コード例 #1
0
  /**
   * Establish the SAML2IDP using the PROXY_URLPATH_CONTEXT from the session<br>
   * Also puts the SAML2IDP's EntityId in the Session as PROXY_SHADOWED_ENTITYID<br>
   * <br>
   * When no SAML2IDP match could be made, there will be no PROXY_SHADOWED_ENTITYID attribute
   * written in the session, and null is returned.
   *
   * @param oAttributes Session Attributes
   * @param oURLPathContext non-null initialized URLPathContext instance to process
   * @return SAML2IDP organization as established, or null when no match could be made
   */
  protected SAML2IDP processURLPathContext(
      ISessionAttributes oAttributes, URLPathContext oURLPathContext) throws OAException {
    // Did we try to find a match before?
    if (oAttributes.contains(
        com.alfaariss.oa.util.session.ProxyAttributes.class,
        com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID)) {
      String sShadowedEntityId =
          (String)
              oAttributes.get(
                  com.alfaariss.oa.util.session.ProxyAttributes.class,
                  com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID);

      // Re-use this intelligence, and return the SAML2IDP instance
      IIDP oIDP = _organizationStorage.getIDP(sShadowedEntityId);
      if (oIDP instanceof SAML2IDP) {
        _logger.info("Found IDP '" + sShadowedEntityId + "' from previous URLPath Context match");
        return (SAML2IDP) oIDP;
      } else {
        _logger.warn(
            "Non-SAML2IDP found in IDP Storage - inform developers of this condition! (1)");
        return null;
      }
    }

    String sIValue = oURLPathContext.getParams().get("i");
    if (sIValue == null) {
      _logger.info("No 'i' value found in URLPath Context path ('" + oURLPathContext + "')");
      return null;
    }

    List<IIDP> lAllIDPs = _organizationStorage.getAll();
    for (IIDP oIDP : lAllIDPs) {
      String sIDPEntityIdHash = DigestUtils.shaHex(oIDP.getID());
      if (sIDPEntityIdHash.equalsIgnoreCase(sIValue)) {
        _logger.info("Found IDP '" + oIDP.getID() + "' in matching URLPath Context");
        if (oIDP instanceof SAML2IDP) {
          // Store the IDP that was found on the map
          oAttributes.put(
              com.alfaariss.oa.util.session.ProxyAttributes.class,
              com.alfaariss.oa.util.session.ProxyAttributes.PROXY_SHADOWED_IDPID,
              oIDP.getID());

          // Return result
          return (SAML2IDP) oIDP;
        } else {
          _logger.warn(
              "Non-SAML2IDP found in IDP Storage - inform developers of this condition! (2)");
          return null;
        }
      }
    }

    _logger.info("No IDP found for provided i");
    return null;
  }
コード例 #2
0
  /**
   * Requestor selection based on RemoteASelectMethod.authenticate.
   *
   * <p>When implementing Synchronous (querying) authentication, this method should be adapted. -
   * Warnings
   *
   * @see
   *     com.alfaariss.oa.sso.authentication.web.IWebAuthenticationMethod#authenticate(javax.servlet.http.HttpServletRequest,
   *     javax.servlet.http.HttpServletResponse, com.alfaariss.oa.api.session.ISession)
   */
  @SuppressWarnings("unchecked")
  public UserEvent authenticate(
      HttpServletRequest request, HttpServletResponse response, ISession session)
      throws OAException {
    try {
      ISessionAttributes oAttributes = session.getAttributes();

      // check proxy att:
      Integer intCnt = (Integer) oAttributes.get(ProxyAttributes.class, ProxyAttributes.PROXYCOUNT);
      if (intCnt != null && intCnt <= 0) {
        _logger.debug("No more authentication proxying allowed: " + intCnt);
        _eventLogger.info(
            new UserEventLogItem(
                session,
                request.getRemoteAddr(),
                UserEvent.AUTHN_METHOD_FAILED,
                this,
                "ProxyCount <= 0"));
        return UserEvent.AUTHN_METHOD_FAILED;
      }

      SAML2IDP organization = null;
      List<Warnings> warnings = null;

      // Figure out whether there exists a pre-selected organization in the URLPath context
      URLPathContext oURLPathContext =
          (URLPathContext)
              oAttributes.get(
                  com.alfaariss.oa.util.session.ProxyAttributes.class,
                  com.alfaariss.oa.util.session.ProxyAttributes.PROXY_URLPATH_CONTEXT);

      if (oURLPathContext != null) {
        organization = processURLPathContext(oAttributes, oURLPathContext);
      }

      if (organization != null) {
        _logger.info("Established organization from URLPathContext: " + organization.getID());

