reformat using eclipse's autoformatter. now if i could only make eclipse's indentatio...
authordmorr <dmorr@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 30 Mar 2007 17:53:13 +0000 (17:53 +0000)
committerdmorr <dmorr@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 30 Mar 2007 17:53:13 +0000 (17:53 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2166 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationHandler.java
src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationManager.java
src/edu/internet2/middleware/shibboleth/idp/authn/LoginContext.java
src/edu/internet2/middleware/shibboleth/idp/authn/Saml2LoginContext.java

index 3238fb6..957fd4b 100644 (file)
@@ -19,79 +19,79 @@ package edu.internet2.middleware.shibboleth.idp.authn;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-
 /**
- * Authentication handlers are responsible for authenticating a user using a 
+ * Authentication handlers are responsible for authenticating a user using a
  * particular authentication context class and logging users out for that same
  * mechanism.
  * 
- * When this handler is invoked to log a user in the incoming request will contain a 
- * {@link AuthnRequest} attribute registered under the name 
+ * When this handler is invoked to log a user in the incoming request will
+ * contain a {@link AuthnRequest} attribute registered under the name
  * <strong>AuthnRequest</strong>. If the authentication request coming into the
  * IdP is not a SAML 2 request the receiving profile handler will translate the
  * incoming details into a {@link AuthnRequest}.
  * 
- * Upon successfull authentication the handler <strong>must</strong> set a 
- * request attribute called <strong>principal</strong> with the principal name 
- * of the authenticated user. It must then forward the request/response to the 
+ * Upon successfull authentication the handler <strong>must</strong> set a
+ * request attribute called <strong>principal</strong> with the principal name
+ * of the authenticated user. It must then forward the request/response to the
  * provided return location by means of the
  * {@link javax.servlet.RequestDispatcher.RequestDispatcher#forward(
- *  javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
- * method.
+ * javax.servlet.ServletRequest, javax.servlet.ServletResponse)} method.
  * 
  * When this handler is invoked to log a user out of the particular
- * authentication source the handler may perform any operation necessary to 
- * log a user out. When finished it must then forward the request/response to
- * the provided return location by means of the
+ * authentication source the handler may perform any operation necessary to log
+ * a user out. When finished it must then forward the request/response to the
+ * provided return location by means of the
  * {@link RequestDispatcher#forward(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
- * method. This call will occur before SAML logout requests have been sent to all services 
- * supporting such requests.
+ * method. This call will occur before SAML logout requests have been sent to
+ * all services supporting such requests.
  * 
- * AuthentcationHandlers <strong>MUST NOT</strong> change or add any data to the 
- * user's {@link javax.servlet.http.HttpSession} that persists past the process 
- * of authenticating the user, that is no additional session data may be added
- * and no existing session data may be changed when the handler redirects back 
- * to the return location.
+ * AuthentcationHandlers <strong>MUST NOT</strong> change or add any data to
+ * the user's {@link javax.servlet.http.HttpSession} that persists past the
+ * process of authenticating the user, that is no additional session data may be
+ * added and no existing session data may be changed when the handler redirects
+ * back to the return location.
  */
 public interface AuthenticationHandler {
 
-    
-    /**
-     * Authenticates the user making the request.
-     * 
-     * @param request user request
-     * @param response response to user
-     * @param loginCtx The {@link LoginContext} for the reqeust.
-     */
-    public void login(HttpServletRequest request, HttpServletResponse response,
-        LoginContext loginCtx);
-
-
-    /**
-     * Logs out the given user from the authentication
-     * mechanism represented by this handler.
-     * 
-     * @param request user request
-     * @param response response to user
-     * @param principal principal named as returned during authentication
-     */
-    public void logout(HttpServletRequest request, HttpServletResponse response,
-        String principal);
-
+       /**
+        * Authenticates the user making the request.
+        * 
+        * @param request
+        *            user request
+        * @param response
+        *            response to user
+        * @param loginCtx
+        *            The {@link LoginContext} for the reqeust.
+        */
+       public void login(HttpServletRequest request, HttpServletResponse response,
+                       LoginContext loginCtx);
 
-    /**
-     * Gets whether this handler supports passive authentication.
-     * 
-     * @return whether this handler supports passive authentication
-     */
-    public boolean supportsPassive();
+       /**
+        * Logs out the given user from the authentication mechanism represented by
+        * this handler.
+        * 
+        * @param request
+        *            user request
+        * @param response
+        *            response to user
+        * @param principal
+        *            principal named as returned during authentication
+        */
+       public void logout(HttpServletRequest request,
+                       HttpServletResponse response, String principal);
 
+       /**
+        * Gets whether this handler supports passive authentication.
+        * 
+        * @return whether this handler supports passive authentication
+        */
+       public boolean supportsPassive();
 
-    /**
-     * Returns if this handler supports the ability
-     * to force a user to (re-)authenticate.
-     * 
-     * @return if this handler can force a user to (re-)authenticate.
-     */
-    public boolean supportsForceAuthentication();
+       /**
+        * Returns if this handler supports the ability to force a user to
+        * (re-)authenticate.
+        * 
+        * @return if this handler can force a user to (re-)authenticate.
+        */
+       public boolean supportsForceAuthentication();
 }
\ No newline at end of file
index 8a05451..7f80306 100644 (file)
@@ -38,320 +38,346 @@ import javolution.util.FastMap;
 import org.apache.log4j.Logger;
 import org.springframework.web.servlet.HttpServletBean;
 
-
 /**
  * Manager responsible for handling authentication requests.
  */
 public class AuthenticationManager extends HttpServletBean {
-    
-    /** log4j. */
-    private static final Logger log =
-           Logger.getLogger(AuthenticationManager.class.getName());
-    
-    /** SessionManager to be used. */
-    private SessionManager sessionMgr;
-    
-    /** Map of URIs onto AuthenticationHandlerInfo. */
-    private FastMap<String, AuthenticationHandler> handlerMap
-           = new FastMap<String, AuthenticationHandler>();
-    
-    /** The default AuthenticationHandler. */
-    private AuthenticationHandler defaultHandler;
-    
-    /* The URI for the default AuthenticationHandler. */
-    private String defaultHandlerURI;
-    
-    
-    /**
-     * Gets the session manager to be used.
-     *
-     * @return session manager to be used
-     */
-    public SessionManager getSessionManager() {
-       return sessionMgr;
-    }
-    
-    
-    /**
-     * Sets the session manager to be used.
-     *
-     * @param manager session manager to be used.
