
Example 1 with WebIdUserDetails

Use of won.node.springsecurity.userdetails.WebIdUserDetails in the project webofneeds by researchstudio-sat.

From the class DefaultWoNAccessDecisionVoter, method vote:

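/**
 * Votes on a request using the hard-coded access-control rules.
 * <p>
 * Access is granted only when the request was pre-authenticated, the
 * principal is a {@link WebIdUserDetails} that carries {@code ROLE_WEBID}
 * (i.e. the WebID was verified), and {@code defaultAccessControlRules}
 * permits that WebID on the requested URL. The voter abstains when the
 * authentication, the principal or the secured object is not of the expected
 * type; every other case is denied.
 *
 * @param authentication the current authentication; only a
 *        {@link PreAuthenticatedAuthenticationToken} is considered
 * @param object the secured object; only a {@link FilterInvocation} is considered
 * @param collection the config attributes of the secured object (raw
 *        {@code Collection}; not consulted by this voter)
 * @return {@code ACCESS_GRANTED}, {@code ACCESS_DENIED} or {@code ACCESS_ABSTAIN}
 */
@Override
public int vote(final Authentication authentication, final Object object, final Collection collection) {
    final StopWatch stopWatch = new StopWatch();
    stopWatch.start();
    // Only pre-authenticated requests can carry a WebID principal.
    if (!(authentication instanceof PreAuthenticatedAuthenticationToken)) {
        return ACCESS_ABSTAIN;
    }
    final Object principal = authentication.getPrincipal();
    if (!(principal instanceof WebIdUserDetails)) {
        return ACCESS_ABSTAIN;
    }
    if (!(object instanceof FilterInvocation)) {
        return ACCESS_ABSTAIN;
    }
    final String webId = ((WebIdUserDetails) principal).getUsername();
    // NOTE(review): getRequestURL() is reconstructed from the request (incl. the
    // Host header); the rules are assumed to tolerate a non-canonical host — confirm.
    final String resource = ((FilterInvocation) object).getRequest().getRequestURL().toString();
    // A WebIdUserDetails principal without ROLE_WEBID means the WebID was not
    // verified; such a request is denied, not evaluated under that WebID.
    final boolean webIdVerified = authentication.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .anyMatch("ROLE_WEBID"::equals);
    int result = ACCESS_DENIED;
    if (webIdVerified) {
        // perform our hard coded access control checks
        final List<String> webIDs = new ArrayList<>(1);
        webIDs.add(webId);
        if (defaultAccessControlRules.isAccessPermitted(resource, webIDs)) {
            result = ACCESS_GRANTED;
        }
    }
    // Report the timing for granted and denied outcomes alike.
    stopWatch.stop();
    logger.debug("access control check took " + stopWatch.getLastTaskTimeMillis() + " millis");
    return result;
}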

Example 2 with WebIdUserDetails

Use of won.node.springsecurity.userdetails.WebIdUserDetails in the project webofneeds by researchstudio-sat.

From the class UserDetailsService, method handleClientCertificate:

/**
 * Builds the user details for a request authenticated with a client certificate.
 * <p>
 * Every caller gets {@code ROLE_CLIENT_CERTIFICATE}. If the principal parses as
 * a URI it is treated as a WebID candidate and checked against the
 * certificate's public key via {@code webIDVerificationAgent}; only a
 * successful check adds {@code ROLE_WEBID} and yields a
 * {@link WebIdUserDetails}. A failed check, and any exception thrown during
 * verification (logged at debug level with its cause), leaves the role out and
 * falls back to a {@link ClientCertificateUserDetails}.
 *
 * @param certificate the presented client certificate; its public key is what
 *        the WebID verification is run against
 * @param principal the principal string belonging to the certificate; used
 *        verbatim as the name of a non-WebID user
 * @return a {@link WebIdUserDetails} for a verified WebID, otherwise a
 *         {@link ClientCertificateUserDetails}
 */
private UserDetails handleClientCertificate(Certificate certificate, String principal) {
    final List<GrantedAuthority> grantedAuthorities = new ArrayList<>(3);
    grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_CLIENT_CERTIFICATE"));
    logger.debug("checking if principal '" + principal + "' is a webId");
    final URI webID = toUriIfPossible(principal);
    if (webID == null) {
        // not a URI, so it cannot be a WebID: plain certificate user
        return new ClientCertificateUserDetails(principal, grantedAuthorities);
    }
    // principal is an URI, try to verify:
    boolean webIdVerified = false;
    try {
        webIdVerified = webIDVerificationAgent.verify(certificate.getPublicKey(), webID);
        if (!webIdVerified) {
            logger.debug("could not verify webId '" + principal + "'. ROLE_WEBID not granted");
        }
    } catch (Exception e) {
        // verification errors never grant the role; the cause is kept in the log
        logger.debug("could not verify webId '" + principal + "' because of an error during verification. ROLE_WEBID " + "not granted. Cause is logged", e);
    }
    if (webIdVerified) {
        grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_WEBID"));
        logger.debug("webId '" + principal + "' successfully verified - ROLE_WEBID granted");
        return new WebIdUserDetails(webID, grantedAuthorities);
    }
    // certificate user without a verified WebID
    return new ClientCertificateUserDetails(principal, grantedAuthorities);
}

Example 3 with WebIdUserDetails

Use of won.node.springsecurity.userdetails.WebIdUserDetails in the project webofneeds by researchstudio-sat.

From the class WonAclAccessDecisionVoter, method vote:

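/**
 * Votes on a request using WoN ACLs, with the hard-coded rules as fallback
 * for targets that have no ACL graph.
 * <p>
 * Decision order as implemented here:
 * <ol>
 * <li>a {@code permitAll} config attribute grants immediately;</li>
 * <li>the requestor's WebID is taken from a pre-authenticated
 * {@link WebIdUserDetails} principal only if {@code ROLE_WEBID} was granted —
 * an unverified WebID is treated as anonymous; a
 * {@link WonAclTokenAuthentication} supplies an {@link AuthToken} instead;</li>
 * <li>a WebID equal to the node's own default private-key alias bypasses all
 * ACL checks;</li>
 * <li>otherwise the request URL is mapped to a resource URI and the vote is
 * delegated to {@link #voteForMessageRequest} or
 * {@link #voteForNonMessageRequest}, each receiving the legacy rules as a
 * supplier.</li>
 * </ol>
 * A request URL that is not a valid URI is denied.
 *
 * @param authentication the current authentication; any type is accepted, but
 *        only the two types named above contribute a WebID or token
 * @param filterInvocation the secured request
 * @param configAttributes the config attributes of the secured URL
 * @return {@code ACCESS_GRANTED}, {@code ACCESS_DENIED} or {@code ACCESS_ABSTAIN}
 */
@Override
@Transactional
public int vote(final Authentication authentication, final FilterInvocation filterInvocation, final Collection<ConfigAttribute> configAttributes) {
    StopWatch stopWatch = new StopWatch();
    stopWatch.start();
    // 'permitAll' short-circuits everything below, including the ACL checks
    if (configAttributes.stream().map(Object::toString).anyMatch(x -> x.equals("permitAll"))) {
        return ACCESS_GRANTED;
    }
    String webId = null;
    AuthToken authToken = null;
    if (authentication instanceof PreAuthenticatedAuthenticationToken) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof WebIdUserDetails) {
            WebIdUserDetails userDetails = (WebIdUserDetails) principal;
            // only a successfully verified WebId (ROLE_WEBID present) identifies the
            // requestor; an unverified one is treated as anonymous (webId stays null)
            boolean webIdVerified = authentication.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .anyMatch("ROLE_WEBID"::equals);
            if (webIdVerified) {
                webId = userDetails.getUsername();
            }
        }
    } else if (authentication instanceof WonAclTokenAuthentication) {
        // NOTE(review): unchecked cast — a non-AuthToken details object would surface
        // as a ClassCastException rather than a denial; confirm the token
        // authentication always stores an AuthToken in getDetails().
        authToken = (AuthToken) ((WonAclTokenAuthentication) authentication).getDetails();
    }
    if (webId != null && webId.equals(cryptographyService.getDefaultPrivateKeyAlias())) {
        // if the WoN node itself is the requestor, bypass all checks and allow
        if (logger.isDebugEnabled()) {
            logger.debug("Requestor is WonNode itself, authenticated by its WebID. Bypassing any ACL checks");
        }
        WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.allowAll());
        return ACCESS_GRANTED;
    }
    String resource = filterInvocation.getRequest().getRequestURL().toString();
    URI resourceUri = null;
    try {
        resourceUri = uriService.toResourceURIIfPossible(new URI(resource));
    } catch (URISyntaxException e) {
        // deny, and keep the cause so a malformed request URL can be diagnosed
        logger.debug("Cannot process ACL for resource {}", resource, e);
        return ACCESS_DENIED;
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Processing WoN ACL for request to resource {}", resourceUri);
    }
    int result = ACCESS_DENIED;
    // perform our hard coded access control checks
    // prepare the legacy implementation in case the target atom(s) have no acl
    // graph; an anonymous requestor is passed as an empty WebID list
    final List<String> webids = webId != null ? List.of(webId) : Collections.emptyList();
    Supplier<Integer> legacyImpl = () -> {
        if (defaultAccessControlRules.isAccessPermitted(resource, webids)) {
            return ACCESS_GRANTED;
        }
        return ACCESS_DENIED;
    };
    // NOTE(review): if toResourceURIIfPossible can return null, resourceUri reaches
    // the helpers below as null — confirm they handle that.
    if (WonMessageUriHelper.isLocalMessageURI(resourceUri, uriService.getMessageResourceURIPrefix())) {
        // handle request for message
        result = voteForMessageRequest(webId, authToken, resourceUri, filterInvocation, legacyImpl);
    } else {
        // handle other requests
        result = voteForNonMessageRequest(webId, authToken, resourceUri, filterInvocation, legacyImpl);
    }
    stopWatch.stop();
    if (logger.isDebugEnabled()) {
        logger.debug("access control check for {} with webid {}, token {} took {} millis, result: {} ", new Object[] { resourceUri, webId, authToken == null ? "(no token)" : "present", stopWatch.getLastTaskTimeMillis(), (result == ACCESS_GRANTED ? "granted" : (result == ACCESS_DENIED ? "denied" : (result == ACCESS_ABSTAIN ? "abstain" : result))) });
    }
    return result;
}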
