Example 21 with Authenticator
use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.
the class JITProvisioningPostAuthenticationHandler method handleRequestFlow.
/**
* To handle the request flow of the post authentication handler.
*
* @param response HttpServlet response.
* @param context Authentication context
* @return Status of this post authentication handler flow.
* @throws PostAuthenticationFailedException Exception that will be thrown in case of failure.
*/
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleRequestFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
String retryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
SequenceConfig sequenceConfig = context.getSequenceConfig();
for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
StepConfig stepConfig = entry.getValue();
AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
if (authenticatorConfig == null) {
// ex: Different authentication sequences evaluated by the script
continue;
}
ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
if (authenticator instanceof FederatedApplicationAuthenticator) {
String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
context.setExternalIdP(externalIdPConfig);
Map<String, String> localClaimValues;
if (stepConfig.isSubjectAttributeStep()) {
localClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
} else {
localClaimValues = getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig, externalIdPConfig);
}
if (localClaimValues == null || localClaimValues.size() == 0) {
Map<ClaimMapping, String> userAttributes = stepConfig.getAuthenticatedUser().getUserAttributes();
localClaimValues = FrameworkUtils.getClaimMappings(userAttributes, false);
}
if (externalIdPConfig != null && externalIdPConfig.isProvisioningEnabled()) {
if (localClaimValues == null) {
localClaimValues = new HashMap<>();
}
String associatedLocalUser = getLocalUserAssociatedForFederatedIdentifier(stepConfig.getAuthenticatedIdP(), stepConfig.getAuthenticatedUser().getAuthenticatedSubjectIdentifier(), context.getTenantDomain());
String username = associatedLocalUser;
// If associatedLocalUser is null, that means relevant association not exist already.
if (StringUtils.isEmpty(associatedLocalUser)) {
if (log.isDebugEnabled()) {
log.debug(sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do not have a local account, hence redirecting" + " to the UI to sign up.");
}
if (externalIdPConfig.isPromptConsentEnabled()) {
username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
redirectToAccountCreateUI(externalIdPConfig, context, localClaimValues, response, username, request);
// Set the property to make sure the request is a returning one.
context.setProperty(FrameworkConstants.PASSWORD_PROVISION_REDIRECTION_TRIGGERED, true);
return PostAuthnHandlerFlowStatus.INCOMPLETE;
}
}
if (StringUtils.isEmpty(username)) {
username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
}
if (StringUtils.isNotBlank(associatedLocalUser)) {
// Check if the associated local account is locked.
if (isAccountLocked(username, context.getTenantDomain())) {
if (log.isDebugEnabled()) {
log.debug(String.format("The account is locked for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
}
String retryParam = "&authFailure=true&authFailureMsg=error.user.account.locked&errorCode=" + UserCoreConstants.ErrorCode.USER_IS_LOCKED;
handleAccountLockLoginFailure(retryURL, context, response, retryParam);
return PostAuthnHandlerFlowStatus.INCOMPLETE;
}
// Check if the associated local account is disabled.
if (isAccountDisabled(associatedLocalUser, context.getTenantDomain())) {
if (log.isDebugEnabled()) {
log.debug(String.format("The account is disabled for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
}
String retryParam = "&authFailure=true&authFailureMsg=error.user.account.disabled&errorCode=" + IdentityCoreConstants.USER_ACCOUNT_DISABLED_ERROR_CODE;
handleAccountLockLoginFailure(retryURL, context, response, retryParam);
return PostAuthnHandlerFlowStatus.INCOMPLETE;
}
}
if (log.isDebugEnabled()) {
log.debug("User : " + sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do have a local account, with the username " + username);
}
callDefaultProvisioningHandler(username, context, externalIdPConfig, localClaimValues, stepConfig);
}
}
}
return SUCCESS_COMPLETED;
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
ClaimMapping(org.wso2.carbon.identity.application.common.model.ClaimMapping)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
Map(java.util.Map)
HashMap(java.util.HashMap)
Example 22 with Authenticator
use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.
the class DefaultAuthenticationRequestHandler method concludeFlow.
