import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-
/**
- * Authentication handlers are responsible for authenticating a user using a
+ * Authentication handlers are responsible for authenticating a user using a
* particular authentication context class and logging users out for that same
* mechanism.
*
- * When this handler is invoked to log a user in the incoming request will contain a
- * {@link AuthnRequest} attribute registered under the name
+ * When this handler is invoked to log a user in the incoming request will
+ * contain a {@link AuthnRequest} attribute registered under the name
* <strong>AuthnRequest</strong>. If the authentication request coming into the
* IdP is not a SAML 2 request the receiving profile handler will translate the
* incoming details into a {@link AuthnRequest}.
*
- * Upon successfull authentication the handler <strong>must</strong> set a
- * request attribute called <strong>principal</strong> with the principal name
- * of the authenticated user. It must then forward the request/response to the
+ * Upon successfull authentication the handler <strong>must</strong> set a
+ * request attribute called <strong>principal</strong> with the principal name
+ * of the authenticated user. It must then forward the request/response to the
* provided return location by means of the
* {@link javax.servlet.RequestDispatcher.RequestDispatcher#forward(
- * javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
- * method.
+ * javax.servlet.ServletRequest, javax.servlet.ServletResponse)} method.
*
* When this handler is invoked to log a user out of the particular
- * authentication source the handler may perform any operation necessary to
- * log a user out. When finished it must then forward the request/response to
- * the provided return location by means of the
+ * authentication source the handler may perform any operation necessary to log
+ * a user out. When finished it must then forward the request/response to the
+ * provided return location by means of the
* {@link RequestDispatcher#forward(javax.servlet.ServletRequest, javax.servlet.ServletResponse)}
- * method. This call will occur before SAML logout requests have been sent to all services
- * supporting such requests.
+ * method. This call will occur before SAML logout requests have been sent to
+ * all services supporting such requests.
*
- * AuthentcationHandlers <strong>MUST NOT</strong> change or add any data to the
- * user's {@link javax.servlet.http.HttpSession} that persists past the process
- * of authenticating the user, that is no additional session data may be added
- * and no existing session data may be changed when the handler redirects back
- * to the return location.
+ * AuthentcationHandlers <strong>MUST NOT</strong> change or add any data to
+ * the user's {@link javax.servlet.http.HttpSession} that persists past the
+ * process of authenticating the user, that is no additional session data may be
+ * added and no existing session data may be changed when the handler redirects
+ * back to the return location.
*/
public interface AuthenticationHandler {
-
- /**
- * Authenticates the user making the request.
- *
- * @param request user request
- * @param response response to user
- * @param loginCtx The {@link LoginContext} for the reqeust.
- */
- public void login(HttpServletRequest request, HttpServletResponse response,
- LoginContext loginCtx);
-
-
- /**
- * Logs out the given user from the authentication
- * mechanism represented by this handler.
- *
- * @param request user request
- * @param response response to user
- * @param principal principal named as returned during authentication
- */
- public void logout(HttpServletRequest request, HttpServletResponse response,
- String principal);
-
+ /**
+ * Authenticates the user making the request.
+ *
+ * @param request
+ * user request
+ * @param response
+ * response to user
+ * @param loginCtx
+ * The {@link LoginContext} for the reqeust.
+ */
+ public void login(HttpServletRequest request, HttpServletResponse response,
+ LoginContext loginCtx);
- /**
- * Gets whether this handler supports passive authentication.
- *
- * @return whether this handler supports passive authentication
- */
- public boolean supportsPassive();
+ /**
+ * Logs out the given user from the authentication mechanism represented by
+ * this handler.
+ *
+ * @param request
+ * user request
+ * @param response
+ * response to user
+ * @param principal
+ * principal named as returned during authentication
+ */
+ public void logout(HttpServletRequest request,
+ HttpServletResponse response, String principal);
+ /**
+ * Gets whether this handler supports passive authentication.
+ *
+ * @return whether this handler supports passive authentication
+ */
+ public boolean supportsPassive();
- /**
- * Returns if this handler supports the ability
- * to force a user to (re-)authenticate.
- *
- * @return if this handler can force a user to (re-)authenticate.
- */
- public boolean supportsForceAuthentication();
+ /**
+ * Returns if this handler supports the ability to force a user to
+ * (re-)authenticate.
+ *
+ * @return if this handler can force a user to (re-)authenticate.
+ */
+ public boolean supportsForceAuthentication();
}
\ No newline at end of file
import org.apache.log4j.Logger;
import org.springframework.web.servlet.HttpServletBean;
-
/**
* Manager responsible for handling authentication requests.
*/
public class AuthenticationManager extends HttpServletBean {
-
- /** log4j. */
- private static final Logger log =
- Logger.getLogger(AuthenticationManager.class.getName());
-
- /** SessionManager to be used. */
- private SessionManager sessionMgr;
-
- /** Map of URIs onto AuthenticationHandlerInfo. */
- private FastMap<String, AuthenticationHandler> handlerMap
- = new FastMap<String, AuthenticationHandler>();
-
- /** The default AuthenticationHandler. */
- private AuthenticationHandler defaultHandler;
-
- /* The URI for the default AuthenticationHandler. */
- private String defaultHandlerURI;
-
-
- /**
- * Gets the session manager to be used.
- *
- * @return session manager to be used
- */
- public SessionManager getSessionManager() {
- return sessionMgr;
- }
-
-
- /**
- * Sets the session manager to be used.
- *
- * @param manager session manager to be used.
- */
- public void setSessionManager(final SessionManager manager) {
- sessionMgr = manager;
- }
-
-
- /**
- * Get the map of {@link AuthenticationHandlers}.
- *
- * @return The map of AuthenticationHandlers
- */
- public Map<String, AuthenticationHandler> getHandlerMap() {
-
- return new FastMap<String, AuthenticationHandler>(handlerMap);
- }
-
-
- /**
- * Set the {@link AuthenticationHandler} map.
