From 508fa1aef68acafece1b90a69ef0154da3df4ce9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 3 Oct 2024 13:47:41 +0000
Subject: [PATCH] Remove failed login attempt for saml authenticator (#4762)
Signed-off-by: Derek Ho
(cherry picked from commit 39adb47dba52088d1c78b032e67e81971b15e9fd)
Signed-off-by: github-actions[bot]
---
 .../amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java | 3 ++-
 .../java/org/opensearch/security/auth/BackendRegistry.java | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index ae3d1c9128..20e0b25b5c 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -88,6 +88,7 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
 private static final Pattern PATTERN_PATH_PREFIX = Pattern.compile(REGEX_PATH_PREFIX);
 private static boolean openSamlInitialized = false;
+ public static final String SAML_TYPE = "saml";
 private String subjectKey;
 private String rolesKey;
@@ -175,7 +176,7 @@ public AuthCredentials extractCredentials(final SecurityRequest request, final T
 @Override
 public String getType() {
- return "saml";
+ return SAML_TYPE;
 }
 @Override
diff --git a/src/main/java/org/opensearch/security/auth/BackendRegistry.java b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
index d633d307e9..f06b5aa56d 100644
--- a/src/main/java/org/opensearch/security/auth/BackendRegistry.java
+++ b/src/main/java/org/opensearch/security/auth/BackendRegistry.java
@@ -75,6 +75,7 @@
 import static org.apache.http.HttpStatus.SC_FORBIDDEN;
 import static org.apache.http.HttpStatus.SC_SERVICE_UNAVAILABLE;
 import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.SAML_TYPE;
 public class BackendRegistry {
@@ -303,7 +304,10 @@ public boolean authenticate(final SecurityRequestChannel request) {
 if (authDomain.isChallenge()) {
 final Optional restResponse = httpAuthenticator.reRequestAuthentication(request, null);
 if (restResponse.isPresent()) {
- auditLog.logFailedLogin("", false, null, request);
+ // saml will always hit this to re-request authentication
+ if (!authDomain.getHttpAuthenticator().getType().equals(SAML_TYPE)) {
+ auditLog.logFailedLogin("", false, null, request);
+ }
 if (isTraceEnabled) {
 log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
 }
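Review bot: The new `if` around `auditLog.logFailedLogin("", false, null, request)` suppresses the event for every request that reaches this challenge branch on a SAML domain, keyed only on the authenticator type and not on whether the request carried any credentials. If a request presenting an invalid or expired token can also end up here (credential extraction is outside the hunk, so this needs confirming), those attempts would no longer appear in the audit log, which is a detection gap that deserves a narrower condition or at least a test pinning the intended behaviour. Separately, `authDomain.getHttpAuthenticator().getType().equals(SAML_TYPE)` throws a NullPointerException if an authenticator implementation returns a null type; `httpAuthenticator` is already used earlier in the same hunk, and assuming it is the same object the check is safer as `if (!SAML_TYPE.equals(httpAuthenticator.getType())) {`. The body of `authenticate` starts and continues outside the hunk.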