View Javadoc

1   /*
2    * Copyright 2011 University Corporation for Advanced Internet Development, Inc.
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package edu.internet2.middleware.shibboleth.idp.authn.provider;
18  
19  import java.io.IOException;
20  
21  import javax.servlet.RequestDispatcher;
22  import javax.servlet.ServletException;
23  import javax.servlet.http.HttpServletRequest;
24  import javax.servlet.http.HttpServletResponse;
25  
26  import org.opensaml.xml.util.DatatypeHelper;
27  import org.slf4j.Logger;
28  import org.slf4j.LoggerFactory;
29  
30  import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
31  import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
32  
33  /**
34   * A login handler meant to bridge between the IdP and an external, web-based, authentication service.
35   * 
36   * This login handler will forward the user-agent to a context-relative path and include the following request
37   * attributes: {@link #FORCE_AUTHN_PARAM}, {@link #PASSIVE_AUTHN_PARAM}, {@link #AUTHN_METHOD_PARAM}, and
38   * {@link #RELYING_PARTY_PARAM}.
39   * 
40   * The external authentication system invocation Fileter/Servlet/JSP must, upon completion of authentication, set the
41   * appropriate {@link HttpServletRequest} attributes, as described by the
42   * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} interface and then invoke
43   * {@link edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}
44   * .
45   */
46  public class ExternalAuthnSystemLoginHandler extends AbstractLoginHandler {
47  
48      /** Query parameter, {@value} , that indicates whether the authentication request requires forced authentication. */
49      public static final String FORCE_AUTHN_PARAM = "forceAuthn";
50  
51      /** Query parameter, {@value} , that indicates whether the authentication requires passive authentication. */
52      public static final String PASSIVE_AUTHN_PARAM = "isPassive";
53  
54      /** Query parameter, {@value} , that provides which authentication method should be attempted. */
55      public static final String AUTHN_METHOD_PARAM = "authnMethod";
56  
57      /** Query parameter, {@value} , that provides the entity ID of the relying party that is requesting authentication. */
58      public static final String RELYING_PARTY_PARAM = "relyingParty";
59  
60      /** Class logger. */
61      private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
62  
63      /** The context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system. */
64      private String externalAuthnPath;
65  
66      /** Constructor. */
67      public ExternalAuthnSystemLoginHandler() {
68          super();
69      }
70  
71      /**
72       * Get context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
73       * 
74       * @return context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system
75       */
76      public String getExternalAuthnPath() {
77          return externalAuthnPath;
78      }
79  
80      /**
81       * Set context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
82       * 
83       * @param path context-relative path to the Filter, Servlet, or JSP that triggers the external authentication
84       *            system, may not be null or empty
85       */
86      public void setExternalAuthnPath(String path) {
87          String trimmedPath = DatatypeHelper.safeTrimOrNullString(path);
88          if (trimmedPath == null) {
89              throw new IllegalArgumentException("External Authn path may not be null or empty");
90          }
91  
92          externalAuthnPath = trimmedPath;
93      }
94  
95      /** {@inheritDoc} */
96      public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
97  
98          try {
99              log.debug("Forwarding authentication request to {}", externalAuthnPath);
100             populateRequestAttributes(httpRequest);
101             RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(externalAuthnPath);
102             dispatcher.forward(httpRequest, httpResponse);
103             return;
104         } catch (IOException e) {
105             log.error("Unable to forward authentication request to external authentication system.", e);
106         } catch (ServletException e) {
107             log.error("Unable to forward authentication request to external authentication system.", e);
108         }
109     }
110 
111     /**
112      * Sets the request attributes that will be sent to the external authentication service.
113      * 
114      * @param httpRequest current HTTP request
115      */
116     protected void populateRequestAttributes(HttpServletRequest httpRequest) {
117         LoginContext loginContext = HttpServletHelper.getLoginContext(httpRequest);
118 
119         if (loginContext.isForceAuthRequired()) {
120             httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.TRUE);
121         } else {
122             httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.FALSE);
123         }
124 
125         if (loginContext.isPassiveAuthRequired()) {
126             httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.TRUE);
127         } else {
128             httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.FALSE);
129         }
130 
131         httpRequest.setAttribute(AUTHN_METHOD_PARAM, loginContext.getAttemptedAuthnMethod());
132 
133         httpRequest.setAttribute(RELYING_PARTY_PARAM, loginContext.getRelyingPartyId());
134     }
135 }