Search in sources :

Example 21 with Authenticator

use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.

the class JITProvisioningPostAuthenticationHandler method handleRequestFlow.

/**
 * To handle the request flow of the post authentication handler.
 *
 * @param response       HttpServlet response.
 * @param context        Authentication context
 * @return Status of this post authentication handler flow.
 * @throws PostAuthenticationFailedException Exception that will be thrown in case of failure.
 */
@SuppressWarnings("unchecked")
private PostAuthnHandlerFlowStatus handleRequestFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    String retryURL = ConfigurationFacade.getInstance().getAuthenticationEndpointRetryURL();
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (authenticator instanceof FederatedApplicationAuthenticator) {
            String externalIdPConfigName = stepConfig.getAuthenticatedIdP();
            ExternalIdPConfig externalIdPConfig = getExternalIdpConfig(externalIdPConfigName, context);
            context.setExternalIdP(externalIdPConfig);
            Map<String, String> localClaimValues;
            if (stepConfig.isSubjectAttributeStep()) {
                localClaimValues = (Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
            } else {
                localClaimValues = getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig, externalIdPConfig);
            }
            if (localClaimValues == null || localClaimValues.size() == 0) {
                Map<ClaimMapping, String> userAttributes = stepConfig.getAuthenticatedUser().getUserAttributes();
                localClaimValues = FrameworkUtils.getClaimMappings(userAttributes, false);
            }
            if (externalIdPConfig != null && externalIdPConfig.isProvisioningEnabled()) {
                if (localClaimValues == null) {
                    localClaimValues = new HashMap<>();
                }
                String associatedLocalUser = getLocalUserAssociatedForFederatedIdentifier(stepConfig.getAuthenticatedIdP(), stepConfig.getAuthenticatedUser().getAuthenticatedSubjectIdentifier(), context.getTenantDomain());
                String username = associatedLocalUser;
                // If associatedLocalUser is null, that means relevant association not exist already.
                if (StringUtils.isEmpty(associatedLocalUser)) {
                    if (log.isDebugEnabled()) {
                        log.debug(sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do not have a local account, hence redirecting" + " to the UI to sign up.");
                    }
                    if (externalIdPConfig.isPromptConsentEnabled()) {
                        username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                        redirectToAccountCreateUI(externalIdPConfig, context, localClaimValues, response, username, request);
                        // Set the property to make sure the request is a returning one.
                        context.setProperty(FrameworkConstants.PASSWORD_PROVISION_REDIRECTION_TRIGGERED, true);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (StringUtils.isEmpty(username)) {
                    username = getUsernameFederatedUser(stepConfig, sequenceConfig, externalIdPConfigName, context, localClaimValues, externalIdPConfig);
                }
                if (StringUtils.isNotBlank(associatedLocalUser)) {
                    // Check if the associated local account is locked.
                    if (isAccountLocked(username, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is locked for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.locked&errorCode=" + UserCoreConstants.ErrorCode.USER_IS_LOCKED;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                    // Check if the associated local account is disabled.
                    if (isAccountDisabled(associatedLocalUser, context.getTenantDomain())) {
                        if (log.isDebugEnabled()) {
                            log.debug(String.format("The account is disabled for the user: %s in the " + "tenant domain: %s ", username, context.getTenantDomain()));
                        }
                        String retryParam = "&authFailure=true&authFailureMsg=error.user.account.disabled&errorCode=" + IdentityCoreConstants.USER_ACCOUNT_DISABLED_ERROR_CODE;
                        handleAccountLockLoginFailure(retryURL, context, response, retryParam);
                        return PostAuthnHandlerFlowStatus.INCOMPLETE;
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("User : " + sequenceConfig.getAuthenticatedUser().getLoggableUserId() + " coming from " + externalIdPConfig.getIdPName() + " do have a local account, with the username " + username);
                }
                callDefaultProvisioningHandler(username, context, externalIdPConfig, localClaimValues, stepConfig);
            }
        }
    }
    return SUCCESS_COMPLETED;
}
Also used : AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig) StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig) FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator) ClaimMapping(org.wso2.carbon.identity.application.common.model.ClaimMapping) FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator) ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator) SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig) ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig) Map(java.util.Map) HashMap(java.util.HashMap)

Example 22 with Authenticator

use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.

the class DefaultAuthenticationRequestHandler method concludeFlow.

