From d48750f24aae072125cf9c553ca08ab85c607504 Mon Sep 17 00:00:00 2001 From: MaxKey Date: Thu, 18 Feb 2021 09:51:17 +0800 Subject: [PATCH] EntryPoints --- .../authn/support/jwt/HttpJwtEntryPoint.java | 22 +-- .../kerberos/HttpKerberosEntryPoint.java | 140 ++++++++++++++++ .../support/kerberos/KerberosService.java | 4 +- .../kerberos/RemoteKerberosService.java | 36 ---- .../rememberme/HttpRemeberMeEntryPoint.java | 59 +++---- .../HttpWsFederationEntryPoint.java | 157 ++++++++++++++++++ .../wsfederation/WsFederationService.java | 4 +- .../wsfederation/WsFederationServiceImpl.java | 60 +------ .../maxkey/web/endpoint/LoginEndpoint.java | 24 +-- .../main/java/org/maxkey/MaxKeyMvcConfig.java | 12 ++ .../contorller/RegistrationController.java | 55 ++++++ .../maxkey/web/endpoint/LoginEndpoint.java | 145 ++++------------ 12 files changed, 450 insertions(+), 268 deletions(-) create mode 100644 maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/HttpKerberosEntryPoint.java create mode 100644 maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/HttpWsFederationEntryPoint.java diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/jwt/HttpJwtEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/jwt/HttpJwtEntryPoint.java index 0c0781eb3..bbdd08cb3 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/jwt/HttpJwtEntryPoint.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/jwt/HttpJwtEntryPoint.java @@ -46,9 +46,11 @@ public class HttpJwtEntryPoint implements AsyncHandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception { boolean isAuthenticated= WebContext.isAuthenticated(); - String jwt = request.getParameter(WebConstants.JWT_TOKEN_PARAMETER); - if(!enable || isAuthenticated || jwt == null){ + + if(!enable + || isAuthenticated + || jwt == null){ return true; } @@ -70,16 +72,14 @@ public class HttpJwtEntryPoint implements AsyncHandlerInterceptor { _logger.info("getSession.getId : "+ request.getSession().getId()); //for jwt Login - if(!isAuthenticated){ - _logger.debug("jwt : " + jwt); + _logger.debug("jwt : " + jwt); - SignedJWT signedJWT = jwtLoginService.jwtTokenValidation(jwt); - if(signedJWT != null) { - String username =signedJWT.getJWTClaimsSet().getSubject(); - authenticationProvider.trustAuthentication(username, ConstantsLoginType.JWT, "", "", "success"); - } - - } + SignedJWT signedJWT = jwtLoginService.jwtTokenValidation(jwt); + if(signedJWT != null) { + String username =signedJWT.getJWTClaimsSet().getSubject(); + authenticationProvider.trustAuthentication(username, ConstantsLoginType.JWT, "", "", "success"); + _logger.debug("JWT Logined in , username " + username); + } return true; } diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/HttpKerberosEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/HttpKerberosEntryPoint.java new file mode 100644 index 000000000..6e9a0e1ee --- /dev/null +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/HttpKerberosEntryPoint.java @@ -0,0 +1,140 @@ +/* + * Copyright [2020] [MaxKey of copyright http://www.maxkey.top] + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +package org.maxkey.authn.support.kerberos; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.joda.time.DateTime; +import org.maxkey.authn.AbstractAuthenticationProvider; +import org.maxkey.configuration.ApplicationConfig; +import org.maxkey.constants.ConstantsLoginType; +import org.maxkey.crypto.ReciprocalUtils; +import org.maxkey.util.DateUtils; +import org.maxkey.util.JsonUtils; +import org.maxkey.web.WebConstants; +import org.maxkey.web.WebContext; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.web.servlet.AsyncHandlerInterceptor; + + +public class HttpKerberosEntryPoint implements AsyncHandlerInterceptor { + private static final Logger _logger = LoggerFactory.getLogger(HttpKerberosEntryPoint.class); + + boolean enable; + + ApplicationConfig applicationConfig; + + AbstractAuthenticationProvider authenticationProvider ; + + KerberosService kerberosService; + + @Override + public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception { + boolean isAuthenticated= WebContext.isAuthenticated(); + String kerberosTokenString = request.getParameter(WebConstants.KERBEROS_TOKEN_PARAMETER); + String kerberosUserDomain = request.getParameter(WebConstants.KERBEROS_USERDOMAIN_PARAMETER); + + if(!enable + || isAuthenticated + || kerberosTokenString == null){ + return true; + } + + _logger.debug("Kerberos Login Start ..."); + _logger.info("Request url : "+ request.getRequestURL()); + _logger.info("Request URI : "+ request.getRequestURI()); + _logger.info("Request ContextPath : "+ request.getContextPath()); + _logger.info("Request