
Example 1 with FileContent

use of password.pwm.config.value.FileValue.FileContent in project pwm by pwm-project.

From class CASFilterAuthenticationProvider, method authUserUsingCASClearPass (obtains the user's password through CAS ClearPass and authenticates the session with it):

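/**
 * Attempts to authenticate the current session from a validated CAS assertion plus a
 * password obtained through CAS ClearPass.
 *
 * Two password sources are tried, in order:
 * <ol>
 *   <li>the "credential" attribute released with the CAS principal, decrypted with the
 *       private key configured in CAS_CLEARPASS_KEY / CAS_CLEARPASS_ALGORITHM;</li>
 *   <li>if that yields nothing and CAS_CLEAR_PASS_URL is configured, the legacy ClearPass
 *       proxy endpoint, fetched over HTTPS with a proxy ticket.</li>
 * </ol>
 *
 * @param pwmRequest the current request; its session, application and configuration are read
 * @return {@code true} once SessionAuthenticator has been invoked with the CAS username and
 *         password; {@code false} when the session is already authenticated, when no CAS
 *         assertion is in the HTTP session, or when no proxy ticket could be obtained
 * @throws PwmOperationalException with ERROR_WRONGPASSWORD when neither source produced a password
 * @throws PwmUnrecoverableException propagated from PasswordData / SessionAuthenticator
 * @throws ChaiUnavailableException propagated from SessionAuthenticator
 * @throws UnsupportedEncodingException declared by the URL-encoding helper
 */
private static boolean authUserUsingCASClearPass(final PwmRequest pwmRequest) throws UnsupportedEncodingException, PwmUnrecoverableException, ChaiUnavailableException, PwmOperationalException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final HttpSession session = pwmRequest.getHttpServletRequest().getSession();

    // never re-authenticate a session that is already authenticated
    if (pwmSession.isAuthenticated()) {
        return false;
    }

    // the CAS client filter stores the validated assertion in the HTTP session
    final Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (assertion == null) {
        LOGGER.trace(pwmSession, "no CAS assertion header present, skipping CAS authentication attempt");
        return false;
    }

    final AttributePrincipal attributePrincipal = assertion.getPrincipal();
    final String username = attributePrincipal.getName();

    // source 1: the encrypted "credential" attribute released by CAS
    PasswordData password = null;
    final Map<String, Object> casAttributes = attributePrincipal.getAttributes();
    // NOTE(review): unchecked cast — if the CAS release policy ever emits this attribute as a
    // multi-valued collection this fails with ClassCastException instead of "No credential";
    // confirm the attribute is single-valued on the CAS side.
    final String encodedPsw = (String) casAttributes.get("credential");
    if (encodedPsw == null) {
        LOGGER.trace("No credential");
    } else {
        final Map<FileInformation, FileContent> privatekey = pwmRequest.getConfig().readSettingAsFile(PwmSetting.CAS_CLEARPASS_KEY);
        final String alg = pwmRequest.getConfig().readSettingAsString(PwmSetting.CAS_CLEARPASS_ALGORITHM);
        password = decryptPassword(alg, privatekey, encodedPsw);
    }

    // source 2 (legacy): ClearPass proxy endpoint, used only when source 1 produced nothing
    final String clearPassUrl = pwmRequest.getConfig().readSettingAsString(PwmSetting.CAS_CLEAR_PASS_URL);
    final boolean clearPassUrlConfigured = clearPassUrl != null && clearPassUrl.length() > 0;
    if (clearPassUrlConfigured && (password == null || password.getStringValue().length() < 1)) {
        LOGGER.trace(pwmSession, "Using CAS clearpass via proxy");
        final String proxyTicket = assertion.getPrincipal().getProxyTicketFor(clearPassUrl);
        if (proxyTicket == null) {
            LOGGER.trace(pwmSession, "no CAS proxy ticket available, skipping CAS authentication attempt");
            return false;
        }
        // Both query parameters are URL-encoded. CAS tickets are normally URL-safe already, so
        // encoding the ticket does not change the request; it keeps the two parameters consistent.
        final String clearPassRequestUrl = clearPassUrl + "?" + "ticket=" + StringUtil.urlEncode(proxyTicket) + "&" + "service=" + StringUtil.urlEncode(clearPassUrl);
        try {
            // HttpsURLConnectionFactory: the clear-text password is only ever fetched over TLS
            final String response = CommonUtils.getResponseFromServer(new URL(clearPassRequestUrl), new HttpsURLConnectionFactory(), "UTF-8");
            password = new PasswordData(XmlUtils.getTextForElement(response, "credentials"));
        } catch (MalformedURLException e) {
            // The exception is deliberately not logged: its message may embed the full request
            // URL, which carries the proxy ticket. The configured URL is what needs fixing.
            LOGGER.error(pwmSession, "Invalid CAS clearPassUrl");
        }
    }

    // no password from either source: surface it as a wrong-password failure
    if (password == null || password.getStringValue().length() < 1) {
        final String errorMsg = "CAS server did not return credentials for user '" + username + "'";
        LOGGER.trace(pwmSession, errorMsg);
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg);
        throw new PwmOperationalException(errorInformation);
    }

    LOGGER.debug(pwmSession, "attempting to authenticate user '" + username + "' using CAS assertion and password");
    final SessionAuthenticator sessionAuthenticator = new SessionAuthenticator(pwmApplication, pwmSession, PwmAuthenticationSource.CAS);
    sessionAuthenticator.searchAndAuthenticateUser(username, password, null, null);
    return true;
}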
Also used : PwmApplication(password.pwm.PwmApplication) MalformedURLException(java.net.MalformedURLException) FileInformation(password.pwm.config.value.FileValue.FileInformation) SessionAuthenticator(password.pwm.ldap.auth.SessionAuthenticator) HttpSession(javax.servlet.http.HttpSession) Assertion(org.jasig.cas.client.validation.Assertion) URL(java.net.URL) PwmOperationalException(password.pwm.error.PwmOperationalException) FileContent(password.pwm.config.value.FileValue.FileContent) HttpsURLConnectionFactory(org.jasig.cas.client.ssl.HttpsURLConnectionFactory) ErrorInformation(password.pwm.error.ErrorInformation) PwmSession(password.pwm.http.PwmSession) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal)

Example 2 with FileContent

use of password.pwm.config.value.FileValue.FileContent in project pwm by pwm-project.

From class CASFilterAuthenticationProvider, method decryptPassword (decrypts the CAS "credential" attribute with the configured private key):

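/**
 * Decrypts the base64-encoded, public-key-encrypted CAS ClearPass credential with the
 * configured private key.
 *
 * @param alg        KeyFactory algorithm name of the private key (the CAS_CLEARPASS_ALGORITHM
 *                   setting); {@code null} or blank disables decryption
 * @param privatekey configured key file(s); only the first entry is used and its bytes are
 *                   parsed as a PKCS#8 encoded private key
 * @param encodedPsw base64 ciphertext taken from the CAS "credential" attribute
 * @return the decrypted password, or {@code null} when the algorithm or key is not
 *         configured, when the cipher produced no output, or when any decryption step
 *         failed (the failure is logged, never thrown)
 */
private static PasswordData decryptPassword(final String alg, final Map<FileInformation, FileContent> privatekey, final String encodedPsw) {
    if (alg == null || alg.trim().isEmpty()) {
        return null;
    }
    if (privatekey == null || privatekey.isEmpty()) {
        return null;
    }

    // only the first configured file is used; any further entries are ignored
    final FileValue.FileContent fileContent = privatekey.values().iterator().next();
    // NOTE(review): if getContents() is a String rather than a byte holder, a binary DER key
    // would be round-tripped through the platform charset here and be corrupted — confirm.
    final byte[] privateKeyBytes = fileContent.getContents().getBytes();
    final PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(privateKeyBytes);

    try {
        final KeyFactory kf = KeyFactory.getInstance(alg);
        final PrivateKey privateKey = kf.generatePrivate(spec);
        // NOTE(review): Cipher.getInstance(<bare algorithm>) leaves mode and padding to the
        // provider default (for "RSA" on the JDK provider that is PKCS#1 v1.5 padding). Pinning
        // an explicit transformation matching what CAS encrypts with would remove the
        // provider dependence; left as-is to stay interoperable with the CAS side.
        final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
        final byte[] cred64 = StringUtil.base64Decode(encodedPsw);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        final byte[] cipherData = cipher.doFinal(cred64);
        if (cipherData == null) {
            return null;
        }
        try {
            return new PasswordData(new String(cipherData, PwmConstants.DEFAULT_CHARSET));
        } catch (PwmUnrecoverableException e) {
            LOGGER.error("Decryption failed", e);
            return null;
        } finally {
            // do not leave the clear-text password in a reusable heap buffer once wrapped
            for (int i = 0; i < cipherData.length; i++) {
                cipherData[i] = 0;
            }
        }
    } catch (java.security.GeneralSecurityException e) {
        // common superclass of NoSuchAlgorithm-, InvalidKeySpec-, NoSuchPadding-, InvalidKey-,
        // IllegalBlockSize- and BadPaddingException; all were handled identically before
        LOGGER.error("Decryption failed", e);
        return null;
    } catch (IOException e) {
        // base64 decoding of the credential failed
        LOGGER.error("Decryption failed", e);
        return null;
    }
}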
Also used : FileValue(password.pwm.config.value.FileValue) PrivateKey(java.security.PrivateKey) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) BadPaddingException(javax.crypto.BadPaddingException) InvalidKeyException(java.security.InvalidKeyException) FileContent(password.pwm.config.value.FileValue.FileContent) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) Cipher(javax.crypto.Cipher) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) KeyFactory(java.security.KeyFactory)
