
Example 16 with ContextPolicy

use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.

the class PolicyManagerTest method testBadTraversal.

@Test
public void testBadTraversal() {
    // Each entry pairs a requested path with the context path the manager is expected to
    // resolve it to. The cases cover, in order: a path deeper than the traversal limit,
    // trailing slashes, a path made only of slashes, runs of slashes inside a path (once
    // within the limit, once beyond it so that it falls back to "/"), "//" and a lone "/".
    String[][] cases = {
        {"/1/2/3/4/5/6/7/8/9/10/11/12/13/14/15", "/1/2/3/4/5/6/7/8/9/10/11/12/13/14"},
        {"/1/2/3/4/5/6/7/8/9/10/11/12/13/14////////////////", "/1/2/3/4/5/6/7/8/9/10/11/12/13/14"},
        {"///////////////////////////////////////////////////////////////////////////", "/"},
        {"/1/2/3/////////////////////////////////////4/5//6/7////////////////", "/1/2"},
        {"/1/2/3////////4/5//////////6/7/8//////////9/10//////////11/12/13/14////////////////", "/"},
        {"//", "/"},
        {"/", "/"},
    };
    for (String[] testCase : cases) {
        String requested = testCase[0];
        String expectedContextPath = testCase[1];
        ContextPolicy resolved = manager.getContextPolicy(requested);
        assertThat(expectedContextPath, is(resolved.getContextPath()));
    }
}

Example 17 with ContextPolicy

use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.

the class PolicyManagerTest method testAllPolicies.

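/**
 * Verifies the policies configured by the test fixture: the context path each one resolves to,
 * the authentication methods it advertises (in order) and, for {@code /search}, the allowed
 * attribute permissions. A context without a policy of its own falls back to {@code /}, and the
 * unprotected contexts must not advertise any authentication method.
 */
private void testAllPolicies() {
    // search policy
    ContextPolicy policy = manager.getContextPolicy("/search");
    assertThat(policy.getContextPath(), is("/search"));
    assertAuthenticationMethodsStartWith(policy, "SAML", "BASIC", "GUEST");
    List<Permission> permissionList = policy.getAllowedAttributePermissions().getPermissionList();
    assertThat(permissionList.get(0).toString(), is("role : user"));
    assertThat(permissionList.get(1).toString(), is("control : foo"));
    assertThat(permissionList.get(2).toString(), is("control : bar"));
    // admin policy
    policy = manager.getContextPolicy("/admin");
    assertThat(policy.getContextPath(), is("/admin"));
    assertAuthenticationMethodsStartWith(policy, "SAML", "BASIC");
    // foo policy
    policy = manager.getContextPolicy("/foo");
    assertThat(policy.getContextPath(), is("/foo"));
    assertAuthenticationMethodsStartWith(policy, "BASIC");
    // a context with no policy of its own resolves to the root policy
    policy = manager.getContextPolicy("/random");
    assertThat(policy.getContextPath(), is("/"));
    assertAuthenticationMethodsStartWith(policy, "SAML", "BASIC");
    // unprotected contexts expose no authentication method at all
    policy = manager.getContextPolicy("/unprotected");
    assertThat(policy.getContextPath(), is("/unprotected"));
    assertNoAuthenticationMethods(policy);
    policy = manager.getContextPolicy("/unprotected2");
    assertThat(policy.getContextPath(), is("/unprotected2"));
    assertNoAuthenticationMethods(policy);
}

/**
 * Asserts that {@code policy} advertises the given authentication methods, in the given order, as
 * the leading entries of {@link ContextPolicy#getAuthenticationMethods()}.
 *
 * <p>Additional methods after the expected prefix are tolerated, as before. Unlike the previous
 * index-counting loop, a policy that advertises <em>fewer</em> methods than expected (including
 * none at all) now fails instead of silently passing, since the per-element check is reached
 * only while the iterator still has elements.
 *
 * @param policy   policy under test
 * @param expected authentication method names expected at the head of the policy's list
 */
private static void assertAuthenticationMethodsStartWith(ContextPolicy policy, String... expected) {
    Iterator<String> authIter = policy.getAuthenticationMethods().iterator();
    for (int i = 0; i < expected.length; i++) {
        // presence must be asserted explicitly; otherwise a short list skips the comparison
        assertThat("authentication method #" + i + " of " + policy.getContextPath(),
                authIter.hasNext(), is(true));
        assertThat(authIter.next(), is(expected[i]));
    }
}

/**
 * Asserts that {@code policy} advertises no authentication method.
 *
 * @param policy policy under test
 */
private static void assertNoAuthenticationMethods(ContextPolicy policy) {
    Iterator<String> authIter = policy.getAuthenticationMethods().iterator();
    assertThat("unexpected authentication method on " + policy.getContextPath(),
            authIter.hasNext(), is(false));
}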

Example 18 with ContextPolicy

use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.

the class PolicyManagerTest method testFindContextPaths.

@Test
public void testFindContextPaths() {
    // requested path -> context path the manager should resolve it to; deeper paths map to the
    // closest configured ancestor and unknown paths fall back to "/"
    String[][] expectations = {
        {"/search/standard/user", "/search/standard"},
        {"/search/standard", "/search/standard"},
        {"/search/endpoint", "/search"},
        {"/random/other/endpoint", "/"},
        {"/aaaaab", "/"},
        {"/aaa/aab", "/aaa"},
        {"/", "/"},
        {"blah", "/"},
        {"/foo/bar", "/foo/bar"},
        {"/foo/bar/foobar", "/foo/bar"},
    };
    for (String[] expectation : expectations) {
        ContextPolicy resolved = manager.getContextPolicy(expectation[0]);
        assertThat(expectation[1], is(resolved.getContextPath()));
    }
    // "/foo" is white-listed, so no policy is resolved for it; "/foo/bar" is not white-listed
    ContextPolicy whiteListedPolicy = manager.getContextPolicy("/foo");
    assertThat(whiteListedPolicy, is(nullValue()));
    assertThat(manager.isWhiteListed("/foo"), is(true));
    assertThat(manager.isWhiteListed("/foo/bar"), is(false));
}

Example 19 with ContextPolicy

use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.

the class AuthenticationEndpoint method login.

/**
 * Authenticates a username/password form submission and redirects the client back to
 * {@code prevurl}.
 *
 * <p>The request is rejected unless it arrived over a secure channel, and any session the
 * client already holds is invalidated before authentication starts, so the session that ends up
 * carrying the security token is created only after the credentials were accepted (presumably
 * to avoid reusing a pre-login session; confirm against the session factory). The realm is taken
 * from the context policy that applies to {@code prevurl}, falling back to
 * {@link BaseAuthenticationToken#DEFAULT_REALM} when no policy resolves.
 *
 * @param request  incoming HTTP request; must satisfy {@code isSecure()}
 * @param username form field carrying the user name
 * @param password form field carrying the password
 * @param prevurl  path the client came from; selects the realm and is the redirect target
 * @return a "see other" redirect to {@code prevurl} resolved against this endpoint's base URI
 * @throws SecurityServiceException if the security manager yields no subject (or if it fails
 *                                  while authenticating the token)
 * @throws IllegalArgumentException if the request did not arrive over a secure channel
 */
@POST
public Response login(@Context HttpServletRequest request, @FormParam("username") String username, @FormParam("password") String password, @FormParam("prevurl") String prevurl) throws SecurityServiceException {
    // Make sure we're using HTTPS -- credentials must never travel over plaintext
    if (!request.isSecure()) {
        throw new IllegalArgumentException("Authentication request must use TLS.");
    }
    // Drop whatever session the client arrived with; a fresh one is created below only once
    // authentication succeeded. getSession(false) never creates a session as a side effect.
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();
    }
    // Get the realm from the previous url; no matching policy means the default realm
    String realm = BaseAuthenticationToken.DEFAULT_REALM;
    ContextPolicy policy = contextPolicyManager.getContextPolicy(prevurl);
    if (policy != null) {
        realm = policy.getRealm();
    }
    // Create an authentication token scoped to that realm
    UPAuthenticationToken authenticationToken = new UPAuthenticationToken(username, password, realm);
    // Authenticate; a null subject is treated as a failed login
    Subject subject = securityManager.getSubject(authenticationToken);
    if (subject == null) {
        throw new SecurityServiceException("Authentication failed");
    }
    // Store every security token the authenticated subject carries on the (new) session
    for (Object principal : subject.getPrincipals()) {
        if (principal instanceof SecurityAssertion) {
            SecurityToken securityToken = ((SecurityAssertion) principal).getSecurityToken();
            if (securityToken == null) {
                LOGGER.debug("Cannot add null security token to session");
                continue;
            }
            // Create a session and add the security token
            session = sessionFactory.getOrCreateSession(request);
            // NOTE(review): assumes the session factory always stores a SecurityTokenHolder
            // under SAML_ASSERTION when it creates the session -- a missing attribute would
            // NPE on the next line; confirm against the factory implementation
            SecurityTokenHolder holder = (SecurityTokenHolder) session.getAttribute(SecurityConstants.SAML_ASSERTION);
            holder.addSecurityToken(realm, securityToken);
        }
    }
    // Redirect to the previous url; only the path of the base URI is replaced, so the redirect
    // is expected to stay on this endpoint's scheme and host (worth confirming with an
    // absolute prevurl value)
    URI redirect = uriInfo.getBaseUriBuilder().replacePath(prevurl).build();
    return Response.seeOther(redirect).build();
}

Example 20 with ContextPolicy

use of org.codice.ddf.security.policy.context.ContextPolicy in project ddf by codice.

the class WebSSOFilter method doFilter.

/**
 * Entry point of the SSO filter for every registered HTTP context.
 *
 * <p>The realm that applies to the requested path is looked up through the context policy
 * manager and stored on the request as {@link ContextPolicy#ACTIVE_REALM} so that the login
 * filter can read it. A white-listed context is marked with {@link ContextPolicy#NO_AUTH_POLICY}
 * and passed straight down the chain; any other request has that marker cleared and is handed to
 * {@code handleRequest} together with the handlers configured for the path, which then try to
 * locate or obtain the tokens needed to build a SAML assertion. Without a context policy manager
 * the default realm is used and no context is treated as white-listed.
 *
 * @param servletRequest  incoming HTTP request
 * @param servletResponse response stream for returning the response
 * @param filterChain     chain of filters to be invoked following this filter
 * @throws IOException      propagated from the filter chain or the request handling
 * @throws ServletException propagated from the filter chain or the request handling
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    LOGGER.debug("Performing doFilter() on WebSSOFilter");
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
    final String path = httpRequest.getRequestURI();
    LOGGER.debug("Handling request for path {}", path);

    String realm = BaseAuthenticationToken.DEFAULT_REALM;
    boolean whiteListed = false;
    if (contextPolicyManager != null) {
        ContextPolicy policy = contextPolicyManager.getContextPolicy(path);
        realm = policy == null ? realm : policy.getRealm();
        whiteListed = contextPolicyManager.isWhiteListed(path);
    }
    // the login filter reads this attribute to know which realm applies
    servletRequest.setAttribute(ContextPolicy.ACTIVE_REALM, realm);

    if (whiteListed) {
        LOGGER.debug("Context of {} has been whitelisted, adding a NO_AUTH_POLICY attribute to the header.", path);
        servletRequest.setAttribute(ContextPolicy.NO_AUTH_POLICY, true);
        filterChain.doFilter(httpRequest, httpResponse);
        return;
    }
    // clear any NO_AUTH_POLICY marker the request may have arrived with, then authenticate
    servletRequest.setAttribute(ContextPolicy.NO_AUTH_POLICY, null);
    LOGGER.debug("Handling request for {} in security realm {}.", path, realm);
    handleRequest(httpRequest, httpResponse, filterChain, getHandlerList(path));
}