/**
 * Sends the response to the servlet that initiated the authentication flow
 *
 * @param request
 * @param response
 * @throws ServletException
 * @throws IOException
 */
protected void concludeFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
    if (log.isDebugEnabled()) {
        log.debug("Concluding the Authentication Flow");
    }
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    sequenceConfig.setCompleted(false);
    AuthenticationResult authenticationResult = new AuthenticationResult();
    boolean isAuthenticated = context.isRequestAuthenticated();
    authenticationResult.setAuthenticated(isAuthenticated);
    String authenticatedUserTenantDomain = getAuthenticatedUserTenantDomain(context, authenticationResult);
    authenticationResult.setSaaSApp(sequenceConfig.getApplicationConfig().isSaaSApp());
    if (isAuthenticated) {
        if (!sequenceConfig.getApplicationConfig().isSaaSApp()) {
            String spTenantDomain = context.getTenantDomain();
            String userTenantDomain = sequenceConfig.getAuthenticatedUser().getTenantDomain();
            if (StringUtils.isNotEmpty(userTenantDomain)) {
                if (StringUtils.isNotEmpty(spTenantDomain) && !spTenantDomain.equals(userTenantDomain)) {
                    throw new FrameworkException("Service Provider tenant domain must be equal to user tenant " + "domain for non-SaaS applications");
                }
            }
        }
        authenticationResult.setSubject(new AuthenticatedUser(sequenceConfig.getAuthenticatedUser()));
        ApplicationConfig appConfig = sequenceConfig.getApplicationConfig();
        if (appConfig.getServiceProvider().getLocalAndOutBoundAuthenticationConfig().isAlwaysSendBackAuthenticatedListOfIdPs()) {
            authenticationResult.setAuthenticatedIdPs(sequenceConfig.getAuthenticatedIdPs());
        }
        // SessionContext is retained across different SP requests in the same browser session.
        // it is tracked by a cookie
        SessionContext sessionContext = null;
        String commonAuthCookie = null;
        String sessionContextKey = null;
        String analyticsSessionAction = null;
        // When getting the cookie, it will not give the path. When paths are tenant qualified, it will only give
        // the cookies matching that path.
        Cookie authCookie = FrameworkUtils.getAuthCookie(request);
        // Force authentication requires the creation of a new session. Therefore skip using the existing session
        if (authCookie != null && !context.isForceAuthenticate()) {
            commonAuthCookie = authCookie.getValue();
            if (commonAuthCookie != null) {
                sessionContextKey = DigestUtils.sha256Hex(commonAuthCookie);
                sessionContext = FrameworkUtils.getSessionContextFromCache(sessionContextKey, context.getLoginTenantDomain());
            }
        }
        String applicationTenantDomain = getApplicationTenantDomain(context);
        // session context may be null when cache expires therefore creating new cookie as well.
        if (sessionContext != null) {
            analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_UPDATE;
            sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
            sessionContext.getAuthenticatedIdPs().putAll(context.getCurrentAuthenticatedIdPs());
            if (!context.isPassiveAuthenticate()) {
                setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
            }
            sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
            populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
            long updatedSessionTime = System.currentTimeMillis();
            if (!context.isPreviousAuthTime()) {
                sessionContext.addProperty(FrameworkConstants.UPDATED_TIMESTAMP, updatedSessionTime);
            }
            authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
            List<AuthenticationContextProperty> authenticationContextProperties = new ArrayList<>();
            // Authentication context properties from already authenticated IdPs
            if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
                for (AuthenticationContextProperty contextProperty : existingAuthenticationContextProperties) {
                    for (StepConfig stepConfig : context.getSequenceConfig().getStepMap().values()) {
                        if (stepConfig.getAuthenticatedIdP().equals(contextProperty.getIdPName())) {
                            authenticationContextProperties.add(contextProperty);
                            break;
                        }
                    }
                }
            }
            Long createdTime = (Long) sessionContext.getProperty(FrameworkConstants.CREATED_TIMESTAMP);
            if (createdTime != null) {
                authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTime);
            }
            // Authentication context properties received from newly authenticated IdPs
            if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                authenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) == null) {
                    sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
                } else {
                    List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
                    existingAuthenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                }
            }
            if (!authenticationContextProperties.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug("AuthenticationContextProperties are available.");
                }
                authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
            }
            FrameworkUtils.updateSessionLastAccessTimeMetadata(sessionContextKey, updatedSessionTime);
            /*
                 * In the default configuration, the expiry time of the commonAuthCookie is fixed when rememberMe
                 * option is selected. With this config, the expiry time will increase at every authentication.
                 */
            if (sessionContext.isRememberMe() && Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ServerConfig.EXTEND_REMEMBER_ME_SESSION_ON_AUTH))) {
                context.setRememberMe(sessionContext.isRememberMe());
                setAuthCookie(request, response, context, commonAuthCookie, applicationTenantDomain);
            }
            if (context.getRuntimeClaims().size() > 0) {
                sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
            }
            handleSessionContextUpdate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
            // TODO add to cache?
            // store again. when replicate  cache is used. this may be needed.
            FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
