MID-7796: adding error log for situation when mP couldn't initailize …

…auth seq and fix using only one auth seq
Evolveum · Apr 1, 2022 · 81fbff4 · 81fbff4
1 parent fb3fff2
commit 81fbff4
Show file tree

Hide file tree

Showing 16 changed files with 139 additions and 76 deletions.
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/error/PageError.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/error/PageError.java
@@ -212,4 +212,9 @@ private String getUrlForLogout() {
         }
         return SecurityUtils.getPathForLogoutWithContextPath(getRequest().getContextPath(), moduleAuthentication.getPrefix());
     }
+
+    @Override
+    protected void createBreadcrumb() {
+        //don't create breadcrumb for error page
+    }
 }
diff --git a/...in-gui/src/main/java/com/evolveum/midpoint/web/page/forgetpassword/PageResetPassword.java b/...in-gui/src/main/java/com/evolveum/midpoint/web/page/forgetpassword/PageResetPassword.java
@@ -7,6 +7,7 @@
 package com.evolveum.midpoint.web.page.forgetpassword;
 
 import com.evolveum.midpoint.authentication.api.authorization.Url;
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import com.evolveum.midpoint.web.page.admin.home.dto.MyPasswordsDto;
 import com.evolveum.midpoint.web.page.admin.home.dto.PasswordAccountDto;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
@@ -73,7 +74,7 @@ protected void finishChangePassword(final OperationResult result, AjaxRequestTar
             MyPasswordsDto passwords = getPasswordDto();
             PrismObject<? extends FocusType> focus = passwords.getFocus();
             if (focus == null) {
-                SecurityContextHolder.getContext().setAuthentication(null);
+                AuthUtil.clearMidpointAuthentication();
                 return;
             }
 
@@ -91,7 +92,7 @@ protected void finishChangePassword(final OperationResult result, AjaxRequestTar
                 }
             }
 
-            SecurityContextHolder.getContext().setAuthentication(null);
+            AuthUtil.clearMidpointAuthentication();
             showResult(result);
             target.add(getFeedbackPanel());
         } else if (showFeedback) {

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/AbstractPageLogin.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/AbstractPageLogin.java
@@ -66,6 +66,7 @@ public boolean isVisible() {
 
             @Override
             public void onClick(AjaxRequestTarget target) {
+                AuthUtil.clearMidpointAuthentication();
                 setResponsePage(getMidpointApplication().getHomePage());
             }
         };

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageRegistrationFinish.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageRegistrationFinish.java
@@ -6,6 +6,7 @@
  */
 package com.evolveum.midpoint.web.page.login;
 
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.PrismContext;
@@ -219,7 +220,7 @@ public boolean isEnabled() {
 
             @Override
             public void onClick(AjaxRequestTarget target) {
-                SecurityContextHolder.getContext().setAuthentication(null);
+                AuthUtil.clearMidpointAuthentication();
                 setResponsePage(PageLogin.class);
             }
         };

diff --git a/...c/main/java/com/evolveum/midpoint/authentication/api/RemoveUnusedSecurityFilterEvent.java b/...c/main/java/com/evolveum/midpoint/authentication/api/RemoveUnusedSecurityFilterEvent.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.api;
+
+import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
+
+import org.springframework.context.ApplicationEvent;
+
+/**
+ * @author skublik
+ */
+
+public abstract class RemoveUnusedSecurityFilterEvent extends ApplicationEvent{
+    protected RemoveUnusedSecurityFilterEvent(Object source) {
+        super(source);
+    }
+
+    public abstract MidpointAuthentication getMpAuthentication();
+}
diff --git a/.../RemoveUnusedSecurityFilterPublisher.java → .../RemoveUnusedSecurityFilterPublisher.java b/.../RemoveUnusedSecurityFilterPublisher.java → .../RemoveUnusedSecurityFilterPublisher.java
@@ -4,11 +4,12 @@
  * This work is dual-licensed under the Apache License 2.0
  * and European Union Public License. See LICENSE file for details.
  */
-package com.evolveum.midpoint.authentication.impl.session;
+package com.evolveum.midpoint.authentication.api;
 
 import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.stereotype.Component;
 