-     */
-    public void setSessionManager(final SessionManager manager) {
-       sessionMgr = manager;
-    }
-    
-    
-    /**
-     * Get the map of {@link AuthenticationHandlers}.
-     *
-     * @return The map of AuthenticationHandlers
-     */
-    public Map<String, AuthenticationHandler> getHandlerMap() {
-       
-       return new FastMap<String, AuthenticationHandler>(handlerMap);
-    }
-    
-    
-    /**
-     * Set the {@link AuthenticationHandler} map.
-     *
-     * @param handlerMap The Map of URIs to AuthenticationHandlers
-     */
-    public void setHandlerMap(final Map<String, AuthenticationHandler> handlerMap) {
-       
-       for (String uri : handlerMap.keySet()) {
-           addHandlerMapping(uri, handlerMap.get(uri));
+
+       /** log4j. */
+       private static final Logger log = Logger
+                       .getLogger(AuthenticationManager.class.getName());
+
+       /** SessionManager to be used. */
+       private SessionManager sessionMgr;
+
+       /** Map of URIs onto AuthenticationHandlerInfo. */
+       private FastMap<String, AuthenticationHandler> handlerMap = new FastMap<String, AuthenticationHandler>();
+
+       /** The default AuthenticationHandler. */
+       private AuthenticationHandler defaultHandler;
+
+       /* The URI for the default AuthenticationHandler. */
+       private String defaultHandlerURI;
+
+       /**
+        * Gets the session manager to be used.
+        * 
+        * @return session manager to be used
+        */
+       public SessionManager getSessionManager() {
+               return sessionMgr;
        }
-    }
-    
-    
-    /**
-     * Add a <code>&lt;String:AuthenticationHandler&gr;</code> mapping to the
-     * AuthenticationManager's table. If a mapping for the URI
-     * already exists, it will be overwritten.
-     *
-     * The URI SHOULD be from the saml-autn-context-2.0-os
-     *
-     * @param uri A URI identifying the authentcation method.
-     * @param handler The AuthenticationHandler.
-     */
-    public void addHandlerMapping(String uri, AuthenticationHandler handler) {
-       
-       if (uri == null || handler == null) {
-           return;
+
+       /**
+        * Sets the session manager to be used.
+        * 
+        * @param manager
+        *            session manager to be used.
+        */
+       public void setSessionManager(final SessionManager manager) {
+               sessionMgr = manager;
        }
-       
-       log.debug("registering " + handler.getClass().getName()
-       + " for " + uri);
-       
-       handlerMap.put(uri, handler);
-    }
-    
-    
-    /**
-     * Register the default {@link AuthenticationHandler}.
-     *
-     * @param uri The URI of the default authentication handler (from saml-authn-context-2.0-os)
-     * @param handler The default {@link AuthenticationHandler}.
-     */
-    public void setDefaultHandler(String uri, AuthenticationHandler handler) {
-       
-       log.debug("Registering default handler "
-               + handler.getClass().getName());
-       
-       defaultHandler = handler;
-       defaultHandlerURI = uri;
-    }
-    
-    
-    /**
-     * Remove a <String:AuthenticationHandler> mapping from the
-     * AuthenticationManager's table.
-     *
-     * The URI SHOULD be from the saml-authn-context-2.0-os
-     *
-     * @param uri A URI identifying the authentcation method.
-     */
-    public void removeHandlerMapping(String uri) {
-       
-       if (uri == null) {
-           return;
+
+       /**
+        * Get the map of {@link AuthenticationHandlers}.
+        * 
+        * @return The map of AuthenticationHandlers
+        */
+       public Map<String, AuthenticationHandler> getHandlerMap() {
+
+               return new FastMap<String, AuthenticationHandler>(handlerMap);
        }
-       
-       log.debug("unregistering handler for " + uri);
-       
-       handlerMap.remove(uri);
-    }
-    
-    
-    
-    /**
-     * Primary entrypoint for the AuthnManager.
-     *
-     * @param req The ServletRequest.
-     * @param resp The ServletResponse.
-     */
-    public void doPost(HttpServletRequest req,
-           HttpServletResponse resp) throws ServletException, IOException {
-       
-       if (req == null || resp == null) {
-           log.error("Invalid parameters in AuthenticationManager's doPost().");
-           return;
+
+       /**
+        * Set the {@link AuthenticationHandler} map.
+        * 
+        * @param handlerMap
+        *            The Map of URIs to AuthenticationHandlers
+        */
+       public void setHandlerMap(
+                       final Map<String, AuthenticationHandler> handlerMap) {
+
+               for (String uri : handlerMap.keySet()) {
+                       addHandlerMapping(uri, handlerMap.get(uri));
+               }
        }
-       
-       HttpSession httpSession = req.getSession();
-       Object o = httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
-       if (! (o instanceof LoginContext)) {
-           log.error("Invalid login context object -- object is not an instance of LoginContext.");
-           return;
+
+       /**
+        * Add a <code>&lt;String:AuthenticationHandler&gr;</code> mapping to the
+        * AuthenticationManager's table. If a mapping for the URI already exists,
+        * it will be overwritten.
+        * 
+        * The URI SHOULD be from the saml-autn-context-2.0-os
+        * 
+        * @param uri
+        *            A URI identifying the authentcation method.
+        * @param handler
+        *            The AuthenticationHandler.
+        */
+       public void addHandlerMapping(String uri, AuthenticationHandler handler) {
+
+               if (uri == null || handler == null) {
+                       return;
+               }
+
+               log
+                               .debug("registering " + handler.getClass().getName() + " for "
+                                               + uri);
+
+               handlerMap.put(uri, handler);
        }
-       LoginContext loginContext = (LoginContext)o;
-       
-       // If authentication has been attempted, don't try it again.
-       if (loginContext.getAuthenticationAttempted()) {
-           handleNewAuthnRequest(loginContext, req, resp);
-       } else {
-           finishAuthnRequest(loginContext, req, resp);
+
+       /**
+        * Register the default {@link AuthenticationHandler}.
+        * 
+        * @param uri
+        *            The URI of the default authentication handler (from
+        *            saml-authn-context-2.0-os)
+        * @param handler
+        *            The default {@link AuthenticationHandler}.
+        */
+       public void setDefaultHandler(String uri, AuthenticationHandler handler) {
+
+               log
+                               .debug("Registering default handler "
+                                               + handler.getClass().getName());
+
+               defaultHandler = handler;
+               defaultHandlerURI = uri;
        }
-    }
-    
-    
-    
-    /**
-     * Handle a new authentication request.
