
Example 1 with AuthenticationProfile

use of org.ovirt.engine.core.aaa.AuthenticationProfile in project ovirt-engine by oVirt.

the class NegotiationFilter method cacheNegotiatingProfiles.

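/**
 * Rebuilds the cached list of negotiating profiles and the HTTP authentication schemes they
 * advertise.
 *
 * <p>A profile is selected when the capabilities value in its authn context shares at least one
 * bit with {@code caps}. Selected profiles are ordered by ascending negotiation priority.
 *
 * <p>Both lists are assembled in locals and assigned to the fields only once complete. The fields
 * are read by request-handling code that does not hold this monitor; filling them in place would
 * let a request see an empty or half-built (and still unsorted) profile list while a rebuild is
 * running, and would leave a partial list behind if an extension context threw midway.
 */
private synchronized void cacheNegotiatingProfiles() {
    ArrayList<String> collectedSchemes = new ArrayList<>();
    ArrayList<AuthenticationProfile> negotiating = new ArrayList<>();
    for (AuthenticationProfile profile : AuthenticationProfileRepository.getInstance().getProfiles()) {
        ExtMap authnContext = profile.getAuthn().getContext();
        // NOTE(review): a context without CAPABILITIES makes this throw a NullPointerException;
        // confirm every authn extension always sets it.
        if ((authnContext.<Long>get(Authn.ContextKeys.CAPABILITIES).longValue() & caps) != 0) {
            negotiating.add(profile);
            collectedSchemes.addAll(authnContext.<Collection<String>>get(Authn.ContextKeys.HTTP_AUTHENTICATION_SCHEME, Collections.<String>emptyList()));
        }
    }
    negotiating.sort(Comparator.comparing(AuthenticationProfile::getNegotiationPriority));
    // Publish last. NOTE(review): visibility to unsynchronized readers still depends on how the
    // fields are declared (e.g. volatile) - confirm at the declaration site.
    schemes = collectedSchemes;
    profiles = negotiating;
}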
Also used : ExtMap(org.ovirt.engine.api.extensions.ExtMap) AuthenticationProfile(org.ovirt.engine.core.aaa.AuthenticationProfile)

Example 2 with AuthenticationProfile

use of org.ovirt.engine.core.aaa.AuthenticationProfile in project ovirt-engine by oVirt.

the class NegotiationFilter method doFilter.

/**
 * Drives authentication negotiation for requests that are not authenticated yet.
 *
 * <p>Requests that {@code FiltersHelper} reports as authenticated, or that already carry an auth
 * record attribute, are passed down the chain untouched. For any other request the deque of
 * profiles still to be tried is restored from the session (or seeded from the cached profile
 * list) and handed to {@code doAuth}. While profiles remain in the deque it is saved in the
 * session and the chain is not invoked; once the deque is empty the attribute is cleared and the
 * chain continues.
 */
@SuppressWarnings("unchecked")
@Override
public void doFilter(ServletRequest req, ServletResponse rsp, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpreq = (HttpServletRequest) req;
    boolean alreadyHandled = FiltersHelper.isAuthenticated(httpreq)
            || httpreq.getAttribute(FiltersHelper.Constants.REQUEST_AUTH_RECORD_KEY) != null;
    if (alreadyHandled) {
        chain.doFilter(req, rsp);
        return;
    }

    req.setAttribute(FiltersHelper.Constants.REQUEST_SCHEMES_KEY, schemes);

    // Do not create a session just to look for negotiation state left by an earlier round trip.
    HttpSession session = httpreq.getSession(false);
    Deque<AuthenticationProfile> pending = session == null
            ? null
            : (Deque<AuthenticationProfile>) session.getAttribute(STACK_ATTR);
    if (pending == null) {
        // First round for this client: start from a private copy of the cached profile list.
        pending = new ArrayDeque<>(profiles);
    }

    doAuth(httpreq, (HttpServletResponse) rsp, pending);

    if (!pending.isEmpty()) {
        // Negotiation is still in progress; keep the remaining profiles for the next request.
        // NOTE(review): this creates a session for a client that is not authenticated yet -
        // confirm the session id is rotated once login completes.
        httpreq.getSession(true).setAttribute(STACK_ATTR, pending);
        return;
    }

    if (session != null) {
        session.removeAttribute(STACK_ATTR);
    }
    // The outcome of doAuth is not inspected here: the chain continues whenever no profile is
    // left to try, so deciding whether the request is authenticated is left to later processing.
    chain.doFilter(req, rsp);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) AuthenticationProfile(org.ovirt.engine.core.aaa.AuthenticationProfile)

Example 3 with AuthenticationProfile

use of org.ovirt.engine.core.aaa.AuthenticationProfile in project ovirt-engine by oVirt.

the class CreateUserSessionCommand method executeCommand.

/**
 * Creates an engine session for the user described by the command parameters.
 *
 * <p>The command fails (no session is created) when the named authentication profile is unknown,
 * when an admin is required and the user holds no admin role, or when the permission lookup for
 * {@code ActionGroup.LOGIN} returns {@code null}. On success the new engine session id is set as
 * the action return value and recorded in {@code sessionId}.
 */
@Override
protected void executeCommand() {
    final AuthenticationProfile profile = AuthenticationProfileRepository.getInstance().getProfile(getParameters().getProfileName());
    sourceIp = getParameters().getSourceIp();
    if (profile == null) {
        setSucceeded(false);
        return;
    }

    final DbUser user = buildUser(getParameters(), profile.getAuthzName());
    boolean hasAdminRole = !roleDao.getAnyAdminRoleForUserAndGroups(user.getId(), StringUtils.join(user.getGroupIds(), ",")).isEmpty();
    user.setAdmin(hasAdminRole);
    // Current user and user name are set before the authorization checks below, so they are
    // populated on the failure paths too - presumably for audit logging; confirm.
    setCurrentUser(user);
    setUserName(String.format("%s@%s", getCurrentUser().getLoginName(), getCurrentUser().getDomain()));

    if (getParameters().isAdminRequired() && !hasAdminRole) {
        setSucceeded(false);
        return;
    }
    if (permissionDao.getEntityPermissionsForUserAndGroups(user.getId(), StringUtils.join(user.getGroupIds(), ","), ActionGroup.LOGIN, BOTTOM_OBJECT_ID, VdcObjectType.Bottom, true) == null) {
        // No login permission for the user or any of their groups.
        setSucceeded(false);
        return;
    }

    // Both checks passed: only now is a session id generated and populated.
    String newSessionId = sessionDataContainer.generateEngineSessionId();
    sessionDataContainer.setSourceIp(newSessionId, getParameters().getSourceIp());
    sessionDataContainer.setUser(newSessionId, user);
    sessionDataContainer.refresh(newSessionId);
    sessionDataContainer.setProfile(newSessionId, profile);
    sessionDataContainer.setPrincipalName(newSessionId, getParameters().getPrincipalName());
    // The SSO access token is kept with the session data; treat the container as secret-bearing.
    sessionDataContainer.setSsoAccessToken(newSessionId, getParameters().getSsoToken());
    sessionDataContainer.setSsoOvirtAppApiScope(newSessionId, getParameters().getAppScope());
    getReturnValue().setActionReturnValue(newSessionId);
    setSucceeded(true);
    sessionId = newSessionId;
}
Also used : AuthenticationProfile(org.ovirt.engine.core.aaa.AuthenticationProfile) DbUser(org.ovirt.engine.core.common.businessentities.aaa.DbUser)

Example 4 with AuthenticationProfile

use of org.ovirt.engine.core.aaa.AuthenticationProfile in project ovirt-engine by oVirt.

the class LogoutSessionCommand method executeCommand.

/**
 * Logs out the engine session named in the command parameters.
 *
 * <p>The session id and its recorded source IP are copied into this command's fields first. If
 * the session data container holds no profile for that id the command fails; otherwise the
 * session is flagged as no longer valid and the command succeeds.
 */
@Override
protected void executeCommand() {
    AuthenticationProfile profile = sessionDataContainer.getProfile(getParameters().getSessionId());
    sessionId = getParameters().getSessionId();
    sourceIp = sessionDataContainer.getSourceIp(getParameters().getSessionId());

    // A missing profile is treated as "no such session".
    boolean sessionKnown = profile != null;
    if (sessionKnown) {
        // NOTE(review): the session is only marked invalid here; its removal from the container
        // is not visible in this method - confirm where the stored data is purged.
        sessionDataContainer.setSessionValid(getParameters().getSessionId(), false);
    }
    setSucceeded(sessionKnown);
}
Also used : AuthenticationProfile(org.ovirt.engine.core.aaa.AuthenticationProfile)

Example 5 with AuthenticationProfile

use of org.ovirt.engine.core.aaa.AuthenticationProfile in project ovirt-engine by oVirt.

the class SsoRestApiNegotiationFilter method doFilter.

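/**
 * Performs Negotiate authentication for REST API requests and, on success, creates the user
 * session through the SSO service.
 *
 * <p>Negotiation is skipped, and the request passed straight down the chain, when the request is
 * already authenticated with a valid session or when {@code ENGINE_RESTAPI_NEGO} is disabled.
 * Otherwise the deque of profiles still to be tried is restored from the session (or seeded from
 * the cached profile list) and handed to {@code doAuth}. While profiles remain the deque is saved
 * in the session and the chain is not invoked. Once it is empty, a non-null user name in the
 * result triggers {@code loginOnBehalf} and session creation, and the chain continues.
 *
 * <p>A failure during negotiation is recorded in the
 * {@code SessionConstants.SSO_AUTHENTICATION_ERR_MSG} request attribute and the chain continues
 * without a session having been created here. The downstream {@code chain.doFilter} call is made
 * outside the {@code try} block: when it was inside, any exception thrown by the rest of the
 * chain was logged as an authentication failure and the chain was then invoked a second time for
 * the same request.
 *
 * @throws IOException if the rest of the chain fails with an I/O error
 * @throws ServletException if the rest of the chain fails
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    log.debug("Entered SsoRestApiNegotiationFilter");
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    if ((FiltersHelper.isAuthenticated(req) && FiltersHelper.isSessionValid(req)) || !EngineLocalConfig.getInstance().getBoolean("ENGINE_RESTAPI_NEGO")) {
        log.debug("SsoRestApiNegotiationFilter Not performing Negotiate Auth");
        chain.doFilter(request, response);
        return;
    }

    log.debug("SsoRestApiNegotiationFilter performing Negotiate Auth");
    // Stays true unless negotiation needs another round trip with the client.
    boolean continueChain = true;
    try {
        req.setAttribute(FiltersHelper.Constants.REQUEST_SCHEMES_KEY, schemes);
        HttpSession session = req.getSession(false);
        Deque<AuthenticationProfile> stack = null;
        if (session != null) {
            stack = (Deque<AuthenticationProfile>) session.getAttribute(STACK_ATTR);
        }
        if (stack == null) {
            stack = new ArrayDeque<>();
            stack.addAll(profiles);
        }
        AuthResult authResult = doAuth(req, resp, stack);
        if (!stack.isEmpty()) {
            // Negotiation still in progress: keep the remaining profiles for the next request.
            req.getSession(true).setAttribute(STACK_ATTR, stack);
            continueChain = false;
        } else {
            if (session != null) {
                session.removeAttribute(STACK_ATTR);
            }
            if (authResult.username != null) {
                log.debug("SsoRestApiNegotiationFilter invoking SsoAuthServiceUtils.loginOnBehalf for : {}", authResult.username);
                Map<String, Object> jsonResponse = SsoOAuthServiceUtils.loginOnBehalf(authResult.username, scope, authResult.authRecord);
                // NOTE(review): the return value is ignored, so this only guards session creation
                // if isStatusOk throws on a non-OK response - confirm.
                FiltersHelper.isStatusOk(jsonResponse);
                log.debug("SsoRestApiNegotiationFilter creating user session");
                SsoUtils.createUserSession(req, FiltersHelper.getPayloadForToken((String) jsonResponse.get("access_token")), false);
            }
        }
    } catch (Exception e) {
        // Deliberate best effort: record the failure and let the request continue down the chain
        // without a session having been created by this filter.
        // NOTE(review): the raw exception message is stored in a request attribute - confirm it is
        // not echoed to the client where it could disclose internal details.
        req.setAttribute(SessionConstants.SSO_AUTHENTICATION_ERR_MSG, e.getMessage());
        log.error("Cannot authenticate using External Authentication: {}", e.getMessage());
        log.debug("Cannot authenticate using External Authentication", e);
    }

    if (continueChain) {
        // Outside the try block so downstream failures propagate instead of re-running the chain.
        chain.doFilter(req, resp);
    }
}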
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) HttpSession(javax.servlet.http.HttpSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthenticationProfile(org.ovirt.engine.core.aaa.AuthenticationProfile) ServletException(javax.servlet.ServletException) IOException(java.io.IOException)

Aggregations

AuthenticationProfile (org.ovirt.engine.core.aaa.AuthenticationProfile)8 ExtMap (org.ovirt.engine.api.extensions.ExtMap)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 HttpSession (javax.servlet.http.HttpSession)2 IOException (java.io.IOException)1 ServletException (javax.servlet.ServletException)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 DbUser (org.ovirt.engine.core.common.businessentities.aaa.DbUser)1