- *
- * @param handlerMap The Map of URIs to AuthenticationHandlers
- */
- public void setHandlerMap(final Map<String, AuthenticationHandler> handlerMap) {
-
- for (String uri : handlerMap.keySet()) {
- addHandlerMapping(uri, handlerMap.get(uri));
+
+ /** log4j. */
+ private static final Logger log = Logger
+ .getLogger(AuthenticationManager.class.getName());
+
+ /** SessionManager to be used. */
+ private SessionManager sessionMgr;
+
+ /** Map of URIs onto AuthenticationHandlerInfo. */
+ private FastMap<String, AuthenticationHandler> handlerMap = new FastMap<String, AuthenticationHandler>();
+
+ /** The default AuthenticationHandler. */
+ private AuthenticationHandler defaultHandler;
+
+ /* The URI for the default AuthenticationHandler. */
+ private String defaultHandlerURI;
+
+ /**
+ * Gets the session manager to be used.
+ *
+ * @return session manager to be used
+ */
+ public SessionManager getSessionManager() {
+ return sessionMgr;
}
- }
-
-
- /**
- * Add a <code><String:AuthenticationHandler&gr;</code> mapping to the
- * AuthenticationManager's table. If a mapping for the URI
- * already exists, it will be overwritten.
- *
- * The URI SHOULD be from the saml-autn-context-2.0-os
- *
- * @param uri A URI identifying the authentcation method.
- * @param handler The AuthenticationHandler.
- */
- public void addHandlerMapping(String uri, AuthenticationHandler handler) {
-
- if (uri == null || handler == null) {
- return;
+
+ /**
+ * Sets the session manager to be used.
+ *
+ * @param manager
+ * session manager to be used.
+ */
+ public void setSessionManager(final SessionManager manager) {
+ sessionMgr = manager;
}
-
- log.debug("registering " + handler.getClass().getName()
- + " for " + uri);
-
- handlerMap.put(uri, handler);
- }
-
-
- /**
- * Register the default {@link AuthenticationHandler}.
- *
- * @param uri The URI of the default authentication handler (from saml-authn-context-2.0-os)
- * @param handler The default {@link AuthenticationHandler}.
- */
- public void setDefaultHandler(String uri, AuthenticationHandler handler) {
-
- log.debug("Registering default handler "
- + handler.getClass().getName());
-
- defaultHandler = handler;
- defaultHandlerURI = uri;
- }
-
-
- /**
- * Remove a <String:AuthenticationHandler> mapping from the
- * AuthenticationManager's table.
- *
- * The URI SHOULD be from the saml-authn-context-2.0-os
- *
- * @param uri A URI identifying the authentcation method.
- */
- public void removeHandlerMapping(String uri) {
-
- if (uri == null) {
- return;
+
+ /**
+ * Get the map of {@link AuthenticationHandlers}.
+ *
+ * @return The map of AuthenticationHandlers
+ */
+ public Map<String, AuthenticationHandler> getHandlerMap() {
+
+ return new FastMap<String, AuthenticationHandler>(handlerMap);
}
-
- log.debug("unregistering handler for " + uri);
-
- handlerMap.remove(uri);
- }
-
-
-
- /**
- * Primary entrypoint for the AuthnManager.
- *
- * @param req The ServletRequest.
- * @param resp The ServletResponse.
- */
- public void doPost(HttpServletRequest req,
- HttpServletResponse resp) throws ServletException, IOException {
-
- if (req == null || resp == null) {
- log.error("Invalid parameters in AuthenticationManager's doPost().");
- return;
+
+ /**
+ * Set the {@link AuthenticationHandler} map.
+ *
+ * @param handlerMap
+ * The Map of URIs to AuthenticationHandlers
+ */
+ public void setHandlerMap(
+ final Map<String, AuthenticationHandler> handlerMap) {
+
+ for (String uri : handlerMap.keySet()) {
+ addHandlerMapping(uri, handlerMap.get(uri));
+ }
}
-
- HttpSession httpSession = req.getSession();
- Object o = httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
- if (! (o instanceof LoginContext)) {
- log.error("Invalid login context object -- object is not an instance of LoginContext.");
- return;
+
+ /**
+ * Add a <code><String:AuthenticationHandler&gr;</code> mapping to the
+ * AuthenticationManager's table. If a mapping for the URI already exists,
+ * it will be overwritten.
+ *
+ * The URI SHOULD be from the saml-autn-context-2.0-os
+ *
+ * @param uri
+ * A URI identifying the authentcation method.
+ * @param handler
+ * The AuthenticationHandler.
+ */
+ public void addHandlerMapping(String uri, AuthenticationHandler handler) {
+
+ if (uri == null || handler == null) {
+ return;
+ }
+
+ log
+ .debug("registering " + handler.getClass().getName() + " for "
+ + uri);
+
+ handlerMap.put(uri, handler);
}
- LoginContext loginContext = (LoginContext)o;
-
- // If authentication has been attempted, don't try it again.
- if (loginContext.getAuthenticationAttempted()) {
- handleNewAuthnRequest(loginContext, req, resp);
- } else {
- finishAuthnRequest(loginContext, req, resp);
+
+ /**
+ * Register the default {@link AuthenticationHandler}.
+ *
+ * @param uri
+ * The URI of the default authentication handler (from
+ * saml-authn-context-2.0-os)
+ * @param handler
+ * The default {@link AuthenticationHandler}.
+ */
+ public void setDefaultHandler(String uri, AuthenticationHandler handler) {
+
+ log
+ .debug("Registering default handler "
+ + handler.getClass().getName());
+
+ defaultHandler = handler;
+ defaultHandlerURI = uri;
}
- }
-
-
-
- /**
- * Handle a new authentication request.
- *
- * @param loginContext The {@link LoginContext} for the new authentication request
- * @param servletRequest The servlet request containing the authn request
- * @param servletResponse The associated servlet response.