-     *
-     * @param loginContext The {@link LoginContext} for the new authentication request
-     * @param servletRequest The servlet request containing the authn request
-     * @param servletResponse The associated servlet response.
-     */
-    private void handleNewAuthnRequest(final LoginContext loginContext,
-       final HttpServletRequest servletRequest,
-       final HttpServletResponse servletResponse) throws ServletException, IOException {
-       
-       boolean forceAuthN = loginContext.getForceAuth();
-       boolean passiveAuthN = loginContext.getPassiveAuth();
-       
-       // set that authentication has been attempted, to prevent processing loops
-       loginContext.setAuthenticationAttempted();
-       
-       // if the profile handler set a list of requested authn methods,
-       // evaluate them. otherwise, evaluate the default handler.
-       String[] requestedAuthnMethods = loginContext.getRequestedAuthenticationMethods();
-       AuthenticationHandler handler = null;
-       
-       if (requestedAuthnMethods == null) {
-           
-           // if no authn methods were specified, try the default handler
-           
-           if (evaluateHandler(defaultHandler, "default", forceAuthN, passiveAuthN)) {
-               handler = defaultHandler;
-               loginContext.setAuthenticationMethod(defaultHandlerURI);
-           }
-           
-       } else {
-           
-           // evaluate all requested authn methods until we find a match.
-           
-           for (String authnMethodURI : requestedAuthnMethods) {
-               
-               AuthenticationHandler candidateHandler = handlerMap.get(authnMethodURI);
-               if (candidateHandler == null) {
-                   log.debug("No registered authentication handlers can satisfy the "
-                       + " requested authentication method " + authnMethodURI);
-                   continue;
-               }
-               
-               if (evaluateHandler(candidateHandler, authnMethodURI, forceAuthN, passiveAuthN)) {
-                   
-                   // we found a match. stop iterating.
-                   handler = candidateHandler;
-                   log.info("Using authentication handler " + handler.getClass().getName()
-                       + " for authentication method " + authnMethodURI);
-                   loginContext.setAuthenticationMethod(authnMethodURI);
-                   break;
+
+       /**
+        * Remove a <String:AuthenticationHandler> mapping from the
+        * AuthenticationManager's table.
+        * 
+        * The URI SHOULD be from the saml-authn-context-2.0-os
+        * 
+        * @param uri
+        *            A URI identifying the authentcation method.
+        */
+       public void removeHandlerMapping(String uri) {
+
+               if (uri == null) {
+                       return;
                }
-           }
+
+               log.debug("unregistering handler for " + uri);
+
+               handlerMap.remove(uri);
        }
-       
-       // if no acceptable handler was found, abort.
-       if (handler == null) {
-           loginContext.setAuthenticationOK(false);
-           loginContext.setAuthenticationFailureMessage(
-                   "No installed AuthenticationHandler can satisfy the authentication request.");
-           
-           log.error("No registered authentication handlers could satisify any requested "
-                   + "authentication methods. Unable to process authentication request.");
-           
-           RequestDispatcher dispatcher =
-                   servletRequest.getRequestDispatcher(loginContext.getProfileHandlerURL());
-           dispatcher.forward(servletRequest, servletResponse);
+
+       /**
+        * Primary entrypoint for the AuthnManager.
+        * 
+        * @param req
+        *            The ServletRequest.
+        * @param resp
+        *            The ServletResponse.
+        */
+       public void doPost(HttpServletRequest req, HttpServletResponse resp)
+                       throws ServletException, IOException {
+
+               if (req == null || resp == null) {
+                       log
+                                       .error("Invalid parameters in AuthenticationManager's doPost().");
+                       return;
+               }
+
+               HttpSession httpSession = req.getSession();
+               Object o = httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
+               if (!(o instanceof LoginContext)) {
+                       log
+                                       .error("Invalid login context object -- object is not an instance of LoginContext.");
+                       return;
+               }
+               LoginContext loginContext = (LoginContext) o;
+
+               // If authentication has been attempted, don't try it again.
+               if (loginContext.getAuthenticationAttempted()) {
+                       handleNewAuthnRequest(loginContext, req, resp);
+               } else {
+                       finishAuthnRequest(loginContext, req, resp);
+               }
        }
-       
-       // otherwise, forward control to the AuthenticationHandler
-       ServletContext servletContext = getServletContext();
-       loginContext.setAuthenticationManagerURL(servletRequest.getPathInfo());
-       handler.login(servletRequest, servletResponse, loginContext);
-    }
-    
-    
-    /**
-     * Handle the "return leg" of an authentication request
-     * (i.e. clean up after an authentication handler has run).
-     *
-     */
-    private void finishAuthnRequest(final LoginContext loginContext,
-       final HttpServletRequest servletRequest,
-       final HttpServletResponse servletResponse) throws ServletException, IOException {
-       
-       // if authentication was successful, the authentication handler should
-       // have updated the LoginContext with additional information. Use that
-       // info to create a Session.
-       if (loginContext.getAuthenticationOK()) {
-           
-           AuthenticationMethodInformation authMethodInfo = new AuthenticationMethodInformationImpl(
-               loginContext.getAuthenticationMethod(), loginContext.getAuthenticationInstant(),
-               loginContext.getAuthenticationDuration());
-           
-           InetAddress addr;
-           try {
-               addr = InetAddress.getByName(servletRequest.getRemoteAddr());
-           } catch (Exception ex) {
-               addr = null;
-           }
-           
-           Session shibSession = (Session) sessionMgr.createSession(addr,
-               loginContext.getUserID());
-           List<AuthenticationMethodInformation> authMethods =
-               shibSession.getAuthenticationMethods();
-           authMethods.add(authMethodInfo);
-           loginContext.setSessionID(shibSession.getSessionID());
+
+       /**
+        * Handle a new authentication request.
+        * 
+        * @param loginContext
+        *            The {@link LoginContext} for the new authentication request
+        * @param servletRequest
+        *            The servlet request containing the authn request
+        * @param servletResponse
+        *            The associated servlet response.
+        */
+       private void handleNewAuthnRequest(final LoginContext loginContext,
+                       final HttpServletRequest servletRequest,
+                       final HttpServletResponse servletResponse) throws ServletException,
+                       IOException {
+
+               boolean forceAuthN = loginContext.getForceAuth();
+               boolean passiveAuthN = loginContext.getPassiveAuth();
+
+               // set that authentication has been attempted, to prevent processing
+               // loops
+               loginContext.setAuthenticationAttempted();
+
+               // if the profile handler set a list of requested authn methods,
+               // evaluate them. otherwise, evaluate the default handler.
