Example 1 with SAMLAuthenticationToken
use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in project ddf by codice.
the class LoginFilterTest method testExpiredSamlCookie.
@Test(expected = ServletException.class)
public void testExpiredSamlCookie() throws IOException, XMLStreamException, ServletException, ParserConfigurationException, SAXException, SecurityServiceException {
FilterConfig filterConfig = mock(FilterConfig.class);
LoginFilter loginFilter = new LoginFilter();
loginFilter.setSessionFactory(sessionFactory);
ddf.security.service.SecurityManager securityManager = mock(ddf.security.service.SecurityManager.class);
loginFilter.setSecurityManager(securityManager);
loginFilter.setSignaturePropertiesFile("signature.properties");
try {
loginFilter.init(filterConfig);
} catch (ServletException e) {
fail(e.getMessage());
}
HttpServletRequest servletRequest = new TestHttpServletRequest();
HttpServletResponse servletResponse = mock(HttpServletResponse.class);
FilterChain filterChain = mock(FilterChain.class);
SecurityToken securityToken = new SecurityToken();
Element thisToken = readDocument("/good_saml.xml").getDocumentElement();
securityToken.setToken(thisToken);
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, securityToken, "karaf");
HandlerResult result = new HandlerResult(HandlerResult.Status.COMPLETED, samlToken);
servletRequest.setAttribute("ddf.security.token", result);
loginFilter.doFilter(servletRequest, servletResponse, filterChain);
}
Also used :
FilterChain(javax.servlet.FilterChain)
Element(org.w3c.dom.Element)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken)
ServletException(javax.servlet.ServletException)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
FilterConfig(javax.servlet.FilterConfig)
SecurityManager(ddf.security.service.SecurityManager)
Test(org.junit.Test)
Example 2 with SAMLAuthenticationToken
use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in project ddf by codice.
the class IdpEndpoint method handleLogin.
protected org.opensaml.saml.saml2.core.Response handleLogin(AuthnRequest authnRequest, String authMethod, HttpServletRequest request, AuthObj authObj, boolean passive, boolean hasCookie) throws SecurityServiceException, WSSecurityException, SimpleSign.SignatureException, ConstraintViolationException {
LOGGER.debug("Performing login for user. passive: {}, cookie: {}", passive, hasCookie);
BaseAuthenticationToken token = null;
request.setAttribute(ContextPolicy.ACTIVE_REALM, BaseAuthenticationToken.ALL_REALM);
if (PKI.equals(authMethod)) {
LOGGER.debug("Logging user in via PKI.");
PKIHandler pkiHandler = new PKIHandler();
pkiHandler.setTokenFactory(tokenFactory);
try {
HandlerResult handlerResult = pkiHandler.getNormalizedToken(request, null, null, false);
if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
token = handlerResult.getToken();
}
} catch (ServletException e) {
LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
}
} else if (USER_PASS.equals(authMethod)) {
LOGGER.debug("Logging user in via BASIC auth.");
if (authObj != null && authObj.username != null && authObj.password != null) {
token = new UPAuthenticationToken(authObj.username, authObj.password, BaseAuthenticationToken.ALL_REALM);
} else {
BasicAuthenticationHandler basicAuthenticationHandler = new BasicAuthenticationHandler();
HandlerResult handlerResult = basicAuthenticationHandler.getNormalizedToken(request, null, null, false);
if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
token = handlerResult.getToken();
}
}
} else if (SAML.equals(authMethod)) {
LOGGER.debug("Logging user in via SAML assertion.");
token = new SAMLAuthenticationToken(null, authObj.assertion, BaseAuthenticationToken.ALL_REALM);
} else if (GUEST.equals(authMethod) && guestAccess) {
LOGGER.debug("Logging user in as Guest.");
token = new GuestAuthenticationToken(BaseAuthenticationToken.ALL_REALM, request.getRemoteAddr());
} else {
throw new IllegalArgumentException("Auth method is not supported.");
}
org.w3c.dom.Element samlToken = null;
String statusCode;
if (hasCookie) {
samlToken = getSamlAssertion(request);
statusCode = StatusCode.SUCCESS;
} else {
try {
statusCode = StatusCode.AUTHN_FAILED;
Subject subject = securityManager.getSubject(token);
for (Object principal : subject.getPrincipals().asList()) {
if (principal instanceof SecurityAssertion) {
SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
samlToken = securityToken.getToken();
}
}
if (samlToken != null) {
statusCode = StatusCode.SUCCESS;
}
} catch (SecurityServiceException e) {
if (!passive) {
throw e;
} else {
statusCode = StatusCode.AUTHN_FAILED;
}
}
}
LOGGER.debug("User log in successful.");
return SamlProtocol.createResponse(SamlProtocol.createIssuer(SystemBaseUrl.constructUrl("/idp/login", true)), SamlProtocol.createStatus(statusCode), authnRequest.getID(), samlToken);
}
Also used :
SecurityServiceException(ddf.security.service.SecurityServiceException)
GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken)
PKIHandler(org.codice.ddf.security.handler.pki.PKIHandler)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
SecurityAssertion(ddf.security.assertion.SecurityAssertion)
SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken)
Subject(ddf.security.Subject)
ServletException(javax.servlet.ServletException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
Element(org.w3c.dom.Element)
BaseAuthenticationToken(org.codice.ddf.security.handler.api.BaseAuthenticationToken)
UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken)
BasicAuthenticationHandler(org.codice.ddf.security.handler.basic.BasicAuthenticationHandler)
SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)
SignableXMLObject(org.opensaml.xmlsec.signature.SignableXMLObject)
XMLObject(org.opensaml.core.xml.XMLObject)
Example 3 with SAMLAuthenticationToken
use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in project ddf by codice.
