import java.net.UnknownHostException;
import java.util.List;
+import javax.security.auth.Subject;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
if (LOG.isDebugEnabled()) {
LOG.debug("Processing incoming request");
}
-
- if(httpResponse.isCommitted()){
+
+ if (httpResponse.isCommitted()) {
LOG.error("HTTP Response already committed");
}
}
authenticateUserWithoutActiveMethod2(httpRequest, httpResponse);
}
-
+
return;
}
* @param httpRequest current HTTP request
* @param httpResponse current HTTP response
*/
- protected void authenticateUserWithoutActiveMethod1(HttpServletRequest httpRequest,
- HttpServletResponse httpResponse) {
+ protected void authenticateUserWithoutActiveMethod1(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
HttpSession httpSession = httpRequest.getSession();
LoginContext loginContext = (LoginContext) httpSession.getAttribute(LoginContext.LOGIN_CONTEXT_KEY);
if (LOG.isDebugEnabled()) {
LOG.debug("Selecting appropriate authentication method for request.");
}
- Pair<String, AuthenticationHandler> handler = getProfileHandlerManager().getAuthenticationHandler(
- loginContext);
+ Pair<String, AuthenticationHandler> handler = getProfileHandlerManager().getAuthenticationHandler(loginContext);
if (handler == null) {
loginContext.setPrincipalAuthenticated(false);
loginContext.setAuthenticationFailureMessage("No AuthenticationHandler satisfys the request from: "
- + loginContext.getRelyingPartyId());
+ + loginContext.getRelyingPartyId());
LOG.error("No AuthenticationHandler satisfies the request from relying party: "
+ loginContext.getRelyingPartyId());
returnToProfileHandler(loginContext, httpRequest, httpResponse);
* @param httpRequest current HTTP request
* @param httpResponse current HTTP response
*/
- protected void authenticateUserWithoutActiveMethod2(HttpServletRequest httpRequest,
- HttpServletResponse httpResponse) {
+ protected void authenticateUserWithoutActiveMethod2(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
HttpSession httpSession = httpRequest.getSession();
String principalName = (String) httpRequest.getAttribute(AuthenticationHandler.PRINCIPAL_NAME_KEY);
LOG.debug("Recording authentication and service information in Shibboleth session for principal: "
+ principalName);
}
- AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(loginContext
+ Subject subject = (Subject) httpRequest.getAttribute(AuthenticationHandler.SUBJECT_KEY);
+ AuthenticationMethodInformation authnMethodInfo = new AuthenticationMethodInformationImpl(subject, loginContext
.getAuthenticationMethod(), new DateTime(), loginContext.getAuthenticationDuration());
+
shibSession.getAuthenticationMethods().put(authnMethodInfo.getAuthenticationMethod(), authnMethodInfo);
ServiceInformation serviceInfo = new ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(),
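Review bot: The Subject taken from the request at the `Subject subject = (Subject) httpRequest.getAttribute(AuthenticationHandler.SUBJECT_KEY);` line is put into the IdP session through the AuthenticationMethodInformation stored on the `shibSession.getAuthenticationMethods().put(...)` line, so anything a handler left in that Subject, including private credentials such as a password-derived JAAS credential, is now retained for as long as that session entry lives; whether any handler actually populates private credentials is not visible here. If nothing downstream needs them, the engine could strip them before storing, `if (subject != null) { subject.getPrivateCredentials().clear(); }`, or the retention should at least be stated in the SUBJECT_KEY contract. The cast is also unchecked: a handler that binds a non-Subject value under the "subject" key makes this method throw ClassCastException out of the servlet, where an `instanceof` test with a logged error would fail more clearly. The enclosing authenticateUserWithoutActiveMethod2 continues past the end of this hunk.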
import java.util.List;
+import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+
/**
* Authentication handlers authenticate a user in an implementation specific manner. Some examples of this might be by
* collecting a user name and password and validating it against an LDAP directory or collecting and validating a client
* certificate or one-time password.
*
* After the handler has authenticated the user it <strong>MUST</strong> bind the user's principal name to the
- * {@link HttpServletRequest} attribute identified by {@link AuthenticationHandler#PRINCIPAL_NAME_KEY}. The handler may
- * also bind an error message, if an error occurred during authentication to the request attribute identified by
- * {@link AuthenticationHandler#AUTHENTICATION_ERROR_KEY}. Finally, the handler must return control to the
- * authentication engine by invoking
+ * {@link HttpServletRequest} attribute identified by {@link AuthenticationHandler#PRINCIPAL_NAME_KEY}.
+ *
+ * The handler may bind a {@link Subject} to the attribute identified by {@link #SUBJECT_KEY} if one was created during
+ * the authentication process. This Subject is stored in the {@link AuthenticationMethodInformation}, created for this
+ * authentication, in the user's session.
+ *
+ * The handler may also bind an error message, if an error occurred during authentication to the request attribute
+ * identified by {@link AuthenticationHandler#AUTHENTICATION_ERROR_KEY}.
+ *
+ * Finally, the handler must return control to the authentication engine by invoking
* {@link AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}. After which the
* authentication handler must immediately return.
*
/** Request attribute to which user's principal name should be bound. */
public static final String PRINCIPAL_NAME_KEY = "principal";
+ /** Request attribute to which user's subject should be bound. */
+ public static final String SUBJECT_KEY = "subject";
+
/** Request attribute to which an error message may be bound. */
public static final String AUTHENTICATION_ERROR_KEY = "authnError";
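Review bot: The new `SUBJECT_KEY` comment and the class Javadoc paragraph about the Subject say where it ends up (the AuthenticationMethodInformation in the user's session) but not what the handler is expected to put in it, which matters because a JAAS Subject can carry private credentials that would then be retained with the session. I would extend the constant's comment to `/** Request attribute to which user's subject may be bound; it is retained in the user's session, so bind only principals and credentials that are safe to keep for the session lifetime. */`. The class Javadoc could likewise say that binding a Subject is optional and that `getAuthenticationSubject()` is then null, since the paragraph already uses "may".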
* @return authentication methods this handler supports
*/
public List<String> getSupportedAuthenticationMethods();
-
+
/**
* Gets the length of time, in milliseconds, after which a user authenticated by this handler should be
* re-authenticated.
package edu.internet2.middleware.shibboleth.idp.session;
+import javax.security.auth.Subject;
+
import org.joda.time.DateTime;
/**
* Information about an authentication method employed by a user.
*/
public interface AuthenticationMethodInformation {
+
+ /**
+ * Gets the Subject created by this authentication method.
+ *
+ * @return subject created by this authentication method
+ */
+ public Subject getAuthenticationSubject();
/**
* Gets the unique identifier for the authentication method.
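Review bot: `getAuthenticationSubject()` is documented as returning the subject created by the authentication method, but the AuthenticationHandler contract in this same change makes binding a Subject optional, so callers need to know the accessor can return null. I would change the tag to `* @return subject created by this authentication method, or null if the handler did not provide one`. A one-line note that the returned Subject is the live instance held by the session, not a copy, would also tell callers they are mutating shared session state if they touch its principal or credential sets; that is inferred from the Impl storing the reference as-is and should be confirmed.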
package edu.internet2.middleware.shibboleth.idp.session.impl;
+import javax.security.auth.Subject;
+
import org.joda.time.DateTime;
import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
*/
public class AuthenticationMethodInformationImpl implements AuthenticationMethodInformation {
+ /** Subject created by this authentication mechanism. */
+ private Subject authenticationSubject;
+
/** The authentication method (a URI). */
private String authenticationMethod;
authenticationDuration = duration;
expirationInstant = instant.plus(duration);
}
+
+ /**
+ * Default constructor.
+ *
+ * @param subject Subject created by the authentication method
+ * @param method The unique identifier for the authentication method.
+ * @param instant The time the user authenticated with this member.
+ * @param duration The duration of this authentication method.
+ */
+ public AuthenticationMethodInformationImpl(Subject subject, String method, DateTime instant, long duration) {
+
+ if (method == null || instant == null || duration < 0) {
+ throw new IllegalArgumentException("Authentication method, instant, and duration may not be null");
+ }
+
+ authenticationSubject = subject;
+ authenticationMethod = method;
+ authenticationInstant = instant;
+ authenticationDuration = duration;
+ expirationInstant = instant.plus(duration);
+ }
+
+ /** {@inheritDoc} */
+ public Subject getAuthenticationSubject() {
+ return authenticationSubject;
+ }
/** {@inheritDoc} */
public String getAuthenticationMethod() {
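Review bot: The argument check in the new constructor, `if (method == null || instant == null || duration < 0)`, rejects a negative duration, but the message on the next line says "Authentication method, instant, and duration may not be null", which cannot be true of a primitive long and will send whoever reads the exception looking for the wrong problem; use `throw new IllegalArgumentException("Authentication method and instant may not be null and duration may not be negative");`. The `subject` parameter is accepted as null without comment, while the other arguments are validated, so the `@param subject` tag should say `Subject created by the authentication method, may be null`. The new constructor also repeats the whole body of the existing four-argument constructor whose tail is visible above; having the old one delegate with `this(null, method, instant, duration);` keeps one copy of the validation. Whether this class is serialized as part of the session, and hence whether the Subject's contents need to be serializable, is not visible in this hunk.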