Carry subjects, created during authentication, as AuthN method information
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 25 Jul 2007 20:01:51 +0000 (20:01 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 25 Jul 2007 20:01:51 +0000 (20:01 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2323 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
src/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationHandler.java
src/edu/internet2/middleware/shibboleth/idp/session/AuthenticationMethodInformation.java
src/edu/internet2/middleware/shibboleth/idp/session/impl/AuthenticationMethodInformationImpl.java

index d68bd43..53feb1f 100644 (file)
@@ -21,6 +21,7 @@ import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.List;
 
+import javax.security.auth.Subject;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -129,8 +130,8 @@ public class AuthenticationEngine extends HttpServlet {
         if (LOG.isDebugEnabled()) {
             LOG.debug("Processing incoming request");
         }
-        
-        if(httpResponse.isCommitted()){
+
+        if (httpResponse.isCommitted()) {
             LOG.error("HTTP Response already committed");
         }
 
@@ -169,7 +170,7 @@ public class AuthenticationEngine extends HttpServlet {
             }
             authenticateUserWithoutActiveMethod2(httpRequest, httpResponse);
         }
-        
+
         return;
     }
 
@@ -212,21 +213,19 @@ public class AuthenticationEngine extends HttpServlet {
      * @param httpRequest current HTTP request
      * @param httpResponse current HTTP response
      */
-    protected void authenticateUserWithoutActiveMethod1(HttpServletRequest httpRequest, 
-            HttpServletResponse httpResponse) {
+    protected void authenticateUserWithoutActiveMethod1(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
         HttpSession httpSession = httpRequest.getSession();
         LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
 
         if (LOG.isDebugEnabled()) {
             LOG.debug("Selecting appropriate authentication method for request.");
         }
-        Pair<String, AuthenticationHandler> handler = getProfileHandlerManager().getAuthenticationHandler(
-                loginContext);
+        Pair<String, AuthenticationHandler> handler = getProfileHandlerManager().getAuthenticationHandler(loginContext);
 
         if (handler == null) {
             loginContext.setPrincipalAuthenticated(false);
             loginContext.setAuthenticationFailureMessage("No AuthenticationHandler satisfys the request from: "
-                            + loginContext.getRelyingPartyId());
+                    + loginContext.getRelyingPartyId());
             LOG.error("No AuthenticationHandler satisfies the request from relying party: "
                     + loginContext.getRelyingPartyId());
             returnToProfileHandler(loginContext, httpRequest, httpResponse);
@@ -257,8 +256,7 @@ public class AuthenticationEngine extends HttpServlet {
      * @param httpRequest current HTTP request
      * @param httpResponse current HTTP response
      */
-    protected void authenticateUserWithoutActiveMethod2(HttpServletRequest httpRequest, 
-            HttpServletResponse httpResponse) {
+    protected void authenticateUserWithoutActiveMethod2(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
         HttpSession httpSession = httpRequest.getSession();
 
         String principalName = (String) httpRequest.getAttribute(AuthenticationHandler.PRINCIPAL_NAME_KEY);
@@ -298,8 +296,10 @@ public class AuthenticationEngine extends HttpServlet {
             LOG.debug("Recording authentication and service information in Shibboleth session for principal: "
                     + principalName);
         }
-        AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(loginContext
+        Subject subject = (Subject) httpRequest.getAttribute(AuthenticationHandler.SUBJECT_KEY);
+        AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(subject, loginContext
                 .getAuthenticationMethod(), new DateTime(), loginContext.getAuthenticationDuration());
+
         shibSession.getAuthenticationMethods().put(authnMethodInfo.getAuthenticationMethod(), authnMethodInfo);
 
         ServiceInformation serviceInfo = new ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(),
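Review bot: The Subject pulled from the request at `Subject subject = (Subject) httpRequest.getAttribute(AuthenticationHandler.SUBJECT_KEY);` is stored as-is in the Shibboleth session through authnMethodInfo, and a javax.security.auth.Subject can carry private credentials (its getPrivateCredentials() set) such as the password or ticket a login module kept. Nothing here strips them, so they would stay in server memory for the authentication duration and, if the session store is persistent or replicated, be written out with it; clearing them before storage (`if (subject != null && !subject.isReadOnly()) { subject.getPrivateCredentials().clear(); }`, subject to the usual JAAS permission checks) or requiring handlers to bind a credential-free Subject would close that. The cast is also unchecked, so a handler or filter that binds a non-Subject object under the bare "subject" attribute name surfaces as an uncaught ClassCastException rather than a logged authentication failure. authenticateUserWithoutActiveMethod2 starts above this hunk and continues past it.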
index e25443c..04f3830 100644 (file)
@@ -18,19 +18,28 @@ package edu.internet2.middleware.shibboleth.idp.authn;
 
 import java.util.List;
 
+import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+
 /**
  * Authentication handlers authenticate a user in an implementation specific manner. Some examples of this might be by
  * collecting a user name and password and validating it against an LDAP directory or collecting and validating a client
  * certificate or one-time password.
  * 
  * After the handler has authenticated the user it <strong>MUST</strong> bind the user's principal name to the
- * {@link HttpServletRequest} attribute identified by {@link AuthenticationHandler#PRINCIPAL_NAME_KEY}. The handler may
- * also bind an error message, if an error occurred during authentication to the request attribute identified by
- * {@link AuthenticationHandler#AUTHENTICATION_ERROR_KEY}. Finally, the handler must return control to the
- * authentication engine by invoking
+ * {@link HttpServletRequest} attribute identified by {@link AuthenticationHandler#PRINCIPAL_NAME_KEY}.
+ * 
+ * The handler may bind a {@link Subject} to the attribute identified by {@link #SUBJECT_KEY} if one was created during
+ * the authentication process. This Subject is stored in the {@link AuthenticationMethodInformation}, created for this
+ * authentication, in the user's session.
+ * 
+ * The handler may also bind an error message, if an error occurred during authentication to the request attribute
+ * identified by {@link AuthenticationHandler#AUTHENTICATION_ERROR_KEY}.
+ * 
+ * Finally, the handler must return control to the authentication engine by invoking
  * {@link AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}. After which the
  * authentication handler must immediately return.
  * 
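Review bot: The new paragraph about SUBJECT_KEY says where the Subject ends up but not what the engine expects of it, so the contract is underspecified in two ways a handler author needs. Nothing states that the Subject's principals must correspond to the name bound under PRINCIPAL_NAME_KEY (the visible engine code does not cross-check them), and nothing warns that whatever the Subject carries, private credentials included, is retained with the session. I would add after the second sentence of that paragraph: `The engine does not verify that the Subject's principals match the bound principal name, and it retains the Subject, including any credentials it carries, in the session for the life of the authentication method; handlers must therefore not bind private credentials (passwords, tickets) they do not intend to be kept.`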
@@ -43,6 +52,9 @@ public interface AuthenticationHandler {
     /** Request attribute to which user's principal name should be bound. */
     public static final String PRINCIPAL_NAME_KEY = "principal";
 
+    /** Request attribute to which user's subject should be bound. */
+    public static final String SUBJECT_KEY = "subject";
+
     /** Request attribute to which an error message may be bound. */
     public static final String AUTHENTICATION_ERROR_KEY = "authnError";
 
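Review bot: The Javadoc on SUBJECT_KEY says the subject "should be bound", while the class Javadoc above describes binding a Subject as optional ("may bind"), so a handler author reading only the constant gets a stricter contract than the engine enforces. Since the engine-side constructor does not require a Subject, the field comment should say so: `/** Request attribute to which the user's {@link Subject} may be bound, if the handler created one; optional. */`. The value follows the existing un-namespaced convention of PRINCIPAL_NAME_KEY, which is consistent, though a namespaced key would make an accidental collision with another component's "subject" request attribute less likely.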
@@ -52,7 +64,7 @@ public interface AuthenticationHandler {
      * @return authentication methods this handler supports
      */
     public List<String> getSupportedAuthenticationMethods();
-    
+
     /**
      * Gets the length of time, in milliseconds, after which a user authenticated by this handler should be
      * re-authenticated.
index f209dd7..0274c62 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.session;
 
+import javax.security.auth.Subject;
+
 import org.joda.time.DateTime;
 
 /**
  * Information about an authentication method employed by a user.
  */
 public interface AuthenticationMethodInformation {
+    
+    /**
+     * Gets the Subject created by this authentication method.
+     * 
+     * @return subject created by this authentication method
+     */
+    public Subject getAuthenticationSubject();
 
     /**
      * Gets the unique identifier for the authentication method.
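Review bot: getAuthenticationSubject() does not document that it can return null, yet binding a Subject is optional for handlers and the implementation constructor stores whatever it is given without a null check, so callers will dereference a null unless told. I would write the @return as `@return subject created by this authentication method, or null if the authenticating handler did not provide one`. Whether this interface is meant to be serialized with the session is not visible here; if it is, the Subject's credentials travel with it and that deserves a sentence too. The @@ header for this hunk is missing from the page, so its exact position in the file is inferred.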
index 017edda..2cbb6c0 100644 (file)
@@ -16,6 +16,8 @@
 
 package edu.internet2.middleware.shibboleth.idp.session.impl;
 
+import javax.security.auth.Subject;
+
 import org.joda.time.DateTime;
 
 import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
@@ -25,6 +27,9 @@ import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInfor
  */
 public class AuthenticationMethodInformationImpl implements AuthenticationMethodInformation {
 
+    /** Subject created by this authentication mechanism. */
+    private Subject authenticationSubject;
+    
     /** The authentication method (a URI). */
     private String authenticationMethod;
 
@@ -55,6 +60,32 @@ public class AuthenticationMethodInformationImpl implements AuthenticationMethod
         authenticationDuration = duration;
         expirationInstant = instant.plus(duration);
     }
+    
+    /**
+     * Default constructor.
+     * 
+     * @param subject Subject created by the authentication method
+     * @param method The unique identifier for the authentication method.
+     * @param instant The time the user authenticated with this member.
+     * @param duration The duration of this authentication method.
+     */
+    public AuthenticationMethodInformationImpl(Subject subject, String method, DateTime instant, long duration) {
+
+        if (method == null || instant == null || duration < 0) {
+            throw new IllegalArgumentException("Authentication method, instant, and duration may not be null");
+        }
+
+        authenticationSubject = subject;
+        authenticationMethod = method;
+        authenticationInstant = instant;
+        authenticationDuration = duration;
+        expirationInstant = instant.plus(duration);
+    }
+    
+    /** {@inheritDoc} */
+    public Subject getAuthenticationSubject() {
+        return authenticationSubject;
+    }
 
     /** {@inheritDoc} */
     public String getAuthenticationMethod() {
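Review bot: The new four-argument constructor repeats the three-argument one's validation and assignments verbatim instead of delegating, and its Javadoc calls it the "Default constructor" although it takes the most parameters. Replacing the body with `this(method, instant, duration);` and `authenticationSubject = subject;` keeps one copy of the invariants; the summary line should simply be `Constructor.`, with `@param instant the time the user authenticated with this method` instead of "member". The message "Authentication method, instant, and duration may not be null" does not match the `duration < 0` check it guards (a long cannot be null); `"Authentication method and instant may not be null and duration may not be negative"` would. The Subject is also held by reference, so its creator can still alter the principals the session records afterwards; that is presumably intended, but worth noting in the field comment. getAuthenticationMethod() runs past the end of the hunk.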