Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OP-14834: invalidate session and throw SAMLAuthenticationException #209

Merged
merged 19 commits into from
May 17, 2022
Merged

OP-14834: invalidate session and throw SAMLAuthenticationException #209

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
f82aee5
OP-14834: Check and update the token.
rahul-chekuri May 16, 2022
c5a723f
OP-14834: Updated logs and packages.
rahul-chekuri May 16, 2022
74593b8
OP-14834: Only validates ExpiringUsernameAuthenticationToken.
rahul-chekuri May 16, 2022
75bd501
OP-14834: Only validates ExpiringUsernameAuthenticationToken.
rahul-chekuri May 16, 2022
59bc15d
OP-14834: Added SamlAuthTokenUpdateFilter to the filter chain.
rahul-chekuri May 16, 2022
775f91c
OP-14834: Added SamlAuthTokenUpdateFilter to the filter chain after b…
rahul-chekuri May 16, 2022
c529c5f
OP-14834: redirect to logout
rahul-chekuri May 16, 2022
89a0c1d
OP-14834: throw AccessDeniedException
rahul-chekuri May 16, 2022
91d10be
OP-14834:redirect to /saml/login.
rahul-chekuri May 16, 2022
40d03d3
OP-14834:redirect to /saml/sso.
rahul-chekuri May 16, 2022
ae00558
OP-14834: send html response
rahul-chekuri May 16, 2022
5f3a247
OP-14834: clear context
rahul-chekuri May 16, 2022
65a98dd
OP-14834: invalidate session
rahul-chekuri May 16, 2022
376d265
OP-14834: and then logout
rahul-chekuri May 16, 2022
97e45a3
OP-14834: clear context, invalidate session and redirect to log out url.
rahul-chekuri May 16, 2022
f52881b
OP-14834: invalidate session and throw SAMLAuthenticationException
rahul-chekuri May 16, 2022
1fc20cc
OP-14834: removed commented code.
rahul-chekuri May 16, 2022
dbb31ed
OP-14834: Updated the log message.
rahul-chekuri May 16, 2022
9b3a805
OP-14834: Updated the certificate
rahul-chekuri May 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions gate-saml/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig
import com.netflix.spinnaker.gate.services.PermissionService
import com.netflix.spinnaker.kork.core.RetrySupport
import com.netflix.spinnaker.security.User
import com.opsmx.spinnaker.gate.security.saml.SamlAuthTokenUpdateFilter
import groovy.util.logging.Slf4j
import org.opensaml.saml2.core.Assertion
import org.opensaml.saml2.core.Attribute
Expand All @@ -43,11 +44,12 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.core.userdetails.UsernameNotFoundException
import org.springframework.security.extensions.saml2.config.SAMLConfigurer
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
import org.springframework.security.saml.SAMLCredential
import org.springframework.security.saml.userdetails.SAMLUserDetailsService
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
import org.springframework.security.web.authentication.RememberMeServices
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
import org.springframework.session.web.http.DefaultCookieSerializer
import org.springframework.stereotype.Component

Expand Down Expand Up @@ -168,7 +170,9 @@ class SamlSsoConfig extends WebSecurityConfigurerAdapter {
.keyPassword(samlSecurityConfigProperties.keyStorePassword)

saml.init(http)

SamlAuthTokenUpdateFilter authTokenUpdateFilter = new SamlAuthTokenUpdateFilter()
http.addFilterAfter(authTokenUpdateFilter,
BasicAuthenticationFilter.class)
// @formatter:on

}
Expand Down
13 changes: 13 additions & 0 deletions ...aml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SAMLAuthenticationException.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package com.opsmx.spinnaker.gate.security.saml;

import org.springframework.security.core.AuthenticationException;

public class SAMLAuthenticationException extends AuthenticationException {
public SAMLAuthenticationException(String msg) {
super(msg);
}

public SAMLAuthenticationException(String msg, Throwable t) {
super(msg, t);
}
}
59 changes: 59 additions & 0 deletions ...-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SamlAuthTokenUpdateFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
/*
* Copyright 2022 OpsMx, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.opsmx.spinnaker.gate.security.saml;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
import org.springframework.web.filter.GenericFilterBean;

public class SamlAuthTokenUpdateFilter extends GenericFilterBean {

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
logger.debug("SamlAuthTokenUpdateFilter doFilter started");
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

logger.debug("Previously Authenticated is : " + authentication);
if (authentication instanceof ExpiringUsernameAuthenticationToken
&& !authentication.isAuthenticated()) {
if (logger.isDebugEnabled()) {
logger.debug(
"Previously Authenticated token Expired; redirecting to authentication entry point.");
}

HttpSession session = request.getSession();
if (session != null) {
session.invalidate();
}
throw new SAMLAuthenticationException("Previously Authenticated token Expired");
}
logger.debug("SamlAuthTokenUpdateFilter doFilter ended");

chain.doFilter(request, response);
}
}