/*
* Copyright (c) 2010-2019 Evolveum and contributors
*
* This work is dual-licensed under the Apache License 2.0
* and European Union Public License. See LICENSE file for details.
*/
package com.evolveum.midpoint.web.security.filter;
import com.evolveum.midpoint.model.api.authentication.AuthModule;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.prism.PrismContainer;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.schema.SchemaRegistry;
import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.util.Assert;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
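/**
 * Anonymous-authentication filter for midPoint.
 *
 * <p>Behaves like Spring Security's {@link AnonymousAuthenticationFilter}, except that the
 * anonymous token placed into the {@link SecurityContextHolder} is wrapped in a
 * {@link MidpointAuthentication} built from the default authentication sequence and the
 * default authentication policy, so downstream code sees the same structure as for a
 * regular login. When the context already holds a {@link MidpointAuthentication} whose
 * currently processing module has no authentication yet, only that module is filled with an
 * anonymous token; an authentication that is already present is never replaced.
 *
 * @author skublik
 */
public class MidpointAnonymousAuthenticationFilter extends AnonymousAuthenticationFilter {

    private static final Trace LOGGER = TraceManager.getTrace(MidpointAnonymousAuthenticationFilter.class);

    private final AuthModuleRegistryImpl authRegistry;
    private final AuthChannelRegistryImpl authChannelRegistry;
    private final PrismContext prismContext;
    // Builds the request details attached to every anonymous token; replaceable via the setter below.
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    // Key shared with the superclass; kept here because the superclass does not expose it for token creation.
    private final String key;

    /**
     * Creates the filter.
     *
     * @param authRegistry        registry used to build the module filters of the default sequence
     * @param authChannelRegistry registry used to build the authentication channel of the default sequence
     * @param prismContext        prism context whose schema registry supplies the default authentication policy
     * @param key                 key that identifies tokens created by this filter (passed to the superclass as well)
     * @param principal           principal of the anonymous token
     * @param authorities         authorities granted to the anonymous token
     */
    public MidpointAnonymousAuthenticationFilter(AuthModuleRegistryImpl authRegistry, AuthChannelRegistryImpl authChannelRegistry,
            PrismContext prismContext, String key, Object principal, List<GrantedAuthority> authorities) {
        super(key, principal, authorities);
        this.key = key;
        this.authRegistry = authRegistry;
        this.authChannelRegistry = authChannelRegistry;
        this.prismContext = prismContext;
    }

    /**
     * Makes sure the security context carries an authentication before the rest of the chain runs.
     *
     * <p>An empty context receives a full {@link MidpointAuthentication} (see
     * {@link #createAuthentication(HttpServletRequest)}). A context that already holds a
     * {@link MidpointAuthentication} whose processing module has no authentication gets a plain
     * anonymous token on that module only. Any other existing authentication is left untouched.
     *
     * @param req   the current request; cast to {@link HttpServletRequest} when a token has to be built
     * @param res   the current response, passed through unchanged
     * @param chain the remaining filter chain, always invoked
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null) {
            SecurityContextHolder.getContext().setAuthentication(
                    createAuthentication((HttpServletRequest) req));
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Populated SecurityContextHolder with anonymous token: '"
                        + SecurityContextHolder.getContext().getAuthentication() + "'");
            }
        } else {
            if (existing instanceof MidpointAuthentication) {
                MidpointAuthentication mpAuthentication = (MidpointAuthentication) existing;
                ModuleAuthentication moduleAuthentication = mpAuthentication.getProcessingModuleAuthentication();
                // Only a module that has not authenticated yet is given the anonymous token;
                // a module that already holds an authentication must not be downgraded.
                if (moduleAuthentication != null && moduleAuthentication.getAuthentication() == null) {
                    Authentication authentication = createBasicAuthentication((HttpServletRequest) req);
                    moduleAuthentication.setAuthentication(authentication);
                    mpAuthentication.setPrincipal(authentication.getPrincipal());
                }
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
                        + SecurityContextHolder.getContext().getAuthentication() + "'");
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Builds a {@link MidpointAuthentication} for an anonymous request.
     *
     * <p>The default authentication sequence and policy are used to build the channel and the
     * module list; the anonymous token from {@link #createBasicAuthentication(HttpServletRequest)}
     * is attached to the first module's base module authentication and its principal becomes the
     * principal of the returned authentication.
     *
     * @param request the current request, used for the module filters and the token details
     * @return a fully populated {@link MidpointAuthentication} carrying the anonymous token
     * @throws IllegalArgumentException if the default authentication policy cannot be created
     * @throws IllegalStateException    if the default sequence yields no authentication modules
     */
    protected Authentication createAuthentication(HttpServletRequest request) {
        Authentication auth = createBasicAuthentication(request);
        MidpointAuthentication authentication = new MidpointAuthentication(SecurityPolicyUtil.createDefaultSequence());

        AuthenticationsPolicyType authenticationsPolicy;
        try {
            authenticationsPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy(prismContext.getSchemaRegistry());
        } catch (SchemaException e) {
            // Log the cause as well; the bare message alone gave no hint why the default policy failed.
            LOGGER.error("Couldn't get default authentication policy: {}", e.getMessage(), e);
            throw new IllegalArgumentException("Couldn't get default authentication policy", e);
        }

        AuthenticationSequenceType sequence = SecurityPolicyUtil.createDefaultSequence();
        AuthenticationChannel authenticationChannel = SecurityUtils.buildAuthChannel(authChannelRegistry, sequence);
        List<AuthModule> authModules = SecurityUtils.buildModuleFilters(authRegistry, sequence, request,
                authenticationsPolicy.getModules(), null, new HashMap<>(), authenticationChannel);
        // Guard the get(0) below: an empty module list would otherwise surface as an unhelpful
        // IndexOutOfBoundsException deep inside the filter chain.
        if (authModules == null || authModules.isEmpty()) {
            throw new IllegalStateException("Default authentication sequence produced no authentication modules");
        }
        authentication.setAuthModules(authModules);

        ModuleAuthentication module = authModules.get(0).getBaseModuleAuthentication();
        module.setAuthentication(auth);
        authentication.addAuthentications(module);
        authentication.setPrincipal(auth.getPrincipal());
        return authentication;
    }

    /**
     * Creates the plain Spring anonymous token for a request.
     *
     * @param request the current request, used to build the token details
     * @return an {@link AnonymousAuthenticationToken} with this filter's key, principal and authorities
     */
    protected Authentication createBasicAuthentication(HttpServletRequest request) {
        AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key,
                getPrincipal(), getAuthorities());
        auth.setDetails(authenticationDetailsSource.buildDetails(request));
        return auth;
    }

    /**
     * Replaces the source used to build the details of anonymous tokens.
     *
     * @param authenticationDetailsSource the new details source, must not be {@code null}
     * @throws IllegalArgumentException if the argument is {@code null}
     */
    @Override
    public void setAuthenticationDetailsSource(
            AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource,
                "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }
}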