예제 #1
0
  public Result callback() {

    final PlayWebContext context = new PlayWebContext(ctx(), config.getSessionStore());

    CommonHelper.assertNotNull("config", config);
    CommonHelper.assertNotNull("config.httpActionAdapter", config.getHttpActionAdapter());
    final Clients clients = config.getClients();
    CommonHelper.assertNotNull("clients", clients);
    final Client client = clients.findClient(context);
    logger.debug("client: {}", client);
    CommonHelper.assertNotNull("client", client);
    CommonHelper.assertTrue(
        client instanceof IndirectClient, "only indirect clients are allowed on the callback url");

    final Credentials credentials;
    try {
      credentials = client.getCredentials(context);
    } catch (final RequiresHttpAction e) {
      return (Result) config.getHttpActionAdapter().adapt(e.getCode(), context);
    }
    logger.debug("credentials: {}", credentials);

    final UserProfile profile = client.getUserProfile(credentials, context);
    logger.debug("profile: {}", profile);
    saveUserProfile(context, profile);
    return redirectToOriginallyRequestedUrl(context);
  }
  @Override
  public R perform(
      final C context,
      final Config config,
      final HttpActionAdapter<R, C> httpActionAdapter,
      final String inputDefaultUrl,
      final Boolean inputMultiProfile,
      final Boolean inputRenewSession) {

    logger.debug("=== CALLBACK ===");

    // default values
    final String defaultUrl;
    if (inputDefaultUrl == null) {
      defaultUrl = Pac4jConstants.DEFAULT_URL_VALUE;
    } else {
      defaultUrl = inputDefaultUrl;
    }
    final boolean multiProfile;
    if (inputMultiProfile == null) {
      multiProfile = false;
    } else {
      multiProfile = inputMultiProfile;
    }
    final boolean renewSession;
    if (inputRenewSession == null) {
      renewSession = true;
    } else {
      renewSession = inputRenewSession;
    }

    // checks
    assertNotNull("context", context);
    assertNotNull("config", config);
    assertNotNull("httpActionAdapter", httpActionAdapter);
    assertNotBlank(Pac4jConstants.DEFAULT_URL, defaultUrl);
    final Clients clients = config.getClients();
    assertNotNull("clients", clients);

    // logic
    final Client client = clients.findClient(context);
    logger.debug("client: {}", client);
    assertNotNull("client", client);
    assertTrue(
        client instanceof IndirectClient, "only indirect clients are allowed on the callback url");

    HttpAction action;
    try {
      final Credentials credentials = client.getCredentials(context);
      logger.debug("credentials: {}", credentials);

      final CommonProfile profile = client.getUserProfile(credentials, context);
      logger.debug("profile: {}", profile);
      saveUserProfile(context, profile, multiProfile, renewSession);
      action = redirectToOriginallyRequestedUrl(context, defaultUrl);

    } catch (final HttpAction e) {
      logger.debug("extra HTTP action required in callback: {}", e.getCode());
      action = e;
    }

    return httpActionAdapter.adapt(action.getCode(), context);
  }
예제 #3
0
  @Override
  protected void internalInit() {

    CommonHelper.assertTrue(
        CommonHelper.isNotBlank(this.idpMetadata) || CommonHelper.isNotBlank(this.idpMetadataPath),
        "Either idpMetadata or idpMetadataPath must be provided");
    CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
    if (!this.callbackUrl.startsWith("http")) {
      throw new TechnicalException("SAML callbackUrl must be absolute");
    }

    if (CommonHelper.isNotBlank(this.keystorePath)
        || CommonHelper.isNotBlank(this.keystorePassword)
        || CommonHelper.isNotBlank(this.privateKeyPassword)) {
      CommonHelper.assertNotBlank("keystorePath", this.keystorePath);
      CommonHelper.assertNotBlank("keystorePassword", this.keystorePassword);
      CommonHelper.assertNotBlank("privateKeyPassword", this.privateKeyPassword);

      // load private key from the keystore and provide it as OpenSAML credentials
      this.credentialProvider =
          new CredentialProvider(this.keystorePath, this.keystorePassword, this.privateKeyPassword);
      this.decrypter = new EncryptionProvider(this.credentialProvider).buildDecrypter();
    }

    // Bootsrap OpenSAML
    try {
      DefaultBootstrap.bootstrap();
      NamedKeyInfoGeneratorManager manager =
          Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
      X509KeyInfoGeneratorFactory generator = new X509KeyInfoGeneratorFactory();
      generator.setEmitEntityCertificate(true);
      generator.setEmitEntityCertificateChain(true);
      manager.registerFactory(Saml2Client.SAML_METADATA_KEY_INFO_GENERATOR, generator);
    } catch (ConfigurationException e) {
      throw new SamlException("Error bootstrapping OpenSAML", e);
    }

