Clean up AuthN state better in the event of a failure
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 12 Nov 2007 07:06:35 +0000 (07:06 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 12 Nov 2007 07:06:35 +0000 (07:06 +0000)
Attempt to detect when a user aborts midway through the AuthN process

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2461 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java
src/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java

index 5f9f77b..7ceabc8 100644 (file)
@@ -148,11 +148,9 @@ public class AuthenticationEngine extends HttpServlet {
                 AuthenticationMethodInformation authenticationMethod = getUsableExistingAuthenticationMethod(
                         loginContext, shibSession);
                 if (authenticationMethod != null) {
-                    LOG
-                            .debug(
-                                    "An active authentication method is applicable for relying party.  "
-                                            + "Using authentication method {} as authentication method to relying party without re-authenticating user.",
-                                    authenticationMethod.getAuthenticationMethod());
+                    LOG.debug("An active authentication method is applicable for relying party.  Using authentication "
+                            + "method {} as authentication method to relying party without re-authenticating user.",
+                            authenticationMethod.getAuthenticationMethod());
                     authenticateUserWithActiveMethod(httpRequest, httpResponse, authenticationMethod);
                 }
             }
index 1cc2440..c8c5325 100644 (file)
@@ -108,10 +108,14 @@ public class ShibbolethSSOProfileHandler extends AbstractSAML1ProfileHandler {
 
         HttpServletRequest httpRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
         HttpSession httpSession = httpRequest.getSession();
+        LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
 
-        if (httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY) == null) {
+        if (loginContext == null) {
             log.debug("User session does not contain a login context, processing as first leg of request");
             performAuthentication(inTransport, outTransport);
+        }else if (!loginContext.isPrincipalAuthenticated()){
+            log.debug("User session contained a login context but user was not authenticated, processing as first leg of request");
+            performAuthentication(inTransport, outTransport);
         } else {
             log.debug("User session contains a login context, processing as second leg of request");
             completeAuthenticationRequest(inTransport, outTransport);
@@ -154,9 +158,11 @@ public class ShibbolethSSOProfileHandler extends AbstractSAML1ProfileHandler {
             dispatcher.forward(httpRequest, httpResponse);
             return;
         } catch (IOException ex) {
+            httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
             log.error("Error forwarding Shibboleth SSO request to AuthenticationManager", ex);
             throw new ProfileException("Error forwarding Shibboleth SSO request to AuthenticationManager", ex);
         } catch (ServletException ex) {
+            httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
             log.error("Error forwarding Shibboleth SSO request to AuthenticationManager", ex);
             throw new ProfileException("Error forwarding Shibboleth SSO request to AuthenticationManager", ex);
         }
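Review bot: The session cleanup is performed only in the `IOException` and `ServletException` handlers, so any other exception escaping this try (a RuntimeException from `decodeRequest` or the dispatcher, for example) still leaves the unauthenticated LoginContext behind; the new `isPrincipalAuthenticated()` check in processRequest limits the damage, but the intent of the commit is not fully met. A `finally` is not an option here because a successful `forward` must leave the context in place for the login page, so the fix is a third handler, `catch (RuntimeException ex) { httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY); throw ex; }`, or a single local that the existing handlers fall through to. The try starts and the method ends outside this hunk, and `httpSession` is presumably declared earlier in the method (the SAML 2 handler had to add that declaration in this same commit); if it is not, this will not compile.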
index 083df26..6f794a1 100644 (file)
@@ -123,10 +123,16 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
     public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
         HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
         HttpSession httpSession = servletRequest.getSession(true);
+        LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
 
-        if (httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY) == null) {
+        if (loginContext == null) {
+            log.debug("User session does not contain a login context, processing as first leg of request");
+            performAuthentication(inTransport, outTransport);
+        }else if (!loginContext.isPrincipalAuthenticated()){
+            log.debug("User session contained a login context but user was not authenticated, processing as first leg of request");
             performAuthentication(inTransport, outTransport);
         } else {
+            log.debug("User session contains a login context, processing as second leg of request");
             completeAuthenticationRequest(inTransport, outTransport);
         }
     }
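Review bot: This dispatch is now byte-for-byte the same as the one added to ShibbolethSSOProfileHandler.processRequest, including the unspaced `}else if (...){`, and both blocks will have to evolve together; extracting it into whichever common ancestor the two abstract handlers share, e.g. `protected boolean hasAuthenticatedLoginContext(HttpSession session)`, would remove the duplication. Note that the check only answers "has a principal been authenticated in this session", not "was this LoginContext created for the request now being processed": if `completeAuthenticationRequest` does not already remove the attribute once it has been consumed (not visible here), a later, unrelated AuthnRequest in the same session would be routed straight to the second leg. A one-line comment above the `if` stating which method is responsible for clearing the context would make that contract visible to the next reader. The `getSession(true)` here versus `getSession()` in the SAML 1 handler is equivalent but inconsistent.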
@@ -144,6 +150,7 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
     protected void performAuthentication(HTTPInTransport inTransport, HTTPOutTransport outTransport)
             throws ProfileException {
         HttpServletRequest servletRequest = ((HttpServletRequestAdapter) inTransport).getWrappedRequest();
+        HttpSession httpSession = servletRequest.getSession();
 
         try {
             SSORequestContext requestContext = decodeRequest(inTransport, outTransport);
@@ -166,18 +173,20 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
             if (loginContext.getRequestedAuthenticationMethods().size() == 0) {
                 loginContext.getRequestedAuthenticationMethods().add(rpConfig.getDefaultAuthenticationMethod());
             }
-
-            HttpSession httpSession = servletRequest.getSession();
+            
             httpSession.setAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY, loginContext);
             RequestDispatcher dispatcher = servletRequest.getRequestDispatcher(authenticationManagerPath);
             dispatcher.forward(servletRequest, ((HttpServletResponseAdapter) outTransport).getWrappedResponse());
         } catch (MarshallingException e) {
+            httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
             log.error("Unable to marshall authentication request context");
             throw new ProfileException("Unable to marshall authentication request context", e);
         } catch (IOException ex) {
+            httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
             log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
             throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
         } catch (ServletException ex) {
+            httpSession.removeAttribute(LoginContext.LOGIN_CONTEXT_KEY);
             log.error("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
             throw new ProfileException("Error forwarding SAML 2 AuthnRequest to AuthenticationManager", ex);
         }
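Review bot: The context is stored under `Saml2LoginContext.LOGIN_CONTEXT_KEY` (context line above) but the three new cleanup calls remove `LoginContext.LOGIN_CONTEXT_KEY`; if `Saml2LoginContext` merely inherits the constant these are the same string and the cleanup works, but if it redeclares it the removes are silent no-ops and the stale context survives exactly the failures this commit targets. Using one constant in both places, `httpSession.removeAttribute(Saml2LoginContext.LOGIN_CONTEXT_KEY);`, removes the ambiguity. The same one-line cleanup is now repeated in three catch blocks while any RuntimeException out of the try still skips it; since a `finally` is ruled out (a successful forward must keep the context), a single catch-and-rethrow of `RuntimeException` alongside a shared cleanup would cover all paths. The replaced blank line now carries trailing whitespace (`+            `), which the old line did not.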