
Example 36 with PwmSession

Use of password.pwm.http.PwmSession in project pwm by pwm-project.

The class Validator, method validatePwmFormID.

public static void validatePwmFormID(final PwmRequest pwmRequest) throws PwmUnrecoverableException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);
    if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.SECURITY_ENABLE_FORM_NONCE)) {
        // the submitted form ID is an encrypted FormNonce issued by the application's SecureService
        final FormNonce formNonce = pwmRequest.getPwmApplication().getSecureService().decryptObject(submittedPwmFormID, FormNonce.class);
        if (formNonce == null) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_FORMID, "form nonce missing"));
        }
        // the nonce is bound to the session GUID it was issued for; a nonce from another session is rejected
        if (!pwmSession.getLoginInfoBean().getGuid().equals(formNonce.getSessionGUID())) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_INVALID_FORMID, "form nonce incorrect"));
        }
    }
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmApplication(password.pwm.PwmApplication) FormNonce(password.pwm.bean.FormNonce) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmSession(password.pwm.http.PwmSession)

Example 37 with PwmSession

Use of password.pwm.http.PwmSession in project pwm by pwm-project.

The class Validator, method validatePwmRequestCounter.

public static void validatePwmRequestCounter(final PwmRequest pwmRequest) throws PwmOperationalException, PwmUnrecoverableException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final boolean enforceRequestSequencing = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.SECURITY_HTTP_FORCE_REQUEST_SEQUENCING));
    if (enforceRequestSequencing) {
        // the session's current request counter is the value a freshly issued form must carry
        final String requestVerificationKey = String.valueOf(pwmSession.getLoginInfoBean().getReqCounter());
        final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);
        // requests without a form ID are not subject to sequencing
        if (submittedPwmFormID == null || submittedPwmFormID.isEmpty()) {
            return;
        }
        try {
            final FormNonce formNonce = pwmRequest.getPwmApplication().getSecureService().decryptObject(submittedPwmFormID, FormNonce.class);
            final String submittedRequestVerificationKey = String.valueOf(formNonce.getReqCounter());
            // a stale or replayed form carries a counter that no longer matches the session
            if (!requestVerificationKey.equals(submittedRequestVerificationKey)) {
                final String debugMsg = "expectedPageID=" + requestVerificationKey + ", submittedPageID=" + submittedRequestVerificationKey + ", url=" + pwmRequest.getURL().toString();
                throw new PwmOperationalException(PwmError.ERROR_INCORRECT_REQ_SEQUENCE, debugMsg);
            }
        } catch (StringIndexOutOfBoundsException | NumberFormatException e) {
            // a malformed form ID is treated the same as an out-of-sequence one
            throw new PwmOperationalException(PwmError.ERROR_INCORRECT_REQ_SEQUENCE);
        }
    }
}
Also used : FormNonce(password.pwm.bean.FormNonce) PwmSession(password.pwm.http.PwmSession) PwmOperationalException(password.pwm.error.PwmOperationalException)

Example 38 with PwmSession

Use of password.pwm.http.PwmSession in project pwm by pwm-project.

The class CASFilterAuthenticationProvider, method authUserUsingCASClearPass.