- */
- private void handleNewAuthnRequest(final LoginContext loginContext,
- final HttpServletRequest servletRequest,
- final HttpServletResponse servletResponse) throws ServletException, IOException {
-
- boolean forceAuthN = loginContext.getForceAuth();
- boolean passiveAuthN = loginContext.getPassiveAuth();
-
- // set that authentication has been attempted, to prevent processing loops
- loginContext.setAuthenticationAttempted();
-
- // if the profile handler set a list of requested authn methods,
- // evaluate them. otherwise, evaluate the default handler.
- String[] requestedAuthnMethods = loginContext.getRequestedAuthenticationMethods();
- AuthenticationHandler handler = null;
-
- if (requestedAuthnMethods == null) {
-
- // if no authn methods were specified, try the default handler
-
- if (evaluateHandler(defaultHandler, "default", forceAuthN, passiveAuthN)) {
- handler = defaultHandler;
- loginContext.setAuthenticationMethod(defaultHandlerURI);
- }
-
- } else {
-
- // evaluate all requested authn methods until we find a match.
-
- for (String authnMethodURI : requestedAuthnMethods) {
-
- AuthenticationHandler candidateHandler = handlerMap.get(authnMethodURI);
- if (candidateHandler == null) {
- log.debug("No registered authentication handlers can satisfy the "
- + " requested authentication method " + authnMethodURI);
- continue;
- }
-
- if (evaluateHandler(candidateHandler, authnMethodURI, forceAuthN, passiveAuthN)) {
-
- // we found a match. stop iterating.
- handler = candidateHandler;
- log.info("Using authentication handler " + handler.getClass().getName()
- + " for authentication method " + authnMethodURI);
- loginContext.setAuthenticationMethod(authnMethodURI);
- break;
+
+ /**
+ * Remove a <String:AuthenticationHandler> mapping from the
+ * AuthenticationManager's table.
+ *
+ * The URI SHOULD be from the saml-authn-context-2.0-os
+ *
+ * @param uri
+ * A URI identifying the authentcation method.
+ */
+ public void removeHandlerMapping(String uri) {
+
+ if (uri == null) {
+ return;
}
- }
+
+ log.debug("unregistering handler for " + uri);
+
+ handlerMap.remove(uri);
}
-
- // if no acceptable handler was found, abort.
- if (handler == null) {
- loginContext.setAuthenticationOK(false);
- loginContext.setAuthenticationFailureMessage(
- "No installed AuthenticationHandler can satisfy the authentication request.");
-
- log.error("No registered authentication handlers could satisify any requested "
- + "authentication methods. Unable to process authentication request.");
-
- RequestDispatcher dispatcher =
- servletRequest.getRequestDispatcher(loginContext.getProfileHandlerURL());
- dispatcher.forward(servletRequest, servletResponse);
+
+ /**
+ * Primary entrypoint for the AuthnManager.
+ *
+ * @param req
+ * The ServletRequest.
+ * @param resp
+ * The ServletResponse.
+ */
+ public void doPost(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+
+ if (req == null || resp == null) {
+ log
+ .error("Invalid parameters in AuthenticationManager's doPost().");
+ return;
+ }
+
+ HttpSession httpSession = req.getSession();
+ Object o = httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
+ if (!(o instanceof LoginContext)) {
+ log
+ .error("Invalid login context object -- object is not an instance of LoginContext.");
+ return;
+ }
+ LoginContext loginContext = (LoginContext) o;
+
+ // If authentication has been attempted, don't try it again.
+ if (loginContext.getAuthenticationAttempted()) {
+ handleNewAuthnRequest(loginContext, req, resp);
+ } else {
+ finishAuthnRequest(loginContext, req, resp);
+ }
}
-
- // otherwise, forward control to the AuthenticationHandler
- ServletContext servletContext = getServletContext();
- loginContext.setAuthenticationManagerURL(servletRequest.getPathInfo());
- handler.login(servletRequest, servletResponse, loginContext);
- }
-
-
- /**
- * Handle the "return leg" of an authentication request
- * (i.e. clean up after an authentication handler has run).
- *
- */
- private void finishAuthnRequest(final LoginContext loginContext,
- final HttpServletRequest servletRequest,
- final HttpServletResponse servletResponse) throws ServletException, IOException {
-
- // if authentication was successful, the authentication handler should
- // have updated the LoginContext with additional information. Use that
- // info to create a Session.
- if (loginContext.getAuthenticationOK()) {
-
- AuthenticationMethodInformation authMethodInfo = new AuthenticationMethodInformationImpl(
- loginContext.getAuthenticationMethod(), loginContext.getAuthenticationInstant(),
- loginContext.getAuthenticationDuration());
-
- InetAddress addr;
- try {
- addr = InetAddress.getByName(servletRequest.getRemoteAddr());
- } catch (Exception ex) {
- addr = null;
- }
-
- Session shibSession = (Session) sessionMgr.createSession(addr,
- loginContext.getUserID());
- List<AuthenticationMethodInformation> authMethods =
- shibSession.getAuthenticationMethods();
- authMethods.add(authMethodInfo);
- loginContext.setSessionID(shibSession.getSessionID());
+
+ /**
+ * Handle a new authentication request.
+ *
+ * @param loginContext
+ * The {@link LoginContext} for the new authentication request
+ * @param servletRequest
+ * The servlet request containing the authn request
+ * @param servletResponse
+ * The associated servlet response.
+ */
+ private void handleNewAuthnRequest(final LoginContext loginContext,
+ final HttpServletRequest servletRequest,
+ final HttpServletResponse servletResponse) throws ServletException,
+ IOException {
+
+ boolean forceAuthN = loginContext.getForceAuth();
+ boolean passiveAuthN = loginContext.getPassiveAuth();
+
+ // set that authentication has been attempted, to prevent processing
+ // loops
+ loginContext.setAuthenticationAttempted();
+
+ // if the profile handler set a list of requested authn methods,
+ // evaluate them. otherwise, evaluate the default handler.