/**
* Sends the response to the servlet that initiated the authentication flow
*
* @param request
* @param response
* @throws ServletException
* @throws IOException
*/
protected void concludeFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (log.isDebugEnabled()) {
log.debug("Concluding the Authentication Flow");
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
sequenceConfig.setCompleted(false);
AuthenticationResult authenticationResult = new AuthenticationResult();
boolean isAuthenticated = context.isRequestAuthenticated();
authenticationResult.setAuthenticated(isAuthenticated);
String authenticatedUserTenantDomain = getAuthenticatedUserTenantDomain(context, authenticationResult);
authenticationResult.setSaaSApp(sequenceConfig.getApplicationConfig().isSaaSApp());
if (isAuthenticated) {
if (!sequenceConfig.getApplicationConfig().isSaaSApp()) {
String spTenantDomain = context.getTenantDomain();
String userTenantDomain = sequenceConfig.getAuthenticatedUser().getTenantDomain();
if (StringUtils.isNotEmpty(userTenantDomain)) {
if (StringUtils.isNotEmpty(spTenantDomain) && !spTenantDomain.equals(userTenantDomain)) {
throw new FrameworkException("Service Provider tenant domain must be equal to user tenant " + "domain for non-SaaS applications");
}
}
}
authenticationResult.setSubject(new AuthenticatedUser(sequenceConfig.getAuthenticatedUser()));
ApplicationConfig appConfig = sequenceConfig.getApplicationConfig();
if (appConfig.getServiceProvider().getLocalAndOutBoundAuthenticationConfig().isAlwaysSendBackAuthenticatedListOfIdPs()) {
authenticationResult.setAuthenticatedIdPs(sequenceConfig.getAuthenticatedIdPs());
}
// SessionContext is retained across different SP requests in the same browser session.
// it is tracked by a cookie
SessionContext sessionContext = null;
String commonAuthCookie = null;
String sessionContextKey = null;
String analyticsSessionAction = null;
// When getting the cookie, it will not give the path. When paths are tenant qualified, it will only give
// the cookies matching that path.
Cookie authCookie = FrameworkUtils.getAuthCookie(request);
// Force authentication requires the creation of a new session. Therefore skip using the existing session
if (authCookie != null && !context.isForceAuthenticate()) {
commonAuthCookie = authCookie.getValue();
if (commonAuthCookie != null) {
sessionContextKey = DigestUtils.sha256Hex(commonAuthCookie);
sessionContext = FrameworkUtils.getSessionContextFromCache(sessionContextKey, context.getLoginTenantDomain());
}
}
String applicationTenantDomain = getApplicationTenantDomain(context);
// session context may be null when cache expires therefore creating new cookie as well.
if (sessionContext != null) {
analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_UPDATE;
sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
sessionContext.getAuthenticatedIdPs().putAll(context.getCurrentAuthenticatedIdPs());
if (!context.isPassiveAuthenticate()) {
setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
}
sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
long updatedSessionTime = System.currentTimeMillis();
if (!context.isPreviousAuthTime()) {
sessionContext.addProperty(FrameworkConstants.UPDATED_TIMESTAMP, updatedSessionTime);
}
authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
List<AuthenticationContextProperty> authenticationContextProperties = new ArrayList<>();
// Authentication context properties from already authenticated IdPs
if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
for (AuthenticationContextProperty contextProperty : existingAuthenticationContextProperties) {
for (StepConfig stepConfig : context.getSequenceConfig().getStepMap().values()) {
if (stepConfig.getAuthenticatedIdP().equals(contextProperty.getIdPName())) {
authenticationContextProperties.add(contextProperty);
break;
}
}
}
}
Long createdTime = (Long) sessionContext.getProperty(FrameworkConstants.CREATED_TIMESTAMP);
if (createdTime != null) {
authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTime);
}
// Authentication context properties received from newly authenticated IdPs
if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
authenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) == null) {
sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
} else {
List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
existingAuthenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
}
}
if (!authenticationContextProperties.isEmpty()) {
if (log.isDebugEnabled()) {
log.debug("AuthenticationContextProperties are available.");
}
authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
}
FrameworkUtils.updateSessionLastAccessTimeMetadata(sessionContextKey, updatedSessionTime);
/*
* In the default configuration, the expiry time of the commonAuthCookie is fixed when rememberMe
* option is selected. With this config, the expiry time will increase at every authentication.
