/** {@inheritDoc} */
protected void processAttribute(XMLObject xmlObject, Attr attribute)
throws UnmarshallingException {
AttributeDesignatorType attributeDesignatorType = (AttributeDesignatorType) xmlObject;
if (attribute.getLocalName().equals(AttributeDesignatorType.ATTRIBUTE_ID_ATTRIB_NAME)) {
attributeDesignatorType.setAttribtueId(
DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
} else if (attribute.getLocalName().equals(AttributeDesignatorType.DATA_TYPE_ATTRIB_NAME)) {
attributeDesignatorType.setDataType(
DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
} else if (attribute.getLocalName().equals(AttributeDesignatorType.ISSUER_ATTRIB_NAME)) {
attributeDesignatorType.setIssuer(DatatypeHelper.safeTrimOrNullString(attribute.getValue()));
} else if (attribute
.getLocalName()
.equals(AttributeDesignatorType.MUST_BE_PRESENT_ATTRIB_NAME)) {
if (attribute.getValue().equals("True") || attribute.getValue().equals("true")) {
attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("1"));
} else {
attributeDesignatorType.setMustBePresentXSBoolean(XSBooleanValue.valueOf("0"));
}
} else {
super.processAttribute(xmlObject, attribute);
}
}
/**
* Validates that the authentication was successfully performed by the login handler. An
* authentication is considered successful if no error is bound to the request attribute {@link
* LoginHandler#AUTHENTICATION_ERROR_KEY} and there is a value for at least one of the following
* request attributes: {@link LoginHandler#SUBJECT_KEY}, {@link LoginHandler#PRINCIPAL_KEY}, or
* {@link LoginHandler#PRINCIPAL_NAME_KEY}.
*
* @param loginContext current login context
* @param httpRequest current HTTP request
* @param authenticationMethod the authentication method used to authenticate the user
* @throws AuthenticationException thrown if the authentication was not successful
*/
protected void validateSuccessfulAuthentication(
LoginContext loginContext, HttpServletRequest httpRequest, String authenticationMethod)
throws AuthenticationException {
LOG.debug("Validating authentication was performed successfully");
if (authenticationMethod == null) {
LOG.error("No authentication method reported by login handler.");
throw new AuthenticationException("No authentication method reported by login handler.");
}
String errorMessage =
DatatypeHelper.safeTrimOrNullString(
(String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
if (errorMessage != null) {
LOG.debug(
"Error returned from login handler for authentication method {}:\n{}",
loginContext.getAttemptedAuthnMethod(),
errorMessage);
loginContext.setAuthenticationFailure(new AuthenticationException(errorMessage));
loginContext.setPrincipalAuthenticated(false);
return;
}
AuthenticationException authnException =
(AuthenticationException)
httpRequest.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
if (authnException != null) {
LOG.debug(
"Exception returned from login handler for authentication method {}:\n{}",
loginContext.getAttemptedAuthnMethod(),
authnException);
loginContext.setAuthenticationFailure(authnException);
loginContext.setPrincipalAuthenticated(false);
return;
}
Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
String principalName =
DatatypeHelper.safeTrimOrNullString(
(String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
if (subject == null && principal == null && principalName == null) {
LOG.error("No user identified by login handler.");
throw new AuthenticationException("No user identified by login handler.");
}
}
/** {@inheritDoc} */
protected void unmarshallTextContent(XMLObject xmlObject, Text content)
throws UnmarshallingException {
String textContent = DatatypeHelper.safeTrimOrNullString(content.getWholeText());
if (textContent != null) {
XSQName qname = (XSQName) xmlObject;
qname.setValue(XMLHelper.constructQName(textContent, XMLHelper.getElementAncestor(content)));
}
}
/**
* Constructor.
*
* @param extensionSchemas classpath location of metadata extension schemas, may be null
*/
public SchemaValidationFilter(String[] extensionSchemas) {
if (extensionSchemas != null) {
for (String extension : extensionSchemas) {
extension = DatatypeHelper.safeTrimOrNullString(extension);
if (extension != null) {
SAMLSchemaBuilder.addExtensionSchema(extension);
}
}
}
}
/**
* Gets the list of request paths the profile handler handles.