+ String[] requestedAuthnMethods = loginContext
+ .getRequestedAuthenticationMethods();
+ AuthenticationHandler handler = null;
+
+ if (requestedAuthnMethods == null) {
+
+ // if no authn methods were specified, try the default handler
+
+ if (evaluateHandler(defaultHandler, "default", forceAuthN,
+ passiveAuthN)) {
+ handler = defaultHandler;
+ loginContext.setAuthenticationMethod(defaultHandlerURI);
+ }
+
+ } else {
+
+ // evaluate all requested authn methods until we find a match.
+
+ for (String authnMethodURI : requestedAuthnMethods) {
+
+ AuthenticationHandler candidateHandler = handlerMap
+ .get(authnMethodURI);
+ if (candidateHandler == null) {
+ log
+ .debug("No registered authentication handlers can satisfy the "
+ + " requested authentication method "
+ + authnMethodURI);
+ continue;
+ }
+
+ if (evaluateHandler(candidateHandler, authnMethodURI,
+ forceAuthN, passiveAuthN)) {
+
+ // we found a match. stop iterating.
+ handler = candidateHandler;
+ log.info("Using authentication handler "
+ + handler.getClass().getName()
+ + " for authentication method " + authnMethodURI);
+ loginContext.setAuthenticationMethod(authnMethodURI);
+ break;
+ }
+ }
+ }
+
+ // if no acceptable handler was found, abort.
+ if (handler == null) {
+ loginContext.setAuthenticationOK(false);
+ loginContext
+ .setAuthenticationFailureMessage("No installed AuthenticationHandler can satisfy the authentication request.");
+
+ log
+ .error("No registered authentication handlers could satisify any requested "
+ + "authentication methods. Unable to process authentication request.");
+
+ RequestDispatcher dispatcher = servletRequest
+ .getRequestDispatcher(loginContext.getProfileHandlerURL());
+ dispatcher.forward(servletRequest, servletResponse);
+ }
+
+ // otherwise, forward control to the AuthenticationHandler
+ ServletContext servletContext = getServletContext();
+ loginContext.setAuthenticationManagerURL(servletRequest.getPathInfo());
+ handler.login(servletRequest, servletResponse, loginContext);
}
-
- RequestDispatcher dispatcher =
- servletRequest.getRequestDispatcher(loginContext.getProfileHandlerURL());
- dispatcher.forward(servletRequest, servletResponse);
- }
-
-
- /**
- * "Stub" method for handling LogoutRequest.
- */
- private void handleLogoutRequest(final HttpServletRequest servletRequest,
- final HttpServletResponse servletResponse) throws ServletException, IOException {
-
- }
-
-
- /**
- * Evaluate an authenticationhandler against a set of evaluation criteria.
- *
- * @param handler A candiate {@link AuthenticationHandler}
- * @param description A description of the handler
- * @param forceAuthN Is (re)authentication forced?
- * @param passiveAuthN Can the AuthenticationHandler take control of the UI
- *
- * @return <code>true</code> if handler meets the criteria, otherwise <code>false</code>
- */
- private boolean evaluateHandler(final AuthenticationHandler handler,
- String description, boolean forceAuthN, boolean passiveAuthN) {
-
- if (handler == null) {
- return false;
+
+ /**
+ * Handle the "return leg" of an authentication request (i.e. clean up after
+ * an authentication handler has run).
+ *
+ */
+ private void finishAuthnRequest(final LoginContext loginContext,
+ final HttpServletRequest servletRequest,
+ final HttpServletResponse servletResponse) throws ServletException,
+ IOException {
+
+ // if authentication was successful, the authentication handler should
+ // have updated the LoginContext with additional information. Use that
+ // info to create a Session.
+ if (loginContext.getAuthenticationOK()) {
+
+ AuthenticationMethodInformation authMethodInfo = new AuthenticationMethodInformationImpl(
+ loginContext.getAuthenticationMethod(), loginContext
+ .getAuthenticationInstant(), loginContext
+ .getAuthenticationDuration());
+
+ InetAddress addr;
+ try {
+ addr = InetAddress.getByName(servletRequest.getRemoteAddr());
+ } catch (Exception ex) {
+ addr = null;
+ }
+
+ Session shibSession = (Session) sessionMgr.createSession(addr,
+ loginContext.getUserID());
+ List<AuthenticationMethodInformation> authMethods = shibSession
+ .getAuthenticationMethods();
+ authMethods.add(authMethodInfo);
+ loginContext.setSessionID(shibSession.getSessionID());
+ }
+
+ RequestDispatcher dispatcher = servletRequest
+ .getRequestDispatcher(loginContext.getProfileHandlerURL());
+ dispatcher.forward(servletRequest, servletResponse);
}
-
- if (forceAuthN && !handler.supportsForceAuthentication()) {
- log.debug("The RequestedAuthnContext required forced authentication, "
- + "but the " + description + " handler does not support that feature.");
- return false;
+
+ /**
+ * "Stub" method for handling LogoutRequest.
+ */
+ private void handleLogoutRequest(final HttpServletRequest servletRequest,
+ final HttpServletResponse servletResponse) throws ServletException,
+ IOException {
+
}
-
- if (passiveAuthN && !handler.supportsPassive()) {
- log.debug("The RequestedAuthnContext required passive authentication, "
- + "but the " + description + " handler does not support that feature.");
- return false;
+
+ /**
+ * Evaluate an authenticationhandler against a set of evaluation criteria.
+ *
+ * @param handler
+ * A candiate {@link AuthenticationHandler}
+ * @param description
+ * A description of the handler
+ * @param forceAuthN
+ * Is (re)authentication forced?