*/
if (sessionContext.isRememberMe() && Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ServerConfig.EXTEND_REMEMBER_ME_SESSION_ON_AUTH))) {
context.setRememberMe(sessionContext.isRememberMe());
setAuthCookie(request, response, context, commonAuthCookie, applicationTenantDomain);
}
if (context.getRuntimeClaims().size() > 0) {
sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
}
handleSessionContextUpdate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
// TODO add to cache?
// store again. when replicate cache is used. this may be needed.
FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
} else {
analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_CREATE;
sessionContext = new SessionContext();
// To identify first login
context.setProperty(FrameworkConstants.AnalyticsAttributes.IS_INITIAL_LOGIN, true);
sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
sessionContext.setAuthenticatedIdPs(context.getCurrentAuthenticatedIdPs());
setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
sessionContext.setRememberMe(context.isRememberMe());
if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
if (log.isDebugEnabled()) {
log.debug("AuthenticationContextProperties are available.");
}
authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
// Add to session context
sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
}
String sessionKey = UUIDGenerator.generateUUID();
sessionContextKey = DigestUtils.sha256Hex(sessionKey);
sessionContext.addProperty(FrameworkConstants.AUTHENTICATED_USER, authenticationResult.getSubject());
sessionContext.addProperty(FrameworkUtils.TENANT_DOMAIN, context.getLoginTenantDomain());
Long createdTimeMillis = System.currentTimeMillis();
sessionContext.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
if (context.getRuntimeClaims().size() > 0) {
sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
}
handleInboundSessionCreate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
setAuthCookie(request, response, context, sessionKey, applicationTenantDomain);
if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
try {
storeSessionMetaData(sessionContextKey, request);
} catch (UserSessionException e) {
log.error("Storing session meta data failed.", e);
}
}
}
if (authenticatedUserTenantDomain == null) {
PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
}
if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
try {
storeSessionData(context, sessionContextKey);
} catch (UserSessionException e) {
throw new FrameworkException("Error while storing session details of the authenticated user to " + "the database", e);
}
}
// store the saml index with the session context key for the single logout.
if (context.getAuthenticationStepHistory() != null) {
UserSessionStore userSessionStore = UserSessionStore.getInstance();
for (AuthHistory authHistory : context.getAuthenticationStepHistory()) {
if (StringUtils.isNotBlank(authHistory.getIdpSessionIndex()) && StringUtils.isNotBlank(authHistory.getIdpName())) {
try {
if (!userSessionStore.hasExistingFederatedAuthSession(authHistory.getIdpSessionIndex())) {
userSessionStore.storeFederatedAuthSessionInfo(sessionContextKey, authHistory);
} else {
if (log.isDebugEnabled()) {
log.debug(String.format("Federated auth session with the id: %s already exists", authHistory.getIdpSessionIndex()));
}
userSessionStore.updateFederatedAuthSessionInfo(sessionContextKey, authHistory);
}
} catch (UserSessionException e) {
throw new FrameworkException("Error while storing federated authentication session details " + "of the authenticated user to the database", e);
}
}
}
}
FrameworkUtils.publishSessionEvent(sessionContextKey, request, context, sessionContext, sequenceConfig.getAuthenticatedUser(), analyticsSessionAction);
publishAuthenticationSuccess(request, context, sequenceConfig.getAuthenticatedUser());
}
// authenticator in multi steps scenario. Ex. Fido
if (FrameworkUtils.getCacheDisabledAuthenticators().contains(context.getRequestType()) && (response instanceof CommonAuthResponseWrapper) && !((CommonAuthResponseWrapper) response).isWrappedByFramework()) {
// Set the result as request attribute
request.setAttribute("sessionDataKey", context.getCallerSessionKey());
addAuthenticationResultToRequest(request, authenticationResult);
} else {
FrameworkUtils.addAuthenticationResultToCache(context.getCallerSessionKey(), authenticationResult);
