/** {@inheritDoc} */
  protected void processAttribute(XMLObject xmlObject, Attr attribute)
      throws UnmarshallingException {

    AttributeDesignatorType attributeDesignatorType = (AttributeDesignatorType) xmlObject;

    if (attribute.getLocalName().equals(AttributeDesignatorType.ATTRIBUTE_ID_ATTRIB_NAME)) {
      attributeDesignatorType.setAttribtueId(
          DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
    } else if (attribute.getLocalName().equals(AttributeDesignatorType.DATA_TYPE_ATTRIB_NAME)) {
      attributeDesignatorType.setDataType(
          DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
    } else if (attribute.getLocalName().equals(AttributeDesignatorType.ISSUER_ATTRIB_NAME)) {
      attributeDesignatorType.setIssuer(DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
    } else if (attribute
        .getLocalName()
        .equals(AttributeDesignatorType.MUST_BE_PRESENT_ATTRIB_NAME)) {
      if (attribute.getValue().equals("True") || attribute.getValue().equals("true")) {
        attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("1"));
      } else {
        attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("0"));
      }
    } else {
      super.processAttribute(xmlObject, attribute);
    }
  }
  /**
   * Validates that the authentication was successfully performed by the login handler. An
   * authentication is considered successful if no error is bound to the request attribute {@link
   * LoginHandler#AUTHENTICATION_ERROR_KEY} and there is a value for at least one of the following
   * request attributes: {@link LoginHandler#SUBJECT_KEY}, {@link LoginHandler#PRINCIPAL_KEY}, or
   * {@link LoginHandler#PRINCIPAL_NAME_KEY}.
   *
   * @param loginContext current login context
   * @param httpRequest current HTTP request
   * @param authenticationMethod the authentication method used to authenticate the user
   * @throws AuthenticationException thrown if the authentication was not successful
   */
  protected void validateSuccessfulAuthentication(
      LoginContext loginContext, HttpServletRequest httpRequest, String authenticationMethod)
      throws AuthenticationException {
    LOG.debug("Validating authentication was performed successfully");

    if (authenticationMethod == null) {
      LOG.error("No authentication method reported by login handler.");
      throw new AuthenticationException("No authentication method reported by login handler.");
    }

    String errorMessage =
        DatatypeHelper.safeTrimOrNullString(
            (String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
    if (errorMessage != null) {
      LOG.debug(
          "Error returned from login handler for authentication method {}:\n{}",
          loginContext.getAttemptedAuthnMethod(),
          errorMessage);
      loginContext.setAuthenticationFailure(new AuthenticationException(errorMessage));
      loginContext.setPrincipalAuthenticated(false);
      return;
    }

    AuthenticationException authnException =
        (AuthenticationException)
            httpRequest.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
    if (authnException != null) {
      LOG.debug(
          "Exception returned from login handler for authentication method {}:\n{}",
          loginContext.getAttemptedAuthnMethod(),
          authnException);
      loginContext.setAuthenticationFailure(authnException);
      loginContext.setPrincipalAuthenticated(false);
      return;
    }

    Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
    Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
    String principalName =
        DatatypeHelper.safeTrimOrNullString(
            (String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));

    if (subject == null && principal == null && principalName == null) {
      LOG.error("No user identified by login handler.");
      throw new AuthenticationException("No user identified by login handler.");
    }
  }
Esempio n. 3
0
 /** {@inheritDoc} */
 protected void unmarshallTextContent(XMLObject xmlObject, Text content)
     throws UnmarshallingException {
   String textContent = DatatypeHelper.safeTrimOrNullString(content.getWholeText());
   if (textContent != null) {
     XSQName qname = (XSQName) xmlObject;
     qname.setValue(XMLHelper.constructQName(textContent, XMLHelper.getElementAncestor(content)));
   }
 }
 /**
  * Constructor.
  *
  * @param extensionSchemas classpath location of metadata extension schemas, may be null
  */
 public SchemaValidationFilter(String[] extensionSchemas) {
   if (extensionSchemas != null) {
     for (String extension : extensionSchemas) {
       extension = DatatypeHelper.safeTrimOrNullString(extension);
       if (extension != null) {
         SAMLSchemaBuilder.addExtensionSchema(extension);
       }
     }
   }
 }
  /**
   * Gets the list of request paths the profile handler handles.
   *
   * @param config profile handler configuration element
   * @return list of request paths the profile handler handles
   */
  protected List<String> getRequestPaths(Element config) {
    ArrayList<String> requestPaths = new ArrayList<String>();
    List<Element> requestPathElems = XMLHelper.getChildElementsByTagName(config, "RequestPath");
    if (requestPathElems != null) {
      for (Element requestPathElem : requestPathElems) {
        requestPaths.add(DatatypeHelper.safeTrimOrNullString(requestPathElem.getTextContent()));
      }
    }

    return requestPaths;
  }
  /** {@inheritDoc} */
  public void init(ServletConfig config) throws ServletException {
    super.init(config);