private static boolean authUserUsingCASClearPass(final PwmRequest pwmRequest) throws UnsupportedEncodingException, PwmUnrecoverableException, ChaiUnavailableException, PwmOperationalException {
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final HttpSession session = pwmRequest.getHttpServletRequest().getSession();
    // make sure user session isn't already authenticated
    if (pwmSession.isAuthenticated()) {
        return false;
    }
    // read the CAS assertion that the CAS client filter stored in the HTTP session (if it exists)
    final Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (assertion == null) {
        LOGGER.trace(pwmSession, "no CAS assertion header present, skipping CAS authentication attempt");
        return false;
    }
    final String username = assertion.getPrincipal().getName();
    PasswordData password = null;
    final AttributePrincipal attributePrincipal = assertion.getPrincipal();
    final Map<String, Object> casAttributes = attributePrincipal.getAttributes();
    final String encodedPsw = (String) casAttributes.get("credential");
    if (encodedPsw == null) {
        LOGGER.trace("No credential");
    } else {
        final Map<FileInformation, FileContent> privatekey = pwmRequest.getConfig().readSettingAsFile(PwmSetting.CAS_CLEARPASS_KEY);
        final String alg = pwmRequest.getConfig().readSettingAsString(PwmSetting.CAS_CLEARPASS_ALGORITHM);
        password = decryptPassword(alg, privatekey, encodedPsw);
    }
    // fall back to the older ClearPass proxy-ticket flow when a ClearPass URL is configured and no credential attribute yielded a password
    final String clearPassUrl = pwmRequest.getConfig().readSettingAsString(PwmSetting.CAS_CLEAR_PASS_URL);
    if ((clearPassUrl != null && clearPassUrl.length() > 0) && (password == null || password.getStringValue().length() < 1)) {
        LOGGER.trace(pwmSession, "Using CAS clearpass via proxy");
        // read cas proxy ticket
        final String proxyTicket = assertion.getPrincipal().getProxyTicketFor(clearPassUrl);
        if (proxyTicket == null) {
            LOGGER.trace(pwmSession, "no CAS proxy ticket available, skipping CAS authentication attempt");
            return false;
        }
        final String clearPassRequestUrl = clearPassUrl + "?" + "ticket=" + proxyTicket + "&" + "service=" + StringUtil.urlEncode(clearPassUrl);
        try {
            final String response = CommonUtils.getResponseFromServer(new URL(clearPassRequestUrl), new HttpsURLConnectionFactory(), "UTF-8");
            password = new PasswordData(XmlUtils.getTextForElement(response, "credentials"));
        } catch (MalformedURLException e) {
            LOGGER.error(pwmSession, "Invalid CAS clearPassUrl");
        }
    }
    if (password == null || password.getStringValue().length() < 1) {
        final String errorMsg = "CAS server did not return credentials for user '" + username + "'";
        LOGGER.trace(pwmSession, errorMsg);
        final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_WRONGPASSWORD, errorMsg);
        throw new PwmOperationalException(errorInformation);
    }
    // user isn't already authenticated and has CAS assertion and password, so try to auth them.
    LOGGER.debug(pwmSession, "attempting to authenticate user '" + username + "' using CAS assertion and password");
    final SessionAuthenticator sessionAuthenticator = new SessionAuthenticator(pwmApplication, pwmSession, PwmAuthenticationSource.CAS);
    sessionAuthenticator.searchAndAuthenticateUser(username, password, null, null);
    return true;
}
Also used : PwmApplication(password.pwm.PwmApplication) MalformedURLException(java.net.MalformedURLException) FileInformation(password.pwm.config.value.FileValue.FileInformation) SessionAuthenticator(password.pwm.ldap.auth.SessionAuthenticator) HttpSession(javax.servlet.http.HttpSession) Assertion(org.jasig.cas.client.validation.Assertion) URL(java.net.URL) PwmOperationalException(password.pwm.error.PwmOperationalException) FileContent(password.pwm.config.value.FileValue.FileContent) HttpsURLConnectionFactory(org.jasig.cas.client.ssl.HttpsURLConnectionFactory) ErrorInformation(password.pwm.error.ErrorInformation) PwmSession(password.pwm.http.PwmSession) AttributePrincipal(org.jasig.cas.client.authentication.AttributePrincipal)

Example 39 with PwmSession

Use of password.pwm.http.PwmSession in project pwm by pwm-project.

The class SessionTrackService, method getDebugData.

public Map<DebugKey, String> getDebugData() {
    try {
        final Collection<PwmSession> sessionCopy = copyOfSessionSet();
        int sessionCounter = 0;
        long sizeTotal = 0;
        for (final PwmSession pwmSession : sessionCopy) {
            try {
                sizeTotal += pwmSession.size();
                sessionCounter++;
            } catch (Exception e) {
                LOGGER.error("error during session size calculation: " + e.getMessage());
            }
        }
        final Map<DebugKey, String> returnMap = new HashMap<>();
        returnMap.put(DebugKey.HttpSessionCount, String.valueOf(sessionCounter));
        returnMap.put(DebugKey.HttpSessionTotalSize, String.valueOf(sizeTotal));
        returnMap.put(DebugKey.HttpSessionAvgSize, sessionCounter < 1 ? "0" : String.valueOf((int) (sizeTotal / sessionCounter)));
        return returnMap;
    } catch (Exception e) {
        LOGGER.error("error during session debug generation: " + e.getMessage());
    }
    return Collections.emptyMap();
}
Also used : ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashMap(java.util.HashMap) PwmSession(password.pwm.http.PwmSession) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) PwmException(password.pwm.error.PwmException)

Example 40 with PwmSession

Use of password.pwm.http.PwmSession in project pwm by pwm-project.

The class UserInfoTag, method doEndTag.

public int doEndTag() throws JspTagException {
    try {
        final PwmRequest pwmRequest = JspUtility.getPwmRequest(pageContext);
        final PwmSession pwmSession = pwmRequest.getPwmSession();
        if (pwmSession.isAuthenticated()) {
            final String ldapValue = pwmSession.getUserInfo().readStringAttribute(attribute);
            pageContext.getOut().write(StringUtil.escapeHtml(ldapValue == null ? "" : ldapValue));
        }
    } catch (Exception e) {
        throw new JspTagException(e.getMessage());
    }
    return EVAL_PAGE;
}
Also used : PwmRequest(password.pwm.http.PwmRequest) PwmSession(password.pwm.http.PwmSession) JspTagException(javax.servlet.jsp.JspTagException)
