/**
   * Gets mfa request context.
   *
   * @param serviceMfaData service specific mfa settings
   * @param attributeValue the value found in the attribute
   * @param targetService the target service
   * @return the mfa request context
   */
  private MultiFactorAuthenticationRequestContext getMfaRequestContext(
      final ServiceMfaData serviceMfaData,
      final String attributeValue,
      final WebApplicationService targetService) {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(targetService);
    final RegisteredServiceWithAttributes service =
        RegisteredServiceWithAttributes.class.cast(registeredService);
    final String method = String.class.cast(service.getExtraAttributes().get("method"));

    if (match(serviceMfaData.getAttributePattern(), attributeValue)) {
      if (!this.authenticationMethodConfiguration.containsAuthenticationMethod(
          serviceMfaData.getAuthenticationMethod())) {
        logger.info(
            "MFA attribute [{}] with value [{}] is not supported by the authentication method configuration.",
            serviceMfaData.getAttributeName(),
            serviceMfaData.getAuthenticationMethod());
        return null;
      }
      final int mfaMethodRank =
          this.authenticationMethodConfiguration
              .getAuthenticationMethod(serviceMfaData.getAuthenticationMethod())
              .getRank();
      final MultiFactorAuthenticationSupportingWebApplicationService svc =
          this.mfaServiceFactory.create(
              targetService.getId(),
              targetService.getId(),
              targetService.getArtifactId(),
              "POST".equals(method) ? ResponseType.POST : ResponseType.REDIRECT,
              serviceMfaData.getAuthenticationMethod(),
              MultiFactorAuthenticationSupportingWebApplicationService.AuthenticationMethodSource
                  .PRINCIPAL_ATTRIBUTE);

      return new MultiFactorAuthenticationRequestContext(svc, mfaMethodRank);
    }

    logger.trace("{} did not match {}", attributeValue, serviceMfaData.getAttributePattern());
    return null;
  }
  @Override
  public final WebApplicationService extractService(final HttpServletRequest request) {
    final WebApplicationService targetService = getTargetService(request);
    if (targetService == null) {
      return null;
    }
    String authenticationMethod = this.getAuthenticationMethod(request, targetService);
    if (StringUtils.isBlank(authenticationMethod)) {
      return null;
    }
    authenticationMethod =
        this.authenticationMethodTranslator.translate(targetService, authenticationMethod);
    this.authenticationMethodVerifier.verifyAuthenticationMethod(
        authenticationMethod, targetService, request);

    // Grab the HTTP method for the response off of the request.
    final String method = request.getParameter(CONST_PARAM_METHOD);

    final MultiFactorAuthenticationSupportingWebApplicationService mfaService =
        this.mfaWebApplicationServiceFactory.create(
            targetService.getId(),
            targetService.getId(),
            targetService.getArtifactId(),
            "POST".equalsIgnoreCase(method) ? ResponseType.POST : ResponseType.REDIRECT,
            authenticationMethod,
            getAuthenticationMethodSource());

    logger.debug(
        "Created multifactor authentication service instance for [{}] with [{}] as [{}] "
            + "and authentication method definition source [{}].",
        mfaService.getId(),
        CONST_PARAM_AUTHN_METHOD,
        mfaService.getAuthenticationMethod(),
        mfaService.getAuthenticationMethodSource());

    return mfaService;
  }
  /**
   * Handle the request. Specially, abides by the default behavior specified in the {@link
   * org.jasig.cas.web.ServiceValidateController} and then, invokes the {@link #getCommandClass()}
   * method to delegate the task of spec validation.
   *
   * @param request request object
   * @param response response object
   * @return A {@link ModelAndView} object pointing to either {@link #setSuccessView(String)} or
   *     {@link #setFailureView(String)}
   * @throws Exception In case the authentication method cannot be retrieved by the binder from the
   *     incoming request.
   */
  @Override
  protected final ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    final WebApplicationService service = this.argumentExtractor.extractService(request);
    final String serviceTicketId = service != null ? service.getArtifactId() : null;
    final String authnMethod = getAuthenticationMethodFromRequest(request);

    if (service == null || serviceTicketId == null) {
      logger.debug(
          String.format(
              "Could not process request; Service: %s, Service Ticket Id: %s",
              service, serviceTicketId));
      return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST", authnMethod, null);
    }

    try {
      final Credential serviceCredentials = getServiceCredentialsFromRequest(request);
      String proxyGrantingTicketId = null;

      if (serviceCredentials != null) {
        try {
          proxyGrantingTicketId =
              this.centralAuthenticationService.delegateTicketGrantingTicket(
                  serviceTicketId, serviceCredentials);
        } catch (final TicketException e) {
          logger.error("TicketException generating ticket for: " + serviceCredentials, e);
        }
      }

      final Assertion assertion =
          this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service);
      final AbstractMultiFactorAuthenticationProtocolValidationSpecification
          validationSpecification = this.getCommandClass();
      final ServletRequestDataBinder binder =
          new ServletRequestDataBinder(validationSpecification, "validationSpecification");
      initBinder(request, binder);
      binder.bind(request);

