Example 6 with SAMLAuthenticationToken

Use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in the project ddf by codice.

Class LoginFilter, method renewSecurityToken.

// Imports for the types this method references (taken from the page's own list of classes used).
// LOGGER, securityManager, SystemBaseUrl and SecurityConstants are members or imports of the
// enclosing LoginFilter class and are not shown in this excerpt.
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.codice.ddf.security.handler.api.InvalidSAMLReceivedException;
import org.codice.ddf.security.handler.api.SAMLAuthenticationToken;
import ddf.security.Subject;
import ddf.security.assertion.SecurityAssertion;
import ddf.security.assertion.impl.SecurityAssertionImpl;
import ddf.security.common.SecurityTokenHolder;
import ddf.security.service.SecurityServiceException;

private SAMLAuthenticationToken renewSecurityToken(HttpSession session, SAMLAuthenticationToken savedToken) throws ServletException, WSSecurityException {
    if (session != null) {
        SecurityAssertion savedAssertion = new SecurityAssertionImpl(((SecurityToken) savedToken.getCredentials()));
        // Only assertions issued by this host are eligible for renewal here.
        if (savedAssertion.getIssuer() != null && !savedAssertion.getIssuer().equals(SystemBaseUrl.getHost())) {
            return null;
        }
        // Without a NotOnOrAfter condition there is no expiry to renew against.
        if (savedAssertion.getNotOnOrAfter() == null) {
            return null;
        }
        long afterMil = savedAssertion.getNotOnOrAfter().getTime();
        long timeoutMillis = (afterMil - System.currentTimeMillis());
        // An assertion that has already expired is rejected, never renewed.
        if (timeoutMillis <= 0) {
            throw new InvalidSAMLReceivedException("SAML assertion has expired.");
        }
        // Renew only when the assertion is within 60 seconds of expiring.
        if (timeoutMillis <= 60000) {
            try {
                LOGGER.debug("Attempting to refresh user's SAML assertion.");
                Subject subject = securityManager.getSubject(savedToken);
                LOGGER.debug("Refresh of user assertion successful");
                for (Object principal : subject.getPrincipals()) {
                    if (principal instanceof SecurityAssertion) {
                        SecurityToken token = ((SecurityAssertion) principal).getSecurityToken();
                        SAMLAuthenticationToken samlAuthenticationToken = new SAMLAuthenticationToken((java.security.Principal) savedToken.getPrincipal(), token, savedToken.getRealm());
                        if (LOGGER.isTraceEnabled()) {
                            LOGGER.trace("Setting session token - class: {}  classloader: {}", token.getClass().getName(), token.getClass().getClassLoader());
                        }
                        // Replace the token stored in the session for this realm with the refreshed one.
                        ((SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION)).addSecurityToken(savedToken.getRealm(), token);
                        LOGGER.debug("Saved new user assertion to session.");
                        return samlAuthenticationToken;
                    }
                }
            } catch (SecurityServiceException e) {
                // A failed refresh ends the session rather than leaving a stale assertion in place.
                LOGGER.debug("Unable to refresh user's SAML assertion. User will log out prematurely.", e);
                session.invalidate();
            } catch (Exception e) {
                LOGGER.info("Unhandled exception occurred.", e);
                session.invalidate();
            }
        }
    }
    return null;
}

Example 7 with SAMLAuthenticationToken

Use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in the project ddf by codice.

Class LoginFilter, method handleAuthenticationToken.

// Imports for the types this method references (taken from the page's own list of classes used).
// LOGGER, securityManager, sessionFactory, XMLUtils, getSecurityToken and addSamlToSession are
// members or imports of the enclosing LoginFilter class and are not shown in this excerpt.
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.codice.ddf.security.handler.api.BaseAuthenticationToken;
import org.codice.ddf.security.handler.api.SAMLAuthenticationToken;
import org.w3c.dom.Element;
import ddf.security.Subject;
import ddf.security.assertion.SecurityAssertion;
import ddf.security.service.SecurityServiceException;

private Subject handleAuthenticationToken(HttpServletRequest httpRequest, BaseAuthenticationToken token) throws ServletException {
    Subject subject;
    HttpSession session = sessionFactory.getOrCreateSession(httpRequest);
    // If we already have an assertion inside the session and it has not expired, then use that instead.
    SecurityToken sessionToken = getSecurityToken(session, token.getRealm());
    if (sessionToken == null) {
        /*
         * The user didn't have a SAML token from a previous authentication, but they do have the
         * credentials to log in - perform that action here.
         */
        try {
            // Log in with the specified authentication credentials (AuthenticationToken).
            subject = securityManager.getSubject(token);
            for (Object principal : subject.getPrincipals().asList()) {
                if (principal instanceof SecurityAssertion) {
                    if (LOGGER.isTraceEnabled()) {
                        Element samlToken = ((SecurityAssertion) principal).getSecurityToken().getToken();
                        LOGGER.trace("SAML Assertion returned: {}", XMLUtils.prettyFormat(samlToken));
                    }
                    // Store the freshly issued assertion in the session for this realm.
                    SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
                    addSamlToSession(httpRequest, token.getRealm(), securityToken);
                }
            }
        } catch (SecurityServiceException e) {
            LOGGER.debug("Unable to get subject from auth request.", e);
            throw new ServletException(e);
        }
    } else {
        // An assertion already exists for this session: build a SAML token that refers to the
        // session and hand it to the SAMLAuthenticationToken overload of this method.
        LOGGER.trace("Creating SAML authentication token with session.");
        SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, session.getId(), token.getRealm());
        return handleAuthenticationToken(httpRequest, samlToken);
    }
    return subject;
}