+               String[] requestedAuthnMethods = loginContext
+                               .getRequestedAuthenticationMethods();
+               AuthenticationHandler handler = null;
+
+               if (requestedAuthnMethods == null) {
+
+                       // if no authn methods were specified, try the default handler
+
+                       if (evaluateHandler(defaultHandler, "default", forceAuthN,
+                                       passiveAuthN)) {
+                               handler = defaultHandler;
+                               loginContext.setAuthenticationMethod(defaultHandlerURI);
+                       }
+
+               } else {
+
+                       // evaluate all requested authn methods until we find a match.
+
+                       for (String authnMethodURI : requestedAuthnMethods) {
+
+                               AuthenticationHandler candidateHandler = handlerMap
+                                               .get(authnMethodURI);
+                               if (candidateHandler == null) {
+                                       log
+                                                       .debug("No registered authentication handlers can satisfy the "
+                                                                       + " requested authentication method "
+                                                                       + authnMethodURI);
+                                       continue;
+                               }
+
+                               if (evaluateHandler(candidateHandler, authnMethodURI,
+                                               forceAuthN, passiveAuthN)) {
+
+                                       // we found a match. stop iterating.
+                                       handler = candidateHandler;
+                                       log.info("Using authentication handler "
+                                                       + handler.getClass().getName()
+                                                       + " for authentication method " + authnMethodURI);
+                                       loginContext.setAuthenticationMethod(authnMethodURI);
+                                       break;
+                               }
+                       }
+               }
+
+               // if no acceptable handler was found, abort.
+               if (handler == null) {
+                       loginContext.setAuthenticationOK(false);
+                       loginContext
+                                       .setAuthenticationFailureMessage("No installed AuthenticationHandler can satisfy the authentication request.");
+
+                       log
+                                       .error("No registered authentication handlers could satisify any requested "
+                                                       + "authentication methods. Unable to process authentication request.");
+
+                       RequestDispatcher dispatcher = servletRequest
+                                       .getRequestDispatcher(loginContext.getProfileHandlerURL());
+                       dispatcher.forward(servletRequest, servletResponse);
+               }
+
+               // otherwise, forward control to the AuthenticationHandler
+               ServletContext servletContext = getServletContext();
+               loginContext.setAuthenticationManagerURL(servletRequest.getPathInfo());
+               handler.login(servletRequest, servletResponse, loginContext);
        }
-       
-       RequestDispatcher dispatcher =
-           servletRequest.getRequestDispatcher(loginContext.getProfileHandlerURL());
-       dispatcher.forward(servletRequest, servletResponse);
-    }
-    
-    
-    /**
-     * "Stub" method for handling LogoutRequest.
-     */
-    private void handleLogoutRequest(final HttpServletRequest servletRequest,
-       final HttpServletResponse servletResponse) throws ServletException, IOException {
-       
-    }
-    
-    
-    /**
-     * Evaluate an authenticationhandler against a set of evaluation criteria.
-     *
-     * @param handler A candiate {@link AuthenticationHandler}
-     * @param description A description of the handler
-     * @param forceAuthN Is (re)authentication forced?
-     * @param passiveAuthN Can the AuthenticationHandler take control of the UI
-     *
-     * @return <code>true</code> if handler meets the criteria, otherwise <code>false</code>
-     */
-    private boolean evaluateHandler(final AuthenticationHandler handler,
-       String description, boolean forceAuthN, boolean passiveAuthN) {
-       
-       if (handler == null) {
-           return false;
+
+       /**
+        * Handle the "return leg" of an authentication request (i.e. clean up after
+        * an authentication handler has run).
+        * 
+        */
+       private void finishAuthnRequest(final LoginContext loginContext,
+                       final HttpServletRequest servletRequest,
+                       final HttpServletResponse servletResponse) throws ServletException,
+                       IOException {
+
+               // if authentication was successful, the authentication handler should
+               // have updated the LoginContext with additional information. Use that
+               // info to create a Session.
+               if (loginContext.getAuthenticationOK()) {
+
+                       AuthenticationMethodInformation authMethodInfo = new AuthenticationMethodInformationImpl(
+                                       loginContext.getAuthenticationMethod(), loginContext
+                                                       .getAuthenticationInstant(), loginContext
+                                                       .getAuthenticationDuration());
+
+                       InetAddress addr;
+                       try {
+                               addr = InetAddress.getByName(servletRequest.getRemoteAddr());
+                       } catch (Exception ex) {
+                               addr = null;
+                       }
+
+                       Session shibSession = (Session) sessionMgr.createSession(addr,
+                                       loginContext.getUserID());
+                       List<AuthenticationMethodInformation> authMethods = shibSession
+                                       .getAuthenticationMethods();
+                       authMethods.add(authMethodInfo);
+                       loginContext.setSessionID(shibSession.getSessionID());
+               }
+
+               RequestDispatcher dispatcher = servletRequest
+                               .getRequestDispatcher(loginContext.getProfileHandlerURL());
+               dispatcher.forward(servletRequest, servletResponse);
        }
-       
-       if (forceAuthN && !handler.supportsForceAuthentication()) {
-           log.debug("The RequestedAuthnContext required forced authentication, "
-               + "but the " + description + " handler does not support that feature.");
-           return false;
+
+       /**
+        * "Stub" method for handling LogoutRequest.
+        */
+       private void handleLogoutRequest(final HttpServletRequest servletRequest,
+                       final HttpServletResponse servletResponse) throws ServletException,
+                       IOException {
+
        }
-       
-       if (passiveAuthN && !handler.supportsPassive()) {
-           log.debug("The RequestedAuthnContext required passive authentication, "
-               + "but the " + description + " handler does not support that feature.");
-           return false;
+
+       /**
+        * Evaluate an authenticationhandler against a set of evaluation criteria.
+        * 
+        * @param handler
+        *            A candiate {@link AuthenticationHandler}
+        * @param description
+        *            A description of the handler
+        * @param forceAuthN
+        *            Is (re)authentication forced?
