/**
 * Look up the {@link AuthenticationFlowDescriptor} currently being attempted for an
 * external authentication exchange.
 *
 * <p>The key is resolved to its {@link ProfileRequestContext} through
 * {@link ExternalAuthentication#getProfileRequestContext(String, HttpServletRequest)}; this
 * method performs no validation of the key itself and relies entirely on that call to reject
 * unknown or stale keys.</p>
 *
 * @param key external authentication key identifying the in-progress exchange
 * @param httpRequest servlet request carrying the conversation state
 *
 * @return the attempted flow descriptor, or null if the profile context has no
 *      {@link AuthenticationContext} attached
 * @throws ExternalAuthenticationException if the profile context cannot be accessed for the key
 */
@Nullable public AuthenticationFlowDescriptor getAuthenticationFlowDescriptor(
        @Nonnull @NotEmpty final String key, @Nonnull final HttpServletRequest httpRequest)
        throws ExternalAuthenticationException {
    final AuthenticationContext authnCtx =
            ExternalAuthentication.getProfileRequestContext(key, httpRequest)
                .getSubcontext(AuthenticationContext.class);
    if (authnCtx == null) {
        return null;
    }
    return authnCtx.getAttemptedFlow();
}
/** {@inheritDoc} */
@SuppressWarnings("deprecation")
@Override protected void doStart(@Nonnull final HttpServletRequest request)
        throws ExternalAuthenticationException {
    final AuthenticationContext authnContext =
            profileRequestContext.getSubcontext(AuthenticationContext.class);
    // Fail fast: without an AuthenticationContext and an attempted flow there is nothing for
    // the external login code to act on, and a half-populated request must not be handed over.
    if (authnContext == null) {
        throw new ExternalAuthenticationException("No AuthenticationContext found");
    }
    if (authnContext.getAttemptedFlow() == null) {
        throw new ExternalAuthenticationException("No attempted authentication flow set");
    }

    // The full ProfileRequestContext is exposed to the external login code as a request
    // attribute; anything able to read this request's attributes can read the whole context.
    request.setAttribute(ProfileRequestContext.BINDING_KEY, profileRequestContext);
    request.setAttribute(EXTENDED_FLOW_PARAM, extendedFlow);
    request.setAttribute(PASSIVE_AUTHN_PARAM, authnContext.isPassive());
    request.setAttribute(FORCE_AUTHN_PARAM, authnContext.isForceAuthn());

    // Only the first supported principal is advertised as the method; which one is "first"
    // depends on the iteration order of the descriptor's collection.
    final Collection<Principal> supported = authnContext.getAttemptedFlow().getSupportedPrincipals();
    for (final Principal first : supported) {
        request.setAttribute(AUTHN_METHOD_PARAM, first.getName());
        break;
    }

    final RelyingPartyContext rpCtx = relyingPartyContextLookupStrategy.apply(profileRequestContext);
    if (rpCtx != null) {
        request.setAttribute(RELYING_PARTY_PARAM, rpCtx.getRelyingPartyId());
    }
}
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    // Parent preconditions run first; when they fail the event has already been set.
    final boolean parentOk = super.doPreExecute(profileRequestContext, authenticationContext);
    if (!parentOk) {
        return false;
    }
    // Without an attempted flow there is nothing to attribute a result to, so this is treated
    // as a profile-context error and recordFailure() is invoked as for any failed attempt.
    if (authenticationContext.getAttemptedFlow() != null) {
        return true;
    }
    log.debug("{} No attempted flow within authentication context", getLogPrefix());
    ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
    recordFailure();
    return false;
}
if (authenticationContext.getAttemptedFlow() != null) { log.info("{} Moving incomplete flow {} to intermediate set", getLogPrefix(), authenticationContext.getAttemptedFlow().getId()); authenticationContext.getIntermediateFlows().put( authenticationContext.getAttemptedFlow().getId(), authenticationContext.getAttemptedFlow());
if (ac != null && ac.getAttemptedFlow() != null) { final AuthenticationResult mfaResult = ac.getActiveResults().get(ac.getAttemptedFlow().getId()); if (mfaResult != null) { if (ac.isForceAuthn()) {
mfaCtx.setAuthenticationFlowDescriptor(authenticationContext.getAttemptedFlow()); mfaCtx.setTransitionMap(transitionMap); mfaCtx.setNextFlowId(null);
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    // Parent preconditions run first; when they fail the event has already been set.
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }

