@Override public boolean supports(final Authentication authentication, final Object resultValue, final Exception exception) { return super.supports(authentication, resultValue, exception) && authentication.getAttributes().containsKey(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_USER); } }
@Override public void update(final Authentication authn) { this.attributes.putAll(authn.getAttributes()); this.authenticationDate = authn.getAuthenticationDate(); }
private Collection<MultifactorAuthenticationProvider> getSatisfiedAuthenticationProviders(final Authentication authentication, final Collection<MultifactorAuthenticationProvider> providers) { val contexts = CollectionUtils.toCollection(authentication.getAttributes().get(this.authenticationContextAttribute)); if (contexts == null || contexts.isEmpty()) { LOGGER.debug("No authentication context could be determined based on authentication attribute [{}]", this.authenticationContextAttribute); return null; } return providers.stream() .filter(p -> contexts.contains(p.getId())) .collect(Collectors.toCollection(LinkedHashSet::new)); } }
@Override public String getPrincipalIdFrom(final Authentication authentication, final Object returnValue, final Exception exception) { if (authentication == null) { return Credential.UNKNOWN_ID; } if (supports(authentication, returnValue, exception)) { val attributes = authentication.getAttributes(); val surrogateUser = attributes.get(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_USER).toString(); val principalId = attributes.get(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL).toString(); return String.format("(Primary User: [%s], Surrogate User: [%s])", principalId, surrogateUser); } return super.getPrincipalIdFrom(authentication, returnValue, exception); }
private static Boolean isRememberMeRecordedInAuthentication(final RequestContext requestContext) { LOGGER.debug("Request does not indicate a remember-me authentication event. Locating authentication object from the request context..."); val auth = WebUtils.getAuthentication(requestContext); if (auth == null) { return Boolean.FALSE; } val attributes = auth.getAttributes(); LOGGER.trace("Located authentication attributes [{}]", attributes); if (attributes.containsKey(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME)) { val rememberMeValue = attributes.getOrDefault(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME, Boolean.FALSE); LOGGER.debug("Located remember-me authentication attribute [{}]", rememberMeValue); return CollectionUtils.wrapSet(rememberMeValue).contains(Boolean.TRUE); } return Boolean.FALSE; }
/** * Is remember me authentication? * looks at the authentication object to find {@link RememberMeCredential#AUTHENTICATION_ATTRIBUTE_REMEMBER_ME} * and expects the assertion to also note a new login session. * * @param model the model * @param assertion the assertion * @return true if remember-me, false if otherwise. */ public static boolean isRememberMeAuthentication(final Authentication model, final Assertion assertion) { val authnAttributes = convertAttributeValuesToMultiValuedObjects(model.getAttributes()); val authnMethod = (Collection) authnAttributes.get(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME); return authnMethod != null && authnMethod.contains(Boolean.TRUE) && assertion.isFromNewLogin(); }
@Override protected String getExpirationPolicyNameFor(final TicketState ticketState) { val attributes = ticketState.getAuthentication().getAttributes(); if (attributes.containsKey(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL) && attributes.containsKey(SurrogateAuthenticationService.AUTHENTICATION_ATTR_SURROGATE_USER)) { LOGGER.trace("Ticket is associated with a surrogate authentication."); return PolicyTypes.SURROGATE.name(); } LOGGER.trace("Ticket is not associated with a surrogate authentication."); return PolicyTypes.DEFAULT.name(); }
@Override public Set<Event> resolveEventViaAuthenticationAttribute(final Authentication authentication, final Collection<String> attributeNames, final RegisteredService service, final Optional<RequestContext> context, final Collection<MultifactorAuthenticationProvider> providers, final Predicate<String> predicate) { return resolveEventViaAttribute(authentication.getPrincipal(), authentication.getAttributes(), attributeNames, service, context, providers, predicate); }