@@ -33,7 +34,7 @@ public class RemoveUnusedSecurityFilterPublisher {
 
     public void publishCustomEvent(final MidpointAuthentication mpAuthentication) {
         LOGGER.trace("Publishing RemoveUnusedSecurityFilterEvent event. With authentication: " + mpAuthentication);
-        RemoveUnusedSecurityFilterEvent customSpringEvent = new RemoveUnusedSecurityFilterEvent(this, mpAuthentication);
+        RemoveUnusedSecurityFilterEventImpl customSpringEvent = new RemoveUnusedSecurityFilterEventImpl(this, mpAuthentication);
         applicationEventPublisher.publishEvent(customSpringEvent);
     }
 
@@ -45,4 +46,19 @@ public void afterConstruct(){
     public static RemoveUnusedSecurityFilterPublisher get() {
         return instance;
     }
+
+    private class RemoveUnusedSecurityFilterEventImpl extends RemoveUnusedSecurityFilterEvent {
+
+        private final MidpointAuthentication mpAuthentication;
+
+        RemoveUnusedSecurityFilterEventImpl(Object source, MidpointAuthentication mpAuthentication) {
+            super(source);
+            this.mpAuthentication = mpAuthentication;
+        }
+
+        @Override
+        public MidpointAuthentication getMpAuthentication() {
+            return mpAuthentication;
+        }
+    }
 }
diff --git a/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java b/...hentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java
@@ -6,6 +6,8 @@
  */
 package com.evolveum.midpoint.authentication.api.util;
 
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
+import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.authentication.api.AuthenticationModuleState;
@@ -150,6 +152,7 @@ public static String stripEndingSlashes(String s) {
         }
         return s;
     }
+
     public static String stripStartingSlashes(String s) {
         if (StringUtils.isNotEmpty(s) && s.startsWith("/")) {
             if (s.equals("/")) {
@@ -172,4 +175,14 @@ public static String resolveTokenTypeByModuleType(String nameOfModuleType) {
         }
         return nameOfModuleType;
     }
+
+    public static void clearMidpointAuthentication() {
+        Authentication oldAuthentication = SecurityContextHolder.getContext().getAuthentication();
+        if (oldAuthentication instanceof MidpointAuthentication
+                && ((MidpointAuthentication)oldAuthentication).getAuthenticationChannel() != null
+                && SecurityPolicyUtil.DEFAULT_CHANNEL.equals(((MidpointAuthentication)oldAuthentication).getAuthenticationChannel().getChannelId())) {
+            RemoveUnusedSecurityFilterPublisher.get().publishCustomEvent((MidpointAuthentication) oldAuthentication);
+        }
+        SecurityContextHolder.getContext().setAuthentication(null);
+    }
 }
diff --git a/...impl/src/main/java/com/evolveum/midpoint/authentication/impl/MidpointSecurityContext.java b/...impl/src/main/java/com/evolveum/midpoint/authentication/impl/MidpointSecurityContext.java
@@ -8,7 +8,7 @@
 
 import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
 
-import com.evolveum.midpoint.authentication.impl.session.RemoveUnusedSecurityFilterPublisher;
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;

diff --git a/...com/evolveum/midpoint/authentication/impl/configuration/InitialSecurityConfiguration.java b/...com/evolveum/midpoint/authentication/impl/configuration/InitialSecurityConfiguration.java
@@ -8,7 +8,7 @@
 
 import com.evolveum.midpoint.authentication.impl.MidpointAutowiredBeanFactoryObjectPostProcessor;
 import com.evolveum.midpoint.authentication.impl.session.MidpointSessionRegistry;
-import com.evolveum.midpoint.authentication.impl.session.RemoveUnusedSecurityFilterPublisher;
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
 import com.evolveum.midpoint.authentication.impl.session.SessionAndRequestScopeImpl;
 
