Timestamp:
10/08/07 16:31:59 (12 years ago)
Author:
pjkersha
Message:

ows_server/ows_server/models/ndgSecurity.py:

handling

found to be invalid

ows_server/ows_server/controllers/login.py:

  • use security.util.setSecuritySession to set correct security keys for

session object

ows_server/ows_server/controllers/logout.py:

  • got rid of proxy cert authentication for SOAP messages. Use application

cert with sessID instead.

ows_server/ows_server/lib/security_util.py:

ows_server/ows_server/lib/base.py:

Location:
TI05-delivery/ows_framework/trunk/ows_server/ows_server
Files:
5 edited

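--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
@@ -3,5 +3,5 @@
 
 from ows_server.lib.base import *
-from ows_server.lib.security_util import LoginServiceQuery
+from ows_server.lib.security_util import setSecuritySession, LoginServiceQuery
 from ows_common.exception_report import OwsError
 from paste.request import parse_querystring
@@ -133,8 +133,5 @@
         
         # Make a security cookie here ...
-        session['ndgSec']={'h':smURI,
-                           'u':username,
-                           'roles':attCert.roles,
-                           'sid':sessID}
+        setSecuritySession(h=smURI,u=username,roles=attCert.roles,sid=sessID)
         session['panelView']='History'
         session.save()
@@ -181,4 +178,6 @@
         c.providers=dict([(k,v['loginURI']) for k,v in trustedHosts.items()])
         
+        if 'panelView' in session: del session['panelView']
+        session.save()
         return render_response('wayf')
         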
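Review bot: The `session.save()` on new line 137 is now redundant, because `setSecuritySession(...)` on line 135 already saves the session (the `SecuritySession.__init__` change in security_util.py in this same commit ends with `session.save()`); it is harmless, but a one-line comment or dropping it would keep a reader from assuming the second write is needed. The call itself should follow PEP 8 spacing: `setSecuritySession(h=smURI, u=username, roles=attCert.roles, sid=sessID)`. Since `setSecuritySession` is a class bound under a function-style name, this line constructs a `SecuritySession` instance purely for its side effect; a comment such as `# SecuritySession.__init__ writes these keys into session[SecuritySession.key] and saves` would make that explicit. The enclosing method starts before the hunk.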
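--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py
@@ -1,3 +1,5 @@
 from ows_server.lib.base import *
+from ows_server.lib.security_util import SecuritySession
+
 from paste.request import parse_querystring
 import sys # include in case tracefile is set to sys.stderr 
@@ -58,9 +60,4 @@
         self.__setup()
 
-        # If the user logged in locally, their proxy cert will be available 
-        # stored in the session object.  This can be used to authenticate in 
-        # the disconnect request.
-        wssCertChain = session['ndgSec'].get('wssCertChain')
-        
         # Look into the session and go kill the wallet
         if not hasattr(self, "smClnt"):
@@ -73,5 +70,4 @@
                             sslCACertFilePathList=self.sslCACertFilePathList,
                             sslPeerCertCN=self.sslPeerCertCN,
-                            signingCertChain=wssCertChain,
                             signingCertFilePath=self.wssCertFilePath,
                             signingPriKeyFilePath=self.wssPriKeyFilePath,
@@ -79,24 +75,13 @@
                             caCertFilePathList=self.wssCACertFilePathList,
                             tracefile=self.tracefile)
-
-        # Set authentication method for Session Manager.  If a
-        # proxy cert is available in the session then this can be used,
-        # otherwise use the session ID
-        if wssCertChain:
-            sessID = None
-            self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
-            self.smClnt.signatureHandler.signingPriKey = \
-                                                session['ndgSec']['wssPriKey']
-        else:
-            sessID = session['ndgSec']['sessID']
             
         # Disconnect from Session Manager
         try:
-            self.smClnt.disconnect(sessID=sessID)
+            self.smClnt.disconnect(sessID=session['ndgSec']['sid'])
         except Exception, e:
             c.xml = "Error disconnecting: %s" % e
         
         # easy to kill our cookie
-        if 'ndgSec' in session: del session['ndgSec']
+        SecuritySession.delete()
         if 'ndgCleared' in session: del session['ndgCleared']
         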
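Review bot: `self.smClnt.disconnect(sessID=session['ndgSec']['sid'])` on new line 80 indexes the session without first checking that the security key is present, so a logout request from a browser that has no security session raises `KeyError` inside the `try`, which the broad `except Exception` then reports to the page as "Error disconnecting: 'ndgSec'"; the ndgSecurity.py change in this same commit describes exactly that no-credentials situation. The key is also hard-coded as `'ndgSec'` while the same hunk switches the cleanup to `SecuritySession.delete()`, which goes through `SecuritySession.key`. I would read the id up front and skip the remote call when it is absent, e.g. `sessID = session[SecuritySession.key]['sid'] if SecuritySession.key in session else None` followed by `if sessID is not None: self.smClnt.disconnect(sessID=sessID)`. Keeping `SecuritySession.delete()` outside the `try` so the local session is cleared even when the Session Manager call fails is the right order for a logout and should stay as it is. The enclosing method starts before the hunk.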
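--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
@@ -8,6 +8,5 @@
 import ows_server.models as model
 import ows_server.lib.helpers as h
-from ows_server.lib.security_util import UpdateSecuritySession, \
-                                         LoginServiceQuery
+from ows_server.lib.security_util import setSecuritySession, LoginServiceQuery
 from ows_common import exceptions as OWS_E
 from ows_common.operations_metadata import OperationsMetadata, Operation, RequestMethod
@@ -32,5 +31,5 @@
         c.requestURL=construct_url(environ)
         if 'h' in request.params:
-            UpdateSecuritySession()
+            setSecuritySession()
             
             if 'panelView' not in session:
@@ -42,5 +41,4 @@
 
             cc=construct_url(environ,querystring=qs)
-             
             h.redirect_to(cc)
 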
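Review bot: The guard `if 'h' in request.params:` on line 32 tests only one of the security parameters before calling `setSecuritySession()`, which with no keyword arguments now reads every key in `LoginServiceQuery.keys` from the query string through `decodeRequestParams` (security_util.py in this commit); a URL that carries `h` but lacks the other keys therefore lands in that method's missing-argument path, which as written does not actually raise. A condition such as `if all(k in request.params for k in LoginServiceQuery.keys):` would make this controller independent of that handling, and `LoginServiceQuery` is already imported on line 10. The bare `'h'` literal presumably duplicates one of the names in `LoginServiceQuery.keys`; confirm against that definition. The enclosing function starts and ends outside the hunk.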
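--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py
@@ -28,8 +28,14 @@
     def __init__(self, **subKeys):
         """Update the security key of session object with the
-        input sub keys"""
+        input sub keys
         
+        type **subKeys: dict
+        param **subKeys: set any of the security keywords as contained in
+        SecuritySession.subKeys"""
+        
+        # Set the security session keys from request.params if no keywords 
+        # were input
         if subKeys == {}:
-            subKeys = request.params
+            subKeys = LoginServiceQuery.decodeRequestParams()
             
         # Ensure security key is present
@@ -43,16 +49,15 @@
         
         # Update security values
-        session[SecuritySession.key].update(subKeys)
-        
-        # Modify roles from a comma delimited string into a list
-        if 'roles' in subKeys:
-            # Roles were modified
-            session[SecuritySession.key]['roles'] = \
-                session[SecuritySession.key]['roles'].split(
-                                                LoginServiceQuery.rolesSep)
+        session[SecuritySession.key].update(subKeys)             
+        session.save()
+
+    @classmethod
+    def delete(self):
+        """Delete security key from session object"""
+        if SecuritySession.key in session:
+            del session[SecuritySession.key]
+            session.save()
             
-        session.save()
-                          
-UpdateSecuritySession = SecuritySession
+setSecuritySession = SecuritySession
            
 
@@ -67,5 +72,8 @@
         
     def __str__(self):
-        """Provide convenient short-cut for call to nake query string"""
+        """Provide convenient short-cut for call to make query string
+
+        @rtype: string
+        @return: URL query string with security args"""
         return self.makeQueryStr()
    
@@ -74,5 +82,7 @@
         """Create the query string containing the required security 
         credentials to return to the service provider
-        """
+        
+        @rtype: string
+        @return: URL query string with security args"""
         
         # Make a copy of the security session dict reseting the
@@ -88,6 +98,34 @@
     def stripFromURI(self):
         """Make a new query string using Pylons request.params but stripping
-        args relating to security"""
+        args relating to security
+        
+        @rtype: string
+        @return: URL query string with security args removed"""
         return LoginServiceQuery.argSep.join(['%s=%s' % (i,request.params[i])\
                                        for i in request.params \
                                        if i not in LoginServiceQuery.keys])
+
+    @classmethod
+    def decodeRequestParams(self):
+        """Get security parameters from request.params received from Login 
+        Service (IdP).  Decode parameters where necessary: roles are sent as a
+        comma delimited list - convert into a list type
+        
+        @rtype: dict
+        @return: dictionary of security parameters 
+        """
+        
+        try:
+            # request.params is actually a MultiDict type but for the purposes
+            # of this code it can be treated as a regular dict type
+            keys = dict([(k, request.params[k]) for k in self.keys])
+        except KeyError, e:
+            OwsError, \
+                '%s argument is missing from URL returned by Login Service' %\
+                str(e)
+                
+        # Modify roles from a comma delimited string into a list
+        if 'roles' in keys:
+            keys['roles'] = keys['roles'].split(LoginServiceQuery.rolesSep)
+
+        return keys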
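Review bot: In `decodeRequestParams` (new lines 122-125) the `except KeyError` handler evaluates `OwsError, '...'` as a tuple expression and never raises it, so a missing parameter is silently dropped and the next statement, `if 'roles' in keys:`, fails with `UnboundLocalError` because `keys` was never assigned; the line should read `raise OwsError, '%s argument is missing from URL returned by Login Service' % str(e)` (this assumes `OwsError` is imported in this module — the import block is outside the hunk). The new `delete` classmethod on line 55 names its first parameter `self` where the convention is `cls`, which would also let it use `cls.key` instead of `SecuritySession.key`. A short comment on `decodeRequestParams` would also help: it copies `h`, `u`, `roles` and `sid` from the query string into the session with no integrity check visible on this page, and the authorisation decision in ndgSecurity.py appears to rest on the Session Manager validating `sid` rather than on the session's `roles` list, so something like `# Values are taken from the IdP redirect as-is; authorisation is decided by the Session Manager via 'sid', not by 'roles' held here` would record what is and is not trusted at this boundary — confirm against the callers before asserting it.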
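--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
@@ -1,7 +1,10 @@
 import sys # tracefile config param may be set to e.g. sys.stderr
 
+from pylons import request
+
 from ows_common.exception_report import OwsError
-from pylons import request
-from ndg.security.common.SessionMgr import SessionMgrClient, \
+from ows_server.lib.security_util import SecuritySession
+from ndg.security.common.SessionMgr import SessionMgrClient, SessionNotFound,\
+    SessionCertTimeError, SessionExpired, InvalidSession, \
     AttributeRequestDenied
 
@@ -20,5 +23,7 @@
     AccessDeniedMsg = "Access Denied"
     NotLoggedInMsg = 'Not Logged in'
-    
+    SessionExpiredMsg = 'Session has expired.  Please re-login'
+    InvalidSessionMsg = 'Session is invalid.  Please try re-login'
+
     def __init__(self, securityElement, securityTokens):
         """Initialise settings for WS-Security and SSL for SOAP
@@ -76,4 +81,18 @@
         except AttributeError:
             raise OwsError, 'NDG Security Error: No %s'%m
+        
+        # Check self.securityTokens - if not set then the user mustn't be 
+        # logged in.  This situation is possible if a user has been denied
+        # access to data and then tried to logout - after log out they are
+        # redirected back to the page where they tried accessing data but this
+        # time they will have no security credential set
+        if not self.securityTokens:
+            # Try to recover and do something sensible
+            #
+            # TODO: this adds insult to injury if the person has just been
+            # denied access to data.  Instead do a redirect back to the 
+            # discovery page?
+            # P J Kershaw 10/08/07
+            return False, self.__class__.NotLoggedInMsg
 
         # Create Session Manager client
@@ -136,5 +155,5 @@
         Certificate with the required role to gain access to the resource
         in question"""
-        
+            
         try:
 
@@ -147,10 +166,30 @@
             self.reqAAURI="http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
             attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
-                                             sessID=self.securityTokens['sessID'],
+                                             sessID=self.securityTokens['sid'],
                                              reqRole=self.reqRole)
 
         except AttributeRequestDenied, e:
             # TODO: write exception to log
-            return False, self.__class__.AccessDeniedMsg
+            return False, str(e)
+        
+        except SessionNotFound, e:
+            # Clear the security details from the session object
+            SecuritySession.delete()
+            return False, self.__class__.NotLoggedInMsg
+
+        except SessionExpired, e:
+            # Clear the security details from the session object
+            SecuritySession.delete()
+            return False, self.__class__.SessionExpiredMsg
+
+        except SessionCertTimeError, e:
+            # Clear the security details from the session object
+            SecuritySession.delete()
+            return False, self.__class__.InvalidSessionMsg
+            
+        except InvalidSession, e:
+            SecuritySession.delete()
+            return False, self.__class__.InvalidSessionMsg
+
         except Exception, e:
             raise OwsError, "Gatekeeper request for attribute certificate: "+\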
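Review bot: `return False, str(e)` on new line 173 replaces the fixed `AccessDeniedMsg` with the raw text of the `AttributeRequestDenied` exception produced by the Session Manager client, so whatever that remote service puts in its message is now shown to the end user; unless that text is known to be user-safe, I would keep returning `self.__class__.AccessDeniedMsg` and send `str(e)` to the log that the `# TODO: write exception to log` line already asks for. The four new handlers on lines 175-192 each bind `e` without using it and repeat `SecuritySession.delete()`; a single `except (SessionNotFound, SessionExpired, SessionCertTimeError, InvalidSession), e:` that clears the session once and picks the message from a small type-to-message mapping would remove the duplication, and the bare `except InvalidSession` branch lacks the clearing comment the other three carry. The enclosing method and its trailing `except Exception` clause continue past the end of the hunk.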