Example 1 with CallbackFilter
use of org.pac4j.jee.filter.CallbackFilter in project knox by apache.
the class Pac4jDispatcherFilter method init.
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// JWT service
final ServletContext context = filterConfig.getServletContext();
CryptoService cryptoService = null;
String clusterName = null;
if (context != null) {
GatewayServices services = (GatewayServices) context.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
clusterName = (String) context.getAttribute(GatewayServices.GATEWAY_CLUSTER_ATTRIBUTE);
if (services != null) {
keystoreService = services.getService(ServiceType.KEYSTORE_SERVICE);
cryptoService = services.getService(ServiceType.CRYPTO_SERVICE);
aliasService = services.getService(ServiceType.ALIAS_SERVICE);
masterService = services.getService(ServiceType.MASTER_SERVICE);
}
}
// crypto service, alias service and cluster name are mandatory
if (cryptoService == null || aliasService == null || clusterName == null) {
log.cryptoServiceAndAliasServiceAndClusterNameRequired();
throw new ServletException("The crypto service, alias service and cluster name are required.");
}
try {
aliasService.getPasswordFromAliasForCluster(clusterName, KnoxSessionStore.PAC4J_PASSWORD, true);
} catch (AliasServiceException e) {
log.unableToGenerateAPasswordForEncryption(e);
throw new ServletException("Unable to generate a password for encryption.");
}
// url to SSO authentication provider
String pac4jCallbackUrl = filterConfig.getInitParameter(PAC4J_CALLBACK_URL);
if (pac4jCallbackUrl == null) {
log.ssoAuthenticationProviderUrlRequired();
throw new ServletException("Required pac4j callback URL is missing.");
}
// client name from servlet parameter (mandatory)
final String clientNameParameter = filterConfig.getInitParameter(PAC4J_CLIENT_NAME_PARAM);
if (clientNameParameter == null) {
log.clientNameParameterRequired();
throw new ServletException("Required pac4j clientName parameter is missing.");
}
final String oidcType = filterConfig.getInitParameter(PAC4J_OIDC_TYPE);
/*
add the callback parameter to know it's a callback,
Azure AD does not honor query param so we add callback param as path element.
*/
if (AzureAdClient.class.getSimpleName().equals(clientNameParameter) || (!StringUtils.isBlank(oidcType) && PAC4J_OICD_TYPE_AZURE.equals(oidcType))) {
pac4jCallbackUrl = pac4jCallbackUrl + URL_PATH_SEPARATOR + PAC4J_CALLBACK_PARAMETER;
} else {
pac4jCallbackUrl = CommonHelper.addParameter(pac4jCallbackUrl, PAC4J_CALLBACK_PARAMETER, "true");
}
final Config config;
final String clientName;
if (TEST_BASIC_AUTH.equalsIgnoreCase(clientNameParameter)) {
// test configuration
final IndirectBasicAuthClient indirectBasicAuthClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
indirectBasicAuthClient.setRealmName("Knox TEST");
config = new Config(pac4jCallbackUrl, indirectBasicAuthClient);
clientName = "IndirectBasicAuthClient";
} else {
// get clients from the init parameters
final Map<String, String> properties = new HashMap<>();
final Enumeration<String> names = filterConfig.getInitParameterNames();
addDefaultConfig(clientNameParameter, properties);
while (names.hasMoreElements()) {
final String key = names.nextElement();
properties.put(key, resolveAlias(clusterName, key, filterConfig.getInitParameter(key)));
}
final PropertiesConfigFactory propertiesConfigFactory = new PropertiesConfigFactory(pac4jCallbackUrl, properties);
config = propertiesConfigFactory.build();
final List<Client> clients = config.getClients().getClients();
if (clients == null || clients.isEmpty()) {
log.atLeastOnePac4jClientMustBeDefined();
throw new ServletException("At least one pac4j client must be defined.");
}
clientName = CommonHelper.isBlank(clientNameParameter) ? clients.get(0).getName() : clientNameParameter;
/* do we need to exclude groups? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_GROUPS, PAC4J_SESSION_STORE_EXCLUDE_GROUPS_DEFAULT);
