/** * Produce unauthorized error view model and view. * * @return the model and view */ public static ModelAndView produceUnauthorizedErrorView() { return produceErrorView(new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY)); }
/** * Produce unauthorized error view model and view. * * @return the model and view */ public static ModelAndView produceUnauthorizedErrorView() { return produceErrorView(new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY)); }
/** * Ensure service access is allowed. * * @param service the service * @param registeredService the registered service */ public static void ensureServiceAccessIsAllowed(final String service, final RegisteredService registeredService) { if (registeredService == null) { val msg = String.format("Unauthorized Service Access. Service [%s] is not found in service registry.", service); LOGGER.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) { val msg = String.format("Unauthorized Service Access. Service [%s] is not enabled in service registry.", service); LOGGER.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } if (!ensureServiceIsNotExpired(registeredService)) { val msg = String.format("Expired Service Access. Service [%s] has been expired", service); LOGGER.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_EXPIRED_SERVICE, msg); } }
/** * Ensure that the service is found and enabled in the service registry. * * @param registeredService the located entry in the registry * @param service authenticating service * @throws UnauthorizedServiceException if service is determined to be unauthorized */ private static void verifyRegisteredServiceProperties(final RegisteredService registeredService, final Service service) { if (registeredService == null) { val msg = String.format("Service [%s] is not found in service registry.", service.getId()); LOGGER.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) { val msg = String.format("ServiceManagement: Unauthorized Service Access. " + "Service [%s] is not enabled in service registry.", service.getId()); LOGGER.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } }
/** * Gets registered service and verify. * * @param serviceId the service id * @return the registered service and verify */ protected SamlRegisteredService verifySamlRegisteredService(final String serviceId) { if (StringUtils.isBlank(serviceId)) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Could not verify/locate SAML registered service since no serviceId is provided"); } LOGGER.debug("Checking service access in CAS service registry for [{}]", serviceId); val registeredService = this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(serviceId)); if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.warn("[{}] is not found in the registry or service access is denied. Ensure service is registered in service registry", serviceId); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE); } if (registeredService instanceof SamlRegisteredService) { val samlRegisteredService = (SamlRegisteredService) registeredService; LOGGER.debug("Located SAML service in the registry as [{}] with the metadata location of [{}]", samlRegisteredService.getServiceId(), samlRegisteredService.getMetadataLocation()); return samlRegisteredService; } LOGGER.error("CAS has found a match for service [{}] in registry but the match is not defined as a SAML service", serviceId); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE); }
/** * Gets registered service and facade. * * @param request the request * @return the registered service and facade */ protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> getRegisteredServiceAndFacade(final AuthnRequest request) { val issuer = SamlIdPUtils.getIssuerFromSamlObject(request); LOGGER.debug("Located issuer [{}] from authentication context", issuer); val registeredService = verifySamlRegisteredService(issuer); LOGGER.debug("Located SAML metadata for [{}]", registeredService.getServiceId()); val adaptor = getSamlMetadataFacadeFor(registeredService, request); if (adaptor.isEmpty()) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer); } val facade = adaptor.get(); return Pair.of(registeredService, facade); }
/** * Verify saml authentication request. * * @param authenticationContext the pair * @param request the request * @return the pair * @throws Exception the exception */ protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest( final Pair<? extends SignableSAMLObject, MessageContext> authenticationContext, final HttpServletRequest request) throws Exception { val authnRequest = (AuthnRequest) authenticationContext.getKey(); val issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest); LOGGER.debug("Located issuer [{}] from authentication request", issuer); val registeredService = verifySamlRegisteredService(issuer); LOGGER.debug("Fetching saml metadata adaptor for [{}]", issuer); val adaptor = SamlRegisteredServiceServiceProviderMetadataFacade.get(this.samlRegisteredServiceCachingMetadataResolver, registeredService, authnRequest); if (adaptor.isEmpty()) { LOGGER.warn("No metadata could be found for [{}]", issuer); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer); } val facade = adaptor.get(); verifyAuthenticationContextSignature(authenticationContext, request, authnRequest, facade); SamlUtils.logSamlObject(this.configBean, authnRequest); return Pair.of(registeredService, facade); }
/** * Redirect to provider. Receive the client name from the request and then try to determine and build the endpoint url * for the redirection. The redirection data/url must contain a delegated client ticket id so that the request be can * restored on the trip back. SAML clients use the relay-state session attribute while others use request parameters. * * @param request the request * @param response the response * @return the view */ @GetMapping(ENDPOINT_REDIRECT) public View redirectToProvider(final HttpServletRequest request, final HttpServletResponse response) { val wsfedId = request.getParameter(PARAMETER_NAME); try { val cfg = configurations.stream().filter(c -> c.getId().equals(wsfedId)).findFirst().orElse(null); if (cfg == null) { throw new IllegalArgumentException("Could not locate WsFederation configuration for " + wsfedId); } val service = determineService(request); val id = wsFederationHelper.getRelyingPartyIdentifier(service, cfg); val url = cfg.getAuthorizationUrl(id, cfg.getId()); wsFederationCookieManager.store(request, response, cfg.getId(), service, cfg); return new RedirectView(url); } catch (final Exception e) { LOGGER.error(e.getMessage(), e); } throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); }