Example 8 with SAMLAuthenticationToken

Use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in the project ddf by codice.

Class LoginFilter, method validateRequest.

// Imports for the types this method references (taken from the page's own list of classes used).
// DDF_AUTHENTICATION_TOKEN is a constant of the enclosing LoginFilter class; the test in
// Example 9 sets that request attribute under the name "ddf.security.token".
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.codice.ddf.security.handler.api.BaseAuthenticationToken;
import org.codice.ddf.security.handler.api.HandlerResult;
import org.codice.ddf.security.handler.api.SAMLAuthenticationToken;
import ddf.security.Subject;

private Subject validateRequest(final HttpServletRequest httpRequest) throws IOException, ServletException {
    Subject subject = null;
    // The upstream authentication handler leaves its result on the request as a HandlerResult.
    Object ddfAuthToken = httpRequest.getAttribute(DDF_AUTHENTICATION_TOKEN);
    if (ddfAuthToken instanceof HandlerResult) {
        HandlerResult result = (HandlerResult) ddfAuthToken;
        BaseAuthenticationToken thisToken = result.getToken();
        /*
         * If the user has already authenticated they will have a valid SAML token. Validate
         * that here and create the subject from the token.
         */
        if (thisToken instanceof SAMLAuthenticationToken) {
            subject = handleAuthenticationToken(httpRequest, (SAMLAuthenticationToken) thisToken);
        } else if (thisToken != null) {
            subject = handleAuthenticationToken(httpRequest, thisToken);
        }
    }
    return subject;
}

Example 9 with SAMLAuthenticationToken

Use of org.codice.ddf.security.handler.api.SAMLAuthenticationToken in the project ddf by codice.

Class LoginFilterTest, method testBadSigSamlCookie.

// Imports for the types this test references (taken from the page's own list of classes used).
// The static mock/fail imports are assumed to come from Mockito and JUnit, which the test's
// mock(...) and fail(...) calls match; sessionFactory, TestHttpServletRequest and readDocument
// are members of the enclosing LoginFilterTest class and are not shown in this excerpt.
import static org.junit.Assert.fail;
import static org.mockito.Mockito.mock;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.codice.ddf.security.handler.api.HandlerResult;
import org.codice.ddf.security.handler.api.SAMLAuthenticationToken;
import org.junit.Test;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import ddf.security.service.SecurityManager;
import ddf.security.service.SecurityServiceException;

// A SAML assertion whose signature does not verify must be rejected by the filter, which
// surfaces as a ServletException from doFilter.
@Test(expected = ServletException.class)
public void testBadSigSamlCookie() throws IOException, XMLStreamException, ServletException, ParserConfigurationException, SAXException, SecurityServiceException {
    FilterConfig filterConfig = mock(FilterConfig.class);
    LoginFilter loginFilter = new LoginFilter();
    loginFilter.setSessionFactory(sessionFactory);
    ddf.security.service.SecurityManager securityManager = mock(SecurityManager.class);
    loginFilter.setSecurityManager(securityManager);
    loginFilter.setSignaturePropertiesFile("signature.properties");
    try {
        loginFilter.init(filterConfig);
    } catch (ServletException e) {
        fail(e.getMessage());
    }
    HttpServletRequest servletRequest = new TestHttpServletRequest();
    HttpServletResponse servletResponse = mock(HttpServletResponse.class);
    FilterChain filterChain = mock(FilterChain.class);
    // Wrap the badly signed assertion from the test resource in a SAML token for the "karaf" realm.
    SecurityToken securityToken = new SecurityToken();
    Element thisToken = readDocument("/bad_saml.xml").getDocumentElement();
    securityToken.setToken(thisToken);
    SAMLAuthenticationToken samlToken = new SAMLAuthenticationToken(null, securityToken, "karaf");
    // Present it to the filter the way an upstream handler would: as a completed HandlerResult
    // on the request attribute the filter reads.
    HandlerResult result = new HandlerResult(HandlerResult.Status.COMPLETED, samlToken);
    servletRequest.setAttribute("ddf.security.token", result);
    loginFilter.doFilter(servletRequest, servletResponse, filterChain);
}