+        * @param passiveAuthN
+        *            Can the AuthenticationHandler take control of the UI
+        * 
+        * @return <code>true</code> if handler meets the criteria, otherwise
+        *         <code>false</code>
+        */
+       private boolean evaluateHandler(final AuthenticationHandler handler,
+                       String description, boolean forceAuthN, boolean passiveAuthN) {
+
+               if (handler == null) {
+                       return false;
+               }
+
+               if (forceAuthN && !handler.supportsForceAuthentication()) {
+                       log
+                                       .debug("The RequestedAuthnContext required forced authentication, "
+                                                       + "but the "
+                                                       + description
+                                                       + " handler does not support that feature.");
+                       return false;
+               }
+
+               if (passiveAuthN && !handler.supportsPassive()) {
+                       log
+                                       .debug("The RequestedAuthnContext required passive authentication, "
+                                                       + "but the "
+                                                       + description
+                                                       + " handler does not support that feature.");
+                       return false;
+               }
+
+               return true;
        }
-       
-       return true;
-    }
 }
index be46103..d8ae500 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.authn;
 
-
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.joda.time.DateTime;
 
-
 /**
- * Login context created by a profile handler and interpreted
- * by the authentication package.
+ * Login context created by a profile handler and interpreted by the
+ * authentication package.
  * 
  * Two properties are tracked by default:
  * 
@@ -35,354 +33,351 @@ import org.joda.time.DateTime;
  * A Map&lt;String, Object&gt; is provided to store other properties.
  * Alternatively, a profile handler may create a subclass of LoginContext with
  * extra fields.
- *
- * LoginContexts should be created by a profile handler when authentication is needed.
- * Once control has returned to the profile handler, it should remove the LoginContext
- * from the HttpSession.
- *
- * The {@link AuthenticationManager} or an {@link AuthenticationHandler} should set the
- * {@link LoginContext#setAuthenticationAttempted()}, {@link LoginContext#setAuthnOK(boolean)},
- * {@link LoginContext#setAuthnFailure(String)}, {@link LoginContext#{setAuthenticationDuration(long)}
+ * 
+ * LoginContexts should be created by a profile handler when authentication is
+ * needed. Once control has returned to the profile handler, it should remove
+ * the LoginContext from the HttpSession.
+ * 
+ * The {@link AuthenticationManager} or an {@link AuthenticationHandler} should
+ * set the {@link LoginContext#setAuthenticationAttempted()},
+ * {@link LoginContext#setAuthnOK(boolean)},
+ * {@link LoginContext#setAuthnFailure(String)},
+ * {@link LoginContext#{setAuthenticationDuration(long)}
  * {@link LoginContext#setAuthenticationInstant(DateTime)} appropriately.
- *
+ * 
  */
 public class LoginContext {
-    
-    /** the key in a HttpSession where login contexts are stored */
-    public static final String LOGIN_CONTEXT_KEY = "shib2.logincontext";
-    
-    
-    /** Should user authentication be forced */
-    protected boolean forceAuth = false;
-    
-    /** Must authentication not interact with the UI */
-    protected boolean passiveAuth = false;
-    
-    /** a catch-all map for other properties */
-    protected Map<String, Object> propsMap = new ConcurrentHashMap<String, Object>();;
-    
-    /** The ProfileHandler URL */
-    protected String profileHandlerURL;
-    
-    /** The AuthenticationManager's URL */
-    protected String authnManagerURL;
-    
-    /** has authentication been attempted yet */
-    protected boolean authnAttempted = false;
-    
-    /** The id of the authenticated user */ 
-    protected String userID;
-
-    /** Did authentication succceed? */
-    protected boolean authenticationOK;
-    
-    /** Optional failure message  */
-    protected String authnFailureMessage;
-
-    /** The instant of authentication */
-    protected DateTime authnInstant;
-    
-    /** The duration of authentication */
-    protected long authnDuration;
-    
-    /** The method used to authenticate the user */
-    protected String authnMethod;        
-    
-    /** The session id */
-    protected String sessionID;
-    
-    
-    /** Creates a new instance of LoginContext */
-    public LoginContext() {
-    }
-    
-    
-    /**
-     * Creates a new instance of LoginContext
-     *
-     * @param forceAuth if the authentication manager must reauth the user.
-     * @param passiveAuth if the authentication manager must not interact with the users UI. 
-     */
-    public LoginContext(boolean forceAuth, boolean passiveAuth) {
-        
-        forceAuth = forceAuth;
-        passiveAuth = passiveAuth;
-    }    
-    
-    
-    /**
-     * Returns if authentication must be forced.
-     *
-     * @return <code>true</code> if the authentication manager must reauth the user.
-     */
-    public boolean getForceAuth() {
-        return forceAuth;
-    }
-    
-    
-    /**
-     * Returns if authentication must be passive.
-     * 
-     * @return <code>true</code> if the authentication manager must not interact with the users UI.
-     */
-    public boolean getPassiveAuth() {
-        return passiveAuth;
-    }
-    
-    
-    /**
-     * Sets if authentication must be forced.
-     *
-     * @param forceAuth if the authentication manager must reauth the user.
-     */
-    public void setForceAuth(boolean forceAuth) {
-        this.forceAuth = forceAuth;
-    }
-    
-    
-    /**
-     * Sets if authentication must be passive.
-     * 
-     * @param passiveAuth if the authentication manager must not interact with the users UI.
-     */
-    public void setPassiveAuth(boolean passiveAuth) {
-        this.passiveAuth = passiveAuth;
-    }
-    
-    
-    /**
-     * Get an optional property object.
-     * 
-     * @param key The key in the properites Map.
-     * 
-     * @return The object, or <code>null</code> is no object exists for the key.
-     */
-    public Object getProperty(String key) {
-        return propsMap.get(key);
-    }
-    
-    
-    /**
-     * Sets an optional property object.
-     * 
-     * If an object is already associated with key, it will be overwritten.
-     * 
-     * @param key The key to set.
-     * @param obj The object to associate with key.
-     */
-    public void setProperty(String key, final Object obj) {
-        propsMap.put(key, obj);
-    }
-    
-    /**
-     * Sets if authentication succeeded.
-     * 
-     * @param authnOK if authentication succeeded;
-     */
-    public void setAuthenticationOK(boolean authnOK) {
-        this.authenticationOK = authnOK;
-    }
-    
-    
-    /**
-     * Returns if authentication succeeded.
-     * 
-     * @return <code>true</code> is the user was successfully authenticated.
-     */
-    public boolean getAuthenticationOK() {
-        return authenticationOK;
-    }
-    
-    
-    /** Sets the optional authentication failure message.
-     * 
-     * @param failureMessage A description of why authN failed.