@Audit(action = "DELEGATED_CLIENT", actionResolverName = "DELEGATED_CLIENT_ACTION_RESOLVER", resourceResolverName = "DELEGATED_CLIENT_RESOURCE_RESOLVER") @Override public AuditableExecutionResult execute(final AuditableContext context) { val result = AuditableExecutionResult.of(context); if (context.getRegisteredService().isPresent() && context.getProperties().containsKey(Client.class.getSimpleName())) { val registeredService = context.getRegisteredService().get(); val clientName = context.getProperties().get(Client.class.getSimpleName()).toString(); val policy = registeredService.getAccessStrategy().getDelegatedAuthenticationPolicy(); if (policy != null) { if (!policy.isProviderAllowed(clientName, registeredService)) { LOGGER.debug("Delegated authentication policy for [{}] does not allow for using client [{}]", registeredService, clientName); val e = new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); result.setException(e); } } } return result; } }
/** * Gets registered service jwt secret. * * @param service the service * @param propName the prop name * @return the registered service jwt secret */ protected static String getRegisteredServiceJwtSecret(final RegisteredService service, final String propName) { if (service == null || !service.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.debug("Service is not defined/found or its access is disabled in the registry"); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE); } if (service.getProperties().containsKey(propName)) { final RegisteredServiceProperty propSigning = service.getProperties().get(propName); final String tokenSigningSecret = propSigning.getValue(); if (StringUtils.isNotBlank(tokenSigningSecret)) { LOGGER.debug("Found the secret value [{}] for service [{}]", propName, service.getServiceId()); return tokenSigningSecret; } } LOGGER.warn("Service [{}] does not define a property [{}] in the registry", service.getServiceId(), propName); return null; } }
@Override public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); if (registeredService.getRequiredHandlers() != null && !registeredService.getRequiredHandlers().isEmpty()) { LOGGER.debug("Evaluating service [{}] to ensure required authentication handlers can satisfy assertion", service); val attributes = assertion.getPrimaryAuthentication().getAttributes(); if (attributes.containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)) { val assertedHandlers = CollectionUtils.toCollection( attributes.get(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)); val matchesAll = assertedHandlers.containsAll(registeredService.getRequiredHandlers()); if (!matchesAll) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); } } } } }
+ "Service [%s] will not be automatically authorized to request authentication.", service.getId()); logger.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_EMPTY_SVC_MGMR, msg); + "Service [%s] is not found in service registry.", service.getId()); logger.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg);
@Override protected Event doExecute(final RequestContext context) throws Exception { final Service service = WebUtils.getService(context); final RegisteredService registeredService = this.servicesManager.findServiceBy(service); if (registeredService == null) { final String msg = String.format("Service Management: Unauthorized Service Access. " + "Service [%s] does not match entries in service registry.", service.getId()); logger.warn(msg); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) { final String msg = String.format("Service Management: Access to service [%s] " + "is disabled by the service registry.", service.getId()); logger.warn(msg); WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, registeredService.getAccessStrategy().getUnauthorizedRedirectUrl()); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } return success(); } }
/** * Gets registered service jwt secret. * * @param service the service * @param propName the prop name * @return the registered service jwt secret */ protected String getRegisteredServiceJwtProperty(final RegisteredService service, final RegisteredServiceProperty.RegisteredServiceProperties propName) { if (service == null || !service.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.debug("Service is not defined/found or its access is disabled in the registry"); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE); } if (propName.isAssignedTo(service)) { return propName.getPropertyValue(service).getValue(); } LOGGER.warn("Service [{}] does not define a property [{}] in the registry", service.getServiceId(), propName); return null; }
/** * Gets principal attributes. Will attempt to locate the principal * attribute repository from the context if one is defined to use * that instance to locate attributes. If none is available, * will use the default principal attributes. * * @param p the principal * @param service the service * @param registeredService the registered service * @return the principal attributes */ protected Map<String, Object> getPrincipalAttributesFromReleasePolicy(final Principal p, final Service service, final RegisteredService registeredService) { if (registeredService != null && registeredService.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.debug("Located service [{}] in the registry. Attempting to resolve attributes for [{}]", registeredService, p.getId()); if (registeredService.getAttributeReleasePolicy() == null) { LOGGER.debug("No attribute release policy is defined for [{}]. Returning default principal attributes", service.getId()); return p.getAttributes(); } return registeredService.getAttributeReleasePolicy().getAttributes(p, service, registeredService); } LOGGER.debug("Could not locate service [{}] in the registry.", service.getId()); throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE); } }
throw new UnauthorizedServiceException("Redirect URI is unauthorized for this service definition");
throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Service unauthorized");
val adaptor = getSamlMetadataFacadeFor(service, query); if (adaptor.isEmpty()) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
val adaptor = getSamlMetadataFacadeFor(service, artifactMsg); if (adaptor.isEmpty()) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
WebUtils.getHttpServletRequest(context).getRequestURL()); throw new NoSuchFlowExecutionException(context.getFlowExecutionContext().getKey(), new UnauthorizedServiceException("screen.service.required.message", "Service is required"));