Example 1 with RequireAnyRoleAuthorizer
use of org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer in project cas by apereo.
the class CasSecurityContextConfiguration method config.
@RefreshScope
@Bean
public Config config() {
try {
final AdminPagesSecurityProperties adminProps = casProperties.getAdminPagesSecurity();
if (StringUtils.isNotBlank(adminProps.getLoginUrl()) && StringUtils.isNotBlank(adminProps.getService())) {
final CasConfiguration casConfig = new CasConfiguration(adminProps.getLoginUrl());
final DirectCasClient client = new DirectCasClient(casConfig);
client.setName(CAS_CLIENT_NAME);
final Config cfg = new Config(adminProps.getService(), client);
if (adminProps.getUsers() == null) {
LOGGER.warn("List of authorized users for admin pages security is not defined. " + "Allowing access for all authenticated users");
client.setAuthorizationGenerator(new DefaultCasAuthorizationGenerator<>());
cfg.setAuthorizer(new IsAuthenticatedAuthorizer());
} else {
final Resource file = ResourceUtils.prepareClasspathResourceIfNeeded(adminProps.getUsers());
if (file != null && file.exists()) {
LOGGER.debug("Loading list of authorized users from [{}]", file);
final Properties properties = new Properties();
properties.load(file.getInputStream());
client.setAuthorizationGenerator(new SpringSecurityPropertiesAuthorizationGenerator(properties));
cfg.setAuthorizer(new RequireAnyRoleAuthorizer(adminProps.getAdminRoles()));
}
}
return cfg;
}
} catch (final Exception e) {
LOGGER.warn(e.getMessage(), e);
}
return new Config();
}
Also used :
DirectCasClient(org.pac4j.cas.client.direct.DirectCasClient)
IsAuthenticatedAuthorizer(org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer)
SpringSecurityPropertiesAuthorizationGenerator(org.pac4j.core.authorization.generator.SpringSecurityPropertiesAuthorizationGenerator)
CasConfiguration(org.pac4j.cas.config.CasConfiguration)
Config(org.pac4j.core.config.Config)
Resource(org.springframework.core.io.Resource)
AdminPagesSecurityProperties(org.apereo.cas.configuration.model.core.web.security.AdminPagesSecurityProperties)
CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties)
EnableConfigurationProperties(org.springframework.boot.context.properties.EnableConfigurationProperties)
Properties(java.util.Properties)
AdminPagesSecurityProperties(org.apereo.cas.configuration.model.core.web.security.AdminPagesSecurityProperties)
RequireAnyRoleAuthorizer(org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer)
RefreshScope(org.springframework.cloud.context.config.annotation.RefreshScope)
Bean(org.springframework.context.annotation.Bean)
Example 2 with RequireAnyRoleAuthorizer
use of org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer in project cas by apereo.
the class LdapAuthenticationProvider method authenticate.
@Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
try {
final String username = authentication.getPrincipal().toString();
final Object credentials = authentication.getCredentials();
final String password = credentials == null ? null : credentials.toString();
LOGGER.debug("Preparing LDAP authentication request for user [{}]", username);
final AuthenticationRequest request = new AuthenticationRequest(username, new org.ldaptive.Credential(password), ReturnAttributes.ALL.value());
final Authenticator authenticator = Beans.newLdaptiveAuthenticator(adminPagesSecurityProperties.getLdap());
LOGGER.debug("Executing LDAP authentication request for user [{}]", username);
final AuthenticationResponse response = authenticator.authenticate(request);
LOGGER.debug("LDAP response: [{}]", response);
if (response.getResult()) {
final LdapEntry entry = response.getLdapEntry();
final CommonProfile profile = new CommonProfile();
profile.setId(username);
entry.getAttributes().forEach(a -> profile.addAttribute(a.getName(), a.getStringValues()));
LOGGER.debug("Collected user profile [{}]", profile);
this.authorizationGenerator.generate(WebUtils.getPac4jJ2EContext(), profile);
LOGGER.debug("Assembled user profile with roles after generating authorization claims [{}]", profile);
final Collection<GrantedAuthority> authorities = new ArrayList<>();
authorities.addAll(profile.getRoles().stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
LOGGER.debug("List of authorities remapped from profile roles are [{}]", authorities);
final RequireAnyRoleAuthorizer authorizer = new RequireAnyRoleAuthorizer(adminPagesSecurityProperties.getAdminRoles());
LOGGER.debug("Executing authorization for expected admin roles [{}]", authorizer.getElements());
final J2EContext context = WebUtils.getPac4jJ2EContext();
if (authorizer.isAllAuthorized(context, Arrays.asList(profile))) {
return new UsernamePasswordAuthenticationToken(username, password, authorities);
}
LOGGER.warn("User [{}] is not authorized to access the requested resource allowed to roles [{}]", username, authorizer.getElements());
} else {
LOGGER.warn("LDAP authentication response produced no results for [{}]", username);
}
} catch (final Exception e) {
LOGGER.error(e.getMessage(), e);
throw new InsufficientAuthenticationException("Unexpected LDAP error", e);
}
throw new BadCredentialsException("Could not authenticate provided credentials");
}
Also used :
SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority)
GrantedAuthority(org.springframework.security.core.GrantedAuthority)
ArrayList(java.util.ArrayList)
LdapEntry(org.ldaptive.LdapEntry)
UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
J2EContext(org.pac4j.core.context.J2EContext)
InsufficientAuthenticationException(org.springframework.security.authentication.InsufficientAuthenticationException)
BadCredentialsException(org.springframework.security.authentication.BadCredentialsException)
AuthenticationResponse(org.ldaptive.auth.AuthenticationResponse)
BadCredentialsException(org.springframework.security.authentication.BadCredentialsException)
AuthenticationException(org.springframework.security.core.AuthenticationException)
InsufficientAuthenticationException(org.springframework.security.authentication.InsufficientAuthenticationException)
SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority)
CommonProfile(org.pac4j.core.profile.CommonProfile)
AuthenticationRequest(org.ldaptive.auth.AuthenticationRequest)
Authenticator(org.ldaptive.auth.Authenticator)
RequireAnyRoleAuthorizer(org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer)
Aggregations
RequireAnyRoleAuthorizer (org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer)2
ArrayList (java.util.ArrayList)1
Properties (java.util.Properties)1
CasConfigurationProperties (org.apereo.cas.configuration.CasConfigurationProperties)1
AdminPagesSecurityProperties (org.apereo.cas.configuration.model.core.web.security.AdminPagesSecurityProperties)1
LdapEntry (org.ldaptive.LdapEntry)1
AuthenticationRequest (org.ldaptive.auth.AuthenticationRequest)1
AuthenticationResponse (org.ldaptive.auth.AuthenticationResponse)1
Authenticator (org.ldaptive.auth.Authenticator)1
DirectCasClient (org.pac4j.cas.client.direct.DirectCasClient)1
CasConfiguration (org.pac4j.cas.config.CasConfiguration)1
IsAuthenticatedAuthorizer (org.pac4j.core.authorization.authorizer.IsAuthenticatedAuthorizer)1
SpringSecurityPropertiesAuthorizationGenerator (org.pac4j.core.authorization.generator.SpringSecurityPropertiesAuthorizationGenerator)1
Config (org.pac4j.core.config.Config)1
J2EContext (org.pac4j.core.context.J2EContext)1
CommonProfile (org.pac4j.core.profile.CommonProfile)1
EnableConfigurationProperties (org.springframework.boot.context.properties.EnableConfigurationProperties)1
RefreshScope (org.springframework.cloud.context.config.annotation.RefreshScope)1
Bean (org.springframework.context.annotation.Bean)1
Resource (org.springframework.core.io.Resource)1
