1 /*
2 * Copyright 2011 University Corporation for Advanced Internet Development, Inc.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 package edu.internet2.middleware.shibboleth.idp.authn.provider;
18
19 import java.io.IOException;
20
21 import javax.servlet.RequestDispatcher;
22 import javax.servlet.ServletException;
23 import javax.servlet.http.HttpServletRequest;
24 import javax.servlet.http.HttpServletResponse;
25
26 import org.opensaml.xml.util.DatatypeHelper;
27 import org.slf4j.Logger;
28 import org.slf4j.LoggerFactory;
29
30 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
31 import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
32
33 /**
34 * A login handler meant to bridge between the IdP and an external, web-based, authentication service.
35 *
36 * This login handler will forward the user-agent to a context-relative path and include the following request
37 * attributes: {@link #FORCE_AUTHN_PARAM}, {@link #PASSIVE_AUTHN_PARAM}, {@link #AUTHN_METHOD_PARAM}, and
38 * {@link #RELYING_PARTY_PARAM}.
39 *
40 * The external authentication system invocation Fileter/Servlet/JSP must, upon completion of authentication, set the
41 * appropriate {@link HttpServletRequest} attributes, as described by the
42 * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} interface and then invoke
43 * {@link edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}
44 * .
45 */
46 public class ExternalAuthnSystemLoginHandler extends AbstractLoginHandler {
47
48 /** Query parameter, {@value} , that indicates whether the authentication request requires forced authentication. */
49 public static final String FORCE_AUTHN_PARAM = "forceAuthn";
50
51 /** Query parameter, {@value} , that indicates whether the authentication requires passive authentication. */
52 public static final String PASSIVE_AUTHN_PARAM = "isPassive";
53
54 /** Query parameter, {@value} , that provides which authentication method should be attempted. */
55 public static final String AUTHN_METHOD_PARAM = "authnMethod";
56
57 /** Query parameter, {@value} , that provides the entity ID of the relying party that is requesting authentication. */
58 public static final String RELYING_PARTY_PARAM = "relyingParty";
59
60 /** Class logger. */
61 private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
62
63 /** The context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system. */
64 private String externalAuthnPath;
65
66 /** Constructor. */
67 public ExternalAuthnSystemLoginHandler() {
68 super();
69 }
70
71 /**
72 * Get context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
73 *
74 * @return context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system
75 */
76 public String getExternalAuthnPath() {
77 return externalAuthnPath;
78 }
79
80 /**
81 * Set context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
82 *
83 * @param path context-relative path to the Filter, Servlet, or JSP that triggers the external authentication
84 * system, may not be null or empty
85 */
86 public void setExternalAuthnPath(String path) {
87 String trimmedPath = DatatypeHelper.safeTrimOrNullString(path);
88 if (trimmedPath == null) {
89 throw new IllegalArgumentException("External Authn path may not be null or empty");
90 }
91
92 externalAuthnPath = trimmedPath;
93 }
94
95 /** {@inheritDoc} */
96 public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
97
98 try {
99 log.debug("Forwarding authentication request to {}", externalAuthnPath);
100 populateRequestAttributes(httpRequest);
101 RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(externalAuthnPath);
102 dispatcher.forward(httpRequest, httpResponse);
103 return;
104 } catch (IOException e) {
105 log.error("Unable to forward authentication request to external authentication system.", e);
106 } catch (ServletException e) {
107 log.error("Unable to forward authentication request to external authentication system.", e);
108 }
109 }
110
111 /**
112 * Sets the request attributes that will be sent to the external authentication service.
113 *
114 * @param httpRequest current HTTP request
115 */
116 protected void populateRequestAttributes(HttpServletRequest httpRequest) {
117 LoginContext loginContext = HttpServletHelper.getLoginContext(httpRequest);
118
119 if (loginContext.isForceAuthRequired()) {
120 httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.TRUE);
121 } else {
122 httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.FALSE);
123 }
124
125 if (loginContext.isPassiveAuthRequired()) {
126 httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.TRUE);
127 } else {
128 httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.FALSE);
129 }
130
131 httpRequest.setAttribute(AUTHN_METHOD_PARAM, loginContext.getAttemptedAuthnMethod());
132
133 httpRequest.setAttribute(RELYING_PARTY_PARAM, loginContext.getRelyingPartyId());
134 }
135 }