debug level.
 *
 * @param token the token offered to this realm
 * @return {@code true} if {@code doGetAuthenticationInfo} can process the token
 */
@Override
public boolean supports(AuthenticationToken token) {
  if (token instanceof OidcAuthenticationToken) {
    OidcAuthenticationToken oidcAuthToken = (OidcAuthenticationToken) token;
    OidcCredentials creds = (OidcCredentials) oidcAuthToken.getCredentials();

    boolean hasCredentialValue =
        creds != null
            && (creds.getCode() != null
                || creds.getAccessToken() != null
                || creds.getIdToken() != null);
    if (!hasCredentialValue) {
      LOGGER.debug("The supplied authentication token has null/empty credentials. Sending back no supported.");
      return false;
    }

    WebContext context = (WebContext) oidcAuthToken.getContext();
    if (context == null) {
      LOGGER.debug("The supplied authentication token has null web context. Sending back not supported.");
      return false;
    }

    LOGGER.debug("Token {} is supported by {}.", token.getClass(), OidcRealm.class.getName());
    return true;
  }

  // NOTE(review): the message mentions SessionToken, but only OidcAuthenticationToken is
  // checked here.
  LOGGER.debug("The supplied authentication token is not an instance of SessionToken or OidcAuthenticationToken. Sending back not supported.");
  return false;
}
Use of org.codice.ddf.security.handler.OidcAuthenticationToken in project ddf by codice:
the class OAuthHandler, method getNormalizedToken.
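/**
 * Obtains Client Credentials Flow credentials from a machine-to-machine request.
 *
 * <p>HEAD requests are answered directly. User-agent (browser) requests are not handled by this
 * handler and are passed on with {@code noActionResult}, as are machine requests whose
 * credentials cannot be extracted or contain none of a code, an access token or an ID token. The
 * {@code chain} and {@code resolve} arguments are not used by this handler.
 *
 * @param request http request to obtain credentials from
 * @param response http response, used only to answer HEAD requests
 * @param chain original filter chain (should not be called from your handler); unused here
 * @param resolve unused here
 * @return {@code HandlerResult} with status {@code COMPLETED} and an {@code OidcAuthenticationToken}
 *     when credentials were found, otherwise {@code noActionResult}
 * @throws AuthenticationFailureException declared by the handler contract; nothing in this method
 *     throws it directly
 */
@Override
public HandlerResult getNormalizedToken(
    ServletRequest request, ServletResponse response, SecurityFilterChain chain, boolean resolve)
    throws AuthenticationFailureException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  HttpServletResponse httpResponse = (HttpServletResponse) response;

  if (httpRequest.getMethod().equals("HEAD")) {
    return processHeadRequest(httpResponse);
  }

  JEESessionStore sessionStore = new JEESessionStore();
  JEEContext jeeContext = new JEEContext(httpRequest, httpResponse, sessionStore);

  // Time to try and pull credentials off of the request.
  LOGGER.debug(
      "Doing OAuth authentication and authorization for path {}.", httpRequest.getContextPath());

  // Only machine-to-machine callers are served; browsers are left to other handlers.
  if (!userAgentIsNotBrowser(httpRequest)) {
    LOGGER.info("The OAuth Handler does not handle user agent requests. Continuing to other handlers.");
    return noActionResult;
  }

  String ipAddress = httpRequest.getRemoteAddr();

  // Machine to machine: check for Client Credentials Flow credentials.
  OidcCredentials credentials;
  try {
    credentials = getCredentialsFromRequest(jeeContext);
  } catch (IllegalArgumentException e) {
    LOGGER.error(
        "Problem with the OAuth Handler's OAuthHandlerConfiguration. "
            + "Check the OAuth Handler Configuration in the admin console.",
        e);
    return noActionResult;
  } catch (OAuthCredentialsException e) {
    LOGGER.error(
        "Problem extracting credentials from machine to machine request. "
            + "See OAuth2's \"Client Credential Flow\" for more information.",
        e);
    return noActionResult;
  }

  // Null-guard the credentials object (mirroring the OidcHandler) so a missing result degrades to
  // "no action" instead of a NullPointerException.
  boolean hasCredentialValues =
      credentials != null
          && (credentials.getCode() != null
              || credentials.getAccessToken() != null
              || credentials.getIdToken() != null);
  if (!hasCredentialValues) {
    // NOTE(review): this branch is only reached for machine-to-machine requests, yet the message
    // speaks of a user-agent request — confirm the intended wording.
    LOGGER.info(
        "No credentials found on user-agent request. "
            + "This handler does not support the acquisition of user agent credentials. Continuing to other handlers.");
    return noActionResult;
  }

  LOGGER.info("Oidc credentials found/retrieved. Saving to session and continuing filter chain.");
  OidcAuthenticationToken token = new OidcAuthenticationToken(credentials, jeeContext, ipAddress);
  HandlerResult handlerResult = new HandlerResultImpl(Status.COMPLETED, token);
  handlerResult.setSource(SOURCE);
  return handlerResult;
}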