ServletPath : "+ request.getServletPath()); + _logger.debug("RequestSessionId : "+ request.getRequestedSessionId()); + _logger.debug("isRequestedSessionIdValid : "+ request.isRequestedSessionIdValid()); + _logger.debug("getSession : "+ request.getSession(false)); + + // session not exists,session timeout,recreate new session + if(request.getSession(false) == null) { + _logger.info("recreate new session ."); + request.getSession(true); + } + + _logger.info("getSession.getId : "+ request.getSession().getId()); + + //for Kerberos Login + _logger.debug("Try Kerberos login "); + _logger.debug("encoder Kerberos Token "+kerberosTokenString); + _logger.debug("kerberos UserDomain "+kerberosUserDomain); + + String decoderKerberosToken=null; + for(KerberosProxy kerberosProxy : kerberosService.getKerberosProxys()){ + if(kerberosProxy.getUserdomain().equalsIgnoreCase(kerberosUserDomain)){ + decoderKerberosToken=ReciprocalUtils.aesDecoder(kerberosTokenString, kerberosProxy.getCrypto()); + break; + } + } + _logger.debug("decoder Kerberos Token "+decoderKerberosToken); + KerberosToken kerberosToken=new KerberosToken(); + kerberosToken=(KerberosToken)JsonUtils.json2Object(decoderKerberosToken, kerberosToken); + _logger.debug("Kerberos Token "+kerberosToken); + + DateTime notOnOrAfter=DateUtils.toUtcDate(kerberosToken.getNotOnOrAfter()); + _logger.debug("Kerberos Token is After Now "+notOnOrAfter.isAfterNow()); + + if(notOnOrAfter.isAfterNow()){ + authenticationProvider.trustAuthentication(kerberosToken.getPrincipal(),ConstantsLoginType.KERBEROS,kerberosUserDomain,"","success"); + _logger.debug("Kerberos Logined in , username " + kerberosToken.getPrincipal()); + } + + return true; + } + + public HttpKerberosEntryPoint() { + super(); + } + + public HttpKerberosEntryPoint (boolean enable) { + super(); + this.enable = enable; + } + + public HttpKerberosEntryPoint(AbstractAuthenticationProvider authenticationProvider, KerberosService kerberosService, + ApplicationConfig applicationConfig, boolean enable) { + super(); + this.authenticationProvider = authenticationProvider; + this.kerberosService = kerberosService; + this.applicationConfig = applicationConfig; + this.enable = enable; + } + + public boolean isEnable() { + return enable; + } + + public void setEnable(boolean enable) { + this.enable = enable; + } + + public void setApplicationConfig(ApplicationConfig applicationConfig) { + this.applicationConfig = applicationConfig; + } + + public void setAuthenticationProvider(AbstractAuthenticationProvider authenticationProvider) { + this.authenticationProvider = authenticationProvider; + } + + + +} diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/KerberosService.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/KerberosService.java index 748727259..a73143d1f 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/KerberosService.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/KerberosService.java @@ -17,9 +17,11 @@ package org.maxkey.authn.support.kerberos; +import java.util.List; + public interface KerberosService { - public boolean login(String kerberosTokenString,String kerberosUserDomain); + public List getKerberosProxys(); public String buildKerberosProxys( ); diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/RemoteKerberosService.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/RemoteKerberosService.java index ce0018d63..efcab950e 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/RemoteKerberosService.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/kerberos/RemoteKerberosService.java @@ -21,12 +21,6 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; - -import org.joda.time.DateTime; -import org.maxkey.authn.AbstractAuthenticationProvider; -import org.maxkey.constants.ConstantsLoginType; -import org.maxkey.crypto.ReciprocalUtils; -import org.maxkey.util.DateUtils; import org.maxkey.util.JsonUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,36 +28,6 @@ import org.slf4j.LoggerFactory; public class RemoteKerberosService implements KerberosService{ private static Logger _logger = LoggerFactory.getLogger(RemoteKerberosService.class); List kerberosProxys; - - AbstractAuthenticationProvider authenticationProvider ; - - public boolean login(String kerberosTokenString,String kerberosUserDomain){ - _logger.debug("encoder Kerberos Token "+kerberosTokenString); - _logger.debug("kerberos UserDomain "+kerberosUserDomain); - - String decoderKerberosToken=null; - for(KerberosProxy kerberosProxy : kerberosProxys){ - if(kerberosProxy.getUserdomain().equalsIgnoreCase(kerberosUserDomain)){ - decoderKerberosToken=ReciprocalUtils.aesDecoder(kerberosTokenString, kerberosProxy.getCrypto()); - break; - } - } - _logger.debug("decoder Kerberos Token "+decoderKerberosToken); - KerberosToken kerberosToken=new KerberosToken(); - kerberosToken=(KerberosToken)JsonUtils.json2Object(decoderKerberosToken, kerberosToken); - _logger.debug("Kerberos Token "+kerberosToken); - - DateTime notOnOrAfter=DateUtils.toUtcDate(kerberosToken.getNotOnOrAfter()); - _logger.debug("Kerberos Token is After Now "+notOnOrAfter.isAfterNow()); - if(notOnOrAfter.isAfterNow()){ - authenticationProvider.trustAuthentication(kerberosToken.getPrincipal(),ConstantsLoginType.KERBEROS,kerberosUserDomain,"","success"); - return true; - }else{ - - return false; - } - - } public List getKerberosProxys() { return kerberosProxys; diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/rememberme/HttpRemeberMeEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/rememberme/HttpRemeberMeEntryPoint.java index cbedd8baf..59ad38118 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/rememberme/HttpRemeberMeEntryPoint.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/rememberme/HttpRemeberMeEntryPoint.java @@ -49,9 +49,12 @@ public class HttpRemeberMeEntryPoint implements AsyncHandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception { boolean isAuthenticated= WebContext.isAuthenticated(); - Cookie readRemeberMeCookie = WebContext.readCookieByName(request,WebConstants.REMEBER_ME_COOKIE); - if(!enable || isAuthenticated){ + + if(!enable + || isAuthenticated + || readRemeberMeCookie==null + || !applicationConfig.getLoginConfig().isRemeberMe()){ return true; } @@ -72,37 +75,35 @@ public class HttpRemeberMeEntryPoint implements AsyncHandlerInterceptor { _logger.info("getSession.getId : "+ request.getSession().getId()); - if(applicationConfig.getLoginConfig().isRemeberMe()&&readRemeberMeCookie!=null){ - _logger.debug("Try RemeberMe login "); - String remeberMe = readRemeberMeCookie.getValue(); - _logger.debug("RemeberMe : " + remeberMe); + _logger.debug("Try RemeberMe login "); + String remeberMe = readRemeberMeCookie.getValue(); + _logger.debug("RemeberMe : " + remeberMe); - remeberMe = new String(Base64Utils.base64UrlDecode(remeberMe)); + remeberMe = new String(Base64Utils.base64UrlDecode(remeberMe)); - remeberMe = ReciprocalUtils.decoder(remeberMe); + remeberMe = ReciprocalUtils.decoder(remeberMe); - _logger.debug("decoder RemeberMe : " + remeberMe); - RemeberMe remeberMeCookie = new RemeberMe(); - remeberMeCookie = (RemeberMe) JsonUtils.json2Object(remeberMe, remeberMeCookie); - _logger.debug("Remeber Me Cookie : " + remeberMeCookie); + _logger.debug("decoder RemeberMe : " + remeberMe); + RemeberMe remeberMeCookie = new RemeberMe(); + remeberMeCookie = (RemeberMe) JsonUtils.json2Object(remeberMe, remeberMeCookie); + _logger.debug("Remeber Me Cookie : " + remeberMeCookie); - RemeberMe storeRemeberMe = remeberMeService.read(remeberMeCookie); - if (storeRemeberMe != null) { - DateTime loginDate = new DateTime(storeRemeberMe.getLastLogin()); - DateTime expiryDate = loginDate.plusSeconds(remeberMeService.getRemeberMeValidity()); - DateTime now = new DateTime(); - if (now.isBefore(expiryDate)) { - authenticationProvider.trustAuthentication( - storeRemeberMe.getUsername(), - ConstantsLoginType.REMEBER_ME, - "", - "", - "success"); - remeberMeService.updateRemeberMe(remeberMeCookie, response); - - } - } - } + RemeberMe storeRemeberMe = remeberMeService.read(remeberMeCookie); + if (storeRemeberMe != null) { + DateTime loginDate = new DateTime(storeRemeberMe.getLastLogin()); + DateTime expiryDate = loginDate.plusSeconds(remeberMeService.getRemeberMeValidity()); + DateTime now = new DateTime(); + if (now.isBefore(expiryDate)) { + authenticationProvider.trustAuthentication( + storeRemeberMe.getUsername(), + ConstantsLoginType.REMEBER_ME, + "", + "", + "success"); + remeberMeService.updateRemeberMe(remeberMeCookie, response); + _logger.debug("RemeberMe Logined in , username " + storeRemeberMe.getUsername()); + } + } return true; } diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/HttpWsFederationEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/HttpWsFederationEntryPoint.java new file mode 100644 index 000000000..7fadfbc44 --- /dev/null +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/HttpWsFederationEntryPoint.java @@ -0,0 +1,157 @@ +/* + * Copyright [2020] [MaxKey of copyright http://www.maxkey.top] + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +package org.maxkey.authn.support.wsfederation; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.maxkey.authn.AbstractAuthenticationProvider; +import