@Bean @ConditionalOnMissingBean(name = "checkWebAuthenticationRequestAction") @RefreshScope public Action checkWebAuthenticationRequestAction() { return new CheckWebAuthenticationRequestAction(casProperties.getAuthn().getMfa().getContentType()); }
@ConditionalOnMissingBean(name = "stubAttributeRepositories") @Bean @RefreshScope public List<IPersonAttributeDao> stubAttributeRepositories() { val list = new ArrayList<IPersonAttributeDao>(); val attrs = casProperties.getAuthn().getAttributeRepository().getStub().getAttributes(); if (!attrs.isEmpty()) { LOGGER.info("Found and added static attributes [{}] to the list of candidate attribute repositories", attrs.keySet()); list.add(Beans.newStubAttributeRepository(casProperties.getAuthn().getAttributeRepository())); } return list; }
@RefreshScope @Bean public Collection<BaseOidcScopeAttributeReleasePolicy> userDefinedScopeBasedAttributeReleasePolicies() { val oidc = casProperties.getAuthn().getOidc(); return oidc.getUserDefinedScopes().entrySet() .stream() .map(k -> new OidcCustomScopeAttributeReleasePolicy(k.getKey(), CollectionUtils.wrapList(k.getValue().split(",")))) .collect(Collectors.toSet()); }
@ConditionalOnMissingBean(name = "authenticationAttributeReleasePolicy") @RefreshScope @Bean public AuthenticationAttributeReleasePolicy authenticationAttributeReleasePolicy() { val release = casProperties.getAuthn().getAuthenticationAttributeRelease(); if (!release.isEnabled()) { LOGGER.debug("CAS is configured to not release protocol-level authentication attributes."); return AuthenticationAttributeReleasePolicy.noOp(); } val attributesToNeverRelease = CollectionUtils.wrapSet( CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL, CasViewConstants.MODEL_ATTRIBUTE_NAME_PROXY_GRANTING_TICKET, RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME); attributesToNeverRelease.addAll(release.getNeverRelease()); return new DefaultAuthenticationAttributeReleasePolicy(release.getOnlyRelease(), attributesToNeverRelease, casProperties.getAuthn().getMfa().getAuthenticationContextAttribute()); } }
/** * Build redirect url by requested authn context. * * @param initialUrl the initial url * @param authnRequest the authn request * @param request the request * @return the redirect url */ protected String buildRedirectUrlByRequestedAuthnContext(final String initialUrl, final AuthnRequest authnRequest, final HttpServletRequest request) { val authenticationContextClassMappings = this.casProperties.getAuthn().getSamlIdp().getAuthenticationContextClassMappings(); if (authnRequest.getRequestedAuthnContext() == null || authenticationContextClassMappings == null || authenticationContextClassMappings.isEmpty()) { return initialUrl; } val mappings = getAuthenticationContextMappings(); val p = authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs() .stream() .filter(ref -> { val clazz = ref.getAuthnContextClassRef(); return mappings.containsKey(clazz); }) .findFirst(); if (p.isPresent()) { val mappedClazz = mappings.get(p.get().getAuthnContextClassRef()); return initialUrl + '&' + casProperties.getAuthn().getMfa().getRequestParameter() + '=' + mappedClazz; } return initialUrl; }
@Bean @ConditionalOnMissingBean(name = "authenticationPolicyFactory") public ContextualAuthenticationPolicyFactory<ServiceContext> authenticationPolicyFactory() { if (casProperties.getAuthn().getPolicy().isRequiredHandlerAuthenticationPolicyEnabled()) { return new RequiredHandlerAuthenticationPolicyFactory(); } return new AcceptAnyAuthenticationPolicyFactory(); }
@ConditionalOnMissingBean(name = "tokenAuthenticationHandler") @Bean public AuthenticationHandler tokenAuthenticationHandler() { val token = casProperties.getAuthn().getToken(); return new TokenAuthenticationHandler(token.getName(), servicesManager.getIfAvailable(), tokenPrincipalFactory(), PrincipalNameTransformerUtils.newPrincipalNameTransformer(token.getPrincipalTransformation())); }
@ConditionalOnMissingBean(name = "authenticationHandlerResolversExecutionPlanConfigurer") @Bean public AuthenticationEventExecutionPlanConfigurer authenticationHandlerResolversExecutionPlanConfigurer() { return plan -> { if (casProperties.getAuthn().getPolicy().isSourceSelectionEnabled()) { plan.registerAuthenticationHandlerResolver(byCredentialSourceAuthenticationHandlerResolver()); } plan.registerAuthenticationHandlerResolver(registeredServiceAuthenticationHandlerResolver()); }; } }
@Bean public AuthenticationHandler tokenAuthenticationHandler() { final TokenAuthenticationProperties token = casProperties.getAuthn().getToken(); return new TokenAuthenticationHandler(token.getName(), servicesManager, tokenPrincipalFactory(), Beans.newPrincipalNameTransformer(token.getPrincipalTransformation())); }
@ConditionalOnMissingBean(name = "mfaTrustStorageCleaner") @Bean public MultifactorAuthenticationTrustStorageCleaner mfaTrustStorageCleaner() { return new MultifactorAuthenticationTrustStorageCleaner( casProperties.getAuthn().getMfa().getTrusted(), mfaTrustEngine()); }
@Override public Map<String, Object> getAttributesForUser(final String uid) { val finalAttributes = new HashMap<String, Object>(); casProperties.getAuthn().getAttributeRepository().getGroovy() .forEach(groovy -> { val args = new Object[] {uid, LOGGER, casProperties, applicationContext}; val personAttributesMap = ScriptingUtils.executeGroovyScript(groovy.getLocation(), args, Map.class, true); finalAttributes.putAll(personAttributesMap); }); return finalAttributes; } }
