Merge branch 'master' of https://github.com/Evolveum/midpoint
Showing
5 changed files
with
418 additions
and
418 deletions.
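--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/AuditedLogoutHandler.java
@@ -1,116 +1,115 @@
-/*
- * Copyright (c) 2010-2013 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-
-package com.evolveum.midpoint.web.security;
-
-import com.evolveum.midpoint.audit.api.AuditEventRecord;
-import com.evolveum.midpoint.audit.api.AuditEventStage;
-import com.evolveum.midpoint.audit.api.AuditEventType;
-import com.evolveum.midpoint.audit.api.AuditService;
-import com.evolveum.midpoint.gui.api.GuiConstants;
-import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
-import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
-import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
-import com.evolveum.midpoint.model.api.authentication.StateOfModule;
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
-import com.evolveum.midpoint.schema.result.OperationResultStatus;
-import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.task.api.Task;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.util.logging.Trace;
-import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.web.security.filter.MidpointAuthFilter;
-import com.evolveum.midpoint.web.security.util.SecurityUtils;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-/**
- * @author lazyman
- */
-public class AuditedLogoutHandler extends SimpleUrlLogoutSuccessHandler {
-
-    private static final transient Trace LOGGER = TraceManager.getTrace(AuditedLogoutHandler.class);
-
-    @Autowired
-    private TaskManager taskManager;
-    @Autowired
-    private AuditService auditService;
-
-    boolean useDefaultUrl = false;
-
-    private boolean useDefaultUrl() {
-        return useDefaultUrl;
-    }
-
-    @Override
-    public void setDefaultTargetUrl(String defaultTargetUrl) {
-        super.setDefaultTargetUrl(defaultTargetUrl);
-        this.useDefaultUrl = true;
-    }
-
-    @Override
-    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
-            throws IOException, ServletException {
-
-        String targetUrl;
-        if (useDefaultUrl()) {
-            targetUrl = getDefaultTargetUrl();
-        } else {
-            targetUrl = GuiConstants.DEFAULT_PATH_AFTER_LOGOUT;
-        }
-
-        if (authentication instanceof MidpointAuthentication) {
-            MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
-            ModuleAuthentication moduleAuthentication = mpAuthentication.getProcessingModuleAuthentication();
-            if (mpAuthentication.getAuthenticationChannel() != null) {
-                targetUrl = mpAuthentication.getAuthenticationChannel().getPathDuringProccessing();
-            }
-        }
-
-        if (response.isCommitted()) {
-            LOGGER.debug("Response has already been committed. Unable to redirect to " + targetUrl);
-        } else {
-            getRedirectStrategy().sendRedirect(request, response, targetUrl);
-        }
-
-        auditEvent(request, authentication);
-    }
-
-    private void auditEvent(HttpServletRequest request, Authentication authentication) {
-        MidPointPrincipal principal = SecurityUtils.getPrincipalUser(authentication);
-        PrismObject<UserType> user = principal != null ? principal.getUser().asPrismObject() : null;
-
-        Task task = taskManager.createTaskInstance();
-        task.setOwner(user);
-        task.setChannel(SchemaConstants.CHANNEL_GUI_USER_URI);
-
-        AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
-        record.setInitiator(user);
-        record.setParameter(WebComponentUtil.getName(user, false));
-
-        record.setChannel(SchemaConstants.CHANNEL_GUI_USER_URI);
-        record.setTimestamp(System.currentTimeMillis());
-        record.setOutcome(OperationResultStatus.SUCCESS);
-
-        // probably not needed, as audit service would take care of it; but it doesn't hurt so let's keep it here
-        record.setHostIdentifier(request.getLocalName());
-        record.setRemoteHostAddress(request.getLocalAddr());
-        record.setNodeIdentifier(taskManager.getNodeId());
-        record.setSessionIdentifier(request.getRequestedSessionId());
-
-        auditService.audit(record, task);
-    }
-}
+/*
+ * Copyright (c) 2010-2013 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.web.security;
+
+import com.evolveum.midpoint.audit.api.AuditEventRecord;
+import com.evolveum.midpoint.audit.api.AuditEventStage;
+import com.evolveum.midpoint.audit.api.AuditEventType;
+import com.evolveum.midpoint.audit.api.AuditService;
+import com.evolveum.midpoint.gui.api.GuiConstants;
+import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
+import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
+import com.evolveum.midpoint.model.api.authentication.StateOfModule;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.web.security.filter.MidpointAuthFilter;
+import com.evolveum.midpoint.web.security.util.SecurityUtils;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author lazyman
+ */
+public class AuditedLogoutHandler extends SimpleUrlLogoutSuccessHandler {
+
+    private static final transient Trace LOGGER = TraceManager.getTrace(AuditedLogoutHandler.class);
+
+    @Autowired
+    private TaskManager taskManager;
+    @Autowired
+    private AuditService auditService;
+
+    boolean useDefaultUrl = false;
+
+    private boolean useDefaultUrl() {
+        return useDefaultUrl;
+    }
+
+    @Override
+    public void setDefaultTargetUrl(String defaultTargetUrl) {
+        super.setDefaultTargetUrl(defaultTargetUrl);
+        this.useDefaultUrl = true;
+    }
+
+    @Override
+    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
+            throws IOException, ServletException {
+
+        String targetUrl = null;
+        if (useDefaultUrl()) {
+            targetUrl = getDefaultTargetUrl();
+        } else {
+            targetUrl = GuiConstants.DEFAULT_PATH_AFTER_LOGOUT;
+        }
+
+        if (authentication instanceof MidpointAuthentication) {
+            MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
+            if (mpAuthentication.getAuthenticationChannel() != null) {
+                targetUrl = mpAuthentication.getAuthenticationChannel().getPathDuringProccessing();
+            }
+        }
+
+        if (response.isCommitted()) {
+            LOGGER.debug("Response has already been committed. Unable to redirect to " + targetUrl);
+        } else {
+            getRedirectStrategy().sendRedirect(request, response, targetUrl);
+        }
+
+        auditEvent(request, authentication);
+    }
+
+    private void auditEvent(HttpServletRequest request, Authentication authentication) {
+        MidPointPrincipal principal = SecurityUtils.getPrincipalUser(authentication);
+        PrismObject<UserType> user = principal != null ? principal.getUser().asPrismObject() : null;
+
+        Task task = taskManager.createTaskInstance();
+        task.setOwner(user);
+        task.setChannel(SchemaConstants.CHANNEL_GUI_USER_URI);
+
+        AuditEventRecord record = new AuditEventRecord(AuditEventType.TERMINATE_SESSION, AuditEventStage.REQUEST);
+        record.setInitiator(user);
+        record.setParameter(WebComponentUtil.getName(user, false));
+
+        record.setChannel(SchemaConstants.CHANNEL_GUI_USER_URI);
+        record.setTimestamp(System.currentTimeMillis());
+        record.setOutcome(OperationResultStatus.SUCCESS);
+
+        // probably not needed, as audit service would take care of it; but it doesn't hurt so let's keep it here
+        record.setHostIdentifier(request.getLocalName());
+        record.setRemoteHostAddress(request.getLocalAddr());
+        record.setNodeIdentifier(taskManager.getNodeId());
+        record.setSessionIdentifier(request.getRequestedSessionId());
+
+        auditService.audit(record, task);
+    }
+}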
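Review bot: `record.setRemoteHostAddress(request.getLocalAddr())` in auditEvent stores the server's own interface address in the remote-host field of the TERMINATE_SESSION record, so the logout cannot be attributed to the client host that requested it; unless the local address is deliberately intended here (the comment above only calls it "probably not needed"), the client-side counterpart is `record.setRemoteHostAddress(request.getRemoteAddr());`. Separately, `String targetUrl = null;` on the new side is redundant because both branches of the following if/else assign it, and the `ModuleAuthentication`, `StateOfModule`, `MidpointAuthFilter` and `StringUtils` imports appear unused in this file now that the `moduleAuthentication` local has been dropped. The `useDefaultUrl` field is package-private and mutable while the rest of the class is private; `private` would match `useDefaultUrl()`, which is its only reader here.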
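--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/GuiAuthenticationChannel.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/channel/GuiAuthenticationChannel.java
@@ -1,53 +1,54 @@
-/*
- * Copyright (c) 2010-2019 Evolveum and contributors
- *
- * This work is dual-licensed under the Apache License 2.0
- * and European Union Public License. See LICENSE file for details.
- */
-package com.evolveum.midpoint.web.security.channel;
-
-import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
-import com.evolveum.midpoint.model.api.ModelInteractionService;
-import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
-import com.evolveum.midpoint.model.api.authentication.ModuleWebSecurityConfiguration;
-import com.evolveum.midpoint.schema.constants.SchemaConstants;
-import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
-import com.evolveum.midpoint.security.api.Authorization;
-import com.evolveum.midpoint.task.api.TaskManager;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.Validate;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-import java.util.Collection;
-
-import static org.springframework.security.saml.util.StringUtils.stripSlashes;
-
-/**
- * @author skublik
- */
-
-public class GuiAuthenticationChannel extends AuthenticationChannelImpl {
-
-    private TaskManager taskManager;
-    private ModelInteractionService modelInteractionService;
-
-    public GuiAuthenticationChannel(TaskManager taskManager, ModelInteractionService modelInteractionService) {
-        this.taskManager = taskManager;
-        this.modelInteractionService = modelInteractionService;
-    }
-
-    public String getChannelId() {
-        return SchemaConstants.CHANNEL_USER_URI;
-    }
-
-    public String getPathAfterSuccessfulAuthentication() {
-        if (WebModelServiceUtils.isPostAuthenticationEnabled(taskManager, modelInteractionService)) {
-            return "/self/postAuthentication";
-        }
-
-        return super.getPathAfterSuccessfulAuthentication();
-    }
-
-}
+/*
+ * Copyright (c) 2010-2019 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security.channel;
+
+import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
+import com.evolveum.midpoint.model.api.ModelInteractionService;
+import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
+import com.evolveum.midpoint.model.api.authentication.ModuleWebSecurityConfiguration;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
+import com.evolveum.midpoint.security.api.Authorization;
+import com.evolveum.midpoint.task.api.TaskManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.util.Collection;
+
+import static org.springframework.security.saml.util.StringUtils.stripSlashes;
+
+/**
+ * @author skublik
+ */
+
+public class GuiAuthenticationChannel extends AuthenticationChannelImpl {
+
+    private TaskManager taskManager;
+    private ModelInteractionService modelInteractionService;
+
+    public GuiAuthenticationChannel(AuthenticationSequenceChannelType channel, TaskManager taskManager, ModelInteractionService modelInteractionService) {
+        super(channel);
+        this.taskManager = taskManager;
+        this.modelInteractionService = modelInteractionService;
+    }
+
+    public String getChannelId() {
+        return SchemaConstants.CHANNEL_USER_URI;
+    }
+
+    public String getPathAfterSuccessfulAuthentication() {
+        if (WebModelServiceUtils.isPostAuthenticationEnabled(taskManager, modelInteractionService)) {
+            return "/self/postAuthentication";
+        }
+
+        return super.getPathAfterSuccessfulAuthentication();
+    }
+
+}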
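Review bot: The new constructor hands `channel` straight to `super(channel)` with no null check even though `Validate` is already imported; if a null channel is not meaningful for this class (I cannot see what `AuthenticationChannelImpl` does with it), `super(Validate.notNull(channel, "channel"));` fails fast with a clear message instead of wherever the superclass first dereferences it. `getPathAfterSuccessfulAuthentication()` calls `super.getPathAfterSuccessfulAuthentication()` and so overrides the superclass method but carries no `@Override`; `getChannelId()` presumably does too. `taskManager` and `modelInteractionService` are only assigned in the constructor and could be `final`. Most of the imports (`AuthenticationChannel`, `ModuleWebSecurityConfiguration`, `SecurityPolicyUtil`, `Authorization`, `StringUtils`, `Authentication`, `SecurityContextHolder`, `Collection`, `stripSlashes`) appear unused in this file.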