Example 1 with PKIHandler

Use of org.codice.ddf.security.handler.pki.PKIHandler in project ddf by codice.

The class IdpEndpoint, method handleLogin.

protected org.opensaml.saml.saml2.core.Response handleLogin(AuthnRequest authnRequest, String authMethod, HttpServletRequest request, AuthObj authObj, boolean passive, boolean hasCookie) throws SecurityServiceException, WSSecurityException, SimpleSign.SignatureException, ConstraintViolationException {
    LOGGER.debug("Performing login for user. passive: {}, cookie: {}", passive, hasCookie);
    BaseAuthenticationToken token = null;
    request.setAttribute(ContextPolicy.ACTIVE_REALM, BaseAuthenticationToken.ALL_REALM);
    if (PKI.equals(authMethod)) {
        LOGGER.debug("Logging user in via PKI.");
        // A fresh PKIHandler per request; the tokenFactory decides how the client
        // certificate chain is turned into a token, so it must be set before use.
        PKIHandler pkiHandler = new PKIHandler();
        pkiHandler.setTokenFactory(tokenFactory);
        try {
            // response and chain are null and resolve is false: the handler only
            // inspects the request for certificate material and never issues a challenge.
            HandlerResult handlerResult = pkiHandler.getNormalizedToken(request, null, null, false);
            if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
                token = handlerResult.getToken();
            }
        } catch (ServletException e) {
            // Logged at INFO only; token stays null and the AUTHN_FAILED path below is taken.
            LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
        }
    } else if (USER_PASS.equals(authMethod)) {
        LOGGER.debug("Logging user in via BASIC auth.");
        if (authObj != null && authObj.username != null && authObj.password != null) {
            // Credentials posted by the IdP login form.
            token = new UPAuthenticationToken(authObj.username, authObj.password, BaseAuthenticationToken.ALL_REALM);
        } else {
            // Otherwise fall back to an Authorization: Basic header on the request.
            BasicAuthenticationHandler basicAuthenticationHandler = new BasicAuthenticationHandler();
            HandlerResult handlerResult = basicAuthenticationHandler.getNormalizedToken(request, null, null, false);
            if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
                token = handlerResult.getToken();
            }
        }
    } else if (SAML.equals(authMethod)) {
        LOGGER.debug("Logging user in via SAML assertion.");
        // Unlike the USER_PASS branch there is no null check on authObj here; the
        // caller is expected to supply the assertion for SAML logins.
        token = new SAMLAuthenticationToken(null, authObj.assertion, BaseAuthenticationToken.ALL_REALM);
    } else if (GUEST.equals(authMethod) && guestAccess) {
        // Guest login is only honoured when guestAccess is enabled on the endpoint.
        LOGGER.debug("Logging user in as Guest.");
        token = new GuestAuthenticationToken(BaseAuthenticationToken.ALL_REALM, request.getRemoteAddr());
    } else {
        throw new IllegalArgumentException("Auth method is not supported.");
    }
    org.w3c.dom.Element samlToken = null;
    String statusCode;
    if (hasCookie) {
        // An existing session cookie short-circuits authentication: the previously
        // issued assertion is reused and the token built above is never submitted
        // to the securityManager.
        samlToken = getSamlAssertion(request);
        statusCode = StatusCode.SUCCESS;
    } else {
        try {
            statusCode = StatusCode.AUTHN_FAILED;
            // The securityManager validates the token (certificate, password or assertion)
            // and, on success, attaches a SecurityAssertion principal carrying the SAML token.
            Subject subject = securityManager.getSubject(token);
            for (Object principal : subject.getPrincipals().asList()) {
                if (principal instanceof SecurityAssertion) {
                    SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
                    samlToken = securityToken.getToken();
                }
            }
            if (samlToken != null) {
                statusCode = StatusCode.SUCCESS;
            }
        } catch (SecurityServiceException e) {
            // In passive mode the SP asked not to interact with the user, so report
            // failure in the SAML status instead of surfacing the exception.
            if (!passive) {
                throw e;
            } else {
                statusCode = StatusCode.AUTHN_FAILED;
            }
        }
    }
    // Note: this is logged regardless of statusCode; the response status, not this
    // line, is what tells the SP whether authentication succeeded.
    LOGGER.debug("User log in successful.");
    return SamlProtocol.createResponse(SamlProtocol.createIssuer(SystemBaseUrl.constructUrl("/idp/login", true)), SamlProtocol.createStatus(statusCode), authnRequest.getID(), samlToken);
}
Also used: SecurityServiceException(ddf.security.service.SecurityServiceException) GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) PKIHandler(org.codice.ddf.security.handler.pki.PKIHandler) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult) SecurityAssertion(ddf.security.assertion.SecurityAssertion) SAMLAuthenticationToken(org.codice.ddf.security.handler.api.SAMLAuthenticationToken) Subject(ddf.security.Subject) ServletException(javax.servlet.ServletException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Element(org.w3c.dom.Element) BaseAuthenticationToken(org.codice.ddf.security.handler.api.BaseAuthenticationToken) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) BasicAuthenticationHandler(org.codice.ddf.security.handler.basic.BasicAuthenticationHandler) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) SignableXMLObject(org.opensaml.xmlsec.signature.SignableXMLObject) XMLObject(org.opensaml.core.xml.XMLObject)