}
/*
* TODO Cache retaining is a temporary fix. Remove after Google fixes
* http://code.google.com/p/gdata-issues/issues/detail?id=6628
*/
String retainCache = System.getProperty("retainCache");
if (retainCache == null) {
FrameworkUtils.removeAuthenticationContextFromCache(context.getContextIdentifier());
}
sendResponse(request, response, context);
}
Also used :
SessionNonceCookieUtil.removeNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.removeNonceCookie)
SessionNonceCookieUtil.addNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.addNonceCookie)
SessionNonceCookieUtil.validateNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.validateNonceCookie)
Cookie(javax.servlet.http.Cookie)
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
UserSessionStore(org.wso2.carbon.identity.application.authentication.framework.store.UserSessionStore)
ArrayList(java.util.ArrayList)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
UserSessionException(org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException)
AuthenticationResult(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult)
ApplicationConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig)
SessionContext(org.wso2.carbon.identity.application.authentication.framework.context.SessionContext)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
List(java.util.List)
ArrayList(java.util.ArrayList)
AuthHistory(org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory)
AuthenticationContextProperty(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationContextProperty)
CommonAuthResponseWrapper(org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper)
Example 23 with Authenticator
use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.
the class DefaultAuthenticationRequestHandler method sendResponse.
protected void sendResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (log.isDebugEnabled()) {
StringBuilder debugMessage = new StringBuilder();
debugMessage.append("Sending response back to: ");
debugMessage.append(context.getCallerPath()).append("...\n");
debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED).append(": ");
debugMessage.append(String.valueOf(context.isRequestAuthenticated())).append("\n");
debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED_USER).append(": ");
if (context.getSequenceConfig().getAuthenticatedUser() != null) {
debugMessage.append(context.getSequenceConfig().getAuthenticatedUser().getAuthenticatedSubjectIdentifier()).append("\n");
} else {
debugMessage.append("No Authenticated User").append("\n");
}
debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED_IDPS).append(": ");
debugMessage.append(context.getSequenceConfig().getAuthenticatedIdPs()).append("\n");
debugMessage.append(FrameworkConstants.SESSION_DATA_KEY).append(": ");
debugMessage.append(context.getCallerSessionKey());
log.debug(debugMessage);
}
// TODO rememberMe should be handled by a cookie authenticator. For now rememberMe flag that
// was set in the login page will be sent as a query param to the calling servlet so it will
// handle rememberMe as usual.
String rememberMeParam = "";
if (context.isRequestAuthenticated() && context.isRememberMe()) {
rememberMeParam = rememberMeParam + "chkRemember=on";
}
// if request is not authenticated populate error information sent from authenticators/handlers
if (!context.isRequestAuthenticated()) {
populateErrorInformation(request, response, context);
}
// redirect to the caller
String redirectURL;
String commonauthCallerPath = context.getCallerPath();
try {
String queryParamsString = "";
if (context.getCallerSessionKey() != null) {
queryParamsString = FrameworkConstants.SESSION_DATA_KEY + "=" + URLEncoder.encode(context.getCallerSessionKey(), "UTF-8");
}
if (StringUtils.isNotEmpty(rememberMeParam)) {
queryParamsString += "&" + rememberMeParam;
}
redirectURL = FrameworkUtils.appendQueryParamsStringToUrl(commonauthCallerPath, queryParamsString);
response.sendRedirect(redirectURL);
} catch (IOException e) {
throw new FrameworkException(e.getMessage(), e);
}
}
Also used :
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
IOException(java.io.IOException)
Example 24 with Authenticator
use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.
the class DefaultLogoutRequestHandler method handle.
