use of password.pwm.http.servlet.oauth.OAuthSettings in project pwm by pwm-project.
the class AuthenticationFilter method processAuthenticatedSession.
private void processAuthenticatedSession(final PwmRequest pwmRequest, final PwmFilterChain chain) throws IOException, ServletException, PwmUnrecoverableException {
final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
final PwmSession pwmSession = pwmRequest.getPwmSession();
// read the basic auth info out of the header (if it exists);
if (pwmRequest.getConfig().readSettingAsBoolean(PwmSetting.BASIC_AUTH_ENABLED)) {
final BasicAuthInfo basicAuthInfo = BasicAuthInfo.parseAuthHeader(pwmApplication, pwmRequest);
final BasicAuthInfo originalBasicAuthInfo = pwmSession.getLoginInfoBean().getBasicAuth();
// check to make sure basic auth info is same as currently known user in session.
if (basicAuthInfo != null && originalBasicAuthInfo != null && !(originalBasicAuthInfo.equals(basicAuthInfo))) {
// if we read here then user is using basic auth, and header has changed since last request
// this means something is screwy, so log out the session
// read the current user info for logging
final UserInfo userInfo = pwmSession.getUserInfo();
final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_BAD_SESSION, "basic auth header user '" + basicAuthInfo.getUsername() + "' does not match currently logged in user '" + userInfo.getUserIdentity() + "', session will be logged out");
LOGGER.info(pwmRequest, errorInformation);
// log out their user
pwmSession.unauthenticateUser(pwmRequest);
// send en error to user.
pwmRequest.respondWithError(errorInformation, true);
return;
}
}
// check status of oauth expiration
if (pwmSession.getLoginInfoBean().getOauthExp() != null) {
final OAuthSettings oauthSettings = OAuthSettings.forSSOAuthentication(pwmRequest.getConfig());
final OAuthMachine oAuthMachine = new OAuthMachine(oauthSettings);
if (oAuthMachine.checkOAuthExpiration(pwmRequest)) {
pwmRequest.respondWithError(new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, "oauth access token has expired"));
return;
}
}
handleAuthenticationCookie(pwmRequest);
if (forceRequiredRedirects(pwmRequest) == ProcessStatus.Halt) {
return;
}
// user session is authed, and session and auth header match, so forward request on.
chain.doFilter();
}
use of password.pwm.http.servlet.oauth.OAuthSettings in project pwm by pwm-project.
the class ForgottenPasswordServlet method forwardUserBasedOnRecoveryMethod.
private void forwardUserBasedOnRecoveryMethod(final PwmRequest pwmRequest, final IdentityVerificationMethod method) throws ServletException, PwmUnrecoverableException, IOException {
LOGGER.debug(pwmRequest, "attempting to forward request to handle verification method " + method.toString());
final ForgottenPasswordBean forgottenPasswordBean = forgottenPasswordBean(pwmRequest);
ForgottenPasswordUtil.verifyRequirementsForAuthMethod(pwmRequest, forgottenPasswordBean, method);
switch(method) {
case PREVIOUS_AUTH:
{
throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, "previous authentication is required, but user has not previously authenticated"));
}
case ATTRIBUTES:
{
pwmRequest.addFormInfoToRequestAttr(forgottenPasswordBean.getAttributeForm(), Collections.emptyMap(), false, false);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ATTRIBUTES);
}
break;
case CHALLENGE_RESPONSES:
{
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordChallengeSet, forgottenPasswordBean.getPresentableChallengeSet());
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_RESPONSES);
}
break;
case OTP:
{
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordOtpRecord, ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean).getOtpUserRecord());
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_ENTER_OTP);
}
break;
case TOKEN:
{
final ForgottenPasswordBean.Progress progress = forgottenPasswordBean.getProgress();
final List<TokenDestinationItem> tokenDestinations = ForgottenPasswordUtil.figureAvailableTokenDestinations(pwmRequest, forgottenPasswordBean);
if (progress.getTokenDestination() == null) {
final boolean autoSelect = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.FORGOTTEN_PASSWORD_TOKEN_AUTO_SELECT_DEST));
if (autoSelect && tokenDestinations.size() == 1) {
final TokenDestinationItem singleItem = tokenDestinations.iterator().next();
progress.setTokenDestination(singleItem);
}
}
if (progress.getTokenDestination() == null) {
forwardToTokenChoiceJsp(pwmRequest);
return;
}
if (!progress.isTokenSent()) {
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
ForgottenPasswordUtil.initializeAndSendToken(pwmRequest, userInfo, progress.getTokenDestination());
progress.setTokenSent(true);
}
if (!progress.getSatisfiedMethods().contains(IdentityVerificationMethod.TOKEN)) {
forwardToEnterTokenJsp(pwmRequest);
return;
}
}
break;
case REMOTE_RESPONSES:
{
final UserInfo userInfo = ForgottenPasswordUtil.readUserInfo(pwmRequest, forgottenPasswordBean);
final VerificationMethodSystem remoteMethod;
if (forgottenPasswordBean.getProgress().getRemoteRecoveryMethod() == null) {
remoteMethod = new RemoteVerificationMethod();
remoteMethod.init(pwmRequest.getPwmApplication(), userInfo, pwmRequest.getSessionLabel(), pwmRequest.getLocale());
forgottenPasswordBean.getProgress().setRemoteRecoveryMethod(remoteMethod);
} else {
remoteMethod = forgottenPasswordBean.getProgress().getRemoteRecoveryMethod();
}
final List<VerificationMethodSystem.UserPrompt> prompts = remoteMethod.getCurrentPrompts();
final String displayInstructions = remoteMethod.getCurrentDisplayInstructions();
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordPrompts, new ArrayList<>(prompts));
pwmRequest.setAttribute(PwmRequestAttribute.ForgottenPasswordInstructions, displayInstructions);
pwmRequest.forwardToJsp(JspUrl.RECOVER_PASSWORD_REMOTE);
}
break;
case OAUTH:
forgottenPasswordBean.getProgress().setInProgressVerificationMethod(IdentityVerificationMethod.OAUTH);
final ForgottenPasswordProfile forgottenPasswordProfile = ForgottenPasswordUtil.forgottenPasswordProfile(pwmRequest.getPwmApplication(), forgottenPasswordBean);
final OAuthSettings oAuthSettings = OAuthSettings.forForgottenPassword(forgottenPasswordProfile);
final OAuthMachine oAuthMachine = new OAuthMachine(oAuthSettings);
pwmRequest.getPwmApplication().getSessionStateService().saveSessionBeans(pwmRequest);
final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
oAuthMachine.redirectUserToOAuthServer(pwmRequest, null, userIdentity, forgottenPasswordProfile.getIdentifier());
break;
default:
throw new UnsupportedOperationException("unexpected method during forward: " + method.toString());
}
}
Aggregations