public PasswordPolicyConfiguration(final PasswordPolicyProperties props) { this(null, props.isWarnAll(), props.getWarningDays(), props.getLoginFailures()); } }
public AnyCredential() { setEnabled(true); } }
@Override public IPAddressIntelligenceResponse examineInternal(final RequestContext context, final String clientIpAddress) { val groovyResource = adaptiveAuthenticationProperties.getIpIntel().getGroovy().getLocation(); return ScriptingUtils.executeGroovyScript(groovyResource, new Object[]{context, clientIpAddress, LOGGER}, IPAddressIntelligenceResponse.class, true); } }
@Bean public OpenIdPrincipalResolver openIdPrincipalResolver() { val personDirectory = casProperties.getPersonDirectory(); val principal = casProperties.getAuthn().getOpenid().getPrincipal(); val principalAttribute = StringUtils.defaultIfBlank(principal.getPrincipalAttribute(), personDirectory.getPrincipalAttribute()); return new OpenIdPrincipalResolver(attributeRepository.getIfAvailable(), openidPrincipalFactory(), principal.isReturnNull() || personDirectory.isReturnNull(), principalAttribute, principal.isUseExistingPrincipalId() || personDirectory.isUseExistingPrincipalId()); }
public AuthenticationEventExecutionPlanConfigurer authenticationPolicyExecutionPlanConfigurer() { return plan -> { val police = casProperties.getAuthn().getPolicy(); if (police.getReq().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", RequiredHandlerAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(new RequiredHandlerAuthenticationPolicy(police.getReq().getHandlerName(), police.getReq().isTryAll())); } else if (police.getAllHandlers().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", AllAuthenticationHandlersSucceededAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(new AllAuthenticationHandlersSucceededAuthenticationPolicy()); } else if (police.getAll().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", AllCredentialsValidatedAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(new AllCredentialsValidatedAuthenticationPolicy()); } else if (police.getNotPrevented().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", NotPreventedAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(notPreventedAuthenticationPolicy()); } else if (police.getUniquePrincipal().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", UniquePrincipalAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(new UniquePrincipalAuthenticationPolicy(ticketRegistry.getIfAvailable())); } else if (!police.getGroovy().isEmpty()) { LOGGER.trace("Activating authentication policy [{}]", GroovyScriptAuthenticationPolicy.class.getSimpleName()); police.getGroovy().forEach(groovy -> plan.registerAuthenticationPolicy(new GroovyScriptAuthenticationPolicy(resourceLoader, groovy.getScript()))); } else if (!police.getRest().isEmpty()) { LOGGER.trace("Activating authentication policy [{}]", RestfulAuthenticationPolicy.class.getSimpleName()); police.getRest().forEach(r -> plan.registerAuthenticationPolicy(new RestfulAuthenticationPolicy(new RestTemplate(), r.getEndpoint()))); } else if (police.getAny().isEnabled()) { LOGGER.trace("Activating authentication policy [{}]", AtLeastOneCredentialValidatedAuthenticationPolicy.class.getSimpleName()); plan.registerAuthenticationPolicy(new AtLeastOneCredentialValidatedAuthenticationPolicy(police.getAny().isTryAll()));
@ConditionalOnMissingBean(name = "ipAddressIntelligenceService") @Bean @RefreshScope public IPAddressIntelligenceService ipAddressIntelligenceService() { val adaptive = casProperties.getAuthn().getAdaptive(); val intel = adaptive.getIpIntel(); if (StringUtils.isNotBlank(intel.getRest().getUrl())) { return new RestfulIPAddressIntelligenceService(adaptive); } if (intel.getGroovy().getLocation() != null) { return new GroovyIPAddressIntelligenceService(adaptive); } if (StringUtils.isNotBlank(intel.getBlackDot().getEmailAddress())) { return new RestfulIPAddressIntelligenceService(adaptive); } return IPAddressIntelligenceService.allowed(); } }
public GroovyScriptMultifactorAuthenticationTrigger(final CasConfigurationProperties casProperties) { this.casProperties = casProperties; val groovyScript = casProperties.getAuthn().getMfa().getGroovyScript(); this.watchableScript = new WatchableGroovyScriptResource(groovyScript); }
@ConditionalOnMissingBean(name = "groovyAttributeRepositories") @Bean @RefreshScope public List<IPersonAttributeDao> groovyAttributeRepositories() { val list = new ArrayList<IPersonAttributeDao>(); casProperties.getAuthn().getAttributeRepository().getGroovy().forEach(groovy -> { if (groovy.getLocation() != null) { val dao = new GroovyPersonAttributeDao(new InternalGroovyScriptDao(applicationContext, casProperties)); dao.setCaseInsensitiveUsername(groovy.isCaseInsensitive()); dao.setOrder(groovy.getOrder()); LOGGER.debug("Configured Groovy attribute sources from [{}]", groovy.getLocation()); list.add(dao); } }); return list; }
@Override public Map<String, Object> getAttributesForUser(final String uid) { val finalAttributes = new HashMap<String, Object>(); casProperties.getAuthn().getAttributeRepository().getGroovy() .forEach(groovy -> { val args = new Object[] {uid, LOGGER, casProperties, applicationContext}; val personAttributesMap = ScriptingUtils.executeGroovyScript(groovy.getLocation(), args, Map.class, true); finalAttributes.putAll(personAttributesMap); }); return finalAttributes; } }