        // Add to Session context if it is not there yet
        if (!oAttributes.contains(
            SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) {
          oAttributes.put(
              SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization);
        }
      } else {
        if (oAttributes.contains(
            SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION)) {
          organization =
              (SAML2IDP)
                  oAttributes.get(
                      SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION);
        } else {
          List<SAML2IDP> listSelectableOrganizations = null;

          if (oAttributes.contains(
              SAML2AuthenticationMethod.class, _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS)) {
            // The selected organization was not available, select again:
            listSelectableOrganizations =
                (List<SAML2IDP>)
                    oAttributes.get(
                        SAML2AuthenticationMethod.class,
                        _sMethodId + "." + LIST_AVAILABLE_ORGANIZATIONS);

            warnings = new Vector<Warnings>();
            warnings.add(Warnings.WARNING_ORGANIZATION_UNAVAILABLE);
          } else {
            IUser oUser = session.getUser();
            if (oUser != null) {
              // verify if user that was identified in previous authn method may use this SAML2
              // authn method
              if (!oUser.isAuthenticationRegistered(_sMethodId)) {
                _eventLogger.info(
                    new UserEventLogItem(
                        session,
                        request.getRemoteAddr(),
                        UserEvent.AUTHN_METHOD_NOT_REGISTERED,
                        this,
                        null));

                return UserEvent.AUTHN_METHOD_NOT_REGISTERED;
              }
            }

            listSelectableOrganizations = new Vector<SAML2IDP>();
            Vector fallbackList = new Vector<String>();

            Collection<String> cForcedOrganizations = getForcedIDPs(session);
            if (cForcedOrganizations != null && !cForcedOrganizations.isEmpty())
              oAttributes.put(
                  SAML2AuthNConstants.class,
                  SAML2AuthNConstants.FORCED_ORGANIZATIONS,
                  cForcedOrganizations);

            List<SAML2IDP> listIDPs = _organizationStorage.getAll();
            for (SAML2IDP saml2IDP : listIDPs) {
              fallbackList.add(saml2IDP);
              if (cForcedOrganizations == null || cForcedOrganizations.contains(saml2IDP.getID())) {
                // if no forced organizations are defined or organization is in the forced
                // organization list: Add to select organization list.
                listSelectableOrganizations.add(saml2IDP);
              }
            }

            if (listSelectableOrganizations.isEmpty()) {
              // DD if no forced orgs are known locally, add all and let user decide.
              // Make sure proxy orgs are send with AuthN request
              listSelectableOrganizations = fallbackList;
            }
          }

          if (listSelectableOrganizations.size() == 0) {
            _logger.debug("No organizations available to choose from");
            _eventLogger.info(
                new UserEventLogItem(
                    session,
                    request.getRemoteAddr(),
                    UserEvent.AUTHN_METHOD_NOT_SUPPORTED,
                    this,
                    null));

            return UserEvent.AUTHN_METHOD_NOT_SUPPORTED;
          }

          if (_oSelector == null) {
            organization = listSelectableOrganizations.get(0);

            _logger.debug("No selector configured, using: " + organization.getID());
          } else {
            try {
              // Select requestor
              organization =
                  _oSelector.resolve(
                      request,
                      response,
                      session,
                      listSelectableOrganizations,
                      _sFriendlyName,
                      warnings);
            } catch (OAException e) {
              _eventLogger.info(
                  new UserEventLogItem(
                      session,
                      request.getRemoteAddr(),
                      UserEvent.INTERNAL_ERROR,
                      this,
                      "selecting organization"));
              throw e;
            }
          }

          if (organization == null) {
            // Page is shown
            _eventLogger.info(
                new UserEventLogItem(
                    session,
                    request.getRemoteAddr(),
                    UserEvent.AUTHN_METHOD_IN_PROGRESS,
                    this,
                    null));

            return UserEvent.AUTHN_METHOD_IN_PROGRESS;
          }

          oAttributes.put(
              SAML2AuthenticationMethod.class, _sMethodId, SELECTED_ORGANIZATION, organization);

          listSelectableOrganizations.remove(organization);
          oAttributes.put(
              SAML2AuthenticationMethod.class,
              _sMethodId,
              LIST_AVAILABLE_ORGANIZATIONS,
              listSelectableOrganizations);
        }
      }

      UserEvent event = null;

      if (_profileWebBrowserSSO != null) {
        event =
            _profileWebBrowserSSO.process(
                request, response, session, organization, _htAttributeMapper);

        _eventLogger.info(
            new UserEventLogItem(session, request.getRemoteAddr(), event, this, null));
      } else {
        _eventLogger.info(
            new UserEventLogItem(
                session,
                request.getRemoteAddr(),
                UserEvent.AUTHN_METHOD_FAILED,
                this,
                "No suitable SAML2 profile could be found for authentication"));
        event = UserEvent.AUTHN_METHOD_FAILED;
      }

      if (event == UserEvent.AUTHN_METHOD_FAILED && _bEnableFallback) {
        // fallback
        event = UserEvent.AUTHN_METHOD_IN_PROGRESS;
        oAttributes.remove(
            SAML2AuthenticationMethod.class, _sMethodId + "." + SELECTED_ORGANIZATION);

        _eventLogger.info(
            new UserEventLogItem(
                session,
                request.getRemoteAddr(),
                UserEvent.AUTHN_METHOD_IN_PROGRESS,
                this,
                "Fallback mechanism activated"));

        event = authenticate(request, response, session);
      }

      return event;
    } catch (OAException oae) {
      _eventLogger.info(
          new UserEventLogItem(
              session,
              request.getRemoteAddr(),
              UserEvent.AUTHN_METHOD_FAILED,
              this,
              oae.getLocalizedMessage()));

      throw oae;
    }
  }