Merge pull request 'SAML Improvements' (#37) from feature/24534 into develop

Author: fmichielssen

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/AlreadyLoggedInFilter.java

@@ -0,0 +1,54 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.saml;
+
+
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.servlet.*;
+import java.io.IOException;
+
+/**
+ * A filter that sets a request attribute when the user is already logged in.
+ * This is used to know whether a user was already logged in when performing a SAML SSO request.
+ * If so, the user probably has clicked the back button and should therefore be redirected to the main page.
+ *
+ * Note: we don't redirect to the main page here, because that seems to be to intrusive. There may be good reasons
+ * to land on the SSO page again.
+ */
+public class AlreadyLoggedInFilter extends GenericFilterBean {
+
+    public static final String REQ_PROP_AUTH_BEFORE_SSO = "SP_REQ_PROP_AUTH_BEFORE_SSO";
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth != null && !(auth instanceof AnonymousAuthenticationToken)) {
+            request.setAttribute(REQ_PROP_AUTH_BEFORE_SSO, "true");
+        }
+        chain.doFilter(request, response);
+    }
+
+}
+

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/AuthenticationFailureHandler.java

@@ -20,33 +20,80 @@
  */
 package eu.openanalytics.containerproxy.auth.impl.saml;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensaml.common.SAMLException;
+import org.springframework.security.authentication.CredentialsExpiredException;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.saml.SAMLStatusException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import java.io.IOException;
+import java.util.Objects;
 
-public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler  {
+import static eu.openanalytics.containerproxy.auth.impl.saml.AlreadyLoggedInFilter.REQ_PROP_AUTH_BEFORE_SSO;
+
+public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
+
+    private final Logger logger = LogManager.getLogger(getClass());
 
     public void onAuthenticationFailure(HttpServletRequest request,
                                         HttpServletResponse response, AuthenticationException exception)
             throws IOException, ServletException {
 
-
         if (exception.getCause() instanceof SAMLStatusException) {
             SAMLStatusException samlException = (SAMLStatusException) exception.getCause();
 
             if (samlException.getStatusCode().equals("urn:oasis:names:tc:SAML:2.0:status:RequestDenied")) {
                 response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/app-access-denied").build().toUriString());
                 return;
             }
+
+        } else if (exception.getCause() instanceof SAMLException) {
+            SAMLException samlException = (SAMLException) exception.getCause();
+
+            if (isOrWasAuthenticated(request) && (
+                       samlException.getMessage().startsWith("Response issue time is either too old or with date in the future")
+                    || samlException.getMessage().startsWith("InResponseToField of the Response doesn't correspond to sent message"))
+                    || samlException.getMessage().equals("Unsupported request")) {
+                response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/").build().toUriString());
+                return;
+            } else if (samlException.getCause() instanceof CredentialsExpiredException) {
+                logger.warn("The credentials of the user has expired, this typically indicates a misconfiguration, see https://shinyproxy.io/faq/#the-credentials-of-the-user-expire-when-using-saml for more information!");
+                response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-error").build().toUriString());
+                return;
+            }
         }
 
         super.onAuthenticationFailure(request, response, exception);
     }
 
+    private boolean isOrWasAuthenticated(HttpServletRequest request) {
+        if (Objects.equals(request.getAttribute(REQ_PROP_AUTH_BEFORE_SSO), "true")) {
+            // Before doing a SSO request we check whether the user is authenticated, if so we set the SP_REQ_PROP_AUTH_BEFORE_SSO
+            // property. If the auth failed, the Spring SecurityContext is cleared and thus we cannot use that to
+            // check whether the user is authenticated.
+            return true;
+        }
+
+        HttpSession session = request.getSession();
+        Object obj = session.getAttribute("SPRING_SECURITY_CONTEXT");
+        if (obj instanceof SecurityContext) {
+            SecurityContext ctx = (SecurityContext) obj;
+            Authentication auth = ctx.getAuthentication();
+            // in some cases the session may still contain the security context so we fallback to that
+            return auth != null && auth.getPrincipal() != null;
+        }
+
+        return false;
+    }
+
 }