        } else {
            analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_CREATE;
            sessionContext = new SessionContext();
            // To identify first login
            context.setProperty(FrameworkConstants.AnalyticsAttributes.IS_INITIAL_LOGIN, true);
            sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
            sessionContext.setAuthenticatedIdPs(context.getCurrentAuthenticatedIdPs());
            setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
            sessionContext.setRememberMe(context.isRememberMe());
            if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("AuthenticationContextProperties are available.");
                }
                authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                // Add to session context
                sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
            }
            String sessionKey = UUIDGenerator.generateUUID();
            sessionContextKey = DigestUtils.sha256Hex(sessionKey);
            sessionContext.addProperty(FrameworkConstants.AUTHENTICATED_USER, authenticationResult.getSubject());
            sessionContext.addProperty(FrameworkUtils.TENANT_DOMAIN, context.getLoginTenantDomain());
            Long createdTimeMillis = System.currentTimeMillis();
            sessionContext.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
            authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
            authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
            sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
            populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
            if (context.getRuntimeClaims().size() > 0) {
                sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
            }
            handleInboundSessionCreate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
            FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
            setAuthCookie(request, response, context, sessionKey, applicationTenantDomain);
            if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
                try {
                    storeSessionMetaData(sessionContextKey, request);
                } catch (UserSessionException e) {
                    log.error("Storing session meta data failed.", e);
                }
            }
        }
        if (authenticatedUserTenantDomain == null) {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        }
        if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
            try {
                storeSessionData(context, sessionContextKey);
            } catch (UserSessionException e) {
                throw new FrameworkException("Error while storing session details of the authenticated user to " + "the database", e);
            }
        }
        // store the saml index with the session context key for the single logout.
        if (context.getAuthenticationStepHistory() != null) {
            UserSessionStore userSessionStore = UserSessionStore.getInstance();
            for (AuthHistory authHistory : context.getAuthenticationStepHistory()) {
                if (StringUtils.isNotBlank(authHistory.getIdpSessionIndex()) && StringUtils.isNotBlank(authHistory.getIdpName())) {
                    try {
                        if (!userSessionStore.hasExistingFederatedAuthSession(authHistory.getIdpSessionIndex())) {
                            userSessionStore.storeFederatedAuthSessionInfo(sessionContextKey, authHistory);
                        } else {
                            if (log.isDebugEnabled()) {
                                log.debug(String.format("Federated auth session with the id: %s already exists", authHistory.getIdpSessionIndex()));
                            }
                            userSessionStore.updateFederatedAuthSessionInfo(sessionContextKey, authHistory);
                        }
                    } catch (UserSessionException e) {
                        throw new FrameworkException("Error while storing federated authentication session details " + "of the authenticated user to the database", e);
                    }
                }
            }
        }
        FrameworkUtils.publishSessionEvent(sessionContextKey, request, context, sessionContext, sequenceConfig.getAuthenticatedUser(), analyticsSessionAction);
        publishAuthenticationSuccess(request, context, sequenceConfig.getAuthenticatedUser());
    }
    // authenticator in multi steps scenario. Ex. Fido
    if (FrameworkUtils.getCacheDisabledAuthenticators().contains(context.getRequestType()) && (response instanceof CommonAuthResponseWrapper) && !((CommonAuthResponseWrapper) response).isWrappedByFramework()) {
        // Set the result as request attribute
        request.setAttribute("sessionDataKey", context.getCallerSessionKey());
        addAuthenticationResultToRequest(request, authenticationResult);
    } else {
        FrameworkUtils.addAuthenticationResultToCache(context.getCallerSessionKey(), authenticationResult);
    }
    /*
         * TODO Cache retaining is a temporary fix. Remove after Google fixes
         * http://code.google.com/p/gdata-issues/issues/detail?id=6628
         */
    String retainCache = System.getProperty("retainCache");
    if (retainCache == null) {
        FrameworkUtils.removeAuthenticationContextFromCache(context.getContextIdentifier());
    }
    sendResponse(request, response, context);
}
Also used : SessionNonceCookieUtil.removeNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.removeNonceCookie) SessionNonceCookieUtil.addNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.addNonceCookie) SessionNonceCookieUtil.validateNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.validateNonceCookie) Cookie(javax.servlet.http.Cookie) FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException) UserSessionStore(org.wso2.carbon.identity.application.authentication.framework.store.UserSessionStore) ArrayList(java.util.ArrayList) StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) UserSessionException(org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException) AuthenticationResult(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult) ApplicationConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig) SessionContext(org.wso2.carbon.identity.application.authentication.framework.context.SessionContext) SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig) List(java.util.List) ArrayList(java.util.ArrayList) AuthHistory(org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory) AuthenticationContextProperty(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationContextProperty) CommonAuthResponseWrapper(org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper)