the class AbstractStsRealm method doGetAuthenticationInfo.
/**
* Perform authentication based on the supplied token.
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
String method = "doGetAuthenticationInfo( AuthenticationToken token )";
Object credential;
if (token instanceof SAMLAuthenticationToken) {
credential = token.getCredentials();
} else if (token instanceof BaseAuthenticationToken) {
credential = ((BaseAuthenticationToken) token).getCredentialsAsXMLString();
} else {
credential = token.getCredentials().toString();
}
if (credential == null) {
String msg = "Unable to authenticate credential. A NULL credential was provided in the supplied authentication token. This may be due to an error with the SSO server that created the token.";
LOGGER.info(msg);
throw new AuthenticationException(msg);
} else {
//removed the credentials from the log message for now, I don't think we should be dumping user/pass into log
LOGGER.debug("Received credentials.");
}
SecurityToken securityToken;
if (token instanceof SAMLAuthenticationToken && credential instanceof SecurityToken) {
securityToken = renewSecurityToken((SecurityToken) credential);
} else {
securityToken = requestSecurityToken(credential);
}
LOGGER.debug("Creating token authentication information with SAML.");
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo();
SimplePrincipalCollection principals = new SimplePrincipalCollection();
SecurityAssertion assertion = new SecurityAssertionImpl(securityToken);
principals.add(assertion.getPrincipal(), NAME);
principals.add(assertion, NAME);
simpleAuthenticationInfo.setPrincipals(principals);
simpleAuthenticationInfo.setCredentials(credential);
return simpleAuthenticationInfo;
}
Also used :
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SimpleAuthenticationInfo(org.apache.shiro.authc.SimpleAuthenticationInfo)
AuthenticationException(org.apache.shiro.authc.AuthenticationException)
BaseAuthenticationToken(org.codice.ddf.security.handler.api.BaseAuthenticationToken)
SimplePrincipalCollection(org.apache.shiro.subject.SimplePrincipalCollection)
SecurityAssertion(ddf.security.assertion.SecurityAssertion)
SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken)
SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl)
Example 4 with SAMLAuthenticationToken
use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in project ddf by codice.
the class SAMLAssertionHandler method getNormalizedToken.
@Override
public HandlerResult getNormalizedToken(ServletRequest request, ServletResponse response, FilterChain chain, boolean resolve) {
HandlerResult handlerResult = new HandlerResult();
String realm = (String) request.getAttribute(ContextPolicy.ACTIVE_REALM);
SecurityToken securityToken;
HttpServletRequest httpRequest = (HttpServletRequest) request;
String authHeader = ((HttpServletRequest) request).getHeader(SecurityConstants.SAML_HEADER_NAME);
// check for full SAML assertions coming in (federated requests, etc.)