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
if (log.isTraceEnabled()) {
log.trace("Inside handle()");
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
// Retrieve session information from cache.
SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(context.getSessionIdentifier(), context.getLoginTenantDomain());
ExternalIdPConfig externalIdPConfig = null;
// Remove the session related information from the session tables.
clearUserSessionData(request);
if (FrameworkServiceDataHolder.getInstance().getAuthnDataPublisherProxy() != null && FrameworkServiceDataHolder.getInstance().getAuthnDataPublisherProxy().isEnabled(context) && sessionContext != null) {
Object authenticatedUserObj = sessionContext.getProperty(FrameworkConstants.AUTHENTICATED_USER);
AuthenticatedUser authenticatedUser = new AuthenticatedUser();
if (authenticatedUserObj instanceof AuthenticatedUser) {
authenticatedUser = (AuthenticatedUser) authenticatedUserObj;
}
FrameworkUtils.publishSessionEvent(context.getSessionIdentifier(), request, context, sessionContext, authenticatedUser, FrameworkConstants.AnalyticsAttributes.SESSION_TERMINATE);
}
// Remove federated authentication session details from the database.
if (sessionContext != null && StringUtils.isNotBlank(context.getSessionIdentifier()) && sessionContext.getSessionAuthHistory() != null && sessionContext.getSessionAuthHistory().getHistory() != null) {
for (AuthHistory authHistory : sessionContext.getSessionAuthHistory().getHistory()) {
if (FED_AUTH_NAME.equals(authHistory.getAuthenticatorName())) {
try {
UserSessionStore.getInstance().removeFederatedAuthSessionInfo(context.getSessionIdentifier());
break;
} catch (UserSessionException e) {
throw new FrameworkException("Error while deleting federated authentication session details for" + " the session context key :" + context.getSessionIdentifier(), e);
}
}
}
}
// remove SessionContext from the cache and auth cookie before sending logout request to federated IDP,
// without waiting till a logout response is received from federated IDP.
// remove the SessionContext from the cache
FrameworkUtils.removeSessionContextFromCache(context.getSessionIdentifier(), context.getLoginTenantDomain());
// remove the cookie
if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
FrameworkUtils.removeAuthCookie(request, response, context.getLoginTenantDomain());
} else {
FrameworkUtils.removeAuthCookie(request, response);
}
if (context.isPreviousSessionFound()) {
// if this is the start of the logout sequence
if (context.getCurrentStep() == 0) {
context.setCurrentStep(1);
}
int stepCount = sequenceConfig.getStepMap().size();
while (context.getCurrentStep() <= stepCount) {
int currentStep = context.getCurrentStep();
StepConfig stepConfig = sequenceConfig.getStepMap().get(currentStep);
AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
if (authenticatorConfig == null) {
authenticatorConfig = sequenceConfig.getAuthenticatedReqPathAuthenticator();
}
ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
String idpName = stepConfig.getAuthenticatedIdP();
// TODO: Need to fix occurrences where idPName becomes "null"
if ((idpName == null || "null".equalsIgnoreCase(idpName) || idpName.isEmpty()) && sequenceConfig.getAuthenticatedReqPathAuthenticator() != null) {
idpName = FrameworkConstants.LOCAL_IDP_NAME;
}
try {
externalIdPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(idpName, context.getTenantDomain());
context.setExternalIdP(externalIdPConfig);
context.setAuthenticatorProperties(FrameworkUtils.getAuthenticatorPropertyMapFromIdP(externalIdPConfig, authenticator.getName()));
if (authenticatorConfig.getAuthenticatorStateInfo() != null) {
context.setStateInfo(authenticatorConfig.getAuthenticatorStateInfo());
} else {
context.setStateInfo(getStateInfoFromPreviousAuthenticatedIdPs(idpName, authenticatorConfig.getName(), context));
}
AuthenticatorFlowStatus status = authenticator.process(request, response, context);
request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, status);
if (!status.equals(AuthenticatorFlowStatus.INCOMPLETE)) {
// TODO what if logout fails. this is an edge case
currentStep++;
context.setCurrentStep(currentStep);
continue;
}
// sends the logout request to the external IdP
return;
} catch (AuthenticationFailedException | LogoutFailedException e) {
