Filter to strip realm from Kerberized principal names.
authorcantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 21 Aug 2003 04:08:37 +0000 (04:08 +0000)
committercantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 21 Aug 2003 04:08:37 +0000 (04:08 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@734 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java [new file with mode: 0644]

diff --git a/src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java b/src/edu/internet2/middleware/shibboleth/utils/KerberosPrincipalFilter.java
new file mode 100644 (file)
index 0000000..22a9681
--- /dev/null
@@ -0,0 +1,161 @@
+/*
+ * The Shibboleth License, Version 1.
+ * Copyright (c) 2002
+ * University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution, if any, must include
+ * the following acknowledgment: "This product includes software developed by
+ * the University Corporation for Advanced Internet Development
+ * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
+ * may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear.
+ *
+ * Neither the name of Shibboleth nor the names of its contributors, nor
+ * Internet2, nor the University Corporation for Advanced Internet Development,
+ * Inc., nor UCAID may be used to endorse or promote products derived from this
+ * software without specific prior written permission. For written permission,
+ * please contact shibboleth@shibboleth.org
+ *
+ * Products derived from this software may not be called Shibboleth, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor
+ * may Shibboleth appear in their name, without prior written permission of the
+ * University Corporation for Advanced Internet Development.
+ *
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
+ * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+package edu.internet2.middleware.shibboleth.utils;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.log4j.Logger;
+import org.apache.log4j.MDC;
+
+/**
+ * Simple Servlet Filter that strips realm information from Kerberos authenticated container-managed security
+ *
+ * @author Scott Cantor
+ */
+public class KerberosPrincipalFilter implements Filter {
+
+       private static Logger log = Logger.getLogger(KerberosPrincipalFilter.class.getName());
+
+       /**
+        * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
+        */
+       public void init(FilterConfig config) throws ServletException {
+       }
+
+       /**
+        * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
+        */
+       public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+               throws IOException, ServletException {
+               if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
+            MDC.put("serviceId", "[Kerberos Principal Filter]");
+                       log.error("Only HTTP(s) requests are supported by the KerberosPrincipalFilter.");
+                       return;
+               }
+               HttpServletRequest httpRequest = (HttpServletRequest) request;
+
+        String name = httpRequest.getRemoteUser();
+        int split = name.indexOf('@');
+        if (split > -1)
+            name = name.substring(0,split);
+        
+               chain.doFilter(new KerberosPrincipalWrapper(httpRequest, new PrincipalImpl(name)), response);
+       }
+
+       /**
+        * @see javax.servlet.Filter#destroy()
+        */
+       public void destroy() {
+       }
+
+       class KerberosPrincipalWrapper extends HttpServletRequestWrapper {
+
+               Principal principal;
+
+        KerberosPrincipalWrapper(HttpServletRequest request, Principal principal) {
+                       super(request);
+                       this.principal = principal;
+               }
+
+               /**
+                * @see javax.servlet.http.HttpServletRequest#getRemoteUser()
+                */
+               public String getRemoteUser() {
+                       return principal.getName();
+               }
+
+               /**
+                * @see javax.servlet.http.HttpServletRequest#getUserPrincipal()
+                */
+               public Principal getUserPrincipal() {
+                       return principal;
+               }
+       }
+
+    class PrincipalImpl implements Principal {
+        
+        private String name = null;
+
+        PrincipalImpl(String name) {
+            this.name=name;
+        }
+        /**
+         * @see java.security.Principal#getName()
+         */
+        public String getName() {
+            return name;
+        }
+        /**
+         * @see java.lang.Object#equals(java.lang.Object)
+         */
+        public boolean equals(Object obj) {
+            return name.equals(obj);
+        }
+
+        /**
+         * @see java.lang.Object#toString()
+         */
+        public String toString() {
+            return name;
+        }
+
+    }
+}
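Review bot: The realm is dropped in doFilter without being compared to anything, so `user@REALM-A` and `user@REALM-B` both reach the application as `user`; if the container can accept principals from more than one realm (cross-realm trust, for instance), that merges distinct identities. Checking the stripped realm against a configured value before wrapping the request, and rejecting a mismatch, would close that. `getRemoteUser()` also returns null for an unauthenticated request, which makes `name.indexOf('@')` throw a NullPointerException. Separately, `PrincipalImpl.equals` calls `name.equals(obj)`, which is only true when `obj` is a String, so two PrincipalImpl instances never compare equal, and no `hashCode` is defined. The fence below sketches the doFilter part; `expectedRealm` stands for a field that init() would populate from the FilterConfig.

```java
// … unchanged: HTTP request/response type check …
HttpServletRequest httpRequest = (HttpServletRequest) request;

String name = httpRequest.getRemoteUser();
if (name == null) {
    // No container-authenticated user: nothing to strip, pass the request through unwrapped.
    chain.doFilter(request, response);
    return;
}
int split = name.indexOf('@');
if (split > -1) {
    // expectedRealm: placeholder for a value read from FilterConfig in init()
    String realm = name.substring(split + 1);
    if (expectedRealm != null && !expectedRealm.equals(realm)) {
        log.error("Principal realm does not match the configured realm; request rejected.");
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        return;
    }
    name = name.substring(0, split);
}
// … unchanged: chain.doFilter with the wrapped request …
```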