public AuthenticationEventExecutionPlanConfigurer authenticationPolicyExecutionPlanConfigurer() { return plan -> { val police = casProperties.getAuthn().getPolicy();
@Bean public CipherExecutor tokenCipherExecutor() { final CryptographyProperties crypto = casProperties.getAuthn().getToken().getCrypto(); return new TokenTicketCipherExecutor(crypto.getEncryption().getKey(), crypto.getSigning().getKey()); }
@Override public Map<String, Object> getAttributesInternal(final Principal principal, final Map<String, Object> attributes, final RegisteredService service) { val applicationContext = ApplicationContextProvider.getApplicationContext(); if (applicationContext == null) { LOGGER.warn("Could not locate the application context to process attributes"); return new HashMap<>(); } val resolvedAttributes = new TreeMap<String, Object>(String.CASE_INSENSITIVE_ORDER); resolvedAttributes.putAll(attributes); val attributesToRelease = Maps.<String, Object>newHashMapWithExpectedSize(attributes.size()); LOGGER.debug("Attempting to map and filter claims based on resolved attributes [{}]", resolvedAttributes); val properties = applicationContext.getBean(CasConfigurationProperties.class); val supportedClaims = properties.getAuthn().getOidc().getClaims(); val allowedClaims = new LinkedHashSet<String>(getAllowedAttributes()); allowedClaims.retainAll(supportedClaims); LOGGER.debug("[{}] is designed to allow claims [{}] for scope [{}]. After cross-checking with " + "supported claims [{}], the final collection of allowed attributes is [{}]", getClass().getSimpleName(), getAllowedAttributes(), getScopeName(), supportedClaims, allowedClaims); allowedClaims.stream() .map(claim -> mapClaimToAttribute(claim, resolvedAttributes)) .filter(p -> p.getValue() != null) .forEach(p -> attributesToRelease.put(p.getKey(), p.getValue())); return attributesToRelease; }
val mfaRequestHeader = casProperties.getAuthn().getMfa().getRequestHeader(); val headers = request.getHeaders(mfaRequestHeader); if (headers != null && headers.hasMoreElements()) { val mfaRequestParameter = casProperties.getAuthn().getMfa().getRequestParameter(); val params = request.getParameterValues(mfaRequestParameter); if (params != null && params.length > 0) { val attributeName = casProperties.getAuthn().getMfa().getSessionAttribute(); val session = request.getSession(false); var attributeValue = session != null ? session.getAttribute(attributeName) : null;
/** * Determines a default bundle of attributes that may be released to all services * without the explicit mapping for each service. * * @param p the principal * @param attributes the attributes * @return the released by default attributes */ protected Map<String, Object> getReleasedByDefaultAttributes(final Principal p, final Map<String, Object> attributes) { val ctx = ApplicationContextProvider.getApplicationContext(); if (ctx != null) { LOGGER.trace("Located application context. Retrieving default attributes for release, if any"); val props = ctx.getAutowireCapableBeanFactory().getBean(CasConfigurationProperties.class); val defaultAttrs = props.getAuthn().getAttributeRepository().getDefaultAttributesToRelease(); LOGGER.debug("Default attributes for release are: [{}]", defaultAttrs); val defaultAttributesToRelease = new TreeMap<String, Object>(String.CASE_INSENSITIVE_ORDER); defaultAttrs.forEach(key -> { if (attributes.containsKey(key)) { LOGGER.debug("Found and added default attribute for release: [{}]", key); defaultAttributesToRelease.put(key, attributes.get(key)); } }); return defaultAttributesToRelease; } return new TreeMap<>(); }
/** * Validate. * * @param context the context */ public void validate(final ValidationContext context) { if (!context.getUserEvent().equalsIgnoreCase("submit")) { return; } val messages = context.getMessageContext(); ApplicationContextProvider.getCasProperties().ifPresent(props -> { if (StringUtils.isBlank(source) && props.getAuthn().getPolicy().isSourceSelectionEnabled()) { messages.addMessage(new MessageBuilder() .error() .source("source") .code("source.required") .build()); } }); } }
@Bean @RefreshScope @ConditionalOnMissingBean(name = "tokenCipherExecutor") public CipherExecutor tokenCipherExecutor() { val crypto = casProperties.getAuthn().getToken().getCrypto(); val enabled = FunctionUtils.doIf( !crypto.isEnabled() && StringUtils.isNotBlank(crypto.getEncryption().getKey()) && StringUtils.isNotBlank(crypto.getSigning().getKey()), () -> { LOGGER.warn("Token encryption/signing is not enabled explicitly in the configuration, yet signing/encryption keys " + "are defined for operations. CAS will proceed to enable the token encryption/signing functionality."); return Boolean.TRUE; }, crypto::isEnabled) .get(); if (enabled) { return new TokenTicketCipherExecutor(crypto.getEncryption().getKey(), crypto.getSigning().getKey(), crypto.getAlg(), crypto.isEncryptionEnabled(), crypto.isSigningEnabled(), crypto.getSigning().getKeySize(), crypto.getEncryption().getKeySize()); } LOGGER.info("Token cookie encryption/signing is turned off. This " + "MAY NOT be safe in a production environment. Consider using other choices to handle encryption, " + "signing and verification of generated tokens."); return CipherExecutor.noOp(); }
introspect.setScope("CAS"); introspect.setAud(service.getServiceId()); introspect.setIss(casProperties.getAuthn().getOidc().getIssuer());
final HttpServletRequest httpServletRequest, final Service service) { val predicateResource = casProperties.getAuthn().getMfa().getGlobalPrincipalAttributePredicate();