public class DuoHttpSecurityFilter extends DuoHttpSecurityService implements javax.servlet.Filter
The behavior of this Filter is identical to that of the regular jespa.http.HttpSecurityFilter, but it extends DuoHttpSecurityService to add the Duo functionality.
See the DuoHttpSecurityService API documentation for details.
To configure this Filter, provide DuoHttpSecurityService properties using init-params or indirectly using the properties.path property to load properties from a properties file.
The following web.xml fragment illustrates how to use the properties.path property to load DuoHttpSecurityService properties:
```xml
<filter>
    <filter-name>DuoHttpSecurityFilter</filter-name>
    <filter-class>jespa.http.DuoHttpSecurityFilter</filter-class>
    <init-param>
        <param-name>properties.path</param-name>
        <param-value>file://path/to/jetty/base/etc/ntlm_duo.prp</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>DuoHttpSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
file:/ (one slash) followed by the host specific path like file:/C:\path\to\tomcat\base\conf\ntlm_duo.prp.
A non-absolute properties.path property is relative to the webapp context root like /WEB-INF/ntlm_duo.prp.
See the HSS description of the properties.path property for details.
The ntlm_duo.prp file in this example might look something like the following:

```properties
# HttpSecurityService Properties
provider.classname = jespa.ntlm.NtlmSecurityProvider
http.parameter.username.name = username
http.parameter.password.name = password
http.parameter.logout.name = logout
fallback.location = /mctrl/login
excludes = /login
groups.allowed = BUSICORP\\MCTRL Dashboard, BUSICORP\\MCTRL Agents

# NtlmSecurityProvider Properties
jespa.log.path = /path/to/jetty/base/logs/jespa.log
jespa.log.level = 4
jespa.account.canonicalForm = 3
jespa.bindstr = busi.corp
jespa.dns.servers = 192.168.15.110,192.168.15.115
jespa.dns.site = USNY
jespa.service.acctname = mctrl$@busi.corp
jespa.service.password = koM~9-DUt$00yUw

# DuoHttpSecurityService Properties
duo.clientId = DIRSJWINVALIDK72JSU2
duo.clientSecret = kSKf93kInValidPDfKNdI2lsLmVUiT90011sMCn
duo.api.host = api-1234abcd.duosecurity.com
duo.redirect.uri = https://apps1.busi.corp:8443/mctrl/duo-callback
duo.failmode = OPEN
duo.excludes = /api/v1/userctrl,/api/v1/bindings/*.sch
```
See the Installation section in the Jespa Operator's Manual for details.
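As an added example (not part of the Jespa documentation or code), the following Python script reviews a properties file like the one above for settings that deserve a second look before deployment. It assumes that duo.failmode = OPEN lets requests proceed when Duo cannot be reached and that duo.excludes lists paths that skip the Duo step; the function names and the sample text are constructed here, and only `key = value` lines are parsed.

```python
import stat
import sys
from pathlib import Path

SECRET_KEYS = ("jespa.service.password", "duo.clientSecret")

def parse_prp(text):
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(props, mode=None):
    """Return findings; mode is the file's st_mode, or None to skip that check."""
    findings = []
    # Assumption: OPEN means requests proceed without Duo when Duo is unreachable.
    if props.get("duo.failmode", "").upper() == "OPEN":
        findings.append("duo.failmode = OPEN")
    # Assumption: each duo.excludes entry is a path that skips the Duo step.
    for path in props.get("duo.excludes", "").split(","):
        if path.strip():
            findings.append("duo.excludes: " + path.strip())
    uri = props.get("duo.redirect.uri", "")
    if uri and not uri.lower().startswith("https://"):
        findings.append("duo.redirect.uri is not https")
    secrets = [k for k in SECRET_KEYS if props.get(k)]
    if secrets and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other can access file holding " + ", ".join(secrets))
    return findings

# Constructed sample: a subset of the page's properties with placeholder secrets.
SAMPLE = """\
# DuoHttpSecurityService Properties
jespa.service.password = PLACEHOLDER
duo.clientSecret = PLACEHOLDER
duo.redirect.uri = https://apps1.busi.corp:8443/mctrl/duo-callback
duo.failmode = OPEN
duo.excludes = /api/v1/userctrl,/api/v1/bindings/*.sch
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = Path(path).read_text() if path else SAMPLE
    mode = Path(path).stat().st_mode if path else 0o100644
    print("\n".join(audit(parse_prp(text), mode)) or "no findings")
```

Run it with the path to the properties file as its only argument; the permission check uses POSIX mode bits, so it is only meaningful on Unix-like hosts.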
The complete DuoHttpSecurityFilter code is simply the following:
```java
package jespa.http;

import java.util.Map;
import java.util.HashMap;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;

import jespa.security.SecurityProviderException;

public class DuoHttpSecurityFilter extends DuoHttpSecurityService implements Filter
{
    public void init(FilterConfig config) throws ServletException
    {
        Map<String,String> properties = new HashMap();
        Enumeration<String> e = config.getInitParameterNames();
        while (e.hasMoreElements()) {
            String name = e.nextElement();
            properties.put(name, config.getInitParameter(name));
        }
        try {
            super.init(config.getFilterName(), config.getServletContext(), properties);
        } catch (SecurityProviderException spe) {
            throw new ServletException(spe);
        }
    }
}
```
The above code listing shows that this class converts all init-params into a Map of properties, which it then passes to the DuoHttpSecurityService.init(java.lang.String, javax.servlet.ServletContext, java.util.Map) method.
This code might be used as a template to create your own custom Filter that extends DuoHttpSecurityService and potentially overrides functionality of that class.
DUO_TOKEN_FAILED_OPEN
Constructor and Description |
---|
DuoHttpSecurityFilter() |
Modifier and Type | Method and Description |
---|---|
void | init(javax.servlet.FilterConfig config) This method just converts all init-params into a Map of properties which it then passes to DuoHttpSecurityService.init(). |
doFilter, init, isDuoProtected, isLogout, onDuoException, onDuoResult, onException, onPropertiesUpdate
destroy, getBindingsCertHashPolicy, getBindingsTargetSpnsPolicy, getConnectionId, getRequestCredential, getRequestPath, getServletContext, init, isAllowedAccess, isAnonymous, isProtected, matchWildcard, toString
public void init(javax.servlet.FilterConfig config) throws javax.servlet.ServletException
DuoHttpSecurityService
.init
in interface javax.servlet.Filter
javax.servlet.ServletException