/* do we need to exclude roles? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_ROLES, PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT);
/* do we need to exclude permissions? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS_DEFAULT);
/* do we need to exclude custom attributes? */
setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES, PAC4J_SESSION_STORE_EXCLUDE_CUSTOM_ATTRIBUTES_DEFAULT);
// decorating client configuration (if needed)
PAC4J_CLIENT_CONFIGURATION_DECORATOR.decorateClients(clients, properties);
}
callbackFilter = new CallbackFilter();
callbackFilter.init(filterConfig);
callbackFilter.setConfigOnly(config);
securityFilter = new SecurityFilter();
securityFilter.setClients(clientName);
securityFilter.setConfigOnly(config);
final String domainSuffix = filterConfig.getInitParameter(PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM);
final String sessionStoreVar = filterConfig.getInitParameter(PAC4J_SESSION_STORE);
SessionStore sessionStore;
if (!StringUtils.isBlank(sessionStoreVar) && JEESessionStore.class.getName().contains(sessionStoreVar)) {
sessionStore = new JEESessionStore();
} else {
sessionStore = new KnoxSessionStore(cryptoService, clusterName, domainSuffix, sessionStoreConfigs);
}
config.setSessionStore(sessionStore);
}
Also used :
GatewayServices(org.apache.knox.gateway.services.GatewayServices)
KnoxSessionStore(org.apache.knox.gateway.pac4j.session.KnoxSessionStore)
HashMap(java.util.HashMap)
FilterConfig(javax.servlet.FilterConfig)
Config(org.pac4j.core.config.Config)
AliasServiceException(org.apache.knox.gateway.services.security.AliasServiceException)
JEESessionStore(org.pac4j.core.context.session.JEESessionStore)
ServletException(javax.servlet.ServletException)
KnoxSessionStore(org.apache.knox.gateway.pac4j.session.KnoxSessionStore)
SessionStore(org.pac4j.core.context.session.SessionStore)
JEESessionStore(org.pac4j.core.context.session.JEESessionStore)
CryptoService(org.apache.knox.gateway.services.security.CryptoService)
PropertiesConfigFactory(org.pac4j.config.client.PropertiesConfigFactory)
SecurityFilter(org.pac4j.jee.filter.SecurityFilter)
ServletContext(javax.servlet.ServletContext)
CallbackFilter(org.pac4j.jee.filter.CallbackFilter)
AzureAdClient(org.pac4j.oidc.client.AzureAdClient)
SAML2Client(org.pac4j.saml.client.SAML2Client)
Client(org.pac4j.core.client.Client)
IndirectBasicAuthClient(org.pac4j.http.client.indirect.IndirectBasicAuthClient)
IndirectBasicAuthClient(org.pac4j.http.client.indirect.IndirectBasicAuthClient)
SimpleTestUsernamePasswordAuthenticator(org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator)
Aggregations
HashMap (java.util.HashMap)1
FilterConfig (javax.servlet.FilterConfig)1
ServletContext (javax.servlet.ServletContext)1
ServletException (javax.servlet.ServletException)1
KnoxSessionStore (org.apache.knox.gateway.pac4j.session.KnoxSessionStore)1
GatewayServices (org.apache.knox.gateway.services.GatewayServices)1
AliasServiceException (org.apache.knox.gateway.services.security.AliasServiceException)1
CryptoService (org.apache.knox.gateway.services.security.CryptoService)1
PropertiesConfigFactory (org.pac4j.config.client.PropertiesConfigFactory)1
Client (org.pac4j.core.client.Client)1
Config (org.pac4j.core.config.Config)1
JEESessionStore (org.pac4j.core.context.session.JEESessionStore)1
SessionStore (org.pac4j.core.context.session.SessionStore)1
IndirectBasicAuthClient (org.pac4j.http.client.indirect.IndirectBasicAuthClient)1
SimpleTestUsernamePasswordAuthenticator (org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator)1
CallbackFilter (org.pac4j.jee.filter.CallbackFilter)1
SecurityFilter (org.pac4j.jee.filter.SecurityFilter)1
AzureAdClient (org.pac4j.oidc.client.AzureAdClient)1
SAML2Client (org.pac4j.saml.client.SAML2Client)1