*
* @param config profile handler configuration element
* @return list of request paths the profile handler handles
*/
protected List<String> getRequestPaths(Element config) {
ArrayList<String> requestPaths = new ArrayList<String>();
List<Element> requestPathElems = XMLHelper.getChildElementsByTagName(config, "RequestPath");
if (requestPathElems != null) {
for (Element requestPathElem : requestPathElems) {
requestPaths.add(DatatypeHelper.safeTrimOrNullString(requestPathElem.getTextContent()));
}
}
return requestPaths;
}
/** {@inheritDoc} */
public void init(ServletConfig config) throws ServletException {
super.init(config);
String retain =
DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PRIVATE_CREDENTIALS));
if (retain != null) {
retainSubjectsPrivateCredentials = Boolean.parseBoolean(retain);
} else {
retainSubjectsPrivateCredentials = false;
}
retain =
DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PUBLIC_CREDENTIALS));
if (retain != null) {
retainSubjectsPublicCredentials = Boolean.parseBoolean(retain);
} else {
retainSubjectsPublicCredentials = false;
}
context = config.getServletContext();
handlerManager = HttpServletHelper.getProfileHandlerManager(context);
sessionManager = HttpServletHelper.getSessionManager(context);
storageService =
(StorageService<String, LoginContextEntry>) HttpServletHelper.getStorageService(context);
}
/** {@inheritDoc} */
public void init(ServletConfig config) throws ServletException {
super.init(config);
allowedIPs = new LazyList<IPRange>();
String cidrBlocks = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(IP_PARAM_NAME));
if (cidrBlocks != null) {
for (String cidrBlock : cidrBlocks.split(" ")) {
allowedIPs.add(IPRange.parseCIDRBlock(cidrBlock));
}
}
dateFormat = ISODateTimeFormat.dateTimeNoMillis();
startTime = new DateTime(ISOChronology.getInstanceUTC());
attributeResolver = HttpServletHelper.getAttributeResolver(config.getServletContext());
rpConfigManager =
HttpServletHelper.getRelyingPartyConfirmationManager(config.getServletContext());
}
/**
* Gets the subject from the request coming back from the login handler.
*
* @param httpRequest request coming back from the login handler
* @return the {@link Subject} created from the request
* @throws AuthenticationException thrown if no subject can be retrieved from the request
*/
protected Subject getLoginHandlerSubject(HttpServletRequest httpRequest)
throws AuthenticationException {
Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
String principalName =
DatatypeHelper.safeTrimOrNullString(
(String) httpRequest.getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
if (subject == null && (principal != null || principalName != null)) {
subject = new Subject();
if (principal == null) {
principal = new UsernamePrincipal(principalName);
}
subject.getPrincipals().add(principal);
}
return subject;
}
/**
* Completes the authentication process.
*
* <p>The principal name set by the authentication handler is retrieved and pushed in to the login
* context, a Shibboleth session is created if needed, information indicating that the user has
* logged into the service is recorded and finally control is returned back to the profile
* handler.
*
* @param loginContext current login context
* @param httpRequest current HTTP request
* @param httpResponse current HTTP response
*/
protected void completeAuthentication(
LoginContext loginContext, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
LOG.debug("Completing user authentication process");
Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
try {
// We allow a login handler to override the authentication method in the
// event that it supports multiple methods
String actualAuthnMethod =
DatatypeHelper.safeTrimOrNullString(
(String) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY));
if (actualAuthnMethod != null) {
if (!loginContext.getRequestedAuthenticationMethods().isEmpty()
&& !loginContext.getRequestedAuthenticationMethods().contains(actualAuthnMethod)) {
String msg =
"Relying patry required an authentication method of "
+ loginContext.getRequestedAuthenticationMethods()
+ " but the login handler performed "
+ actualAuthnMethod;
LOG.error(msg);
throw new AuthenticationException(msg);
}
} else {
actualAuthnMethod = loginContext.getAttemptedAuthnMethod();
}
// Check to make sure the login handler did the right thing
validateSuccessfulAuthentication(loginContext, httpRequest, actualAuthnMethod);
if (loginContext.getAuthenticationFailure() != null) {
returnToProfileHandler(httpRequest, httpResponse);
return;
}
// Check for an overridden authn instant.
DateTime actualAuthnInstant =
(DateTime) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_INSTANT_KEY);
// Get the Subject from the request. If force authentication was required then make sure the
// Subject identifies the same user that authenticated before
Subject subject = getLoginHandlerSubject(httpRequest);
if (loginContext.isForceAuthRequired()) {
validateForcedReauthentication(idpSession, actualAuthnMethod, subject);
// Reset the authn instant.
if (actualAuthnInstant == null) {
actualAuthnInstant = new DateTime();
}
}
loginContext.setPrincipalAuthenticated(true);
updateUserSession(
loginContext, subject, actualAuthnMethod, actualAuthnInstant, httpRequest, httpResponse);
LOG.debug(
"User {} authenticated with method {}",
loginContext.getPrincipalName(),
loginContext.getAuthenticationMethod());
} catch (AuthenticationException e) {
LOG.error("Authentication failed with the error:", e);
loginContext.setPrincipalAuthenticated(false);
loginContext.setAuthenticationFailure(e);
}
returnToProfileHandler(httpRequest, httpResponse);
}