+ * @param passiveAuthN
+ * Can the AuthenticationHandler take control of the UI
+ *
+ * @return <code>true</code> if handler meets the criteria, otherwise
+ * <code>false</code>
+ */
+ private boolean evaluateHandler(final AuthenticationHandler handler,
+ String description, boolean forceAuthN, boolean passiveAuthN) {
+
+ if (handler == null) {
+ return false;
+ }
+
+ if (forceAuthN && !handler.supportsForceAuthentication()) {
+ log
+ .debug("The RequestedAuthnContext required forced authentication, "
+ + "but the "
+ + description
+ + " handler does not support that feature.");
+ return false;
+ }
+
+ if (passiveAuthN && !handler.supportsPassive()) {
+ log
+ .debug("The RequestedAuthnContext required passive authentication, "
+ + "but the "
+ + description
+ + " handler does not support that feature.");
+ return false;
+ }
+
+ return true;
}
-
- return true;
- }
}
package edu.internet2.middleware.shibboleth.idp.authn;
-
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.joda.time.DateTime;
-
/**
- * Login context created by a profile handler and interpreted
- * by the authentication package.
+ * Login context created by a profile handler and interpreted by the
+ * authentication package.
*
* Two properties are tracked by default:
*
* A Map<String, Object> is provided to store other properties.
* Alternatively, a profile handler may create a subclass of LoginContext with
* extra fields.
- *
- * LoginContexts should be created by a profile handler when authentication is needed.
- * Once control has returned to the profile handler, it should remove the LoginContext
- * from the HttpSession.
- *
- * The {@link AuthenticationManager} or an {@link AuthenticationHandler} should set the
- * {@link LoginContext#setAuthenticationAttempted()}, {@link LoginContext#setAuthnOK(boolean)},
- * {@link LoginContext#setAuthnFailure(String)}, {@link LoginContext#{setAuthenticationDuration(long)}
+ *
+ * LoginContexts should be created by a profile handler when authentication is
+ * needed. Once control has returned to the profile handler, it should remove
+ * the LoginContext from the HttpSession.
+ *
+ * The {@link AuthenticationManager} or an {@link AuthenticationHandler} should
+ * set the {@link LoginContext#setAuthenticationAttempted()},
+ * {@link LoginContext#setAuthnOK(boolean)},
+ * {@link LoginContext#setAuthnFailure(String)},
+ * {@link LoginContext#{setAuthenticationDuration(long)}
* {@link LoginContext#setAuthenticationInstant(DateTime)} appropriately.
- *
+ *
*/
public class LoginContext {
-
- /** the key in a HttpSession where login contexts are stored */
- public static final String LOGIN_CONTEXT_KEY = "shib2.logincontext";
-
-
- /** Should user authentication be forced */
- protected boolean forceAuth = false;
-
- /** Must authentication not interact with the UI */
- protected boolean passiveAuth = false;
-
- /** a catch-all map for other properties */
- protected Map<String, Object> propsMap = new ConcurrentHashMap<String, Object>();;
-
- /** The ProfileHandler URL */
- protected String profileHandlerURL;
-
- /** The AuthenticationManager's URL */
- protected String authnManagerURL;
-
- /** has authentication been attempted yet */
- protected boolean authnAttempted = false;
-
- /** The id of the authenticated user */
- protected String userID;
-
- /** Did authentication succceed? */
- protected boolean authenticationOK;
-
- /** Optional failure message */
- protected String authnFailureMessage;
-
- /** The instant of authentication */
- protected DateTime authnInstant;
-
- /** The duration of authentication */
- protected long authnDuration;
-
- /** The method used to authenticate the user */
- protected String authnMethod;
-
- /** The session id */
- protected String sessionID;
-
-
- /** Creates a new instance of LoginContext */
- public LoginContext() {
- }
-
-
- /**
- * Creates a new instance of LoginContext
- *
- * @param forceAuth if the authentication manager must reauth the user.
- * @param passiveAuth if the authentication manager must not interact with the users UI.
- */
- public LoginContext(boolean forceAuth, boolean passiveAuth) {
-
- forceAuth = forceAuth;
- passiveAuth = passiveAuth;
- }
-
-
- /**
- * Returns if authentication must be forced.
- *
- * @return <code>true</code> if the authentication manager must reauth the user.
- */
- public boolean getForceAuth() {
- return forceAuth;
- }
-
-
- /**
- * Returns if authentication must be passive.
- *
- * @return <code>true</code> if the authentication manager must not interact with the users UI.
- */
- public boolean getPassiveAuth() {
- return passiveAuth;
- }
-
-
- /**
- * Sets if authentication must be forced.
- *
- * @param forceAuth if the authentication manager must reauth the user.
- */
- public void setForceAuth(boolean forceAuth) {
- this.forceAuth = forceAuth;
- }
-
-
- /**
- * Sets if authentication must be passive.
- *
- * @param passiveAuth if the authentication manager must not interact with the users UI.
- */
- public void setPassiveAuth(boolean passiveAuth) {
- this.passiveAuth = passiveAuth;
- }
-
-
- /**
- * Get an optional property object.
- *
- * @param key The key in the properites Map.
- *
- * @return The object, or <code>null</code> is no object exists for the key.
- */
- public Object getProperty(String key) {
- return propsMap.get(key);
- }
-
-
- /**
- * Sets an optional property object.
- *
- * If an object is already associated with key, it will be overwritten.
- *
- * @param key The key to set.
- * @param obj The object to associate with key.
- */
- public void setProperty(String key, final Object obj) {
- propsMap.put(key, obj);
- }
-
-
- /**
- * Sets if authentication succeeded.
- *
- * @param authnOK if authentication succeeded;
- */
- public void setAuthenticationOK(boolean authnOK) {
- this.authenticationOK = authnOK;
- }
-
-
- /**
- * Returns if authentication succeeded.
- *
- * @return <code>true</code> is the user was successfully authenticated.
- */
- public boolean getAuthenticationOK() {
- return authenticationOK;
- }
-
-
- /** Sets the optional authentication failure message.
- *
- * @param failureMessage A description of why authN failed.
- */
- public void setAuthenticationFailureMessage(String failureMessage) {
- authnFailureMessage = failureMessage;
- }
-
-
- /**
- * Returns the optional authentication failure message.
- *
- * @return The failure message, or <code>null</code> is none was set.
- */
- public String getAuthenticationFailureMessage() {
- return authnFailureMessage;
- }
-
-
- /**
- * Set if authentication has been attempted.
