Use of org.codice.ddf.security.handler.api.AuthenticationHandler in project ddf by codice.
The class WebSSOFilter, method handleRequest.
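/**
 * Runs the single-sign-on pipeline for one request and, when a usable result was produced,
 * invokes the rest of the filter chain.
 *
 * <p>Evaluation order as written here: a result previously stored on the session (only when
 * the context policy manager allows session access), then the configured handlers, then a
 * default "guest" result when no handlers are configured and guest access is enabled. With no
 * handlers and guest access disabled the request is answered with 503 and nothing else runs.
 * The outcome of {@code handleResultStatus} is not visible from this method — presumably it
 * returns or throws for statuses that must not reach the chain; confirm before relying on it.
 *
 * @param httpRequest the current request
 * @param httpResponse the current response
 * @param filterChain the remaining security filter chain
 * @param handlers the configured authentication handlers, possibly empty
 * @throws AuthenticationException when authentication cannot be completed
 * @throws IOException when writing to the response fails
 */
private void handleRequest(
    HttpServletRequest httpRequest,
    HttpServletResponse httpResponse,
    SecurityFilterChain filterChain,
    List<AuthenticationHandler> handlers)
    throws AuthenticationException, IOException {
  HandlerResult result = null;
  // First pass, see if anyone can come up with proper security token from the get-go
  LOGGER.debug("Checking for existing tokens in request.");
  final String path = httpRequest.getRequestURI();
  // X-Forwarded-For is a client-supplied header and is only trustworthy behind a proxy that
  // overwrites it. In this method it feeds log messages and handleResultStatus only;
  // NOTE(review): confirm handleResultStatus does not use it for an access decision.
  String ipAddress = httpRequest.getHeader("X-FORWARDED-FOR");
  if (ipAddress == null) {
    ipAddress = httpRequest.getRemoteAddr();
  }
  if (contextPolicyManager.getSessionAccess()) {
    result = checkForPreviousResultOnSession(httpRequest, ipAddress);
  }
  // no result found on session, try and get result from handlers
  if (result == null) {
    if (!handlers.isEmpty()) {
      result = getResultFromHandlers(httpRequest, httpResponse, filterChain, handlers);
    } else if (contextPolicyManager.getGuestAccess()) {
      // no configured handlers, but guest login is permitted: proceed with an empty result
      LOGGER.trace(
          "No configured handlers found, but guest access is enabled. Continuing with an empty handler result for guest login.");
      result = new HandlerResultImpl(Status.NO_ACTION, null);
      result.setSource("default");
    } else {
      LOGGER.warn(
          "No configured handler found and guest access is disabled. Returning status code 503, Service Unavailable. Check system configuration and bundle state.");
      returnSimpleResponse(HttpServletResponse.SC_SERVICE_UNAVAILABLE, httpResponse);
      return;
    }
  }
  handleResultStatus(httpRequest, httpResponse, result, path, ipAddress);
  // If we got here, we've received our tokens to continue
  LOGGER.debug("Invoking the rest of the filter chain");
  try {
    filterChain.doFilter(httpRequest, httpResponse);
  } catch (Exception e) {
    LOGGER.debug("Exception in filter chain - passing off to handlers. Msg: {}", e.getMessage(), e);
    // Give each handler a chance to recover from the failure; stop at the first one that acts.
    result = null;
    for (AuthenticationHandler auth : handlers) {
      result = auth.handleError(httpRequest, httpResponse, filterChain);
      // Null-guard so a handler returning null cannot mask the original failure with an NPE
      if (result != null && result.getStatus() != HandlerResult.Status.NO_ACTION) {
        LOGGER.debug("Handler {} set the status to {}", auth.getAuthenticationType(), result.getStatus());
        break;
      }
    }
    if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
      LOGGER.debug("Error during authentication - no error recovery attempted - returning bad request.");
      // sendError throws IllegalStateException on a committed response, which would replace the
      // AuthenticationFailureException below; only write the error when it can still be sent.
      if (!httpResponse.isCommitted()) {
        httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
        httpResponse.flushBuffer();
      }
    }
    throw new AuthenticationFailureException(e);
  }
}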
Use of org.codice.ddf.security.handler.api.AuthenticationHandler in project ddf by codice.
The class WebSSOFilterTest, method testDoFilterWhiteListed.
@Test
public void testDoFilterWhiteListed() throws IOException, AuthenticationException {
  // A whitelisted context must bypass every handler, flag the request as NO_AUTH_POLICY and
  // still invoke the downstream chain.
  ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
  ContextPolicy policy = mock(ContextPolicy.class);
  when(policyManager.getContextPolicy(anyString())).thenReturn(policy);
  when(policyManager.isWhiteListed(anyString())).thenReturn(true);
  when(policyManager.getSessionAccess()).thenReturn(false);

  // One handler that would complete authentication if it were ever consulted
  HandlerResult noAction = mock(HandlerResult.class);
  when(noAction.getStatus()).thenReturn(Status.NO_ACTION);
  HandlerResult completed = mock(HandlerResult.class);
  when(completed.getStatus()).thenReturn(Status.COMPLETED);
  when(completed.getToken()).thenReturn(null);
  AuthenticationHandler handler = mock(AuthenticationHandler.class);
  when(handler.getNormalizedToken(
          any(ServletRequest.class),
          any(ServletResponse.class),
          any(SecurityFilterChain.class),
          eq(true)))
      .thenReturn(completed);
  when(handler.getNormalizedToken(
          any(ServletRequest.class),
          any(ServletResponse.class),
          any(SecurityFilterChain.class),
          eq(false)))
      .thenReturn(noAction);

  WebSSOFilter filter = new WebSSOFilter();
  filter.setHandlerList(Collections.singletonList(handler));
  filter.setContextPolicyManager(policyManager);

  HttpServletRequest request = mock(HttpServletRequest.class);
  when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
  HttpServletResponse response = mock(HttpServletResponse.class);
  SecurityFilterChain chain = mock(SecurityFilterChain.class);

  filter.doFilter(request, response, chain);

  verify(request, times(1)).setAttribute(ContextPolicy.NO_AUTH_POLICY, true);
  verify(chain).doFilter(request, response);
  verify(handler, never())
      .getNormalizedToken(
          any(HttpServletRequest.class),
          any(HttpServletResponse.class),
          any(SecurityFilterChain.class),
          anyBoolean());
}
Use of org.codice.ddf.security.handler.api.AuthenticationHandler in project ddf by codice.
The class WebSSOFilterTest, method testDoFilterSessionStorageDisabled.
@Test
public void testDoFilterSessionStorageDisabled() throws Exception {
  // With session access disabled the filter must never read the session's stored principals
  // and must instead obtain the token from the configured handler.
  PrincipalCollection principals = mock(PrincipalCollection.class);
  PrincipalHolder holder = mock(PrincipalHolder.class);
  when(holder.getPrincipals()).thenReturn(principals);
  HttpSession session = mock(HttpSession.class);
  when(session.getAttribute(SECURITY_TOKEN_KEY)).thenReturn(holder);

  HttpServletRequest request = mock(HttpServletRequest.class);
  when(request.getSession(any(Boolean.class))).thenReturn(session);
  when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
  HttpServletResponse response = mock(HttpServletResponse.class);

  ContextPolicy policy = mock(ContextPolicy.class);
  when(policy.getAuthenticationMethods()).thenReturn(Collections.singletonList("basic"));
  ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
  when(policyManager.getSessionAccess()).thenReturn(false);
  when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
  when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(policy);

  // A "basic" handler that completes with a token on either pass
  HandlerResult completed = mock(HandlerResult.class);
  when(completed.getStatus()).thenReturn(Status.COMPLETED);
  when(completed.getToken()).thenReturn(mock(BaseAuthenticationToken.class));
  AuthenticationHandler handler = mock(AuthenticationHandler.class);
  when(handler.getAuthenticationType()).thenReturn("basic");
  when(handler.getNormalizedToken(
          any(ServletRequest.class),
          any(ServletResponse.class),
          any(SecurityFilterChain.class),
          anyBoolean()))
      .thenReturn(completed);

  SecurityFilterChain chain = mock(SecurityFilterChain.class);
  WebSSOFilter filter = new WebSSOFilter();
  filter.setContextPolicyManager(policyManager);
  filter.setHandlerList(Collections.singletonList(handler));

  filter.doFilter(request, response, chain);

  verify(session, times(0)).getAttribute(SECURITY_TOKEN_KEY);
  verify(handler, times(1)).getNormalizedToken(any(), any(), any(), anyBoolean());
  verify(request, times(1)).setAttribute(eq(AUTHENTICATION_TOKEN_KEY), any());
}
Use of org.codice.ddf.security.handler.api.AuthenticationHandler in project ddf by codice.
The class WebSSOFilter, method handleRequest.
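/**
 * Runs the single-sign-on pipeline for one request: asks the handlers for an existing token,
 * then asks them to obtain one, then acts on the resulting status before invoking the rest of
 * the filter chain.
 *
 * <p>A REDIRECTED result stops the chain (the handler owns the response). NO_ACTION, a
 * COMPLETED result without a token, or no result at all is answered with 400. Only a COMPLETED
 * result carrying a token is attached to the request and allowed through to the chain.
 *
 * @param httpRequest the current request
 * @param httpResponse the current response
 * @param filterChain the remaining filter chain
 * @param handlers the configured authentication handlers; an empty list yields 503
 * @throws IOException when writing to the response fails
 * @throws ServletException when the chain or a handler fails
 */
private void handleRequest(
    HttpServletRequest httpRequest,
    HttpServletResponse httpResponse,
    FilterChain filterChain,
    List<AuthenticationHandler> handlers)
    throws IOException, ServletException {
  if (handlers.isEmpty()) {
    LOGGER.warn(
        "Handlers not ready. Returning status code 503, Service Unavailable. Check system configuration and bundle state.");
    returnSimpleResponse(HttpServletResponse.SC_SERVICE_UNAVAILABLE, httpResponse);
    return;
  }
  // First pass, see if anyone can come up with proper security token from the get-go
  HandlerResult result = null;
  LOGGER.debug("Checking for existing tokens in request.");
  for (AuthenticationHandler auth : handlers) {
    result = auth.getNormalizedToken(httpRequest, httpResponse, filterChain, false);
    // Null-guard: a handler returning null is treated like NO_ACTION instead of throwing
    if (result != null && result.getStatus() != HandlerResult.Status.NO_ACTION) {
      LOGGER.debug("Handler {} set the result status to {}", auth.getAuthenticationType(), result.getStatus());
      break;
    }
  }
  // If we haven't received usable credentials yet, go get some
  if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
    LOGGER.debug("First pass with no tokens found - requesting tokens");
    // This pass, tell each handler to do whatever it takes to get a SecurityToken
    for (AuthenticationHandler auth : handlers) {
      result = auth.getNormalizedToken(httpRequest, httpResponse, filterChain, true);
      if (result != null && result.getStatus() != HandlerResult.Status.NO_ACTION) {
        LOGGER.debug("Handler {} set the result status to {}", auth.getAuthenticationType(), result.getStatus());
        break;
      }
    }
  }
  final String path = httpRequest.getRequestURI();
  // X-Forwarded-For is client-supplied and only trustworthy behind a proxy that overwrites it;
  // the value is used for log attribution only in this method, never for an access decision.
  String ipAddress = httpRequest.getHeader("X-FORWARDED-FOR");
  if (ipAddress == null) {
    ipAddress = httpRequest.getRemoteAddr();
  }
  if (result == null) {
    LOGGER.warn("Expected login credentials from {} - didn't find any. Returning a bad request for path: {}", ipAddress, path);
    returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
    return;
  }
  switch (result.getStatus()) {
    case REDIRECTED:
      // handler handled the response - it is redirecting or whatever
      // necessary to get their tokens
      LOGGER.debug("Stopping filter chain - handled by plugins");
      return;
    case NO_ACTION:
      // should never occur - one of the handlers should have returned a token
      LOGGER.warn("No handlers were able to determine required credentials, returning bad request to {}. Check policy configuration for path: {}", ipAddress, path);
      returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
      return;
    case COMPLETED:
      // A completed result without a token must not be let through as authenticated
      if (result.getToken() == null) {
        LOGGER.warn("Completed without credentials for {} - check context policy configuration for path: {}", ipAddress, path);
        returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
        return;
      }
      if (LOGGER.isDebugEnabled()) {
        LOGGER.debug(
            "Attaching result handler to the http request - token is instance of {} from classloader {}",
            result.getToken().getClass().getName(),
            result.getToken().getClass().getClassLoader());
      }
      httpRequest.setAttribute(DDF_AUTHENTICATION_TOKEN, result);
      break;
    default:
      LOGGER.warn("Unexpected response from handler - ignoring. Remote IP: {}, Path: {}", ipAddress, path);
      return;
  }
  // If we got here, we've received our tokens to continue
  LOGGER.debug("Invoking the rest of the filter chain");
  try {
    filterChain.doFilter(httpRequest, httpResponse);
  } catch (InvalidSAMLReceivedException e) {
    // we tried to process an invalid or missing SAML assertion; keep a trace so the
    // rejection is not silent
    LOGGER.debug("Invalid or missing SAML assertion from {} for path {} - returning 401", ipAddress, path, e);
    returnSimpleResponse(HttpServletResponse.SC_UNAUTHORIZED, httpResponse);
  } catch (Exception e) {
    LOGGER.debug("Exception in filter chain - passing off to handlers. Msg: {}", e.getMessage(), e);
    // Give each handler a chance to recover from the failure; stop at the first one that acts.
    result = null;
    for (AuthenticationHandler auth : handlers) {
      result = auth.handleError(httpRequest, httpResponse, filterChain);
      if (result != null && result.getStatus() != HandlerResult.Status.NO_ACTION) {
        LOGGER.debug("Handler {} set the status to {}", auth.getAuthenticationType(), result.getStatus());
        break;
      }
    }
    if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
      LOGGER.debug("Error during authentication - no error recovery attempted - returning bad request.");
      // sendError throws IllegalStateException once the response is committed (e.g. a handler
      // already wrote to it); only send the error while that is still possible.
      if (!httpResponse.isCommitted()) {
        httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
        httpResponse.flushBuffer();
      }
    }
  }
}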
Use of org.codice.ddf.security.handler.api.AuthenticationHandler in project ddf by codice.
The class WebSSOFilterTest, method testDoFilterWithRedirected.
@Test
public void testDoFilterWithRedirected() throws AuthenticationException, IOException {
  // When the handler reports REDIRECTED, the filter must stop: neither the downstream chain
  // nor the request attribute for the token may be touched.
  ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
  ContextPolicy policy = mock(ContextPolicy.class);
  when(policyManager.getContextPolicy(MOCK_CONTEXT)).thenReturn(policy);
  when(policyManager.isWhiteListed(MOCK_CONTEXT)).thenReturn(false);
  when(policyManager.getSessionAccess()).thenReturn(false);

  // First pass finds nothing; second pass redirects the client
  HandlerResult noAction = mock(HandlerResult.class);
  when(noAction.getStatus()).thenReturn(Status.NO_ACTION);
  HandlerResult redirected = mock(HandlerResult.class);
  when(redirected.getStatus()).thenReturn(Status.REDIRECTED);
  when(redirected.getToken()).thenReturn(null);
  AuthenticationHandler handler = mock(AuthenticationHandler.class);
  when(handler.getNormalizedToken(
          any(ServletRequest.class),
          any(ServletResponse.class),
          any(SecurityFilterChain.class),
          eq(false)))
      .thenReturn(noAction);
  when(handler.getNormalizedToken(
          any(ServletRequest.class),
          any(ServletResponse.class),
          any(SecurityFilterChain.class),
          eq(true)))
      .thenReturn(redirected);

  WebSSOFilter filter = new WebSSOFilter();
  filter.setContextPolicyManager(policyManager);
  filter.setHandlerList(Collections.singletonList(handler));

  SecurityFilterChain chain = mock(SecurityFilterChain.class);
  HttpServletRequest request = mock(HttpServletRequest.class);
  when(request.getRequestURI()).thenReturn(MOCK_CONTEXT);
  HttpServletResponse response = mock(HttpServletResponse.class);

  try {
    filter.doFilter(request, response, chain);
  } catch (AuthenticationException ignored) {
    // A redirect may surface as an AuthenticationException; the assertions below are what matter.
  }

  // the next filter should NOT be called
  verify(chain, never()).doFilter(request, response);
  verify(request, never()).setAttribute(eq(DDF_AUTHENTICATION_TOKEN), any(HandlerResult.class));
}