Example 23 with Authenticator

use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.

the class DefaultAuthenticationRequestHandler method sendResponse.

protected void sendResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
    if (log.isDebugEnabled()) {
        StringBuilder debugMessage = new StringBuilder();
        debugMessage.append("Sending response back to: ");
        debugMessage.append(context.getCallerPath()).append("...\n");
        debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED).append(": ");
        debugMessage.append(String.valueOf(context.isRequestAuthenticated())).append("\n");
        debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED_USER).append(": ");
        if (context.getSequenceConfig().getAuthenticatedUser() != null) {
            debugMessage.append(context.getSequenceConfig().getAuthenticatedUser().getAuthenticatedSubjectIdentifier()).append("\n");
        } else {
            debugMessage.append("No Authenticated User").append("\n");
        }
        debugMessage.append(FrameworkConstants.ResponseParams.AUTHENTICATED_IDPS).append(": ");
        debugMessage.append(context.getSequenceConfig().getAuthenticatedIdPs()).append("\n");
        debugMessage.append(FrameworkConstants.SESSION_DATA_KEY).append(": ");
        debugMessage.append(context.getCallerSessionKey());
        log.debug(debugMessage);
    }
    // TODO rememberMe should be handled by a cookie authenticator. For now rememberMe flag that
    // was set in the login page will be sent as a query param to the calling servlet so it will
    // handle rememberMe as usual.
    String rememberMeParam = "";
    if (context.isRequestAuthenticated() && context.isRememberMe()) {
        rememberMeParam = rememberMeParam + "chkRemember=on";
    }
    // if request is not authenticated populate error information sent from authenticators/handlers
    if (!context.isRequestAuthenticated()) {
        populateErrorInformation(request, response, context);
    }
    // redirect to the caller
    String redirectURL;
    String commonauthCallerPath = context.getCallerPath();
    try {
        String queryParamsString = "";
        if (context.getCallerSessionKey() != null) {
            queryParamsString = FrameworkConstants.SESSION_DATA_KEY + "=" + URLEncoder.encode(context.getCallerSessionKey(), "UTF-8");
        }
        if (StringUtils.isNotEmpty(rememberMeParam)) {
            queryParamsString += "&" + rememberMeParam;
        }
        redirectURL = FrameworkUtils.appendQueryParamsStringToUrl(commonauthCallerPath, queryParamsString);
        response.sendRedirect(redirectURL);
    } catch (IOException e) {
        throw new FrameworkException(e.getMessage(), e);
    }
}
Also used : FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException) IOException(java.io.IOException)

Example 24 with Authenticator

use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.

the class DefaultLogoutRequestHandler method handle.

