Prevent connection to Access Manager - spring

GlassFish, Policy Agent, OpenAM, Portal on Spring:
I have a task to prevent access to Access manager from some blocked users (users are blocked dynamically by using portal), so that they could not connect to it and overload AM. After some googleing I understood that I need to prevent access to Access manager on Policy Agent step (may be I am wrong), I found that it is possible to add filters into web.xml.
So I add custom filter which redirects blocked users to another page:
<filter>
<filter-name>denyBlockedUsers</filter-name>
<filter-class>some.portal.servlets.DenyBlockedUsers</filter-class>
</filter>
<filter-mapping>
<filter-name>denyBlockedUsers</filter-name>
<url-pattern>/locked/*</url-pattern>
</filter-mapping>
Everything works fine.
For AM I have filter:
<filter>
<filter-name>Agent</filter-name>
<filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
Question: is it really will not connect to Access manager before this filter? How can I check it? Logs?

Filter one you can do the following.
If request is from blocked user then first filter itself can fwd to another error page like blockeduser.jsp else fwd to filter 2(/agent/*).
<filter>
<filter-name>
denyBlockedUsers
</filter-name>
<filter-class>
some.portal.servlets.DenyBlockedUsers
</filter-class>
</filter>
<filter>
<filter-name>
Agent
</filter-name>
<filter-class>
com.filters.Filter2
</filter-class>
</filter>
<!-- Map the filter to a Servlet or URL -->
<filter-mapping>
<filter-name>
denyBlockedUsers
</filter-name>
<url-pattern>
/locked/*
</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>
Agent
</filter-name>
<url-pattern>
/agent/*
</url-pattern>
</filter-mapping>

If 'Access Manager' is OpenAM then AgentFilter MUST NOT be run in the same container.
Typically the 'Access Manager' performs authentication ... so you can you block someone you don't know? To know someone's Identity authentication has to be perform.
You may explain you're use case in detail though.

Related

Servlet filters not invoked for _am/api/discovery/* URLs?

I'm updating a GAE application to the Java8 Cloud SDK environment; I'm also updating it to use Cloud Endpoints version 2.
My app registers some servlet filters in its web.xml file, one for Objectify and one to do some initialisations such as creating singleton instances of some utility classes the app uses.
This is an excerpt of web.xml:
<servlet>
<servlet-name>EndpointsServlet</servlet-name>
<servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
<init-param>
<param-name>services</param-name>
<param-value>com.myapp.service.Service</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>EndpointsServlet</servlet-name>
<url-pattern>/_ah/api/*</url-pattern>
</servlet-mapping>
<filter>
<filter-name>InitializerFilter</filter-name>
<filter-class>com.myapp.InitializerFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>InitializerFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>ObjectifyFilter</filter-name>
<filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ObjectifyFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Add a filter that fetches the service config from service management. -->
<filter>
<filter-name>endpoints-api-configuration</filter-name>
<filter-class>com.google.api.control.ServiceManagementConfigFilter</filter-class>
</filter>
<!-- Add a filter that performs Endpoints logging and monitoring. -->
<filter>
<filter-name>endpoints-api-controller</filter-name>
<filter-class>com.google.api.control.extensions.appengine.GoogleAppEngineControlFilter</filter-class>
<init-param>
<param-name>endpoints.projectId</param-name>
<param-value>${appId}</param-value>
</init-param>
<init-param>
<param-name>endpoints.serviceName</param-name>
<param-value>${service}-dot-${appId}.appspot.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>endpoints-api-configuration</filter-name>
<servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>endpoints-api-controller</filter-name>
<servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
It looks like filters correctly kick for all URLs (for example, URLs handled by some other servlet that I instantiate but are not shown here), but not the _ah/api/discovery/* URLs that implement Google's nifty APIs Explorer tool.
No exceptions are thrown at deployment.
Note that I already tried changing the <url-pattern>/*</url-pattern> to <url-pattern>/_ah/api/*</url-pattern>, to <url-pattern>/_ah/api/discovery/*</url-pattern> and mapping using <servlet-name>EndpointsServlet</servlet-name> rather than a URL pattern, to no avail.
Awkwardly enough, the very same configuration did work on Friday morning, then after a redeployment made later in the afternoon it stopped. And I'm pretty positive I did not change anything.
Is this known behaviour? For example, this may be because the API Explorer is "stitched on" the endpoints URL externally rather than being part of EndpointServlet itself?
Otherwise, what am I doing wrong?
=========
I fixed this problem by moving the logic that was in the filter to a ServletContextListener, and this made the app stable. This is only viable for once-for-servlet-lifetime initialisations, of course, so the question still stands: is the cloud API Explorer expected to trigger the servlet filters registered on EndpointsServlet?

Multiple <url-pattern> in <filter-mapping> not working

I use several filter in my web.xml of my spring App. some of my filter has multiple url-pattern to act on these urls, likes below:
<filter>
<display-name>AuditLogFilter</display-name>
<filter-name>AuditLogFilter</filter-name>
<filter-class>org.somePackages.log.AuditLogFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>AuditLogFilter</filter-name>
<url-pattern>/portal/*</url-pattern>
<url-pattern>/view/*</url-pattern>
<url-pattern>/rest/**/front</url-pattern>
</filter-mapping>
But i found that the AuditLogFilter don't act on all of these url-patterns. any solution?
I Finally resolve my problem By changing the order of AuditLogFilter to top of my filters in web.xml. In other words, I put <filter> and <filter-mapping> parts in above of my filter definitions instead of end of web.xml file.

