/**
 * Finds an authentication on the ticket that satisfies the authentication policy
 * derived from the given service context.
 *
 * <p>The ticket's primary authentication is consulted first; only if it does not
 * satisfy the policy are the supplemental authentications tried, in iteration order.
 * Ticket ids are written to the debug log on the success paths, so that level should
 * only be enabled where the log store is trusted.</p>
 *
 * @param ticket the ticket-granting ticket whose authentications are examined
 * @param context the service context the policy is created from
 * @return the first authentication accepted by the policy
 * @throws AbstractTicketException an {@link UnsatisfiedAuthenticationPolicyException}
 *         when neither the primary nor any supplemental authentication satisfies the policy
 */
protected final Authentication getAuthenticationSatisfiedByPolicy(
        final TicketGrantingTicket ticket, final ServiceContext context)
        throws AbstractTicketException {
    final ContextualAuthenticationPolicy<ServiceContext> policy =
            serviceContextAuthenticationPolicyFactory.createPolicy(context);

    final Authentication primary = ticket.getAuthentication();
    if (policy.isSatisfiedBy(primary)) {
        logger.debug("Authentication policy {} is satisfied by the authentication associated with {}",
                policy, ticket.getId());
        return primary;
    }

    // Primary authentication was rejected: fall back to any supplemental ones.
    for (final Authentication supplemental : ticket.getSupplementalAuthentications()) {
        if (!policy.isSatisfiedBy(supplemental)) {
            continue;
        }
        logger.debug("Authentication policy {} is satisfied by supplemental authentication associated with {}",
                policy, ticket.getId());
        return supplemental;
    }

    throw new UnsatisfiedAuthenticationPolicyException(policy);
}
/**
 * Builds a read-only report of the currently active SSO sessions.
 *
 * <p>One entry is produced per non-expired ticket-granting ticket returned by the
 * ticket support, carrying the authenticated principal id, the authentication date
 * and the ticket's use count. Ticket ids are not included in this view.</p>
 *
 * @return an unmodifiable collection of unmodifiable per-session maps, keyed by
 *         {@link SsoSessionAttributeKeys} names
 * @throws BulkRetrievalOfTicketsNotSupportedException propagated from the ticket support
 */
@Override
public Collection<Map<String, Object>> getActiveSsoSessions() throws BulkRetrievalOfTicketsNotSupportedException {
    final List<Map<String, Object>> sessions = new ArrayList<Map<String, Object>>();

    for (final TicketGrantingTicket tgt : this.ticketSupport.getNonExpiredTicketGrantingTickets()) {
        // Three attributes per session; presized accordingly.
        final Map<String, Object> entry = new HashMap<String, Object>(3);
        entry.put(SsoSessionAttributeKeys.AUTHENTICATED_PRINCIPAL.toString(),
                tgt.getAuthentication().getPrincipal().getId());
        entry.put(SsoSessionAttributeKeys.AUTHENTICATION_DATE.toString(),
                tgt.getAuthentication().getAuthenticatedDate());
        entry.put(SsoSessionAttributeKeys.NUMBER_OF_USES.toString(), tgt.getCountOfUses());
        sessions.add(Collections.unmodifiableMap(entry));
    }

    return Collections.unmodifiableCollection(sessions);
}
}
/**
 * Delegates to the wrapped ticket.
 *
 * @return whatever the wrapped ticket reports as the service it was proxied by
 *         (may be {@code null} when the ticket is not proxied)
 */
@Override
public Service getProxiedBy() {
    final Service proxyingService = getTicket().getProxiedBy();
    return proxyingService;
}
/**
 * Records a ticket in the backing registry and, for ticket-granting tickets,
 * additionally indexes the ticket id by the lower-cased principal id.
 *
 * <p>NOTE(review): {@code toLowerCase()} here uses the JVM default locale. If the
 * lookup side normalizes with a different locale (or the cache is shared between
 * JVMs with different default locales), the index can miss — confirm both sides
 * agree or pin a locale. The ticket id is also written to the debug log, which is
 * sensitive if logs are shared.</p>
 *
 * @param ticket the ticket to add; only {@link TicketGrantingTicket}s are indexed
 */
@Override
public void addTicket(final Ticket ticket) {
    if (ticket instanceof TicketGrantingTicket) {
        final TicketGrantingTicket tgt = (TicketGrantingTicket) ticket;
        final String principalKey = tgt.getAuthentication().getPrincipal().getId().toLowerCase();
        logger.debug("Creating mapping ticket {} to user name {}", tgt.getId(), principalKey);
        this.cache.put(tgt.getId(), principalKey);
    }
    this.ticketRegistry.addTicket(ticket);
}
final TicketGrantingTicket tgt = (TicketGrantingTicket) ticket; if (option == SsoSessionReportOptions.DIRECT && tgt.getProxiedBy() != null) { continue; final Authentication authentication = tgt.getAuthentication(); final Principal principal = authentication.getPrincipal(); sso.put(SsoSessionAttributeKeys.AUTHENTICATION_DATE_FORMATTED.toString(), dateFormat.format(authentication.getAuthenticationDate())); sso.put(SsoSessionAttributeKeys.NUMBER_OF_USES.toString(), tgt.getCountOfUses()); sso.put(SsoSessionAttributeKeys.TICKET_GRANTING_TICKET.toString(), tgt.getId()); sso.put(SsoSessionAttributeKeys.PRINCIPAL_ATTRIBUTES.toString(), principal.getAttributes()); sso.put(SsoSessionAttributeKeys.AUTHENTICATION_ATTRIBUTES.toString(), authentication.getAttributes()); if (tgt.getProxiedBy() != null) { sso.put(SsoSessionAttributeKeys.IS_PROXIED.toString(), Boolean.TRUE); sso.put(SsoSessionAttributeKeys.PROXIED_BY.toString(), tgt.getProxiedBy().getId()); } else { sso.put(SsoSessionAttributeKeys.IS_PROXIED.toString(), Boolean.FALSE); sso.put(SsoSessionAttributeKeys.AUTHENTICATED_SERVICES.toString(), tgt.getServices());
/**
 * Stores the given ticket-granting ticket's id in the request and flow scopes by
 * delegating to the id-based overload.
 *
 * <p>NOTE(review): the parameter is annotated {@code @NotNull} yet the body still
 * tolerates {@code null} (a null id is stored in that case). One of the two is
 * misleading — confirm which contract callers rely on before tightening either.</p>
 *
 * @param context the webflow request context
 * @param ticket the ticket whose id is stored
 */
public static void putTicketGrantingTicketInScopes(
        final RequestContext context, @NotNull final TicketGrantingTicket ticket) {
    String ticketValue = null;
    if (ticket != null) {
        ticketValue = ticket.getId();
    }
    putTicketGrantingTicketInScopes(context, ticketValue);
}
/**
 * Looks up the authentication bound to a ticket-granting ticket.
 *
 * <p>NOTE(review): the registry lookup is not followed by an {@code isExpired()}
 * check. If the registry can still return expired tickets, callers receive the
 * authentication of an expired SSO session — confirm whether that is intended.</p>
 *
 * @param ticketGrantingTicketId the ticket id to look up
 * @return the ticket's authentication, or {@code null} if the registry has no such ticket
 */
@Override
public Authentication getAuthenticationFrom(final String ticketGrantingTicketId) throws RuntimeException {
    final TicketGrantingTicket tgt =
            this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    if (tgt == null) {
        return null;
    }
    return tgt.getAuthentication();
}
final Service proxiedBy = ticketGrantingTicket.getProxiedBy(); if (proxiedBy != null) { logger.debug("TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId()); logger.debug("TGT {} is not proxied by another service", ticketGrantingTicket.getId());
/**
 * Authenticates an OpenID credential by tying it back to an existing SSO session.
 *
 * <p>The ticket-granting ticket named by the credential must exist and be unexpired,
 * and its principal id must equal the credential's username exactly (case-sensitive
 * {@code String.equals}). Either failure surfaces as a {@link FailedLoginException};
 * the two causes differ only in the exception message.</p>
 *
 * @param credential an {@link OpenIdCredential}; the unchecked cast presumably relies on
 *        {@code supports()} having been consulted first
 * @return a handler result carrying the session's principal
 * @throws GeneralSecurityException a {@link FailedLoginException} when the session is
 *         missing or expired, or when the principal id does not match
 */
@Override
public HandlerResult authenticate(final Credential credential) throws GeneralSecurityException {
    final OpenIdCredential openIdCredential = (OpenIdCredential) credential;

    final TicketGrantingTicket session = this.ticketRegistry.getTicket(
            openIdCredential.getTicketGrantingTicketId(), TicketGrantingTicket.class);
    if (session == null || session.isExpired()) {
        throw new FailedLoginException("TGT is null or expired.");
    }

    final Principal sessionPrincipal = session.getAuthentication().getPrincipal();
    final boolean sameUser = sessionPrincipal.getId().equals(openIdCredential.getUsername());
    if (!sameUser) {
        throw new FailedLoginException("Principal ID mismatch");
    }

    return new DefaultHandlerResult(this, new BasicCredentialMetaData(openIdCredential), sessionPrincipal);
}
currentAuthentication = context.getAuthentication(); if (currentAuthentication != null) { final Authentication original = ticketGrantingTicket.getAuthentication(); if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) { logger.debug("Principal associated with current authentication {} does not match " currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal()); ticketGrantingTicket.getSupplementalAuthentications().clear(); ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication); logger.debug("Added authentication to the collection of supplemental authentications");
evaluatePossibilityOfMixedPrincipals(context, ticketGrantingTicket); if (ticketGrantingTicket.getCountOfUses() > 0 && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) { logger.warn("Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, registeredService)); final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications(); final Principal principal = authentications.get(authentications.size() - 1).getPrincipal();
/**
 * Tells whether a ticket-granting ticket with the given id is still held by the
 * registry but has expired.
 *
 * @param ticketGrantingTicketId the ticket id to look up
 * @return {@code true} only if the registry returns a {@link TicketGrantingTicket}
 *         for the id and it reports itself expired; {@code false} when the ticket is
 *         absent, of another type, or not expired
 */
@Override
public boolean ticketGrantingTicketExistsAndExpired(final String ticketGrantingTicketId) {
    final Ticket ticket = this.ticketRegistry.getTicket(ticketGrantingTicketId);
    // instanceof is false for null, so no separate null check is needed.
    if (!(ticket instanceof TicketGrantingTicket)) {
        return false;
    }
    return ((TicketGrantingTicket) ticket).isExpired();
}
final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot(); final Authentication authentication = getAuthenticationSatisfiedByPolicy( root, new ServiceContext(serviceTicket.getService(), registeredService)); serviceTicket.getGrantingTicket().getChainedAuthentications(), serviceTicket.getService(), serviceTicket.isFromNewLogin());
/**
 * Delegates to the wrapped ticket.
 *
 * @return the wrapped ticket's chain of authentications, unchanged
 */
@Override
public List<Authentication> getChainedAuthentications() {
    final List<Authentication> chain = getTicket().getChainedAuthentications();
    return chain;
}
/**
 * Delegates to the wrapped ticket.
 *
 * @return the root ticket-granting ticket as reported by the wrapped ticket
 */
@Override
public TicketGrantingTicket getRoot() {
    final TicketGrantingTicket root = getTicket().getRoot();
    return root;
}
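/**
 * Attempts to deliver a proxy-granting ticket to the service's callback URL and
 * returns the corresponding IOU on success.
 *
 * <p>The PGT IOU and the PGT id are appended as query parameters to the callback
 * URL, and the resulting URL is probed with the configured HTTP client. The PGT is
 * a bearer secret: this method does not itself verify that the callback is an HTTPS
 * endpoint on a trusted host, so that validation must happen before this handler is
 * invoked. Neither parameter value is URL-encoded (ticket ids are expected to be
 * URL-safe), and the IOU is written to the debug log.</p>
 *
 * @param credential the HTTP-based service credential carrying the callback URL
 * @param proxyGrantingTicketId the proxy-granting ticket to hand out (a ticket object, despite the name)
 * @return the PGT IOU when the callback accepted the request, {@code null} otherwise
 */
@Override
public String handle(final Credential credential, final TicketGrantingTicket proxyGrantingTicketId) {
    final HttpBasedServiceCredential serviceCredentials = (HttpBasedServiceCredential) credential;
    final String proxyIou = this.uniqueTicketIdGenerator.getNewTicketId(ProxyGrantingTicket.PROXY_GRANTING_TICKET_IOU_PREFIX);
    // Take the id explicitly instead of appending the ticket object, which silently
    // depended on toString() returning the id (the buffer sizing already used getId()).
    final String proxyGrantingTicket = proxyGrantingTicketId.getId();

    final URL callbackUrl = serviceCredentials.getCallbackUrl();
    final String callback = callbackUrl.toExternalForm();

    final int bufferLength = callback.length() + proxyIou.length()
            + proxyGrantingTicket.length() + BUFFER_LENGTH_ADDITIONAL_CHARGE;
    final StringBuilder url = new StringBuilder(bufferLength);
    url.append(callback);
    // Continue an existing query string, or start one.
    url.append(callbackUrl.getQuery() != null ? '&' : '?');
    url.append(PARAMETER_PROXY_GRANTING_TICKET_IOU).append('=').append(proxyIou);
    url.append('&');
    url.append(PARAMETER_PROXY_GRANTING_TICKET_ID).append('=').append(proxyGrantingTicket);

    if (this.httpClient.isValidEndPoint(url.toString())) {
        logger.debug("Sent ProxyIou of {} for service: {}", proxyIou, serviceCredentials);
        return proxyIou;
    }
    logger.debug("Failed to send ProxyIou of {} for service: {}", proxyIou, serviceCredentials);
    return null;
}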
/**
 * {@inheritDoc}
 *
 * <p>Resolves the ticket-granting ticket from the registry and returns its
 * authentication. NOTE(review): no {@code isExpired()} check follows the lookup, so
 * an expired session's authentication may be returned if the registry still holds
 * it — confirm that is acceptable for the callers.</p>
 *
 * @param ticketGrantingTicketId the ticket id to look up
 * @return the authentication of the ticket, or {@code null} when the ticket is not found
 */
@Override
public Authentication getAuthenticationFrom(final String ticketGrantingTicketId) throws RuntimeException {
    final TicketGrantingTicket resolved =
            this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    return resolved != null ? resolved.getAuthentication() : null;
}
/**
 * Reports whether this ticket is expired.
 *
 * <p>A ticket is expired if its own expiration policy says so, if the ticket that
 * granted it (when there is one) has expired, or if the subclass-specific
 * {@code isExpiredInternal()} condition holds. The checks short-circuit in that
 * order.</p>
 *
 * @return {@code true} if any of the three conditions holds
 */
@Override
public final boolean isExpired() {
    final TicketGrantingTicket parent = getGrantingTicket();
    if (this.expirationPolicy.isExpired(this)) {
        return true;
    }
    // A ticket cannot outlive the ticket that granted it.
    if (parent != null && parent.isExpired()) {
        return true;
    }
    return isExpiredInternal();
}
/**
 * Returns this ticket's own authentication followed by the chained authentications
 * of the ticket that granted it, recursively, nearest first.
 *
 * @return an unmodifiable list whose first element is this ticket's authentication
 */
@Override
public final List<Authentication> getChainedAuthentications() {
    final TicketGrantingTicket parent = getGrantingTicket();
    final List<Authentication> chain = new ArrayList<>();
    chain.add(getAuthentication());
    if (parent != null) {
        chain.addAll(parent.getChainedAuthentications());
    }
    return Collections.unmodifiableList(chain);
}
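/**
 * Returns the granting ticket of the wrapped ticket, re-read from the registry when
 * callbacks are enabled (presumably so the stored state, not a stale reference, is
 * observed).
 *
 * <p>When {@code callback} is false, or the wrapped ticket has no granting ticket,
 * the wrapped ticket's own reference is returned as-is. Otherwise the registry is
 * consulted by id and may return {@code null} if the granting ticket has since been
 * removed; callers must tolerate that.</p>
 *
 * @return the granting ticket, or {@code null} when there is none or it is no longer in the registry
 */
@Override
public final TicketGrantingTicket getGrantingTicket() {
    final TicketGrantingTicket stored = this.ticket.getGrantingTicket();
    if (stored == null || !callback) {
        return stored;
    }
    // Ask for a TicketGrantingTicket specifically rather than Ticket.class, consistent with
    // the other registry lookups, so a mismatched ticket type is rejected at the lookup
    // instead of surfacing as a cast failure on the way out of this method.
    return this.ticketRegistry.getTicket(stored.getId(), TicketGrantingTicket.class);
}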