org.maxkey.configuration.ApplicationConfig; +import org.maxkey.constants.ConstantsLoginType; +import org.maxkey.util.StringUtils; +import org.maxkey.web.WebContext; +import org.opensaml.saml1.core.impl.AssertionImpl; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.web.servlet.AsyncHandlerInterceptor; + + +public class HttpWsFederationEntryPoint implements AsyncHandlerInterceptor { + private static final Logger _logger = LoggerFactory.getLogger(HttpWsFederationEntryPoint.class); + + boolean enable; + + ApplicationConfig applicationConfig; + + AbstractAuthenticationProvider authenticationProvider ; + + WsFederationService wsFederationService; + + @Override + public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception { + boolean isAuthenticated= WebContext.isAuthenticated(); + String wsFederationWA = request.getParameter(WsFederationConstants.WA); + String wsFederationWResult = request.getParameter(WsFederationConstants.WRESULT); + + if(!enable + || isAuthenticated + || !applicationConfig.getLoginConfig().isWsFederation() + || wsFederationWA == null){ + return true; + } + + _logger.debug("WsFederation Login Start ..."); + _logger.info("Request url : "+ request.getRequestURL()); + _logger.info("Request URI : "+ request.getRequestURI()); + _logger.info("Request ContextPath : "+ request.getContextPath()); + _logger.info("Request ServletPath : "+ request.getServletPath()); + _logger.debug("RequestSessionId : "+ request.getRequestedSessionId()); + _logger.debug("isRequestedSessionIdValid : "+ request.isRequestedSessionIdValid()); + _logger.debug("getSession : "+ request.getSession(false)); + + // session not exists,session timeout,recreate new session + if(request.getSession(false) == null) { + _logger.info("recreate new session ."); + request.getSession(true); + } + + _logger.info("getSession.getId : "+ request.getSession().getId()); + + //for WsFederation Login + _logger.debug("WsFederation : " + wsFederationWA +" , wsFederationWResult : " + wsFederationWResult); + if(applicationConfig.getLoginConfig().isWsFederation() + && StringUtils.isNotEmpty(wsFederationWA) + && wsFederationWA.equalsIgnoreCase(WsFederationConstants.WSIGNIN)){ + _logger.debug("wresult : {}"+wsFederationWResult); + + final String wctx = request.getParameter(WsFederationConstants.WCTX); + _logger.debug("wctx : {}"+ wctx); + + // create credentials + final AssertionImpl assertion = WsFederationUtils.parseTokenFromString(wsFederationWResult); + //Validate the signature + if (assertion != null && WsFederationUtils.validateSignature(assertion, wsFederationService.getWsFederationConfiguration().getSigningCertificates())) { + final WsFederationCredential wsFederationCredential = WsFederationUtils.createCredentialFromToken(assertion); + + if (wsFederationCredential != null && wsFederationCredential.isValid(wsFederationService.getWsFederationConfiguration().getRelyingParty(), + wsFederationService.getWsFederationConfiguration().getIdentifier(), + wsFederationService.getWsFederationConfiguration().getTolerance())) { + + //Give the library user a chance to change the attributes as necessary + if (wsFederationService.getWsFederationConfiguration().getAttributeMutator() != null) { + wsFederationService.getWsFederationConfiguration().getAttributeMutator().modifyAttributes( + wsFederationCredential.getAttributes(), + wsFederationService.getWsFederationConfiguration().getUpnSuffix()); + } + + authenticationProvider.trustAuthentication( + wsFederationCredential.getAttributes().get("").toString(), + ConstantsLoginType.WSFEDERATION, + "","","success"); + return true; + } else { + _logger.warn("SAML assertions are blank or no longer valid."); + } + } else { + _logger.error("WS Requested Security Token is blank or the signature is not valid."); + } + } + + return true; + } + + public HttpWsFederationEntryPoint() { + super(); + } + + public HttpWsFederationEntryPoint (boolean enable) { + super(); + this.enable = enable; + } + + public HttpWsFederationEntryPoint(AbstractAuthenticationProvider authenticationProvider, WsFederationService wsFederationService, + ApplicationConfig applicationConfig, boolean enable) { + super(); + this.authenticationProvider = authenticationProvider; + this.wsFederationService = wsFederationService; + this.applicationConfig = applicationConfig; + this.enable = enable; + } + + public boolean isEnable() { + return enable; + } + + public void setEnable(boolean enable) { + this.enable = enable; + } + + public void setApplicationConfig(ApplicationConfig applicationConfig) { + this.applicationConfig = applicationConfig; + } + + public void setAuthenticationProvider(AbstractAuthenticationProvider authenticationProvider) { + this.authenticationProvider = authenticationProvider; + } + + public void setWsFederationService(WsFederationService wsFederationService) { + this.wsFederationService = wsFederationService; + } + + + +} diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationService.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationService.java index 2376ecd3b..7e626a36f 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationService.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationService.java @@ -17,9 +17,7 @@ package org.maxkey.authn.support.wsfederation; -import javax.servlet.http.HttpServletRequest; - public interface WsFederationService { - public boolean login(String wsFederationWA,String wsFederationWResult,HttpServletRequest request); + public WsFederationConfiguration getWsFederationConfiguration(); } diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationServiceImpl.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationServiceImpl.java index ae2c11a72..8ac0c6fd3 100644 --- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationServiceImpl.java +++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/wsfederation/WsFederationServiceImpl.java @@ -17,72 +17,24 @@ package org.maxkey.authn.support.wsfederation; -import javax.servlet.http.HttpServletRequest; - -import org.maxkey.authn.AbstractAuthenticationProvider; -import org.maxkey.constants.ConstantsLoginType; -import org.maxkey.util.StringUtils; -import org.opensaml.saml1.core.impl.AssertionImpl; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Qualifier; public class WsFederationServiceImpl implements WsFederationService{ final static Logger _logger = LoggerFactory.getLogger(WsFederationServiceImpl.class); private WsFederationConfiguration wsFederationConfiguration; - - @Autowired - @Qualifier("authenticationProvider") - AbstractAuthenticationProvider authenticationProvider ; - - public boolean login(String wsFederationWA,String wsFederationWResult,HttpServletRequest request){ - // it's an authentication - if (StringUtils.isNotEmpty(wsFederationWA) && wsFederationWA.equalsIgnoreCase(WsFederationConstants.WSIGNIN)) { - _logger.debug("wresult : {}"+wsFederationWResult); - - final String wctx = request.getParameter(WsFederationConstants.WCTX); - _logger.debug("wctx : {}"+ wctx); - - // create credentials - final AssertionImpl assertion = WsFederationUtils.parseTokenFromString(wsFederationWResult); - //Validate the signature - if (assertion != null && WsFederationUtils.validateSignature(assertion, wsFederationConfiguration.getSigningCertificates())) { - final WsFederationCredential wsFederationCredential = WsFederationUtils.createCredentialFromToken(assertion); - - if (wsFederationCredential != null && wsFederationCredential.isValid(wsFederationConfiguration.getRelyingParty(), - wsFederationConfiguration.getIdentifier(), - wsFederationConfiguration.getTolerance())) { - - //Give the library user a chance to change the attributes as necessary - if (wsFederationConfiguration.getAttributeMutator() != null) { - wsFederationConfiguration.getAttributeMutator().modifyAttributes( - wsFederationCredential.getAttributes(), - wsFederationConfiguration.getUpnSuffix()); - } - - authenticationProvider.trustAuthentication( - wsFederationCredential.getAttributes().get("").toString(), - ConstantsLoginType.WSFEDERATION, - "","","success"); - return true; - } else { - _logger.warn("SAML assertions are blank or no longer valid."); - return false; - } - } else { - _logger.error("WS Requested Security Token is blank or the signature is not valid."); - return false; - } - } - return false; - } public void setWsFederationConfiguration( WsFederationConfiguration wsFederationConfiguration) { this.wsFederationConfiguration = wsFederationConfiguration; } + + public WsFederationConfiguration getWsFederationConfiguration() { + return wsFederationConfiguration; + } + + } diff --git a/maxkey-web-manage/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java b/maxkey-web-manage/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java index 9b395bae1..26767b070 100644 --- a/maxkey-web-manage/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java +++ b/maxkey-web-manage/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java @@ -17,9 +17,6 @@ package org.maxkey.web.endpoint; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - import org.maxkey.authn.AbstractAuthenticationProvider; import org.maxkey.authn.LoginCredential; import org.maxkey.configuration.ApplicationConfig; @@ -56,26 +53,19 @@ public class LoginEndpoint { * @return */ @RequestMapping(value={"/login"}) - public