JASIG CAS: single sign out not working

I have single sign on working beautifully, but single sign-out is not working.
The scenario is like this:
Open webapp1 and get redirected to CAS login page
Enter details and login
Open webapp2 which also uses CAS. Automatically logs in, as the user already signed in.
Log out of webapp1
Try to open webapp1 or webapp2 (in another tab) redirects you back to the login page.
However, the session to webapp2 in step 3 is not closed and the user can still use the application without any problems. How do I automatically invalidate the session when the user signs out?
The log off button for both applications first call session.invalidate() and then redirects to https://localhost:8443/cas/logout
The single sign out filter is the first filter in the web.xml file. I also have the SingleSignOutHttpSessionListener in web.xml.
Following is the extract from my web.xml
<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params.
CAS Authentication Filter and CAS Validation Filter need a serverName init-param
in lieu of a context-param definition. -->
<context-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</context-param>
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--
CAS client filters
Single sign-out filter MUST come first since it needs to be evaluated
before other filters.
-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<!--
IMPORTANT:
Use Saml11AuthenticationFilter for version 3.1.12 and later.
Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
versions.
-->
<filter-class>
org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Leniency of time checking in ms when validating SAML assertions. Consider
setting this parameter more liberally if you anticipate system clock drift
on your application servers relative to the CAS server. The default is 1000
(1s) and at least one person had problems with drift at that small a tolerance
value. A good approach is to start low and then increase by 1000 as needed
until problems stop. Note that increasing this value may have negative security
implications. Consider fixing clock drift problems as an alternative. -->
<param-name>tolerance</param-name>
<param-value>1000</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I also had another issue with standard CAS protocol, where single sign-out worked on an integration server but not from localhost.
Scenario
log into both http://my-app-dev/app and http://localhost:8080/app with CAS on http://my-cas/cas
log out of CAS http://my-cas/cas/logout
http://my-app-dev/app now bounces me to CAS
http://localhost:8080 - still logged in!
I suspect the reason is the CAS server couldn't send a sign-out message to localhost:8080 because localhost is resolved in the CAS server's context, so it doesn't actually talk to my local dev environment.
If you're using SAML 1.1 protocol be sure that you included the artifactParameterName parameter
https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>artifactParameterName</param-name>
<param-value>SAMLart</param-value>
</init-param>
</filter>
I had the same problem. We had a java and a php client. When I went to http://mycasserver/logout only the java client logged out.
For the single sign out to work in the php client, you have to change:
phpCAS::handleLogoutRequests();
for
phpCAS::handleLogoutRequests(false);
And Voila!
Refer to the documentation at phpCAS examples
I've had basically the same configuration for my application before I switched to the spring configuration. I had a look on the SVN and basically the only difference to your config is the use of the Single Sign Out Listener
listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
Could this work for you? Of course don't forget to add it on both WebApps if it works.
UPDATE:
I found the description of the listener in the docs, and it should do what's missing in your setting
You should verify that the CAS server can send a HTTP request to your webapp. Have a look in the logs of the CAS server.

Print the access logs before UrlRewriteFilter

I have an application in which currently I am using two filters.
First one is UrlRewriteFilter which is for re-writing the url.
<filter>
<filter-name>UrlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
<init-param>
<param-name>logLevel</param-name>
<param-value>DEBUG</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>UrlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Second is a filter which is printing the performance of each page, along with the url.
<filter>
<filter-name>PerfLoggingFilter</filter-name>
<filter-class>
com.sia.saa.common.filter.PerfLoggingFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>PerfLoggingFilter</filter-name>
<url-pattern>*.form</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
But in the logs only the re-written URL is being printed and not the original url.
Please suggest a way so that URL re-writing can continue but in the logs only the original url is printed.
Note: Post questions in case you need other details.
Since UrlRewriteFilter uses RequestDispatcher.forward(), I guess you can obtain original request URLs in your logging filter as
request.getAttribute("javax.servlet.forward.request_uri")
so that you can log them.
Is it not possible to have the second filter before the first one? If the second filter is executed first, you will have the original url...

CAS Single Sign Out requests being ignored by JSP+Spring

I've set up CAS for single sign on with my Spring+JSP webapp, but now I've found out that single sign out isn't actually logging me out of the applications. I've confirmed that if I go to the CAS logout page, I do receive a SAMLP logout request from CAS. When I go back to a secured page in the app, however, I get in without logging back in to CAS. If I go to the local app logout page (/j_spring_security_logout), then I will get logged out and immediately redirected to the CAS login page.
In a nutshell, it appears that the local app isn't registering the logout request from CAS and calling its own logout procedure.
Here's the CAS portion of my web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>authenticationFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Ticket Validation Filter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>ticketValidationFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Ticket Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
Do I need a specific CAS bean created to handle logouts in my applicationContext.xml files? Or is configured completely through the web.xml file?
When you debug the SingleSignOutFilter does it invalidate the user session? Maybe the CAS Token is being held in it, or in the SecurityContextHolder so it doesn't ask for a new login. I have a similar issue and am sorry to not be able to fully understand SS + CAS.

Resources