    // An attempted flow is required to attribute the external result; its absence is a
    // profile-context error and counts as a failed attempt via recordFailure().
    if (authenticationContext.getAttemptedFlow() == null) {
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }

    // The ExternalAuthenticationContext carries the state returned by the external login
    // code; without it there is nothing to validate, which is an authn-context error.
    extContext = authenticationContext.getSubcontext(ExternalAuthenticationContext.class);
    if (extContext != null) {
        return true;
    }
    log.debug("{} No ExternalAuthenticationContext available within authentication context",
            getLogPrefix());
    ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
    recordFailure();
    return false;
}
@Nonnull final AuthenticationContext authenticationContext) { if (addDefaultPrincipals && authenticationContext.getAttemptedFlow() != null) { log.debug("{} Adding custom Principal(s) defined on underlying flow descriptor", getLogPrefix()); getSubject().getPrincipals().addAll( authenticationContext.getAttemptedFlow().getSupportedPrincipals()); final AuthenticationResult result = new AuthenticationResult(authenticationContext.getAttemptedFlow().getId(), populateSubject(getSubject())); authenticationContext.setAuthenticationResult(result);
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    // Parent preconditions run first; when they fail the event has already been set.
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }

    // An attempted flow is required to attribute the result; its absence is a profile-context
    // error and is counted as a failed attempt via recordFailure().
    if (authenticationContext.getAttemptedFlow() == null) {
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }

    // Missing credentials are signalled as NO_CREDENTIALS. Note that, unlike the missing-flow
    // case above, neither of these paths calls recordFailure(): an absent username is not
    // treated as a failed authentication attempt by this action.
    usernameContext = authenticationContext.getSubcontext(UsernameContext.class);
    if (usernameContext == null) {
        log.debug("{} No UsernameContext available within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }
    if (usernameContext.getUsername() == null) {
        log.debug("{} No username available within UsernameContext", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }

    return true;
}
if (authenticationContext.getAttemptedFlow() == null) { log.debug("{} No attempted flow within authentication context", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
if (authenticationContext.getAttemptedFlow() == null) { log.info("{} No attempted flow within authentication context", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
/**
 * Update an existing session with the outcome of this authentication.
 *
 * <p>Two cases are distinguished by whether an attempted flow is set on the context:</p>
 * <ul>
 *   <li>An attempted flow means a fresh result was produced. It is added to the session only
 *   when the context marks the result cacheable; a non-cacheable result leaves the session
 *   untouched.</li>
 *   <li>No attempted flow means an existing result was reused; only its activity time is
 *   refreshed.</li>
 * </ul>
 *
 * <p>Both branches read {@code getAuthenticationResult()} without a null check, so callers are
 * expected to have established that a result is present.</p>
 *
 * @param authenticationContext current authentication context
 * @param session session to update
 * @throws SessionException if an error occurs updating the session
 */
private void updateIdPSession(@Nonnull final AuthenticationContext authenticationContext,
        @Nonnull final IdPSession session) throws SessionException {
    if (authenticationContext.getAttemptedFlow() == null) {
        // Reused result: nothing new to store, just touch its activity timestamp.
        log.debug("{} Updating activity time on reused AuthenticationResult for flow {} in existing session {}",
                getLogPrefix(), authenticationContext.getAuthenticationResult().getAuthenticationFlowId(),
                session.getId());
        session.updateAuthenticationResultActivity(authenticationContext.getAuthenticationResult());
        return;
    }

    if (!authenticationContext.isResultCacheable()) {
        // Non-cacheable results are not written to the session.
        return;
    }

    log.debug("{} Adding new AuthenticationResult for flow {} to existing session {}",
            getLogPrefix(), authenticationContext.getAuthenticationResult().getAuthenticationFlowId(),
            session.getId());
    session.addAuthenticationResult(authenticationContext.getAuthenticationResult());
}
} else if (authenticationContext.getAttemptedFlow() == null) { log.info("{} No attempted flow within authentication context", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);