-     */ 
-    public void setAuthenticationFailureMessage(String failureMessage) {
-        authnFailureMessage = failureMessage;
-    }
-    
-    
-    /**
-     * Returns the optional authentication failure message.
-     * 
-     * @return The failure message, or <code>null</code> is none was set.
-     */
-    public String getAuthenticationFailureMessage() {
-        return authnFailureMessage;
-    }
-    
-    
-    /**
-     * Set if authentication has been attempted.
-     *
-     * This method should be called by an {@link AuthenticationHandler} 
-     * while processing a request.
-     */
-    public void setAuthenticationAttempted() {
-        authnAttempted = true;
-    }
-    
-    
-    /**
-     * Returns if authentication has been attempted for this user.
-     */
-    public boolean getAuthenticationAttempted() {
-        return authnAttempted;
-    }
-    
-    
-    /**
-     * Sets the ID of the authenticated user.
-     * 
-     * @param userID The userid.
-     */
-    public void setUserID(String userID) {
-        this.userID = userID;
-    }
-    
-    
-    /**
-     * Returns the ID of the authenticated user.
-     * 
-     * @return the ID of the user, or <code>null</code> if authentication failed.
-     */
-    public String getUserID() {
-        return userID;
-    }
-    
-    
-    /**
-     * Gets the ProfileHandler URL.
-     *
-     * @return the URL of the profile handler that is invoking the Authentication Manager.
-     */
-    public String getProfileHandlerURL() {
-        return profileHandlerURL;
-    }
-    
-    
-    /**
-     * Sets the ProfileHandler URL.
-     *
-     * @param profileHandlerURL The URL of the profile handler that invoked the AuthenticationManager/
-     */
-    public void setProfileHandlerURL(String profileHandlerURL) {
-        this.profileHandlerURL = profileHandlerURL;
-    }
-    
-    
-    /**
-     * Gets the AuthenticationManager URL.
-     *
-     * @return the URL of the AuthenticationManager.
-     */
-    public String getAuthenticationManagerURL() {
-        return authnManagerURL;
-    }
-    
-    
-    /**
-     * Sets the AuthenticationManager's URL.
-     *
-     * @param authnManagerURL the URL of the AuthenticationManager.
-     */
-    public void setAuthenticationManagerURL(String authnManagerURL) {
-        this.authnManagerURL = authnManagerURL;
-    }
-    
-    
-    /**
-     * Gets the authentication instant.
-     *
-     * @return The instant of authentication, or <code>null</code> if none was set.
-     */
-    public DateTime getAuthenticationInstant() {
-        return authnInstant;
-    }
-    
-    
-    /**
-     * Sets the authentication instant.
-     *
-     * @param authnInstant The instant of authentication.
-     */
-    public void setAuthenticationInstant(final DateTime authnInstant) {
-        this.authnInstant = authnInstant;
-    }
-    
-    
-    /**
-     * Gets the duration of authentication.
-     *
-     * @return The duration of authentication, or zero if none was set.
-     */
-    public long getAuthenticationDuration() {
-        return authnDuration;
-    }
-    
-    
-    /**
-     * Sets the duration of authentication.
-     *
-     * @param authnDuration The duration of authentication.
-     */
-    public void setAuthenticationDuration(long authnDuration) {
-        this.authnDuration = authnDuration;
-    }
-    
-    
-    /**
-     * Gets the method used to authenticate the user.
-     *
-     * @return The method used to authenticate the user.
-     */
-    public String getAuthenticationMethod() {
-        return authnMethod;
-    }
-    
-    
-    /**
-     * Sets the method used to authenticate the user.
-     *
-     * @param authnMethod The method used to authenticate the user.
-     */
-    public void setAuthenticationMethod(String authnMethod) {
-        this.authnMethod = authnMethod;
-    }
-    
-    
-    /**
-     * Gets the {@link Session} ID
-     *
-     * @return the Session id.
-     */
-    public String getSessionID() {
-        return sessionID;
-    }
-    
-    
-    /**
-     * Sets the {@link Session} ID
-     *
-     * @param sessionID the Session ID
-     */
-    public void setSessionID(String sessionID) {
-        this.sessionID = sessionID;
-    }
-    
-    
-    /**
-     * Return the acceptable authentication handler URIs
-     * for authenticating this user. If no authentication
-     * methods are preferred, this method will return 
-     * <code>null</code>.
-     *
-     * @return an array of URIs, or <code>null</code>.
-     */
-    public String[] getRequestedAuthenticationMethods() {
-    
-        return null;
-    }
+
+       /** the key in a HttpSession where login contexts are stored */
+       public static final String LOGIN_CONTEXT_KEY = "shib2.logincontext";
+
+       /** Should user authentication be forced */
+       protected boolean forceAuth = false;
+
+       /** Must authentication not interact with the UI */
+       protected boolean passiveAuth = false;
+
+       /** a catch-all map for other properties */
+       protected Map<String, Object> propsMap = new ConcurrentHashMap<String, Object>();;
+
+       /** The ProfileHandler URL */
+       protected String profileHandlerURL;
+
+       /** The AuthenticationManager's URL */
+       protected String authnManagerURL;
+
+       /** has authentication been attempted yet */
+       protected boolean authnAttempted = false;
+
+       /** The id of the authenticated user */
+       protected String userID;
+
+       /** Did authentication succceed? */
+       protected boolean authenticationOK;
+
+       /** Optional failure message */
+       protected String authnFailureMessage;
+
+       /** The instant of authentication */
+       protected DateTime authnInstant;
+
+       /** The duration of authentication */
+       protected long authnDuration;
+
+       /** The method used to authenticate the user */
+       protected String authnMethod;
+
+       /** The session id */
+       protected String sessionID;
+
+       /** Creates a new instance of LoginContext */
+       public LoginContext() {
+       }
+
+       /**
+        * Creates a new instance of LoginContext
+        * 
+        * @param forceAuth
+        *            if the authentication manager must reauth the user.
+        * @param passiveAuth
+        *            if the authentication manager must not interact with the users
+        *            UI.
+        */
+       public LoginContext(boolean forceAuth, boolean passiveAuth) {
+
+               forceAuth = forceAuth;
+               passiveAuth = passiveAuth;
+       }
+
+       /**
+        * Returns if authentication must be forced.
+        * 
+        * @return <code>true</code> if the authentication manager must reauth the
+        *         user.
+        */
+       public boolean getForceAuth() {
+               return forceAuth;
+       }
+
+       /**
+        * Returns if authentication must be passive.