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java

@@ -21,31 +21,17 @@
 package eu.openanalytics.containerproxy.auth.impl.saml;
 
 import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Timer;
-
-import javax.inject.Inject;
-
 import eu.openanalytics.containerproxy.auth.impl.SAMLAuthenticationBackend;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.velocity.app.VelocityEngine;
-import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.util.resource.ResourceException;
-import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.parse.StaticBasicParserPool;
 import org.opensaml.xml.parse.XMLParserException;
-import org.opensaml.xml.schema.XSAny;
-import org.opensaml.xml.schema.XSString;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@@ -60,7 +46,6 @@
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.saml.*;
-import org.springframework.security.saml.context.SAMLContextProvider;
 import org.springframework.security.saml.context.SAMLContextProviderImpl;
 import org.springframework.security.saml.key.EmptyKeyManager;
 import org.springframework.security.saml.key.JKSKeyManager;
@@ -74,14 +59,7 @@
 import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
 import org.springframework.security.saml.util.VelocityFactory;
-import org.springframework.security.saml.websso.SingleLogoutProfile;
-import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
-import org.springframework.security.saml.websso.WebSSOProfile;
-import org.springframework.security.saml.websso.WebSSOProfileConsumer;
-import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
-import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;
-import org.springframework.security.saml.websso.WebSSOProfileImpl;
-import org.springframework.security.saml.websso.WebSSOProfileOptions;
+import org.springframework.security.saml.websso.*;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
@@ -92,6 +70,9 @@
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import javax.inject.Inject;
+import java.util.*;
+
 @Configuration
 @ConditionalOnProperty(name="proxy.authentication", havingValue="saml")
 public class SAMLConfiguration {
@@ -100,6 +81,7 @@ public class SAMLConfiguration {
 
 	private static final String PROP_LOG_ATTRIBUTES = "proxy.saml.log-attributes";
 	private static final String PROP_FORCE_AUTHN = "proxy.saml.force-authn";
+	private static final String PROP_MAX_AUTHENTICATION_AGE = "proxy.saml.max-authentication-age";
 	private static final String PROP_KEYSTORE = "proxy.saml.keystore";
 	private static final String PROP_ENCRYPTION_CERT_NAME = "proxy.saml.encryption-cert-name";
 	private static final String PROP_ENCRYPTION_CERT_PASSWORD = "proxy.saml.encryption-cert-password";
@@ -117,7 +99,7 @@ public class SAMLConfiguration {
 
 	@Inject
 	private UserLogoutHandler userLogoutHandler;
-	
+
 	@Bean
 	public SAMLEntryPoint samlEntryPoint() {
 		SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
@@ -326,9 +308,19 @@ public SAMLProcessingFilter samlWebSSOProcessingFilter() throws Exception {
 		return samlWebSSOProcessingFilter;
 	}
 
+	@Bean
+    public AlreadyLoggedInFilter alreadyLoggedInFilter() {
+		return new AlreadyLoggedInFilter();
+	}
+
 	@Bean
 	public WebSSOProfileConsumer webSSOprofileConsumer() {
-		return new WebSSOProfileConsumerImpl();
+		WebSSOProfileConsumerImpl res = new WebSSOProfileConsumerImpl();
+		Integer maxAuthenticationAge = environment.getProperty(PROP_MAX_AUTHENTICATION_AGE, Integer.class);
+		if (maxAuthenticationAge != null) {
+			res.setMaxAuthenticationAge(maxAuthenticationAge);
+		}
+		return res;
 	}
 
 	@Bean
@@ -342,7 +334,7 @@ public SAMLFilterSet samlFilter() throws Exception {
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
-		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
+		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), alreadyLoggedInFilter(), samlWebSSOProcessingFilter()));
 		return new SAMLFilterSet(chains);
 	}
 

src/main/resources/templates/auth-error.html

@@ -39,8 +39,8 @@
 <body>
 	<div class="container">
 		<h2>An error occurred during the authentication procedure.</h2>
-		<p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your administrator.</p>
-		<p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is typically shown because of an configuration error in the OpenID setup. See the ShinyProxy logs for more information.</p>
+		<p><b>If you are a user of <span th:text="${application_name}"></span>:</b> please report this issue to your administrator and try to log out from your Identity Provider.</p>
+		<p><b>If you are an administrator of <span th:text="${application_name}"></span>:</b> this error page is typically shown because of an configuration error in the authentication setup. See the ShinyProxy logs for more information.</p>
 	</div>
 
 <style>