/** {@inheritDoc} */ protected void processAttribute(XMLObject xmlObject, Attr attribute) throws UnmarshallingException { AttributeDesignatorType attributeDesignatorType = (AttributeDesignatorType) xmlObject; if (attribute.getLocalName().equals(AttributeDesignatorType.ATTRIBUTE_ID_ATTRIB_NAME)) { attributeDesignatorType.setAttribtueId( DatatypeHelper.safeTrimOrNullString(attribute.getValue())); } else if (attribute.getLocalName().equals(AttributeDesignatorType.DATA_TYPE_ATTRIB_NAME)) { attributeDesignatorType.setDataType( DatatypeHelper.safeTrimOrNullString(attribute.getValue())); } else if (attribute.getLocalName().equals(AttributeDesignatorType.ISSUER_ATTRIB_NAME)) { attributeDesignatorType.setIssuer(DatatypeHelper.safeTrimOrNullString(attribute.getValue())); } else if (attribute .getLocalName() .equals(AttributeDesignatorType.MUST_BE_PRESENT_ATTRIB_NAME)) { if (attribute.getValue().equals("True") || attribute.getValue().equals("true")) { attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("1")); } else { attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("0")); } } else { super.processAttribute(xmlObject, attribute); } }
/** * Validates that the authentication was successfully performed by the login handler. An * authentication is considered successful if no error is bound to the request attribute {@link * LoginHandler#AUTHENTICATION_ERROR_KEY} and there is a value for at least one of the following * request attributes: {@link LoginHandler#SUBJECT_KEY}, {@link LoginHandler#PRINCIPAL_KEY}, or * {@link LoginHandler#PRINCIPAL_NAME_KEY}. * * @param loginContext current login context * @param httpRequest current HTTP request * @param authenticationMethod the authentication method used to authenticate the user * @throws AuthenticationException thrown if the authentication was not successful */ protected void validateSuccessfulAuthentication( LoginContext loginContext, HttpServletRequest httpRequest, String authenticationMethod) throws AuthenticationException { LOG.debug("Validating authentication was performed successfully"); if (authenticationMethod == null) { LOG.error("No authentication method reported by login handler."); throw new AuthenticationException("No authentication method reported by login handler."); } String errorMessage = DatatypeHelper.safeTrimOrNullString( (String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY)); if (errorMessage != null) { LOG.debug( "Error returned from login handler for authentication method {}:\n{}", loginContext.getAttemptedAuthnMethod(), errorMessage); loginContext.setAuthenticationFailure(new AuthenticationException(errorMessage)); loginContext.setPrincipalAuthenticated(false); return; } AuthenticationException authnException = (AuthenticationException) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY); if (authnException != null) { LOG.debug( "Exception returned from login handler for authentication method {}:\n{}", loginContext.getAttemptedAuthnMethod(), authnException); loginContext.setAuthenticationFailure(authnException); loginContext.setPrincipalAuthenticated(false); return; } Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY); Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY); String principalName = DatatypeHelper.safeTrimOrNullString( (String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY)); if (subject == null && principal == null && principalName == null) { LOG.error("No user identified by login handler."); throw new AuthenticationException("No user identified by login handler."); } }
/** {@inheritDoc} */ protected void unmarshallTextContent(XMLObject xmlObject, Text content) throws UnmarshallingException { String textContent = DatatypeHelper.safeTrimOrNullString(content.getWholeText()); if (textContent != null) { XSQName qname = (XSQName) xmlObject; qname.setValue(XMLHelper.constructQName(textContent, XMLHelper.getElementAncestor(content))); } }
/** * Constructor. * * @param extensionSchemas classpath location of metadata extension schemas, may be null */ public SchemaValidationFilter(String[] extensionSchemas) { if (extensionSchemas != null) { for (String extension : extensionSchemas) { extension = DatatypeHelper.safeTrimOrNullString(extension); if (extension != null) { SAMLSchemaBuilder.addExtensionSchema(extension); } } } }
/** * Gets the list of request paths the profile handler handles. * * @param config profile handler configuration element * @return list of request paths the profile handler handles */ protected List<String> getRequestPaths(Element config) { ArrayList<String> requestPaths = new ArrayList<String>(); List<Element> requestPathElems = XMLHelper.getChildElementsByTagName(config, "RequestPath"); if (requestPathElems != null) { for (Element requestPathElem : requestPathElems) { requestPaths.add(DatatypeHelper.safeTrimOrNullString(requestPathElem.getTextContent())); } } return requestPaths; }