Example 2 with PKIHandler

Use of org.codice.ddf.security.handler.pki.PKIHandler in project ddf by codice.

The class GuestHandler, method getAuthToken.

/**
     * Returns a BaseAuthenticationToken for the HttpServletRequest. Basic auth is
     * tried first, then PKI; if neither yields a token the caller is treated as a guest.
     *
     * @param request  http request to obtain attributes from and to pass into any local filter chains required
     * @param response http response, passed through to the delegate handlers
     * @param chain    filter chain, passed through to the delegate handlers
     * @return BaseAuthenticationToken (a GuestAuthenticationToken when no credentials were found)
     */
private BaseAuthenticationToken getAuthToken(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
    //check for basic auth first
    String realm = (String) request.getAttribute(ContextPolicy.ACTIVE_REALM);
    BasicAuthenticationHandler basicAuthenticationHandler = new BasicAuthenticationHandler();
    // resolve is false: handlers only look for credentials already on the request
    // and do not send a 401/TLS challenge of their own.
    HandlerResult handlerResult = basicAuthenticationHandler.getNormalizedToken(request, response, chain, false);
    if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
        return handlerResult.getToken();
    }
    //if basic fails, check for PKI
    PKIHandler pkiHandler = new PKIHandler();
    pkiHandler.setTokenFactory(tokenFactory);
    try {
        handlerResult = pkiHandler.getNormalizedToken(request, response, chain, false);
        if (handlerResult.getStatus().equals(HandlerResult.Status.COMPLETED)) {
            return handlerResult.getToken();
        }
    } catch (ServletException e) {
        // A failure while reading the client certificate is logged at INFO and the
        // request silently degrades to guest access below.
        LOGGER.info("Encountered an exception while checking for PKI auth info.", e);
    }
    // No credentials found: issue a guest token bound to the caller's remote address.
    return new GuestAuthenticationToken(realm, request.getRemoteAddr());
}
Also used: ServletException(javax.servlet.ServletException) GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) PKIHandler(org.codice.ddf.security.handler.pki.PKIHandler) BasicAuthenticationHandler(org.codice.ddf.security.handler.basic.BasicAuthenticationHandler) HandlerResult(org.codice.ddf.security.handler.api.HandlerResult)

Aggregations

ServletException (javax.servlet.ServletException)2 GuestAuthenticationToken (org.codice.ddf.security.handler.api.GuestAuthenticationToken)2 HandlerResult (org.codice.ddf.security.handler.api.HandlerResult)2 BasicAuthenticationHandler (org.codice.ddf.security.handler.basic.BasicAuthenticationHandler)2 PKIHandler (org.codice.ddf.security.handler.pki.PKIHandler)2 Subject (ddf.security.Subject)1 SecurityAssertion (ddf.security.assertion.SecurityAssertion)1 SecurityServiceException (ddf.security.service.SecurityServiceException)1 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)1 BaseAuthenticationToken (org.codice.ddf.security.handler.api.BaseAuthenticationToken)1 SAMLAuthenticationToken (org.codice.ddf.security.handler.api.SAMLAuthenticationToken)1 UPAuthenticationToken (org.codice.ddf.security.handler.api.UPAuthenticationToken)1 XMLObject (org.opensaml.core.xml.XMLObject)1 SignableSAMLObject (org.opensaml.saml.common.SignableSAMLObject)1 SignableXMLObject (org.opensaml.xmlsec.signature.SignableXMLObject)1 Element (org.w3c.dom.Element)1