if (authHeader != null) {
String[] tokenizedAuthHeader = authHeader.split(" ");
if (tokenizedAuthHeader.length == 2 && tokenizedAuthHeader[0].equals("SAML")) {
String encodedSamlAssertion = tokenizedAuthHeader[1];
LOGGER.trace("Header retrieved");
try {
String tokenString = RestSecurity.inflateBase64(encodedSamlAssertion);
LOGGER.trace("Header value: {}", tokenString);
securityToken = new SecurityToken();
Element thisToken = null;
if (tokenString.contains(SAML_NAMESPACE)) {
try {
thisToken = StaxUtils.read(new StringReader(tokenString)).getDocumentElement();
} catch (XMLStreamException e) {
LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
}
} else {
thisToken = parseAssertionWithoutNamespace(tokenString);
}
securityToken.setToken(thisToken);
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, securityToken, realm);
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
} catch (IOException e) {
LOGGER.info("Unexpected error converting header value to string", e);
}
return handlerResult;
}
}
// Check for legacy SAML cookie
Map<String, Cookie> cookies = HttpUtils.getCookieMap(httpRequest);
Cookie samlCookie = cookies.get(SecurityConstants.SAML_COOKIE_NAME);
if (samlCookie != null) {
String cookieValue = samlCookie.getValue();
LOGGER.trace("Cookie retrieved");
try {
String tokenString = RestSecurity.inflateBase64(cookieValue);
LOGGER.trace("Cookie value: {}", tokenString);
securityToken = new SecurityToken();
Element thisToken = StaxUtils.read(new StringReader(tokenString)).getDocumentElement();
securityToken.setToken(thisToken);
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, securityToken, realm);
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
} catch (IOException e) {
LOGGER.info("Unexpected error converting cookie value to string - proceeding without SAML token.", e);
} catch (XMLStreamException e) {
LOGGER.info("Unexpected error converting XML string to element - proceeding without SAML token.", e);
}
return handlerResult;
}
HttpSession session = httpRequest.getSession(false);
if (session == null && httpRequest.getRequestedSessionId() != null) {
session = sessionFactory.getOrCreateSession(httpRequest);
}
if (session != null) {
//Check if there is a SAML Assertion in the session
//If so, create a SAMLAuthenticationToken using the sessionId
SecurityTokenHolder savedToken = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
if (savedToken != null && savedToken.getSecurityToken(realm) != null) {
SecurityAssertionImpl assertion = new SecurityAssertionImpl(savedToken.getSecurityToken(realm));
if (assertion.isPresentlyValid()) {
LOGGER.trace("Creating SAML authentication token with session.");
SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, session.getId(), realm);
handlerResult.setToken(samlToken);
handlerResult.setStatus(HandlerResult.Status.COMPLETED);
return handlerResult;
} else {
LOGGER.trace("SAML token in session has expired - removing from session and returning with no results");
savedToken.remove(realm);
}
} else {
LOGGER.trace("No SAML token located in session - returning with no results");
}
} else {
LOGGER.trace("No HTTP Session - returning with no results");
}
return handlerResult;
}
Also used :
Cookie(javax.servlet.http.Cookie)
HttpSession(javax.servlet.http.HttpSession)
Element(org.w3c.dom.Element)
HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)
IOException(java.io.IOException)
SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken)
SecurityAssertionImpl(ddf.security.assertion.impl.SecurityAssertionImpl)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityTokenHolder(ddf.security.common.SecurityTokenHolder)
XMLStreamException(javax.xml.stream.XMLStreamException)
StringReader(java.io.StringReader)
Example 5 with SAMLAuthenticationToken
use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in project ddf by codice.
the class LoginFilter method handleAuthenticationToken.
