/** * Ensure service access is allowed. * * @param service the service * @param registeredService the registered service */ public static void ensureServiceAccessIsAllowed(final Service service, final RegisteredService registeredService) { ensureServiceAccessIsAllowed(service.getId(), registeredService); }
/** * Ensure service access is allowed. * * @param registeredService the registered service */ public static void ensureServiceAccessIsAllowed(final RegisteredService registeredService) { ensureServiceAccessIsAllowed(registeredService != null ? registeredService.getName() : StringUtils.EMPTY, registeredService); }
/** * Resolve registered service in request context. * * @param requestContext the request context * @return the registered service */ protected RegisteredService resolveRegisteredServiceInRequestContext(final RequestContext requestContext) { val resolvedService = resolveServiceFromAuthenticationRequest(requestContext); if (resolvedService != null) { val service = this.servicesManager.findServiceBy(resolvedService); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolvedService, service); return service; } LOGGER.debug("Authentication request is not accompanied by a service given none is specified"); return null; } }
@Bean @ConditionalOnMissingBean(name = "requestedContextValidator") public RequestedContextValidator requestedContextValidator() { return (assertion, request) -> { LOGGER.debug("Locating the primary authentication associated with this service request [{}]", assertion.getService()); val service = servicesManager.getIfAvailable().findServiceBy(assertion.getService()); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(assertion.getService(), service); return Pair.of(Boolean.TRUE, Optional.empty()); }; } }
@Override protected Credential constructCredentialsFromRequest(final RequestContext requestContext) { final HttpServletRequest request = WebUtils.getHttpServletRequest(requestContext); String authTokenValue = request.getParameter(TokenConstants.PARAMETER_NAME_TOKEN); if (StringUtils.isBlank(authTokenValue)) { authTokenValue = request.getHeader(TokenConstants.PARAMETER_NAME_TOKEN); } final Service service = WebUtils.getService(requestContext); if (StringUtils.isNotBlank(authTokenValue) && service != null) { try { final RegisteredService registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); final Credential credential = new TokenCredential(authTokenValue, service); LOGGER.debug("Received token authentication request [{}] ", credential); return credential; } catch (final Exception e) { LOGGER.warn(e.getMessage(), e); } } return null; } }
/** * Ensure principal access is allowed for service. * * @param service the service * @param registeredService the registered service * @param principalId the principal id * @param attributes the attributes */ static void ensurePrincipalAccessIsAllowedForService(final Service service, final RegisteredService registeredService, final String principalId, final Map<String, Object> attributes) { ensureServiceAccessIsAllowed(service, registeredService); if (!registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principalId, attributes)) { LOGGER.warn("Cannot grant access to service [{}] because it is not authorized for use by [{}].", service.getId(), principalId); val handlerErrors = new HashMap<String, Throwable>(); val message = String.format("Cannot grant service access to %s", principalId); val exception = new UnauthorizedServiceForPrincipalException(message, registeredService, principalId, attributes); handlerErrors.put(UnauthorizedServiceForPrincipalException.class.getSimpleName(), exception); throw new PrincipalException(UnauthorizedServiceForPrincipalException.CODE_UNAUTHZ_SERVICE, handlerErrors, new HashMap<>()); } }
@Override public boolean validate(final J2EContext context) { val request = context.getRequest(); val responseType = request.getParameter(OAuth20Constants.RESPONSE_TYPE); if (!OAuth20Utils.checkResponseTypes(responseType, OAuth20ResponseTypes.values())) { LOGGER.warn("Response type [{}] is not supported.", responseType); return false; } val clientId = request.getParameter(OAuth20Constants.CLIENT_ID); val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId); try { RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService); } catch (final UnauthorizedServiceException e) { LOGGER.warn("Registered service access is not allowed for service definition for client id [{}]", clientId); return false; } return OAuth20Utils.isAuthorizedResponseTypeForService(context, registeredService); }
@Override public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); if (registeredService.getRequiredHandlers() != null && !registeredService.getRequiredHandlers().isEmpty()) { LOGGER.debug("Evaluating service [{}] to ensure required authentication handlers can satisfy assertion", service); val attributes = assertion.getPrimaryAuthentication().getAttributes(); if (attributes.containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)) { val assertedHandlers = CollectionUtils.toCollection( attributes.get(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)); val matchesAll = assertedHandlers.containsAll(registeredService.getRequiredHandlers()); if (!matchesAll) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); } } } } }