ModelAndView login( - HttpServletRequest request, - HttpServletResponse response) { - + public ModelAndView login() { _logger.debug("LoginController /login."); - ModelAndView modelAndView = new ModelAndView(); boolean isAuthenticated= WebContext.isAuthenticated(); - //for normal login - if(!isAuthenticated){ - modelAndView.addObject("isRemeberMe", applicationConfig.getLoginConfig().isRemeberMe()); - - modelAndView.addObject("isCaptcha", applicationConfig.getLoginConfig().isCaptcha()); - modelAndView.addObject("sessionid", WebContext.getSession().getId()); + if(isAuthenticated){ + return WebContext.redirect("/main"); } - if(WebContext.isAuthenticated()){ - return WebContext.redirect("/main"); - } + ModelAndView modelAndView = new ModelAndView(); + modelAndView.addObject("isRemeberMe", applicationConfig.getLoginConfig().isRemeberMe()); + modelAndView.addObject("isCaptcha", applicationConfig.getLoginConfig().isCaptcha()); + modelAndView.addObject("sessionid", WebContext.getSession().getId()); modelAndView.setViewName("login"); return modelAndView; } diff --git a/maxkey-web-maxkey/src/main/java/org/maxkey/MaxKeyMvcConfig.java b/maxkey-web-maxkey/src/main/java/org/maxkey/MaxKeyMvcConfig.java index c217c20df..164733cd5 100644 --- a/maxkey-web-maxkey/src/main/java/org/maxkey/MaxKeyMvcConfig.java +++ b/maxkey-web-maxkey/src/main/java/org/maxkey/MaxKeyMvcConfig.java @@ -20,6 +20,8 @@ package org.maxkey; import org.maxkey.authn.AbstractAuthenticationProvider; import org.maxkey.authn.support.basic.BasicEntryPoint; import org.maxkey.authn.support.httpheader.HttpHeaderEntryPoint; +import org.maxkey.authn.support.kerberos.HttpKerberosEntryPoint; +import org.maxkey.authn.support.kerberos.KerberosService; import org.maxkey.authn.support.rememberme.AbstractRemeberMeService; import org.maxkey.authn.support.rememberme.HttpRemeberMeEntryPoint; import org.maxkey.configuration.ApplicationConfig; @@ -59,6 +61,10 @@ public class MaxKeyMvcConfig implements WebMvcConfigurer { @Qualifier("remeberMeService") AbstractRemeberMeService remeberMeService; + @Autowired + @Qualifier("kerberosService") + KerberosService kerberosService; + @Autowired PermissionAdapter permissionAdapter; @@ -115,6 +121,12 @@ public class MaxKeyMvcConfig implements WebMvcConfigurer { authenticationProvider,remeberMeService,applicationConfig,true)) .addPathPatterns("/login"); + _logger.debug("add HttpKerberosEntryPoint"); + registry.addInterceptor(new HttpKerberosEntryPoint( + authenticationProvider,kerberosService,applicationConfig,true)) + .addPathPatterns("/login"); + + if(httpHeaderEnable) { registry.addInterceptor(new HttpHeaderEntryPoint(httpHeaderName,httpHeaderEnable)) .addPathPatterns("/*"); diff --git a/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/RegistrationController.java b/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/RegistrationController.java index 0d26d0739..8fa325841 100644 --- a/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/RegistrationController.java +++ b/maxkey-web-maxkey/src/main/java/org/maxkey/web/contorller/RegistrationController.java @@ -17,8 +17,13 @@ package org.maxkey.web.contorller; +import java.io.IOException; import java.util.Date; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + import org.apache.commons.mail.DefaultAuthenticator; import org.apache.commons.mail.EmailException; import org.apache.commons.mail.HtmlEmail; @@ -31,7 +36,10 @@ import org.maxkey.domain.UserInfo; import org.maxkey.persistence.service.RegistrationService; import org.maxkey.persistence.service.UserInfoService; import org.maxkey.util.DateUtils; +import org.maxkey.util.StringUtils; +import org.maxkey.web.WebConstants; import org.maxkey.web.WebContext; +import org.maxkey.web.message.Message; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -42,6 +50,7 @@ import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.servlet.ModelAndView; @@ -174,5 +183,51 @@ public class RegistrationController { return modelAndView; } + + /** + * view register + * @return + */ + @RequestMapping(value={"/register"}) + public ModelAndView register(HttpServletRequest request,HttpServletResponse response) { + _logger.debug("/register."); + ModelAndView modelAndView = new ModelAndView("registration/register"); + Object loginErrorMessage=WebContext.getAttribute(WebConstants.LOGIN_ERROR_SESSION_MESSAGE); + modelAndView.addObject("loginErrorMessage", loginErrorMessage==null?"":loginErrorMessage); + WebContext.removeAttribute(WebConstants.LOGIN_ERROR_SESSION_MESSAGE); + return modelAndView; + } + + @RequestMapping(value={"/registeron"}) + @ResponseBody + public Message registeron(UserInfo userInfo,@RequestParam String emailMobile) throws ServletException, IOException { + if(StringUtils.isNullOrBlank(emailMobile)) { + return new Message(WebContext.getI18nValue("register.emailMobile.error"),"1"); + } + if(StringUtils.isValidEmail(emailMobile)) { + userInfo.setEmail(emailMobile); + } + if(StringUtils.isValidMobileNo(emailMobile)) { + userInfo.setMobile(emailMobile); + } + if(!