
Example 6 with Authenticator

use of org.ldaptive.auth.Authenticator in project cas by apereo.

From class Beans, method getSaslAuthenticator:

/**
 * Builds an {@link Authenticator} for the "sasl" authentication type: the user's DN is located by a
 * pooled search under {@code baseDn} using the configured user filter, and the resolved DN is then
 * handed to the pooled bind handler returned by {@code getPooledBindAuthenticationHandler}.
 * <p>
 * Two separate pooled connection factories are built from the same properties, one for the DN search
 * and one for the bind, so the two kinds of traffic do not share a pool. The SASL mechanism itself is
 * not configured in this method; that is left to the bind handler helper.
 *
 * @param l the LDAP authentication properties (base DN, user filter, subtree/multiple-DN flags, pool settings)
 * @return a configured {@link Authenticator}
 * @throws IllegalArgumentException if the user filter is blank
 */
private static Authenticator getSaslAuthenticator(final AbstractLdapAuthenticationProperties l) {
    final String userFilter = l.getUserFilter();
    if (StringUtils.isBlank(userFilter)) {
        throw new IllegalArgumentException("User filter cannot be empty/blank for sasl authentication");
    }
    // Search-side pool: backs the DN lookup only.
    final PooledConnectionFactory searchPool = Beans.newLdaptivePooledConnectionFactory(l);

    final PooledSearchDnResolver dnResolver = new PooledSearchDnResolver();
    dnResolver.setConnectionFactory(searchPool);
    dnResolver.setBaseDn(l.getBaseDn());
    // NOTE(review): the filter is a template into which the login id is substituted; confirm the
    // configured filter uses ldaptive's parameter placeholders rather than concatenating the id.
    dnResolver.setUserFilter(userFilter);
    dnResolver.setSubtreeSearch(l.isSubtreeSearch());
    // NOTE(review): with allowMultipleDns=true an ambiguous match (several entries for one login id)
    // is not rejected; keep it false unless the filter is known to identify exactly one entry.
    dnResolver.setAllowMultipleDns(l.isAllowMultipleDns());

    // Bind-side pool: a second factory so bind traffic never shares the search pool.
    final PooledConnectionFactory bindPool = Beans.newLdaptivePooledConnectionFactory(l);
    return new Authenticator(dnResolver, getPooledBindAuthenticationHandler(l, bindPool));
}

Example 7 with Authenticator

use of org.ldaptive.auth.Authenticator in project cas by apereo.

From class Beans, method getDirectBindAuthenticator:

/**
 * Builds an {@link Authenticator} for direct-bind authentication. No DN search is performed: the login
 * id is substituted into {@code dnFormat} to produce the bind DN, and a pooled bind is attempted
 * against it. When {@code enhanceWithEntryResolver} is set, a search-based entry resolver backed by its
 * own connection pool is attached so the user's attributes can be read back after a successful bind.
 *
 * @param l the LDAP authentication properties (dnFormat, pool settings, entry resolver flag)
 * @return a configured {@link Authenticator}
 * @throws IllegalArgumentException if {@code dnFormat} is blank
 */
private static Authenticator getDirectBindAuthenticator(final AbstractLdapAuthenticationProperties l) {
    final String dnFormat = l.getDnFormat();
    if (StringUtils.isBlank(dnFormat)) {
        throw new IllegalArgumentException("Dn format cannot be empty/blank for direct bind authentication");
    }
    // NOTE(review): the login id goes straight into the DN template. Confirm FormatDnResolver escapes
    // the user value (ldaptive exposes an escape-user option; its default is not visible here) so a
    // crafted id cannot alter the structure of the resulting DN.
    final FormatDnResolver dnResolver = new FormatDnResolver(dnFormat);
    final Authenticator result = new Authenticator(dnResolver,
        getPooledBindAuthenticationHandler(l, Beans.newLdaptivePooledConnectionFactory(l)));
    if (!l.isEnhanceWithEntryResolver()) {
        return result;
    }
    // A separate pool backs the post-bind entry lookup; the bind pool is not reused for it.
    result.setEntryResolver(Beans.newLdaptiveSearchEntryResolver(l, Beans.newLdaptivePooledConnectionFactory(l)));
    return result;
}

Example 8 with Authenticator

use of org.ldaptive.auth.Authenticator in project cas by apereo.

From class LdapAuthenticationConfiguration, method ldapAuthenticationHandlers:

/**
 * Builds one {@link LdapAuthenticationHandler} per LDAP instance configured under
 * {@code cas.authn.ldap} that passes {@code ldapInstanceConfigurationPredicate()} (what that predicate
 * requires is not visible here). Each handler gets an ldaptive {@link Authenticator}, a password policy
 * handling strategy, the principal attribute mapping, optional credential filtering and, when enabled,
 * a password policy configuration, and is initialized before being added to the result.
 *
 * @return the initialized handlers, collected in a {@link HashSet}
 */
@Bean
public Collection<AuthenticationHandler> ldapAuthenticationHandlers() {
    final Collection<AuthenticationHandler> handlers = new HashSet<>();
    casProperties.getAuthn().getLdap().stream().filter(ldapInstanceConfigurationPredicate()).forEach(l -> {
        // Configured principal-attribute list expanded into a multimap; its keys are the attributes
        // the authenticator is expected to return (see the debug line below).
        final Multimap<String, Object> multiMapAttributes = CoreAuthenticationUtils.transformPrincipalAttributesListIntoMultiMap(l.getPrincipalAttributeList());
        LOGGER.debug("Created and mapped principal attributes [{}] for [{}]...", multiMapAttributes, l.getLdapUrl());
        LOGGER.debug("Creating LDAP authenticator for [{}] and baseDn [{}]", l.getLdapUrl(), l.getBaseDn());
        // The concrete DN-resolution/bind strategy (direct bind, search+bind, AD, ...) is picked by
        // LdapUtils from the instance properties, not here.
        final Authenticator authenticator = LdapUtils.newLdaptiveAuthenticator(l);
        LOGGER.debug("Ldap authenticator configured with return attributes [{}] for [{}] and baseDn [{}]", multiMapAttributes.keySet(), l.getLdapUrl(), l.getBaseDn());
        LOGGER.debug("Creating LDAP password policy handling strategy for [{}]", l.getLdapUrl());
        final LdapPasswordPolicyHandlingStrategy strategy = createLdapPasswordPolicyHandlingStrategy(l);
        LOGGER.debug("Creating LDAP authentication handler for [{}]", l.getLdapUrl());
        final LdapAuthenticationHandler handler = new LdapAuthenticationHandler(l.getName(), servicesManager, ldapPrincipalFactory(), l.getOrder(), authenticator, strategy);
        handler.setCollectDnAttribute(l.isCollectDnAttribute());
        // NOTE(review): this appends the principal id attribute to the list returned by the properties
        // object, and the local is not read again in this method. If getAdditionalAttributes() hands
        // back the live configuration list, the id is appended on every construction of this bean --
        // confirm that is intended, or that the handler reads the list elsewhere.
        final List<String> additionalAttributes = l.getAdditionalAttributes();
        if (StringUtils.isNotBlank(l.getPrincipalAttributeId())) {
            additionalAttributes.add(l.getPrincipalAttributeId());
        }
        if (StringUtils.isNotBlank(l.getPrincipalDnAttributeName())) {
            handler.setPrincipalDnAttributeName(l.getPrincipalDnAttributeName());
        }
        // Multi-valued / missing principal attribute handling is purely configuration-driven.
        handler.setAllowMultiplePrincipalAttributeValues(l.isAllowMultiplePrincipalAttributeValues());
        handler.setAllowMissingPrincipalAttributeValue(l.isAllowMissingPrincipalAttributeValue());
        // Password encoder and principal-name transformer come from configuration; how the handler
        // applies them to the credential before the bind is not visible here.
        handler.setPasswordEncoder(PasswordEncoderUtils.newPasswordEncoder(l.getPasswordEncoder()));
        handler.setPrincipalNameTransformer(PrincipalNameTransformerUtils.newPrincipalNameTransformer(l.getPrincipalTransformation()));
        // Optional predicate restricting which credentials this handler will even attempt.
        if (StringUtils.isNotBlank(l.getCredentialCriteria())) {
            LOGGER.debug("Ldap authentication for [{}] is filtering credentials by [{}]", l.getLdapUrl(), l.getCredentialCriteria());
            handler.setCredentialSelectionPredicate(CoreAuthenticationUtils.newCredentialSelectionPredicate(l.getCredentialCriteria()));
        }
        if (StringUtils.isBlank(l.getPrincipalAttributeId())) {
            LOGGER.debug("No principal id attribute is found for LDAP authentication via [{}]", l.getLdapUrl());
        } else {
            handler.setPrincipalIdAttribute(l.getPrincipalAttributeId());
            LOGGER.debug("Using principal id attribute [{}] for LDAP authentication via [{}]", l.getPrincipalAttributeId(), l.getLdapUrl());
        }
        // Password policy (expiry/lockout handling) is built against the same authenticator and
        // attribute map when enabled for this instance.
        if (l.getPasswordPolicy().isEnabled()) {
            LOGGER.debug("Password policy is enabled for [{}]. Constructing password policy configuration", l.getLdapUrl());
            final LdapPasswordPolicyConfiguration cfg = createLdapPasswordPolicyConfiguration(l, authenticator, multiMapAttributes);
            handler.setPasswordPolicyConfiguration(cfg);
        }
        // The multimap is flattened to a plain Map for the handler's attribute mapping.
        final Map<String, Object> attributes = CollectionUtils.wrap(multiMapAttributes);
        handler.setPrincipalAttributeMap(attributes);
        // initialize() is called only after every setter above has been applied.
        LOGGER.debug("Initializing LDAP authentication handler for [{}]", l.getLdapUrl());
        handler.initialize();
        handlers.add(handler);
    });
    return handlers;
}

Example 9 with Authenticator

use of org.ldaptive.auth.Authenticator in project cas by apereo.

From class LdapUtils, method getActiveDirectoryAuthenticator:

/**
 * Builds an {@link Authenticator} for the Active Directory authentication type. No DN search is done:
 * the login id is substituted into {@code dnFormat} and a pooled bind is attempted against the result.
 * When {@code enhanceWithEntryResolver} is set, a search-based entry resolver backed by its own
 * connection pool is attached so the user's attributes can be read back after the bind succeeds.
 *
 * @param l the LDAP authentication properties (dnFormat, pool settings, entry resolver flag)
 * @return a configured {@link Authenticator}
 * @throws IllegalArgumentException if {@code dnFormat} is blank
 */
private static Authenticator getActiveDirectoryAuthenticator(final AbstractLdapAuthenticationProperties l) {
    final String dnFormat = l.getDnFormat();
    if (StringUtils.isBlank(dnFormat)) {
        throw new IllegalArgumentException("Dn format cannot be empty/blank for active directory authentication");
    }
    // NOTE(review): the login id goes straight into the DN template. Confirm FormatDnResolver escapes
    // the user value (ldaptive exposes an escape-user option; its default is not visible here) so a
    // crafted id cannot alter the structure of the resulting DN.
    final Authenticator result = new Authenticator(
        new FormatDnResolver(dnFormat),
        getPooledBindAuthenticationHandler(l, newLdaptivePooledConnectionFactory(l)));
    if (l.isEnhanceWithEntryResolver()) {
        // A separate pool backs the post-bind entry lookup; the bind pool is not reused for it.
        result.setEntryResolver(newLdaptiveSearchEntryResolver(l, newLdaptivePooledConnectionFactory(l)));
    }
    return result;
}

Example 10 with Authenticator

use of org.ldaptive.auth.Authenticator in project cas by apereo.

From class LdapAuthenticationProvider, method authenticate:

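/**
 * Authenticates an admin-pages user against the LDAP directory configured under
 * {@code adminPagesSecurityProperties.getLdap()} and maps the result to Spring Security authorities.
 * <p>
 * Steps: bind as the user through an ldaptive {@link Authenticator}; copy the returned entry's
 * attributes into a pac4j {@link CommonProfile}; let the authorization generator derive roles; require
 * at least one of the configured admin roles. An empty password, a failed bind and a missing admin role
 * all surface as the same {@link BadCredentialsException}, so the response does not reveal which check
 * failed. Any other failure during the exchange becomes {@link InsufficientAuthenticationException}
 * with the cause attached.
 *
 * @param authentication the incoming token; the string form of its principal is used as the LDAP
 *                       login id and the string form of its credentials as the password
 * @return an authenticated {@link UsernamePasswordAuthenticationToken} carrying the mapped roles
 * @throws BadCredentialsException if the password is empty, the bind fails, or no admin role matched
 * @throws InsufficientAuthenticationException if anything else goes wrong during the LDAP exchange
 */
@Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
    try {
        final String username = authentication.getPrincipal().toString();
        final Object credentials = authentication.getCredentials();
        final String password = credentials == null ? null : credentials.toString();
        // A null or empty password must never reach the directory: a bind with a DN and an empty
        // password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that some servers accept as
        // anonymous success, which would let any known username log in without a secret. Rejected
        // here rather than relying on the directory or on ldaptive to refuse it.
        if (password == null || password.isEmpty()) {
            LOGGER.warn("Rejecting LDAP authentication for [{}]: no password supplied", username);
            throw new BadCredentialsException("Could not authenticate provided credentials");
        }
        LOGGER.debug("Preparing LDAP authentication request for user [{}]", username);
        // NOTE(review): ReturnAttributes.ALL copies every attribute of the entry into the profile and
        // into the debug log lines below; consider narrowing it to what the authorization generator needs.
        final AuthenticationRequest request = new AuthenticationRequest(username, new org.ldaptive.Credential(password), ReturnAttributes.ALL.value());
        // NOTE(review): a fresh Authenticator is built on every call; the LdapUtils helpers appear to
        // create pooled connection factories, so building it once and reusing it would avoid per-login pools.
        final Authenticator authenticator = LdapUtils.newLdaptiveAuthenticator(adminPagesSecurityProperties.getLdap());
        LOGGER.debug("Executing LDAP authentication request for user [{}]", username);
        final AuthenticationResponse response = authenticator.authenticate(request);
        LOGGER.debug("LDAP response: [{}]", response);
        if (response.getResult()) {
            // Successful bind: expose the entry's attributes to the pac4j authorization generator.
            final LdapEntry entry = response.getLdapEntry();
            final CommonProfile profile = new CommonProfile();
            profile.setId(username);
            entry.getAttributes().forEach(a -> profile.addAttribute(a.getName(), a.getStringValues()));
            LOGGER.debug("Collected user profile [{}]", profile);
            this.authorizationGenerator.generate(Pac4jUtils.getPac4jJ2EContext(), profile);
            LOGGER.debug("Assembled user profile with roles after generating authorization claims [{}]", profile);
            final Collection<GrantedAuthority> authorities = new ArrayList<>();
            authorities.addAll(profile.getRoles().stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
            LOGGER.debug("List of authorities remapped from profile roles are [{}]", authorities);
            // Authorization: the profile must hold at least one of the configured admin roles.
            final RequireAnyRoleAuthorizer authorizer = new RequireAnyRoleAuthorizer(adminPagesSecurityProperties.getAdminRoles());
            LOGGER.debug("Executing authorization for expected admin roles [{}]", authorizer.getElements());
            final J2EContext context = Pac4jUtils.getPac4jJ2EContext();
            if (authorizer.isAllAuthorized(context, CollectionUtils.wrap(profile))) {
                // The raw password stays in the returned token as Spring Security expects; erasing it
                // is left to the surrounding ProviderManager (on by default -- verify it is not disabled).
                return new UsernamePasswordAuthenticationToken(username, password, authorities);
            }
            LOGGER.warn("User [{}] is not authorized to access the requested resource allowed to roles [{}]", username, authorizer.getElements());
        } else {
            LOGGER.warn("LDAP authentication response produced no results for [{}]", username);
        }
    } catch (final BadCredentialsException e) {
        // Raised above for an empty password; propagate as-is instead of wrapping it as an LDAP error.
        throw e;
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
        throw new InsufficientAuthenticationException("Unexpected LDAP error", e);
    }
    throw new BadCredentialsException("Could not authenticate provided credentials");
}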
