List of usage examples for org.springframework.security.web.authentication.preauth PreAuthenticatedAuthenticationToken getPrincipal
public Object getPrincipal()
From source file:net.maritimecloud.identityregistry.utils.AccessControlUtil.java
/**
 * Checks whether the currently authenticated principal holds the given permission.
 *
 * <p>Two authentication flavours are understood. For a Keycloak (OIDC) token the permissions are
 * read from the comma-separated claim {@code AccessControlUtil.PERMISSIONS_PROPERTY_NAME}. For a
 * certificate-based {@link PreAuthenticatedAuthenticationToken} the {@link InetOrgPerson} principal
 * carries comma-separated permissions in each of its granted authorities. Any other (or absent)
 * authentication yields {@code false}.
 *
 * @param permission the permission name to look for; compared case-insensitively
 * @return {@code true} if the permission is found for the current user, otherwise {@code false}
 */
public static boolean hasPermission(String permission) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    if (auth instanceof KeycloakAuthenticationToken) {
        log.debug("OIDC permission lookup");
        KeycloakSecurityContext ksc =
                (KeycloakSecurityContext) ((KeycloakAuthenticationToken) auth).getCredentials();
        Map<String, Object> otherClaims = ksc.getToken().getOtherClaims();
        if (!otherClaims.containsKey(AccessControlUtil.PERMISSIONS_PROPERTY_NAME)) {
            return false;
        }
        String claimedPermissions = (String) otherClaims.get(AccessControlUtil.PERMISSIONS_PROPERTY_NAME);
        return containsPermissionIgnoreCase(claimedPermissions, permission);
    }

    if (auth instanceof PreAuthenticatedAuthenticationToken) {
        log.debug("Certificate permission lookup");
        InetOrgPerson person =
                (InetOrgPerson) ((PreAuthenticatedAuthenticationToken) auth).getPrincipal();
        // Each authority value is itself a comma-separated permission list.
        for (GrantedAuthority authority : person.getAuthorities()) {
            if (containsPermissionIgnoreCase(authority.getAuthority(), permission)) {
                return true;
            }
        }
        return false;
    }

    if (auth != null) {
        log.debug("Unknown authentication method: " + auth.getClass());
    }
    return false;
}

/**
 * Splits a comma-separated permission list and reports whether one entry equals
 * {@code permission}, ignoring case.
 *
 * @param permissionCsv comma-separated permission names (must not be {@code null})
 * @param permission the permission to look for
 * @return {@code true} if an entry matches case-insensitively
 */
private static boolean containsPermissionIgnoreCase(String permissionCsv, String permission) {
    for (String entry : permissionCsv.split(",")) {
        if (entry.equalsIgnoreCase(permission)) {
            return true;
        }
    }
    return false;
}
From source file:net.maritimecloud.identityregistry.utils.AccessControlUtil.java
/**
 * Reports whether the current certificate-authenticated principal is the configured user-sync'er.
 *
 * <p>Only a {@link PreAuthenticatedAuthenticationToken} (certificate login) qualifies. Its
 * {@link InetOrgPerson} principal must match all four expected attributes: uid (MRN), O, OU and
 * the country, which this deployment stores in {@code postalAddress} because the
 * {@code InetOrgPerson} type has no country attribute.
 *
 * @param userSyncMRN expected uid of the sync'er
 * @param userSyncO expected organization (O) of the sync'er
 * @param userSyncOU expected organizational unit (OU) of the sync'er
 * @param userSyncC expected country of the sync'er, read from {@code postalAddress}
 * @return {@code true} only when every attribute matches
 */
public static boolean isUserSync(String userSyncMRN, String userSyncO, String userSyncOU, String userSyncC) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (!(auth instanceof PreAuthenticatedAuthenticationToken)) {
        return false;
    }

    log.debug("Certificate authentication of user sync'er in process");
    InetOrgPerson person = (InetOrgPerson) ((PreAuthenticatedAuthenticationToken) auth).getPrincipal();

    // Short-circuit comparison, in the same order as the configured attributes.
    // Hack alert! There is no country property in this type, so we misuse PostalAddress...
    boolean isSyncer = userSyncMRN.equals(person.getUid())
            && userSyncO.equals(person.getO())
            && userSyncOU.equals(person.getOu())
            && userSyncC.equals(person.getPostalAddress());
    if (isSyncer) {
        log.debug("User sync'er accepted!");
        return true;
    }

    log.debug("This was not the user-sync'er! " + userSyncMRN + "~" + person.getUid() + ", " + userSyncO + "~" + person.getO() + ", " + userSyncOU + "~" + person.getOu() + ", " + userSyncC + "~" + person.getPostalAddress());
    return false;
}
From source file:net.maritimecloud.identityregistry.utils.AccessControlUtil.java
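/**
 * Decides whether the current user may access the organization identified by {@code orgMrn}.
 *
 * <p>Access is granted when the user carries the {@code ROLE_SITE_ADMIN} authority, or when the
 * organization bound to the authentication matches {@code orgMrn}: for a Keycloak (OIDC) token the
 * organization is read from the claim {@code AccessControlUtil.ORG_PROPERTY_NAME} and compared
 * case-insensitively; for a certificate-based {@link PreAuthenticatedAuthenticationToken} the
 * {@code O} attribute of the {@link InetOrgPerson} principal (an MRN) is compared exactly.
 *
 * @param orgMrn the MRN of the organization being accessed; {@code null} or blank is rejected
 * @return {@code true} if access is granted, {@code false} otherwise — including when no
 *         authentication is present in the security context
 */
public static boolean hasAccessToOrg(String orgMrn) {
    if (orgMrn == null || orgMrn.trim().isEmpty()) {
        log.debug("The orgMrn was empty!");
        return false;
    }
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    // An unauthenticated request carries no Authentication; previously the role scan below
    // dereferenced it and failed with a NullPointerException instead of denying access.
    if (auth == null) {
        log.debug("No authentication present, access to " + orgMrn + " denied");
        return false;
    }
    // First check if the user is a SITE_ADMIN, in which case he gets access.
    for (GrantedAuthority authority : auth.getAuthorities()) {
        String role = authority.getAuthority();
        log.debug("User has role: " + role);
        if ("ROLE_SITE_ADMIN".equals(role)) {
            return true;
        }
    }
    log.debug("User not a SITE_ADMIN");
    // Check if the user is part of the organization
    if (auth instanceof KeycloakAuthenticationToken) {
        log.debug("OIDC authentication in process");
        KeycloakSecurityContext ksc =
                (KeycloakSecurityContext) ((KeycloakAuthenticationToken) auth).getCredentials();
        Map<String, Object> otherClaims = ksc.getToken().getOtherClaims();
        Object claimedOrg = otherClaims.get(AccessControlUtil.ORG_PROPERTY_NAME);
        // equalsIgnoreCase is locale-independent (toLowerCase() used the JVM default locale) and
        // tolerates a present-but-null claim value instead of throwing.
        if (otherClaims.containsKey(AccessControlUtil.ORG_PROPERTY_NAME)
                && orgMrn.equalsIgnoreCase((String) claimedOrg)) {
            log.debug("Entity from org: " + claimedOrg + " is in " + orgMrn);
            return true;
        }
        log.debug("Entity from org: " + claimedOrg + " is not in " + orgMrn);
        return false;
    }
    if (auth instanceof PreAuthenticatedAuthenticationToken) {
        log.debug("Certificate authentication in process");
        // Check that the Organization name of the accessed organization and the organization in
        // the certificate is equal
        InetOrgPerson person = (InetOrgPerson) ((PreAuthenticatedAuthenticationToken) auth).getPrincipal();
        // The O(rganization) value in the certificate is an MRN
        String certOrgMrn = person.getO();
        if (orgMrn.equals(certOrgMrn)) {
            log.debug("Entity with O=" + certOrgMrn + " is in " + orgMrn);
            return true;
        }
        log.debug("Entity with O=" + certOrgMrn + " is not in " + orgMrn);
        return false;
    }
    log.debug("Unknown authentication method: " + auth.getClass());
    return false;
}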
From source file:nl.surfnet.coin.api.oauth.ClientMetaDataPreAuthenticatedGrantedAuthoritiesUserDetailsService.java
/**
 * Builds the {@link UserDetails} for a pre-authenticated token whose principal is a
 * {@link ClientMetaDataPrincipal}.
 *
 * <p>The resulting {@link ClientMetaDataUser} uses the token's name as username, the placeholder
 * password {@code "N/A"}, all account flags set to {@code true}, the supplied authorities and the
 * client metadata taken from the principal.
 *
 * @param token the authentication to convert; must be a {@link PreAuthenticatedAuthenticationToken}
 * @param authorities the authorities to attach to the created user
 * @return the populated {@link ClientMetaDataUser}
 * @throws RuntimeException if the token or its principal is not of the required type
 */
@Override
protected UserDetails createuserDetails(Authentication token, Collection<? extends GrantedAuthority> authorities) {
    if (!(token instanceof PreAuthenticatedAuthenticationToken)) {
        throw new RuntimeException("The token is of the type '" + (token != null ? token.getClass() : "null") + "'. Required is a (sub)class of PreAuthenticatedAuthenticationToken");
    }
    Object principal = ((PreAuthenticatedAuthenticationToken) token).getPrincipal();
    if (!(principal instanceof ClientMetaDataPrincipal)) {
        throw new RuntimeException("The principal on the PreAuthenticatedAuthenticationToken is of the type '" + (principal != null ? principal.getClass() : "null") + "'. Required is a (sub)class of ClientMetaDataPrincipal");
    }
    ClientMetaDataPrincipal metaDataPrincipal = (ClientMetaDataPrincipal) principal;
    return new ClientMetaDataUser(token.getName(), "N/A", true, true, true, true, authorities,
            metaDataPrincipal.getClientMetaData());
}
From source file:jp.pigumer.security.ExampleAuthenticationProvider.java
/**
 * Authenticates a pre-authenticated request by resolving its principal to a local user.
 *
 * <p>The incoming token is treated as a {@link PreAuthenticatedAuthenticationToken} whose principal
 * is the username as a {@link String}. The user is loaded via {@code userDetailsService.loadUser}
 * and wrapped in an {@link ExampleAuthentication} that keeps the original request details.
 *
 * @param authentication the pre-authenticated token produced by an upstream filter
 * @return an {@link ExampleAuthentication} for the resolved user
 * @throws AuthenticationException declared by the provider contract; may propagate from the user lookup
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // NOTE(review): the unchecked cast relies on supports() (not shown here) having filtered the
    // token type; any other Authentication implementation would surface as a ClassCastException.
    PreAuthenticatedAuthenticationToken preAuth = (PreAuthenticatedAuthenticationToken) authentication;
    String username = (String) preAuth.getPrincipal();
    // NOTE(review): the whole token and result are rendered into the debug log — confirm neither
    // toString() exposes credentials or other sensitive request details.
    LOG.debug("authenticate: " + Objects.toString(preAuth, ""));

    User user = userDetailsService.loadUser(username);
    // NOTE(review): a null return from loadUser would fail here with a NullPointerException —
    // confirm the service throws UsernameNotFoundException for unknown users instead.
    ExampleAuthentication authenticated = new ExampleAuthentication(user, user.getAuthorities());
    authenticated.setDetails(preAuth.getDetails());

    LOG.debug("authenticate: " + Objects.toString(authenticated, ""));
    return authenticated;
}
From source file:de.punyco.thirtytwosquare.auth.GoogleUserDetailsService.java
/**
 * Resolves the {@link UserAccount} for a Google-authenticated principal.
 *
 * <p>The token's principal is the Google {@link User}; its user id is looked up in
 * {@code userRepository}. When no account exists, a new one is built from the Google profile
 * (id, email, nickname) and returned. Nothing in this method persists that new account.
 *
 * @param token the pre-authenticated token carrying the Google {@link User} as principal
 * @return the stored account, or a freshly built one for a first-time user
 * @throws UsernameNotFoundException declared by the interface; not raised here
 */
@Override
public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
    // NOTE(review): the full token is logged at INFO — confirm User.toString() does not render
    // profile data (email, nickname) that should stay out of the logs.
    LOG.info("Loading user details for token {}", token);
    User googleUser = (User) token.getPrincipal();

    UserAccount existing = userRepository.findByUserId(googleUser.getUserId());
    if (existing != null) {
        return existing;
    }

    // First login: build a transient account from the Google profile.
    UserAccount created = UserAccount.withGoogleId(googleUser.getUserId());
    created.setEmail(googleUser.getEmail());
    created.setNickname(googleUser.getNickname());
    return created;
}
From source file:de.zib.gndms.gndms.security.HostAndUserDetailsService.java
/**
 * Resolves user details for an X.509-authenticated DN, distinguishing host certificates from
 * user certificates.
 *
 * <p>If the DN is listed in the allowed-hosts grid-map file it is treated as a host: optionally
 * (when {@code reverseDNSTest} is set) the CN extracted from the DN must pass a reverse-DNS check
 * against the request details, after which a non-user {@link GNDMSUserDetails} with no authorities
 * is returned. Otherwise the DN is treated as a user: when the security context already holds a
 * {@link GNDMSUserDetails} user principal (from a previous filter), its username must equal the
 * DN, and the user is then loaded from {@code userDetailsService}.
 *
 * @param preAuthenticatedAuthenticationToken token whose principal is the DN string
 * @return host details or the loaded user details
 * @throws UsernameNotFoundException if the header DN and the certificate DN disagree
 * @throws BadCredentialsException if the reverse-DNS check fails or the host cannot be resolved
 * @throws RuntimeException wrapping any {@link IOException} from the grid-map lookup
 */
@Override
public UserDetails loadUserDetails(final PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken) throws UsernameNotFoundException {
    final String dn = (String) preAuthenticatedAuthenticationToken.getPrincipal();
    try {
        final boolean isKnownHost = GridMapUserDetailsService.searchInGridMapfile(allowedHostsFileName, dn);
        if (!isKnownHost) {
            rejectOnHeaderCertificateMismatch(dn);
            return userDetailsService.loadUserByUsername(dn);
        }

        if (reverseDNSTest) {
            try {
                final String hostCn = X509DnConverter.openSslDnExtractCn(dn);
                if (!reverseDNSLookup(hostCn, preAuthenticatedAuthenticationToken.getDetails())) {
                    logger.info("Host-CN revers DNS lookup failed for: " + dn);
                    throw new BadCredentialsException("Host-CN reverse DNS lookup failed.");
                }
            } catch (UnknownHostException e) {
                // Unresolvable host: the empty message keeps the reason in the cause only.
                throw new BadCredentialsException("", e);
            }
        }

        final GNDMSUserDetails hostDetails = new GNDMSUserDetails();
        hostDetails.setAuthorities(Collections.<GrantedAuthority>emptyList());
        hostDetails.setDn(dn);
        hostDetails.setIsUser(false);
        return hostDetails;
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}

/**
 * If the security context already carries a {@link GNDMSUserDetails} user principal (the request
 * header authentication), requires its username to equal the certificate DN.
 *
 * @param dn the DN taken from the certificate
 * @throws UsernameNotFoundException on a DN mismatch
 */
private static void rejectOnHeaderCertificateMismatch(final String dn) {
    final SecurityContext context = SecurityContextHolder.getContext();
    if (context == null || context.getAuthentication() == null) {
        return;
    }
    final Object principal = context.getAuthentication().getPrincipal();
    if (!(principal instanceof GNDMSUserDetails)) {
        return;
    }
    // now this must be the Request header authentication
    final GNDMSUserDetails headerDetails = (GNDMSUserDetails) principal;
    // the x509 cert from the previous filter must have been a user cert: check if the dn's match
    if (headerDetails.isUser() && !dn.equals(headerDetails.getUsername())) {
        throw new UsernameNotFoundException("Certificate vs HttpHeader: dn mismatch ('" + dn + "' vs. '" + headerDetails.getUsername() + "'.");
    }
}
From source file:nl.surfnet.coin.api.oauth.OpenConextOauth1TokenServices.java
/**
 * Persists an OAuth1 provider token, replacing any row with the same value.
 *
 * <p>For access tokens the consumer's client metadata is looked up by consumer key and attached to
 * the user principal (a {@link ClientMetaDataUser} or {@link SAMLAuthenticationToken}), whose name
 * becomes the stored user id; request tokens are stored with a {@code null} user id. The user
 * authentication is stored as a Java-serialized blob.
 *
 * @param value the token value, used as the row key
 * @param token the token to store
 * @throws RuntimeException if the consumer details, the user authentication or its principal are
 *         not of a supported type
 */
@Override
protected void storeToken(String value, OAuthProviderTokenImpl token) {
    Assert.notNull(token, "Token cannot be null");
    Assert.notNull(value, "token value cannot be null");
    Authentication userAuthentication = token.getUserAuthentication();

    String userId = token.isAccessToken()
            ? attachClientMetaData(token.getConsumerKey(), userAuthentication)
            : null;

    jdbcTemplate.update(deleteTokenSql, value);
    // NOTE(review): the authentication is written with Java native serialization; whatever reads this
    // column back must treat it as trusted-by-construction or apply an ObjectInputFilter.
    jdbcTemplate.update(insertTokenSql, value, token.getCallbackUrl(), token.getVerifier(), token.getSecret(),
            token.getConsumerKey(), userId, token.isAccessToken(), token.getTimestamp(),
            SerializationUtils.serialize(userAuthentication));
}

/**
 * Loads the consumer by key, pushes its client metadata into the user principal and returns the
 * user id to store.
 *
 * <p>Client details are fetched from Janus here because they cannot be carried along the request
 * and the lookup is cached anyway.
 *
 * @param consumerKey the OAuth consumer key of the access token
 * @param userAuthentication the authentication whose principal receives the metadata
 * @return the username (for {@link ClientMetaDataUser}) or name (for {@link SAMLAuthenticationToken})
 * @throws RuntimeException if the consumer details, the authentication or its principal are of an
 *         unsupported type
 */
private String attachClientMetaData(String consumerKey, Authentication userAuthentication) {
    ConsumerDetails consumerDetails = consumerDetailsService.loadConsumerByConsumerKey(consumerKey);
    if (!(consumerDetails instanceof OpenConextConsumerDetails)) {
        throw new RuntimeException("The consumerDetails is of the type '" + (consumerDetails != null ? consumerDetails.getClass() : "null") + "'. Required is a (sub)class of ExtendedBaseConsumerDetails");
    }
    OpenConextConsumerDetails conextDetails = (OpenConextConsumerDetails) consumerDetails;

    if (userAuthentication instanceof PreAuthenticatedAuthenticationToken) {
        Object principal = ((PreAuthenticatedAuthenticationToken) userAuthentication).getPrincipal();
        if (principal instanceof ClientMetaDataUser) {
            ClientMetaDataUser user = (ClientMetaDataUser) principal;
            user.setClientMetaData(conextDetails.getClientMetaData());
            return user.getUsername();
        }
        if (principal instanceof SAMLAuthenticationToken) {
            SAMLAuthenticationToken saml = (SAMLAuthenticationToken) principal;
            saml.setClientMetaData(conextDetails.getClientMetaData());
            return saml.getName();
        }
        throw new RuntimeException("The principal on the PreAuthenticatedAuthenticationToken is of the type '" + (principal != null ? principal.getClass() : "null") + "'. Required is a (sub)class of ClientMetaDataUser or a (sub)class of SAMLAuthenticationToken");
    }

    if (userAuthentication instanceof SAMLAuthenticationToken) {
        SAMLAuthenticationToken samlToken = (SAMLAuthenticationToken) userAuthentication;
        samlToken.setClientMetaData(conextDetails.getClientMetaData());
        return samlToken.getName();
    }

    throw new RuntimeException("The userAuthentication is of the type '" + (userAuthentication != null ? userAuthentication.getClass() : "null") + "'. Required is a (sub)class of PreAuthenticatedAuthenticationToken or SAMLAuthenticationToken");
}
From source file:org.apigw.authserver.x509.CertifiedClientAuthenticationUserDetailsService.java
/**
 * Maps an X.509-authenticated client certificate to a Spring {@link User}.
 *
 * <p>The token's principal is an {@link X509ClientPrincipal}; its issuer and subject DN select the
 * {@link CertifiedClient} via {@code clientDetailsService}. The returned user carries the client id
 * as username, the placeholder password {@code "N/A"}, is enabled and non-expired only while the
 * client has not expired, is non-locked unless the client is locked, and has the client's
 * authorities.
 *
 * @param token the pre-authenticated token from the X.509 filter
 * @return the {@link User} for the certified client
 * @throws UsernameNotFoundException if the token has no name
 * @throws AuthenticationException as declared; may propagate from the client lookup
 */
@Override
public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws AuthenticationException {
    if (token.getName() == null) {
        throw new UsernameNotFoundException("Username null not found");
    }
    // NOTE(review): the client is selected by issuer+subject DN only; this relies on the TLS layer /
    // X.509 filter having already validated the certificate chain — confirm.
    final X509ClientPrincipal certPrincipal = (X509ClientPrincipal) token.getPrincipal();
    final CertifiedClient client = clientDetailsService.loadClientByX509Cert(
            certPrincipal.getIssuerDN(), certPrincipal.getSubjectDN());

    // One expiry check drives both the "enabled" and the "account non-expired" flags.
    final boolean notExpired = !hasExpired(client);
    return new User(client.getClientId(), "N/A", notExpired, notExpired, true, !client.isLocked(),
            client.getAuthorities());
}
From source file:nl.surfnet.coin.api.AbstractApiController.java
/**
 * Determines the {@link ClientMetaData} of the calling client from the current authentication and
 * records which API flavour is in use via {@code registerApiVersion}.
 *
 * <p>Supported authentications: {@link OAuth2Authentication} (client looked up by client id),
 * {@link PreAuthenticatedAuthenticationToken} with a {@link ClientMetaDataUser} principal (OAuth1
 * 3-legged; falls back to the consumer details when the user carries no metadata),
 * {@link ConsumerAuthentication} (OAuth1 2-legged) and {@link SAMLAuthenticationToken}.
 *
 * @return the resolved client metadata, never {@code null}
 * @throws IllegalArgumentException if the authentication is of an unknown class, or if no metadata
 *         could be resolved (via {@link Assert#notNull})
 */
protected ClientMetaData getClientMetaData() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    ClientMetaData metaData = null;

    if (authentication instanceof OAuth2Authentication) {
        // oauth2
        String clientId = ((OAuth2Authentication) authentication).getAuthorizationRequest().getClientId();
        ClientDetails clientDetails = janusClientDetailsService.loadClientByClientId(clientId);
        metaData = ((OpenConextClientDetails) clientDetails).getClientMetaData();
        registerApiVersion("oauth2");
    } else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
        // oauth1 3-legged
        PreAuthenticatedAuthenticationToken preAuth = (PreAuthenticatedAuthenticationToken) authentication;
        Object principal = preAuth.getPrincipal();
        if (principal instanceof ClientMetaDataUser) {
            metaData = ((ClientMetaDataUser) principal).getClientMetaData();
            if (metaData == null) {
                // The user has no metadata attached yet: take it from the consumer in the details.
                metaData = clientMetaDataFromDetails(preAuth.getDetails());
            }
            registerApiVersion("oauth1-3legged");
        }
    } else if (authentication instanceof ConsumerAuthentication) {
        // oauth1 2-legged
        ConsumerDetails consumerDetails = ((ConsumerAuthentication) authentication).getConsumerDetails();
        if (consumerDetails instanceof OpenConextConsumerDetails) {
            metaData = ((OpenConextConsumerDetails) consumerDetails).getClientMetaData();
            registerApiVersion("oauth1-2legged");
        }
    } else if (authentication instanceof SAMLAuthenticationToken) {
        metaData = ((SAMLAuthenticationToken) authentication).getClientMetaData();
        registerApiVersion("oauth2");
    } else {
        throw new IllegalArgumentException("Authentication is of unknown class ('" + (authentication != null ? authentication.getClass() : "null") + "')");
    }

    Assert.notNull(metaData, "ClientMetaData may not be null for checking ACL's. Authentication is of class ('" + (authentication != null ? authentication.getClass() : "null") + "')");
    return metaData;
}

/**
 * Extracts client metadata from OAuth authentication details, if they wrap an
 * {@link OpenConextConsumerDetails}.
 *
 * @param details the authentication details object, may be of any type
 * @return the consumer's client metadata, or {@code null} if the details do not carry one
 */
private static ClientMetaData clientMetaDataFromDetails(Object details) {
    if (!(details instanceof OAuthAuthenticationDetails)) {
        return null;
    }
    ConsumerDetails consumerDetails = ((OAuthAuthenticationDetails) details).getConsumerDetails();
    if (!(consumerDetails instanceof OpenConextConsumerDetails)) {
        return null;
    }
    return ((OpenConextConsumerDetails) consumerDetails).getClientMetaData();
}