Support for forceAuthn on both Mujina IdP and Mujina SP

mujina-common/pom.xml

@@ -20,7 +20,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.0.6</version>
+    <version>7.0.7</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

mujina-idp/pom.xml

@@ -20,7 +20,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.0.6</version>
+    <version>7.0.7</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

mujina-idp/src/main/java/mujina/idp/SAMLAttributeAuthenticationFilter.java

@@ -4,11 +4,13 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.util.Map;
 import java.util.stream.Collectors;
 
 public class SAMLAttributeAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
 
+
   @Override
   protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
     Map<String, String[]> parameterMap = request.getParameterMap().entrySet().stream()

mujina-idp/src/main/java/mujina/idp/SsoController.java

@@ -15,11 +15,14 @@
 import org.opensaml.xml.validation.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -44,22 +47,21 @@ public class SsoController {
 
   @GetMapping("/SingleSignOnService")
   public void singleSignOnServiceGet(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
-    throws IOException, MarshallingException, SignatureException, MessageEncodingException, ValidationException, SecurityException, MessageDecodingException, MetadataProviderException {
+    throws IOException, MarshallingException, SignatureException, MessageEncodingException, ValidationException, SecurityException, MessageDecodingException, MetadataProviderException, ServletException {
     doSSO(request, response, authentication, false);
   }
 
   @PostMapping("/SingleSignOnService")
   public void singleSignOnServicePost(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
-    throws IOException, MarshallingException, SignatureException, MessageEncodingException, ValidationException, SecurityException, MessageDecodingException, MetadataProviderException {
+    throws IOException, MarshallingException, SignatureException, MessageEncodingException, ValidationException, SecurityException, MessageDecodingException, MetadataProviderException, ServletException {
     doSSO(request, response, authentication, true);
   }
 
-  private void doSSO(HttpServletRequest request, HttpServletResponse response, Authentication authentication, boolean postRequest) throws ValidationException, SecurityException, MessageDecodingException, MarshallingException, SignatureException, MessageEncodingException, MetadataProviderException {
+  private void doSSO(HttpServletRequest request, HttpServletResponse response, Authentication authentication, boolean postRequest) throws ValidationException, SecurityException, MessageDecodingException, MarshallingException, SignatureException, MessageEncodingException, MetadataProviderException, IOException, ServletException {
     SAMLMessageContext messageContext = samlMessageHandler.extractSAMLMessageContext(request, response, postRequest);
     AuthnRequest authnRequest = (AuthnRequest) messageContext.getInboundSAMLMessage();
 
     String assertionConsumerServiceURL = idpConfiguration.getAcsEndpoint() != null ? idpConfiguration.getAcsEndpoint() : authnRequest.getAssertionConsumerServiceURL();
-
     List<SAMLAttribute> attributes = attributes(authentication);
 
     SAMLPrincipal principal = new SAMLPrincipal(

mujina-idp/src/main/java/mujina/idp/WebSecurityConfigurer.java

@@ -12,6 +12,7 @@
 import org.opensaml.saml2.binding.encoding.HTTPPostSimpleSignEncoder;
 import org.opensaml.util.storage.MapBasedStorageService;
 import org.opensaml.util.storage.ReplayCache;
+import org.opensaml.util.storage.StorageService;
 import org.opensaml.ws.security.provider.BasicSecurityPolicy;
 import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver;
 import org.opensaml.xml.parse.StaticBasicParserPool;
@@ -56,11 +57,6 @@ public class WebSecurityConfigurer extends WebMvcConfigurerAdapter {
   @Autowired
   private Environment environment;
 
-  @Override
-  public void addViewControllers(ViewControllerRegistry registry) {
-//    registry.addViewController("/login").setViewName("login");
-  }
-
   @Bean
   @Autowired
   public SAMLMessageHandler samlMessageHandler(@Value("${idp.clock_skew}") int clockSkew,
@@ -72,8 +68,7 @@ public SAMLMessageHandler samlMessageHandler(@Value("${idp.clock_skew}") int clo
     throws XMLParserException, URISyntaxException {
     StaticBasicParserPool parserPool = new StaticBasicParserPool();
     BasicSecurityPolicy securityPolicy = new BasicSecurityPolicy();
-    securityPolicy.getPolicyRules().addAll(Arrays.asList(new IssueInstantRule(clockSkew, expires),
-      new MessageReplayRule(new ReplayCache(new MapBasedStorageService(), 14400000))));
+    securityPolicy.getPolicyRules().addAll(Arrays.asList(new IssueInstantRule(clockSkew, expires)));
 