private boolean isRememberMeAuthentication(final RequestContext requestContext) { final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext); final String value = request.getParameter(RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME); LOGGER.debug("Locating request parameter [{}] with value [{}]", RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME, value); boolean isRememberMe = StringUtils.isNotBlank(value) && WebUtils.isRememberMeAuthenticationEnabled(requestContext); if (!isRememberMe) { LOGGER.debug("Request does not indicate a remember-me authentication event. Locating authentication object from the request context..."); final Authentication auth = WebUtils.getAuthentication(requestContext); if (auth != null) { final Map<String, Object> attributes = auth.getAttributes(); LOGGER.debug("Located authentication attributes [{}]", attributes); if (attributes.containsKey(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME)) { final Object rememberMeValue = attributes.getOrDefault(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME, false); LOGGER.debug("Located remember-me authentication attribute [{}]", rememberMeValue); isRememberMe = CollectionUtils.wrapSet(rememberMeValue).contains(true); } } } LOGGER.debug("Is this request from a remember-me authentication event? [{}]", BooleanUtils.toStringYesNo(isRememberMe)); return isRememberMe; }
private static View buildCallbackViewViaRedirectUri(final J2EContext context, final String clientId, final Authentication authentication, final OAuthCode code) { val attributes = authentication.getAttributes(); val state = attributes.get(OAuth20Constants.STATE).toString(); val nonce = attributes.get(OAuth20Constants.NONCE).toString(); val redirectUri = context.getRequestParameter(OAuth20Constants.REDIRECT_URI); LOGGER.debug("Authorize request verification successful for client [{}] with redirect uri [{}]", clientId, redirectUri); var callbackUrl = redirectUri; callbackUrl = CommonHelper.addParameter(callbackUrl, OAuth20Constants.CODE, code.getId()); if (StringUtils.isNotBlank(state)) { callbackUrl = CommonHelper.addParameter(callbackUrl, OAuth20Constants.STATE, state); } if (StringUtils.isNotBlank(nonce)) { callbackUrl = CommonHelper.addParameter(callbackUrl, OAuth20Constants.NONCE, nonce); } LOGGER.debug("Redirecting to URL [{}]", callbackUrl); return new RedirectView(callbackUrl); } }
@Override protected String getExpirationPolicyNameFor(final TicketState ticketState) { val attrs = ticketState.getAuthentication().getAttributes(); val rememberMeRes = CollectionUtils.firstElement(attrs.get(RememberMeCredential.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME)); if (rememberMeRes.isEmpty()) { return PolicyTypes.DEFAULT.name(); } val b = (Boolean) rememberMeRes.get(); if (b.equals(Boolean.FALSE)) { LOGGER.trace("Ticket is not associated with a remember-me authentication."); return PolicyTypes.DEFAULT.name(); } return PolicyTypes.REMEMBER_ME.name(); }
/** * Skip bypass and support event based on authentication attributes. * * @param bypass the bypass settings for the provider. * @param authn the authn * @return the boolean */ protected boolean locateMatchingAttributeBasedOnAuthenticationAttributes( final MultifactorAuthenticationProviderBypassProperties bypass, final Authentication authn) { return locateMatchingAttributeValue(bypass.getAuthenticationAttributeName(), bypass.getAuthenticationAttributeValue(), authn.getAttributes()); }
/** * Decide if credential password should be released as attribute. * The credential must have been cached as an authentication attribute * and the attribute release policy must be allowed to release the * attribute. * * @param attributes the attributes * @param authentication the authentication * @param service the service */ protected void decideIfCredentialPasswordShouldBeReleasedAsAttribute(final Map<String, Object> attributes, final Authentication authentication, final RegisteredService service) { val policy = service.getAttributeReleasePolicy(); val isAuthorized = policy != null && policy.isAuthorizedToReleaseCredentialPassword() && isAttributeAllowedForRelease(CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL); val element = CollectionUtils.firstElement(authentication.getAttributes().get(CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL)); val credential = element.map(Object::toString).orElse(null); decideAttributeReleaseBasedOnServiceAttributePolicy(attributes, credential, CasViewConstants.MODEL_ATTRIBUTE_NAME_PRINCIPAL_CREDENTIAL, service, isAuthorized); }
@EventListener @Async public void onTgtCreateEvent(CasTicketGrantingTicketCreatedEvent event) { TicketGrantingTicket ticketGrantingTicket = event.getTicketGrantingTicket(); String id = ticketGrantingTicket.getAuthentication().getPrincipal().getId(); String tgt = ticketGrantingTicket.getId(); String clientName = (String) ticketGrantingTicket.getAuthentication().getAttributes().get("clientName"); //获取可以认证的id List<String> authIds = service.obtain(clientName, id); if (authIds != null) { //循环触发登出 authIds.forEach(authId -> logoutService.triggerLogout(authId, tgt)); } } }