- *
- * This method should be called by an {@link AuthenticationHandler}
- * while processing a request.
- */
- public void setAuthenticationAttempted() {
- authnAttempted = true;
- }
-
-
- /**
- * Returns if authentication has been attempted for this user.
- */
- public boolean getAuthenticationAttempted() {
- return authnAttempted;
- }
-
-
- /**
- * Sets the ID of the authenticated user.
- *
- * @param userID The userid.
- */
- public void setUserID(String userID) {
- this.userID = userID;
- }
-
-
- /**
- * Returns the ID of the authenticated user.
- *
- * @return the ID of the user, or <code>null</code> if authentication failed.
- */
- public String getUserID() {
- return userID;
- }
-
-
- /**
- * Gets the ProfileHandler URL.
- *
- * @return the URL of the profile handler that is invoking the Authentication Manager.
- */
- public String getProfileHandlerURL() {
- return profileHandlerURL;
- }
-
-
- /**
- * Sets the ProfileHandler URL.
- *
- * @param profileHandlerURL The URL of the profile handler that invoked the AuthenticationManager/
- */
- public void setProfileHandlerURL(String profileHandlerURL) {
- this.profileHandlerURL = profileHandlerURL;
- }
-
-
- /**
- * Gets the AuthenticationManager URL.
- *
- * @return the URL of the AuthenticationManager.
- */
- public String getAuthenticationManagerURL() {
- return authnManagerURL;
- }
-
-
- /**
- * Sets the AuthenticationManager's URL.
- *
- * @param authnManagerURL the URL of the AuthenticationManager.
- */
- public void setAuthenticationManagerURL(String authnManagerURL) {
- this.authnManagerURL = authnManagerURL;
- }
-
-
- /**
- * Gets the authentication instant.
- *
- * @return The instant of authentication, or <code>null</code> if none was set.
- */
- public DateTime getAuthenticationInstant() {
- return authnInstant;
- }
-
-
- /**
- * Sets the authentication instant.
- *
- * @param authnInstant The instant of authentication.
- */
- public void setAuthenticationInstant(final DateTime authnInstant) {
- this.authnInstant = authnInstant;
- }
-
-
- /**
- * Gets the duration of authentication.
- *
- * @return The duration of authentication, or zero if none was set.
- */
- public long getAuthenticationDuration() {
- return authnDuration;
- }
-
-
- /**
- * Sets the duration of authentication.
- *
- * @param authnDuration The duration of authentication.
- */
- public void setAuthenticationDuration(long authnDuration) {
- this.authnDuration = authnDuration;
- }
-
-
- /**
- * Gets the method used to authenticate the user.
- *
- * @return The method used to authenticate the user.
- */
- public String getAuthenticationMethod() {
- return authnMethod;
- }
-
-
- /**
- * Sets the method used to authenticate the user.
- *
- * @param authnMethod The method used to authenticate the user.
- */
- public void setAuthenticationMethod(String authnMethod) {
- this.authnMethod = authnMethod;
- }
-
-
- /**
- * Gets the {@link Session} ID
- *
- * @return the Session id.
- */
- public String getSessionID() {
- return sessionID;
- }
-
-
- /**
- * Sets the {@link Session} ID
- *
- * @param sessionID the Session ID
- */
- public void setSessionID(String sessionID) {
- this.sessionID = sessionID;
- }
-
-
- /**
- * Return the acceptable authentication handler URIs
- * for authenticating this user. If no authentication
- * methods are preferred, this method will return
- * <code>null</code>.
- *
- * @return an array of URIs, or <code>null</code>.
- */
- public String[] getRequestedAuthenticationMethods() {
-
- return null;
- }
+
+ /** the key in a HttpSession where login contexts are stored */
+ public static final String LOGIN_CONTEXT_KEY = "shib2.logincontext";
+
+ /** Should user authentication be forced */
+ protected boolean forceAuth = false;
+
+ /** Must authentication not interact with the UI */
+ protected boolean passiveAuth = false;
+
+ /** a catch-all map for other properties */
+ protected Map<String, Object> propsMap = new ConcurrentHashMap<String, Object>();;
+
+ /** The ProfileHandler URL */
+ protected String profileHandlerURL;
+
+ /** The AuthenticationManager's URL */
+ protected String authnManagerURL;
+
+ /** has authentication been attempted yet */
+ protected boolean authnAttempted = false;
+
+ /** The id of the authenticated user */
+ protected String userID;
+
+ /** Did authentication succceed? */
+ protected boolean authenticationOK;
+
+ /** Optional failure message */
+ protected String authnFailureMessage;
+
+ /** The instant of authentication */
+ protected DateTime authnInstant;
+
+ /** The duration of authentication */
+ protected long authnDuration;
+
+ /** The method used to authenticate the user */
+ protected String authnMethod;
+
+ /** The session id */
+ protected String sessionID;
+
+ /** Creates a new instance of LoginContext */
+ public LoginContext() {
+ }
+
+ /**
+ * Creates a new instance of LoginContext
+ *
+ * @param forceAuth
+ * if the authentication manager must reauth the user.
+ * @param passiveAuth
+ * if the authentication manager must not interact with the users
+ * UI.
+ */
+ public LoginContext(boolean forceAuth, boolean passiveAuth) {
+
+ forceAuth = forceAuth;
+ passiveAuth = passiveAuth;
+ }
+
+ /**
+ * Returns if authentication must be forced.
+ *
+ * @return <code>true</code> if the authentication manager must reauth the
+ * user.
+ */
+ public boolean getForceAuth() {
+ return forceAuth;
+ }
+
+ /**
+ * Returns if authentication must be passive.
+ *
+ * @return <code>true</code> if the authentication manager must not
+ * interact with the users UI.
+ */
+ public boolean getPassiveAuth() {
+ return passiveAuth;
+ }
+
+ /**
+ * Sets if authentication must be forced.
+ *
+ * @param forceAuth
+ * if the authentication manager must reauth the user.