      /**
       * The binder does not support field aliases. This means that the request parameter names must
       * exactly match the validation spec fields, or the match fails. Since the validation request
       * per the modified protocol will use 'authn_method', we could either create a matching field
       * inside the validation object, create a custom data binder object that does the conversion,
       * or simply bind the parameter manually.
       *
       * <p>This implementation opts for the latter choice.
       */
      validationSpecification.setAuthenticationMethod(authnMethod);

      try {
        if (!validationSpecification.isSatisfiedBy(assertion)) {
          logger.debug(
              "ServiceTicket [" + serviceTicketId + "] does not satisfy validation specification.");
          return generateErrorView("INVALID_TICKET", "INVALID_TICKET_SPEC", authnMethod, null);
        }
      } catch (final UnrecognizedMultiFactorAuthenticationMethodException e) {
        logger.debug(e.getMessage(), e);
        return generateErrorView(
            e.getCode(), e.getMessage(), authnMethod, new Object[] {e.getAuthenticationMethod()});
      } catch (final UnacceptableMultiFactorAuthenticationMethodException e) {
        logger.debug(e.getMessage(), e);
        return generateErrorView(
            e.getCode(),
            e.getMessage(),
            authnMethod,
            new Object[] {serviceTicketId, e.getAuthenticationMethod()});
      }

      onSuccessfulValidation(serviceTicketId, assertion);

      final ModelAndView success = new ModelAndView(this.successView);
      success.addObject(MODEL_ASSERTION, assertion);

      if (serviceCredentials != null && proxyGrantingTicketId != null) {
        final String proxyIou = this.proxyHandler.handle(serviceCredentials, proxyGrantingTicketId);
        success.addObject(MODEL_PROXY_GRANTING_TICKET_IOU, proxyIou);
      }

      final String authnMethods =
          MultiFactorUtils.getFulfilledAuthenticationMethodsAsString(assertion);
      if (StringUtils.isNotBlank(authnMethods)) {
        success.addObject(MODEL_AUTHN_METHOD, authnMethods);
      }
      logger.debug(String.format("Successfully validated service ticket: %s", serviceTicketId));

      return success;
    } catch (final TicketValidationException e) {
      return generateErrorView(
          e.getCode(),
          e.getCode(),
          authnMethod,
          new Object[] {serviceTicketId, e.getOriginalService().getId(), service.getId()});
    } catch (final TicketException te) {
      return generateErrorView(
          te.getCode(), te.getCode(), authnMethod, new Object[] {serviceTicketId});
    } catch (final UnauthorizedServiceException e) {
      return generateErrorView(e.getMessage(), e.getMessage(), authnMethod, null);
    }
  }
Пример #4
0
  protected final ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    final WebApplicationService service = this.argumentExtractor.extractService(request);
    final String serviceTicketId = service != null ? service.getArtifactId() : null;

    if (service == null || serviceTicketId == null) {
      logger.debug(
          String.format(
              "Could not process request; Service: %s, Service Ticket Id: %s",
              service, serviceTicketId));
      return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST", null);
    }

    try {
      final Credentials serviceCredentials = getServiceCredentialsFromRequest(request);
      String proxyGrantingTicketId = null;

      // XXX should be able to validate AND THEN use
      if (serviceCredentials != null) {
        try {
          proxyGrantingTicketId =
              this.centralAuthenticationService.delegateTicketGrantingTicket(
                  serviceTicketId, serviceCredentials);
        } catch (final TicketException e) {
          logger.error("TicketException generating ticket for: " + serviceCredentials, e);
        }
      }

      final Assertion assertion =
          this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service);

      final ValidationSpecification validationSpecification = this.getCommandClass();
      final ServletRequestDataBinder binder =
          new ServletRequestDataBinder(validationSpecification, "validationSpecification");
      initBinder(request, binder);
      binder.bind(request);

      if (!validationSpecification.isSatisfiedBy(assertion)) {
        if (logger.isDebugEnabled()) {
          logger.debug(
              "ServiceTicket [" + serviceTicketId + "] does not satisfy validation specification.");
        }
        return generateErrorView("INVALID_TICKET", "INVALID_TICKET_SPEC", null);
      }

      onSuccessfulValidation(serviceTicketId, assertion);

      final ModelAndView success = new ModelAndView(this.successView);
      success.addObject(MODEL_ASSERTION, assertion);

      if (serviceCredentials != null && proxyGrantingTicketId != null) {
        final String proxyIou = this.proxyHandler.handle(serviceCredentials, proxyGrantingTicketId);
        success.addObject(MODEL_PROXY_GRANTING_TICKET_IOU, proxyIou);
      }

      if (logger.isDebugEnabled()) {
        logger.debug(
            String.format(
                "Successfully validated service ticket [%s] for service [%s]",
                serviceTicketId, service.getId()));
      }

      return success;
    } catch (final TicketValidationException e) {
      return generateErrorView(
          e.getCode(),
          e.getCode(),
          new Object[] {serviceTicketId, e.getOriginalService().getId(), service.getId()});
    } catch (final TicketException te) {
      return generateErrorView(te.getCode(), te.getCode(), new Object[] {serviceTicketId});
    } catch (final UnauthorizedServiceException e) {
      return generateErrorView(e.getMessage(), e.getMessage(), null);
    }
  }