Search in sources :

Example 1 with OAuthMachine

use of password.pwm.http.servlet.oauth.OAuthMachine in project pwm by pwm-project.

the class AuthenticationFilter method processAuthenticatedSession.

private void processAuthenticatedSession(final PwmRequest pwmRequest, final PwmFilterChain chain) throws IOException, ServletException, PwmUnrecoverableException {
    final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
    final PwmSession pwmSession = pwmRequest.getPwmSession();
    // read the basic auth info out of the header (if it exists);
    if (pwmRequest.getConfig().readSettingAsBoolean(PwmSetting.BASIC_AUTH_ENABLED)) {
        final BasicAuthInfo basicAuthInfo = BasicAuthInfo.parseAuthHeader(pwmApplication, pwmRequest);
        final BasicAuthInfo originalBasicAuthInfo = pwmSession.getLoginInfoBean().getBasicAuth();
        // check to make sure basic auth info is same as currently known user in session.
        if (basicAuthInfo != null && originalBasicAuthInfo != null && !(originalBasicAuthInfo.equals(basicAuthInfo))) {
            // if we read here then user is using basic auth, and header has changed since last request
            // this means something is screwy, so log out the session
            // read the current user info for logging
            final UserInfo userInfo = pwmSession.getUserInfo();
            final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_BAD_SESSION, "basic auth header user '" + basicAuthInfo.getUsername() + "' does not match currently logged in user '" + userInfo.getUserIdentity() + "', session will be logged out");
            LOGGER.info(pwmRequest, errorInformation);
            // log out their user
            pwmSession.unauthenticateUser(pwmRequest);
            // send en error to user.
            pwmRequest.respondWithError(errorInformation, true);
            return;
        }
    }
    // check status of oauth expiration
    if (pwmSession.getLoginInfoBean().getOauthExp() != null) {
        final OAuthSettings oauthSettings = OAuthSettings.forSSOAuthentication(pwmRequest.getConfig());
        final OAuthMachine oAuthMachine = new OAuthMachine(oauthSettings);
        if (oAuthMachine.checkOAuthExpiration(pwmRequest)) {
            pwmRequest.respondWithError(new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, "oauth access token has expired"));
            return;
        }
    }
    handleAuthenticationCookie(pwmRequest);
    if (forceRequiredRedirects(pwmRequest) == ProcessStatus.Halt) {
        return;
    }
    // user session is authed, and session and auth header match, so forward request on.
    chain.doFilter();
}
Also used : ErrorInformation(password.pwm.error.ErrorInformation) PwmApplication(password.pwm.PwmApplication) BasicAuthInfo(password.pwm.util.BasicAuthInfo) UserInfo(password.pwm.ldap.UserInfo) OAuthMachine(password.pwm.http.servlet.oauth.OAuthMachine) OAuthSettings(password.pwm.http.servlet.oauth.OAuthSettings) PwmSession(password.pwm.http.PwmSession)

Example 2 with OAuthMachine

use of password.pwm.http.servlet.oauth.OAuthMachine in project pwm by pwm-project.

the class ForgottenPasswordServlet method forwardUserBasedOnRecoveryMethod.