private Subject handleAuthenticationToken(HttpServletRequest httpRequest, SAMLAuthenticationToken token) throws ServletException {
Subject subject;
try {
LOGGER.debug("Validating received SAML assertion.");
boolean wasReference = false;
boolean firstLogin = true;
if (token.isReference()) {
wasReference = true;
LOGGER.trace("Converting SAML reference to assertion");
Object sessionToken = httpRequest.getSession(false).getAttribute(SecurityConstants.SAML_ASSERTION);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Http Session assertion - class: {} loader: {}", sessionToken.getClass().getName(), sessionToken.getClass().getClassLoader());
LOGGER.trace("SecurityToken class: {} loader: {}", SecurityToken.class.getName(), SecurityToken.class.getClassLoader());
}
SecurityToken savedToken = null;
try {
savedToken = ((SecurityTokenHolder) sessionToken).getSecurityToken(token.getRealm());
} catch (ClassCastException e) {
httpRequest.getSession(false).invalidate();
}
if (savedToken != null) {
firstLogin = false;
token.replaceReferenece(savedToken);
}
if (token.isReference()) {
String msg = "Missing or invalid SAML assertion for provided reference.";
LOGGER.debug(msg);
throw new InvalidSAMLReceivedException(msg);
}
}
SAMLAuthenticationToken newToken = renewSecurityToken(httpRequest.getSession(false), token);
SecurityToken securityToken;
if (newToken != null) {
firstLogin = false;
securityToken = (SecurityToken) newToken.getCredentials();
} else {
securityToken = (SecurityToken) token.getCredentials();
}
if (!wasReference) {
// wrap the token
SamlAssertionWrapper assertion = new SamlAssertionWrapper(securityToken.getToken());
// get the crypto junk
Crypto crypto = getSignatureCrypto();
Response samlResponse = createSamlResponse(httpRequest.getRequestURI(), assertion.getIssuerString(), createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null));
BUILDER.get().reset();
Document doc = BUILDER.get().newDocument();
Element policyElement = OpenSAMLUtil.toDom(samlResponse, doc);
doc.appendChild(policyElement);
Credential credential = new Credential();
credential.setSamlAssertion(assertion);
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(crypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
X509Certificate[] x509Certs = (X509Certificate[]) httpRequest.getAttribute("javax.servlet.request.X509Certificate");
requestData.setTlsCerts(x509Certs);
validateHolderOfKeyConfirmation(assertion, x509Certs);
if (assertion.isSigned()) {
// Verify the signature
WSSSAMLKeyInfoProcessor wsssamlKeyInfoProcessor = new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(samlResponse.getDOM().getOwnerDocument()));
assertion.verifySignature(wsssamlKeyInfoProcessor, crypto);
assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(samlResponse.getDOM().getOwnerDocument())), requestData.getSigVerCrypto(), requestData.getCallbackHandler());
}
// Validate the Assertion & verify trust in the signature
assertionValidator.validate(credential, requestData);
}
// if it is all good, then we'll create our subject
subject = securityManager.getSubject(securityToken);
if (firstLogin) {
boolean hasSecurityAuditRole = Arrays.stream(System.getProperty("security.audit.roles").split(",")).filter(subject::hasRole).findFirst().isPresent();
if (hasSecurityAuditRole) {
SecurityLogger.audit("Subject has logged in with admin privileges", subject);
}
}
if (!wasReference && firstLogin) {
addSamlToSession(httpRequest, token.getRealm(), securityToken);
}
} catch (SecurityServiceException e) {
LOGGER.debug("Unable to get subject from SAML request.", e);
throw new ServletException(e);
} catch (WSSecurityException e) {
LOGGER.debug("Unable to read/validate security token from request.", e);
throw new ServletException(e);
}
return subject;
}
Also used :
WSDocInfo(org.apache.wss4j.dom.WSDocInfo)
Credential(org.apache.wss4j.dom.validate.Credential)
SecurityServiceException(ddf.security.service.SecurityServiceException)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
InvalidSAMLReceivedException(org.codice.ddf.security.handler.api.InvalidSAMLReceivedException)
Document(org.w3c.dom.Document)
SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken)
Subject(ddf.security.Subject)
X509Certificate(java.security.cert.X509Certificate)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
Response(org.opensaml.saml.saml2.core.Response)
ServletResponse(javax.servlet.ServletResponse)
ServletException(javax.servlet.ServletException)
Crypto(org.apache.wss4j.common.crypto.Crypto)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
RequestData(org.apache.wss4j.dom.handler.RequestData)
WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)
Aggregations
SAMLAuthenticationToken (org.codice.ddf.security.handler.api.SAMLAuthenticationToken)9
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8
ServletException (javax.servlet.ServletException)6
Element (org.w3c.dom.Element)6
Subject (ddf.security.Subject)5
HandlerResult (org.codice.ddf.security.handler.api.HandlerResult)5
SecurityAssertion (ddf.security.assertion.SecurityAssertion)4
SecurityServiceException (ddf.security.service.SecurityServiceException)4
SecurityAssertionImpl (ddf.security.assertion.impl.SecurityAssertionImpl)3
HttpServletRequest (javax.servlet.http.HttpServletRequest)3
BaseAuthenticationToken (org.codice.ddf.security.handler.api.BaseAuthenticationToken)3
SecurityTokenHolder (ddf.security.common.SecurityTokenHolder)2
SecurityManager (ddf.security.service.SecurityManager)2
IOException (java.io.IOException)2
FilterChain (javax.servlet.FilterChain)2
FilterConfig (javax.servlet.FilterConfig)2
HttpServletResponse (javax.servlet.http.HttpServletResponse)2
HttpSession (javax.servlet.http.HttpSession)2
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)2
InvalidSAMLReceivedException (org.codice.ddf.security.handler.api.InvalidSAMLReceivedException)2