/** {@inheritDoc} */ public void init(ServletConfig config) throws ServletException { super.init(config); String retain = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PRIVATE_CREDENTIALS)); if (retain != null) { retainSubjectsPrivateCredentials = Boolean.parseBoolean(retain); } else { retainSubjectsPrivateCredentials = false; } retain = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PUBLIC_CREDENTIALS)); if (retain != null) { retainSubjectsPublicCredentials = Boolean.parseBoolean(retain); } else { retainSubjectsPublicCredentials = false; } context = config.getServletContext(); handlerManager = HttpServletHelper.getProfileHandlerManager(context); sessionManager = HttpServletHelper.getSessionManager(context); storageService = (StorageService<String, LoginContextEntry>) HttpServletHelper.getStorageService(context); }
/** {@inheritDoc} */ public void init(ServletConfig config) throws ServletException { super.init(config); allowedIPs = new LazyList<IPRange>(); String cidrBlocks = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(IP_PARAM_NAME)); if (cidrBlocks != null) { for (String cidrBlock : cidrBlocks.split(" ")) { allowedIPs.add(IPRange.parseCIDRBlock(cidrBlock)); } } dateFormat = ISODateTimeFormat.dateTimeNoMillis(); startTime = new DateTime(ISOChronology.getInstanceUTC()); attributeResolver = HttpServletHelper.getAttributeResolver(config.getServletContext()); rpConfigManager = HttpServletHelper.getRelyingPartyConfirmationManager(config.getServletContext()); }
/** * Gets the subject from the request coming back from the login handler. * * @param httpRequest request coming back from the login handler * @return the {@link Subject} created from the request * @throws AuthenticationException thrown if no subject can be retrieved from the request */ protected Subject getLoginHandlerSubject(HttpServletRequest httpRequest) throws AuthenticationException { Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY); Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY); String principalName = DatatypeHelper.safeTrimOrNullString( (String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY)); if (subject == null && (principal != null || principalName != null)) { subject = new Subject(); if (principal == null) { principal = new UsernamePrincipal(principalName); } subject.getPrincipals().add(principal); } return subject; }
/** * Completes the authentication process. * * <p>The principal name set by the authentication handler is retrieved and pushed in to the login * context, a Shibboleth session is created if needed, information indicating that the user has * logged into the service is recorded and finally control is returned back to the profile * handler. * * @param loginContext current login context * @param httpRequest current HTTP request * @param httpResponse current HTTP response */ protected void completeAuthentication( LoginContext loginContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse) { LOG.debug("Completing user authentication process"); Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE); try { // We allow a login handler to override the authentication method in the // event that it supports multiple methods String actualAuthnMethod = DatatypeHelper.safeTrimOrNullString( (String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY)); if (actualAuthnMethod != null) { if (!loginContext.getRequestedAuthenticationMethods().isEmpty() && !loginContext.getRequestedAuthenticationMethods().contains(actualAuthnMethod)) { String msg = "Relying patry required an authentication method of " + loginContext.getRequestedAuthenticationMethods() + " but the login handler performed " + actualAuthnMethod; LOG.error(msg); throw new AuthenticationException(msg); } } else { actualAuthnMethod = loginContext.getAttemptedAuthnMethod(); } // Check to make sure the login handler did the right thing validateSuccessfulAuthentication(loginContext, httpRequest, actualAuthnMethod); if (loginContext.getAuthenticationFailure() != null) { returnToProfileHandler(httpRequest, httpResponse); return; } // Check for an overridden authn instant. DateTime actualAuthnInstant = (DateTime) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_INSTANT_KEY); // Get the Subject from the request. If force authentication was required then make sure the // Subject identifies the same user that authenticated before Subject subject = getLoginHandlerSubject(httpRequest); if (loginContext.isForceAuthRequired()) { validateForcedReauthentication(idpSession, actualAuthnMethod, subject); // Reset the authn instant. if (actualAuthnInstant == null) { actualAuthnInstant = new DateTime(); } } loginContext.setPrincipalAuthenticated(true); updateUserSession( loginContext, subject, actualAuthnMethod, actualAuthnInstant, httpRequest, httpResponse); LOG.debug( "User {} authenticated with method {}", loginContext.getPrincipalName(), loginContext.getAuthenticationMethod()); } catch (AuthenticationException e) { LOG.error("Authentication failed with the error:", e); loginContext.setPrincipalAuthenticated(false); loginContext.setAuthenticationFailure(e); } returnToProfileHandler(httpRequest, httpResponse); }