use of org.pac4j.core.context.WebContext in project cas by apereo.
The class OidcRequestSupport, method isValidIssuerForEndpoint.
/**
 * Checks that the issuer implied by the current request URL matches the configured OIDC issuer.
 * The request URL, with {@code /<endpoint>} and any trailing slash stripped, must either equal
 * the configured issuer (case-insensitively) or sit underneath it as a sub-path.
 *
 * @param webContext the web context of the current request
 * @param endpoint   the endpoint path segment to strip from the request URL
 * @return {@code true} if the request issuer matches the configured issuer, {@code false} otherwise
 */
public boolean isValidIssuerForEndpoint(final WebContext webContext, final String endpoint) {
    final String requestUrl = webContext.getRequestURL();
    final String endpointSuffix = '/' + endpoint;
    // Everything that remains once the endpoint and a trailing slash are removed is treated as the issuer.
    // NOTE(review): the request URL is taken from the incoming request; behind a reverse proxy, confirm
    // the effective URL reflects the externally visible host and scheme.
    final String requestIssuer = StringUtils.removeEnd(StringUtils.remove(requestUrl, endpointSuffix), "/");
    final String configuredIssuer = oidcIssuerService.determineIssuer(Optional.empty());
    // NOTE(review): the exact comparison ignores case while the sub-path comparison is case-sensitive —
    // confirm this asymmetry is intended.
    final boolean exactMatch = configuredIssuer.equalsIgnoreCase(requestIssuer);
    final boolean subPathMatch = requestIssuer.startsWith(StringUtils.appendIfMissing(configuredIssuer, "/"));
    if (!exactMatch && !subPathMatch) {
        LOGGER.trace("Configured issuer [{}] defined does not match the request issuer [{}]", configuredIssuer, requestIssuer);
    }
    return exactMatch || subPathMatch;
}
use of org.pac4j.core.context.WebContext in project ddf by codice.
The class OidcLogoutActionProvider, method getAction.
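/**
 * Builds the OIDC logout action for the subject described by {@code subjectMap}.
 *
 * @param <T> the parameter type; expected to be a {@code Map} carrying the
 *     {@code http_request} and {@code http_response} entries for the current subject
 * @param subjectMap map containing the servlet request and response of the subject to log out
 * @return an {@link ActionImpl} whose URL is the provider logout URL, or whose URL is {@code null}
 *     when the logout URL could not be resolved; {@code null} if this provider cannot handle
 *     {@code subjectMap}
 * @throws IllegalStateException if no OIDC profile is attached to the current session
 */
@Override
public <T> Action getAction(T subjectMap) {
    if (!canHandle(subjectMap)) {
        return null;
    }
    String logoutUrlString = "";
    URL logoutUrl = null;
    try {
        Map<?, ?> params = (Map<?, ?>) subjectMap;
        HttpServletRequest request = (HttpServletRequest) params.get("http_request");
        HttpServletResponse response = (HttpServletResponse) params.get("http_response");
        OidcProfile oidcProfile = findOidcProfile(request.getSession(false));
        if (oidcProfile == null) {
            throw new IllegalStateException("Unable to determine OIDC profile for logout");
        }
        JEEContext jeeContext = new JEEContext(request, response, new JEESessionStore());
        logoutUrlString = resolveLogoutLocation(jeeContext, oidcProfile, request);
        if (logoutUrlString.isEmpty()) {
            // Previously this fell through to new URL("") and was reported as a malformed URL; say what actually happened.
            LOGGER.info("Unable to resolve logout URL: the logout action builder returned no redirect location");
        } else {
            logoutUrl = new URL(logoutUrlString);
        }
    } catch (MalformedURLException | URISyntaxException e) {
        // Keep the cause so a bad provider/base URL can be diagnosed rather than silently dropped.
        LOGGER.info("Unable to resolve logout URL: {}", logoutUrlString, e);
    } catch (ClassCastException e) {
        LOGGER.debug("Unable to cast parameter to Map<String, Object>, {}", subjectMap, e);
    }
    return new ActionImpl(ID, TITLE, DESCRIPTION, logoutUrl);
}

/**
 * Returns the OIDC profile carried by the session's JWT security assertion.
 *
 * @param session the current HTTP session, may be {@code null}
 * @return the profile, or {@code null} if the session, principal holder or JWT assertion is absent
 */
private static OidcProfile findOidcProfile(HttpSession session) {
    if (session == null) {
        return null;
    }
    PrincipalHolder principalHolder = (PrincipalHolder) session.getAttribute(SecurityConstants.SECURITY_TOKEN_KEY);
    if (principalHolder == null || principalHolder.getPrincipals() == null) {
        return null;
    }
    for (SecurityAssertion securityAssertion : principalHolder.getPrincipals().byType(SecurityAssertion.class)) {
        if (SecurityAssertionJwt.JWT_TOKEN_TYPE.equals(securityAssertion.getTokenType())) {
            return (OidcProfile) securityAssertion.getToken();
        }
    }
    return null;
}

/**
 * Asks the configured logout action builder for the provider-side logout redirect.
 *
 * @param jeeContext  the pac4j web context for the current request/response
 * @param oidcProfile the profile being logged out
 * @param request     the current request, used to recover the previous URL
 * @return the redirect location, or an empty string if the builder produced no location-bearing action
 * @throws URISyntaxException if the local post-logout callback URL cannot be built
 */
private String resolveLogoutLocation(JEEContext jeeContext, OidcProfile oidcProfile, HttpServletRequest request) throws URISyntaxException {
    OidcLogoutActionBuilder logoutActionBuilder = handlerConfiguration.getOidcLogoutActionBuilder();
    // NOTE(review): this mutates the shared builder from handlerConfiguration on every call —
    // presumably to force a plain redirect rather than an AJAX-style response; confirm that is intended.
    logoutActionBuilder.setAjaxRequestResolver(new DefaultAjaxRequestResolver() {
        @Override
        public boolean isAjax(final WebContext context) {
            return false;
        }
    });
    URIBuilder urlBuilder = new URIBuilder(SystemBaseUrl.EXTERNAL.constructUrl("/oidc/logout", true));
    String prevUrl = getPreviousUrl(request);
    if (prevUrl != null) {
        // NOTE(review): prevUrl ends up in the post-logout redirect; getPreviousUrl is expected to
        // vet it — confirm it rejects off-site values.
        urlBuilder.addParameter(PREV_URL, prevUrl);
    }
    RedirectionAction logoutAction = logoutActionBuilder.getLogoutAction(jeeContext, oidcProfile, urlBuilder.build().toString()).orElse(null);
    if (logoutAction instanceof WithLocationAction) {
        return ((WithLocationAction) logoutAction).getLocation();
    }
    return "";
}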
use of org.pac4j.core.context.WebContext in project knox by apache.
The class KnoxSessionStoreTest, method filterConfigParamsTest.
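/**
 * Verifies how groups, roles, permissions and the configured custom attributes are
 * filtered out of the pac4j profile before it is stored in the session cookie:
 * they are removed by default and kept when exclusion is explicitly switched off.
 *
 * @throws AliasServiceException if the mocked alias service set-up fails
 */
@Test
public void filterConfigParamsTest() throws AliasServiceException {
    final AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
    EasyMock.expect(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, PAC4J_PASSWORD, true)).andReturn(PAC4J_PASSWORD.toCharArray()).anyTimes();
    EasyMock.expect(aliasService.getPasswordFromAliasForCluster(CLUSTER_NAME, PAC4J_PASSWORD)).andReturn(PAC4J_PASSWORD.toCharArray()).anyTimes();
    EasyMock.replay(aliasService);
    final DefaultCryptoService cryptoService = new DefaultCryptoService();
    cryptoService.setAliasService(aliasService);
    final Map<String, String> sessionStoreConfigs = new HashMap<>();
    // NOTE(review): the captured cookie is never inspected; the assertions below check the in-memory
    // profile rather than the serialised cookie payload — confirm whether the cookie itself should be asserted on.
    final Capture<org.pac4j.core.context.Cookie> captureCookieValue = EasyMock.newCapture();
    final WebContext mockContext = EasyMock.createNiceMock(WebContext.class);
    EasyMock.expect(mockContext.getFullRequestURL()).andReturn("https://local.com/gateway/knoxsso/").anyTimes();
    mockContext.addResponseCookie(EasyMock.capture(captureCookieValue));
    EasyMock.replay(mockContext);

    final String customGroupsAttr = "https://knox.apache.org/SAML/Attributes/groups";
    final String customGroups2Attr = "https://knox.apache.org/SAML/Attributes/groups2";
    final String[] filteredAttributeNames = {"groups", "roles", "permissions", customGroupsAttr, customGroups2Attr};

    final Set<String> groups = new HashSet<>(Arrays.asList("admin_2", "admin_1", "admin"));
    final Set<String> roles = new HashSet<>(Arrays.asList("roles_2", "roles_1", "roles"));
    final Set<String> permissions = new HashSet<>(Arrays.asList("permissions_2", "permissions_1", "permissions"));
    final Map<String, Object> attributes = new HashMap<>();
    attributes.put("groups", groups);
    attributes.put("permissions", permissions);
    attributes.put("roles", roles);
    attributes.put(customGroupsAttr, groups);
    attributes.put(customGroups2Attr, groups);

    final SAML2Profile samlProfile = new SAML2Profile();
    samlProfile.addAttributes(attributes);
    final Map<String, CommonProfile> profile = new HashMap<>();
    profile.put("SAML2Client", samlProfile);

    // Default behaviour: groups, roles, permissions and the listed custom attributes are dropped from the cookie.
    assertAttributes(samlProfile, true, filteredAttributeNames);
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_GROUPS, PAC4J_SESSION_STORE_EXCLUDE_GROUPS_DEFAULT);
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_ROLES, PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT);
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS_DEFAULT);
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES, customGroupsAttr + ", " + customGroups2Attr);
    // The same config map instance is mutated again below, so the store is expected to read it on each call — TODO confirm.
    final KnoxSessionStore sessionStore = new KnoxSessionStore(cryptoService, CLUSTER_NAME, null, sessionStoreConfigs);
    sessionStore.set(mockContext, Pac4jConstants.USER_PROFILES, profile);
    assertAttributes(samlProfile, false, filteredAttributeNames);

    // Override behaviour: exclusion disabled, so the attributes survive the store.
    samlProfile.addAttributes(attributes);
    assertAttributes(samlProfile, true, filteredAttributeNames);
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_GROUPS, "false");
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_ROLES, "false");
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS, "false");
    sessionStoreConfigs.put(PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES, "");
    sessionStore.set(mockContext, Pac4jConstants.USER_PROFILES, profile);
    assertAttributes(samlProfile, true, filteredAttributeNames);
}

/**
 * Asserts that each named attribute is present on ({@code present == true}) or absent from the profile.
 *
 * @param profile the profile under test
 * @param present whether the attributes are expected to be present
 * @param names   the attribute names to check
 */
private static void assertAttributes(final CommonProfile profile, final boolean present, final String... names) {
    for (final String name : names) {
        final Object value = profile.getAttribute(name);
        if (present) {
            Assert.assertNotNull("attribute '" + name + "' should be present", value);
        } else {
            Assert.assertNull("attribute '" + name + "' should have been removed", value);
        }
    }
}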