(StringUtils.isValidEmail(emailMobile)||StringUtils.isValidMobileNo(emailMobile))) { + return new Message(WebContext.getI18nValue("register.emailMobile.error"),"1"); + } + UserInfo temp=userInfoService.queryUserInfoByEmailMobile(emailMobile); + if(temp!=null) { + return new Message(WebContext.getI18nValue("register.emailMobile.exist"),"1"); + } + + temp=userInfoService.loadByUsername(userInfo.getUsername()); + if(temp!=null) { + return new Message(WebContext.getI18nValue("register.user.error"),"1"); + } + userInfo.setStatus(ConstantsStatus.ACTIVE); + if(userInfoService.insert(userInfo)) { + return new Message(WebContext.getI18nValue("login.text.register.success"),"0"); + } + return new Message(WebContext.getI18nValue("login.text.register.error"),"1"); + + } } diff --git a/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java b/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java index 72476286e..d9fdb3cd1 100644 --- a/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java +++ b/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java @@ -19,25 +19,19 @@ package org.maxkey.web.endpoint; import java.io.IOException; import java.util.HashMap; - import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; - import org.maxkey.authn.AbstractAuthenticationProvider; import org.maxkey.authn.LoginCredential; import org.maxkey.authn.support.kerberos.KerberosService; import org.maxkey.authn.support.socialsignon.service.SocialSignOnProviderService; -import org.maxkey.authn.support.wsfederation.WsFederationConstants; import org.maxkey.configuration.ApplicationConfig; -import org.maxkey.constants.ConstantsStatus; import org.maxkey.domain.UserInfo; import org.maxkey.password.onetimepwd.AbstractOtpAuthn; import org.maxkey.persistence.service.UserInfoService; -import org.maxkey.util.StringUtils; import org.maxkey.web.WebConstants; import org.maxkey.web.WebContext; -import org.maxkey.web.message.Message; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -46,11 +40,9 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.ModelAttribute; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.servlet.ModelAndView; - /** * @author Crystal.Sea * @@ -63,6 +55,10 @@ public class LoginEndpoint { @Qualifier("applicationConfig") ApplicationConfig applicationConfig; + @Autowired + @Qualifier("authenticationProvider") + AbstractAuthenticationProvider authenticationProvider ; + @Autowired @Qualifier("socialSignOnProviderService") SocialSignOnProviderService socialSignOnProviderService; @@ -75,14 +71,6 @@ public class LoginEndpoint { @Qualifier("userInfoService") UserInfoService userInfoService; - /*@Autowired - @Qualifier("wsFederationService") - WsFederationService wsFederationService;*/ - - @Autowired - @Qualifier("authenticationProvider") - AbstractAuthenticationProvider authenticationProvider ; - @Autowired @Qualifier("tfaOtpAuthn") protected AbstractOtpAuthn tfaOtpAuthn; @@ -92,66 +80,35 @@ public class LoginEndpoint { * @return */ @RequestMapping(value={"/login"}) - public ModelAndView login( - HttpServletRequest request, - HttpServletResponse response, - @RequestParam(value=WebConstants.CAS_SERVICE_PARAMETER,required=false) String casService, - @RequestParam(value=WebConstants.KERBEROS_TOKEN_PARAMETER,required=false) String kerberosToken, - @RequestParam(value=WebConstants.KERBEROS_USERDOMAIN_PARAMETER,required=false) String kerberosUserDomain, - @RequestParam(value=WsFederationConstants.WA,required=false) String wsFederationWA, - @RequestParam(value=WsFederationConstants.WRESULT,required=false) String wsFederationWResult) { - + public ModelAndView login() { _logger.debug("LoginController /login."); - ModelAndView modelAndView = new ModelAndView("login"); - boolean isAuthenticated= WebContext.isAuthenticated(); - //for Kerberos login - if(!isAuthenticated){ - if(applicationConfig.getLoginConfig().isKerberos()&& - kerberosUserDomain!=null&&!kerberosUserDomain.equals("")&& - kerberosToken!