+ */
+ public void setForceAuth(boolean forceAuth) {
+ this.forceAuth = forceAuth;
+ }
+
+ /**
+ * Sets if authentication must be passive.
+ *
+ * @param passiveAuth
+ * if the authentication manager must not interact with the users
+ * UI.
+ */
+ public void setPassiveAuth(boolean passiveAuth) {
+ this.passiveAuth = passiveAuth;
+ }
+
+ /**
+ * Get an optional property object.
+ *
+ * @param key
+ * The key in the properites Map.
+ *
+ * @return The object, or <code>null</code> is no object exists for the
+ * key.
+ */
+ public Object getProperty(String key) {
+ return propsMap.get(key);
+ }
+
+ /**
+ * Sets an optional property object.
+ *
+ * If an object is already associated with key, it will be overwritten.
+ *
+ * @param key
+ * The key to set.
+ * @param obj
+ * The object to associate with key.
+ */
+ public void setProperty(String key, final Object obj) {
+ propsMap.put(key, obj);
+ }
+
+ /**
+ * Sets if authentication succeeded.
+ *
+ * @param authnOK
+ * if authentication succeeded;
+ */
+ public void setAuthenticationOK(boolean authnOK) {
+ this.authenticationOK = authnOK;
+ }
+
+ /**
+ * Returns if authentication succeeded.
+ *
+ * @return <code>true</code> is the user was successfully authenticated.
+ */
+ public boolean getAuthenticationOK() {
+ return authenticationOK;
+ }
+
+ /**
+ * Sets the optional authentication failure message.
+ *
+ * @param failureMessage
+ * A description of why authN failed.
+ */
+ public void setAuthenticationFailureMessage(String failureMessage) {
+ authnFailureMessage = failureMessage;
+ }
+
+ /**
+ * Returns the optional authentication failure message.
+ *
+ * @return The failure message, or <code>null</code> is none was set.
+ */
+ public String getAuthenticationFailureMessage() {
+ return authnFailureMessage;
+ }
+
+ /**
+ * Set if authentication has been attempted.
+ *
+ * This method should be called by an {@link AuthenticationHandler} while
+ * processing a request.
+ */
+ public void setAuthenticationAttempted() {
+ authnAttempted = true;
+ }
+
+ /**
+ * Returns if authentication has been attempted for this user.
+ */
+ public boolean getAuthenticationAttempted() {
+ return authnAttempted;
+ }
+
+ /**
+ * Sets the ID of the authenticated user.
+ *
+ * @param userID
+ * The userid.
+ */
+ public void setUserID(String userID) {
+ this.userID = userID;
+ }
+
+ /**
+ * Returns the ID of the authenticated user.
+ *
+ * @return the ID of the user, or <code>null</code> if authentication
+ * failed.
+ */
+ public String getUserID() {
+ return userID;
+ }
+
+ /**
+ * Gets the ProfileHandler URL.
+ *
+ * @return the URL of the profile handler that is invoking the
+ * Authentication Manager.
+ */
+ public String getProfileHandlerURL() {
+ return profileHandlerURL;
+ }
+
+ /**
+ * Sets the ProfileHandler URL.
+ *
+ * @param profileHandlerURL
+ * The URL of the profile handler that invoked the
+ * AuthenticationManager/
+ */
+ public void setProfileHandlerURL(String profileHandlerURL) {
+ this.profileHandlerURL = profileHandlerURL;
+ }
+
+ /**
+ * Gets the AuthenticationManager URL.
+ *
+ * @return the URL of the AuthenticationManager.
+ */
+ public String getAuthenticationManagerURL() {
+ return authnManagerURL;
+ }
+
+ /**
+ * Sets the AuthenticationManager's URL.
+ *
+ * @param authnManagerURL
+ * the URL of the AuthenticationManager.
+ */
+ public void setAuthenticationManagerURL(String authnManagerURL) {
+ this.authnManagerURL = authnManagerURL;
+ }
+
+ /**
+ * Gets the authentication instant.
+ *
+ * @return The instant of authentication, or <code>null</code> if none was
+ * set.
+ */
+ public DateTime getAuthenticationInstant() {
+ return authnInstant;
+ }
+
+ /**
+ * Sets the authentication instant.
+ *
+ * @param authnInstant
+ * The instant of authentication.
+ */
+ public void setAuthenticationInstant(final DateTime authnInstant) {
+ this.authnInstant = authnInstant;
+ }
+
+ /**
+ * Gets the duration of authentication.
+ *
+ * @return The duration of authentication, or zero if none was set.
+ */
+ public long getAuthenticationDuration() {
+ return authnDuration;
+ }
+
+ /**
+ * Sets the duration of authentication.
+ *
+ * @param authnDuration
+ * The duration of authentication.
+ */
+ public void setAuthenticationDuration(long authnDuration) {
+ this.authnDuration = authnDuration;
+ }
+
+ /**
+ * Gets the method used to authenticate the user.
+ *
+ * @return The method used to authenticate the user.
+ */
+ public String getAuthenticationMethod() {
+ return authnMethod;
+ }
+
+ /**
+ * Sets the method used to authenticate the user.
+ *
+ * @param authnMethod
+ * The method used to authenticate the user.
+ */
+ public void setAuthenticationMethod(String authnMethod) {
+ this.authnMethod = authnMethod;
+ }
+
+ /**
+ * Gets the {@link Session} ID
+ *
+ * @return the Session id.
+ */
+ public String getSessionID() {
+ return sessionID;
+ }
+
+ /**
+ * Sets the {@link Session} ID
+ *
+ * @param sessionID
+ * the Session ID
+ */
+ public void setSessionID(String sessionID) {
+ this.sessionID = sessionID;
+ }
+
+ /**
+ * Return the acceptable authentication handler URIs for authenticating this
+ * user. If no authentication methods are preferred, this method will return
+ * <code>null</code>.
+ *
+ * @return an array of URIs, or <code>null</code>.