 import org.springframework.beans.factory.config.AutowireCapableBeanFactory;

diff --git a/...veum/midpoint/authentication/impl/configuration/MidpointWebSecurityConfigurerAdapter.java b/...veum/midpoint/authentication/impl/configuration/MidpointWebSecurityConfigurerAdapter.java
@@ -18,7 +18,6 @@
 import com.evolveum.midpoint.authentication.impl.handler.AuditedAccessDeniedHandler;
 import com.evolveum.midpoint.authentication.impl.handler.AuditedLogoutHandler;
 import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler;
-import com.evolveum.midpoint.authentication.impl.session.RemoveUnusedSecurityFilterPublisher;
 import com.evolveum.midpoint.authentication.impl.session.SessionAndRequestScope;
 import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
 

diff --git a/...pl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/MidpointAuthFilter.java b/...pl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/MidpointAuthFilter.java
@@ -30,14 +30,15 @@
 
 import com.evolveum.midpoint.authentication.impl.util.AuthModuleImpl;
 import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
-import com.evolveum.midpoint.authentication.impl.session.RemoveUnusedSecurityFilterPublisher;
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
 
 import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.WebAttributes;
@@ -136,7 +137,7 @@ private void doFilterInternal(ServletRequest request, ServletResponse response,
         if (authWrapper.sequence == null) {
             IllegalArgumentException ex = new IllegalArgumentException(getMessageSequenceIsNull(httpRequest, authWrapper));
             LOGGER.error(ex.getMessage(), ex);
-            ((HttpServletResponse) response).sendRedirect(httpRequest.getContextPath());
+            ((HttpServletResponse) response).sendError(401, "web.security.provider.invalid");
             return;
         }
         setLogoutPath(request, response);
@@ -178,10 +179,18 @@ private void removingFiltersAfterProcessing(MidpointAuthentication mpAuthenticat
         }
     }
 
+    private void clearAuthentication(HttpServletRequest httpRequest) {
+        Authentication oldAuthentication = SecurityContextHolder.getContext().getAuthentication();
+        if (!AuthSequenceUtil.isSpecificSequence(httpRequest) && oldAuthentication instanceof MidpointAuthentication) {
+            removeUnusedSecurityFilterPublisher.publishCustomEvent((MidpointAuthentication) oldAuthentication);
+        }
+        SecurityContextHolder.getContext().setAuthentication(null);
+    }
+
     private void runFilters(AuthenticationWrapper authWrapper, int indexOfProcessingModule, FilterChain chain,
             HttpServletRequest httpRequest, ServletResponse response) throws ServletException, IOException {
         VirtualFilterChain vfc = new VirtualFilterChain(
-                chain, ((AuthModuleImpl)authWrapper.authModules.get(indexOfProcessingModule)).getSecurityFilterChain().getFilters());
+                chain, ((AuthModuleImpl) authWrapper.authModules.get(indexOfProcessingModule)).getSecurityFilterChain().getFilters());
         vfc.doFilter(httpRequest, response);
     }
 
@@ -224,9 +233,9 @@ private void initAuthenticationModule(MidpointAuthentication mpAuthentication, A
                 authWrapper.authModules = authModulesOfSpecificSequences.get(authWrapper.sequence.getName());
                 if (authWrapper.authModules != null) {
                     for (AuthModule authModule : authWrapper.authModules) {
-                        if (authModule != null && ((AuthModuleImpl)authModule).getConfiguration() != null) {
+                        if (authModule != null && ((AuthModuleImpl) authModule).getConfiguration() != null) {
                             authenticationManager.getProviders().clear();
-                            for (AuthenticationProvider authenticationProvider : ((AuthModuleImpl)authModule).getConfiguration().getAuthenticationProviders()) {
+                            for (AuthenticationProvider authenticationProvider : ((AuthModuleImpl) authModule).getConfiguration().getAuthenticationProviders()) {
                                 authenticationManager.getProviders().add(authenticationProvider);
                             }
                         }
@@ -294,7 +303,7 @@ private void createMpAuthentication(HttpServletRequest httpRequest, Authenticati
         mpAuthentication.setSessionId(httpRequest.getSession(false) != null ?
                 httpRequest.getSession(false).getId() : RandomStringUtils.random(30, true, true).toUpperCase());
         mpAuthentication.addAuthentications(authWrapper.authModules.get(0).getBaseModuleAuthentication());
-        SecurityContextHolder.getContext().setAuthentication(null);
+        clearAuthentication(httpRequest);
         SecurityContextHolder.getContext().setAuthentication(mpAuthentication);
     }
 