=null && !kerberosToken.equals("")){ - _logger.debug("Try Kerberos login "); - isAuthenticated=kerberosService.login(kerberosToken,kerberosUserDomain); - } - } - //for WsFederation login - if(!isAuthenticated){ - if(applicationConfig.getLoginConfig().isWsFederation()&& - StringUtils.isNotEmpty(wsFederationWA) && - wsFederationWA.equalsIgnoreCase(WsFederationConstants.WSIGNIN)){ - _logger.debug("Try WsFederation login "); - //isAuthenticated=wsFederationService.login(wsFederationWA,wsFederationWResult,request); - } - } - - //for normal login - if(!isAuthenticated){ - modelAndView.addObject("isRemeberMe", applicationConfig.getLoginConfig().isRemeberMe()); - modelAndView.addObject("isKerberos", applicationConfig.getLoginConfig().isKerberos()); - modelAndView.addObject("isMfa", applicationConfig.getLoginConfig().isMfa()); - if(applicationConfig.getLoginConfig().isMfa()) { - modelAndView.addObject("otpType", tfaOtpAuthn.getOtpType()); - modelAndView.addObject("otpInterval", tfaOtpAuthn.getInterval()); - } - - if( applicationConfig.getLoginConfig().isKerberos()){ - modelAndView.addObject("userDomainUrlJson", kerberosService.buildKerberosProxys()); - - } - modelAndView.addObject("isCaptcha", applicationConfig.getLoginConfig().isCaptcha()); - modelAndView.addObject("sessionid", WebContext.getSession().getId()); - //modelAndView.addObject("jwtToken",jwtLoginService.buildLoginJwt()); - //load Social Sign On Providers - if(applicationConfig.getLoginConfig().isSocialSignOn()){ - _logger.debug("Load Social Sign On Providers "); - modelAndView.addObject("ssopList", socialSignOnProviderService.getSocialSignOnProviders()); - } - } - if(isAuthenticated){ return WebContext.redirect("/forwardindex"); } + + //for normal login + ModelAndView modelAndView = new ModelAndView("login"); + modelAndView.addObject("isRemeberMe", applicationConfig.getLoginConfig().isRemeberMe()); + modelAndView.addObject("isKerberos", applicationConfig.getLoginConfig().isKerberos()); + modelAndView.addObject("isMfa", applicationConfig.getLoginConfig().isMfa()); + if(applicationConfig.getLoginConfig().isMfa()) { + modelAndView.addObject("otpType", tfaOtpAuthn.getOtpType()); + modelAndView.addObject("otpInterval", tfaOtpAuthn.getInterval()); + } + + if( applicationConfig.getLoginConfig().isKerberos()){ + modelAndView.addObject("userDomainUrlJson", kerberosService.buildKerberosProxys()); + } + modelAndView.addObject("isCaptcha", applicationConfig.getLoginConfig().isCaptcha()); + modelAndView.addObject("sessionid", WebContext.getSession().getId()); + //modelAndView.addObject("jwtToken",jwtLoginService.buildLoginJwt()); + //load Social Sign On Providers + if(applicationConfig.getLoginConfig().isSocialSignOn()){ + _logger.debug("Load Social Sign On Providers "); + modelAndView.addObject("ssopList", socialSignOnProviderService.getSocialSignOnProviders()); + } Object loginErrorMessage=WebContext.getAttribute(WebConstants.LOGIN_ERROR_SESSION_MESSAGE); modelAndView.addObject("loginErrorMessage", loginErrorMessage==null?"":loginErrorMessage); @@ -203,51 +160,5 @@ public class LoginEndpoint { return "fail"; } - - /** - * view register - * @return - */ - @RequestMapping(value={"/register"}) - public ModelAndView register(HttpServletRequest request,HttpServletResponse response) { - - _logger.debug("LoginController /register."); - ModelAndView modelAndView = new ModelAndView("registration/register"); - Object loginErrorMessage=WebContext.getAttribute(WebConstants.LOGIN_ERROR_SESSION_MESSAGE); - modelAndView.addObject("loginErrorMessage", loginErrorMessage==null?"":loginErrorMessage); - WebContext.removeAttribute(WebConstants.LOGIN_ERROR_SESSION_MESSAGE); - return modelAndView; - } - - @RequestMapping(value={"/registeron"}) - @ResponseBody - public Message registeron(UserInfo userInfo,@RequestParam String emailMobile) throws ServletException, IOException { - if(StringUtils.isNullOrBlank(emailMobile)) { - return new Message(WebContext.getI18nValue("register.emailMobile.error"),"1"); - } - if(StringUtils.isValidEmail(emailMobile)) { - userInfo.setEmail(emailMobile); - } - if(StringUtils.isValidMobileNo(emailMobile)) { - userInfo.setMobile(emailMobile); - } - if(!(StringUtils.isValidEmail(emailMobile)||StringUtils.isValidMobileNo(emailMobile))) { - return new Message(WebContext.getI18nValue("register.emailMobile.error"),"1"); - } - UserInfo temp=userInfoService.queryUserInfoByEmailMobile(emailMobile); - if(temp!=null) { - return new Message(WebContext.getI18nValue("register.emailMobile.exist"),"1"); - } - - temp=userInfoService.loadByUsername(userInfo.getUsername()); - if(temp!=null) { - return new Message(WebContext.getI18nValue("register.user.error"),"1"); - } - userInfo.setStatus(ConstantsStatus.ACTIVE); - if(userInfoService.insert(userInfo)) { - return new Message(WebContext.getI18nValue("login.text.register.success"),"0"); - } - return new Message(WebContext.getI18nValue("login.text.register.error"),"1"); - - } + }