@ConditionalOnMissingBean(name = "stubAttributeRepositories") @Bean @RefreshScope public List<IPersonAttributeDao> stubAttributeRepositories() { val list = new ArrayList<IPersonAttributeDao>(); val attrs = casProperties.getAuthn().getAttributeRepository().getStub().getAttributes(); if (!attrs.isEmpty()) { LOGGER.info("Found and added static attributes [{}] to the list of candidate attribute repositories", attrs.keySet()); list.add(Beans.newStubAttributeRepository(casProperties.getAuthn().getAttributeRepository())); } return list; }
@Bean @RefreshScope @ConditionalOnMissingBean(name = "globalPrincipalAttributeRepository") public PrincipalAttributesRepository globalPrincipalAttributeRepository() { val props = casProperties.getAuthn().getAttributeRepository(); val cacheTime = props.getExpirationTime(); if (cacheTime <= 0) { LOGGER.warn("Caching for the global principal attribute repository is disabled"); return new DefaultPrincipalAttributesRepository(); } return new CachingPrincipalAttributesRepository(props.getExpirationTimeUnit().toUpperCase(), cacheTime); }
@ConditionalOnMissingBean(name = "grouperAttributeRepositories") @Bean @RefreshScope public List<IPersonAttributeDao> grouperAttributeRepositories() { val list = new ArrayList<IPersonAttributeDao>(); val gp = casProperties.getAuthn().getAttributeRepository().getGrouper(); if (gp.isEnabled()) { val dao = new GrouperPersonAttributeDao(); dao.setOrder(gp.getOrder()); LOGGER.debug("Configured Grouper attribute source"); list.add(dao); } return list; }
@ConditionalOnMissingBean(name = "authenticationHandlerResolversExecutionPlanConfigurer") @Bean public AuthenticationEventExecutionPlanConfigurer authenticationHandlerResolversExecutionPlanConfigurer() { return plan -> { if (casProperties.getAuthn().getPolicy().isSourceSelectionEnabled()) { plan.registerAuthenticationHandlerResolver(byCredentialSourceAuthenticationHandlerResolver()); } plan.registerAuthenticationHandlerResolver(registeredServiceAuthenticationHandlerResolver()); }; } }
/** * New password policy handling strategy. * * @param properties the properties * @return the authentication password policy handling strategy */ public static AuthenticationPasswordPolicyHandlingStrategy newPasswordPolicyHandlingStrategy(final PasswordPolicyProperties properties) { if (properties.getStrategy() == PasswordPolicyProperties.PasswordPolicyHandlingOptions.REJECT_RESULT_CODE) { LOGGER.debug("Created password policy handling strategy based on blacklisted authentication result codes"); return new RejectResultCodePasswordPolicyHandlingStrategy(); } val location = properties.getGroovy().getLocation(); if (properties.getStrategy() == PasswordPolicyProperties.PasswordPolicyHandlingOptions.GROOVY && location != null) { LOGGER.debug("Created password policy handling strategy based on Groovy script [{}]", location); return new GroovyPasswordPolicyHandlingStrategy(location); } LOGGER.trace("Created default password policy handling strategy"); return new DefaultPasswordPolicyHandlingStrategy(); } }
@Bean @ConditionalOnMissingBean(name = "authenticationPolicyFactory") public ContextualAuthenticationPolicyFactory<ServiceContext> authenticationPolicyFactory() { if (casProperties.getAuthn().getPolicy().isRequiredHandlerAuthenticationPolicyEnabled()) { return new RequiredHandlerAuthenticationPolicyFactory(); } return new AcceptAnyAuthenticationPolicyFactory(); }
private boolean isIpAddressRejected(final RequestContext requestContext, final String clientIp) { LOGGER.trace("Located client IP address as [{}]", clientIp); val ipResult = ipAddressIntelligenceService.examine(requestContext, clientIp); if (ipResult.isBanned()) { LOGGER.warn("Client IP [{}] is banned", clientIp); return true; } if (ipResult.isRanked()) { val threshold = adaptiveAuthenticationProperties.getRisk().getThreshold(); if (ipResult.getScore() >= threshold) { LOGGER.warn("Client IP [{}] is rejected for authentication because intelligence score [{}] is higher than the configured risk threshold [{}]", clientIp, ipResult.getScore(), threshold); return true; } } return false; } }
@Override public UmaServerDiscoverySettings getObject() { val uma = casProperties.getAuthn().getUma(); return new UmaServerDiscoverySettings(casProperties, uma.getIssuer()); }
private boolean isUserAgentRejected(final String userAgent) { return StringUtils.isNotBlank(this.adaptiveAuthenticationProperties.getRejectBrowsers()) && Pattern.compile(this.adaptiveAuthenticationProperties.getRejectBrowsers()).matcher(userAgent).find(); }
private boolean isClientIpAddressRejected(final String clientIp) { return StringUtils.isNotBlank(this.adaptiveAuthenticationProperties.getRejectIpAddresses()) && Pattern.compile(this.adaptiveAuthenticationProperties.getRejectIpAddresses()).matcher(clientIp).find(); }
/** * Gets resource set uri location. * * @param saved the saved * @return the resource set uri location */ protected String getResourceSetUriLocation(final ResourceSet saved) { return casProperties.getAuthn().getUma().getIssuer() + OAuth20Constants.BASE_OAUTH20_URL + "/" + OAuth20Constants.UMA_RESOURCE_SET_REGISTRATION_URL + "/" + saved.getId(); } }