1a33e6d86b0787998f56a1a59e9fb74547aa324f
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / hs / HandleServlet.java
1 /* 
2  * The Shibboleth License, Version 1. 
3  * Copyright (c) 2002 
4  * University Corporation for Advanced Internet Development, Inc. 
5  * All rights reserved
6  * 
7  * 
8  * Redistribution and use in source and binary forms, with or without 
9  * modification, are permitted provided that the following conditions are met:
10  * 
11  * Redistributions of source code must retain the above copyright notice, this 
12  * list of conditions and the following disclaimer.
13  * 
14  * Redistributions in binary form must reproduce the above copyright notice, 
15  * this list of conditions and the following disclaimer in the documentation 
16  * and/or other materials provided with the distribution, if any, must include 
17  * the following acknowledgment: "This product includes software developed by 
18  * the University Corporation for Advanced Internet Development 
19  * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement 
20  * may appear in the software itself, if and wherever such third-party 
21  * acknowledgments normally appear.
22  * 
23  * Neither the name of Shibboleth nor the names of its contributors, nor 
24  * Internet2, nor the University Corporation for Advanced Internet Development, 
25  * Inc., nor UCAID may be used to endorse or promote products derived from this 
26  * software without specific prior written permission. For written permission, 
27  * please contact shibboleth@shibboleth.org
28  * 
29  * Products derived from this software may not be called Shibboleth, Internet2, 
30  * UCAID, or the University Corporation for Advanced Internet Development, nor 
31  * may Shibboleth appear in their name, without prior written permission of the 
32  * University Corporation for Advanced Internet Development.
33  * 
34  * 
35  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
36  * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
37  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
38  * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK 
39  * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. 
40  * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY 
41  * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, 
42  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
43  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
44  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 
45  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
46  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
47  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
48  */
49
50 package edu.internet2.middleware.shibboleth.hs;
51
52 import java.io.ByteArrayOutputStream;
53 import java.io.IOException;
54 import java.io.PrintStream;
55 import java.security.KeyStore;
56 import java.security.KeyStoreException;
57 import java.security.NoSuchAlgorithmException;
58 import java.security.PrivateKey;
59 import java.security.UnrecoverableKeyException;
60 import java.security.cert.Certificate;
61 import java.security.cert.CertificateException;
62 import java.util.Arrays;
63 import java.util.Collections;
64 import java.util.Date;
65 import java.util.Properties;
66
67 import javax.servlet.RequestDispatcher;
68 import javax.servlet.ServletException;
69 import javax.servlet.UnavailableException;
70 import javax.servlet.http.HttpServlet;
71 import javax.servlet.http.HttpServletRequest;
72 import javax.servlet.http.HttpServletResponse;
73
74 import org.apache.log4j.Logger;
75 import org.apache.log4j.MDC;
76 import org.doomdark.uuid.UUIDGenerator;
77 import org.opensaml.QName;
78 import org.opensaml.SAMLAuthorityBinding;
79 import org.opensaml.SAMLBinding;
80 import org.opensaml.SAMLException;
81 import org.opensaml.SAMLResponse;
82 import sun.misc.BASE64Decoder;
83
84 import edu.internet2.middleware.shibboleth.common.AuthNPrincipal;
85 import edu.internet2.middleware.shibboleth.common.Constants;
86 import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
87 import edu.internet2.middleware.shibboleth.common.ShibPOSTProfileFactory;
88
89 public class HandleServlet extends HttpServlet {
90
91         protected Properties configuration;
92         protected HandleRepository handleRepository;
93         protected ShibPOSTProfile postProfile;
94         private static Logger log = Logger.getLogger(HandleServlet.class.getName());
95         private Certificate[] certificates;
96         private PrivateKey privateKey;
97         protected Properties loadConfiguration() throws HandleException {
98
99                 //Set defaults
100                 Properties defaultProps = new Properties();
101                 defaultProps.setProperty(
102                         "edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation",
103                         "edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository");
104                 defaultProps.setProperty(
105                         "edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL",
106                         "1800000");
107                 defaultProps.setProperty(
108                         "edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer",
109                         "shib2.internet2.edu");
110                 defaultProps.setProperty(
111                         "edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath",
112                         getServletContext().getRealPath("/WEB-INF/conf/handle.jks"));
113
114                 //Load from file
115                 Properties properties = new Properties(defaultProps);
116                 String propertiesFileLocation = getInitParameter("OriginPropertiesFile");
117                 if (propertiesFileLocation == null) {
118                         propertiesFileLocation = "/WEB-INF/conf/origin.properties";
119                 }
120                 try {
121                         log.debug("Loading Configuration from (" + propertiesFileLocation + ").");
122                         properties.load(getServletContext().getResourceAsStream(propertiesFileLocation));
123                 } catch (IOException e) {