     HTTPRedirectDeflateDecoder httpRedirectDeflateDecoder = new HTTPRedirectDeflateDecoder(parserPool);
     HTTPPostDecoder httpPostDecoder = new HTTPPostDecoder(parserPool);
@@ -124,6 +119,9 @@ protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter
     @Autowired
     private IdpConfiguration idpConfiguration;
 
+    @Autowired
+    private SAMLMessageHandler samlMessageHandler;
+
     private SAMLAttributeAuthenticationFilter authenticationFilter() throws Exception {
       SAMLAttributeAuthenticationFilter filter = new SAMLAttributeAuthenticationFilter();
       filter.setAuthenticationManager(authenticationManagerBean());
@@ -136,6 +134,7 @@ protected void configure(HttpSecurity http) throws Exception {
       http
         .csrf().disable()
         .addFilterBefore(authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
+        .addFilterBefore(new ForceAuthnFilter(samlMessageHandler), SAMLAttributeAuthenticationFilter.class)
         .authorizeRequests()
         .antMatchers("/", "/metadata", "/favicon.ico", "/api/**", "/*.css", "/*.js").permitAll()
         .antMatchers("/admin/**").hasRole("ADMIN")

mujina-sp/pom.xml

@@ -20,7 +20,7 @@
   <parent>
     <groupId>org.openconext</groupId>
     <artifactId>mujina</artifactId>
-    <version>7.0.6</version>
+    <version>7.0.7</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

mujina-sp/src/main/java/mujina/sp/RoleSAMLAuthenticationProvider.java

@@ -11,7 +11,6 @@ public class RoleSAMLAuthenticationProvider extends SAMLAuthenticationProvider {
 
   @Override
   protected Collection<? extends GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail) {
-    //TODO based on ??
     return AuthorityUtils.createAuthorityList("ROLE_USER");
   }
 }

mujina-sp/src/main/java/mujina/sp/WebSecurityConfigurer.java

@@ -101,7 +101,7 @@ public SAMLEntryPoint samlEntryPoint() {
     WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
     webSSOProfileOptions.setIncludeScoping(false);
 
-    SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
+    SAMLEntryPoint samlEntryPoint = new ConfigurableSAMLEntryPoint();
     samlEntryPoint.setFilterProcessesUrl("login");
     samlEntryPoint.setDefaultProfileOptions(webSSOProfileOptions);
     return samlEntryPoint;
@@ -122,7 +122,7 @@ public void configure(WebSecurity web) throws Exception {
   protected void configure(HttpSecurity http) throws Exception {
     http
       .authorizeRequests()
-      .antMatchers("/", "/metadata", "/favicon.ico", "/*.css", "/api/**", assertionConsumerServiceURLPath + "/**").permitAll()
+      .antMatchers("/", "/metadata", "/favicon.ico", "/*.css", "/sp.js", "/api/**", assertionConsumerServiceURLPath + "/**").permitAll()
       .anyRequest().hasRole("USER")
       .and()
       .httpBasic().authenticationEntryPoint(samlEntryPoint())

mujina-sp/src/main/resources/public/main.css

@@ -54,6 +54,10 @@ a.button {
     display: inline-block;
     transition: all 0.1s linear;
 }
+section.force-authn {
+    margin-top: 25px;
+    margin-left: -100px;
+}
 .button:hover {
     background-color: #4fa9c5;
 }

mujina-sp/src/main/resources/templates/index.html

@@ -3,12 +3,17 @@
 <head>
     <title>Mujina Service Provider</title>
     <link rel="stylesheet" type="text/css" href="/main.css"/>
+    <script th:src="@{/sp.js}"></script>
 </head>
 <body>
 <section class="login-container">
     <section class="login">
         <h1>Mujina Service Provider</h1>
-        <a class="button" th:href="@{/user.html}">Login</a>
+        <a id="user-link" class="button" th:href="@{/user.html?force-authn=false}">Login</a>
+        <section class="force-authn">
+            <input type="checkbox" id="force-authn" name="force-authn"/>
+            <label for="force-authn">Force Authn request?</label>
+        </section>
     </section>
     <a class="powered-by" href="https://openconext.org/" target="_blank">Copyright © 2018 OpenConext</a>
 </section>

pom.xml

@@ -20,7 +20,7 @@
 
   <groupId>org.openconext</groupId>
   <artifactId>mujina</artifactId>
-  <version>7.0.6</version>
+  <version>7.0.7</version>
   <packaging>pom</packaging>
 
   <properties>