View Javadoc

1   /*
2    * Licensed to the University Corporation for Advanced Internet Development, 
3    * Inc. (UCAID) under one or more contributor license agreements.  See the 
4    * NOTICE file distributed with this work for additional information regarding
5    * copyright ownership. The UCAID licenses this file to You under the Apache 
6    * License, Version 2.0 (the "License"); you may not use this file except in 
7    * compliance with the License.  You may obtain a copy of the License at
8    *
9    *    http://www.apache.org/licenses/LICENSE-2.0
10   *
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  
18  package edu.internet2.middleware.shibboleth.idp.authn.provider;
19  
20  import java.io.IOException;
21  
22  import javax.servlet.RequestDispatcher;
23  import javax.servlet.ServletException;
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  
27  import org.opensaml.xml.util.DatatypeHelper;
28  import org.slf4j.Logger;
29  import org.slf4j.LoggerFactory;
30  
31  import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
32  import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
33  
34  /**
35   * A login handler meant to bridge between the IdP and an external, web-based, authentication service.
36   * 
37   * This login handler will forward the user-agent to a context-relative path and include the following request
38   * attributes: {@link #FORCE_AUTHN_PARAM}, {@link #PASSIVE_AUTHN_PARAM}, {@link #AUTHN_METHOD_PARAM}, and
39   * {@link #RELYING_PARTY_PARAM}.
40   * 
41   * The external authentication system invocation Fileter/Servlet/JSP must, upon completion of authentication, set the
42   * appropriate {@link HttpServletRequest} attributes, as described by the
43   * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} interface and then invoke
44   * {@link edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}
45   * .
46   */
47  public class ExternalAuthnSystemLoginHandler extends AbstractLoginHandler {
48  
49      /** Query parameter, {@value} , that indicates whether the authentication request requires forced authentication. */
50      public static final String FORCE_AUTHN_PARAM = "forceAuthn";
51  
52      /** Query parameter, {@value} , that indicates whether the authentication requires passive authentication. */
53      public static final String PASSIVE_AUTHN_PARAM = "isPassive";
54  
55      /** Query parameter, {@value} , that provides which authentication method should be attempted. */
56      public static final String AUTHN_METHOD_PARAM = "authnMethod";
57  
58      /** Query parameter, {@value} , that provides the entity ID of the relying party that is requesting authentication. */
59      public static final String RELYING_PARTY_PARAM = "relyingParty";
60  
61      /** Class logger. */
62      private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
63  
64      /** The context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system. */
65      private String externalAuthnPath;
66  
67      /** Constructor. */
68      public ExternalAuthnSystemLoginHandler() {
69          super();
70      }
71  
72      /**
73       * Get context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
74       * 
75       * @return context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system
76       */
77      public String getExternalAuthnPath() {
78          return externalAuthnPath;
79      }
80  
81      /**
82       * Set context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
83       * 
84       * @param path context-relative path to the Filter, Servlet, or JSP that triggers the external authentication
85       *            system, may not be null or empty
86       */
87      public void setExternalAuthnPath(String path) {
88          String trimmedPath = DatatypeHelper.safeTrimOrNullString(path);
89          if (trimmedPath == null) {
90              throw new IllegalArgumentException("External Authn path may not be null or empty");
91          }
92  
93          externalAuthnPath = trimmedPath;
94      }
95  
96      /** {@inheritDoc} */
97      public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
98  
99          try {
100             log.debug("Forwarding authentication request to {}", externalAuthnPath);
101             populateRequestAttributes(httpRequest);
102             RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(externalAuthnPath);
103             dispatcher.forward(httpRequest, httpResponse);
104             return;
105         } catch (IOException e) {
106             log.error("Unable to forward authentication request to external authentication system.", e);
107         } catch (ServletException e) {
108             log.error("Unable to forward authentication request to external authentication system.", e);
109         }
110     }
111 
112     /**
113      * Sets the request attributes that will be sent to the external authentication service.
114      * 
115      * @param httpRequest current HTTP request
116      */
117     protected void populateRequestAttributes(HttpServletRequest httpRequest) {
118         LoginContext loginContext = HttpServletHelper.getLoginContext(httpRequest);
119 
120         if (loginContext.isForceAuthRequired()) {
121             httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.TRUE);
122         } else {
123             httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.FALSE);
124         }
125 
126         if (loginContext.isPassiveAuthRequired()) {
127             httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.TRUE);
128         } else {
129             httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.FALSE);
130         }
131 
132         httpRequest.setAttribute(AUTHN_METHOD_PARAM, loginContext.getAttemptedAuthnMethod());
133 
134         httpRequest.setAttribute(RELYING_PARTY_PARAM, loginContext.getRelyingPartyId());
135     }
136 }