+        * 
+        * @return <code>true</code> if the authentication manager must not
+        *         interact with the users UI.
+        */
+       public boolean getPassiveAuth() {
+               return passiveAuth;
+       }
+
+       /**
+        * Sets if authentication must be forced.
+        * 
+        * @param forceAuth
+        *            if the authentication manager must reauth the user.
+        */
+       public void setForceAuth(boolean forceAuth) {
+               this.forceAuth = forceAuth;
+       }
+
+       /**
+        * Sets if authentication must be passive.
+        * 
+        * @param passiveAuth
+        *            if the authentication manager must not interact with the users
+        *            UI.
+        */
+       public void setPassiveAuth(boolean passiveAuth) {
+               this.passiveAuth = passiveAuth;
+       }
+
+       /**
+        * Get an optional property object.
+        * 
+        * @param key
+        *            The key in the properites Map.
+        * 
+        * @return The object, or <code>null</code> is no object exists for the
+        *         key.
+        */
+       public Object getProperty(String key) {
+               return propsMap.get(key);
+       }
+
+       /**
+        * Sets an optional property object.
+        * 
+        * If an object is already associated with key, it will be overwritten.
+        * 
+        * @param key
+        *            The key to set.
+        * @param obj
+        *            The object to associate with key.
+        */
+       public void setProperty(String key, final Object obj) {
+               propsMap.put(key, obj);
+       }
+
+       /**
+        * Sets if authentication succeeded.
+        * 
+        * @param authnOK
+        *            if authentication succeeded;
+        */
+       public void setAuthenticationOK(boolean authnOK) {
+               this.authenticationOK = authnOK;
+       }
+
+       /**
+        * Returns if authentication succeeded.
+        * 
+        * @return <code>true</code> is the user was successfully authenticated.
+        */
+       public boolean getAuthenticationOK() {
+               return authenticationOK;
+       }
+
+       /**
+        * Sets the optional authentication failure message.
+        * 
+        * @param failureMessage
+        *            A description of why authN failed.
+        */
+       public void setAuthenticationFailureMessage(String failureMessage) {
+               authnFailureMessage = failureMessage;
+       }
+
+       /**
+        * Returns the optional authentication failure message.
+        * 
+        * @return The failure message, or <code>null</code> is none was set.
+        */
+       public String getAuthenticationFailureMessage() {
+               return authnFailureMessage;
+       }
+
+       /**
+        * Set if authentication has been attempted.
+        * 
+        * This method should be called by an {@link AuthenticationHandler} while
+        * processing a request.
+        */
+       public void setAuthenticationAttempted() {
+               authnAttempted = true;
+       }
+
+       /**
+        * Returns if authentication has been attempted for this user.
+        */
+       public boolean getAuthenticationAttempted() {
+               return authnAttempted;
+       }
+
+       /**
+        * Sets the ID of the authenticated user.
+        * 
+        * @param userID
+        *            The userid.
+        */
+       public void setUserID(String userID) {
+               this.userID = userID;
+       }
+
+       /**
+        * Returns the ID of the authenticated user.
+        * 
+        * @return the ID of the user, or <code>null</code> if authentication
+        *         failed.
+        */
+       public String getUserID() {
+               return userID;
+       }
+
+       /**
+        * Gets the ProfileHandler URL.
+        * 
+        * @return the URL of the profile handler that is invoking the
+        *         Authentication Manager.
+        */
+       public String getProfileHandlerURL() {
+               return profileHandlerURL;
+       }
+
+       /**
+        * Sets the ProfileHandler URL.
+        * 
+        * @param profileHandlerURL
+        *            The URL of the profile handler that invoked the
+        *            AuthenticationManager/
+        */
+       public void setProfileHandlerURL(String profileHandlerURL) {
+               this.profileHandlerURL = profileHandlerURL;
+       }
+
+       /**
+        * Gets the AuthenticationManager URL.
+        * 
+        * @return the URL of the AuthenticationManager.
+        */
+       public String getAuthenticationManagerURL() {
+               return authnManagerURL;
+       }
+
+       /**
+        * Sets the AuthenticationManager's URL.
+        * 
+        * @param authnManagerURL
+        *            the URL of the AuthenticationManager.
+        */
+       public void setAuthenticationManagerURL(String authnManagerURL) {
+               this.authnManagerURL = authnManagerURL;
+       }
+
+       /**
+        * Gets the authentication instant.
+        * 
+        * @return The instant of authentication, or <code>null</code> if none was
+        *         set.
+        */
+       public DateTime getAuthenticationInstant() {
+               return authnInstant;
+       }
+
+       /**
+        * Sets the authentication instant.
+        * 
+        * @param authnInstant
+        *            The instant of authentication.
+        */
+       public void setAuthenticationInstant(final DateTime authnInstant) {
+               this.authnInstant = authnInstant;
+       }
+
+       /**
+        * Gets the duration of authentication.
+        * 
+        * @return The duration of authentication, or zero if none was set.
+        */
+       public long getAuthenticationDuration() {
+               return authnDuration;
+       }
+
+       /**
+        * Sets the duration of authentication.
+        * 
+        * @param authnDuration
+        *            The duration of authentication.
+        */
+       public void setAuthenticationDuration(long authnDuration) {
+               this.authnDuration = authnDuration;
+       }
+
+       /**
+        * Gets the method used to authenticate the user.
+        * 
+        * @return The method used to authenticate the user.
+        */
+       public String getAuthenticationMethod() {
+               return authnMethod;
+       }
+
+       /**
+        * Sets the method used to authenticate the user.
+        * 
+        * @param authnMethod
+        *            The method used to authenticate the user.
+        */
+       public void setAuthenticationMethod(String authnMethod) {
+               this.authnMethod = authnMethod;
+       }
+
+       /**
+        * Gets the {@link Session} ID
+        * 
+        * @return the Session id.
+        */
+       public String getSessionID() {
+               return sessionID;
+       }
+
+       /**
+        * Sets the {@link Session} ID
+        * 
+        * @param sessionID
+        *            the Session ID
+        */
+       public void setSessionID(String sessionID) {
+               this.sessionID = sessionID;
+       }
+
+       /**
+        * Return the acceptable authentication handler URIs for authenticating this
+        * user. If no authentication methods are preferred, this method will return
+        * <code>null</code>.
+        * 
+        * @return an array of URIs, or <code>null</code>.
