/** {@inheritDoc} */
@Override
protected void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    super.buildAuthenticationResult(profileRequestContext, authenticationContext);

    // Subject canonicalization is deliberately short-circuited: the value held in
    // "username" is re-asserted as the principal name without any further c14n step.
    // NOTE(review): whatever populates "username" (not visible in this method) is
    // therefore the trust boundary for the identity that ends up in the session.
    final SubjectCanonicalizationContext c14nCtx =
            profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class, true);
    c14nCtx.setPrincipalName(username);
}
/** {@inheritDoc} */
@Override
protected void doInitialize() throws ComponentInitializationException {
    super.doInitialize();

    // Fail fast at component initialization rather than on the first request:
    // without a lookup strategy there is no way to obtain an authentication result.
    final boolean strategyMissing = (null == resultLookupStrategy);
    if (strategyMissing) {
        throw new ComponentInitializationException("Result lookup strategy cannot be null");
    }
}
/**
 * Increment the success counter for this action's configured metric name.
 *
 * <p>The counter is named {@code <metricName>.successes} in the shared metric registry.</p>
 *
 * @since 3.3.0
 */
protected void recordSuccess() {
    final String counterName = getMetricName() + ".successes";
    MetricsSupport.getMetricRegistry().counter(counterName).inc();
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final boolean superOk = super.doPreExecute(profileRequestContext, authenticationContext);
    if (!superOk) {
        return false;
    }

    // An attempted flow must already be selected; its absence is a profile-context
    // error, and it is counted against the failure metric before bailing out.
    final AuthenticationFlowDescriptor attemptedFlow = authenticationContext.getAttemptedFlow();
    if (null == attemptedFlow) {
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }

    return true;
}
log.debug("{} Adding custom Principal(s) defined on underlying flow descriptor", getLogPrefix()); getSubject().getPrincipals().addAll( authenticationContext.getAttemptedFlow().getSupportedPrincipals()); populateSubject(getSubject())); authenticationContext.setAuthenticationResult(result); log.info("{} Predicate indicates authentication result {} be cacheable in a session", getLogPrefix(), authenticationContext.isResultCacheable() ? "will" : "will not");
return false; } else if (authenticationContext.getAttemptedFlow() == null) { log.info("{} No attempted flow within authentication context", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX); return false; if (rpCtx != null && rpCtx.getOperator() != null && !getSubject().getPrincipals().isEmpty()) { log.debug("{} Request contains principal requirements, evaluating for compatibility", getLogPrefix()); for (final Principal p : rpCtx.getRequestedPrincipals()) { final PrincipalEvalPredicateFactory factory = final PrincipalEvalPredicate predicate = factory.getPredicate(p); if (predicate.apply(this)) { log.debug("{} Compatible with principal type '{}' and operator '{}'", getLogPrefix(), p.getClass(), rpCtx.getOperator()); rpCtx.setMatchingPrincipal(predicate.getMatchingPrincipal()); return true; } else { log.debug("{} Not compatible with principal type '{}' and operator '{}'", getLogPrefix(), p.getClass(), rpCtx.getOperator()); getLogPrefix(), p.getClass(), rpCtx.getOperator()); log.info("{} Skipping validator, not compatible with request's principal requirements", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.REQUEST_UNSUPPORTED); return false; final String fixedEvent = authenticationContext.getFixedEventLookupStrategy().apply(profileRequestContext); if (fixedEvent != null) {
/**
 * Replace the non-user-specific principals this action attaches to generated subjects,
 * overriding any default principals that would otherwise come from the flow.
 *
 * <p>A null or empty collection clears the override and keeps the default behavior of
 * relying on the flow. Null elements are silently dropped.</p>
 *
 * @param <T> a type of principal to add, if not generic
 * @param principals supported principals to include
 */
public <T extends Principal> void setSupportedPrincipals(
        @Nullable @NonnullElements final Collection<T> principals) {
    ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);

    // The subject's principal set is always reset first so that a null/empty argument
    // leaves no stale override behind.
    final Collection<Principal> current = getSubject().getPrincipals();
    current.clear();

    if (principals == null || principals.isEmpty()) {
        return;
    }
    for (final T candidate : principals) {
        if (candidate != null) {
            current.add(candidate);
        }
    }
}
/**
 * Constructor.
 *
 * <p>Establishes the defaults: flow principals are added, the error context is cleared,
 * no classified messages are configured, requester/responder IDs are resolved via the
 * standard lookup functions, and the metric name is the class default.</p>
 */
public AbstractValidationAction() {
    // Subject and error-handling defaults.
    authenticatedSubject = new Subject();
    clearErrorContext = true;
    classifiedMessages = Collections.emptyMap();
    addDefaultPrincipals = true;

    // Identity lookups used when evaluating classified messages / logging.
    requesterLookupStrategy = new RelyingPartyIdLookupFunction();
    responderLookupStrategy = new ResponderIdLookupFunction();