@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
    if (log.isTraceEnabled()) {
        log.trace("Inside handle()");
    }
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    // Retrieve session information from cache.
    SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(context.getSessionIdentifier(), context.getLoginTenantDomain());
    ExternalIdPConfig externalIdPConfig = null;
    // Remove the session related information from the session tables.
    clearUserSessionData(request);
    if (FrameworkServiceDataHolder.getInstance().getAuthnDataPublisherProxy() != null && FrameworkServiceDataHolder.getInstance().getAuthnDataPublisherProxy().isEnabled(context) && sessionContext != null) {
        Object authenticatedUserObj = sessionContext.getProperty(FrameworkConstants.AUTHENTICATED_USER);
        AuthenticatedUser authenticatedUser = new AuthenticatedUser();
        if (authenticatedUserObj instanceof AuthenticatedUser) {
            authenticatedUser = (AuthenticatedUser) authenticatedUserObj;
        }
        FrameworkUtils.publishSessionEvent(context.getSessionIdentifier(), request, context, sessionContext, authenticatedUser, FrameworkConstants.AnalyticsAttributes.SESSION_TERMINATE);
    }
    // Remove federated authentication session details from the database.
    if (sessionContext != null && StringUtils.isNotBlank(context.getSessionIdentifier()) && sessionContext.getSessionAuthHistory() != null && sessionContext.getSessionAuthHistory().getHistory() != null) {
        for (AuthHistory authHistory : sessionContext.getSessionAuthHistory().getHistory()) {
            if (FED_AUTH_NAME.equals(authHistory.getAuthenticatorName())) {
                try {
                    UserSessionStore.getInstance().removeFederatedAuthSessionInfo(context.getSessionIdentifier());
                    break;
                } catch (UserSessionException e) {
                    throw new FrameworkException("Error while deleting federated authentication session details for" + " the session context key :" + context.getSessionIdentifier(), e);
                }
            }
        }
    }
    // remove SessionContext from the cache and auth cookie before sending logout request to federated IDP,
    // without waiting till a logout response is received from federated IDP.
    // remove the SessionContext from the cache
    FrameworkUtils.removeSessionContextFromCache(context.getSessionIdentifier(), context.getLoginTenantDomain());
    // remove the cookie
    if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
        FrameworkUtils.removeAuthCookie(request, response, context.getLoginTenantDomain());
    } else {
        FrameworkUtils.removeAuthCookie(request, response);
    }
    if (context.isPreviousSessionFound()) {
        // if this is the start of the logout sequence
        if (context.getCurrentStep() == 0) {
            context.setCurrentStep(1);
        }
        int stepCount = sequenceConfig.getStepMap().size();
        while (context.getCurrentStep() <= stepCount) {
            int currentStep = context.getCurrentStep();
            StepConfig stepConfig = sequenceConfig.getStepMap().get(currentStep);
            AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
            if (authenticatorConfig == null) {
                authenticatorConfig = sequenceConfig.getAuthenticatedReqPathAuthenticator();
            }
            ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
            String idpName = stepConfig.getAuthenticatedIdP();
            // TODO: Need to fix occurrences where idPName becomes "null"
            if ((idpName == null || "null".equalsIgnoreCase(idpName) || idpName.isEmpty()) && sequenceConfig.getAuthenticatedReqPathAuthenticator() != null) {
                idpName = FrameworkConstants.LOCAL_IDP_NAME;
            }
            try {
                externalIdPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(idpName, context.getTenantDomain());
                context.setExternalIdP(externalIdPConfig);
                context.setAuthenticatorProperties(FrameworkUtils.getAuthenticatorPropertyMapFromIdP(externalIdPConfig, authenticator.getName()));
                if (authenticatorConfig.getAuthenticatorStateInfo() != null) {
                    context.setStateInfo(authenticatorConfig.getAuthenticatorStateInfo());
                } else {
                    context.setStateInfo(getStateInfoFromPreviousAuthenticatedIdPs(idpName, authenticatorConfig.getName(), context));
                }
                AuthenticatorFlowStatus status = authenticator.process(request, response, context);
                request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, status);
                if (!status.equals(AuthenticatorFlowStatus.INCOMPLETE)) {
                    // TODO what if logout fails. this is an edge case
                    currentStep++;
                    context.setCurrentStep(currentStep);
                    continue;
                }
                // sends the logout request to the external IdP
                return;
            } catch (AuthenticationFailedException | LogoutFailedException e) {
                throw new FrameworkException("Exception while handling logout request", e);
            } catch (IdentityProviderManagementException e) {
                log.error("Exception while getting IdP by name", e);
            }
        }
    }
    try {
        sendResponse(request, response, context, true);
    } catch (ServletException | IOException e) {
        throw new FrameworkException(e.getMessage(), e);
    }
}
Also used : AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig) FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException) AuthenticationFailedException(org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException) StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig) LogoutFailedException(org.wso2.carbon.identity.application.authentication.framework.exception.LogoutFailedException) IOException(java.io.IOException) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) UserSessionException(org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException) ServletException(javax.servlet.ServletException) ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator) SessionContext(org.wso2.carbon.identity.application.authentication.framework.context.SessionContext) SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig) ExternalIdPConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig) AuthHistory(org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory) AuthenticatorFlowStatus(org.wso2.carbon.identity.application.authentication.framework.AuthenticatorFlowStatus) IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)