    String retain =
        DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PRIVATE_CREDENTIALS));
    if (retain != null) {
      retainSubjectsPrivateCredentials = Boolean.parseBoolean(retain);
    } else {
      retainSubjectsPrivateCredentials = false;
    }

    retain =
        DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PUBLIC_CREDENTIALS));
    if (retain != null) {
      retainSubjectsPublicCredentials = Boolean.parseBoolean(retain);
    } else {
      retainSubjectsPublicCredentials = false;
    }
    context = config.getServletContext();
    handlerManager = HttpServletHelper.getProfileHandlerManager(context);
    sessionManager = HttpServletHelper.getSessionManager(context);
    storageService =
        (StorageService<String, LoginContextEntry>) HttpServletHelper.getStorageService(context);
  }
Esempio n. 7
0
  /** {@inheritDoc} */
  public void init(ServletConfig config) throws ServletException {
    super.init(config);

    allowedIPs = new LazyList<IPRange>();

    String cidrBlocks = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(IP_PARAM_NAME));
    if (cidrBlocks != null) {
      for (String cidrBlock : cidrBlocks.split(" ")) {
        allowedIPs.add(IPRange.parseCIDRBlock(cidrBlock));
      }
    }

    dateFormat = ISODateTimeFormat.dateTimeNoMillis();
    startTime = new DateTime(ISOChronology.getInstanceUTC());
    attributeResolver = HttpServletHelper.getAttributeResolver(config.getServletContext());
    rpConfigManager =
        HttpServletHelper.getRelyingPartyConfirmationManager(config.getServletContext());
  }
  /**
   * Gets the subject from the request coming back from the login handler.
   *
   * @param httpRequest request coming back from the login handler
   * @return the {@link Subject} created from the request
   * @throws AuthenticationException thrown if no subject can be retrieved from the request
   */
  protected Subject getLoginHandlerSubject(HttpServletRequest httpRequest)
      throws AuthenticationException {
    Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
    Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
    String principalName =
        DatatypeHelper.safeTrimOrNullString(
            (String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));

    if (subject == null && (principal != null || principalName != null)) {
      subject = new Subject();
      if (principal == null) {
        principal = new UsernamePrincipal(principalName);
      }
      subject.getPrincipals().add(principal);
    }

    return subject;
  }
  /**
   * Completes the authentication process.
   *
   * <p>The principal name set by the authentication handler is retrieved and pushed in to the login
   * context, a Shibboleth session is created if needed, information indicating that the user has
   * logged into the service is recorded and finally control is returned back to the profile
   * handler.
   *
   * @param loginContext current login context
   * @param httpRequest current HTTP request
   * @param httpResponse current HTTP response
   */
  protected void completeAuthentication(
      LoginContext loginContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    LOG.debug("Completing user authentication process");

    Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);

    try {
      // We allow a login handler to override the authentication method in the
      // event that it supports multiple methods
      String actualAuthnMethod =
          DatatypeHelper.safeTrimOrNullString(
              (String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY));
      if (actualAuthnMethod != null) {
        if (!loginContext.getRequestedAuthenticationMethods().isEmpty()
            && !loginContext.getRequestedAuthenticationMethods().contains(actualAuthnMethod)) {
          String msg =
              "Relying patry required an authentication method of "
                  + loginContext.getRequestedAuthenticationMethods()
                  + " but the login handler performed "
                  + actualAuthnMethod;
          LOG.error(msg);
          throw new AuthenticationException(msg);
        }
      } else {
        actualAuthnMethod = loginContext.getAttemptedAuthnMethod();
      }

      // Check to make sure the login handler did the right thing
      validateSuccessfulAuthentication(loginContext, httpRequest, actualAuthnMethod);
      if (loginContext.getAuthenticationFailure() != null) {
        returnToProfileHandler(httpRequest, httpResponse);
        return;
      }

      // Check for an overridden authn instant.
      DateTime actualAuthnInstant =
          (DateTime) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_INSTANT_KEY);

      // Get the Subject from the request. If force authentication was required then make sure the
      // Subject identifies the same user that authenticated before
      Subject subject = getLoginHandlerSubject(httpRequest);
      if (loginContext.isForceAuthRequired()) {
        validateForcedReauthentication(idpSession, actualAuthnMethod, subject);

        // Reset the authn instant.
        if (actualAuthnInstant == null) {
          actualAuthnInstant = new DateTime();
        }
      }

      loginContext.setPrincipalAuthenticated(true);
      updateUserSession(
          loginContext, subject, actualAuthnMethod, actualAuthnInstant, httpRequest, httpResponse);
      LOG.debug(
          "User {} authenticated with method {}",
          loginContext.getPrincipalName(),
          loginContext.getAuthenticationMethod());
    } catch (AuthenticationException e) {
      LOG.error("Authentication failed with the error:", e);
      loginContext.setPrincipalAuthenticated(false);
      loginContext.setAuthenticationFailure(e);
    }

    returnToProfileHandler(httpRequest, httpResponse);
  }