Example 1 with SessionToken

Use of org.codice.ddf.security.handler.SessionToken in project ddf by codice: class LogoutServiceImpl, method getActionProviders.

@Override
public String getActionProviders(HttpServletRequest request, HttpServletResponse response) throws SecurityServiceException {
    HttpSession session = httpSessionFactory.getOrCreateSession(request);
    // Principals are read from the PrincipalHolder stored on the HTTP session. The cast is
    // unchecked: if the attribute is absent, the call to getPrincipals() throws a NullPointerException.
    Object principalCollection = ((PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY)).getPrincipals();
    // The token is built with the loopback address "127.0.0.1" as the client address rather
    // than the remote address of the incoming request.
    SessionToken sessionToken = new SessionToken(principalCollection, session.getId(), "127.0.0.1");
    // Rebuilds a Subject from the existing session principals; no credentials are re-checked here
    // (see the SessionToken branch of SecurityManagerImpl.getSubject in Example 3).
    Subject subject = securityManager.getSubject(sessionToken);
    Map<String, Object> subjectMap = new HashMap<>();
    subjectMap.put("http_request", request);
    subjectMap.put("http_response", response);
    subjectMap.put(SecurityConstants.SECURITY_SUBJECT, subject);
    Map<String, String> actionProperties = new HashMap<>();
    for (ActionProvider actionProvider : logoutActionProviders) {
        Action action = actionProvider.getAction(subjectMap);
        if (action != null) {
            String displayName = subjectOperations.getName(subject, "", true);
            // Each provider writes the same four keys, so only the last non-null action survives in the map.
            actionProperties.put("title", action.getTitle());
            actionProperties.put("auth", displayName);
            actionProperties.put("description", action.getDescription());
            actionProperties.put("url", action.getUrl().toString());
        }
    }
    return GSON.toJson(actionProperties);
}
Also used: ActionProvider (ddf.action.ActionProvider), Action (ddf.action.Action), SessionToken (org.codice.ddf.security.handler.SessionToken), HashMap (java.util.HashMap), HttpSession (javax.servlet.http.HttpSession), PrincipalHolder (ddf.security.common.PrincipalHolder), Subject (org.apache.shiro.subject.Subject)

Example 2 with SessionToken

Use of org.codice.ddf.security.handler.SessionToken in project ddf by codice: class WebSSOFilter, method checkForPreviousResultOnSession.

private HandlerResult checkForPreviousResultOnSession(HttpServletRequest httpRequest, String ip) {
    String requestedSessionId = httpRequest.getRequestedSessionId();
    if (requestedSessionId == null) {
        LOGGER.trace("No HTTP Session - returning with no results");
        return null;
    }
    // getSession(false) never creates a session; a null here means the client presented a session id
    // that the container does not know about.
    HttpSession session = httpRequest.getSession(false);
    if (session == null) {
        // No container session exists for the requested id yet; obtain one through the session
        // factory, or fail if no factory is configured.
        if (sessionFactory == null) {
            throw new SessionException("Unable to verify user's session.");
        }
        session = sessionFactory.getOrCreateSession(httpRequest);
    }
    // See if principals exist for the requested session id
    HandlerResult result = null;
    PrincipalHolder principalHolder = (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    if (principalHolder != null && principalHolder.getPrincipals() != null) {
        // A session only counts as authenticated if its principals carry at least one SecurityAssertion.
        Collection<SecurityAssertion> assertions = principalHolder.getPrincipals().byType(SecurityAssertion.class);
        SessionToken sessionToken = null;
        if (!assertions.isEmpty()) {
            // The token carries the stored principals, the session id, and the client IP passed in by the caller.
            sessionToken = new SessionToken(principalHolder.getPrincipals(), session.getId(), ip);
        }
        if (sessionToken != null) {
            result = new HandlerResultImpl();
            result.setToken(sessionToken);
            result.setStatus(HandlerResult.Status.COMPLETED);
        } else {
            // Principals without an assertion are treated as stale and cleared from the session.
            principalHolder.remove();
        }
    } else {
        // Only a SHA-256 digest of the requested id is written to the audit log, never the raw session id.
        securityLogger.audit("Request contained invalid or expired session id [{}]", Hashing.sha256().hashString(requestedSessionId, StandardCharsets.UTF_8).toString());
        LOGGER.trace("Request contained invalid or expired session - returning with no results");
    }
    return result;
}
Also used: SessionToken (org.codice.ddf.security.handler.SessionToken), HttpSession (javax.servlet.http.HttpSession), HandlerResultImpl (org.codice.ddf.security.handler.HandlerResultImpl), SessionException (org.apache.shiro.session.SessionException), HandlerResult (org.codice.ddf.security.handler.api.HandlerResult), SecurityAssertion (ddf.security.assertion.SecurityAssertion), PrincipalHolder (ddf.security.common.PrincipalHolder)

