Example 1 with FormNonce

Use of password.pwm.bean.FormNonce in project pwm by pwm-project, from the class CryptoRequestBeanImpl, method getSessionBean:

@Override
public <E extends PwmSessionBean> E getSessionBean(final PwmRequest pwmRequest, final Class<E> theClass) throws PwmUnrecoverableException {
    // Beans already decoded during this request are served from a per-request cache.
    final Map<Class<E>, E> cachedMap = getBeanMap(pwmRequest);
    if (cachedMap.containsKey(theClass)) {
        return cachedMap.get(theClass);
    }
    // The session bean makes a round trip through the client inside the submitted
    // pwmFormID: the form ID decrypts to a FormNonce, and the nonce's payload in turn
    // decrypts to the bean. Both layers are sealed with the server-side SecureService
    // key, so the client carries the state but can neither read nor alter it.
    final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);
    if (submittedPwmFormID != null && submittedPwmFormID.length() > 0) {
        final SecureService secureService = pwmRequest.getPwmApplication().getSecureService();
        final FormNonce formNonce = secureService.decryptObject(submittedPwmFormID, FormNonce.class);
        // Note: a null result from decryptObject is not handled here, unlike in
        // Validator.validatePwmFormID, which checks for it.
        final E bean = secureService.decryptObject(formNonce.getPayload(), theClass);
        cachedMap.put(theClass, bean);
        return bean;
    }
    // No form ID submitted: start a fresh bean tied to the current session GUID.
    final String sessionGuid = pwmRequest.getPwmSession().getLoginInfoBean().getGuid();
    final E newBean = SessionStateService.newBean(sessionGuid, theClass);
    cachedMap.put(theClass, newBean);
    return newBean;
}
Also used: SecureService (password.pwm.util.secure.SecureService), FormNonce (password.pwm.bean.FormNonce)

Example 2 with FormNonce

Use of password.pwm.bean.FormNonce in project pwm by pwm-project, from the class Validator, method validatePwmFormID:

public static void validatePwmFormID(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);
    // The whole check is gated on the SECURITY_ENABLE_FORM_NONCE setting.
    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.SECURITY_ENABLE_FORM_NONCE)) {
        // The form ID must decrypt under the server key: a missing, corrupted or
        // forged value yields no FormNonce and is rejected.
        final FormNonce formNonce = pwmApplication.getSecureService().decryptObject(submittedPwmFormID, FormNonce.class);
        if (formNonce == null) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_FORMID, "form nonce missing"));
        }
        // The nonce is bound to the session that rendered the form; a valid nonce
        // captured from a different session is rejected here.
        if (!pwmSession.getLoginInfoBean().getGuid().equals(formNonce.getSessionGUID())) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_FORMID, "form nonce incorrect"));
        }
    }
}
Also used: ErrorInformation (password.pwm.error.ErrorInformation), PwmApplication (password.pwm.PwmApplication), FormNonce (password.pwm.bean.FormNonce), PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException), PwmSession (password.pwm.http.PwmSession)

Example 3 with FormNonce

Use of password.pwm.bean.FormNonce in project pwm by pwm-project, from the class Validator, method validatePwmRequestCounter:

public static void validatePwmRequestCounter(final PwmRequest pwmRequest) throws PwmOperationalException, PwmUnrecoverableException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    // Request sequencing is controlled by the SECURITY_HTTP_FORCE_REQUEST_SEQUENCING app property.
    final boolean enforceRequestSequencing = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.SECURITY_HTTP_FORCE_REQUEST_SEQUENCING));
    if (enforceRequestSequencing) {
        // The session keeps a request counter; the form ID carries the counter value
        // from when the page was rendered. A mismatch means the form is stale
        // (replayed, or submitted out of order).
        final String requestVerificationKey = String.valueOf(pwmSession.getLoginInfoBean().getReqCounter());
        final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);
        // Note: a request that carries no form ID at all skips the sequence check;
        // only validatePwmFormID (when enabled) rejects a missing nonce.
        if (submittedPwmFormID == null || submittedPwmFormID.isEmpty()) {
            return;
        }
        try {
            final FormNonce formNonce = pwmRequest.getPwmApplication().getSecureService().decryptObject(submittedPwmFormID, FormNonce.class);
            final String submittedRequestVerificationKey = String.valueOf(formNonce.getReqCounter());
            if (!requestVerificationKey.equals(submittedRequestVerificationKey)) {
                final String debugMsg = "expectedPageID=" + requestVerificationKey + ", submittedPageID=" + submittedRequestVerificationKey + ", url=" + pwmRequest.getURL().toString();
                throw new PwmOperationalException(PwmError.ERROR_INCORRECT_REQ_SEQUENCE, debugMsg);
            }
        } catch (StringIndexOutOfBoundsException | NumberFormatException e) {
            // A malformed counter value is reported as a sequence error.
            throw new PwmOperationalException(PwmError.ERROR_INCORRECT_REQ_SEQUENCE);
        }
    }
}
Also used: FormNonce (password.pwm.bean.FormNonce), PwmSession (password.pwm.http.PwmSession), PwmOperationalException (password.pwm.error.PwmOperationalException)

Example 4 with FormNonce

Use of password.pwm.bean.FormNonce in project pwm by pwm-project, from the class PwmFormIDTag, method buildPwmFormID:

private static String buildPwmFormID(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
    if (pwmRequest == null || pwmRequest.getPwmApplication() == null) {
        return "";
    }
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final SessionStateService sessionStateService = pwmApplication.getSessionStateService();
    // The payload is the serialised session state for this request.
    final String value = sessionStateService.getSessionStateInfo(pwmRequest);
    // The nonce binds together the session GUID, the issue time, the session's
    // current request counter and the payload; the Validator methods later compare
    // the GUID and counter against the live session.
    final FormNonce formID = new FormNonce(
            pwmRequest.getPwmSession().getLoginInfoBean().getGuid(),
            Instant.now(),
            pwmRequest.getPwmSession().getLoginInfoBean().getReqCounter(),
            value);
    // Sealed with the server key; the client only ever sees opaque ciphertext.
    return pwmApplication.getSecureService().encryptObjectToString(formID);
}
Also used: PwmApplication (password.pwm.PwmApplication), SessionStateService (password.pwm.http.state.SessionStateService), FormNonce (password.pwm.bean.FormNonce)
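The four snippets above together describe pwm's form-nonce scheme: PwmFormIDTag seals a FormNonce (session GUID, issue instant, request counter, payload) under the server-side SecureService key into the pwmFormID parameter, and Validator checks that a submitted form ID decrypts and that its GUID and counter match the live session. The Go program below is an added, stand-alone model of that scheme written for this page; it is not pwm's code. AES-256-GCM as the sealing primitive is an assumption (the page does not say what SecureService uses), the guid and reqCounter parameters stand in for the two LoginInfoBean fields the Java reads, and the Build/Validate function names mirror the Java methods. Two behaviours of the page's code are kept deliberately: an empty form ID passes the sequence check, and the timestamp is carried but never compared, so nothing here expires a nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// FormNonce: the four values PwmFormIDTag.buildPwmFormID stores (a model, not pwm's class).
type FormNonce struct {
	SessionGUID string    `json:"sessionGUID"`
	Timestamp   time.Time `json:"timestamp"` // carried but, as on the page, never checked
	ReqCounter  int       `json:"reqCounter"`
	Payload     string    `json:"payload"`
}

var ErrInvalidFormID, ErrIncorrectReqSequence = errors.New("ERROR_INVALID_FORMID"), errors.New("ERROR_INCORRECT_REQ_SEQUENCE")

// SecureService models pwm's SecureService as AES-GCM under a server-side key (an assumption).
type SecureService struct{ aead cipher.AEAD }

func NewSecureService(key []byte) (*SecureService, error) {
	block, err := aes.NewCipher(key) // fails only on a bad key size (16, 24 or 32 bytes)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &SecureService{aead: aead}, nil
}

// EncryptObjectToString seals v's JSON under a fresh random GCM nonce: pwmFormID = b64(nonce||ct||tag).
func (s *SecureService) EncryptObjectToString(v interface{}) (string, error) {
	plain, _ := json.Marshal(v) // cannot fail for the plain structs sealed here
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(s.aead.Seal(nonce, nonce, plain, nil)), nil
}

// DecryptFormNonce reverses EncryptObjectToString; a bit flipped anywhere fails the GCM tag check.
func (s *SecureService) DecryptFormNonce(token string) (*FormNonce, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	ns := s.aead.NonceSize()
	if err != nil || len(sealed) < ns {
		return nil, ErrInvalidFormID
	}
	plain, err := s.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, ErrInvalidFormID
	}
	var fn FormNonce
	if err := json.Unmarshal(plain, &fn); err != nil {
		return nil, ErrInvalidFormID
	}
	return &fn, nil
}

// BuildPwmFormID mirrors PwmFormIDTag.buildPwmFormID; guid and reqCounter come from the session.
func BuildPwmFormID(s *SecureService, guid string, reqCounter int, payload string) (string, error) {
	return s.EncryptObjectToString(FormNonce{guid, time.Now(), reqCounter, payload})
}

// ValidatePwmFormID mirrors Validator.validatePwmFormID: decrypt, then bind to the session GUID.
func ValidatePwmFormID(s *SecureService, guid, token string) error {
	fn, err := s.DecryptFormNonce(token)
	if err != nil {
		return fmt.Errorf("form nonce missing: %w", ErrInvalidFormID)
	}
	if fn.SessionGUID != guid {
		return fmt.Errorf("form nonce incorrect: %w", ErrInvalidFormID)
	}
	return nil
}

// ValidatePwmRequestCounter mirrors Validator.validatePwmRequestCounter: an empty form ID passes
// (as in pwm); otherwise the embedded counter must equal the session's current one.
func ValidatePwmRequestCounter(s *SecureService, reqCounter int, token string) error {
	if token == "" {
		return nil
	}
	fn, err := s.DecryptFormNonce(token)
	if err != nil {
		return ErrIncorrectReqSequence
	}
	if fn.ReqCounter != reqCounter {
		return fmt.Errorf("expectedPageID=%d, submittedPageID=%d: %w", reqCounter, fn.ReqCounter, ErrIncorrectReqSequence)
	}
	return nil
}

func main() {
	key := make([]byte, 32) // server-side key: random per run here, persisted in a real deployment
	rand.Read(key)
	svc, _ := NewSecureService(key)
	token, _ := BuildPwmFormID(svc, "sess-A", 7, "constructed session state")
	fmt.Println(ValidatePwmFormID(svc, "sess-A", token), ValidatePwmFormID(svc, "sess-B", token), ValidatePwmRequestCounter(svc, 8, token))
}
```

Running main prints nil for the session that issued the token, then the two rejections: the same token presented from session sess-B fails the GUID binding, and once the session counter has moved from 7 to 8 the same token fails the sequence check, which is the replay case the Java guards against. Because the value is an AEAD ciphertext, a client cannot edit the counter or GUID inside it; what the model does not do, like the page's validators, is reject a token on age.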

Aggregations

FormNonce (password.pwm.bean.FormNonce): 4
PwmApplication (password.pwm.PwmApplication): 2
PwmSession (password.pwm.http.PwmSession): 2
ErrorInformation (password.pwm.error.ErrorInformation): 1
PwmOperationalException (password.pwm.error.PwmOperationalException): 1
PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException): 1
SessionStateService (password.pwm.http.state.SessionStateService): 1
SecureService (password.pwm.util.secure.SecureService): 1