Examples with HandlerResult org.codice.ddf.security.handler.api.HandlerResult used on opensource projects

Example 41 with HandlerResult

use of org.codice.ddf.security.handler.api.HandlerResult in project ddf by codice.

the class BasicAuthenticationHandlerTest method testGetNormalizedTokenResolveWithoutCredentials.

/**
     * This test case handles the scenario in which the credentials should be
     * obtained (i.e. resolve flag is set) - both requests without and with the
     * credentials are tested.
     */
@Test
public void testGetNormalizedTokenResolveWithoutCredentials() throws IOException {
    BasicAuthenticationHandler handler = new BasicAuthenticationHandler();
    HttpServletRequest request = mock(HttpServletRequest.class);
    HttpServletResponse response = mock(HttpServletResponse.class);
    FilterChain chain = mock(FilterChain.class);
    when(request.getAttribute(anyString())).thenReturn("karaf");
    HandlerResult result = handler.getNormalizedToken(request, response, chain, true);
    assertNotNull(result);
    assertEquals(HandlerResult.Status.REDIRECTED, result.getStatus());
    // confirm that the proper responses were sent through the HttpResponse
    Mockito.verify(response).setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"karaf\"");
    Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    Mockito.verify(response).setContentLength(0);
    Mockito.verify(response).flushBuffer();
}

Example 42 with HandlerResult

use of org.codice.ddf.security.handler.api.HandlerResult in project ddf by codice.

the class WebSSOFilter method handleRequest.

private void handleRequest(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain filterChain, List<AuthenticationHandler> handlers) throws IOException, ServletException {
    if (handlers.size() == 0) {
        LOGGER.warn("Handlers not ready. Returning status code 503, Service Unavailable. Check system configuration and bundle state.");
        returnSimpleResponse(HttpServletResponse.SC_SERVICE_UNAVAILABLE, httpResponse);
        return;
    }
    // First pass, see if anyone can come up with proper security token from the get-go
    HandlerResult result = null;
    LOGGER.debug("Checking for existing tokens in request.");
    for (AuthenticationHandler auth : handlers) {
        result = auth.getNormalizedToken(httpRequest, httpResponse, filterChain, false);
        if (result.getStatus() != HandlerResult.Status.NO_ACTION) {
            LOGGER.debug("Handler {} set the result status to {}", auth.getAuthenticationType(), result.getStatus());
            break;
        }
    }
    // If we haven't received usable credentials yet, go get some
    if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
        LOGGER.debug("First pass with no tokens found - requesting tokens");
        // This pass, tell each handler to do whatever it takes to get a SecurityToken
        for (AuthenticationHandler auth : handlers) {
            result = auth.getNormalizedToken(httpRequest, httpResponse, filterChain, true);
            if (result.getStatus() != HandlerResult.Status.NO_ACTION) {
                LOGGER.debug("Handler {} set the result status to {}", auth.getAuthenticationType(), result.getStatus());
                break;
            }
        }
    }
    final String path = httpRequest.getRequestURI();
    String ipAddress = httpRequest.getHeader("X-FORWARDED-FOR");
    if (ipAddress == null) {
        ipAddress = httpRequest.getRemoteAddr();
    }
    if (result != null) {
        switch(result.getStatus()) {
            case REDIRECTED:
                // handler handled the response - it is redirecting or whatever
                // necessary to get their tokens
                LOGGER.debug("Stopping filter chain - handled by plugins");
                return;
            case NO_ACTION:
                // should never occur - one of the handlers should have returned a token
                LOGGER.warn("No handlers were able to determine required credentials, returning bad request to {}. Check policy configuration for path: {}", ipAddress, path);
                returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
                return;
            case COMPLETED:
                if (result.getToken() == null) {
                    LOGGER.warn("Completed without credentials for {} - check context policy configuration for path: {}", ipAddress, path);
                    returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
                    return;
                }
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Attaching result handler to the http request - token is instance of {} from classloader {}", result.getToken().getClass().getName(), result.getToken().getClass().getClassLoader());
                }
                httpRequest.setAttribute(DDF_AUTHENTICATION_TOKEN, result);
                break;
            default:
                LOGGER.warn("Unexpected response from handler - ignoring. Remote IP: {}, Path: {}", ipAddress, path);
                return;
        }
    } else {
        LOGGER.warn("Expected login credentials from {} - didn't find any. Returning a bad request for path: {}", ipAddress, path);
        returnSimpleResponse(HttpServletResponse.SC_BAD_REQUEST, httpResponse);
        return;
    }
    // If we got here, we've received our tokens to continue
    LOGGER.debug("Invoking the rest of the filter chain");
    try {
        filterChain.doFilter(httpRequest, httpResponse);
    } catch (InvalidSAMLReceivedException e) {
        // we tried to process an invalid or missing SAML assertion
        returnSimpleResponse(HttpServletResponse.SC_UNAUTHORIZED, httpResponse);
    } catch (Exception e) {
        LOGGER.debug("Exception in filter chain - passing off to handlers. Msg: {}", e.getMessage(), e);
        // First pass, see if anyone can come up with proper security token
        // from the git-go
        result = null;
        for (AuthenticationHandler auth : handlers) {
            result = auth.handleError(httpRequest, httpResponse, filterChain);
            if (result.getStatus() != HandlerResult.Status.NO_ACTION) {
                LOGGER.debug("Handler {} set the status to {}", auth.getAuthenticationType(), result.getStatus());
                break;
            }
        }
        if (result == null || result.getStatus() == HandlerResult.Status.NO_ACTION) {
            LOGGER.debug("Error during authentication - no error recovery attempted - returning bad request.");
            httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            httpResponse.flushBuffer();
        }
    }
}

Example 43 with HandlerResult

use of org.codice.ddf.security.handler.api.HandlerResult in project ddf by codice.

the class WebSSOFilterTest method testDoFilterWithRedirected.