throw new FrameworkException("Exception while handling logout request", e);
} catch (IdentityProviderManagementException e) {
log.error("Exception while getting IdP by name", e);
}
}
}
try {
sendResponse(request, response, context, true);
} catch (ServletException | IOException e) {
throw new FrameworkException(e.getMessage(), e);
}
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)
AuthenticationFailedException(org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
LogoutFailedException(org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException)
IOException(java.io.IOException)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
UserSessionException(org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException)
ServletException(javax.servlet.ServletException)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
SessionContext(org.wso2.carbon.identity.application.authentication.framework.context.SessionContext)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig)
AuthHistory(org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory)
AuthenticatorFlowStatus(org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus)
IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
Example 25 with Authenticator
use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.
the class PostAuthAssociationHandler method handle.
@Override
@SuppressWarnings("unchecked")
public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
if (!FrameworkUtils.isStepBasedSequenceHandlerExecuted(context)) {
return SUCCESS_COMPLETED;
}
SequenceConfig sequenceConfig = context.getSequenceConfig();
for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
StepConfig stepConfig = entry.getValue();
AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
if (authenticatorConfig == null) {
// ex: Different authentication sequences evaluated by the script
continue;
}
ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
if (authenticator instanceof FederatedApplicationAuthenticator) {
if (stepConfig.isSubjectIdentifierStep()) {
if (log.isDebugEnabled()) {
log.debug(authenticator.getName() + " has been set up for subject identifier step.");
}
/*
If AlwaysSendMappedLocalSubjectId is selected, need to get the local user associated with the
federated idp.
*/
String associatedLocalUserName = null;
if (sequenceConfig.getApplicationConfig().isAlwaysSendMappedLocalSubjectId()) {
associatedLocalUserName = getUserNameAssociatedWith(context, stepConfig);
}
if (StringUtils.isNotEmpty(associatedLocalUserName)) {
if (log.isDebugEnabled()) {
log.debug("AlwaysSendMappedLocalSubjectID is selected in service provider level, " + "equavlent local user : " + associatedLocalUserName);
}
setAssociatedLocalUserToContext(associatedLocalUserName, context, stepConfig);
}
}
}
}
return SUCCESS_COMPLETED;
}
Also used :
AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)
StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)
SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)
HashMap(java.util.HashMap)
Map(java.util.Map)
FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)
Aggregations
FederatedAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig)27
IdentityProvider (org.wso2.carbon.identity.application.common.model.IdentityProvider)25
Test (org.testng.annotations.Test)23
IdentityProviderManagementException (org.wso2.carbon.idp.mgt.IdentityProviderManagementException)23
ArrayList (java.util.ArrayList)22
HashMap (java.util.HashMap)22
AuthenticatorConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)22
ApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)19
StepConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)19
SequenceConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)16
FrameworkException (org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)15
LocalAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.LocalAuthenticatorConfig)15
ISIntegrationTest (org.wso2.identity.integration.common.utils.ISIntegrationTest)15
IOException (java.io.IOException)12
Map (java.util.Map)12
FederatedApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)12
AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)11
RequestPathAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.RequestPathAuthenticatorConfig)11
Property (org.wso2.carbon.identity.application.common.model.Property)10
HttpResponse (org.apache.http.HttpResponse)8