private void forwardUserBasedOnRecoveryMethod(final PwmRequest pwmRequest, final IdentityVerificationMethod method) throws ServletException, PwmUnrecoverableException, IOException {
    LOGGER.debug(pwmRequest, "attempting to forward request to handle verification method " + method.toString());
    final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
    ForgottenPasswordUtil.verifyRequirementsForAuthMethod(pwmRequest, forgottenPasswordBean, method);
    switch(method) {
        case PREVIOUS_AUTH:
            {
                throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "previous authentication is required, but user has not previously authenticated"));
            }
        case ATTRIBUTES:
            {
                pwmRequest.addFormInfoToRequestAttr(forgottenPasswordBean.getAttributeForm(), Collections.emptyMap(), false, false);
                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ATTRIBUTES);
            }
            break;
        case CHALLENGE_RESPONSES:
            {
                pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordChallengeSet, forgottenPasswordBean.getPresentableChallengeSet());
                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_RESPONSES);
            }
            break;
        case OTP:
            {
                pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOtpRecord, ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean).getOtpUserRecord());
                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ENTER_OTP);
            }
            break;
        case TOKEN:
            {
                final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
                final List<TokenDestinationItem> tokenDestinations = ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
                if (progress.getTokenDestination() == null) {
                    final boolean autoSelect = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.FORGOTTEN_PASSWORD_TOKEN_AUTO_SELECT_DEST));
                    if (autoSelect && tokenDestinations.size() == 1) {
                        final TokenDestinationItem singleItem = tokenDestinations.iterator().next();
                        progress.setTokenDestination(singleItem);
                    }
                }
                if (progress.getTokenDestination() == null) {
                    forwardToTokenChoiceJsp(pwmRequest);
                    return;
                }
                if (!progress.isTokenSent()) {
                    final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
                    ForgottenPasswordUtil.initializeAndSendToken(pwmRequest, userInfo, progress.getTokenDestination());
                    progress.setTokenSent(true);
                }
                if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.TOKEN)) {
                    forwardToEnterTokenJsp(pwmRequest);
                    return;
                }
            }
            break;
        case REMOTE_RESPONSES:
            {
                final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
                final VerificationMethodSystem remoteMethod;
                if (forgottenPasswordBean.getProgress().getRemoteRecoveryMethod() == null) {
                    remoteMethod = new RemoteVerificationMethod();
                    remoteMethod.init(pwmRequest.getPwmApplication(), userInfo, pwmRequest.getSessionLabel(), pwmRequest.getLocale());
                    forgottenPasswordBean.getProgress().setRemoteRecoveryMethod(remoteMethod);
                } else {
                    remoteMethod = forgottenPasswordBean.getProgress().getRemoteRecoveryMethod();
                }
                final List<VerificationMethodSystem.UserPrompt> prompts = remoteMethod.getCurrentPrompts();
                final String displayInstructions = remoteMethod.getCurrentDisplayInstructions();
                pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordPrompts, new ArrayList<>(prompts));
                pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInstructions, displayInstructions);
                pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_REMOTE);
            }
            break;
        case OAUTH:
            forgottenPasswordBean.getProgress().setInProgressVerificationMethod(IdentityVerificationMethod.OAUTH);
            final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
            final OAuthSettings oAuthSettings = OAuthSettings.forForgottenPassword(forgottenPasswordProfile);
            final OAuthMachine oAuthMachine = new OAuthMachine(oAuthSettings);
            pwmRequest.getPwmApplication().getSessionStateService().saveSessionBeans(pwmRequest);
            final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
            oAuthMachine.redirectUserToOAuthServer(pwmRequest, null, userIdentity, forgottenPasswordProfile.getIdentifier());
            break;
        default:
            throw new UnsupportedOperationException("unexpected method during forward: " + method.toString());
    }
}
Also used : ForgottenPasswordProfile(password.pwm.config.profile.ForgottenPasswordProfile) UserIdentity(password.pwm.bean.UserIdentity) ArrayList(java.util.ArrayList) PwmUnrecoverableException(password.pwm.error.PwmUnrecoverableException) UserInfo(password.pwm.ldap.UserInfo) OAuthMachine(password.pwm.http.servlet.oauth.OAuthMachine) TokenDestinationItem(password.pwm.bean.TokenDestinationItem) VerificationMethodSystem(password.pwm.VerificationMethodSystem) ErrorInformation(password.pwm.error.ErrorInformation) List(java.util.List) ArrayList(java.util.ArrayList) OAuthSettings(password.pwm.http.servlet.oauth.OAuthSettings) ForgottenPasswordBean(password.pwm.http.bean.ForgottenPasswordBean)

Aggregations

ErrorInformation (password.pwm.error.ErrorInformation)2 OAuthMachine (password.pwm.http.servlet.oauth.OAuthMachine)2 OAuthSettings (password.pwm.http.servlet.oauth.OAuthSettings)2 UserInfo (password.pwm.ldap.UserInfo)2 ArrayList (java.util.ArrayList)1 List (java.util.List)1 PwmApplication (password.pwm.PwmApplication)1 VerificationMethodSystem (password.pwm.VerificationMethodSystem)1 TokenDestinationItem (password.pwm.bean.TokenDestinationItem)1 UserIdentity (password.pwm.bean.UserIdentity)1 ForgottenPasswordProfile (password.pwm.config.profile.ForgottenPasswordProfile)1 PwmUnrecoverableException (password.pwm.error.PwmUnrecoverableException)1 PwmSession (password.pwm.http.PwmSession)1 ForgottenPasswordBean (password.pwm.http.bean.ForgottenPasswordBean)1 BasicAuthInfo (password.pwm.util.BasicAuthInfo)1