@Test
public void testDoFilterWithRedirected() throws ServletException, IOException {
    ContextPolicy testPolicy = mock(ContextPolicy.class);
    when(testPolicy.getRealm()).thenReturn("TestRealm");
    ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
    when(policyManager.getContextPolicy(anyString())).thenReturn(testPolicy);
    when(policyManager.isWhiteListed(anyString())).thenReturn(false);
    WebSSOFilter filter = new WebSSOFilter();
    // set handlers
    AuthenticationHandler handler1 = mock(AuthenticationHandler.class);
    HandlerResult noActionResult = mock(HandlerResult.class);
    when(noActionResult.getStatus()).thenReturn(Status.NO_ACTION);
    HandlerResult redirectedResult = mock(HandlerResult.class);
    when(redirectedResult.getStatus()).thenReturn(Status.REDIRECTED);
    when(redirectedResult.getToken()).thenReturn(null);
    when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(FilterChain.class), eq(false))).thenReturn(noActionResult);
    when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(FilterChain.class), eq(true))).thenReturn(redirectedResult);
    filter.setHandlerList(Collections.singletonList(handler1));
    FilterChain filterChain = mock(FilterChain.class);
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getContextPath()).thenReturn(MOCK_CONTEXT);
    HttpServletResponse response = mock(HttpServletResponse.class);
    filter.doFilter(request, response, filterChain);
    // the next filter should NOT be called
    verify(filterChain, never()).doFilter(request, response);
    verify(request, never()).setAttribute(eq(DDF_AUTHENTICATION_TOKEN), any(HandlerResult.class));
}

Example 44 with HandlerResult

use of org.codice.ddf.security.handler.api.HandlerResult in project ddf by codice.

the class WebSSOFilterTest method testDoFilterResolvingOnSecondCall.

@Test
public void testDoFilterResolvingOnSecondCall() throws IOException, ServletException {
    ContextPolicy testPolicy = mock(ContextPolicy.class);
    when(testPolicy.getRealm()).thenReturn("TestRealm");
    ContextPolicyManager policyManager = mock(ContextPolicyManager.class);
    when(policyManager.getContextPolicy(anyString())).thenReturn(testPolicy);
    when(policyManager.isWhiteListed(anyString())).thenReturn(false);
    WebSSOFilter filter = new WebSSOFilter();
    // set handlers
    AuthenticationHandler handler1 = mock(AuthenticationHandler.class);
    HandlerResult noActionResult = mock(HandlerResult.class);
    when(noActionResult.getStatus()).thenReturn(Status.NO_ACTION);
    HandlerResult completedResult = mock(HandlerResult.class);
    when(completedResult.getStatus()).thenReturn(Status.COMPLETED);
    when(completedResult.getToken()).thenReturn(null);
    when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(FilterChain.class), eq(true))).thenReturn(completedResult);
    when(handler1.getNormalizedToken(any(ServletRequest.class), any(ServletResponse.class), any(FilterChain.class), eq(false))).thenReturn(noActionResult);
    filter.setHandlerList(Collections.singletonList(handler1));
    FilterChain filterChain = mock(FilterChain.class);
    HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getContextPath()).thenReturn(MOCK_CONTEXT);
    HttpServletResponse response = mock(HttpServletResponse.class);
    filter.doFilter(request, response, filterChain);
    verify(handler1, times(2)).getNormalizedToken(any(HttpServletRequest.class), any(HttpServletResponse.class), any(FilterChain.class), anyBoolean());
    // the next filter should NOT be called
    verify(filterChain, never()).doFilter(request, response);
    verify(request, never()).setAttribute(eq(DDF_AUTHENTICATION_TOKEN), any(HandlerResult.class));
}

Example 45 with HandlerResult

use of org.codice.ddf.security.handler.api.HandlerResult in project ddf by codice.

the class LoginFilter method validateRequest.

private Subject validateRequest(final HttpServletRequest httpRequest) throws IOException, ServletException {
    Subject subject = null;
    Object ddfAuthToken = httpRequest.getAttribute(DDF_AUTHENTICATION_TOKEN);
    if (ddfAuthToken instanceof HandlerResult) {
        HandlerResult result = (HandlerResult) ddfAuthToken;
        BaseAuthenticationToken thisToken = result.getToken();
        /*
             * If the user has already authenticated they will have a valid SAML token. Validate
             * that here and create the subject from the token.
             */
        if (thisToken instanceof SAMLAuthenticationToken) {
            subject = handleAuthenticationToken(httpRequest, (SAMLAuthenticationToken) thisToken);
        } else if (thisToken != null) {
            subject = handleAuthenticationToken(httpRequest, thisToken);
        }
    }
    return subject;
}