@Override
protected void internalInit() {
extractor = new BasicAuthExtractor(headerName, prefixHeader, getName());
super.internalInit();
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
CommonHelper.assertNotBlank("realmName", this.realmName);
}
@Override
protected void internalInit(final WebContext context) {
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
if (CommonHelper.isBlank(this.casLoginUrl) && CommonHelper.isBlank(this.casPrefixUrl)) {
throw new TechnicalException("casLoginUrl and casPrefixUrl cannot be both blank");
}
initializeClientConfiguration();
initializeLogoutHandler(context);
if (this.casProtocol == CasProtocol.CAS10) {
initializeCas10Protocol();
} else if (this.casProtocol == CasProtocol.CAS20) {
initializeCas20Protocol(context);
} else if (this.casProtocol == CasProtocol.CAS20_PROXY) {
initializeCas20ProxyProtocol(context);
} else if (this.casProtocol == CasProtocol.CAS30) {
initializeCas30Protocol(context);
} else if (this.casProtocol == CasProtocol.CAS30_PROXY) {
initializeCas30ProxyProtocol(context);
} else if (this.casProtocol == CasProtocol.SAML) {
initializeSAMLProtocol();
}
addAuthorizationGenerator(new DefaultCasAuthorizationGenerator<CasProfile>());
}
@Override
protected void internalInit() {
super.internalInit();
CommonHelper.assertNotBlank("scope", this.scope);
CommonHelper.assertNotBlank("fields", this.fields);
StateApi20 api20 = new LinkedInApi20();
this.service =
new LinkedInOAuth20ServiceImpl(
api20,
new OAuthConfig(
this.key, this.secret, this.callbackUrl, SignatureType.Header, this.scope, null),
this.connectTimeout,
this.readTimeout,
this.proxyHost,
this.proxyPort);
}
@Override
protected void internalInit() {
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
CommonHelper.assertNotNull("logoutHandler", this.logoutHandler);
if (CommonHelper.isBlank(this.casLoginUrl) && CommonHelper.isBlank(this.casPrefixUrl)) {
throw new TechnicalException("casLoginUrl and casPrefixUrl cannot be both blank");
}
if (this.casPrefixUrl != null && !this.casPrefixUrl.endsWith("/")) {
this.casPrefixUrl += "/";
}
if (CommonHelper.isBlank(this.casPrefixUrl)) {
this.casPrefixUrl = this.casLoginUrl.replaceFirst("/login", "/");
} else if (CommonHelper.isBlank(this.casLoginUrl)) {
this.casLoginUrl = this.casPrefixUrl + "login";
}
if (this.casProtocol == CasProtocol.CAS10) {
this.ticketValidator = new Cas10TicketValidator(this.casPrefixUrl);
} else if (this.casProtocol == CasProtocol.CAS20) {
this.ticketValidator = new Cas20ServiceTicketValidator(this.casPrefixUrl);
if (this.casProxyReceptor != null) {
final Cas20ServiceTicketValidator cas20ServiceTicketValidator =
(Cas20ServiceTicketValidator) this.ticketValidator;
cas20ServiceTicketValidator.setProxyCallbackUrl(this.casProxyReceptor.getCallbackUrl());
cas20ServiceTicketValidator.setProxyGrantingTicketStorage(
this.casProxyReceptor.getProxyGrantingTicketStorage());
}
} else if (this.casProtocol == CasProtocol.CAS20_PROXY) {
this.ticketValidator = new Cas20ProxyTicketValidator(this.casPrefixUrl);
final Cas20ProxyTicketValidator cas20ProxyTicketValidator =
(Cas20ProxyTicketValidator) this.ticketValidator;
cas20ProxyTicketValidator.setAcceptAnyProxy(this.acceptAnyProxy);
cas20ProxyTicketValidator.setAllowedProxyChains(this.allowedProxyChains);
if (this.casProxyReceptor != null) {
cas20ProxyTicketValidator.setProxyCallbackUrl(this.casProxyReceptor.getCallbackUrl());
cas20ProxyTicketValidator.setProxyGrantingTicketStorage(
this.casProxyReceptor.getProxyGrantingTicketStorage());
}
} else if (this.casProtocol == CasProtocol.SAML) {
this.ticketValidator = new Saml11TicketValidator(this.casPrefixUrl);
}
}
@Override
protected void internalInit(final WebContext context) {
super.internalInit(context);
CommonHelper.assertNotBlank("fields", this.fields);
