Use of org.codice.ddf.security.handler.api.GuestAuthenticationToken in project ddf by codice.
Class GuestHandler, method getAuthToken.
/**
 * Resolves an authentication token for the request by consulting the basic
 * auth handler first, then the PKI handler, and finally falling back to a
 * guest token.
 *
 * @param request http request to obtain attributes from and to pass into any
 *     local filter chains required; its ACTIVE_REALM attribute (possibly null)
 *     becomes the realm of a fallback guest token
 * @param response http response handed through to the delegate handlers
 * @param chain filter chain handed through to the delegate handlers
 * @return the token of the first delegate handler whose result is COMPLETED,
 *     otherwise a {@link GuestAuthenticationToken} for the active realm and
 *     the request's remote address
 */
private BaseAuthenticationToken getAuthToken(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
    // Read the realm up front so the fallback token uses the value present
    // before any delegate handler ran.
    String activeRealm = (String) request.getAttribute(ContextPolicy.ACTIVE_REALM);

    // First choice: basic auth. Its handler is not wrapped in a try block here.
    BasicAuthenticationHandler basicHandler = new BasicAuthenticationHandler();
    HandlerResult basicResult = basicHandler.getNormalizedToken(request, response, chain, false);
    if (basicResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
        return basicResult.getToken();
    }

    // Second choice: PKI.
    PKIHandler pkiHandler = new PKIHandler();
    pkiHandler.setTokenFactory(tokenFactory);
    try {
        HandlerResult pkiResult = pkiHandler.getNormalizedToken(request, response, chain, false);
        if (pkiResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
            return pkiResult.getToken();
        }
    } catch (ServletException e) {
        // NOTE(review): a failing PKI check is logged at info and the request
        // degrades to a guest token instead of being rejected — confirm that
        // is the intended policy.
        LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
    }

    // Nothing authenticated the caller: hand out a guest token.
    return new GuestAuthenticationToken(activeRealm, request.getRemoteAddr());
}
Use of org.codice.ddf.security.handler.api.GuestAuthenticationToken in project ddf by codice.
Class GuestHandlerTest, method testGetNormalizedToken.
/**
 * Verifies that GuestHandler.getNormalizedToken() completes with a guest
 * token whose credentials, realm and source carry the expected defaults.
 */
@Test
public void testGetNormalizedToken() throws WSSecurityException {
    GuestHandler guestHandler = new GuestHandler();
    guestHandler.setTokenFactory(new PKIAuthenticationTokenFactory());

    // Bare mocks: they supply no headers, certificates or attributes, so the
    // handler is expected to end up producing a guest token (presumably after
    // its other checks find nothing — those live outside this test).
    HttpServletRequest mockRequest = mock(HttpServletRequest.class);
    HttpServletResponse mockResponse = mock(HttpServletResponse.class);
    FilterChain mockChain = mock(FilterChain.class);

    HandlerResult outcome = guestHandler.getNormalizedToken(mockRequest, mockResponse, mockChain, true);

    assertNotNull(outcome);
    assertEquals(HandlerResult.Status.COMPLETED, outcome.getStatus());
    assertTrue(outcome.getToken() instanceof GuestAuthenticationToken);
    assertEquals("Guest", outcome.getToken().getCredentials());
    // The mock request carries no realm attribute, hence a null realm.
    assertEquals(null, outcome.getToken().getRealm());
    assertEquals("null-GuestHandler", outcome.getSource());
}
Use of org.codice.ddf.security.handler.api.GuestAuthenticationToken in project ddf by codice.
Class GuestValidator, method validateToken.
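/**
 * Validates a received guest token.
 *
 * <p>The target token starts out INVALID and is only marked VALID when the
 * decoded guest token carries the guest credentials, an IP address accepted by
 * {@code validIpAddress}, and a realm that is either absent, the wildcard
 * {@code "*"}, or one of the configured supported realms. A token with no realm
 * therefore bypasses the realm check entirely.
 *
 * @param tokenParameters parameters carrying the token to validate
 * @return a response wrapping the (possibly updated) received token; a guest
 *     principal is attached to the response whenever the target could be
 *     decoded as a guest token, even when it is ultimately left INVALID
 */
@Override
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    // Fail closed: the state stays INVALID unless every check below passes.
    validateTarget.setState(ReceivedToken.STATE.INVALID);
    GuestAuthenticationToken guestToken = getGuestTokenFromTarget(validateTarget);
    response.setToken(validateTarget);
    if (guestToken == null) {
        return response;
    }

    String ipAddress = guestToken.getIpAddress();
    // NOTE(review): the response principal is set before the checks run, so it
    // is present even for a rejected token — confirm callers consult the state.
    response.setPrincipal(new GuestPrincipal(ipAddress));
    if (isAcceptedGuestToken(guestToken)) {
        validateTarget.setState(ReceivedToken.STATE.VALID);
        validateTarget.setPrincipal(new GuestPrincipal(ipAddress));
    }
    return response;
}

/**
 * Applies the realm, credential and IP-address checks, in that order.
 *
 * <p>A {@code null} realm is accepted without consulting {@code supportedRealm}.
 * The credential comparison is written null-safe so a token with missing
 * credentials is rejected instead of raising a NullPointerException.
 *
 * @param guestToken decoded guest token, never null
 * @return true when the token should be marked VALID
 */
private boolean isAcceptedGuestToken(GuestAuthenticationToken guestToken) {
    String realm = guestToken.getRealm();
    boolean realmAccepted = realm == null || supportedRealm.contains(realm) || "*".equals(realm);
    return realmAccepted
            && GuestAuthenticationToken.GUEST_CREDENTIALS.equals(guestToken.getCredentials())
            && validIpAddress(guestToken.getIpAddress());
}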
Use of org.codice.ddf.security.handler.api.GuestAuthenticationToken in project ddf by codice.
Class GuestValidatorTest, method setup.
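/** WS-Security namespace and local name of the BinarySecurityToken element. */
private static final QName WSSE_BINARY_SECURITY_TOKEN = new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken");

/**
 * Builds the validator under test and a set of received tokens covering the
 * supported realm, the wildcard realm, an IPv6 address, an IPv6 address with a
 * zone index, and a token whose payload is not the guest credential.
 */
@Before
public void setup() {
    validator = new GuestValidator();
    validator.setSupportedRealm(Arrays.asList("DDF"));

    GuestAuthenticationToken guestToken = new GuestAuthenticationToken("DDF", "127.0.0.1");
    GuestAuthenticationToken guestTokenAnyRealm = new GuestAuthenticationToken("*", "127.0.0.1");
    GuestAuthenticationToken guestTokenIpv6 = new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1");
    // "%4" is an IPv6 zone index; the validator is expected to cope with it.
    GuestAuthenticationToken guestTokenIpv6Reachability = new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1%4");

    receivedToken = new ReceivedToken(guestBstElement(guestToken.getEncodedCredentials()));
    receivedAnyRealmToken = new ReceivedToken(guestBstElement(guestTokenAnyRealm.getEncodedCredentials()));
    // Guest value type but a non-guest payload (ASCII-only literal, so the
    // default charset is immaterial); the validator must reject it.
    receivedBadToken = new ReceivedToken(guestBstElement(Base64.getEncoder().encodeToString("NotGuest".getBytes())));
    receivedTokenIpv6 = new ReceivedToken(guestBstElement(guestTokenIpv6.getEncodedCredentials()));
    receivedTokenIpv6Reachability = new ReceivedToken(guestBstElement(guestTokenIpv6Reachability.getEncodedCredentials()));

    parameters = new TokenValidatorParameters();
    parameters.setToken(receivedToken);
}

/**
 * Wraps a base64-encoded BST value in a guest-typed BinarySecurityToken JAXB
 * element, the shape every fixture token in this test shares.
 *
 * @param base64Value the already-encoded token payload
 * @return the JAXB element to hand to {@link ReceivedToken}
 */
private static JAXBElement<BinarySecurityTokenType> guestBstElement(String base64Value) {
    BinarySecurityTokenType bst = new BinarySecurityTokenType();
    bst.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    bst.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    bst.setId(GuestAuthenticationToken.BST_GUEST_LN);
    bst.setValue(base64Value);
    return new JAXBElement<BinarySecurityTokenType>(WSSE_BINARY_SECURITY_TOKEN, BinarySecurityTokenType.class, bst);
}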
Use of org.codice.ddf.security.handler.api.GuestAuthenticationToken in project ddf by codice.
Class IdpEndpoint, method handleLogin.
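/**
 * Authenticates the user for an IdP login and builds the SAML response.
 *
 * <p>The authentication token is chosen by {@code authMethod}: PKI, username
 * and password (either from {@code authObj} or from the request's basic auth
 * handler), an already-held SAML assertion, or guest when guest access is
 * enabled. Unless the caller presents a session cookie, the token is exchanged
 * with the security manager for a subject whose SecurityAssertion supplies the
 * SAML token placed in the response.
 *
 * @param authnRequest the AuthnRequest being answered; its ID is echoed back
 * @param authMethod one of PKI, USER_PASS, SAML or GUEST
 * @param request the HTTP request; its ACTIVE_REALM attribute is forced to ALL_REALM
 * @param authObj out-of-band credentials (username/password or assertion); may be
 *     null for PKI and guest logins
 * @param passive when true, an authentication failure yields an AUTHN_FAILED
 *     status instead of propagating the SecurityServiceException
 * @param hasCookie when true, the SAML assertion is taken from the request
 *     instead of authenticating the token
 * @return the SAML response carrying the status code and, on success, the assertion
 * @throws IllegalArgumentException if the auth method is unsupported (or GUEST
 *     while guest access is disabled), or SAML is requested without credentials
 * @throws SecurityServiceException if authentication fails and the login is not passive
 * @throws WSSecurityException propagated from response construction
 * @throws SimpleSign.SignatureException propagated from response construction
 * @throws ConstraintViolationException propagated from response construction
 */
protected org.opensaml.saml.saml2.core.Response handleLogin(AuthnRequest authnRequest, String authMethod, HttpServletRequest request, AuthObj authObj, boolean passive, boolean hasCookie) throws SecurityServiceException, WSSecurityException, SimpleSign.SignatureException, ConstraintViolationException {
    LOGGER.debug("Performing login for user. passive: {}, cookie: {}", passive, hasCookie);
    request.setAttribute(ContextPolicy.ACTIVE_REALM, BaseAuthenticationToken.ALL_REALM);
    BaseAuthenticationToken token = resolveToken(authMethod, request, authObj);

    org.w3c.dom.Element samlToken = null;
    String statusCode;
    if (hasCookie) {
        // NOTE(review): the assertion already attached to the request is reused
        // here without re-authenticating the token — confirm it was validated
        // when the cookie was issued.
        samlToken = getSamlAssertion(request);
        statusCode = StatusCode.SUCCESS;
    } else {
        try {
            statusCode = StatusCode.AUTHN_FAILED;
            // NOTE(review): token is still null when the PKI or basic handler did
            // not complete; how the security manager treats a null token is not
            // visible here.
            Subject subject = securityManager.getSubject(token);
            samlToken = findSamlToken(subject);
            if (samlToken != null) {
                statusCode = StatusCode.SUCCESS;
            }
        } catch (SecurityServiceException e) {
            if (!passive) {
                throw e;
            }
            statusCode = StatusCode.AUTHN_FAILED;
        }
    }
    // Report the real outcome; a failed login must not be logged as a success.
    LOGGER.debug("User log in finished with status: {}", statusCode);
    return SamlProtocol.createResponse(SamlProtocol.createIssuer(SystemBaseUrl.constructUrl("/idp/login", true)), SamlProtocol.createStatus(statusCode), authnRequest.getID(), samlToken);
}

/**
 * Builds the authentication token for the requested method.
 *
 * @param authMethod one of PKI, USER_PASS, SAML or GUEST
 * @param request the HTTP request handed to the PKI / basic auth handlers
 * @param authObj out-of-band credentials; may be null
 * @return the token, or null when a delegate handler did not complete
 * @throws IllegalArgumentException for an unsupported method, for GUEST while
 *     guest access is disabled, or for SAML without an {@code authObj}
 */
private BaseAuthenticationToken resolveToken(String authMethod, HttpServletRequest request, AuthObj authObj) {
    if (PKI.equals(authMethod)) {
        LOGGER.debug("Logging user in via PKI.");
        PKIHandler pkiHandler = new PKIHandler();
        pkiHandler.setTokenFactory(tokenFactory);
        try {
            return completedToken(pkiHandler.getNormalizedToken(request, null, null, false));
        } catch (ServletException e) {
            LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
            return null;
        }
    }
    if (USER_PASS.equals(authMethod)) {
        LOGGER.debug("Logging user in via BASIC auth.");
        if (authObj != null && authObj.username != null && authObj.password != null) {
            return new UPAuthenticationToken(authObj.username, authObj.password, BaseAuthenticationToken.ALL_REALM);
        }
        BasicAuthenticationHandler basicAuthenticationHandler = new BasicAuthenticationHandler();
        return completedToken(basicAuthenticationHandler.getNormalizedToken(request, null, null, false));
    }
    if (SAML.equals(authMethod)) {
        LOGGER.debug("Logging user in via SAML assertion.");
        // Guard the dereference that the USER_PASS branch already guards.
        if (authObj == null) {
            throw new IllegalArgumentException("SAML auth method requires auth credentials.");
        }
        return new SAMLAuthenticationToken(null, authObj.assertion, BaseAuthenticationToken.ALL_REALM);
    }
    if (GUEST.equals(authMethod) && guestAccess) {
        LOGGER.debug("Logging user in as Guest.");
        return new GuestAuthenticationToken(BaseAuthenticationToken.ALL_REALM, request.getRemoteAddr());
    }
    throw new IllegalArgumentException("Auth method is not supported.");
}

/**
 * Returns the handler's token when its status is COMPLETED, otherwise null.
 *
 * @param handlerResult result of a delegate handler; its status must be non-null
 * @return the token or null
 */
private static BaseAuthenticationToken completedToken(HandlerResult handlerResult) {
    if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
        return handlerResult.getToken();
    }
    return null;
}

/**
 * Returns the SAML token of the last SecurityAssertion principal on the subject,
 * or null when the subject holds none.
 *
 * @param subject the authenticated subject
 * @return the SAML token element or null
 */
private static org.w3c.dom.Element findSamlToken(Subject subject) {
    org.w3c.dom.Element found = null;
    for (Object principal : subject.getPrincipals().asList()) {
        if (principal instanceof SecurityAssertion) {
            SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
            found = securityToken.getToken();
        }
    }
    return found;
}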