Example 25 with Authenticator

use of org.wso2.carbon.identity.api.server.authenticators.v1.model.Authenticator in project carbon-identity-framework by wso2.

the class PostAuthAssociationHandler method handle.

@Override
@SuppressWarnings("unchecked")
public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    if (!FrameworkUtils.isStepBasedSequenceHandlerExecuted(context)) {
        return SUCCESS_COMPLETED;
    }
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
        StepConfig stepConfig = entry.getValue();
        AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
        if (authenticatorConfig == null) {
            // ex: Different authentication sequences evaluated by the script
            continue;
        }
        ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
        if (authenticator instanceof FederatedApplicationAuthenticator) {
            if (stepConfig.isSubjectIdentifierStep()) {
                if (log.isDebugEnabled()) {
                    log.debug(authenticator.getName() + " has been set up for subject identifier step.");
                }
                /*
                    If AlwaysSendMappedLocalSubjectId is selected, need to get the local user associated with the
                    federated idp.
                     */
                String associatedLocalUserName = null;
                if (sequenceConfig.getApplicationConfig().isAlwaysSendMappedLocalSubjectId()) {
                    associatedLocalUserName = getUserNameAssociatedWith(context, stepConfig);
                }
                if (StringUtils.isNotEmpty(associatedLocalUserName)) {
                    if (log.isDebugEnabled()) {
                        log.debug("AlwaysSendMappedLocalSubjectID is selected in service provider level, " + "equavlent local user : " + associatedLocalUserName);
                    }
                    setAssociatedLocalUserToContext(associatedLocalUserName, context, stepConfig);
                }
            }
        }
    }
    return SUCCESS_COMPLETED;
}
Also used : AuthenticatorConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig) FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator) ApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator) StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig) SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig) HashMap(java.util.HashMap) Map(java.util.Map) FederatedApplicationAuthenticator(org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)

Aggregations

FederatedAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig)27 IdentityProvider (org.wso2.carbon.identity.application.common.model.IdentityProvider)25 Test (org.testng.annotations.Test)23 IdentityProviderManagementException (org.wso2.carbon.idp.mgt.IdentityProviderManagementException)23 ArrayList (java.util.ArrayList)22 HashMap (java.util.HashMap)22 AuthenticatorConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig)22 ApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator)19 StepConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig)19 SequenceConfig (org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig)16 FrameworkException (org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException)15 LocalAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.LocalAuthenticatorConfig)15 ISIntegrationTest (org.wso2.identity.integration.common.utils.ISIntegrationTest)15 IOException (java.io.IOException)12 Map (java.util.Map)12 FederatedApplicationAuthenticator (org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator)12 AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)11 RequestPathAuthenticatorConfig (org.wso2.carbon.identity.application.common.model.RequestPathAuthenticatorConfig)11 Property (org.wso2.carbon.identity.application.common.model.Property)10 HttpResponse (org.apache.http.HttpResponse)8