+ */
+ public String[] getRequestedAuthenticationMethods() {
+
+ return null;
+ }
}
package edu.internet2.middleware.shibboleth.idp.authn;
-
import java.util.List;
import java.util.LinkedList;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.RequestedAuthnContext;
-
/**
- * A SAML 2.0 {@link LoginContext}.
+ * A SAML 2.0 {@link LoginContext}.
*
* This class can interpret {@link RequestedAuthnContext} and act accordingly.
*/
public class Saml2LoginContext extends LoginContext {
-
- private static final Logger log = Logger.getLogger(Saml2LoginContext.class);
-
- /** The {@link RequestedAuthnContext} */
- private RequestedAuthnContext ctx;
-
-
- /**
- * Creates a new instance of Saml2LoginContext.
- *
- * @param authnRequest A SAML 2.0 Authentication Request.
- */
- public Saml2LoginContext(AuthnRequest authnRequest) {
-
- if (authnRequest != null) {
- forceAuth = authnRequest.isForceAuthn();
- passiveAuth = authnRequest.isPassive();
- ctx = authnRequest.getRequestedAuthnContext();
- }
- }
-
-
- /**
- * This method evaluates a SAML2 {@link RequestedAuthnContext}
- * and returns the list of requested authentication method URIs.
- *
- * If the AuthnQuery did not contain a RequestedAuthnContext,
- * this method will return <code>null</code>.
- *
- * @return An array of authentication method URIs, or <code>null</code>.
- */
- public String[] getRequestedAuthenticationMethods() {
-
- if (ctx == null)
- return null;
-
- // For the immediate future, we only support the "exact" comparator.
- // XXX: we should probably throw an exception or somehow indicate this
- // as an error to the caller.
- AuthnContextComparisonTypeEnumeration comparator = ctx.getComparison();
- if (comparator != null && comparator != AuthnContextComparisonTypeEnumeration.EXACT) {
- log.error("Unsupported comparision operator ( " + comparator
- + ") in RequestedAuthnContext. Only exact comparisions are supported.");
- return null;
- }
-
- // build a list of all requested authn classes and declrefs
- List<String> requestedAuthnMethods = new LinkedList<String>();
- List<AuthnContextClassRef> authnClasses = ctx.getAuthnContextClassRefs();
- List<AuthnContextDeclRef> authnDeclRefs = ctx.getAuthnContextDeclRefs();
-
- if (authnClasses != null) {
- for (AuthnContextClassRef classRef : authnClasses) {
- if (classRef != null) {
- String s = classRef.getAuthnContextClassRef();
- if (s != null) {
- requestedAuthnMethods.add(s);
- }
- }
- }
- }
-
- if (authnDeclRefs != null) {
- for (AuthnContextDeclRef declRef : authnDeclRefs) {
- if (declRef != null) {
- String s = declRef.getAuthnContextDeclRef();
- if (s != null) {
- requestedAuthnMethods.add(s);
- }
- }
- }
- }
-
- if (requestedAuthnMethods.size() == 0) {
- return null;
- } else {
- String[] methods = new String[requestedAuthnMethods.size()];
- return requestedAuthnMethods.toArray(methods);
- }
-
- }
+
+ private static final Logger log = Logger.getLogger(Saml2LoginContext.class);
+
+ /** The {@link RequestedAuthnContext} */
+ private RequestedAuthnContext ctx;
+
+ /**
+ * Creates a new instance of Saml2LoginContext.
+ *
+ * @param authnRequest
+ * A SAML 2.0 Authentication Request.
+ */
+ public Saml2LoginContext(AuthnRequest authnRequest) {
+
+ if (authnRequest != null) {
+ forceAuth = authnRequest.isForceAuthn();
+ passiveAuth = authnRequest.isPassive();
+ ctx = authnRequest.getRequestedAuthnContext();
+ }
+ }
+
+ /**
+ * This method evaluates a SAML2 {@link RequestedAuthnContext} and returns
+ * the list of requested authentication method URIs.
+ *
+ * If the AuthnQuery did not contain a RequestedAuthnContext, this method
+ * will return <code>null</code>.
+ *
+ * @return An array of authentication method URIs, or <code>null</code>.
+ */
+ public String[] getRequestedAuthenticationMethods() {
+
+ if (ctx == null)
+ return null;
+
+ // For the immediate future, we only support the "exact" comparator.
+ // XXX: we should probably throw an exception or somehow indicate this
+ // as an error to the caller.
+ AuthnContextComparisonTypeEnumeration comparator = ctx.getComparison();
+ if (comparator != null
+ && comparator != AuthnContextComparisonTypeEnumeration.EXACT) {
+ log
+ .error("Unsupported comparision operator ( "
+ + comparator
+ + ") in RequestedAuthnContext. Only exact comparisions are supported.");
+ return null;
+ }
+
+ // build a list of all requested authn classes and declrefs
+ List<String> requestedAuthnMethods = new LinkedList<String>();
+ List<AuthnContextClassRef> authnClasses = ctx
+ .getAuthnContextClassRefs();
+ List<AuthnContextDeclRef> authnDeclRefs = ctx.getAuthnContextDeclRefs();
+
+ if (authnClasses != null) {
+ for (AuthnContextClassRef classRef : authnClasses) {
+ if (classRef != null) {
+ String s = classRef.getAuthnContextClassRef();
+ if (s != null) {
+ requestedAuthnMethods.add(s);
+ }
+ }
+ }
+ }
+
+ if (authnDeclRefs != null) {
+ for (AuthnContextDeclRef declRef : authnDeclRefs) {
+ if (declRef != null) {
+ String s = declRef.getAuthnContextDeclRef();
+ if (s != null) {
+ requestedAuthnMethods.add(s);
+ }
+ }
+ }
+ }
+
+ if (requestedAuthnMethods.size() == 0) {
+ return null;
+ } else {
+ String[] methods = new String[requestedAuthnMethods.size()];
+ return requestedAuthnMethods.toArray(methods);
+ }
+
+ }
}