124                         log.error("Could not load HS servlet configuration: " + e);
125                         throw new HandleException("Could not load HS servlet configuration.");
126                 }
127
128                 if (log.isDebugEnabled()) {
129                         ByteArrayOutputStream debugStream = new ByteArrayOutputStream();
130                         PrintStream debugPrinter = new PrintStream(debugStream);
131                         properties.list(debugPrinter);
132                         log.debug(
133                                 "Runtime configuration parameters: "
134                                         + System.getProperty("line.separator")
135                                         + debugStream.toString());
136                 }
137
138                 return properties;
139         }
140
141         public void init() throws ServletException {
142                 super.init();
143                 MDC.put("serviceId", "[HS] Core");
144                 try {
145                         log.info("Initializing Handle Service.");
146                         configuration = loadConfiguration();
147
148                         edu.internet2.middleware.eduPerson.Init.init();
149
150                         initPKI();
151
152                         postProfile =
153                                 ShibPOSTProfileFactory.getInstance(
154                                         Arrays.asList(new String[] { Constants.POLICY_CLUBSHIB }),
155                                         configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer"));
156
157                         handleRepository = HandleRepositoryFactory.getInstance(configuration);
158                         log.info("Handle Service initialization complete.");
159
160                 } catch (SAMLException ex) {
161                         log.fatal("Error initializing SAML libraries: " + ex);
162                         throw new UnavailableException("Handle Service failed to initialize.");
163                 } catch (HSConfigurationException ex) {
164                         log.fatal(
165                                 "Handle Service runtime configuration error.  Please fix and re-initialize. Cause: " + ex);
166                         throw new UnavailableException("Handle Service failed to initialize.");
167                 } catch (HandleRepositoryException ex) {
168                         log.fatal("Unable to load Handle Repository: " + ex);
169                         throw new UnavailableException("Handle Service failed to initialize.");
170                 } catch (Exception ex) {
171                         log.fatal("Error in initialization: " + ex);
172                         throw new ServletException("Handle Service could not be initialized.");
173                 }
174         }
175
176         protected void initPKI() throws HSConfigurationException {
177                 try {
178                         KeyStore keyStore = KeyStore.getInstance("JKS");
179
180                         keyStore.load(
181                                 getServletContext().getResourceAsStream(
182                                         configuration.getProperty(
183                                                 "edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath")),
184                                 configuration
185                                         .getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword")
186                                         .toCharArray());
187
188                         privateKey =
189                                 (PrivateKey) keyStore.getKey(
190                                         configuration.getProperty(
191                                                 "edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias"),
192                                         configuration
193                                                 .getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword")
194                                                 .toCharArray());
195
196                         if (configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias")
197                                 != null) {
198                                 certificates =
199                                         keyStore.getCertificateChain(
200                                                 configuration.getProperty(
201                                                         "edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias"));
202                         } else {
203                                 certificates =
204                                         keyStore.getCertificateChain(
205                                                 configuration.getProperty(
206                                                         "edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias"));
207                         }
208                 } catch (KeyStoreException e) {
209                         throw new HSConfigurationException("An error occurred while accessing the java keystore: " + e);
210                 } catch (NoSuchAlgorithmException e) {
211                         throw new HSConfigurationException(
212                                 "Appropriate JCE provider not found in the java environment: " + e);
213                 } catch (CertificateException e) {
214                         throw new HSConfigurationException(
215                                 "The java keystore contained a certificate that could not be loaded: " + e);
216                 } catch (IOException e) {
217                         throw new HSConfigurationException("An error occurred while reading the java keystore: " + e);
218                 } catch (UnrecoverableKeyException e) {
219                         throw new HSConfigurationException(
220                                 "An error occurred while attempting to load the key from the java keystore: " + e);
221                 }
222         }
223         public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
224
