// Check whether security token still valid
session = request.getSessionInternal();
if (session == null) {
LOG.debug("Session should not be null after authentication");
} else {
FederationResponse wfRes = (FederationResponse)session.getNote(FEDERATION_NOTE);
Date tokenExpires = wfRes.getTokenExpires();
if (tokenExpires == null) {
LOG.debug("Token doesn't expire");
return true;
}
if (!this.tokenExpirationValidation) {
LOG.debug("Token expiration not validated.");
return true;
}
Date currentTime = new Date();
if (currentTime.after(wfRes.getTokenExpires())) {
LOG.debug("Token already expired. Clean up and redirect");
session.removeNote(FEDERATION_NOTE);
session.removeNote(Constants.FORM_PRINCIPAL_NOTE);
session.setPrincipal(null);
request.getSession().removeAttribute(SECURITY_TOKEN);
if (LOG.isDebugEnabled()) {
LOG.debug("Save request in session '"
+ session.getIdInternal() + "'");
}
try {
saveRequest(request, session);
} catch (IOException ioe) {
LOG.debug("Request body too big to save during authentication");
response.sendError(HttpServletResponse.SC_FORBIDDEN,
sm.getString("authenticator.requestBodyTooBig"));
return false;
}
FederationProcessor wfProc = new FederationProcessorImpl();
redirectToIssuer(request, response, wfProc);
return false;
}
}
return true;
}
// Is this the re-submit of the original request URI after successful
// authentication? If so, forward the *original* request instead.
if (matchRequest(request)) {
session = request.getSessionInternal(true);
if (LOG.isDebugEnabled()) {
LOG.debug("Restore request from session '"
+ session.getIdInternal() + "'");
}
principal = (Principal)session.getNote(Constants.FORM_PRINCIPAL_NOTE);
register(request, response, principal,
FederationConstants.WSFED_METHOD, null, null);
if (restoreRequest(request, session)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Proceed to restored request");
}
return true;
} else {
if (LOG.isDebugEnabled()) {
LOG.debug("Restore of original request failed");
}
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return false;
}
}
// Acquire references to objects we will need to evaluate
/*
* MessageBytes uriMB = MessageBytes.newInstance(); CharChunk uriCC =
* uriMB.getCharChunk(); uriCC.setLimit(-1);
*/
// String contextPath = request.getContextPath();
String requestURI = request.getDecodedRequestURI();
String wa = request.getParameter("wa");
// Unauthenticated -> redirect
if (wa == null) {
session = request.getSessionInternal(true);
if (LOG.isDebugEnabled()) {
LOG.debug("Save request in session '" + session.getIdInternal() + "'");
}
try {
saveRequest(request, session);
} catch (IOException ioe) {
LOG.debug("Request body too big to save during authentication");
response.sendError(HttpServletResponse.SC_FORBIDDEN,
sm.getString("authenticator.requestBodyTooBig"));
return false;
}
FederationProcessor wfProc = new FederationProcessorImpl();
redirectToIssuer(request, response, wfProc);
return false;
}
// Check whether it is the signin request, validate the token.
// If failed, redirect to the error page if they are not correct
String wresult = request.getParameter("wresult");
FederationResponse wfRes = null;
if (wa.equals(FederationConstants.ACTION_SIGNIN)) {
if (LOG.isDebugEnabled()) {
LOG.debug("SignIn request found");
LOG.debug("SignIn action...");
}
if (wresult == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("SignIn request must contain wresult");
}
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return false;
} else {
request.getResponse().sendAcknowledgement();
// processSignInRequest
if (LOG.isDebugEnabled()) {
LOG.debug("Process SignIn request");
LOG.debug("wresult=\n" + wresult);
}
FederationRequest wfReq = new FederationRequest();
wfReq.setWa(wa);
wfReq.setWresult(wresult);
X509Certificate certs[] =
(X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
wfReq.setCerts(certs);
String contextName = request.getServletContext().getContextPath();
if (contextName == null || contextName.isEmpty()) {
contextName = "/";
}
FederationContext fedConfig = getContextConfiguration(contextName);
FederationProcessor wfProc = new FederationProcessorImpl();
try {
wfRes = wfProc.processRequest(wfReq, fedConfig);
} catch (ProcessingException ex) {
LOG.error("Federation processing failed: " + ex.getMessage());
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
// Validate the AudienceRestriction in Security Token (e.g. SAML)
// against the configured list of audienceURIs
if (wfRes.getAudience() != null) {
List<String> audienceURIs = fedConfig.getAudienceUris();
boolean validAudience = false;
for (String a : audienceURIs) {
if (wfRes.getAudience().startsWith(a)) {
validAudience = true;
break;
}
}
if (!validAudience) {
LOG.warn("Token AudienceRestriction [" + wfRes.getAudience()
+ "] doesn't match with specified list of URIs.");
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return false;
}
if (LOG.isDebugEnabled() && request.getRequestURL().indexOf(wfRes.getAudience()) == -1) {
LOG.debug("Token AudienceRestriction doesn't match with request URL ["
+ wfRes.getAudience() + "] ["
+ request.getRequestURL() + "]");
}
}
List<String> roles = wfRes.getRoles();
if (roles == null || roles.size() == 0) {
roles = new ArrayList<String>();
roles.add(new String("Authenticated"));
}
principal = new FederationPrincipalImpl(wfRes.getUsername(), roles,
wfRes.getClaims(), wfRes.getToken());
}
} else {
LOG.error("Not supported action found in parameter wa: " + wa);
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return false;
}
/*
* Realm realm = context.getRealm(); if (characterEncoding != null) {
* request.setCharacterEncoding(characterEncoding);
*
* String username = request.getParameter(Constants.FORM_USERNAME);
* String password = request.getParameter(Constants.FORM_PASSWORD); if
* (log.isDebugEnabled()) log.debug("Authenticating username '" +
* username + "'"); principal = realm.authenticate(username, password);
*/
if (principal == null) {
forwardToErrorPage(request, response, config);
return false;
}
if (LOG.isDebugEnabled()) {
LOG.debug("Authentication of '" + principal + "' was successful");
}
// context.addServletContainerInitializer(sci, classes)
// session.addSessionListener(listener)
// HttpSessionAttributeListener
if (session == null) {
session = request.getSessionInternal(false);
}
if (session == null) {
if (containerLog.isDebugEnabled()) {
containerLog.debug("User took so long to log on the session expired");
}
if (landingPage == null) {
response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
sm.getString("authenticator.sessionExpired"));
} else {
// Make the authenticator think the user originally requested
// the landing page
String uri = request.getContextPath() + landingPage;
SavedRequest saved = new SavedRequest();
saved.setMethod("GET");
saved.setRequestURI(uri);
request.getSessionInternal(true).setNote(Constants.FORM_REQUEST_NOTE, saved);
response.sendRedirect(response.encodeRedirectURL(uri));
}
return false;
}
// Save the authenticated Principal in our session
session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
// Save Federation response in our session
session.setNote(FEDERATION_NOTE, wfRes);
// Save Federation response in public session
request.getSession(true).setAttribute(SECURITY_TOKEN, wfRes.getToken());
/*
* // Save the username and password as well
* session.setNote(Constants.SESS_USERNAME_NOTE, username);
* session.setNote(Constants.SESS_PASSWORD_NOTE, password);