    // Metric naming goes through the setter so any validation it performs applies.
    setMetricName(DEFAULT_METRIC_NAME);
}
/**
 * Record an exception raised during the action in an {@link AuthenticationErrorContext}
 * (created beneath the {@link AuthenticationContext} if absent) and then classify it.
 *
 * <p>Classification is delegated to the message-based overload using the exception's
 * message text; a matching classification label becomes the action's resulting event,
 * otherwise {@code eventId} is signaled.</p>
 *
 * @param profileRequestContext the current profile request context
 * @param authenticationContext the current authentication context
 * @param e the exception to process
 * @param eventId the event to "return" via an {@link org.opensaml.profile.context.EventContext} if
 *      the exception message is not classified
 */
protected void handleError(
        @Nonnull final ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext, @Nonnull final Exception e,
        @Nonnull @NotEmpty final String eventId) {

    final AuthenticationErrorContext errors =
            authenticationContext.getSubcontext(AuthenticationErrorContext.class, true);
    errors.addException(e);

    // Only the message text takes part in classification; the exception itself is kept
    // on the error context above for later inspection.
    final String message = e.getMessage();
    handleError(profileRequestContext, authenticationContext, message, eventId);
}
@Nonnull final AuthenticationContext authenticationContext) { if (!super.doPreExecute(profileRequestContext, authenticationContext)) { return false;
/** {@inheritDoc} */
@Override
@Nonnull @NonnullElements @Unmodifiable @NotLive
public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull final Class<T> c) {
    // Delegates to the subject's type-filtered principal view.
    final Set<T> matching = getSubject().getPrincipals(c);
    return matching;
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }

    // Both preconditions below are counted as failures against the metric before the
    // corresponding error event is signaled.
    final AuthenticationFlowDescriptor attemptedFlow = authenticationContext.getAttemptedFlow();
    if (null == attemptedFlow) {
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }

    final ExternalAuthenticationContext found =
            authenticationContext.getSubcontext(ExternalAuthenticationContext.class);
    if (null == found) {
        log.debug("{} No ExternalAuthenticationContext available within authentication context",
                getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
        recordFailure();
        return false;
    }

    extContext = found;
    return true;
}
/**
 * Increment the failure counter for this action's configured metric name.
 *
 * <p>The counter is named {@code <metricName>.failures} in the shared metric registry.</p>
 *
 * @since 3.3.0
 */
protected void recordFailure() {
    final String counterName = getMetricName() + ".failures";
    MetricsSupport.getMetricRegistry().counter(counterName).inc();
}
/** {@inheritDoc} */
@Override
protected void doInitialize() throws ComponentInitializationException {
    super.doInitialize();

    // Both Duo API clients are mandatory; the auth client is checked first so its
    // message wins when both are missing.
    if (null == authAuthenticator) {
        throw new ComponentInitializationException("DuoAuthAuthenticator cannot be null");
    }
    if (null == preauthAuthenticator) {
        throw new ComponentInitializationException("DuoPreauthAuthenticator cannot be null");
    }
}
/** {@inheritDoc} */
@Override
protected void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    super.buildAuthenticationResult(profileRequestContext, authenticationContext);

    // Subject canonicalization is deliberately short-circuited: the value held in
    // "username" is re-asserted as the principal name without any further c14n step.
    // NOTE(review): whatever populates "username" (not visible in this method) is
    // therefore the trust boundary for the identity that ends up in the session.
    final SubjectCanonicalizationContext c14nCtx =
            profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class, true);
    c14nCtx.setPrincipalName(username);
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }

    final AuthenticationFlowDescriptor attemptedFlow = authenticationContext.getAttemptedFlow();
    if (null == attemptedFlow) {
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }

    // NOTE(review): the two NO_CREDENTIALS exits below do not call recordFailure(),
    // unlike the missing-flow exit above; confirm whether an absent username is meant
    // to be excluded from the failure metric.
    final UsernameContext found = authenticationContext.getSubcontext(UsernameContext.class);
    if (null == found) {
        log.debug("{} No UsernameContext available within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }

    // Only null is rejected here; an empty-string username would pass this guard.
    // NOTE(review): presumably the extraction step normalizes empty to null — verify.
    if (null == found.getUsername()) {
        log.debug("{} No username available within UsernameContext", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }

    usernameContext = found;
    return true;
}
@Nonnull final AuthenticationContext authenticationContext) { if (!super.doPreExecute(profileRequestContext, authenticationContext)) { return false;
@Nonnull final AuthenticationContext authenticationContext) { if (!super.doPreExecute(profileRequestContext, authenticationContext)) { return false;
@Nonnull final AuthenticationContext authenticationContext) { if (!super.doPreExecute(profileRequestContext, authenticationContext)) { return false;
@Nonnull final AuthenticationContext authenticationContext) { if (!super.doPreExecute(profileRequestContext, authenticationContext)) { return false;