1 /*
2 * Licensed to the University Corporation for Advanced Internet Development,
3 * Inc. (UCAID) under one or more contributor license agreements. See the
4 * NOTICE file distributed with this work for additional information regarding
5 * copyright ownership. The UCAID licenses this file to You under the Apache
6 * License, Version 2.0 (the "License"); you may not use this file except in
7 * compliance with the License. You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 package edu.internet2.middleware.shibboleth.idp.authn.provider;
19
20 import java.io.IOException;
21
22 import javax.servlet.RequestDispatcher;
23 import javax.servlet.ServletException;
24 import javax.servlet.http.HttpServletRequest;
25 import javax.servlet.http.HttpServletResponse;
26
27 import org.opensaml.xml.util.DatatypeHelper;
28 import org.slf4j.Logger;
29 import org.slf4j.LoggerFactory;
30
31 import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
32 import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
33
34 /**
35 * A login handler meant to bridge between the IdP and an external, web-based, authentication service.
36 *
37 * This login handler will forward the user-agent to a context-relative path and include the following request
38 * attributes: {@link #FORCE_AUTHN_PARAM}, {@link #PASSIVE_AUTHN_PARAM}, {@link #AUTHN_METHOD_PARAM}, and
39 * {@link #RELYING_PARTY_PARAM}.
40 *
41 * The external authentication system invocation Fileter/Servlet/JSP must, upon completion of authentication, set the
42 * appropriate {@link HttpServletRequest} attributes, as described by the
43 * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} interface and then invoke
44 * {@link edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}
45 * .
46 */
47 public class ExternalAuthnSystemLoginHandler extends AbstractLoginHandler {
48
49 /** Query parameter, {@value} , that indicates whether the authentication request requires forced authentication. */
50 public static final String FORCE_AUTHN_PARAM = "forceAuthn";
51
52 /** Query parameter, {@value} , that indicates whether the authentication requires passive authentication. */
53 public static final String PASSIVE_AUTHN_PARAM = "isPassive";
54
55 /** Query parameter, {@value} , that provides which authentication method should be attempted. */
56 public static final String AUTHN_METHOD_PARAM = "authnMethod";
57
58 /** Query parameter, {@value} , that provides the entity ID of the relying party that is requesting authentication. */
59 public static final String RELYING_PARTY_PARAM = "relyingParty";
60
61 /** Class logger. */
62 private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
63
64 /** The context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system. */
65 private String externalAuthnPath;
66
67 /** Constructor. */
68 public ExternalAuthnSystemLoginHandler() {
69 super();
70 }
71
72 /**
73 * Get context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
74 *
75 * @return context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system
76 */
77 public String getExternalAuthnPath() {
78 return externalAuthnPath;
79 }
80
81 /**
82 * Set context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
83 *
84 * @param path context-relative path to the Filter, Servlet, or JSP that triggers the external authentication
85 * system, may not be null or empty
86 */
87 public void setExternalAuthnPath(String path) {
88 String trimmedPath = DatatypeHelper.safeTrimOrNullString(path);
89 if (trimmedPath == null) {
90 throw new IllegalArgumentException("External Authn path may not be null or empty");
91 }
92
93 externalAuthnPath = trimmedPath;
94 }
95
96 /** {@inheritDoc} */
97 public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
98
99 try {
100 log.debug("Forwarding authentication request to {}", externalAuthnPath);
101 populateRequestAttributes(httpRequest);
102 RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(externalAuthnPath);
103 dispatcher.forward(httpRequest, httpResponse);
104 return;
105 } catch (IOException e) {
106 log.error("Unable to forward authentication request to external authentication system.", e);
107 } catch (ServletException e) {
108 log.error("Unable to forward authentication request to external authentication system.", e);
109 }
110 }
111
112 /**
113 * Sets the request attributes that will be sent to the external authentication service.
114 *
115 * @param httpRequest current HTTP request
116 */
117 protected void populateRequestAttributes(HttpServletRequest httpRequest) {
118 LoginContext loginContext = HttpServletHelper.getLoginContext(httpRequest);
119
120 if (loginContext.isForceAuthRequired()) {
121 httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.TRUE);
122 } else {
123 httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.FALSE);
124 }
125
126 if (loginContext.isPassiveAuthRequired()) {
127 httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.TRUE);
128 } else {
129 httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.FALSE);
130 }
131
132 httpRequest.setAttribute(AUTHN_METHOD_PARAM, loginContext.getAttemptedAuthnMethod());
133
134 httpRequest.setAttribute(RELYING_PARTY_PARAM, loginContext.getRelyingPartyId());
135 }
136 }