/** * Get the relying party id for a service. * * @param service the service to get an id for * @param configuration the configuration * @return relying party id */ public String getRelyingPartyIdentifier(final Service service, final WsFederationConfiguration configuration) { val relyingPartyIdentifier = configuration.getRelyingPartyIdentifier(); if (service != null) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); if (RegisteredServiceProperty.RegisteredServiceProperties.WSFED_RELYING_PARTY_ID.isAssignedTo(registeredService)) { LOGGER.debug("Determined relying party identifier from service [{}] to be [{}]", service, relyingPartyIdentifier); return RegisteredServiceProperty.RegisteredServiceProperties.WSFED_RELYING_PARTY_ID.getPropertyValue(registeredService).getValue(); } } LOGGER.debug("Determined relying party identifier to be [{}]", relyingPartyIdentifier); return relyingPartyIdentifier; } }
@Override protected WebApplicationService buildInternal(final WebApplicationService service, final Map<String, String> parameters) { final RegisteredService registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); final Map.Entry<String, RegisteredServiceProperty> property = registeredService.getProperties() .entrySet().stream() .filter(entry -> entry.getKey().equalsIgnoreCase(TokenConstants.PROPERTY_NAME_TOKEN_AS_RESPONSE) && BooleanUtils.toBoolean(entry.getValue().getValue())) .distinct() .findFirst() .orElse(null); if (property == null) { return super.buildInternal(service, parameters); } final String jwt = generateToken(service, parameters); final TokenWebApplicationService jwtService = new TokenWebApplicationService(service.getId(), service.getOriginalUrl(), service.getArtifactId()); jwtService.setFormat(service.getFormat()); jwtService.setLoggedOutAlready(service.isLoggedOutAlready()); parameters.put(CasProtocolConstants.PARAMETER_TICKET, jwt); return jwtService; }
@Override public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); LOGGER.debug("Evaluating service [{}] for delegated authentication policy", service); val policy = registeredService.getAccessStrategy().getDelegatedAuthenticationPolicy(); if (policy != null) { val attributes = assertion.getPrimaryAuthentication().getAttributes(); if (attributes.containsKey(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME)) { val clientNameAttr = attributes.get(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME); val value = CollectionUtils.firstElement(clientNameAttr); if (value.isPresent()) { val client = value.get().toString(); LOGGER.debug("Evaluating delegated authentication policy [{}] for client [{}] and service [{}]", policy, client, registeredService); val context = AuditableContext.builder() .registeredService(registeredService) .properties(CollectionUtils.wrap(Client.class.getSimpleName(), client)) .build(); val result = delegatedAuthenticationPolicyEnforcer.execute(context); result.throwExceptionIfNeeded(); } } } } }
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service);
val registeredService = getRegisteredServiceByClientId(clientId); try { RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientId, registeredService); } catch (final Exception e) { LOGGER.error(e.getMessage(), e);
.build(); try { RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); } catch (final PrincipalException e) { result.setException(e); .build(); try { RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService); } catch (final PrincipalException e) { result.setException(e);
/** * Ensure service access is allowed. * * @param service the service * @param registeredService the registered service * @param authentication the authentication * @param retrievePrincipalAttributesFromReleasePolicy retrieve attributes from release policy or simply rely on the principal attributes * already collected. Setting this value to false bears the assumption that the policy * has run already. * @throws UnauthorizedServiceException the unauthorized service exception * @throws PrincipalException the principal exception */ static void ensurePrincipalAccessIsAllowedForService(final Service service, final RegisteredService registeredService, final Authentication authentication, final boolean retrievePrincipalAttributesFromReleasePolicy) throws UnauthorizedServiceException, PrincipalException { ensureServiceAccessIsAllowed(service, registeredService); val principal = authentication.getPrincipal(); val principalAttrs = retrievePrincipalAttributesFromReleasePolicy && registeredService != null && registeredService.getAttributeReleasePolicy() != null ? registeredService.getAttributeReleasePolicy().getAttributes(principal, service, registeredService) : authentication.getPrincipal().getAttributes(); val attributes = new HashMap<String, Object>(principalAttrs); attributes.putAll(authentication.getAttributes()); ensurePrincipalAccessIsAllowedForService(service, registeredService, principal.getId(), attributes); }
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
@Override protected Event doExecute(final RequestContext requestContext) { val service = this.serviceSelectionStrategy.resolveService(WebUtils.getService(requestContext)); if (service != null) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); if (registeredService instanceof SamlRegisteredService) { val samlService = SamlRegisteredService.class.cast(registeredService); val adaptor = SamlRegisteredServiceServiceProviderMetadataFacade.get(resolver, samlService, service.getId()); if (adaptor.isEmpty()) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + service.getId()); } val mdui = MetadataUIUtils.locateMetadataUserInterfaceForEntityId(adaptor.get().getEntityDescriptor(), service.getId(), registeredService, WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext)); WebUtils.putServiceUserInterfaceMetadata(requestContext, mdui); } } return success(); } }
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(selectedService, registeredService);