/**
* Waffle (https://github.com/Waffle/waffle)
*
* Copyright (c) 2010-2016 Application Security, Inc.
*
* All rights reserved. This program and the accompanying materials are made available under the terms of the Eclipse
* Public License v1.0 which accompanies this distribution, and is available at
* https://www.eclipse.org/legal/epl-v10.html.
*
* Contributors: Application Security, Inc.
*/
package waffle.spring;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
/**
 * Supports optional injection of Spring Security entities, allowing Waffle to act as an interface towards an identity
 * provider (the AD).
 *
 * The entities listed below are checked for being set before they are invoked; inherited entities are not.
 *
 * <ul>
 * <li>The {@code AuthenticationManager} allows the service provider to authorize the principal.</li>
 * <li>The {@code authenticationSuccessHandler} allows the service provider to further populate the
 * {@link org.springframework.security.core.Authentication Authentication} object.</li>
 * <li>The {@code AuthenticationFailureHandler} is called if the AuthenticationManager throws an
 * {@link org.springframework.security.core.AuthenticationException AuthenticationException}.</li>
 * <li>The {@code AccessDeniedHandler} is called if the AuthenticationManager throws an
 * {@link org.springframework.security.access.AccessDeniedException AccessDeniedException}.</li>
 * </ul>
 *
* Example configuration:
*
*
* {@code
*
*
*
*
*
*
*
*
*
*
*
*
* }
*
*/
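public class DelegatingNegotiateSecurityFilter extends NegotiateSecurityFilter {

    /** Logger for this class; log lines are attributed to this class's category rather than the parent's. */
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatingNegotiateSecurityFilter.class);

    /** Optional manager consulted in {@link #setAuthentication} before the authentication is stored; may be null. */
    private AuthenticationManager authenticationManager;

    /** Optional handler notified after the authentication has been placed in the security context; may be null. */
    private AuthenticationSuccessHandler authenticationSuccessHandler;

    /** Optional handler used when the authentication manager throws an {@link AuthenticationException}; may be null. */
    private AuthenticationFailureHandler authenticationFailureHandler;

    /** Optional handler used when the authentication manager throws an {@link AccessDeniedException}; may be null. */
    private AccessDeniedHandler accessDeniedHandler;

    /**
     * Instantiates a new delegating negotiate security filter.
     */
    public DelegatingNegotiateSecurityFilter() {
        super();
        LOGGER.debug("[waffle.spring.NegotiateSecurityFilter] loaded");
    }

    /**
     * Gets the access denied handler.
     *
     * @return the accessDeniedHandler, or null if none was configured
     */
    public AccessDeniedHandler getAccessDeniedHandler() {
        return this.accessDeniedHandler;
    }

    /**
     * Sets the access denied handler.
     *
     * @param value
     *            the accessDeniedHandler to set (null disables delegation)
     */
    public void setAccessDeniedHandler(final AccessDeniedHandler value) {
        this.accessDeniedHandler = value;
    }

    /**
     * Gets the authentication failure handler.
     *
     * @return the authenticationFailureHandler, or null if none was configured
     */
    public AuthenticationFailureHandler getAuthenticationFailureHandler() {
        return this.authenticationFailureHandler;
    }

    /**
     * Sets the authentication failure handler.
     *
     * @param value
     *            the authenticationFailureHandler to set (null disables delegation)
     */
    public void setAuthenticationFailureHandler(final AuthenticationFailureHandler value) {
        this.authenticationFailureHandler = value;
    }

    /**
     * Stores the negotiated authentication in the {@link SecurityContextHolder}, passing it through the configured
     * {@link AuthenticationManager} first when one is set, and then notifies the configured success handler.
     *
     * @param request
     *            the request
     * @param response
     *            the response
     * @param authentication
     *            the authentication produced by the negotiate provider
     * @return {@code true} if the authentication was stored and the success handler (if any) completed; {@code false}
     *         if the manager rejected it (the failure or access-denied handler has then already written the response)
     *         or the success handler threw
     */
    @Override
    protected boolean setAuthentication(final HttpServletRequest request, final HttpServletResponse response,
            final Authentication authentication) {
        try {
            // The object that ends up in the security context: the manager's result when delegating, otherwise the
            // negotiated token as-is.
            final Authentication effective;
            if (this.authenticationManager != null) {
                LOGGER.debug("Delegating to custom authenticationmanager");
                effective = this.authenticationManager.authenticate(authentication);
            } else {
                effective = authentication;
            }
            SecurityContextHolder.getContext().setAuthentication(effective);
            if (this.authenticationSuccessHandler != null) {
                try {
                    // Hand the handler the same object that is now in the security context, so anything it
                    // populates is what downstream code sees; the pre-delegation token was passed here before.
                    this.authenticationSuccessHandler.onAuthenticationSuccess(request, response, effective);
                } catch (final IOException | ServletException e) {
                    // Message at WARN, full stack trace only at TRACE.
                    LOGGER.warn("Error calling authenticationSuccessHandler: {}", e.getMessage());
                    LOGGER.trace("", e);
                    // NOTE(review): the security context already holds 'effective' here; whether it is cleared on
                    // a false return is decided by the caller in NegotiateSecurityFilter — confirm.
                    return false;
                }
            }
        } catch (final AuthenticationException e) {
            LOGGER.warn("Error authenticating user in custom authenticationmanager: {}", e.getMessage());
            this.sendAuthenticationFailed(request, response, e);
            return false;
        } catch (final AccessDeniedException e) {
            LOGGER.warn("Error authorizing user in custom authenticationmanager: {}", e.getMessage());
            this.sendAccessDenied(request, response, e);
            return false;
        }
        return true;
    }

    /**
     * Runs the parent's initialization and then verifies that a negotiate provider is configured.
     *
     * @throws ServletException
     *             if no provider is set
     */
    @Override
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        if (this.getProvider() == null) {
            throw new ServletException("Missing NegotiateSecurityFilter.Provider");
        }
    }

    /**
     * Forwards an authentication failure to the configured {@link AuthenticationFailureHandler}; when none is set or
     * the handler throws, falls back to the inherited unauthorized response.
     *
     * @param request
     *            the request
     * @param response
     *            HTTP response
     * @param ae
     *            the exception thrown by the authentication manager
     */
    private void sendAuthenticationFailed(final HttpServletRequest request, final HttpServletResponse response,
            final AuthenticationException ae) {
        if (this.authenticationFailureHandler != null) {
            try {
                this.authenticationFailureHandler.onAuthenticationFailure(request, response, ae);
                return;
            } catch (final IOException e) {
                LOGGER.warn("Exception invoking authenticationFailureHandler: {}", e.getMessage());
                LOGGER.trace("", e);
            } catch (final ServletException e) {
                LOGGER.warn("ServletException invoking authenticationFailureHandler: {}", e.getMessage());
                LOGGER.trace("", e);
            }
        }
        // fallback: no handler, or the handler failed
        this.sendUnauthorized(response, true);
    }

    /**
     * Forwards an access-denied condition to the configured {@link AccessDeniedHandler}; when none is set or the
     * handler throws, falls back to the inherited unauthorized response.
     *
     * @param request
     *            the request
     * @param response
     *            HTTP response
     * @param ae
     *            the exception thrown by the authentication manager
     */
    private void sendAccessDenied(final HttpServletRequest request, final HttpServletResponse response,
            final AccessDeniedException ae) {
        if (this.accessDeniedHandler != null) {
            try {
                this.accessDeniedHandler.handle(request, response, ae);
                return;
            } catch (final IOException e) {
                LOGGER.warn("IOException invoking accessDeniedHandler: {}", e.getMessage());
                LOGGER.trace("", e);
            } catch (final ServletException e) {
                LOGGER.warn("ServletException invoking accessDeniedHandler: {}", e.getMessage());
                LOGGER.trace("", e);
            }
        }
        // fallback: no handler, or the handler failed.
        // NOTE(review): this reuses the same unauthorized response as an authentication failure; whether an
        // access-denied condition should instead be answered differently depends on sendUnauthorized's semantics in
        // NegotiateSecurityFilter — confirm.
        this.sendUnauthorized(response, true);
    }

    /**
     * Gets the authentication success handler.
     *
     * @return the authenticationSuccessHandler, or null if none was configured
     */
    public AuthenticationSuccessHandler getAuthenticationSuccessHandler() {
        return this.authenticationSuccessHandler;
    }

    /**
     * Sets the authentication success handler.
     *
     * @param value
     *            the authenticationSuccessHandler to set (null disables delegation)
     */
    public void setAuthenticationSuccessHandler(final AuthenticationSuccessHandler value) {
        this.authenticationSuccessHandler = value;
    }

    /**
     * Gets the authentication manager.
     *
     * @return the authenticationManager, or null if none was configured
     */
    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    /**
     * Sets the authentication manager.
     *
     * @param value
     *            the authenticationManager to set (null stores the negotiated authentication unchanged)
     */
    public void setAuthenticationManager(final AuthenticationManager value) {
        this.authenticationManager = value;
    }
}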