@Override public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) { val registeredService = this.servicesManager.findServiceBy(service); RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService); if (registeredService.getRequiredHandlers() != null && !registeredService.getRequiredHandlers().isEmpty()) { LOGGER.debug("Evaluating service [{}] to ensure required authentication handlers can satisfy assertion", service); val attributes = assertion.getPrimaryAuthentication().getAttributes(); if (attributes.containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)) { val assertedHandlers = CollectionUtils.toCollection( attributes.get(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)); val matchesAll = assertedHandlers.containsAll(registeredService.getRequiredHandlers()); if (!matchesAll) { throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY); } } } } }
private static void buildAuthenticationHistory(final Set<Authentication> authentications, final Map<String, Object> authenticationAttributes, final Map<String, Object> principalAttributes, final AuthenticationBuilder authenticationBuilder) { LOGGER.trace("Collecting authentication history based on [{}] authentication events", authentications.size()); authentications.forEach(authn -> { val authenticatedPrincipal = authn.getPrincipal(); LOGGER.debug("Evaluating authentication principal [{}] for inclusion in result", authenticatedPrincipal); principalAttributes.putAll(CoreAuthenticationUtils.mergeAttributes(principalAttributes, authenticatedPrincipal.getAttributes())); LOGGER.debug("Collected principal attributes [{}] for inclusion in this result for principal [{}]", principalAttributes, authenticatedPrincipal.getId()); authenticationAttributes.putAll(CoreAuthenticationUtils.mergeAttributes(authenticationAttributes, authn.getAttributes())); LOGGER.debug("Finalized authentication attributes [{}] for inclusion in this authentication result", authenticationAttributes); authenticationBuilder .addSuccesses(authn.getSuccesses()) .addFailures(authn.getFailures()) .addCredentials(authn.getCredentials()); }); }
@Override public InterruptResponse inquireInternal(final Authentication authentication, final RegisteredService registeredService, final Service service, final Credential credential, final RequestContext requestContext) { if (ResourceUtils.doesResourceExist(watchableScript.getResource())) { val principal = authentication.getPrincipal(); val attributes = new HashMap<String, Object>(principal.getAttributes()); attributes.putAll(authentication.getAttributes()); final Object[] args = {principal.getId(), attributes, service != null ? service.getId() : null, LOGGER}; return watchableScript.execute(args, InterruptResponse.class); } return InterruptResponse.none(); } }
@Override @SneakyThrows public String build(final TicketGrantingTicket ticketGrantingTicket) { val authentication = ticketGrantingTicket.getAuthentication(); val attributes = new HashMap<String, Object>(authentication.getAttributes()); attributes.putAll(authentication.getPrincipal().getAttributes()); val dt = ZonedDateTime.now().plusSeconds(expirationPolicy.getTimeToLive()); val validUntilDate = DateTimeUtils.dateOf(dt); return buildJwt(ticketGrantingTicket.getId(), casSeverPrefix, DateTimeUtils.dateOf(ticketGrantingTicket.getCreationTime()), authentication.getPrincipal().getId(), validUntilDate, attributes); }
/** * Build cas assertion. * * @param authentication the authentication * @param service the service * @param registeredService the registered service * @param attributesToCombine the attributes to combine * @return the assertion */ protected Assertion buildCasAssertion(final Authentication authentication, final Service service, final RegisteredService registeredService, final Map<String, Object> attributesToCombine) { val attributes = registeredService.getAttributeReleasePolicy().getAttributes(authentication.getPrincipal(), service, registeredService); val principal = new AttributePrincipalImpl(authentication.getPrincipal().getId(), attributes); val authnAttrs = new LinkedHashMap(authentication.getAttributes()); authnAttrs.putAll(attributesToCombine); return new AssertionImpl(principal, DateTimeUtils.dateOf(authentication.getAuthenticationDate()), null, DateTimeUtils.dateOf(authentication.getAuthenticationDate()), authnAttrs); }
/** * Creates a new builder initialized with data from the given authentication source. * * @param source Authentication source. * @return New builder instance initialized with all fields in the given authentication source. */ public static AuthenticationBuilder newInstance(final Authentication source) { val builder = new DefaultAuthenticationBuilder(source.getPrincipal()); builder.setAuthenticationDate(source.getAuthenticationDate()); builder.setCredentials(source.getCredentials()); builder.setSuccesses(source.getSuccesses()); builder.setFailures(source.getFailures()); builder.setAttributes(source.getAttributes()); return builder; }