+        */
+       public String[] getRequestedAuthenticationMethods() {
+
+               return null;
+       }
 }
index 0602692..945716a 100644 (file)
@@ -16,7 +16,6 @@
 
 package edu.internet2.middleware.shibboleth.idp.authn;
 
-
 import java.util.List;
 import java.util.LinkedList;
 
@@ -28,92 +27,94 @@ import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
 import org.opensaml.saml2.core.AuthnRequest;
 import org.opensaml.saml2.core.RequestedAuthnContext;
 
-
 /**
- * A SAML 2.0 {@link LoginContext}. 
+ * A SAML 2.0 {@link LoginContext}.
  * 
  * This class can interpret {@link RequestedAuthnContext} and act accordingly.
  */
 public class Saml2LoginContext extends LoginContext {
-    
-    private static final Logger log = Logger.getLogger(Saml2LoginContext.class);
-    
-    /** The {@link RequestedAuthnContext} */
-    private RequestedAuthnContext ctx;
-    
-    
-    /**
-     * Creates a new instance of Saml2LoginContext.
-     *
-     * @param authnRequest A SAML 2.0 Authentication Request.
-     */
-    public Saml2LoginContext(AuthnRequest authnRequest) {
-        
-        if (authnRequest != null) {
-            forceAuth = authnRequest.isForceAuthn();
-            passiveAuth = authnRequest.isPassive();
-            ctx = authnRequest.getRequestedAuthnContext();
-        }
-    }
-    
-    
-    /** 
-     * This method evaluates a SAML2 {@link RequestedAuthnContext}
-     * and returns the list of requested authentication method URIs.
-     *
-     * If the AuthnQuery did not contain a RequestedAuthnContext,
-     * this method will return <code>null</code>.
-     *
-     * @return An array of authentication method URIs, or <code>null</code>.
-     */
-    public String[] getRequestedAuthenticationMethods() {
-
-        if (ctx == null)
-            return null;
-
-        // For the immediate future, we only support the "exact" comparator.
-        // XXX: we should probably throw an exception or somehow indicate this 
-        // as an error to the caller.
-        AuthnContextComparisonTypeEnumeration comparator = ctx.getComparison();
-        if (comparator != null && comparator != AuthnContextComparisonTypeEnumeration.EXACT) {
-            log.error("Unsupported comparision operator ( " + comparator
-                + ") in RequestedAuthnContext. Only exact comparisions are supported.");
-            return null;
-        }
-    
-        // build a list of all requested authn classes and declrefs
-        List<String> requestedAuthnMethods = new LinkedList<String>();
-        List<AuthnContextClassRef> authnClasses = ctx.getAuthnContextClassRefs();
-        List<AuthnContextDeclRef> authnDeclRefs = ctx.getAuthnContextDeclRefs();
-    
-        if (authnClasses != null) {
-            for (AuthnContextClassRef classRef : authnClasses) {
-                if (classRef != null) {
-                    String s = classRef.getAuthnContextClassRef();
-                    if (s != null) {
-                        requestedAuthnMethods.add(s);
-                    }
-                }
-            }
-        }
-    
-        if (authnDeclRefs != null) {
-            for (AuthnContextDeclRef declRef : authnDeclRefs) {
-                if (declRef != null) {
-                    String s = declRef.getAuthnContextDeclRef();
-                    if (s != null) {
-                        requestedAuthnMethods.add(s);
-                    }
-                }
-            }
-        }
-    
-        if (requestedAuthnMethods.size() == 0) {
-            return null;
-        } else {
-            String[] methods = new String[requestedAuthnMethods.size()];
-            return requestedAuthnMethods.toArray(methods);
-        }
-
-    }
+
+       private static final Logger log = Logger.getLogger(Saml2LoginContext.class);
+
+       /** The {@link RequestedAuthnContext} */
+       private RequestedAuthnContext ctx;
+
+       /**
+        * Creates a new instance of Saml2LoginContext.
+        * 
+        * @param authnRequest
+        *            A SAML 2.0 Authentication Request.
+        */
+       public Saml2LoginContext(AuthnRequest authnRequest) {
+
+               if (authnRequest != null) {
+                       forceAuth = authnRequest.isForceAuthn();
+                       passiveAuth = authnRequest.isPassive();
+                       ctx = authnRequest.getRequestedAuthnContext();
+               }
+       }
+
+       /**
+        * This method evaluates a SAML2 {@link RequestedAuthnContext} and returns
+        * the list of requested authentication method URIs.
+        * 
+        * If the AuthnQuery did not contain a RequestedAuthnContext, this method
+        * will return <code>null</code>.
+        * 
+        * @return An array of authentication method URIs, or <code>null</code>.
+        */
+       public String[] getRequestedAuthenticationMethods() {
+
+               if (ctx == null)
+                       return null;
+
+               // For the immediate future, we only support the "exact" comparator.
+               // XXX: we should probably throw an exception or somehow indicate this
+               // as an error to the caller.
+               AuthnContextComparisonTypeEnumeration comparator = ctx.getComparison();
+               if (comparator != null
+                               && comparator != AuthnContextComparisonTypeEnumeration.EXACT) {
+                       log
+                                       .error("Unsupported comparision operator ( "
+                                                       + comparator
+                                                       + ") in RequestedAuthnContext. Only exact comparisions are supported.");
+                       return null;
+               }
+
+               // build a list of all requested authn classes and declrefs
+               List<String> requestedAuthnMethods = new LinkedList<String>();
+               List<AuthnContextClassRef> authnClasses = ctx
+                               .getAuthnContextClassRefs();
+               List<AuthnContextDeclRef> authnDeclRefs = ctx.getAuthnContextDeclRefs();
+
+               if (authnClasses != null) {
+                       for (AuthnContextClassRef classRef : authnClasses) {
+                               if (classRef != null) {
+                                       String s = classRef.getAuthnContextClassRef();
+                                       if (s != null) {
+                                               requestedAuthnMethods.add(s);
+                                       }
+                               }
+                       }
+               }
+
+               if (authnDeclRefs != null) {
+                       for (AuthnContextDeclRef declRef : authnDeclRefs) {
+                               if (declRef != null) {
+                                       String s = declRef.getAuthnContextDeclRef();
+                                       if (s != null) {
+                                               requestedAuthnMethods.add(s);
+                                       }
+                               }
+                       }
+               }
+
+               if (requestedAuthnMethods.size() == 0) {
+                       return null;
+               } else {
+                       String[] methods = new String[requestedAuthnMethods.size()];
+                       return requestedAuthnMethods.toArray(methods);
+               }
+
+       }
 }