this.api20 = new ExtendedFacebookApi();
if (StringUtils.isNotBlank(this.scope)) {
this.service =
new StateOAuth20ServiceImpl(
this.api20,
new OAuthConfig(
this.key,
this.secret,
computeFinalCallbackUrl(context),
SignatureType.Header,
this.scope,
null),
this.connectTimeout,
this.readTimeout,
this.proxyHost,
this.proxyPort);
} else {
this.service =
new StateOAuth20ServiceImpl(
this.api20,
new OAuthConfig(
this.key,
this.secret,
computeFinalCallbackUrl(context),
SignatureType.Header,
null,
null),
this.connectTimeout,
this.readTimeout,
this.proxyHost,
this.proxyPort);
}
}
@Override
public R perform(
final C context,
final Config config,
final HttpActionAdapter<R, C> httpActionAdapter,
final String inputDefaultUrl,
final Boolean inputMultiProfile,
final Boolean inputRenewSession) {
logger.debug("=== CALLBACK ===");
// default values
final String defaultUrl;
if (inputDefaultUrl == null) {
defaultUrl = Pac4jConstants.DEFAULT_URL_VALUE;
} else {
defaultUrl = inputDefaultUrl;
}
final boolean multiProfile;
if (inputMultiProfile == null) {
multiProfile = false;
} else {
multiProfile = inputMultiProfile;
}
final boolean renewSession;
if (inputRenewSession == null) {
renewSession = true;
} else {
renewSession = inputRenewSession;
}
// checks
assertNotNull("context", context);
assertNotNull("config", config);
assertNotNull("httpActionAdapter", httpActionAdapter);
assertNotBlank(Pac4jConstants.DEFAULT_URL, defaultUrl);
final Clients clients = config.getClients();
assertNotNull("clients", clients);
// logic
final Client client = clients.findClient(context);
logger.debug("client: {}", client);
assertNotNull("client", client);
assertTrue(
client instanceof IndirectClient, "only indirect clients are allowed on the callback url");
HttpAction action;
try {
final Credentials credentials = client.getCredentials(context);
logger.debug("credentials: {}", credentials);
final CommonProfile profile = client.getUserProfile(credentials, context);
logger.debug("profile: {}", profile);
saveUserProfile(context, profile, multiProfile, renewSession);
action = redirectToOriginallyRequestedUrl(context, defaultUrl);
} catch (final HttpAction e) {
logger.debug("extra HTTP action required in callback: {}", e.getCode());
action = e;
}
return httpActionAdapter.adapt(action.getCode(), context);
}
@Override
protected void internalInit() {
CommonHelper.assertTrue(
CommonHelper.isNotBlank(this.idpMetadata) || CommonHelper.isNotBlank(this.idpMetadataPath),
"Either idpMetadata or idpMetadataPath must be provided");
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
if (!this.callbackUrl.startsWith("http")) {
throw new TechnicalException("SAML callbackUrl must be absolute");
}
if (CommonHelper.isNotBlank(this.keystorePath)
|| CommonHelper.isNotBlank(this.keystorePassword)
|| CommonHelper.isNotBlank(this.privateKeyPassword)) {
CommonHelper.assertNotBlank("keystorePath", this.keystorePath);
CommonHelper.assertNotBlank("keystorePassword", this.keystorePassword);
CommonHelper.assertNotBlank("privateKeyPassword", this.privateKeyPassword);
// load private key from the keystore and provide it as OpenSAML credentials
this.credentialProvider =
new CredentialProvider(this.keystorePath, this.keystorePassword, this.privateKeyPassword);
this.decrypter = new EncryptionProvider(this.credentialProvider).buildDecrypter();
}
// Bootsrap OpenSAML
try {
DefaultBootstrap.bootstrap();
NamedKeyInfoGeneratorManager manager =
Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
X509KeyInfoGeneratorFactory generator = new X509KeyInfoGeneratorFactory();
generator.setEmitEntityCertificate(true);
generator.setEmitEntityCertificateChain(true);
manager.registerFactory(Saml2Client.SAML_METADATA_KEY_INFO_GENERATOR, generator);
} catch (ConfigurationException e) {