    // required parserPool for XML processing
    final StaticBasicParserPool parserPool = newStaticBasicParserPool();
    final AbstractMetadataProvider idpMetadataProvider = idpMetadataProvider(parserPool);

    final XMLObject md;
    try {
      md = idpMetadataProvider.getMetadata();
    } catch (MetadataProviderException e) {
      throw new SamlException("Error initializing idpMetadataProvider", e);
    }

    // If no idpEntityId declared, select first EntityDescriptor entityId as our IDP entityId
    if (this.idpEntityId == null) {
      this.idpEntityId = getIdpEntityId(md);
    }

    // Generate our Service Provider metadata
    Saml2MetadataGenerator metadataGenerator = new Saml2MetadataGenerator();
    if (this.credentialProvider != null) {
      metadataGenerator.setCredentialProvider(this.credentialProvider);
      metadataGenerator.setAuthnRequestSigned(true);
    }
    // If the spEntityId is blank, use the callback url
    if (CommonHelper.isBlank(this.spEntityId)) {
      this.spEntityId = getCallbackUrl();
    }
    metadataGenerator.setEntityId(this.spEntityId);
    // Assertion consumer service url is the callback url
    metadataGenerator.setAssertionConsumerServiceUrl(getCallbackUrl());
    // for now same for logout url
    metadataGenerator.setSingleLogoutServiceUrl(getCallbackUrl());
    AbstractMetadataProvider spMetadataProvider = metadataGenerator.buildMetadataProvider();

    // Initialize metadata provider for our SP and get the XML as a String
    try {
      spMetadataProvider.initialize();
      this.spMetadata = metadataGenerator.printMetadata();
    } catch (MetadataProviderException e) {
      throw new TechnicalException("Error initializing spMetadataProvider", e);
    } catch (MarshallingException e) {
      logger.warn("Unable to print SP metadata", e);
    }

    // Put IDP and SP metadata together
    ChainingMetadataProvider metadataManager = new ChainingMetadataProvider();
    try {
      metadataManager.addMetadataProvider(idpMetadataProvider);
      metadataManager.addMetadataProvider(spMetadataProvider);
    } catch (MetadataProviderException e) {
      throw new TechnicalException("Error adding idp or sp metadatas to manager", e);
    }

    // Build the contextProvider
    this.contextProvider =
        new Saml2ContextProvider(metadataManager, this.idpEntityId, this.spEntityId);

    // Get an AuthnRequest builder
    this.authnRequestBuilder =
        new Saml2AuthnRequestBuilder(forceAuth, comparisonType, destinationBindingType);

    // Build the WebSSO handler for sending and receiving SAML2 messages
    MessageEncoder encoder = null;
    if (SAMLConstants.SAML2_POST_BINDING_URI.equals(destinationBindingType)) {
      // Get a velocity engine for the HTTP-POST binding (building of an HTML document)
      VelocityEngine velocityEngine = VelocityEngineFactory.getEngine();
      encoder = new HTTPPostEncoder(velocityEngine, "/templates/saml2-post-binding.vm");
    } else if (SAMLConstants.SAML2_REDIRECT_BINDING_URI.equals(destinationBindingType)) {
      encoder = new HTTPRedirectDeflateEncoder();
    } else {
      throw new UnsupportedOperationException(
          "Binding type - " + destinationBindingType + " is not supported");
    }

    // Do we need binding specific decoder?
    MessageDecoder decoder = new Pac4jHTTPPostDecoder(parserPool);
    this.handler =
        new Saml2WebSSOProfileHandler(
            this.credentialProvider, encoder, decoder, parserPool, destinationBindingType);

    // Build provider for digital signature validation and encryption
    this.signatureTrustEngineProvider = new SignatureTrustEngineProvider(metadataManager);

    // Build the SAML response validator
    this.responseValidator = new Saml2ResponseValidator();
    if (this.maximumAuthenticationLifetime != null) {
      this.responseValidator.setMaximumAuthenticationLifetime(this.maximumAuthenticationLifetime);
    }
  }
예제 #4
0
 private PlayWebContext getPlayWebContext(final WebContext context) {
   CommonHelper.assertTrue(context instanceof PlayWebContext, "context must be a PlayWebContext");
   return (PlayWebContext) context;
 }