Example 3 with SessionToken

Use of org.codice.ddf.security.handler.SessionToken in project ddf by codice: class SecurityManagerImpl, method getSubject.

@Override
public Subject getSubject(Object token) throws SecurityServiceException {
    AuthenticationToken authenticationToken = null;
    if (token instanceof SessionToken) {
        // Session path: no re-authentication takes place. The Subject is rebuilt from the principals
        // carried in the token, the session id is taken from the token's credentials, and the true flag
        // marks the subject as already authenticated.
        SimpleSession session = new SimpleSession();
        session.setId((String) ((SessionToken) token).getCredentials());
        return new SubjectImpl(((PrincipalCollection) ((SessionToken) token).getPrincipal()), true, session, internalManager);
    } else if (token instanceof AuthenticationToken) {
        authenticationToken = (AuthenticationToken) token;
    }
    if (authenticationToken != null) {
        // Login path: delegate to the AuthenticationToken overload, which performs the actual authentication,
        // and record the login in the audit log.
        Subject subject = getSubject(authenticationToken);
        securityLogger.audit("Logged in", subject);
        return subject;
    } else {
        throw new SecurityServiceException("Incoming token object NOT supported by security manager implementation. Currently supported types are AuthenticationToken and SecurityToken");
    }
}
Also used: SecurityServiceException (ddf.security.service.SecurityServiceException), AuthenticationToken (org.apache.shiro.authc.AuthenticationToken), SessionToken (org.codice.ddf.security.handler.SessionToken), PrincipalCollection (org.apache.shiro.subject.PrincipalCollection), SimpleSession (org.apache.shiro.session.mgt.SimpleSession), SubjectImpl (ddf.security.impl.SubjectImpl), Subject (ddf.security.Subject)

Aggregations (type, number of examples above that use it)

SessionToken (org.codice.ddf.security.handler.SessionToken): 3
PrincipalHolder (ddf.security.common.PrincipalHolder): 2
HttpSession (javax.servlet.http.HttpSession): 2
Action (ddf.action.Action): 1
ActionProvider (ddf.action.ActionProvider): 1
Subject (ddf.security.Subject): 1
SecurityAssertion (ddf.security.assertion.SecurityAssertion): 1
SubjectImpl (ddf.security.impl.SubjectImpl): 1
SecurityServiceException (ddf.security.service.SecurityServiceException): 1
HashMap (java.util.HashMap): 1
AuthenticationToken (org.apache.shiro.authc.AuthenticationToken): 1
SessionException (org.apache.shiro.session.SessionException): 1
SimpleSession (org.apache.shiro.session.mgt.SimpleSession): 1
PrincipalCollection (org.apache.shiro.subject.PrincipalCollection): 1
Subject (org.apache.shiro.subject.Subject): 1
HandlerResultImpl (org.codice.ddf.security.handler.HandlerResultImpl): 1
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult): 1