throw new SamlException("Error bootstrapping OpenSAML", e);
}
// required parserPool for XML processing
final StaticBasicParserPool parserPool = newStaticBasicParserPool();
final AbstractMetadataProvider idpMetadataProvider = idpMetadataProvider(parserPool);
final XMLObject md;
try {
md = idpMetadataProvider.getMetadata();
} catch (MetadataProviderException e) {
throw new SamlException("Error initializing idpMetadataProvider", e);
}
// If no idpEntityId declared, select first EntityDescriptor entityId as our IDP entityId
if (this.idpEntityId == null) {
this.idpEntityId = getIdpEntityId(md);
}
// Generate our Service Provider metadata
Saml2MetadataGenerator metadataGenerator = new Saml2MetadataGenerator();
if (this.credentialProvider != null) {
metadataGenerator.setCredentialProvider(this.credentialProvider);
metadataGenerator.setAuthnRequestSigned(true);
}
// If the spEntityId is blank, use the callback url
if (CommonHelper.isBlank(this.spEntityId)) {
this.spEntityId = getCallbackUrl();
}
metadataGenerator.setEntityId(this.spEntityId);
// Assertion consumer service url is the callback url
metadataGenerator.setAssertionConsumerServiceUrl(getCallbackUrl());
// for now same for logout url
metadataGenerator.setSingleLogoutServiceUrl(getCallbackUrl());
AbstractMetadataProvider spMetadataProvider = metadataGenerator.buildMetadataProvider();
// Initialize metadata provider for our SP and get the XML as a String
try {
spMetadataProvider.initialize();
this.spMetadata = metadataGenerator.printMetadata();
} catch (MetadataProviderException e) {
throw new TechnicalException("Error initializing spMetadataProvider", e);
} catch (MarshallingException e) {
logger.warn("Unable to print SP metadata", e);
}
// Put IDP and SP metadata together
ChainingMetadataProvider metadataManager = new ChainingMetadataProvider();
try {
metadataManager.addMetadataProvider(idpMetadataProvider);
metadataManager.addMetadataProvider(spMetadataProvider);
} catch (MetadataProviderException e) {
throw new TechnicalException("Error adding idp or sp metadatas to manager", e);
}
// Build the contextProvider
this.contextProvider =
new Saml2ContextProvider(metadataManager, this.idpEntityId, this.spEntityId);
// Get an AuthnRequest builder
this.authnRequestBuilder =
new Saml2AuthnRequestBuilder(forceAuth, comparisonType, destinationBindingType);
// Build the WebSSO handler for sending and receiving SAML2 messages
MessageEncoder encoder = null;
if (SAMLConstants.SAML2_POST_BINDING_URI.equals(destinationBindingType)) {
// Get a velocity engine for the HTTP-POST binding (building of an HTML document)
VelocityEngine velocityEngine = VelocityEngineFactory.getEngine();
encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm");
} else if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(destinationBindingType)) {
encoder = new HTTPRedirectDeflateEncoder();
} else {
throw new UnsupportedOperationException(
"Binding type - " + destinationBindingType + " is not supported");
}
// Do we need binding specific decoder?
MessageDecoder decoder = new Pac4jHTTPPostDecoder(parserPool);
this.handler =
new Saml2WebSSOProfileHandler(
this.credentialProvider, encoder, decoder, parserPool, destinationBindingType);
// Build provider for digital signature validation and encryption
this.signatureTrustEngineProvider = new SignatureTrustEngineProvider(metadataManager);
// Build the SAML response validator
this.responseValidator = new Saml2ResponseValidator();
if (this.maximumAuthenticationLifetime != null) {
this.responseValidator.setMaximumAuthenticationLifetime(this.maximumAuthenticationLifetime);
}
}
@Override
protected void internalInit(final WebContext context) {
CommonHelper.assertNotBlank("publicKey", this.publicKey);
super.internalInit(context);
}