225                 log.debug("Recieved a request.");
226                 MDC.put("serviceId", "[HS] " + UUIDGenerator.getInstance().generateRandomBasedUUID());
227                 MDC.put("remoteAddr", req.getRemoteAddr());
228                 log.info("Handling request.");
229
230                 try {
231                         checkRequestParams(req);
232
233                         req.setAttribute("shire", req.getParameter("shire"));
234                         req.setAttribute("target", req.getParameter("target"));
235
236                         String handle = handleRepository.getHandle(new AuthNPrincipal(req.getRemoteUser()));
237                         log.info("Issued Handle (" + handle + ") to (" + req.getRemoteUser() + ")");
238
239                         byte[] buf = generateAssertion(handle, req.getParameter("shire"), req.getRemoteAddr(), req.getAuthType());
240
241                         createForm(req, res, buf);
242
243                 } catch (HandleRepositoryException ex) {
244                         log.error(ex);
245                         handleError(req, res, ex);
246                         return;
247                 } catch (HandleException ex) {
248                         log.error(ex);
249                         handleError(req, res, ex);
250                         return;
251                 } catch (SAMLException ex) {
252                         log.error(ex);
253                         handleError(req, res, ex);
254                         return;
255                 }
256
257         }
258
259         protected byte[] generateAssertion(String handle, String shireURL, String clientAddress, String authType)
260                 throws SAMLException, IOException {
261
262                 SAMLAuthorityBinding binding =
263                         new SAMLAuthorityBinding(
264                                 SAMLBinding.SAML_SOAP_HTTPS,
265                                 configuration.getProperty("edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl"),
266                                 new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
267
268                 SAMLResponse r =
269                         postProfile.prepare(
270                                 shireURL,
271                                 handle,
272                                 configuration.getProperty(
273                                         "edu.internet2.middleware.shibboleth.hs.HandleServlet.authenticationDomain"),
274                                 clientAddress,
275                                 authType,
276                                 new Date(System.currentTimeMillis()),
277                                 Collections.singleton(binding),
278                                 privateKey,
279                                 Arrays.asList(certificates),
280                                 null,
281                                 null);
282                 return r.toBase64();
283         }
284
285         protected void createForm(HttpServletRequest req, HttpServletResponse res, byte[] buf)
286                 throws HandleException {
287                 try {
288                         /**
289                          * forwarding to hs.jsp for submission
290                              */
291                         //Hardcoded to ASCII to ensure Base64 encoding compatibility
292                         req.setAttribute("assertion", new String(buf, "ASCII"));
293
294                         if (log.isDebugEnabled()) {
295                                 try {
296                                         log.debug(
297                                                 "Dumping generated SAML Response:"
298                                                         + System.getProperty("line.separator")
299                                                         + new String(new BASE64Decoder().decodeBuffer(new String(buf, "ASCII")), "UTF8"));
300                                 } catch (IOException e) {
301                                         log.error("Encountered an error while decoding SAMLReponse for logging purposes.");
302                                 }
303                         }
304
305                         RequestDispatcher rd = req.getRequestDispatcher("/hs.jsp");
306                         rd.forward(req, res);
307
308                 } catch (IOException ex) {
309                         throw new HandleException("IO interruption while displaying Handle Service UI." + ex);
310                 } catch (ServletException ex) {
311                         throw new HandleException("Problem displaying Handle Service UI." + ex);
312                 }
313
314         }
315
316         protected void handleError(HttpServletRequest req, HttpServletResponse res, Exception e)
317                 throws ServletException, IOException {
318
319                 req.setAttribute("errorText", e.toString());
320                 req.setAttribute("requestURL", req.getRequestURI().toString());
321                 RequestDispatcher rd = req.getRequestDispatcher("/hserror.jsp");
322
323                 rd.forward(req, res);
324
325         }
326
327         protected void checkRequestParams(HttpServletRequest req) throws HandleException {
328
329                 if (req.getParameter("target") == null || req.getParameter("target").equals("")) {
330                         throw new HandleException("Invalid data from SHIRE: no target URL received.");
331                 }
332                 if ((req.getParameter("shire") == null) || (req.getParameter("shire").equals(""))) {
333                         throw new HandleException("Invalid data from SHIRE: No acceptance URL received.");
334                 }
335                 if ((req.getRemoteUser() == null) || (req.getRemoteUser().equals(""))) {
336                         throw new HandleException("Unable to authenticate remote user");
337                 }
338                 if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) {
339                         throw new HandleException("Unable to obtain client address.");
340                 }
341         }
342
343 }
344
345     
346