diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
index e4ac06a26..c885f0049 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfiguration.java
@@ -7,6 +7,7 @@
 import org.pac4j.core.credentials.Credentials;
 import org.pac4j.core.credentials.TokenCredentials;
 import org.pac4j.core.credentials.authenticator.Authenticator;
+import org.pac4j.core.exception.CredentialsException;
 import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.profile.definition.CommonProfileDefinition;
 import org.pac4j.http.client.direct.ParameterClient;
@@ -27,11 +28,12 @@ public SAML2ModelAuthorizationGenerator saml2ModelAuthorizationGenerator(UserRep
 }
 @Bean
- public Config config(final Pac4jConfigurationProperties pac4jConfigurationProperties, final SAML2ModelAuthorizationGenerator saml2ModelAuthorizationGenerator) {
+ public Config config(final Pac4jConfigurationProperties pac4jConfigurationProperties,
+ final SAML2ModelAuthorizationGenerator saml2ModelAuthorizationGenerator) {
 final Clients clients = new Clients(pac4jConfigurationProperties.getCallbackUrl());
- if(pac4jConfigurationProperties.getTypeOfAuth().equals("SAML2")) { //f
+ if (pac4jConfigurationProperties.getTypeOfAuth().equals("SAML2")) {
 final SAML2ClientConfiguration saml2ClientConfiguration = new SAML2ClientConfiguration();
 saml2ClientConfiguration.setKeystorePath(pac4jConfigurationProperties.getKeystorePath());
 saml2ClientConfiguration.setKeystorePassword(pac4jConfigurationProperties.getKeystorePassword());
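Review bot: The reformatted `if (pac4jConfigurationProperties.getTypeOfAuth().equals("SAML2"))` still dispatches on the raw configuration string and throws a NullPointerException if `typeOfAuth` is ever set to null; the `equals("HEADER")` branch in the next hunk has the same shape. A null-safe form is `"SAML2".equals(pac4jConfigurationProperties.getTypeOfAuth())`, and an enum for the auth type would let a misspelled value fail at configuration time rather than fall through both visible branches. The `config` method begins in this hunk and continues past it.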
@@ -47,17 +49,23 @@ public Config config(final Pac4jConfigurationProperties pac4jConfigurationProper
 final SAML2Client saml2Client = new SAML2Client(saml2ClientConfiguration);
 saml2Client.setName("Saml2Client");
 saml2Client.addAuthorizationGenerator(saml2ModelAuthorizationGenerator);
- SAML2Authenticator saml2Authenticator = new SAML2Authenticator(saml2ClientConfiguration.getAttributeAsId(), saml2ClientConfiguration.getMappedAttributes());
- saml2Authenticator.setProfileDefinition(new CommonProfileDefinition<>(p -> new BetterSAML2Profile(pac4jConfigurationProperties.getSaml2ProfileMapping().getUsername())));
+ SAML2Authenticator saml2Authenticator = new SAML2Authenticator(saml2ClientConfiguration.getAttributeAsId(),
+ saml2ClientConfiguration.getMappedAttributes());
+ saml2Authenticator.setProfileDefinition(new CommonProfileDefinition<>(
+ p -> new BetterSAML2Profile(pac4jConfigurationProperties.getSaml2ProfileMapping().getUsername())));
 saml2Client.setAuthenticator(saml2Authenticator);
 clients.setClients(saml2Client);
- }
- else if (pac4jConfigurationProperties.getTypeOfAuth().equals("HEADER")) {
- HeaderClient headerClient = new HeaderClient(pac4jConfigurationProperties.getAuthenticationHeader(), new Authenticator() {
+ } else if (pac4jConfigurationProperties.getTypeOfAuth().equals("HEADER")) {
+ HeaderClient headerClient = new HeaderClient(pac4jConfigurationProperties.getAuthenticationHeader(), new Authenticator() {
 @Override
 public void validate(Credentials credentials, WebContext context) {
-
+ if (credentials instanceof TokenCredentials) {
+ TokenCredentials creds = (TokenCredentials) credentials;
+ String remoteUser = creds.getToken();
+ } else {
+ throw new CredentialsException("Invalid Credentials object generated by HeaderClient");
+ }
 }
 });
 clients.setClients(headerClient);
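Review bot: The new `validate` body reads `remoteUser` from the token and then discards it, and it never attaches a user profile to `credentials`; pac4j direct clients take the authenticated principal from the profile the authenticator stores on the credentials, so unless that happens somewhere not shown here the HEADER mode cannot produce an authenticated user and the branch should end with something like `creds.setUserProfile(profile)` built from `remoteUser`. Separately, this branch trusts whatever value the configured header carries on the incoming request, which is only sound when a trusted front-end always sets or strips that header before the request reaches this application; that precondition belongs in a comment on the branch, e.g. `// HEADER mode trusts the upstream proxy to set/strip the auth header; never expose it directly to clients.` The `new Authenticator()` looks like a raw-type use — if the HeaderClient constructor accepts `Authenticator<TokenCredentials>`, the `instanceof` check and cast become unnecessary. The enclosing `config` method starts and ends outside this hunk.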
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
index 55a94bb73..57e38d91b 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jConfigurationProperties.java
@@ -10,6 +10,8 @@
 @EnableConfigurationProperties
 @ConditionalOnProperty(name = "shibui.pac4j-enabled", havingValue = "true")
 public class Pac4jConfigurationProperties {
+ final static String DEFAULT_AUTH_HEADER = "REMOTE_USER";
+
 private String keystorePath = "/tmp/samlKeystore.jks";
 private String keystorePassword = "changeit";
 private String privateKeyPassword = "changeit";
@@ -22,7 +24,7 @@ public class Pac4jConfigurationProperties {
 private boolean wantAssertionsSigned = true;
 private SAML2ProfileMapping saml2ProfileMapping;
 private String typeOfAuth = "SAML2";
- private String authenticationHeader = "REMOTE_USER";
+ private String authenticationHeader = DEFAULT_AUTH_HEADER;
 public static class SAML2ProfileMapping {
 private String username;
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index fc3a7c081..812a20e09 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
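Review bot: The new `final static String DEFAULT_AUTH_HEADER` is package-private and uses the non-conventional modifier order; unless another class in the package reads it, `private static final String DEFAULT_AUTH_HEADER = "REMOTE_USER";` is the conventional form, and if it is shared it deserves a one-line comment saying who reads it. A short comment above it stating that this header is only meaningful when populated by a trusted front-end would also help whoever sets `authenticationHeader`, since the field default alone does not convey that.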
@@ -82,19 +82,15 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserRepository use
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- final SecurityFilter securityFilter = new SecurityFilter(this.config, "Saml2Client");
 final SecurityFilter securityFilterForHeader = new SecurityFilter(this.config, "HeaderClient");
 final CallbackFilter callbackFilter = new CallbackFilter(this.config);
 http.antMatcher("/**").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
- .addFilterBefore(securityFilter, BasicAuthenticationFilter.class)
 .addFilterBefore(securityFilterForHeader, BasicAuthenticationFilter.class) //xxx check on this
 .addFilterAfter(new AddNewUserFilter(pac4jConfigurationProperties, userRepository, roleRepository, emailService), SecurityFilter.class);
 http.authorizeRequests().anyRequest().fullyAuthenticated();
- http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
- http.csrf().disable();
 http.headers().frameOptions().disable();
 }
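Review bot: Dropping `http.csrf().disable();` re-enables Spring Security's CSRF filter for every state-changing request, and nothing in this change adds token handling or an exclusion; the `CallbackFilter` kept in the chain is registered before `BasicAuthenticationFilter`, which runs after `CsrfFilter`, so if the SAML2 callback arrives as a POST it will be rejected before pac4j sees it unless the callback path is excluded, e.g. `http.csrf().ignoringAntMatchers("<callback path from pac4jConfigurationProperties.getCallbackUrl()>")`, and the UI's own non-GET calls must now send the token. If the intent is to keep only the header-based client, the SAML2 client and the callback filter in `Pac4jConfiguration` could go as well; otherwise removing the `Saml2Client` `SecurityFilter` while leaving that client registered leaves the SAML flow unenforced. The `//xxx check on this` marker on the remaining filter line should be resolved or rewritten as a real comment before merge. `configure` is fully contained in this hunk.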