@@ -331,7 +340,7 @@ private List<AuthModule> createAuthenticationModuleBySequence(MidpointAuthentica
             HttpServletRequest httpRequest, AuthenticationModulesType modules, AuthenticationChannel authenticationChannel, CredentialsPolicyType credentialsPolicy) {
         List<AuthModule> authModules;
         if (processingDifferentAuthenticationSequence(mpAuthentication, sequence)) {
-            SecurityContextHolder.getContext().setAuthentication(null);
+            clearAuthentication(httpRequest);
             authenticationManager.getProviders().clear();
             authModules = AuthSequenceUtil.buildModuleFilters(
                     authModuleRegistry, sequence, httpRequest, modules,
@@ -430,7 +439,7 @@ private void processingOfAuthenticatedRequest(MidpointAuthentication mpAuthentic
             if (AuthenticationModuleState.SUCCESSFULLY.equals(moduleAuthentication.getState())) {
                 int i = mpAuthentication.getIndexOfModule(moduleAuthentication);
                 VirtualFilterChain vfc = new VirtualFilterChain(chain,
-                        ((AuthModuleImpl)mpAuthentication.getAuthModules().get(i)).getSecurityFilterChain().getFilters());
+                        ((AuthModuleImpl) mpAuthentication.getAuthModules().get(i)).getSecurityFilterChain().getFilters());
                 vfc.doFilter(httpRequest, response);
             }
         }

diff --git a/...m/evolveum/midpoint/authentication/impl/handler/MidPointAuthenticationSuccessHandler.java b/...m/evolveum/midpoint/authentication/impl/handler/MidPointAuthenticationSuccessHandler.java
@@ -91,9 +91,6 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
                 String localePath = savedRequest.getRedirectUrl().substring(startIndex, endIndex);
                 channelSavedRequest = AuthSequenceUtil.searchChannelByPath(localePath);
             }
-            if (channelSavedRequest == null) {
-                channelSavedRequest = SecurityPolicyUtil.DEFAULT_CHANNEL;
-            }
             if (!(channelSavedRequest.equals(authenticatedChannel))) {
                 getRedirectStrategy().sendRedirect(request, response, urlSuffix);
                 return;

diff --git a/.../main/java/com/evolveum/midpoint/authentication/impl/session/MidpointSessionRegistry.java b/.../main/java/com/evolveum/midpoint/authentication/impl/session/MidpointSessionRegistry.java
@@ -6,6 +6,7 @@
  */
 package com.evolveum.midpoint.authentication.impl.session;
 
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
 import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
 
 import org.springframework.security.core.context.SecurityContext;

diff --git a/...va/com/evolveum/midpoint/authentication/impl/session/RemoveUnusedSecurityFilterEvent.java b/...va/com/evolveum/midpoint/authentication/impl/session/RemoveUnusedSecurityFilterEvent.java
diff --git a/...com/evolveum/midpoint/authentication/impl/session/RemoveUnusedSecurityFilterListener.java b/...com/evolveum/midpoint/authentication/impl/session/RemoveUnusedSecurityFilterListener.java
@@ -8,6 +8,7 @@
 
 import com.evolveum.midpoint.authentication.api.AuthModule;
 
+import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterEvent;
 import com.evolveum.midpoint.authentication.impl.MidpointAutowiredBeanFactoryObjectPostProcessor;
 
 import com.evolveum.midpoint.authentication.impl.util.AuthModuleImpl;